Traffic Insights Views and Settings

This section describes the screens in the ThousandEyes user interface that are used for various configuration steps and for viewing results. For information about the FPS (flow record per second) monitoring screen, see Traffic Insights FPS Monitoring.

Enterprise Agent Settings Screens

The following screens correspond to Step 1: Enable an Enterprise Agent of the Configuration Guide.

Finding a Supported Agent

Traffic Insights supports two methods of deploying Enterprise Agents as forwarders: they can be hosted either on a virtual appliance or as part of the Cisco Application-Hosted Framework (CAF). See Enterprise Agent Requirements for more information and other Enterprise Agent requirements.

To check whether any of your existing Enterprise Agents are on a supported device, you can simply add a filter from the Enterprise Agent Settings screen.

  1. Select the Enterprise Agents screen.

  2. On the Agents tab, open the Add a Filter dropdown.

  3. Select Installation Type.

    Add a Filter dropdown menu
  4. In the subsequent filter dropdown, select Virtual Appliance and/or Cisco Application Hosting.

    Installation Type filter selections
    • The list of agents automatically updates in line with the filters selected and the total appears to the right of the search field.

Though you may have Enterprise Agents on supported devices, you must still check that the supported devices meet all other compatibility requirements for Traffic Insights in order for forwarding to work. See Enterprise Agent Requirements.

If no existing Enterprise Agents are on supported devices, click Add New Enterprise Agent on the top right of the screen and follow the prompts within the relevant article in the Enterprise Agent Installing section.

Once you have identified or installed an Enterprise Agent on a supported device that meets Traffic Insights compatibility requirements, you can enable it for forwarding.

Enabling Forwarding

Enterprise Agent Settings screen

The above Enterprise Agent settings screen corresponds to step 1.2 Enable Forwarding on the Enterprise Agent of the Configuration Guide.

Turning on the Enterprise Agent’s forwarding capabilities is a necessary step to enable the agent to receive flow data from your flow exporter (traffic monitor) and forward this data to ThousandEyes.

  1. Click the Enterprise Agents screen.

  2. Select the agent you want to designate as a forwarder from the list to open the edit panel.

  3. Select the Advanced Settings tab.

  4. Scroll down to Agent Modules.

    1. The Traffic Insights status of this agent shows as either Enabled or Disabled.

  5. If it’s Disabled, click the Enable button and confirm.

  6. Click Save Changes.

Viewing Your Forwarders

Now that you have forwarding enabled for Traffic Insights, you can keep track of the Enterprise Agents you use for forwarding via another Enterprise Agent filter. Follow steps 1-4 in Finding a Supported Agent but select Traffic Insights as the filter. Then select Enabled. All devices enabled for Traffic Insights are displayed.

Alternatively, view them on the Traffic Insights Forwarders screen. See Forwarders Screen below.

Device Layer Screens

Step 2: Configure SNMP Device Discovery of the Configuration Guide requires you to discover and monitor the devices you will use as traffic monitors via SNMP. You can find instructions and relevant screens for this step in the Device Layer articles.

Traffic Insights Settings Screens

The ThousandEyes Traffic Insights screens cover allow-listing, forwarder enablement, and subnet tagging.

Traffic Monitors Screen

In Step 3: Configure Network Flow Data of the Configuration Guide, you set up network flows to transit through the devices you just discovered and monitored in step 2, and on to the forwarders you designated in step 1.

The following Traffic Insights Settings screen illustrates how to allow-list your new traffic monitors and configure the two optional settings: subnet tagging and external flow collecting.

Allow-Listing Your Flow Device

Allow-listing options

The above allow-list screen corresponds to 3.4 Allow-List the Flow Device in ThousandEyes of the Configuration Guide.

  1. Go to Traffic Insights > Settings.

    • The Traffic Monitors tab shows your network devices (traffic monitors) that have been successfully configured to export network flows.

  2. Allow-list your monitors in one of three ways:

    1. To allow-list all monitors, click Allow All in the warning box at the top of the screen.

    2. To allow-list a selection, check the boxes next to the monitors you want to allow and click Allow at the bottom of the screen.

    3. To allow-list an individual monitor, click the ellipsis on an agent’s row, and select Allow.

Managing Your Traffic Monitors

Once allow-listed, view and manage your traffic monitors on the Traffic Monitors screen.

Columns:

  • Network Device IP: Identifies the network device that is acting as a traffic monitor and is already sending flow data to an Enterprise Agent.

  • Network Device Name: Optional field, if a device name was configured on the device itself and SNMP device discovery has been completed. See Device Layer Screens for more information.

  • Enterprise Agent: Enterprise Agent name as configured in ThousandEyes Agent Settings.

  • Site: Optional user-defined site name where this traffic monitor is located. Open each monitor's edit panel on the Traffic Monitors screen to edit.

  • Geo Location: Optional country and region where this traffic monitor is located. Defaults to the location of the forwarder the monitor exports to. Open each monitor's edit panel on the Traffic Monitors screen to edit.

  • Status: Either Allowed or Not Allowed.

  • Last Active (UTC): Date and time that this traffic monitor sent flow data to ThousandEyes.

  • FPS (Avg/Peak): Flow records per second sent from the traffic monitor that might be forwarded to the ThousandEyes platform if allowed. Shows average and peak values.

  • Unsupported FPS (Avg/Peak): Flow records per second sent from the traffic monitor and discarded due to unsupported format. Shows average and peak values.

  • ... (ellipsis): Click to Edit, Allow, or Delete each row.

Forwarders Screen

The Forwarders screen lists the Enterprise Agents you have enabled for forwarding. You can find instructions on how to install and enable Enterprise Agents at Enterprise Agent Settings Screens. Below, we explain how to view and manage your forwarders.

Forwarders screen

The Forwarders screen shows traffic flowing through each Enterprise Agent in the time frame chosen. Choose from 2 hours up to 2 days. Filter results by Agent Name or External Collector. The Clear Stats button in the top right refreshes collection of all forwarder data to restart from now. See below for External Collector Management.

Columns:

  • Agent Name: The ThousandEyes Enterprise Agent name.

  • Listening Ports: TCP and UDP listening ports, editable on the Edit screen.

  • External Collector: Optional; enable on the Edit screen.

  • UDP Ingress: Kbps and packets per second.

  • TCP Ingress: Kbps and packets per second.

  • Dropped Events: Number of dropped packet(s).

  • Egress: Kbps.

  • External Collector Mirrored: Kbps.

  • FPS (Avg/Peak): Flow records per second received by the agent and forwarded to the ThousandEyes platform. Shows average and peak values.

  • Unsupported FPS (Avg/Peak): Flow records per second received by the agent and discarded due to unsupported format. Shows average and peak values.

  • ... (ellipsis): Click to Edit or Clear Stats for each row.

External Flow Collector Screens

If you already collect flow data into a collector, you can add an external flow collector to the ThousandEyes flow process via the External Collector Management panel and Edit panel of the Forwarders screen. These screens correspond to Configure External Flow Collectors in the Configuration Guide. You can also edit the listening ports for your forwarders via this screen.

External collector integration structure

External Collector Management Panel

External Collector Management panel
  1. Select the Forwarders screen.

  2. Click External Collector Management in the top right.

  3. In the panel, click + Add New External Collector.

  4. Enter the collector's name, IP address and port.

Create External Collector panel
  5. Click Save.

Edit Forwarder Panel

Edit Forwarder panel
  1. Select the Forwarders screen.

  2. On your chosen forwarder, click the ellipsis (...) and select Edit.

  3. In the panel, change the TCP or UDP listening ports, and/or

  4. Enable an external collector by sliding the toggle to Enabled.

  5. Select the external collector from the subsequent dropdown.

  6. Click Save.

Subnet Tagging Screen

Subnet Tagging screen

The Subnet Tags screen corresponds to Create Subnet Tags in the Configuration Guide. You can find the screen at Traffic Insights > Settings > Subnets Tags, and instructions for creating subnet tags at Creating Subnets, below.

Subnet tagging is a way of labeling IP address ranges within ThousandEyes with user-friendly names, in order to filter by subnets or tags in the Traffic Insights data view. This feature is useful for identifying network traffic flows associated with specific user groups, departments, or client/server types, providing an easier way to view and analyze your network activity.

For example, you can create a subnet tag called “Developers” for the network subnet that is used by your dev team. Through application recognition, your monitoring device might classify traffic conversations as “AWS” or "Github". When the dev team complains that their build jobs are running too slowly, you can use Traffic Insights views to quickly isolate their network and traffic using a descriptive subnet name that is associated with the big surge of AWS traffic coming in from the developers. You'll also be able to see how it flows through your network.

Once you've created tags and they are showing onscreen, you can edit or delete them via each row's ellipsis (...), or select multiple by their checkboxes and use the Delete button at the bottom. Manage existing tags or create new tags for existing subnets via the Tags Management button in the top right (see Managing Tags for more information).

Columns:

  • Subnet Name: A unique name provided for this subnet using + Create Subnets. Note that the name is not the same as the subnet tags, which are re-usable.

  • Subnet: The IP address range associated with this subnet, for example 192.168.110.0/24.

  • Type: Subnet type is either Client or Server.

  • Tags: One or more tags assigned to this subnet.

  • Created By: The ThousandEyes user who created this subnet.

  • Created On: Date this subnet was created.

  • Modified By: ThousandEyes user who last modified this subnet.

  • Modified On: Date this subnet was last modified.

  • ... (ellipsis): Click to Edit or Delete each row.

Creating Subnets

Create Subnets panel

Subnet tagging configuration in Traffic Insights requires prior configuration of your IP subnets on your network. Within Traffic Insights, you can choose whether those subnets are identified by client or by server.

In the case of client subnet tagging, the tag is assigned if the client’s IP matches the IP range specified for the subnet tag, and in the case of server subnet tagging, the tag is assigned if the server’s IP matches the subnet.

  • Client subnet tagging allows you to mark/tag your clients or the originating source.

  • Server subnet tagging enables you to mark the resources or targets used in your network.

Fields required for creating a subnet tag are:

  • Subnet Name: Enter a descriptive name such as “Engineering” or “guest wi-fi”.

  • Subnets: Type in one or more IP addresses or address ranges, pressing Enter after each one. Both IPv4 and IPv6 addressing are supported. For example, 1.1.1.1/12 or 2620:0:860:2::/64.

  • Type: Choose either Client or Server as the subnet type.

  • Choose Tags: Use + Add Tags to create new tags and associate them with this subnet. To choose one or more existing tags, click in the text box to see a pop-up searchable list with check boxes.
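
The client and server matching rule described above can be sketched in a few lines of Python. This is an added example, not ThousandEyes code: the `SubnetEntry` fields mirror the form fields listed above, while the flow-record keys, the sample subnets and flows, and the choice to return the union of tags from every matching subnet are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class SubnetEntry:
    name: str      # Subnet Name: unique per entry
    subnets: list  # one or more IPv4/IPv6 addresses or CIDR ranges
    type: str      # "Client" or "Server"
    tags: list     # reusable tags; the same tag may sit on many subnets


def compile_entries(entries):
    """Validate entries and pre-parse their ranges into network objects."""
    seen, compiled = set(), []
    for entry in entries:
        if entry.name in seen:
            raise ValueError(f"duplicate subnet name: {entry.name!r}")
        if entry.type not in ("Client", "Server"):
            raise ValueError(f"bad subnet type: {entry.type!r}")
        seen.add(entry.name)
        # strict=False accepts a range written with host bits set, such as
        # 1.1.1.1/12, and normalizes it to its network (1.0.0.0/12).
        nets = [ipaddress.ip_network(s, strict=False) for s in entry.subnets]
        compiled.append((entry, nets))
    return compiled


def tags_for(ip_text, side, compiled):
    """Tags of every `side`-type entry whose ranges contain ip_text."""
    ip = ipaddress.ip_address(ip_text)
    tags = []
    for entry, nets in compiled:
        if entry.type != side:
            continue  # a Server subnet never tags the client side
        if any(ip.version == n.version and ip in n for n in nets):
            for tag in entry.tags:
                if tag not in tags:  # assumption: overlapping subnets merge
                    tags.append(tag)
    return tags


def tag_flow(flow, compiled):
    """Client tags come from the client IP, server tags from the server IP."""
    return {
        "client_subnet_tags": tags_for(flow["client_ip"], "Client", compiled),
        "server_subnet_tags": tags_for(flow["server_ip"], "Server", compiled),
    }


# Constructed sample configuration and flow records (not real data).
ENTRIES = [
    SubnetEntry("Developers", ["192.168.110.0/24"], "Client", ["Developers"]),
    SubnetEntry("Engineering", ["192.168.0.0/16"], "Client",
                ["Engineering", "Developers"]),
    SubnetEntry("Build servers", ["1.1.1.1/12"], "Server", ["CI"]),
    SubnetEntry("guest wi-fi", ["10.20.0.0/16", "2620:0:860:2::/64"],
                "Client", ["Guests"]),
]
COMPILED = compile_entries(ENTRIES)
FLOWS = [
    {"client_ip": "192.168.110.25", "server_ip": "1.2.3.4"},
    {"client_ip": "2620:0:860:2::10", "server_ip": "203.0.113.9"},
    # Same addresses with the roles swapped: neither side is tagged.
    {"client_ip": "1.2.3.4", "server_ip": "192.168.110.25"},
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "->", tag_flow(flow, COMPILED))
```

The third flow shows why the subnet type matters: an address inside a Server-type range is not tagged when it appears as the client of a conversation.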

Managing Tags

Tags Management panel

Tags Management lists and tracks your subnet tags (labels). Each tag shows the number of subnets associated. Add new tags using the Create New button in the lower left. You can then associate new tags with current subnets by using the Edit ellipsis on the Subnet Tagging Screen to add or remove tags from that subnet.

Traffic Insights Views Screens

Views Landing Screen

Views landing screen

View your Traffic Insights data at Traffic Insights > Views. This screen is a rollup of your total network traffic by application or conversation across your entire enterprise network.

The default screen shows a stacked area chart of your ten highest-throughput applications across a 24-hour period, with a new sampling point every 5 minutes (see View By for more information about the stacked chart). Move the sample slider back for a view of up to the last 30 days. The table shows what happened in your selected time point for throughput (total, downstream, or upstream) or connections per second.

For the fullest traffic analysis, including "top talkers", comparison of different time-spans, and different data visualizations (for example, pie and stacked charts, build-your-own tables and color grids, etc.), we recommend you use the Traffic Insights Flows dashboard template, which you can customize to your needs, or create a dashboard of your own. See Alerts and Dashboards with Traffic Insights for more information.

Timeline

The Traffic Insights Views timeline works similarly to other ThousandEyes data views.

  • Use the top swimlane control to show a detailed timeline in the chart beneath up to the past 30 days.

  • Detail shows traffic flow data down to 5-minute increments.

  • Hover over any time point in the chart for a breakdown of total throughput.

Table

As with the timeline, the Traffic Insights data table works similarly to other ThousandEyes data tables, with the following features.

  • The table data is automatically updated by changes made to the fields in the global selectors. For example, the table is automatically sorted by the selected metric.

  • You can change the sort order of the table by any column, ascending or descending. You can only sort by one column at a time (except when using grouping - see View By for more information).

Note that the table only shows data within the 5-minute window immediately behind the pointer in the timeline. If you change the time range to 7 days, or 30 days, the table data will not change.

Further information about the Traffic Insights data table is provided below in Global Selectors.

Global Selectors

The Traffic Insights Views landing screen includes a number of global selectors across the top that, when changed, affect the data displayed in both the chart and table beneath. These are the Filters, View By, and Metrics selectors.

Filters

Use the filters to narrow down the data set along many different categories. The default filters include:

  • Traffic Monitor Locations: Refers to the location of the network devices that are sending network flows to a ThousandEyes Enterprise Agent. This shows the location of the forwarder it exports to by default, but you can change the location settings (country and region) by opening the edit panel for each monitor on the Traffic Monitors screen.

  • Forwarding Agents: Refers to the name of the Enterprise Agent that receives network flow data.

  • Device: Refers to the device name or IP address of the network device where your traffic monitor is hosted.

  • Interface: Refers to the interface type if it has been discovered with SNMP, otherwise it is blank. For example, “GigabitEthernet0/1/0”.

Use the Add Filter button to add the following filters:

  • Client IP: The IP address of the side designated as the client in a conversation.

  • Server IP: The IP address of the side designated as the server in a conversation.

  • Application: The application name as reported by NBAR (Network Based Application Recognition) or enriched by NBAR cloud.

  • Server Location: The geo-location of the server's IP address.

  • Server Port: The port used by the server.

  • Protocol: The transport protocol used by the conversation (TCP, UDP, ICMP, IGMP, OSPFIGP).

  • Client Subnet Tag: Any subnet tag you have assigned to a client subnet.

  • Server Subnet Tag: Any subnet tag you have assigned to a server subnet.

View By

The View By selector differs from a filter in that it changes how and what data is represented, rather than narrowing the data set. Choose to view your data either by applications or conversations.

  • Applications: Shows volume of traffic and connections per application.

  • Conversations: Shows data exchanges between two endpoints (any two of a 4-tuple flow record: client IP, server IP, destination port, protocol).

Application View

An application refers to a grouping or class of applications as defined in your enterprise network using an application recognition engine (for example, Cisco NBAR) or by inference of the application's public IP using cloud intelligence (see Application Recognition for more information).

The view defaults to show a stacked area chart of the top ten applications by throughput for the chosen time period. Choose up to 12 applications for comparison, and turn on Total to see the graph-line showing total throughput for all applications. The applications displayed in the legend are also reflected in the table beneath the chart and when hovering over the chart. Change the metric to view the data sorted by that metric, in both chart and table. The table contains the following fields:

  • Application: Application identified for this traffic.

  • Total Throughput: Displayed based on the calculated traffic rate and percent of total throughput against all applications.

  • Downstream Throughput: Traffic from server to client.

  • Upstream Throughput: Traffic from client to server.

  • CPS (connections per second): Counts the rate of new TCP sessions initiated by a TCP initiation packet. If an initiation packet is not detected (for example, you are using a Meraki device or an SD-WAN solution for which this field is not included) or if the protocol is UDP, the counter is not available.

Conversation View

A conversation refers to the data exchange between two endpoints over one or more connections.

The view shows a histogram chart of your selected metric. The table beneath the chart shows the data in tabular form for the point in time you have chosen. The table contains the following fields:

  • Client: Client IP address.

  • Server: Server IP address or hostname, if available.

  • Server Port: Port on which server connection was established for this client connection.

  • Server Location: Location of the server.

  • Protocol: TCP or UDP.

  • Device: Device name of the router or switch that is configured to act as the traffic monitor for Traffic Insights. This is the network device that is sending network flow traffic data to the Enterprise Agent that has been enabled as a forwarder.

  • Client Interface: Interface that the traffic monitor is collecting traffic data from.

  • Server Interface: Interface that the traffic monitor is sending traffic data to.

  • Application: If your enterprise network is configured to perform application recognition, the Application column shows which application this traffic is associated with. The application types correspond to the application recognition that you have previously configured. Additionally, if the application data isn't included in the flow record, Traffic Insights attempts to infer the application based on its public IP.

  • CPS (connections per second): Counts the rate of new TCP sessions initiated by a TCP initiation packet. If an initiation packet is not detected (for example, you are using a Meraki device or an SD-WAN solution for which this field is not included) or if the protocol is UDP, the counter is not available.

  • Total Throughput: Displayed based on the calculated traffic rate and percent of upstream and downstream throughput generated by a conversation.

  • Throughput Trend: A spark line or mini-graph showing the last 30 minutes.

  • ... (ellipsis): Allows you to group the existing table by application.

Grouping

Unlike with the application view, the conversation view table also offers a grouping feature. You can use Group By to sort by multiple different aspects of the data.

You can choose up to two groupings, which sorts the table (from highest throughput to lowest) first by the first grouping category, then by the second. The available groupings are:

  • Client: Client IP address.

  • Device: Network device name where traffic monitor is hosted.

  • Application: Application traffic type.

  • No Grouping

  • Subnet Tag: Shows user-defined tags for client subnet.

  • Server: Server IP address.

  • Server Location: Shows city and country where server is located.

Metrics

The metrics you are able to choose from depend on your View By selection. The selected metric displays on the timeline and updates the table to sort by that metric. Throughput is displayed as bps (bits per second), Kbps (kilobits per second), Mbps (megabits per second), etc. depending on the calculated traffic rate. The applications view includes all of the following metrics. The conversations view includes only total throughput and connections per second.

  • Total Throughput: Represents the total volume of traffic.

  • Downstream Throughput: Represents the volume of downstream (server to client) traffic.

  • Upstream Throughput: Represents the volume of upstream (client to server) traffic.

  • Connections per second: Connections per second (CPS).

Alerts and Dashboards with Traffic Insights

You can configure alerts and dashboards for Traffic Insights using the same alert and dashboard components as for other ThousandEyes features.

To view which alert metrics are specific to Traffic Insights, see Traffic Insights Alerts.

To get started quickly with a dashboard for Traffic Insights, start with the Traffic Insights Flows dashboard template. See Traffic Insights Dashboard Template below for more detailed information about this template and Using the Dashboard Templates for information on where and how to deploy templates.

If you want to add Traffic Insights widgets to an existing dashboard, see Dashboard Widgets, which lists which widgets are available for Traffic Insights in its Widget Configuration Summary Table.

Traffic Insights Dashboard Template

The Traffic Insights Flows dashboard template can be customized to suit your specific requirements, whether before or after deployment, but comes with the following default widgets.

  • Netflow (Mean) - a number card widget. Provides a quick view of the overall health and delta for the following metrics:

    • Total Throughput

    • Downstream Throughput

    • Upstream Throughput

    • Connection Rate

  • Total Throughput (by Device) - a timeline widget.

  • Downstream Throughput, Upstream Throughput, and Connection Rate (by Device) - timeline widgets. Note that connection rate only populates for TCP flows. See Applying Filters for configuration options.

  • NetFlow App (Top 25) - a multi-metric table. See Configure Your NetFlow App (Top 25) Widget for configuration requirements.

  • Downstream Throughput, Upstream Throughput and Connection Rate by application - timeline widgets. Applying Filters can help to make the best sense of these charts.

  • Total Throughput (by Location) - a timeline widget.

  • Total Location Throughput (by Device) and Total Device Throughput (by Interface) - both color grid widgets.

You can customize any of the above widgets to your preferences by using the cog icon in the top right of the widget to open its edit pane.

Configure Your NetFlow App (Top 25) Widget

This widget defaults to sorting by application (alphabetical). For best results, and to view your “top talkers” (applications with the highest throughput), sort by total throughput instead, making the following adjustments:

  1. Click the cog icon on the top right of the widget to open the editing panel.

    Editing Multi Metric Table panel
  2. Update the Widget Title to “NetFlow App (Top 25)”.

  3. Click Rows to access the Design panel.

  4. Use the Sort By dropdown to select Total Throughput (Mean).

    The widget Design panel
    • The down arrow, selected by default, means “descending”. If you wanted to find the least used applications, you could click the up arrow (“ascending”).

  5. Additional adjustments could include:

    • The Rows are set to Application for the purposes of “top talkers”, but you could also choose from All, Geo Location, Device or Interface.

    • Show Comparison to Previous Timespan shows the data change delta below the metric between the current data set and the previous data set.

    • Limit To x rows allows you to adjust how many rows you view.

  6. Click Save.

Applying Filters

While you can apply filters to individual widgets via the cog icon, you can also apply filters to your whole dashboard, which you can then save for future reference. See Tailoring Dashboards with Dashboard Filters for instructions on how to select, save, and load saved filters to your dashboard. You can also save a filter as a default, and lock widget filters. For the Traffic Insights Flows template, the following dashboard filters are available (noting that Geo Location is already added by default):

  • Application

  • Device

  • Interface

The filters offer the following use case examples:

  • Geo Location: Filters all NetFlow data from specific locations; for example, you have NetFlow set up at a remote location like Homer, Alaska, where you have users experiencing an issue accessing your corporate application to book their deep-sea fishing trip. Once you select the locations, all of the dashboard's widgets are filtered to only show data from those locations.

  • Application: Lists all the applications that have been identified using NBAR (see Application Recognition for more information). Choose any number of applications to filter by. This can be especially useful for quickly troubleshooting network performance that you know is being caused by a specific application, or to narrow down applications that may be causing network performance issues.

  • Device: Filters by device name. For example, quickly isolate the flows shown in the dashboard to just the device or set of devices that you want to troubleshoot flow data for. Or if you had a particular set of devices in your data center that serve your critical applications for your warehouse, you could save a filter with them and use it for troubleshooting or share it with your support team as their warehouse application dashboard.

  • Interface: Filters by interface. For example, use this in conjunction with the device filter to isolate flow data for just a device and interface to understand the blast radius of a user infected with malware.

You can also move straight from the dashboard to Traffic Insights > Views, with all the relevant filters applied, to troubleshoot any issue you see on the dashboard. See Troubleshooting with Dashboard Drill Down to find out how.

Configure the Refresh Rate

The dashboard is set to refresh every 24 hours by default, yet you probably run tests far more frequently than that and need to view your enterprise traffic status more than once a day. To update your dashboard refresh frequency, we recommend selecting Last 1 hour from the top right frequency dropdown.

Refresh rate options
