What is Flowalyzer? How to Analyze NetFlow Data Efficiently


Step-by-Step: Troubleshooting Network Traffic with Flowalyzer

Network congestion, unauthorized bandwidth consumption, and intermittent slow-downs can disrupt critical business operations. When standard ping tests and traceroutes fail to isolate the root cause, network administrators turn to NetFlow, sFlow, and IPFIX analyzers. Flowalyzer is a specialized tool designed to test, validate, and troubleshoot network flow data.

This guide provides a systematic approach to diagnosing and resolving network traffic anomalies using Flowalyzer.

Phase 1: Validating Flow Exporter Configuration

Before analyzing traffic patterns, you must ensure that your network devices (routers, switches, firewalls) are actively and correctly sending flow data to your collection server.

Launch Flowalyzer: Open the application interface on your management workstation.

Select the Listener Tab: Navigate to the configuration or listener section to monitor incoming ports.

Verify Port Settings: Ensure Flowalyzer is listening on the same ports configured on your exporting devices. Common defaults include:

NetFlow v5 / v9: Port 2055 or 9996

sFlow: Port 6343

IPFIX: Port 4739

Check the Exporter List: Observe the active dashboard to verify if the IP addresses of your core routers or firewalls appear.

Analyze Packet Count: If the device is listed but the packet count remains at zero, verify that access control lists (ACLs) or local firewalls are not blocking UDP traffic on the specified ports.
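The Phase 1 checks as an added Python example, not Flowalyzer's own code: it decodes the NetFlow v5 header from datagrams a UDP listener would receive, counts packets and flows per exporter, and reports configured exporters that never send. The expected-exporter list, the port table and the sample datagrams are constructed assumptions.

```python
import struct

# NetFlow v5 header (24 bytes, big-endian): version, count, sys_uptime, unix_secs,
# unix_nsecs, flow_sequence, engine_type, engine_id, sampling_interval
V5_HEADER = struct.Struct(">HHIIIIBBH")
V5_RECORD_LEN = 48
MAX_V5_RECORDS = 30  # a v5 datagram never carries more than 30 flow records

# Listener ports from the guide, as an assumed collector configuration
LISTEN_PORTS = {"netflow": (2055, 9996), "sflow": (6343,), "ipfix": (4739,)}

def parse_v5_header(datagram):
    """Return header fields of a NetFlow v5 datagram, or None if it is not well-formed v5."""
    if len(datagram) < V5_HEADER.size:
        return None
    version, count, _uptime, _secs, _nsecs, seq, _etype, eid, sampling = V5_HEADER.unpack_from(datagram)
    if version != 5 or count > MAX_V5_RECORDS:
        return None
    if len(datagram) < V5_HEADER.size + count * V5_RECORD_LEN:
        return None  # truncated: record count does not match payload length
    return {"count": count, "flow_sequence": seq, "engine_id": eid, "sampling": sampling & 0x3FFF}

def exporter_status(expected_exporters, datagrams):
    """datagrams: iterable of (source_ip, udp_dst_port, payload) as a UDP listener sees them.
    Returns per-exporter counters; configured exporters that never send stay at zero."""
    stats = {ip: {"packets": 0, "flows": 0, "bad": 0} for ip in expected_exporters}
    for src_ip, port, payload in datagrams:
        if port not in LISTEN_PORTS["netflow"]:
            continue  # sFlow/IPFIX ports need their own decoders; skipped in this example
        entry = stats.setdefault(src_ip, {"packets": 0, "flows": 0, "bad": 0})
        hdr = parse_v5_header(payload)
        if hdr is None:
            entry["bad"] += 1  # wrong version or malformed: exporter/collector version mismatch
            continue
        entry["packets"] += 1
        entry["flows"] += hdr["count"]
    return stats

def silent_exporters(stats):
    """Exporters with zero good packets: check ACLs and the host firewall on the UDP port."""
    return sorted(ip for ip, s in stats.items() if s["packets"] == 0)

def make_v5_datagram(count, seq, version=5):
    """Constructed test datagram with `count` zero-filled records (not captured traffic)."""
    header = V5_HEADER.pack(version, count, 1000, 1700000000, 0, seq, 0, 1, 0)
    return header + b"\x00" * (count * V5_RECORD_LEN)
```

A device that appears only in the `bad` column is sending a version the listener does not decode, which is a different fix from a blocked port.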

Phase 2: Isolating Bandwidth Hogs (Top Talkers)

Once data verification is complete, the next step is identifying which hosts or protocols are saturating your WAN or LAN links.

Access the Top Talkers Dashboard: Open the primary traffic analysis view.

Filter by Interface: Select the specific inbound or outbound interface experiencing high utilization.

Sort by Volume: Order the active connections by total bytes transferred rather than packet count. This separates high-bandwidth file transfers from low-bandwidth, high-packet applications like VoIP.

Identify the Source and Destination: Note the IP addresses consuming the highest percentage of the pipe.

Perform a DNS Lookup: Use Flowalyzer’s built-in NSLookup tool to resolve the external destination IP addresses. This helps determine if the traffic belongs to a legitimate cloud service (e.g., AWS, Microsoft 365) or an unauthorized streaming/peer-to-peer network.

Phase 3: Analyzing Protocols and Applications

If individual host IPs do not immediately reveal the problem, analyzing the transport layer protocols and port numbers will clarify what type of traffic is dominating the network.

Navigate to the Protocol Breakdown View: Look at the distribution graphs (pie charts or bar charts) within the application.

Isolate Non-Standard Ports: Look for high volumes of traffic bound for high-numbered unassigned ports, which frequently indicate custom applications, malware activity, or tunneling protocols.

Check Well-Known Services:

TCP 80: Standard web traffic or cloud synchronization.

TCP 445: Internal Server Message Block (SMB) traffic, which may indicate a large internal file migration or potential ransomware propagation.

UDP 53: Excessive DNS traffic, which could point to a misconfigured internal server or a DNS amplification attack.

Cross-Reference with Timeframes: Utilize the time-window slider to pinpoint exactly when the protocol spike began.
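Phases 2 and 3 as one added example (Python, not Flowalyzer's code): it decodes NetFlow v5 flow records from a constructed datagram, ranks source/destination pairs by bytes rather than packets, breaks traffic down by protocol and destination port, and totals bytes sent to ports above the IANA assigned range. The addresses, interface numbers and volumes in SAMPLE are invented.

```python
import struct
import socket
from collections import Counter

# NetFlow v5 flow record layout (48 bytes, big-endian); the 24-byte header precedes the records
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")
IANA_ASSIGNED_MAX = 49151  # ports above this are dynamic/private and never officially assigned
PROTO = {6: "TCP", 17: "UDP", 1: "ICMP"}

def parse_v5_records(datagram):
    """Yield flow dicts from the record area of a v5 datagram (input assumed well-formed)."""
    count = struct.unpack_from(">H", datagram, 2)[0]
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, 24 + i * V5_RECORD.size)
        yield {"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
               "in_if": f[3], "out_if": f[4], "pkts": f[5], "bytes": f[6],
               "sport": f[9], "dport": f[10], "flags": f[12], "proto": f[13]}

def top_talkers(flows, interface=None, n=5):
    """Bytes per (src, dst) pair, optionally restricted to one input interface (Phase 2)."""
    vol = Counter()
    for fl in flows:
        if interface is None or fl["in_if"] == interface:
            vol[(fl["src"], fl["dst"])] += fl["bytes"]
    return vol.most_common(n)

def service_breakdown(flows):
    """Bytes per (protocol, dport) so services such as TCP 445 or UDP 53 stand out (Phase 3)."""
    vol = Counter()
    for fl in flows:
        vol[(PROTO.get(fl["proto"], str(fl["proto"])), fl["dport"])] += fl["bytes"]
    return vol.most_common()

def nonstandard_port_bytes(flows):
    """Bytes sent to destination ports above the IANA assigned range."""
    return sum(fl["bytes"] for fl in flows if fl["dport"] > IANA_ASSIGNED_MAX)

def make_record(src, dst, in_if, pkts, nbytes, sport, dport, proto, flags=0):
    return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4, in_if, 0,
                          pkts, nbytes, 0, 0, sport, dport, 0, flags, proto, 0, 0, 0, 0, 0, 0)

# Constructed sample: one SMB transfer, one bulk upload to a high port, one VoIP-like stream
SAMPLE = struct.pack(">HHIIIIBBH", 5, 3, 0, 0, 0, 1, 0, 0, 0) + b"".join([
    make_record("10.1.1.5", "10.1.1.20", 1, 800, 900_000, 51000, 445, 6),
    make_record("10.1.1.7", "203.0.113.9", 2, 500, 600_000, 52000, 60000, 6),
    make_record("10.1.1.9", "10.1.2.2", 1, 5000, 100_000, 5004, 5004, 17),
])
```

The VoIP-like flow has the most packets but the fewest bytes, which is why the guide sorts by volume rather than packet count.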

Phase 4: Investigating Network Latency and Packet Drops

Flowalyzer can help determine whether network sluggishness is caused by sheer volume or underlying transport issues.

Review TCP Flag Distributions: Look at the ratio of SYN, ACK, RST, and FIN flags in the flow records.

Identify High RST (Reset) Counts: A sudden spike in TCP RST packets typically indicates that connections are being forcefully terminated. This points to a firewall blocking traffic, a server rejecting connections, or a scanning tool probing the network.

Monitor Flow Sequence Numbers: Check for gaps or out-of-sequence flow data notifications within Flowalyzer’s event logs. Gaps suggest that the collector host itself is overwhelmed and dropping flow packets, or that intermediate network links are congested.
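Phase 4 as an added example (Python, not part of Flowalyzer), working on already-decoded flow records: it tallies which TCP flags flows carried, finds time windows where RST-terminated flows exceed a threshold, and detects lost datagrams from NetFlow v5 flow_sequence values. The threshold, window size and sample records are assumptions.

```python
from collections import Counter

# TCP flag bits as they appear in the NetFlow v5 tcp_flags byte (OR of all packets in the flow)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

def flag_distribution(flows):
    """Count how many flows carried each flag (one flow can carry several)."""
    dist = Counter()
    for fl in flows:
        for name, bit in (("SYN", SYN), ("ACK", ACK), ("RST", RST), ("FIN", FIN)):
            if fl["flags"] & bit:
                dist[name] += 1
    return dist

def rst_spike_windows(flows, window_s=60, threshold=0.3):
    """Return window start times where the share of RST-terminated flows exceeds threshold.
    flows: dicts with 'first' (epoch seconds) and 'flags'. Many SYN+RST flows without ACK look like
    rejected or probed connections; ACK+RST looks like mid-session teardown."""
    per_window = {}
    for fl in flows:
        w = fl["first"] // window_s * window_s
        total, rst = per_window.get(w, (0, 0))
        per_window[w] = (total + 1, rst + (1 if fl["flags"] & RST else 0))
    return sorted(w for w, (total, rst) in per_window.items() if total and rst / total > threshold)

def sequence_gaps(headers):
    """headers: (exporter, flow_sequence, count) per datagram in arrival order.
    v5 flow_sequence is the total number of flows the exporter sent before this datagram, so the
    next expected value is seq + count; a larger value means datagrams were lost on the way."""
    expected, lost = {}, {}
    for exporter, seq, count in headers:
        if exporter in expected and seq > expected[exporter]:
            lost[exporter] = lost.get(exporter, 0) + (seq - expected[exporter])
        expected[exporter] = seq + count
    return lost

# Constructed sample: a quiet minute followed by a minute with six SYN+RST rejections
SAMPLE_FLOWS = (
    [{"first": 1000 + i, "flags": SYN | ACK | FIN} for i in range(10)]
    + [{"first": 1100 + i, "flags": SYN | ACK | FIN} for i in range(4)]
    + [{"first": 1100 + i, "flags": SYN | RST} for i in range(6)]
)
# Constructed sample headers: exporter 10.0.0.1 skips from 60 to 90, i.e. 30 flows never arrived
SAMPLE_HEADERS = [("10.0.0.1", 0, 30), ("10.0.0.1", 30, 30), ("10.0.0.1", 90, 30), ("10.0.0.2", 5, 10)]
```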

Phase 5: Remediating and Monitoring

After identifying the source, protocol, and cause of the traffic anomaly, implement remediation steps and use Flowalyzer to confirm success.

Apply Traffic Control Measures: Depending on your findings, apply rate-limiting on the switch/router, block the malicious IP at the firewall, or adjust Quality of Service (QoS) policies.

Clear the Active View: Refresh or clear the current session cache in Flowalyzer.

Verify Traffic Reduction: Monitor the targeted interface for 10 to 15 minutes. Confirm that the offending IP address or protocol drops off the “Top Talkers” list and that total bandwidth utilization returns to baseline operational levels.