Network monitoring plays a crucial role in network management by enabling the analysis, control, and optimization of data traffic. It allows administrators to detect anomalies, enhance security, and ensure efficient resource utilization. In PANDDA, we leverage IP flow-based network monitoring, utilizing the flexibility of the IPFIX flow format to enrich flow data extensively. This approach allows us to strike an optimal balance between flow-based and packet-based monitoring, maximizing visibility and analytical capabilities.
P flow records are summaries of IP traffic observed on a network. Instead of storing full packet captures (which can be massive), flow records capture metadata about the communication between endpoints, providing a lightweight and scalable way to monitor and analyze network traffic.
A flow is typically defined as a unidirectional sequence of packets sharing common properties such as:
- Source IP address
- Destination IP address
- Source port
- Destination port
- Layer 3 protocol (e.g., TCP, UDP)
- Input interface
- Type of service
These flows are collected by flow exporters (e.g., routers or specialized probes) and exported to a flow collector, where they are stored and analyzed. The typical flow record looks like:
| IPFIX Information Element | Value |
|---|---|
| flowStartMilliseconds | 2025-04-24 14:00:01.123 |
| flowEndMilliseconds | 2025-04-24 14:00:03.987 |
| sourceIPv4Address | 192.168.1.10 |
| destinationIPv4Address | 93.184.216.34 |
| sourceTransportPort | 52345 |
| destinationTransportPort | 443 |
| protocolIdentifier | 6 (TCP) |
| packetDeltaCount | 12 |
| octetDeltaCount | 8460 |
| ingressInterface | 2 |
| egressInterface | 4 |
| tcpControlBits | 0x18 (PSH, ACK) |
| ipClassOfService | 0x00 |
| flowDirection | 0 (Ingress) |
The flows can be generated and transported via several protocols. PANDDA supports IPFIX protocol (RFC7011)—the most novel and advanced flow export protocol that allows templating and exporting arbitrary features.
PANDDA uses ipfixprobe flow exporter with broad support of different network interfaces. Within the PANDDA project, we mainly support these two interfaces:
- AF_PACKET — A raw socket interface that is suitable for slower monitoring interfaces up to 1Gbps.
- DPDK — Interface suitable for high-speed network monitoring. DPDK input can monitor lines reaching up to 400Gbps. To use the DPDK interface, you need a DPDK-compatible card. More information can be found below.
DPDK is a high-performance framework designed to accelerate packet processing by bypassing the traditional Linux kernel networking stack and leveraging user-space drivers. It enables applications to achieve low latency and high throughput by utilizing poll mode drivers (PMDs), hugepages, and CPU core pinning to process packets directly in user space. DPDK is the de facto standard in high-speed network monitoring and line-rate packet processing.
The DPDK is relatively complex to set up. Fortunately, PANDDA will autodetect your server hardware and suggest optimal DPDK settings. Nevertheless, still the DPDK might cause some problems that might be undetected by PANDDA resulting in suboptimal flow monitoring. Thus, we suggest to check the following:
- You are using one of the recommended network cards on the recommended HW page.
- Your card is connected to the PCIE x16 slot.
- Check various statistics in /var/stats/ipfixprobe. You should focus on the number of packets processed by each input thread.