Analysis flow filtering based on time interval





This article explains how the advanced analysis filters flows based on the selected time interval.


I cannot see the expected flows in a short interval, even though the flows should be present.

The advanced analysis (except the "show in time" feature) filters flow data based on their received time on the collector.

For example, a TCP session started at 5:00 and finished at 5:06. Consider an active timeout of 300 seconds and an inactive timeout of 30 seconds (the default values for Flowmon appliances).

Two flows will be generated:
1. A flow with start time 5:00 and end time 5:05 (active timeout reached). It will be received on the collector around 5:05:03 (depending on the flow cache of the flow source, network speed, and collector load).
2. A flow with start time 5:05 and end time 5:06. It will be received on the collector around 5:06:33 (the inactive timeout of 30 seconds has to be added).

The advanced analysis queried for the interval 5:00 - 5:05 doesn't show either of these flows, even though the TCP session was active then. The reason is that both flows were received on the collector in the interval 5:05 - 5:10, so they are visible in the advanced analysis only in this interval (or a longer one, such as 5:05 - 5:15).
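
The timing above can be reproduced with a small model. This is an added example, not Flowmon code: it generalizes the two-flow case to any session length and computes which interval to query so that all flows of a session are returned. The 3-second export delay, the 5-minute interval granularity, the half-open interval boundaries and all function names are assumptions.

```python
from datetime import datetime, timedelta

ACTIVE_TIMEOUT = timedelta(seconds=300)   # Flowmon default, per the article
INACTIVE_TIMEOUT = timedelta(seconds=30)  # Flowmon default, per the article
EXPORT_DELAY = timedelta(seconds=3)       # assumed; the article only says "around 5:05:03"
SLOT = timedelta(minutes=5)               # assumed granularity of the analysis interval


def export_flows(session_start, session_end):
    """Split one session into (start, end, received_on_collector) records."""
    flows, start = [], session_start
    # Every full active-timeout slice is exported as soon as the timeout is hit.
    while session_end - start >= ACTIVE_TIMEOUT:
        end = start + ACTIVE_TIMEOUT
        flows.append((start, end, end + EXPORT_DELAY))
        start = end
    # The remainder leaves the flow cache only after the inactive timeout.
    if start < session_end:
        flows.append((start, session_end,
                      session_end + INACTIVE_TIMEOUT + EXPORT_DELAY))
    return flows


def visible_in(flows, q_start, q_end):
    """Flows returned for [q_start, q_end) when filtering on received time."""
    return [f for f in flows if q_start <= f[2] < q_end]


def covering_window(flows):
    """Smallest SLOT-aligned window that contains every received time."""
    first = min(f[2] for f in flows)
    last = max(f[2] for f in flows)
    midnight = first.replace(hour=0, minute=0, second=0, microsecond=0)
    lo = (first - midnight) // SLOT
    hi = (last - midnight) // SLOT + 1
    return midnight + lo * SLOT, midnight + hi * SLOT


if __name__ == "__main__":
    day = datetime(2024, 1, 1)  # constructed date; only the clock times matter
    flows = export_flows(day.replace(hour=5), day.replace(hour=5, minute=6))
    for start, end, received in flows:
        print(f"{start:%H:%M:%S}-{end:%H:%M:%S} received {received:%H:%M:%S}")
    q = (day.replace(hour=5), day.replace(hour=5, minute=5))
    print("visible in 5:00-5:05:", len(visible_in(flows, *q)))
    lo, hi = covering_window(flows)
    print(f"query instead: {lo:%H:%M}-{hi:%H:%M}")
```

When investigating an event at a known time, extending the end of the queried interval by at least the active timeout plus the inactive timeout keeps flows like these in the result.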


