Why your flow data might be lying to you (and how to fix it)

In theory, flow data should give us a nice, accurate view of what’s happening in our network. In reality, there’s a big elephant in the room: you never really know if the data you’re getting is complete. Flow exports are typically sent using UDP, and that means there are no guarantees. If a packet doesn’t make it to your collector – too bad, it’s gone.

For people who depend on flow data for analytics, capacity planning, security, and troubleshooting, that’s not just annoying; it’s dangerous. And most of the time, neither the user nor the collector has a way to detect if something’s missing.

Where the flow can fail

We often hear: “Well, if my collector drops packets, I’ll know about it.” True – most collectors can log packet loss. And while the network in between could theoretically drop packets, in our experience, that’s rarely the bottleneck.

The real troublemaker? The exporter. That’s the router or switch generating the flows in the first place.

If the exporter silently drops flow data due to an internal issue, like a full buffer, nobody notices. Not the user. Not the collector. You just end up working with incomplete data, drawing the wrong conclusions, and maybe even raising alarms or scaling unnecessarily. The worst part? This often happens gradually as traffic grows, long after the initial configuration was done.

The good news: it’s fixable

There are specific configuration parameters you can tweak to make flow exports more reliable and insightful. Here’s what matters most:

1. Sampling rate

This defines how many packets the router skips before recording one. A lower number means better accuracy.

  • 1:1000 is a solid recommendation from us. It balances visibility into smaller flows with the router’s resource limits. With this, you can spot flows down to 1 Mbps or even less.
  • A 1:1 sampling rate (every packet counted) gives you perfect insight, but comes with a cost: your router needs more memory. And guess what happens if the buffer overflows? Yep – data loss.

2. Inactive timeout

This defines how long the exporter waits without seeing new packets for a flow before it sends it out. We recommend 15 seconds. It keeps the buffers clean and prevents long-hanging flows from clogging up the memory.

3. Active timeout

This is the maximum duration a flow is kept “open” before being sent, even if new packets keep arriving.

If your analytics work in 5-minute buckets, this is crucial. If you use the vendor default (often 1800 seconds or more!), flows will straddle multiple buckets and make your data messy. We recommend 60 seconds to ensure clean aggregation.
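The effect of the active timeout on 5-minute buckets can be modelled in a few lines. The following is an added illustration, not code from the original article: it assumes a collector that books all bytes of a record into the bucket containing the record's end timestamp, and the function names and the 8 Mbit/s sample flow are constructed for the example.

```python
from collections import defaultdict

BUCKET = 300  # seconds: the 5-minute analytics bucket from the text


def export_records(start, end, rate_bps, active_timeout):
    """Records an exporter emits for one constant-rate flow: one each time
    the active timeout expires, plus a final one when the flow ends."""
    records, t = [], start
    while t < end:
        t_next = min(t + active_timeout, end)
        nbytes = rate_bps * (t_next - t) // 8
        records.append((t, t_next, nbytes))  # (first_seen, last_seen, bytes)
        t = t_next
    return records


def bucketize(records):
    """ASSUMED collector behaviour: all bytes of a record are booked into
    the bucket that contains the record's end timestamp."""
    buckets = defaultdict(int)
    for _first, last, nbytes in records:
        buckets[last // BUCKET * BUCKET] += nbytes
    return dict(buckets)


def peak_mbps(buckets):
    """Highest apparent rate over any single bucket, in Mbit/s."""
    return max(buckets.values()) * 8 / BUCKET / 1e6


def report(active_timeout, start=0, end=1800, rate_bps=8_000_000):
    """Constructed sample: one steady 8 Mbit/s flow lasting 30 minutes."""
    buckets = bucketize(export_records(start, end, rate_bps, active_timeout))
    return {"buckets_with_data": len(buckets), "peak_mbps": peak_mbps(buckets)}


if __name__ == "__main__":
    for timeout in (1800, 60):
        print(f"active timeout {timeout:>4}s -> {report(timeout)}")
```

With an 1800-second timeout the flow is invisible for 30 minutes and then shows up as a single 48 Mbit/s spike, which is exactly the kind of artifact that distorts volumetric alert thresholds. With 60 seconds, no bucket exceeds the true 8 Mbit/s.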

How to check for flow generation failures

Most major vendors give you tools to see if you’re dropping flow records at the source:

  • Nokia: show router flow-export statistics
  • Juniper: show services flow-monitoring statistics
  • Cisco: show flow exporter statistics
  • Huawei: display netstream statistics export

Check these regularly, especially if traffic volume has changed recently.

Recommended config summary

Parameter          Recommended value   Why it matters
Sampling rate      1:1000              Balanced accuracy and router performance
Inactive timeout   15 seconds          Flush idle flows quickly to free buffer
Active timeout     60 seconds          Clean 5-minute time buckets, avoid overflow

Vendor config quirks

Each vendor has their own flavor of config:

  • Nokia: Look for sampling, active-timeout, inactive-timeout under flow-export
  • Juniper: Uses flow-monitoring and export-profile definitions
  • Cisco: Classic NetFlow or Flexible NetFlow; keep an eye on buffer size
  • Huawei: NetStream config; especially check active/inactive timeouts

Always validate configs against your version’s documentation.

Avoid redundant sampling

If you’re sampling on both ingress and egress interfaces, you’re doing double the work (and seeing double the data!). We recommend ingress-only. It’s the earliest point you can capture a flow, and it prevents duplication.

Ditch the default

Default configurations are not your friend. They are built for generic scenarios and not optimized for the accurate, actionable analytics we all depend on.

Take the time to check, tweak, and validate your exporter configuration. The benefits will ripple through the whole system: from better performance monitoring to more accurate security insights.
