7.4. Tuning options
This section describes options available to tweak flow handling.
7.4.1 Packet capture vs Netflow
The primary differences between them are :
| Packet capture mode | Netflow mode |
|---|---|
| reconstructs TCP sessions from network traffic | uses uni-directional netflow records to construct a single bi-directional one |
| creates and stores a single bi-directional flow record | de-duplicates by pinning a flow to the first router reporting it |
| flows are subordinates to traffic metering because we meter each packet directly | traffic metering is subordinate to flows because we extract metering information from flows |
| reassembles TCP flows and extracts resource identifiers and additional traffic metering | not available |
7.4.2 Optimize flow handling
In the rare cases where you need to customize flow handling :
Login as
admin and select Context:default → profile0 → Session GroupsDescription of flow handling and tuning parameters
| Option | Default Value | Description |
|---|---|---|
| Time out | 120 (seconds) | Time out interval. If a flow is inactive for this many seconds it is presumed to have been terminated. It will be treated as another flow if it resumes later than this timeout. |
| TrackHiWater | 2000 | Highest threshold value (internal tuning parameter) |
| TrackLoWater | 1000 | Lowest threshold value (internal tuning parameter) |
| Active Tracking Age Limit | 30 | Periodically update database with ongoing flows this many seconds. You can set this to zero to only store completed flows, but keep in mind that long lived flows will not be seen until they terminate. |
| Volume Cutoff Bytes | 100 | Do not store flows that have not transferred a total of this many bytes in both directions combined. This includes ethernet and ip headers. |
| Status | Active | Shows whether the session group is enabled or disabled |