Wednesday 9 November 2016

Diagnosing abnormal network traffic levels



A common question that network managers handle is "Why is the network slow?". In many cases, poor network performance is caused by a localised overload. This may be the result of mistakes in the network configuration, equipment malfunctions, inadvertent misuse, or capacity that is insufficient for the normal load. Since an sFlow-enabled network and sFlowTrend provide complete visibility of network usage, it is easy to pinpoint overload conditions and take appropriate action. It is even possible to receive alerts so that proactive controls can be implemented to prevent poor performance from occurring. Here is an example of how sFlowTrend helps you identify and diagnose network overload conditions.


On the Dashboard, Thresholds indicates an abnormally high level of unicast traffic. Click on the unicast indicator to view the Thresholds tab and find out why.




The Thresholds tab indicates the switch 10.1.4.253 is experiencing the abnormally high level of unicast traffic. Click on the unicast indicator to see which interfaces are affected.
The interface with ifIndex 23 is most affected by the unicast traffic. Click on the unicast indicator to bring up the menu and select Root cause to see who and what is contributing to the unicast traffic.

100% of unicast frames are sent from hosts in the External subnet to hosts in the External subnet. Looking at the fourth row, 58% of the unicast frames are sent from 208.65.153.251 TCP:80 to 64.151.76.36. From this we can conclude that the major factor causing the abnormally high unicast traffic is web traffic from server 208.65.153.251 (which is in the External subnet). To see for how long abnormal levels of unicast traffic have affected this interface, click on the Network > Counters tab (or choose View chart from the Root cause tab menu).


The Network > Top N tab displays the details of the top connections.
In this example we have created a custom top connections chart that allows us to focus on the server port and ignore the ephemeral client port.
The Network > Circles tab allows you to visualise the traffic flows between groups of addresses to help understand the communication patterns across the network.
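
The effect of the custom top connections chart described above (keying on the server port and ignoring the ephemeral client port) can be reproduced outside the tool. The following is an added example, not sFlowTrend code or part of the original post: the sample records are constructed, only the 208.65.153.251 TCP:80 to 64.151.76.36 pair comes from the text, and treating the lower-numbered port as the server port is an assumed heuristic.

```python
from collections import Counter

# Constructed sampled-flow records (illustrative only):
# (src_ip, src_port, dst_ip, dst_port, protocol, sampled_frames)
SAMPLES = [
    ("208.65.153.251", 80, "64.151.76.36", 51234, "TCP", 30),
    ("208.65.153.251", 80, "64.151.76.36", 51240, "TCP", 28),
    ("192.0.2.10", 443, "198.51.100.7", 40000, "TCP", 22),
    ("198.51.100.7", 40000, "192.0.2.10", 443, "TCP", 12),
    ("203.0.113.5", 53, "198.51.100.9", 33000, "UDP", 8),
]


def server_port(src_port, dst_port):
    """Assumed heuristic: the lower-numbered port is the service port."""
    return min(src_port, dst_port)


def top_connections(samples, n=5, ignore_client_port=True):
    """Rank (source, service, destination) rows by share of sampled frames.

    With ignore_client_port=True, flows that differ only in the ephemeral
    client port collapse into one row, so a busy server stands out.
    """
    counts = Counter()
    for src, sport, dst, dport, proto, frames in samples:
        if ignore_client_port:
            service = f"{proto}:{server_port(sport, dport)}"
        else:
            service = f"{proto}:{sport}->{dport}"
        counts[(src, service, dst)] += frames

    total = sum(counts.values())
    if total == 0:
        return []
    return [
        (src, service, dst, frames, round(100.0 * frames / total, 1))
        for (src, service, dst), frames in counts.most_common(n)
    ]


if __name__ == "__main__":
    for label, flag in (("server port only", True), ("both ports", False)):
        print(label)
        for src, service, dst, frames, pct in top_connections(SAMPLES, 5, flag):
            print(f"  {src:<16} {service:<18} {dst:<14} {frames:>4} {pct:>5}%")
```

Keyed on both ports, the same web server's traffic is split across rows and its largest single row is 30% of frames; keyed on the server port alone, it appears as one row at 58%.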