Viewing Traffic Insights Data
View your Traffic Insights data at Traffic Insights > Views. This screen is a rollup of your total network traffic by application or conversation across your entire enterprise network.
The default screen shows a stacked area chart of your ten highest-throughput applications across a 24-hour period, with a new sampling point every 5 minutes (see View By for more information about the stacked chart). Move the sample slider back for a view of up to the last 30 days. The Table tab shows what happened in your selected time point for throughput (total, downstream, or upstream) or connections per second. Select the Sankey tab to view the relationship among flows across different domains (applications, interfaces, ports, etc.).
For the fullest traffic analysis, including "top talkers", comparison of different time-spans, and different data visualizations (for example, pie charts, build-your-own tables and color grids, etc.), we recommend you use the Traffic Insights Flows dashboard template, which you can customize to your needs, or create a dashboard of your own. See Traffic Insights Alerts and Dashboards for more information.
Global Selectors
The Traffic Insights Views landing screen includes a number of global selectors across the top that, when changed, affect the data displayed in both the chart and table beneath. These are the Filters, View By, and Metrics selectors.
Filters
Use the filters to narrow down the data set along many different categories. The default filters include:
Traffic Monitor Locations: Refers to the location of the network devices that are sending network flows to a forwarder. This shows the location of the forwarder it exports to by default, but you can change the location settings (country and region) by opening the edit panel for each monitor on the Traffic Monitors screen.
Forwarding Agents: Refers to the name of the forwarder that receives network flow data.
Device: Refers to the device name or IP address of the traffic monitor.
Interface: Refers to the interface type if it has been discovered with SNMP, otherwise it is blank. For example, “GigabitEthernet0/1/0”.
When flow consolidation is turned on, filtering by Forwarding Agents, Device, or Interface displays results that are not consolidated to allow you to view the full traffic impact at the device-level.
Use the Add Filter button to add the following filters:
Client IP: The IP address of the side designated as the client in a conversation.
Server IP: The IP address of the side designated as the server in a conversation.
Application: The application name as reported by NBAR (Network Based Application Recognition) or enriched by NBAR cloud.
Server Location: The geo-location of the server's IP address.
Server Port: The port used by the server.
Protocol: The transport protocol used by the conversation (TCP, UDP, ICMP, IGMP, OSPFIGP).
Client Subnet Tag: Any subnet tag you have assigned to a client subnet.
Server Subnet Tag: Any subnet tag you have assigned to a server subnet.
View By
The View By selector differs from a filter in that it changes how and what data is represented, rather than narrowing the data set. Choose to view your data either by applications or conversations.
Applications: Shows volume of traffic and connections per application.
Conversations: Shows data exchanges between two endpoints (any two of a 4-tuple flow record: client IP, server IP, destination port, protocol).
Application View
An application refers to a grouping or class of applications as defined in your enterprise network using an application recognition engine (for example, Cisco NBAR) or by inference of the application's public IP using cloud intelligence (see Initiating and Understanding Application Recognition for more information).
The view defaults to show a stacked area chart of the top ten applications by throughput for the chosen time period. Throughput is automatically consolidated if you have flow consolidation turned on, unless filtered by device-level. Choose up to 12 applications for comparison, and turn on Total to see the graph-line showing total throughput for all applications. The applications displayed in the legend are also reflected in the table beneath the chart and when hovering over the chart. Change the metric to view the data sorted by that metric, in both chart and table. The table contains the following fields:
Application: Application identified for this traffic.
Total Throughput: Displayed based on the calculated traffic rate and percent of total throughput against all applications.
Downstream Throughput: Traffic from server to client.
Upstream Throughput: Traffic from client to server.
CPS (connections per second): Counts the rate of new TCP sessions initiated by a TCP initiation packet. If an initiation packet is not detected (for example, you are using a Meraki device or an SD-WAN solution for which this field is not included) or if the protocol is UDP, the counter is not available.
Conversation View
A conversation refers to the data exchange between two endpoints over one or more connections.
The view shows a histogram chart of your selected metric. The table beneath the chart shows the data in tabular form for the point in time you have chosen. The table contains the following fields:
Client: Client IP address.
Server: Server IP address or hostname, if available.
Server Port: Port on which server connection was established for this client connection.
Server Location: Location of the server.
Protocol: TCP, UDP, ICMP, IGMP, OSPFIGP.
Device: Device name of the router or switch that is configured to act as the traffic monitor for Traffic Insights. This is the network device that is sending network flow traffic data to the Enterprise Agent that has been enabled as a forwarder.
Client Interface: Interface that the traffic monitor is collecting traffic data from.
Server Interface: Interface that the traffic monitor is sending traffic data to.
Application: If your enterprise network is configured to perform application recognition, the Application column shows which application this traffic is associated with. The application types correspond to the application recognition that you have previously configured. Additionally, if the application data isn't included in the flow record Traffic Insights attempts to infer the application based on its public IP.
CPS (connections per second): Counts the rate of new TCP sessions initiated by a TCP initiation packet. If an initiation packet is not detected (for example, you are using a Meraki device or an SD-WAN solution for which this field is not included) or if the protocol is UDP, the counter is not available.
Total Throughput: Displayed based on the calculated traffic rate and percent of upstream and downstream throughput generated by a conversation.
Throughput Trend: A spark line or mini-graph showing the last 30 minutes.
... (ellipsis): Allows you to group existing table by application.
When flow consolidation is enabled, the values in some columns change to display the number of distinct values in that field per unique conversation, such as 7 applications or 5 devices. This reflects the “stitching” together of consolidated flow records. You can click on some numbered values to filter by that field and view details of the records that were stitched together.
Grouping
Unlike with the application view, the conversation view table also offers a grouping feature. You can use Group By to sort by multiple different aspects of the data.
You can choose up to two groupings, which sorts the table first by the first grouping category, then by the second. The available groupings are:
Client: Client IP address.
Device: Network device name where traffic monitor is hosted. Note: when grouped by device, data is not consolidated.
Application: Application traffic type.
No Grouping: Allows you to limit the number of groups you view by (none or just one).
Subnet Tag: Shows user-defined tags for subnets.
Server: Server IP address.
Server Location: Shows city and country where server is located.
Metrics
The metrics you are able to choose from depend on your View By selection. The selected metric displays on the timeline and updates the table to sort by that metric. Throughput is displayed as bps (bits per second), Kbps (kilobits per second), Mbps (megabits per second), etc. depending on the calculated traffic rate. The applications view includes all of the following metrics. The conversations view includes only total throughput and connections per second (though note that upstream and downstream throughput are displayed graphically when total throughput is selected).
Total Throughput: Represents the total volume of traffic.
Downstream Throughput: Represents the volume of downstream (server to client) traffic.
Upstream Throughput: Represents the volume of upstream (client to server) traffic.
Connections per second: Connections per second (CPS).
Timeline
The Traffic Insights Views timeline works similarly to other ThousandEyes data views.
Use the top swimlane control to show a detailed timeline in the chart beneath up to the past 30 days.
Detail shows traffic flow data down to 5-minute increments.
Hover over any time point in the chart for a breakdown of total throughput.
Table Tab
As with the timeline, the Traffic Insights data table works similarly to other ThousandEyes data tables, with the following features.
The table data is automatically updated by changes made to the fields in the global selectors. For example, the table is automatically sorted by the selected metric.
You can change the sort order of the table by any column, ascending or descending. You can only sort by one column at a time (except when using grouping - see View By for more information).
Note that the table only shows data within the 5-minute window immediately behind the pointer in the timeline. If you change the time range to 7 days, or 30 days, the table data will not change.
Further information about the Traffic Insights data table is provided above in Global Selectors.
Sankey Tab
The diagram on the Sankey tab provides a powerful visual tool to represent network traffic flows. A Sankey diagram is a flow diagram where the width of the bands is proportional to the metric being displayed, allowing you to visually track how traffic moves between different network entities.
This visualization helps in understanding the relation among traffic flows across different domains, making it easier to identify bottlenecks, overloaded interfaces, or unusual traffic patterns.
In the context of Traffic Insights, the Sankey diagram reflects the data in the View By views for Conversations and Applications and the chosen metric, providing preformatted visualizations optimized for these data sets. The diagram shows the traffic during the 5-minute interval selected on the timeline above. Select any other 5-minute interval to regenerate the diagram for that timespan.
Sankey Use Cases
Network operators: Triage and visually estimate impacted client IPs, subnets, and interfaces. The diagram supports exploration of traffic between applications and destinations, helping to investigate flow distributions across the network.
Network planners: Identify heavily used paths for capacity planning and redundancy, as well as validate routing policies based on observed traffic flows.
How to Use the Diagram
You “read” the diagram from left to right. Each View By view shows the behavior of your applications or clients (in the case of conversations) as they traverse your network. See the View By section for information about the different layers shown in each view.
You can interact with the diagram in the following ways:
Hover over a node to view a tooltip displaying details of the traffic into and out of it. The resources feeding and being fed by that node are highlighted to better visualize the traffic going in and out.
Hover over a link to view a tooltip detailing the traffic’s metric value between the two highlighted nodes.
Click a node to filter by it (note: you must use the Filter bar to filter by interface). The Filter bar and chart update accordingly.
To return to the landing screen, select Reset filters on the Filter bar.
Last updated