Performance measurement goes Flow at EPF

Ever wondered how a probe’s ‘alert’ footprint really maps to the rest of your network? Ever struggled to connect a quality degradation alert back to the exact interconnect point, and then figure out what else might be affected?

Let’s demystify that.

At EPF25 next week, Stephan will walk us through a clear, practical example of how to:

Map each probe precisely to its corresponding interconnect point. No guesswork, just solid mapping.
Then, go one step further: identify which other traffic flows are likely tangled up in the same issue.

Whether you’re refining monitoring, speeding up incident response, or just curious about making flow-level visibility actionable, this talk shows you how to turn scattered alerts into coherent, signal-rich insight.

Be sure to also stop by the BENOCS booth while you’re there. Stephan, Péter, Ingmar and Suraj look forward to welcoming you!

RONOG

Right after EPF 25, the conversations continue at RONOG 10 in Bucharest! 🇷🇴

On September 18, Péter will be there representing BENOCS and ready to meet the Romanian networking community to exchange thoughts on how traffic visibility and analytics can simplify network operations and improve performance.

Hit Peter up for a coffee and get all the latest updates on the BENOCS product roadmap.

EPF 2025

It’s almost time for European Peering Forum 2025, this year in beautiful Bucharest!

From September 15-17, you can catch Péter, Ingmar, Suraj, and Stephan representing BENOCS at EPF 25. They’re looking forward to connecting with the peering community, diving into the latest on interconnection, and sharing ideas on how visibility into traffic flows can make networks run smoother.

If you’re attending, come find us! We’d love to talk peering strategies, network analytics, or just grab a coffee and catch up.

See you in Bucharest!

NL-ix Late Summer Drink

Sun, sea, and… networking.

On September 11, Hari and Stephan will be at the beach in Scheveningen, for the annual NL-ix Late Summer Drink. Always a great chance to catch up with peers, exchange ideas, and enjoy the unique mix of seaside vibes and serious conversations about networks.

If you’re around, come say hi and join us for a beer. We’d love to chat about traffic visibility, peering, and what’s next for network analytics.

Why Geo-IP data can mislead you and what to use instead

What is a Geo-IP database?

Ever wondered where your network traffic is sourcing from or going to? Many network operators today rely on Geo-IP databases to answer these questions. A geo-IP database is a collection of data that links IP addresses to their corresponding geographic locations. Geo-IP databases usually provide information such as country, region, city, ZIP code, latitude, longitude and sometimes more specific details such as ISP name and also the type of connection (either a DSL or Mobile).

There are several Geo-IP databases available such as Maxmind, IP2Location, IPgeolocation, IPinfo, Netacuity etc. There is a significant difference of accuracy of a commercial database compared to a free version since the features and the updates that come with it vary greatly depending on the version type.

How is IP to location mapping done?

IP to location mapping is a continuous, multi-source data enrichment process that leverages a combination of methods and data sources to assign geographic identities to IP address ranges. Some of the sources are as follows:

Internet Service Provider (ISP) assignment – ISPs allocate IP addresses to users based on service areas. When an ISP assigns a range of IPs in a specific region, those IPs are mapped to that location in the geolocation database.
Public registry records – Regional Internet Registries (RIRs), such as RIPE NCC, APNIC & LACNIC, maintain records of IP address allocations. These records usually identify which ISPs have been assigned specific IP blocks, often including their registered addresses.
Network routing & topology – Physical internet infrastructure and routing information help estimate locations. Data about how networks route traffic (such as trace routes) can tell where an IP is likely hosted.
Data mining and user contributions – Some databases leverage information from websites when users voluntarily provide location data e.g. during account registration. This user-input is then associated with their IP addresses for added accuracy.
Active geolocation techniques – Pinging an IP from multiple servers worldwide and using the response times to estimate the user’s physical location. This technique is known as multilateration and this improves accuracy to the city or postal code for some addresses.

When do you use a Geo-IP database?

Geo-IP databases are widely used for web analytics or targeted content/ads. The next time you use a Starbucks W-Fi and get an ad for a store that you just walked past, don’t be surprised. In the telecommunications world, network operators generally use Geo-IP location to optimize and manage their network. Some of the widely known use cases are:

Traffic routing & load balancing Geo-IP data helps direct user traffic through the most efficient or regionally relevant routers and infrastructure, reducing latency and improving service quality.
Capacity planning Understanding where users are densely concentrated enables ISPs to allocate resources, plan infrastructure upgrades and optimize peerings in regions with high demand.
Anomaly detection Rapidly identifying access from unexpected geographies can flag potentially fraudulent account activity or security breaches.
DDoS detection & mitigation Geo-IP can filter or block malicious traffic from specific countries or regions reducing spam and DDoS attacks.
Regulatory compliance ISPs can enforce region-based policies and also fulfil legal obligations regarding customer data storage and access based on end-users’ location.

Limitations of Geo-IP databases

Let’s take the first use case – traffic routing – and look at it more closely. Geo-IP databases work reasonably well when identifying where user traffic originates from and are reliable for country-level detection and broad regional insights. However, some operators also use these databases to correlate flow data with the physical location of subnets within their own network to determine where a specific customer’s traffic is coming from. While operators typically already know where their infrastructure and customer allocations are located based on internal records, that information often lives in separate static inventories that aren’t easily integrated into flow analysis tools. As a result, they turn to Geo-IP data to fill that gap. The problem? Although the accuracy is typically high (90-99%) for country level, it drops down significantly to 43%¹ for city level detection. Precision is usually better in large, urbanized areas but considerably worse in small towns or rural regions, and the databases may revert to the nearest major city sometimes missing suburbs or towns. We decided to do a small comparison of our own to run a Berlin IP address lookup on some of these databases to test the accuracy, and the results are striking.

Screenshot of ipgeolocation website — ipgeolocation predicts that the IP is from Bremen some 400km away from Berlin

Screenshot of the ipinfo website — ipinfo is the most accurate of all predicting Berlin and almost the correct district too

Screenshot from the website dbip — dbip predicted the same IP to be from Frankfurt, 550km from Berlin

There are many factors contributing to the inaccuracies. Cellular networks and mobile IPs often have much lower localization accuracy compared to broadband or Wi-Fi. Errors of tens or even hundreds of kilometers² are common for mobile users. Secondly, the usage of VPN, proxies, carrier grade NAT and very recently Apple Private Relay further obscures the true location, resulting in greater inaccuracies. From our experience in analyzing data from 25+ networks, we often see the same IP block being used across multiple regions or cities because of the frequent change in network topologies, which results in IP block reassignment. The external databases can become outdated quite quickly and the reliability is questionable unless updates are more frequent. Lastly, the privacy regulations may restrict access to certain information, impacting the completeness or refresh rate of data, especially in strict jurisdictions. This makes it risky to rely on Geo-IP for regional-level insights, especially when misclassification can lead to wrong decisions about peering, routing, or capacity planning.

A better alternative: ingress-egress router-based geo-location

Specifically for the routing- and capacity-planning usecases, BENOCS Analytics takes a fundamentally different approach than relying on external Geo-IP databases: we use what your network actually sees.

BENOCS collects and cross-correlates data from standardized network protocols, including BGP, Flow, SNMP, IGP, and DNS, directly from the operator’s infrastructure. Leveraging our proprietary data-processing engine, we visualize this information in an intuitive multi-dimensional Sankey diagram, with up to twelve traffic dimensions, including but not limited to Source, Handover, Ingress, Egress, Nexthop, and Destination dimensions.

Screenshot from the BENOCS website showing the Sankey diagram — Six-dimensional view of the internet traffic ingressing and egressing an operator's network

This visualization allows you to trace the full journey of a packet, from where the traffic is sourcing from (Source AS) to where it terminates (Destination AS) – all grounded in your actual routing and flow data, not approximations.

Flow data is collected at the ingress interface of all internet-facing edge routers. When combined with BGP information, we can infer the forwarding path, including the corresponding egress routers, both of which are displayed within the Sankey’s respective dimensions.

To take it even further, BENOCS enables you to tag and group these routers by city, country, region, or custom groupings, making traffic analysis geographically meaningful and accurate.

Screenshot from BENOCS Analytics showing the Taggin & Grouping feature — Grouping ingress routers by city, region, or vendor

This gives you a precise and actionable view of traffic exchange between locations in your network. You’re not relying on a third-party’s guess: you’re seeing real, topologically and geographically grounded data from your own routers. Why settle for outdated or inaccurate geolocation databases when your network already holds the truth? And also, the geo-location of an IP might be very different than the location of your egress-router, which is the last point your network sees this packet.

Screenshot of BENOCS Analytics Sankey diagram showing rouer locations

When accuracy matters, trust your network

Geo-IP databases offer a convenient, quick-glance view of where traffic might be coming from, and for many applications, that’s good enough. But when you’re a network operator responsible for making high-stakes decisions about traffic engineering, capacity planning, or routing optimization, “good enough” simply isn’t.

As we’ve seen, Geo-IP data can be outdated, inaccurate at city-level, and increasingly unreliable due to VPNs, mobile networks, and evolving topologies. It’s a blunt tool for what should be a precise task.

At BENOCS, we believe that your network already contains the most reliable source of truth. By analyzing real-time BGP, Flow, and IGP data directly from your own routers, we empower you to see not just where your traffic might be coming from but where it actually enters and exits your infrastructure. With this ground-truth visibility, you gain clarity, confidence, and control over your network’s geographic traffic flows – no guesswork required.

So the next time you’re questioning where your traffic comes from, don’t ask a third-party database. Ask your network. It knows.

References:

Should we trust the geolocation databases to geolocate routers- https://blog.apnic.net/2017/11/03/trust-geolocation-databases-geolocate-routers/
Location accuracy of commercial IP address Geolocation Databases- https://itc.ktu.lt/index.php/ITC/article/view/14451

Why your flow data might be lying to you (and how to fix it)

In theory, flow data should give us a nice, accurate view of what’s happening in our network. In reality, there’s a big elephant in the room: you never really know if the data you’re getting is complete. Flow exports are typically sent using UDP, and that means there are no guarantees. If a packet doesn’t make it to your collector – too bad, it’s gone.

For people who depend on flow data for analytics, capacity planning, security, and troubleshooting, that’s not just annoying; it’s dangerous. And most of the time, neither the user nor the collector has a way to detect if something’s missing.

Where the flow can fail

We often hear: “Well, if my collector drops packets, I’ll know about it.” True – most collectors can log packet loss. And while the network in between could theoretically drop packets, in our experience, that’s rarely the bottleneck.

The real troublemaker? The exporter. That’s the router or switch generating the flows in the first place.

If the exporter silently drops flow data due to an internal issue, like a full buffer, nobody notices. Not the user. Not the collector. You just end up working with incomplete data, drawing the wrong conclusions, and maybe even alarming or scaling unnecessarily. The worst part? This often happens gradually as traffic grows, long after the initial configuration was done.

The good news: it’s fixable

There are specific configuration parameters you can tweak to make flow exports more reliable and insightful. Here’s what matters most:

1. Sampling rate

This defines how many packets the router skips before recording one. A lower number means better accuracy.

1:1000 is a solid recommendation from us. It balances visibility into smaller flows with the router’s resource limits. With this, you can spot flows down to 1 Mbps or even less.
A 1:1 sampling rate (every packet counted) gives you perfect insight, but comes with a cost: your router needs more memory. And guess what happens if the buffer overflows? Yep – data loss.

2. Inactive timeout

This defines how long the exporter waits without seeing new packets for a flow before it sends it out. We recommend 15 seconds. It keeps the buffers clean and prevents long-hanging flows from clogging up the memory.

2. Active timeout

This is the maximum duration a flow is kept “open” before being sent, even if new packets keep arriving.

If your analytics work in 5-minute buckets, this is crucial. If you use the vendor default (often 1800 seconds or more!), flows will straddle multiple buckets and make your data messy. We recommend 60 seconds to ensure clean aggregation.

How to check for flow generation failures

Most major vendors give you tools to see if you’re dropping flow records at the source:

Nokia: show router flow-export statistics
Juniper: show services flow-monitoring statistics
Cisco: show flow exporter statistics
Huawei: display netstream statistics export

Check these regularly, especially if traffic volume has changed recently.

Recommended config summary

Parameter	Recommended value	Why it matters
Sampling rate	1:1000	Balanced accuracy and router performance
Inactive timeout	15 seconds	Flush idle flows quickly to free buffer
Active timeout	60 seconds	Clean 5-minute time buckets, avoid overflow

Vendor config quirks

Each vendor has their own flavor of config:

Nokia: Look for sampling, active-timeout, inactive-timeout under flow-export
Juniper: Uses flow-monitoring and export-profile definitions
Cisco: Classic NetFlow or Flexible NetFlow; keep an eye on buffer size
Huawei: NetStream config; especially check active/inactive timeouts

Always validate configs against your version’s documentation.

Avoid redundant sampling

If you’re sampling on both ingress and egress interfaces, you’re doing double the work (and seeing double the data!). We recommend ingress-only. It’s the earliest point you can capture a flow, and it prevents duplication.

Ditch the default

Default configurations are not your friend. They are built for generic scenarios and not optimized for the accurate, actionable analytics we all depend on.

Take the time to check, tweak, and validate your exporter configuration. The benefits will ripple through the whole system: from better performance monitoring to more accurate security insights.

Optimizing Eurasian network resilience

How RETN leveraged BENOCS Analytics to overcome submarine cable outages

About RETN

RETN, a leading provider of telecommunications and data transmission services, is a global internet backbone, operating a Eurasian network that seamlessly connects Europe and Asia through its extensive fiber-optic infrastructure. Founded in 2003, the company delivers services such as IP transit, Ethernet, and cloud connectivity to enterprises and carriers. With a presence in over 40 countries, RETN operates one of the largest independent networks, ensuring high-performance connectivity across key international markets.

Challenges

Managing a network across Eurasia comes with its own challenges, especially when geopolitical issues and unexpected disruptions occur. In 2024, submarine cable outages became a major problem for connectivity providers. Several key cables in the Red Sea, including Seacom/TGN, AAE-1, and EIG, were damaged on February 24 and remained offline until August 7, 2024. This created significant pressure for operators relying on these routes. To make matters worse, the SMW-5 cable had a fault on April 19, adding to the difficulties. RETN has capacity in both AAE-1 and SMW-5 cable systems and now had to quickly reroute large amounts of traffic going via these two terrestrial links to keep their network running smoothly and serve their customers.

A screenshot of a colorful sankey diagram and a time series diagram at the bottom showing a sudden drop in traffic levels — Screenshot: Traffic dropped abruptly on April 20 when the submarine cables were cut.

Solution

BENOCS Analytics has been deployed and operational in RETN’s network since 2022. Our solution offers end to end visualization of all traffic traversing through the network. Specifically, the ability to see ingress and egress points of all the traffic in our 6 dimensional Sankey diagram proved crucial to RETN’s current challenge.

25%

traffic shifted swiftly

100%

service upheld

Implementation

Back when we released the Tagging and Grouping module, which has the ability to group different dimensions, RETN grouped all their ingress & egress routers into different regions such as Western Europe, Central & Southern Europe and Asia Pacific. The ability to see both the ingress and egress routers in one view and, in addition, grouping them based on different regions helped RETN identify all the traffic traversing through the terrestrial links. With this visibility, the operations team could further reroute some of the traffic from the terrestrial links to their local backbone in Asia.

Results and Benefits

By April 23, 2024, RETN were able to remove a further 25% of the traffic from their expensive and in-demand terrestrial links running from Europe to Asia and shift it locally to Asia. This allowed them to keep serving their customers in Asia without any disruptions. As a consequence, this freed up more bandwidth to serve other customers. Resulting from this experience, RETN was also able to further deepen their expertise in the area of network vulnerability and resilience.

A screenshot showing a colorful sankey diagram and a time series at the bottom with a cyclic traffic flow pattern — Screenshot: The BENOCS Flow Analytics 6-dimensional view of traffic flowing through the RETN network

“With the help of BENOCS Analytics we managed to remove about 25% of the traffic from terrestrial links and shift it locally to Asia. This helped us a lot with traffic localization and keeping existing (and new) customers served in Asia. Might not look a lot, but back then it was quite an achievement! Moreover, we had a clear view of what else we could optimize to save some bandwidth for other customers. Happily, it wasn’t required in the end, but it was good to be assured we had enough room.”

Andrey Gazizov

Chief Operating Officer

RETN

Recent Improvements

RETN wanted to have visibility at IP subnet level, so recently implemented the Raw Network Analyzer (RNA) module in their BENOCS Analytics deployment. For RETN, this means more than 30 different data fields, sourced from BENOCS’ complex data and intelligence model, providing comprehensive visibility of their entire IP traffic flow.

Conclusion

RETN’s ability to overcome significant challenges in network management during the 2024 submarine cable outages highlights its commitment to ensuring uninterrupted service to its customers. By leveraging BENOCS Analytics, RETN achieved exceptional operational efficiency and traffic optimization. The six-dimensional visualization and regional tagging capabilities enabled RETN to swiftly identify and reroute traffic, reducing reliance on costly terrestrial links and improving network resilience.

The results – such as a 25% reduction in traffic on critical links and seamless service continuity – underscore the value of BENOCS Analytics in addressing complex network challenges. RETN’s proactive approach, coupled with its partnership with BENOCS, demonstrates its focus on delivering high-performance connectivity, even during unforeseen disruptions.

TNC25

It’s almost time for one of the biggest events on the research and education networking calendar: TNC25!

From June 9-13 in Brighton, UK, Péter György, Hari Jayaraman, and Ingmar Poese will be representing BENOCS and are looking forward to some seriously good conversations with the NREN community.

Whether you’re curious about what’s new in network analytics, want to chat about traffic visibility challenges, or just feel like geeking out over some top-tier infrastructure – come find us at booth number 12!

We’re excited to share what we’ve been working on and to hear what’s on your radar.

See you in Brighton!

1&1 Versatel relies on BENOCS to optimize its fiber optic network

Berlin, Germany, May 21, 2025 – The telecommunications provider 1&1 Versatel, which specializes in enterprise customers, has recently deployed the German technology BENOCS Analytics to monitor traffic flows in its fiber optic network. BENOCS is a specialized provider of network analysis software. The Berlin-based team supports 1&1 Versatel in visualizing and optimizing its networks.

By using BENOCS Analytics, 1&1 Versatel receives a detailed and transparent overview of traffic flows across the entire network. The tool processes flow and routing information to provide a comprehensive picture of network traffic. This allows individual components of network flows to be precisely identified and classified, enabling more precise capacity planning and continuous optimization of network operations.

“It is always our goal to provide our corporate customers with first-class service quality,” explains Frank Rosenberger, CEO of 1&1 Versatel. “The precise data from the BENOCS Analytics Tool helps our engineering team and our colleagues in capacity management to immediately identify any changes, quickly eliminate bottlenecks, and ensure optimal network quality for our customers at all times.

Thanks to its advanced analytics capabilities, 1&1 Versatel can not only identify potential traffic anomalies but also identify optimization opportunities to improve performance. This includes, among other things, the targeted management of traffic peaks to avoid bottlenecks and use resources more efficiently. Precise monitoring and early error detection also lead to shorter response times in the event of disruptions.

“We are delighted to partner with 1&1 Versatel and are proud to provide our network transparency and optimization technology in one of Germany’s most modern networks. 1&1 Versatel is a strong partner for us, helping us further develop BENOCS Analytics to meet the growing demands of high-performance fiber optic networks,” emphasizes Stephan Schröder, CEO of BENOCS.

The use of AI will further improve the automated control and optimization of the fiber optic network in the future and ensure high security and performance in the long term.

RIPE 90

The time is RIPE! (See what we did there? 😉 )

Next week, from May 12-16, BENOCS Co-Founder and CTO Ingmar Poese, Customer Success Manager Péter György, and Daniel Sosnowski, DevOps Engineer at BENOCS, are off to beautiful Lisbon to attend RIPE 90.

Send us a message if you’d like to set up a meeting to find out the latest BENOCS Analytics updates or hit them up when you see them there!