opFlow provides the option to use and keep RAW flow (NetFlow) data and/or to use summarised flow data. There are several configuration options available to control how opFlow does this and this article will describe those configuration options. These configuration options are to be added to the opCommon.nmis file. The installer has already added sane defaults of these options.
| Table of Contents |
|---|
Why is Flow Summarisation Useful
...
There are 7 configuration options to control this behaviour, they are:
| Configuration | Default | Unit | Description |
|---|---|---|---|
| opflow_summarisation_interval | 60 | Seconds | the number of seconds for a period raw flow will be summarised to |
| opflow_summarisation_enabled | true | Boolean | true or false to enable to disable flow summarisation |
| opflow_summarisation_display | true | Boolean | true or false to enable the display of summarised flow data |
| opflow_keep_raw_flows | true | Boolean | true or false to keep the raw flow data or not |
| opflow_display_raw_flows | true | Boolean | true or false to enable the display of raw flow data, where it is best used, in the conversation matrix it is used by default |
| opflow_raw_flows_age_days | 8 | Days | the number of days to keep the raw flow data |
| opflow_conversation_age_days | 42 | Days | the number of days to keep the summarised flow data |
How Flow Data is Summarised
As the raw flow records are processed, the data is pooled in a buffer grouped by combining the Summary Interval, the source IP address the destination IP address and the application (which is derived from the protocol, and source and destination UDP or TCP port). This means that if a network management server was requesting SNMP from a router, NetFlow would see each UDP get/response as a flow, which may possibly be a single packet, after summarisation, the information about the server talking to the router will still be there, and represented as a single summarised flow record, but with all the data summarised together.
Here is a visualisation of the process:
Extended Summarisation
Since opFlow 3.0 and all opFlowSP versions, you are able to configure further summarised flows in order to be able to keep more historical information. You will notice that the installer comes with the following extra summary options:
| Code Block | ||
|---|---|---|
| ||
'opflow_summary_stages' => {
'daily' => {
'collapse_min_bytes' => 102400,
'collapse_min_pkts' => 128,
'collection_size' => 1073741824,
'period' => 3600
},
'hourly' => {
collapse_min_bytes => 1024,
collapse_min_pkts => 5,
collection_size => 1073741824, # 1gb
period => 3600,
},
'quarterhr' => {
'collapse_min_bytes' => 1024,
'collapse_min_pkts' => 5,
'collection_size' => 1073741824,
'period' => 900
}
}, |
...
Collection capped size
...