Viewing Traffic Insights Data

View your Traffic Insights data at Traffic Insights > Views. This screen is a rollup of your total network traffic by application or conversation across your entire enterprise network.

Views landing screen

The default screen shows a stacked area chart of your ten highest-throughput applications across a 24-hour period, with a new sampling point every 5 minutes (see View By for more information about the stacked chart). Move the sample slider back for a view of up to the last 30 days. The table shows what happened in your selected time point for throughput (total, downstream, or upstream) or connections per second.

For the fullest traffic analysis, including "top talkers", comparison of different time-spans, and different data visualizations (for example, pie charts, build-your-own tables and color grids, etc.), we recommend you use the Traffic Insights Flows dashboard template, which you can customize to your needs, or create a dashboard of your own. See Traffic Insights Alerts and Dashboards for more information.

Timeline

The Traffic Insights Views timeline works similarly to other ThousandEyes data views.

  • Use the top swimlane control to show a detailed timeline in the chart beneath up to the past 30 days.

  • Detail shows traffic flow data down to 5-minute increments.

  • Hover over any time point in the chart for a breakdown of total throughput.

Table

As with the timeline, the Traffic Insights data table works similarly to other ThousandEyes data tables, with the following features.

  • The table data is automatically updated by changes made to the fields in the global selectors. For example, the table is automatically sorted by the selected metric.

  • You can change the sort order of the table by any column, ascending or descending. You can only sort by one column at a time (except when using grouping - see View By for more information).

Note that the table only shows data within the 5-minute window immediately behind the pointer in the timeline. If you change the time range to 7 days, or 30 days, the table data will not change.

Further information about the Traffic Insights data table is provided below in Global Selectors.

Global Selectors

The Traffic Insights Views landing screen includes a number of global selectors across the top that, when changed, affect the data displayed in both the chart and table beneath. These are the Filters, View By, and Metrics selectors.

Filters

Use the filters to narrow down the data set along many different categories. The default filters include:

  • Traffic Monitor Locations: Refers to the location of the network devices that are sending network flows to a forwarder. This shows the location of the forwarder it exports to by default, but you can change the location settings (country and region) by opening the edit panel for each monitor on the Traffic Monitors screen.

  • Forwarding Agents: Refers to the name of the forwarder that receives network flow data.

  • Device: Refers to the device name or IP address of the traffic monitor.

  • Interface: Refers to the interface type if it has been discovered with SNMP, otherwise it is blank. For example, “GigabitEthernet0/1/0”.

Use the Add Filter button to add the following filters:

  • Client IP: The IP address of the side designated as the client in a conversation.

  • Server IP: The IP address of the side designated as the server in a conversation.

  • Application: The application name as reported by NBAR (Network Based Application Recognition) or enriched by NBAR cloud.

  • Server Location: The geo-location of the server's IP address.

  • Server Port: The port used by the server.

  • Protocol: The transport protocol used by the conversation (TCP, UDP, ICMP, IGMP, OSPFIGP).

  • Client Subnet Tag: Any subnet tag you have assigned to a client subnet.

  • Server Subnet Tag: Any subnet tag you have assigned to a server subnet.

View By

The View By selector differs from a filter in that it changes how and what data is represented, rather than narrowing the data set. Choose to view your data either by applications or conversations.

  • Applications: Shows volume of traffic and connections per application.

  • Conversations: Shows data exchanges between two endpoints (any two of a 4-tuple flow record: client IP, server IP, destination port, protocol).

Application View

An application refers to a grouping or class of applications as defined in your enterprise network using an application recognition engine (for example, Cisco NBAR) or by inference of the application's public IP using cloud intelligence (see Initiating and Understanding Application Recognition for more information).

The view defaults to show a stacked area chart of the top ten applications by throughput for the chosen time period. Choose up to 12 applications for comparison, and turn on Total to see the graph-line showing total throughput for all applications. The applications displayed in the legend are also reflected in the table beneath the chart and when hovering over the chart. Change the metric to view the data sorted by that metric, in both chart and table. The table contains the following fields:

  • Application: Application identified for this traffic.

  • Total Throughput: Displayed based on the calculated traffic rate and percent of total throughput against all applications.

  • Downstream Throughput: Traffic from server to client.

  • Upstream Throughput: Traffic from client to server.

  • CPS (connections per second): Counts the rate of new TCP sessions initiated by a TCP initiation packet. If an initiation packet is not detected (for example, you are using a Meraki device or an SD-WAN solution for which this field is not included) or if the protocol is UDP, the counter is not available.

Conversation View

A conversation refers to the data exchange between two endpoints over one or more connections.

The view shows a histogram chart of your selected metric. The table beneath the chart shows the data in tabular form for the point in time you have chosen. The table contains the following fields:

  • Client: Client IP address.

  • Server: Server IP address or hostname, if available.

  • Server Port: Port on which server connection was established for this client connection.

  • Server Location: Location of the server.

  • Protocol: TCP or UDP.

  • Device: Device name of the router or switch that is configured to act as the traffic monitor for Traffic Insights. This is the network device that is sending network flow traffic data to the Enterprise Agent that has been enabled as a forwarder.

  • Client Interface: Interface that the traffic monitor is collecting traffic data from.

  • Server Interface: Interface that the traffic monitor is sending traffic data to.

  • Application: If your enterprise network is configured to perform application recognition, the Application column shows which application this traffic is associated with. The application types correspond to the application recognition that you have previously configured. Additionally, if the application data isn't included in the flow record Traffic Insights attempts to infer the application based on its public IP.

  • CPS (connections per second): Counts the rate of new TCP sessions initiated by a TCP initiation packet. If an initiation packet is not detected (for example, you are using a Meraki device or an SD-WAN solution for which this field is not included) or if the protocol is UDP, the counter is not available.

  • Total Throughput: Displayed based on the calculated traffic rate and percent of upstream and downstream throughput generated by a conversation.

  • Throughput Trend: A spark line or mini-graph showing the last 30 minutes.

  • ... (ellipsis): Allows you to group existing table by application.

Grouping

Unlike with the application view, the conversation view table also offers a grouping feature. You can use Group By to sort by multiple different aspects of the data.

You can choose up to two groupings, which sorts the table (from highest throughput to lowest) first by the first grouping category, then by the second. The available groupings are:

  • Client: Client IP address.

  • Device: Network device name where traffic monitor is hosted.

  • Application: Application traffic type.

  • No Grouping

  • Subnet Tag: Shows user-defined tags for client subnet.

  • Server: Server IP address.

  • Server Location: Shows city and country where server is located.

Metrics

The metrics you are able to choose from depend on your View By selection. The selected metric displays on the timeline and updates the table to sort by that metric. Throughput is displayed as bps (bits per second), Kbps (kilobits per second), Mbps (megabits per second), etc. depending on the calculated traffic rate. The applications view includes all of the following metrics. The conversations view includes only total throughput and connections per second.

  • Total Throughput: Represents the total volume of traffic.

  • Downstream Throughput: Represents the volume of downstream (server to client) traffic.

  • Upstream Throughput: Represents the volume of upstream (client to server) traffic.

  • Connections per second: Connections per second (CPS).

PreviousConnecting Optional External CollectorsNextTraffic Insights Alerts and Dashboards

Last updated