Traffic Insights Views and Settings
This section describes the screens in the ThousandEyes user interface that are used for various configuration steps and for viewing results. For information about the FPS (flow record per second) monitoring screen, see Traffic Insights FPS Monitoring.
The following screens correspond to Step 1: Enable an Enterprise Agent of the Configuration Guide.
Traffic Insights supports two kinds of Enterprise Agents as flow forwarders: those hosted on a virtual appliance, and those hosted on the Cisco Application-Hosted Framework (CAF). See Flow Forwarder Requirements for more information and other Enterprise Agent requirements.
To check whether any of your existing Enterprise Agents are on a supported device, you can simply add a filter from the Enterprise Agent Settings screen.
Select the Enterprise Agents screen.
On the Agents tab, open the Add a Filter dropdown.
Select Installation Type.
In the subsequent filter dropdown, select Virtual Appliance and/or Cisco Application Hosting.
The list of agents automatically updates in line with the filters selected and the total appears to the right of the search field.
If no existing Enterprise Agents are on supported devices, click Add New Enterprise Agent on the top right of the screen and follow the prompts within the relevant article in the Enterprise Agent Installing section.
Once you have identified or installed an Enterprise Agent on a supported device that meets Traffic Insights compatibility requirements, you can enable it for flow forwarding.
The above Enterprise Agent settings screen corresponds to step 1.2 Enable Flow Forwarding on the Enterprise Agent of the Configuration Guide.
Turning on the Enterprise Agent’s flow forwarding capabilities is a necessary step to enable the agent to receive flow data from your flow exporter (traffic monitor) and forward this data to ThousandEyes.
Click the Enterprise Agents screen.
Select the agent you want to designate as a flow forwarder from the list to open the edit panel.
Select the Advanced Settings tab.
Scroll down to Agent Modules.
The Traffic Insights status of this agent shows as either Enabled or Disabled.
If it’s Disabled, click the Enable button and confirm.
Click Save Changes.
Now that you have forwarding enabled for Traffic Insights, you can keep track of the Enterprise Agents you use for forwarding via another Enterprise Agent filter. Follow steps 1-4 in Finding a Supported Agent but select Traffic Insights as the filter. Then select Enabled. All devices enabled for Traffic Insights are displayed.
Alternatively, view them on the Traffic Insights Forwarders screen. See Forwarders Screen below.
Step 2: Configure SNMP Device Discovery of the Configuration Guide requires you to discover and monitor the devices you will use as traffic monitors via SNMP. You can find instructions and relevant screens for this step in the Device Layer articles.
The ThousandEyes Traffic Insights screens cover allow-listing, forwarder enablement, and subnet tagging.
In Step 3: Configure Network Flow Data of the Configuration Guide, you set up network flows to transit through the devices you just discovered and monitored in step 2, and on to the forwarders you designated in step 1.
The following Traffic Insights Settings screens illustrate how to allow-list your new traffic monitors and configure the two optional settings: subnet tagging and external flow collecting.
The above allow-list screen corresponds to 3.4 Allow-List the Flow Device in ThousandEyes of the Configuration Guide.
Go to Traffic Insights > Settings.
The Traffic Monitors tab shows your network devices (traffic monitors) that have been successfully configured to export network flows.
Allow-list your monitors in one of three ways:
To allow-list all monitors, click Allow All in the warning box at the top of the screen.
To allow-list a selection, check the boxes next to the monitors you want to allow and click Allow at the bottom of the screen.
To allow-list an individual monitor, click the ellipsis on an agent’s row, and select Allow.
Once allow-listed, view and manage your traffic monitors on the Traffic Monitors screen.
Columns:
Network Device IP: Identifies the network device that is acting as a traffic monitor and is already sending flow data to an Enterprise Agent.
Network Device Name: Optional field, if a device name was configured on the device itself and SNMP device discovery has been completed. See Device Layer Screens for more information.
Enterprise Agent: Enterprise Agent name as configured in ThousandEyes Agent Settings.
Site: Optional user-defined site name where this traffic monitor is located. Open each monitor's edit panel on the Traffic Monitor screen to edit.
Geo Location: Optional country and region where this traffic monitor is located. Defaults to the location of the forwarder the monitor exports to. Open each monitor's edit panel on the Traffic Monitor screen to edit.
Status: Either Allowed or Not Allowed.
Last Active (UTC): Date and time that this traffic monitor sent flow data to ThousandEyes.
FPS (Peak): Flow records per second sent from the traffic monitor that might be forwarded to the ThousandEyes platform if allowed. Shows average and peak values.
Unsupported FPS (Peak): Flow records per second sent from the traffic monitor and discarded due to unsupported format. Shows average and peak values.
The Forwarders screen lists the Enterprise Agents you have enabled for flow forwarding. You can find instructions on how to install and enable Enterprise Agents at Enterprise Agents Settings Screens. Below, we explain how to view and manage your forwarders.
The Forwarders screen shows traffic flowing through each Enterprise Agent in the time frame chosen.
Columns:
Agent Name: The ThousandEyes Enterprise Agent name.
Listening Ports: TCP and UDP listening ports, editable on the Edit screen.
External Collector: Optional; enable on the Edit screen.
UDP Ingress: Kbps and packets per second.
TCP Ingress: Kbps and packets per second.
Dropped Events: Number of dropped packets.
Egress: Kbps.
External Collector Mirrored: Kbps.
FPS (Peak): Flow records per second received by the agent and forwarded to the ThousandEyes platform. Shows average and peak values.
Unsupported FPS (Peak): Flow records per second received by the agent and discarded due to unsupported format. Shows average and peak values.
If you already collect flow data into a collector, you can add an external flow collector to the ThousandEyes flow process via the External Collector Management panel and Edit panel of the Forwarders screen. These screens correspond to Configure External Flow Collectors in the Configuration Guide. You can also edit the listening ports for your forwarders via this screen.
External Collector Management Panel
Go to Traffic Insights > Settings.
Select the Forwarders screen.
Click External Collector Management in the top right.
In the panel, click + Add New External Collector.
Enter the collector's name, IP address and port.
Click Save.
Edit Forwarder Panel
Go to Traffic Insights > Settings.
Select the Forwarders screen.
On your chosen forwarder, click the ellipsis and select Edit.
In the edit panel, change the TCP or UDP listening ports, and/or
Enable an external collector by sliding the toggle to Enabled.
Select the external collector from the subsequent dropdown.
Click Save.
The Subnet Tags screen corresponds to Create Subnet Tags in the Configuration Guide.
Subnet tagging is a way of labeling IP address ranges within ThousandEyes, in order to filter by subnets or tags in the Traffic Insights data view. One way to use this is to identify network traffic flows that are associated with IP address ranges assigned to certain user groups or departments.
For example, you can use a subnet tag of “Engineering”. Meanwhile, application recognition on your network might classify a traffic conversation as “AWS”. Then through the Traffic Insights view, you'd be able to see when a big surge of AWS traffic starts coming from Engineering.
Columns:
Subnet Name: A unique name provided for this subnet using + Create Subnets. Note that the name is not the same as the subnet tags, which are re-usable.
Subnet: The IP address range associated with this subnet, for example 192.168.110.0/24.
Type: Subnet type is either Client or Server.
Tags: One or more tags assigned to this subnet.
Created By: The ThousandEyes user who created this subnet.
Created On: Date this subnet was created.
Modified By: ThousandEyes user who last modified this subnet.
Modified On: Date this subnet was last modified.
Subnet tagging configuration in Traffic Insights requires prior configuration of your IP subnets on your network. Within Traffic Insights, you can choose whether those subnets are identified by client or by server.
With client subnet tagging, the tag is assigned if the client’s IP matches the IP range specified for the subnet tag. With server subnet tagging, the tag is assigned if the server’s IP matches the subnet.
Client subnet tagging allows you to mark/tag your clients or the originating source.
Server subnet tagging enables you to mark the resources or targets used in your network.
Fields required for creating a subnet tag are:
Subnet Name: Enter a descriptive name such as “Engineering” or “guest wi-fi”.
Subnets: Enter one or more IP addresses or address ranges. Both IPv4 and IPv6 addressing are supported. For example, 1.1.1.1/12 or 2620:0:860:2::/64.
Type: Choose either Client or Server as the subnet type.
Choose Tags: Use + Add Tags to create new tags and associate them with this subnet. To choose one or more existing tags, click in the text box to see a pop-up searchable list with check boxes.
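The client/server matching rule and the subnet fields above, as an added sketch (not ThousandEyes code): it shows which tags a flow would pick up given a set of subnet definitions, so a planned tag layout can be checked against sample conversations before it is entered. `SubnetDef`, `tags_for_flow`, the sample definitions, and normalising an entry with host bits set (such as 1.1.1.1/12) to its network address are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SubnetDef:
    """One row of the Subnet Tags screen (hypothetical model for this example)."""
    name: str       # Subnet Name, unique per definition
    subnets: tuple  # one or more IPv4/IPv6 addresses or ranges, as strings
    kind: str       # Type: "Client" or "Server"
    tags: tuple     # re-usable tags attached to this subnet

    def __post_init__(self):
        if self.kind not in ("Client", "Server"):
            raise ValueError(f"{self.name}: Type must be Client or Server")

    def networks(self):
        # strict=False accepts entries with host bits set, e.g. 1.1.1.1/12,
        # and treats them as 1.0.0.0/12 (assumption made by this example).
        return [ipaddress.ip_network(s, strict=False) for s in self.subnets]


def tags_for_flow(client_ip, server_ip, definitions):
    """Return the tags a conversation receives on its client and server side."""
    addrs = {"Client": ipaddress.ip_address(client_ip),
             "Server": ipaddress.ip_address(server_ip)}
    found = {"client": set(), "server": set()}
    for d in definitions:
        addr = addrs[d.kind]  # a Client subnet is only compared to the client IP
        if any(addr.version == n.version and addr in n for n in d.networks()):
            found[d.kind.lower()].update(d.tags)
    return {side: sorted(tags) for side, tags in found.items()}


# Constructed sample definitions; the ranges reuse the examples on this page.
SAMPLE_DEFS = [
    SubnetDef("Engineering", ("192.168.110.0/24",), "Client", ("Engineering",)),
    SubnetDef("guest wi-fi", ("10.20.0.0/16",), "Client", ("Guest",)),
    SubnetDef("dc-v6", ("2620:0:860:2::/64",), "Server", ("Datacenter",)),
    SubnetDef("wide-v4", ("1.1.1.1/12",), "Server", ("Public",)),
]

if __name__ == "__main__":
    # Engineering client talking to a server inside 1.0.0.0/12
    print(tags_for_flow("192.168.110.25", "1.2.3.4", SAMPLE_DEFS))
    # Same addresses with roles swapped: neither definition applies
    print(tags_for_flow("1.2.3.4", "192.168.110.25", SAMPLE_DEFS))
```

The swapped-role case returns no tags on either side, which is the practical consequence of the Type field: a range defined only as Client is never matched against a server address.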
Tags Management lists and tracks your subnet tags (labels). Each tag shows the number of subnets associated. Use the Edit subnet ellipsis on the Subnet Tagging Screen to add or remove tags from that subnet.
This screen is a rollup of your total network traffic by app across your entire enterprise network.
The default screen shows a stacked chart of a selection of your applications across a 24-hour period, with a new sampling point every 10 minutes. The table shows what happened in your selected time point for throughput (total, downstream, or upstream) or connections.
The Traffic Insights Views landing screen includes the following filters:
Traffic Monitor Locations: Refers to the location of the network devices that are sending NetFlow to a ThousandEyes Enterprise Agent. This shows the location of the forwarder it exports to by default, but you can change the location settings (country and region) by opening the edit panel for each monitor on the Traffic Monitor screen.
Forwarding Agents: Refers to the name of the Enterprise Agent that receives network flow data.
Device: Refers to the device name or IP address of the network device where your traffic monitor is hosted.
Interface: Refers to the interface type if it has been discovered with SNMP, otherwise it is blank. For example, “GigabitEthernet0/1/0”.
The selected metric displays on the timeline. Throughput is displayed as bps (bits per second), Kbps (kilobits per second), Mbps (megabits per second), etc. depending on the calculated traffic rate.
Total Throughput: Represents the total volume of traffic.
Downstream Throughput: Represents the volume of downstream (server to client) traffic.
Upstream Throughput: Represents the volume of upstream (client to server) traffic.
Connections per second: Connections per second (CPS).
The Traffic Insights view timeline works similarly to other ThousandEyes data views.
Use the top swimlane control to show a detailed timeline, covering up to the past 30 days, in the chart beneath.
Detail shows traffic flow data down to 10-minute increments.
Below the timeline and filter areas is a detail table that changes depending on the Group By selection. Note that the data in the table is only within the 10-minute window immediately behind the pointer in the timeline. If you change the time range to 7 days, or 30 days, the table data will not change.
For the detail table below the stacked chart, a drop-down offers the following Group By options:
Applications: Shows volume of traffic and connections per application.
Conversations: Refers to a data exchange between two endpoints, occurring over one or more network connections, for example applications that use multiple channels for communication.
Application Path: Shows application traffic to/from tagged subnets, passing through a particular network device and interface.
Custom: Lets you choose what to show in the table from local (client) and remote (server) networks.
The Views screen defaults to group by applications. Note that when you choose to group by any other option, the view changes from a stacked chart to a bar chart, showing upstream and downstream simultaneously. You can view these screens in the following “Group By” sections.
An application refers to a grouping or class of applications as defined in your enterprise network using application recognition or by inference of the application's public IP.
Application: Application identified for this traffic.
Total Throughput: Displayed based on the calculated traffic rate and percent of total throughput against all applications.
Downstream Throughput: Traffic from server to client.
Upstream Throughput: Traffic from client to server.
CPS (connections per second): Counts the rate of new TCP sessions initiated by a TCP initiation packet. If an initiation packet is not detected (for example, you are using a Meraki device or an SD-WAN solution for which this field is not included) or if the protocol is UDP, the counter is not available.
A conversation refers to the data exchange between two endpoints over one or more connections.
Client: Client IP address.
Server: Server IP address or hostname, if available.
Server Port: Port on which server connection was established for this client connection.
Server Location: Location of the server.
Protocol: TCP or UDP.
Device: Device name of the router or switch that is configured to act as the traffic monitor for Traffic Insights. This is the network device that is sending network flow traffic data to the Enterprise Agent that has been enabled as a forwarder.
Client Interface: Interface that the traffic monitor is collecting traffic data from.
Server Interface: Interface that the traffic monitor is sending traffic data to.
Application: If your enterprise network is configured to perform application recognition, the Application column shows which application this traffic is associated with. The application types correspond to the application recognition that you have previously configured. Additionally, if the application data isn't included in the flow record, Traffic Insights attempts to infer the application based on its public IP.
CPS (connections per second): Counts the rate of new TCP sessions initiated by a TCP initiation packet. If an initiation packet is not detected (for example, you are using a Meraki device or an SD-WAN solution for which this field is not included) or if the protocol is UDP, the counter is not available.
Total Throughput: Displayed based on the calculated traffic rate and percent of upstream and downstream throughput generated by a conversation.
Throughput Trend: A spark line or mini-graph showing the last 30 minutes.
... (ellipsis): Allows you to group the existing table by application.
Application Path refers to application traffic to/from tagged subnets, passing through a particular network device and interface.
Client Subnet Tags: Lists all the tags that you’ve created to identify your subnets as described in Subnet Tagging Screen. The subnets themselves also need to be identified in ThousandEyes as client or server.
Server Subnet Tags: See above.
Device: Name of network device that hosts the traffic monitor.
Client Interface: Interface that the traffic monitor is collecting traffic data from.
Server Interface: Interface that the traffic monitor is sending traffic data to.
Application: Application identified for this traffic.
Clients: Number of clients.
Servers: Number of servers.
Total Throughput: Displayed based on the calculated rate of traffic and percent of total throughput against all applications.
CPS (connections per second): Counts the rate of new TCP sessions initiated by a TCP initiation packet. If an initiation packet is not detected (for example, you are using a Meraki device or an SD-WAN solution for which this field is not included) or if the protocol is UDP, the counter is not available.
... (ellipsis): Allows you to group the existing table by application.
Local Network
Client: Client IP address.
Device: Network device name where traffic monitor is hosted.
Application: Application traffic type.
Subnet Tag: Shows user-defined tags for client subnet.
Remote Network
Server: Server IP address.
Location: Shows the city and country where the server is located.
Application: Application traffic type.
Subnet Tag: Shows user-defined tags for server subnet.
You can configure alerts and dashboards for Traffic Insights using the same alert and dashboard components as for other ThousandEyes features.
To view which alert metrics are specific to Traffic Insights, see Traffic Insights Alerts.
For information on getting started quickly with a dashboard for Traffic Insights, see Using the Dashboard Templates.
If you want to add Traffic Insights widgets to an existing dashboard, see Dashboard Widgets, which lists which widgets are available for Traffic Insights in its Widget Configuration Summary Table.