Author: Rebecca Maschke

Why your flow data might be lying to you (and how to fix it)

A graph showing a discrepancy between the flow data (pink) and the green SNMP line

In theory, flow data should give us a nice, accurate view of what’s happening in our network. In reality, there’s a big elephant in the room: you never really know if the data you’re getting is complete. Flow exports are typically sent using UDP, and that means there are no guarantees. If a packet doesn’t make it to your collector – too bad, it’s gone.

For people who depend on flow data for analytics, capacity planning, security, and troubleshooting, that’s not just annoying; it’s dangerous. And most of the time, neither the user nor the collector has a way to detect if something’s missing.

Where the flow can fail

We often hear: “Well, if my collector drops packets, I’ll know about it.” True – most collectors can log packet loss. And while the network in between could theoretically drop packets, in our experience, that’s rarely the bottleneck.

The real troublemaker? The exporter. That’s the router or switch generating the flows in the first place.

If the exporter silently drops flow data due to an internal issue, like a full buffer, nobody notices. Not the user. Not the collector. You just end up working with incomplete data, drawing the wrong conclusions, and maybe even alarming or scaling unnecessarily. The worst part? This often happens gradually as traffic grows, long after the initial configuration was done.

The good news: it’s fixable

There are specific configuration parameters you can tweak to make flow exports more reliable and insightful. Here’s what matters most:

1. Sampling rate

This defines how many packets the router skips before recording one. A lower number means better accuracy.

  • 1:1000 is a solid recommendation from us. It balances visibility into smaller flows with the router’s resource limits. With this, you can spot flows down to 1 Mbps or even less.
  • A 1:1 sampling rate (every packet counted) gives you perfect insight, but comes with a cost: your router needs more memory. And guess what happens if the buffer overflows? Yep – data loss.

2. Inactive timeout

This defines how long the exporter waits without seeing new packets for a flow before it sends it out. We recommend 15 seconds. It keeps the buffers clean and prevents long-hanging flows from clogging up the memory.

2. Active timeout

This is the maximum duration a flow is kept “open” before being sent, even if new packets keep arriving.

If your analytics work in 5-minute buckets, this is crucial. If you use the vendor default (often 1800 seconds or more!), flows will straddle multiple buckets and make your data messy. We recommend 60 seconds to ensure clean aggregation.

How to check for flow generation failures

Most major vendors give you tools to see if you’re dropping flow records at the source:

  • Nokia: show router flow-export statistics
  • Juniper: show services flow-monitoring statistics
  • Cisco: show flow exporter statistics
  • Huawei: display netstream statistics export

Check these regularly, especially if traffic volume has changed recently.

Recommended config summary

Parameter Recommended value Why it matters
Sampling rate 1:1000 Balanced accuracy and router performance
Inactive timeout 15 seconds Flush idle flows quickly to free buffer
Active timeout 60 seconds Clean 5-minute time buckets, avoid overflow

Vendor config quirks

Each vendor has their own flavor of config:

  • Nokia: Look for sampling, active-timeout, inactive-timeout under flow-export
  • Juniper: Uses flow-monitoring and export-profile definitions
  • Cisco: Classic NetFlow or Flexible NetFlow; keep an eye on buffer size
  • Huawei: NetStream config; especially check active/inactive timeouts

Always validate configs against your version’s documentation.

Avoid redundant sampling

If you’re sampling on both ingress and egress interfaces, you’re doing double the work (and seeing double the data!). We recommend ingress-only. It’s the earliest point you can capture a flow, and it prevents duplication.

Ditch the default

Default configurations are not your friend. They are built for generic scenarios and not optimized for the accurate, actionable analytics we all depend on.

Take the time to check, tweak, and validate your exporter configuration. The benefits will ripple through the whole system: from better performance monitoring to more accurate security insights.

Optimizing Eurasian network resilience

RETN logo

How RETN leveraged BENOCS Analytics to overcome submarine cable outages

About RETN

RETN, a leading provider of telecommunications and data transmission services, is a global internet backbone, operating a Eurasian network that seamlessly connects Europe and Asia through its extensive fiber-optic infrastructure. Founded in 2003, the company delivers services such as IP transit, Ethernet, and cloud connectivity to enterprises and carriers. With a presence in over 40 countries, RETN operates one of the largest independent networks, ensuring high-performance connectivity across key international markets.

RETN logo

Challenges

Managing a network across Eurasia comes with its own challenges, especially when geopolitical issues and unexpected disruptions occur. In 2024, submarine cable outages became a major problem for connectivity providers. Several key cables in the Red Sea, including Seacom/TGN, AAE-1, and EIG, were damaged on February 24 and remained offline until August 7, 2024. This created significant pressure for operators relying on these routes. To make matters worse, the SMW-5 cable had a fault on April 19, adding to the difficulties. RETN has capacity in both AAE-1 and SMW-5 cable systems and now had to quickly reroute large amounts of traffic going via these two terrestrial links to keep their network running smoothly and serve their customers.

A screenshot of a colorful sankey diagram and a time series diagram at the bottom showing a sudden drop in traffic levels
Screenshot: Traffic dropped abruptly on April 20 when the submarine cables were cut.

Solution

BENOCS Analytics has been deployed and operational in RETN’s network since 2022. Our solution offers end to end visualization of all traffic traversing through the network. Specifically, the ability to see ingress and egress points of all the traffic in our 6 dimensional Sankey diagram proved crucial to RETN’s current challenge.

25%
traffic shifted swiftly
100%
service upheld

Implementation

Back when we released the Tagging and Grouping module, which has the ability to group different dimensions, RETN grouped all their ingress & egress routers into different regions such as Western Europe, Central & Southern Europe and Asia Pacific. The ability to see both the ingress and egress routers in one view and, in addition, grouping them based on different regions helped RETN identify all the traffic traversing through the terrestrial links. With this visibility, the operations team could further reroute some of the traffic from the terrestrial links to their local backbone in Asia.

Results and Benefits

By April 23, 2024, RETN were able to remove a further 25% of the traffic from their expensive and in-demand terrestrial links running from Europe to Asia and shift it locally to Asia. This allowed them to keep serving their customers in Asia without any disruptions. As a consequence, this freed up more bandwidth to serve other customers. Resulting from this experience, RETN was also able to further deepen their expertise in the area of network vulnerability and resilience.

A screenshot showing a colorful sankey diagram and a time series at the bottom with a cyclic traffic flow pattern
Screenshot: The BENOCS Flow Analytics 6-dimensional view of traffic flowing through the RETN network
“With the help of BENOCS Analytics we managed to remove about 25% of the traffic from terrestrial links and shift it locally to Asia. This helped us a lot with traffic localization and keeping existing (and new) customers served in Asia. Might not look a lot, but back then it was quite an achievement! Moreover, we had a clear view of what else we could optimize to save some bandwidth for other customers. Happily, it wasn’t required in the end, but it was good to be assured we had enough room.”
Bald man with a beard, wearing a black shirt, against a dark background; Andrey Gazizov, COO of RETN.
Andrey Gazizov
Chief Operating Officer
RETN

Recent Improvements

RETN wanted to have visibility at IP subnet level, so recently implemented the Raw Network Analyzer (RNA) module in their BENOCS Analytics deployment. For RETN, this means more than 30 different data fields, sourced from BENOCS’ complex data and intelligence model, providing comprehensive visibility of their entire IP traffic flow.

Conclusion

RETN’s ability to overcome significant challenges in network management during the 2024 submarine cable outages highlights its commitment to ensuring uninterrupted service to its customers. By leveraging BENOCS Analytics, RETN achieved exceptional operational efficiency and traffic optimization. The six-dimensional visualization and regional tagging capabilities enabled RETN to swiftly identify and reroute traffic, reducing reliance on costly terrestrial links and improving network resilience.

The results – such as a 25% reduction in traffic on critical links and seamless service continuity – underscore the value of BENOCS Analytics in addressing complex network challenges. RETN’s proactive approach, coupled with its partnership with BENOCS, demonstrates its focus on delivering high-performance connectivity, even during unforeseen disruptions.

TNC25

In the background is Brighton Pier with the sun setting behind it. The text reads: TNC 25, June 9.13, Brighton. At the bottom is the BENOCS logo.

It’s almost time for one of the biggest events on the research and education networking calendar: TNC25!

From June 9-13 in Brighton, UK, Péter György, Hari Jayaraman, and Ingmar Poese will be representing BENOCS and are looking forward to some seriously good conversations with the NREN community.

Whether you’re curious about what’s new in network analytics, want to chat about traffic visibility challenges, or just feel like geeking out over some top-tier infrastructure – come find us at booth number 12!

We’re excited to share what we’ve been working on and to hear what’s on your radar.

See you in Brighton!

1&1 Versatel relies on BENOCS to optimize its fiber optic network

1und1 logo

Berlin, Germany, May 21, 2025 – The telecommunications provider 1&1 Versatel, which specializes in enterprise customers, has recently deployed the German technology BENOCS Analytics to monitor traffic flows in its fiber optic network. BENOCS is a specialized provider of network analysis software. The Berlin-based team supports 1&1 Versatel in visualizing and optimizing its networks.

By using BENOCS Analytics, 1&1 Versatel receives a detailed and transparent overview of traffic flows across the entire network. The tool processes flow and routing information to provide a comprehensive picture of network traffic. This allows individual components of network flows to be precisely identified and classified, enabling more precise capacity planning and continuous optimization of network operations.

“It is always our goal to provide our corporate customers with first-class service quality,” explains Frank Rosenberger, CEO of 1&1 Versatel. “The precise data from the BENOCS Analytics Tool helps our engineering team and our colleagues in capacity management to immediately identify any changes, quickly eliminate bottlenecks, and ensure optimal network quality for our customers at all times.

Thanks to its advanced analytics capabilities, 1&1 Versatel can not only identify potential traffic anomalies but also identify optimization opportunities to improve performance. This includes, among other things, the targeted management of traffic peaks to avoid bottlenecks and use resources more efficiently. Precise monitoring and early error detection also lead to shorter response times in the event of disruptions.

“We are delighted to partner with 1&1 Versatel and are proud to provide our network transparency and optimization technology in one of Germany’s most modern networks. 1&1 Versatel is a strong partner for us, helping us further develop BENOCS Analytics to meet the growing demands of high-performance fiber optic networks,” emphasizes Stephan Schröder, CEO of BENOCS.

The use of AI will further improve the automated control and optimization of the fiber optic network in the future and ensure high security and performance in the long term.

 

RIPE 90

In the background, a street in Lisbon with two trams driving along it. The text reads: RIPE 90, May 12-16, Lisbon. At the bottom is the BENOCS logo.

The time is RIPE! (See what we did there? 😉 )

Next week, from May 12-16, BENOCS Co-Founder and CTO Ingmar Poese, Customer Success Manager Péter György, and Daniel Sosnowski, DevOps Engineer at BENOCS, are off to beautiful Lisbon to attend RIPE 90.

Send us a message if you’d like to set up a meeting to find out the latest BENOCS Analytics updates or hit them up when you see them there!

Matching routes to traffic levels at EPF 2025

Photo of Stephan presenting. Text: Global Peering Forum, apr 13-16. Forward Path: Matching routes to traffic levels. Aptil 14. 11:40am. At the bottom is the BENOCS logo.

Next week at The Global Peering Forum, Inc., Stephan Schroeder will give some insight into identifying asymmetrical traffic, which, if left unremedied, can cause latency and performance issues, load-balancing problems, routing instability and poor quality of service.

Global Peering Forum

In the background a Denver train station with the words "Union Station, travel by train" on it. The text reads: Global Üeering Forum, Apr 13-16, Denver. At the bottom is the BENOCS logo.

We are excited to be heading over to Colorado, USA, next week for this year’s Global Peering Forum. We are more than excited to announce that we are also first-time sponsors of the event this year!

Péter and Stephan will be present at the BENOCS booth during the whole event to give updates, tips, and insights around peering and BENOCS Analytics, and to answer any questions you might have.

Peering Days – Matching routes to traffice levels

A photo of Péter at the bottom right, the text on the reast of the image reads: Peering Days, Mar 25-27, Split. Forward Path: Matching routes to traffic levels. Mar 27, 12:10pm. At the bottom is the BENOCS logo.

ICYMI: Péter György is heading over to Croatia to attend Peering Days 2025 next week. While there he will present “Forward Path: Matching routes to traffic levels” on Thursday, March 27, just before the lunch break at 12:10pm.

Be sure to check it and all the other presentations out! https://lnkd.in/d99t-ffZ

Peering Days 2025

Old town in Split, Croatia. The text reads: Peering Days, Mar 25-27. Split. At the bottom is the BENOCS logo.

Peering Days is coming up next week and Péter György drew the lucky card!

From March 25-27 he will be in beautiful Croatia to take part in the 2025 edition of Peering Days. While there he will present “Forward Path: Matching routes to traffic levels” on Thursday, March 27, just before the lunch break at 12:10pm.

Take a look at the program here: https://lnkd.in/d99t-ffZ

Be sure to have a chat with Péter should you see him, or arrange something with us in advance!

APAN 59 – Use cases for NRENs

APAN 59, Mar 3-7, Yokohama. Deep insights through network visibility - use cases for NRENs. Mar 3:30pm. At the bottom is the BENOCS logo, at the bottom right is a photo of Stephan Schroeder.

Hot on the heels of this year’s APRICOT, Stephan Schroeder in exchanging the tropics for the more temperate climate of Japan this week.

From March 3-7, Stephan is looking forward to connecting with the NREN crowd at APAN 59.  While there, he will present some analytics use cases of interest to the community.