• /
  • Log in
  • Free account

Set up network flow data monitoring

Set up your network devices so they send network data to New Relic One.

Prerequisites

New Relic One account prerequisites

Linux host prerequisites

  • Docker installed in a Linux host.
  • SSH access to the Docker host, with the ability to launch new containers.

Network flow data devices prerequisites

Network security prerequisites

Direction

Source

Destination

Ports

Protocol

Outbound

Docker host

ktranslate image on Docker Hub

443

TCP

Outbound

Docker host

New Relic Event API US Endpoint: https://insights-collector.newrelic.com EU Endpoint: https://insights-collector.eu01.nr-data.net

443

TCP

Outbound

Docker host

New Relic Log API US Endpoint: https://log-api.newrelic.com EU Endpoint: https://log-api.eu.newrelic.com

443

TCP

Inbound

Source devices for network flow data

Docker host

9995 (default)

UDP

Supported types of network flow data

NPM flow monitoring supports the four primary types of network flow data and their derivatives. When running the ktranslate container, you will specify which major type you want to monitor using the -nf.source option.

Important

The ktranslate container only supports monitoring one type of network flow data type at a time. If you want to monitor several types, each will require a container.

IPFIX and NetFlow v9 can be sent to the same container, but we recommend running a separate container as a best practice.

Network flow data type

-nf.source value

IPFIX

ipfix

NetFlow v5

netflow5

NetFlow v9

netflow9

sFlow

sflow

AppFlow

netflow5

Argus

netflow5

cflowd

netflow5

J-Flow

netflow5

NetStream

netflow5

RFlow

netflow5

Cisco NSEL

netflow9

Scaling network flow collection

When planning your strategy for collecting network flows at scale, New Relic recommends 1 CPU per 2000 flows-per-second (120,000 flows-per-minute). Deciding whether to run more small containers to distribute load or fewer large containers to consolidate management is a matter of personal preference.

Set up network flow data monitoring in New Relic One

  1. Go to one.newrelic.com and click Add more data.
  2. Scroll down until you see Network performance monitoring and click Network Flows.
  3. Follow the steps in New Relic One. Network Flows guided setup
    one.newrelic.com > Add more data > Network performance monitoring > Network Flows to set up network flow data monitoring.
  4. To get better visibility into your network device performance, set up SNMP data monitoring.
  5. Visualize your network performance data in New Relic.

Find and use your metrics

All network flow logs exported from the ktranslate container use the KFlow namespace, via the New Relic Event API. Currently, these are the default fields populated from this integration:

Attribute

Type

Description

application

String

The class of program generating the traffic in this flow record. This is derived from the lowest numeric value from l4_dst_port and l4_src_port. Common examples include http, ssh, and ftp.

device_name

String

The display name of the sampling device for this flow record.

dst_addr

String

The target IP address for this flow record.

dst_as

Numeric

The target Autonomous System Number for this flow record.

dst_as_name

String

The target Autonomous System Name for this flow record.

dst_endpoint

String

The target IP:Port tuple for this flow record. This is a combination of dst_addr and l4_dst_port.

dst_geo

String

The target country for this flow record, if known.

in_bytes

Numeric

The number of bytes transferred for ingress flow records.

in_pkts

Numeric

The number of packets transferred for ingress flow records.

input_port

Numeric

If_Index value for the interface at the source of this flow record.

l4_dst_port

Numeric

The target port for this flow record.

l4_src_port

Numeric

The source port for this flow record.

output_port

Numeric

If_Index value for the interface at the destination of this flow record.

protocol

String

The display name of the protocol used in this flow record, derived from the numeric IANA protocol number.

provider

String

This attribute is used to uniquely identify various sources of data from ktranslate. Network flow logs will always have the value of kentik-flow-device.

sample_rate

Numeric

Sampling rate applied by either the sampling device configuration, or the sample_rate argument in ktranslate.

src_addr

String

The source IP address for this flow record.

src_as

Numeric

The source Autonomous System Number for this flow record.

src_as_name

String

The source Autonomous System Name for this flow record.

src_endpoint

String

The source IP:Port tuple for this flow record. It's a combination of src_addr and l4_src_port.

src_geo

String

The source country for this flow record, if known.

tcp_flags

Numeric

TCP flags in this flow record.

timestamp

Numeric

The time, in Unix seconds, when this flow record was received by the New Relic Event API.

Create issueEdit page
Copyright © 2022 New Relic Inc.