Aggregating Flows

JSA combines related information to tell you more about a single flow without sending additional flow records. This process is known as aggregation.

A flow represents a communication session between two hosts. JSA normalizes the packet attributes into a flow record that includes the following information:

  • Source IP address

  • Source port

  • Destination IP address

  • Destination port

  • Protocol

  • Flow ID (log source dependent)

  • VLAN ID (log source dependent)

As the hosts continue to communicate, information such as the byte and packet counters and the payload capture is aggregated into a single flow record. For communications that span more than 1 minute, JSA reports on the current metrics for the flow at the end of each 1-minute interval. The entire communication session is represented by multiple flow records that have the same First Packet Time, but with incremental Last Packet Time values.

The flow information is updated if the attributes are the same. When one or more attributes change, the flow is assumed to be unique, and a new flow record is created.

Flow Capacity Limits

Flow capacity limits ensure that the Flow Processor process in JSA is not overloaded.

When the Flow Processor process receives more traffic than it can handle, an overflow record is created for each protocol that is observed in the excess traffic. These records are easily identified because they have a source IP address of 127.0.0.4 and a destination IP address of 127.0.0.5.

For example, JSA determines that the flow capacity limit of your Flow Processor is 100,000 flows. During a peak period, the appliance captures 120,000 flows in a 1-minute interval. The excess 20,000 flows are not parsed; instead, an overflow record is created for each protocol that is seen in the 20,000 flows. The overflow record includes byte and packet counters, but information such as source or destination IP addresses, ports, and payload capture is not collected or stored.


Flow capacity is determined based on a number of different factors:

  • Deployment flow limit

    This flow limit is based on the sum of all flow licenses across your deployment.

  • Hardware flow limit

    The hardware flow limit is the recommended number of flows calculated based on the available CPUs and memory.

  • User flow limits

    You can set the maximum number of flows that you want JSA to process at one time.

If a user flow limit is set, it takes precedence over the hardware limit, as long as the user limit is less than the deployment limit.

If no user limit is set, the minimum of either the hardware limit or the deployment limit is used.

Note:

Flow capacity limits are enforced after aggregation. Updates to existing flows within the 1-minute reporting interval do not contribute to your flows per minute (FPM) license limit.
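
The following Python sketch is an added example, not JSA code. It models one 1-minute interval to show aggregation by flow attributes, limit enforcement after aggregation, and the per-protocol overflow records from 127.0.0.4 to 127.0.0.5. The sample packets are constructed, the flow key is the five-tuple only (Flow ID and VLAN ID are left out), and two behaviours are assumptions: flows first seen after the limit is reached are treated as the excess, and a user limit at or above the deployment limit is ignored.

```python
from collections import defaultdict

# Overflow marker addresses stated in the text above.
OVERFLOW_SRC, OVERFLOW_DST = "127.0.0.4", "127.0.0.5"

def effective_limit(deployment, hardware, user=None):
    """Flow limit that applies, following the precedence rules above."""
    if user is not None and user < deployment:
        return user  # a user limit below the deployment limit wins
    # Assumption: a user limit at or above the deployment limit is ignored.
    return min(hardware, deployment)

def process_interval(packets, limit):
    """Model one 1-minute interval: aggregate first, then enforce the limit.

    Each packet is (src_ip, src_port, dst_ip, dst_port, protocol, size).
    Returns (flows, overflow): flows maps the 5-tuple to [bytes, packets];
    overflow is a list of per-protocol overflow records.
    """
    flows = {}                            # distinct flows kept this interval
    excess = defaultdict(lambda: [0, 0])  # protocol -> [bytes, packets]
    for *key, size in packets:
        key = tuple(key)
        if key in flows or len(flows) < limit:
            # An update to an existing flow does not use up capacity.
            counters = flows.setdefault(key, [0, 0])
        else:
            # Assumption: flows first seen after the limit is reached are the
            # excess. Only protocol-level counters survive for them.
            counters = excess[key[4]]
        counters[0] += size
        counters[1] += 1
    overflow = [{"src": OVERFLOW_SRC, "dst": OVERFLOW_DST, "protocol": proto,
                 "bytes": b, "packets": p} for proto, (b, p) in sorted(excess.items())]
    return flows, overflow

# Constructed sample traffic for one interval (not real captures).
SAMPLE = [
    ("10.0.0.5", 50000, "10.0.0.9", 443, "tcp", 600),
    ("10.0.0.5", 50000, "10.0.0.9", 443, "tcp", 900),  # same flow, aggregated
    ("10.0.0.6", 50001, "10.0.0.9", 53, "udp", 80),
    ("10.0.0.7", 50002, "10.0.0.9", 22, "tcp", 400),   # new flow over the limit
    ("10.0.0.8", 50003, "10.0.0.9", 53, "udp", 70),    # new flow over the limit
    ("10.0.0.7", 50002, "10.0.0.9", 22, "tcp", 300),
    ("10.0.0.5", 50000, "10.0.0.9", 443, "tcp", 100),  # update to a kept flow
]

if __name__ == "__main__":
    flows, overflow = process_interval(SAMPLE, effective_limit(deployment=2, hardware=5))
    print(flows, overflow, sep="\n")
```

With a limit of 2, the SSH session and the second DNS query leave no addresses or ports behind, which is why overflow records mark intervals where flow-based detection and investigation have a visibility gap.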