In addition to tracking the number of packets or bytes per second for a variety of traffic types (predefined and flexible), FastNetMon can calculate the number of incoming and outgoing flows per second for each IP address.
This capability is enabled by default, and you can confirm that it is enabled this way:
sudo fcli show main enable_connection_tracking
After that, you can see the total number of flows per second in your network:
sudo fcli show total_traffic_counters
incoming traffic 63676 pps
incoming traffic 573 mbps
incoming traffic 771 flows
outgoing traffic 24668 pps
outgoing traffic 50 mbps
outgoing traffic 762 flows
internal traffic 362 pps
internal traffic 0 mbps
other traffic 6475 pps
other traffic 70 mbps
In addition to total counters, we maintain flow / second counters for all the hosts in your network:
sudo fcli show host_counters incoming flows
10.1.2.237 6406 pps 61 mbps 33 flows/s
10.1.2.236 5494 pps 53 mbps 32 flows/s
10.1.2.238 5951 pps 52 mbps 31 flows/s
10.1.2.235 4470 pps 42 mbps 30 flows/s
10.1.2.88 454 pps 2 mbps 20 flows/s
10.1.2.93 748 pps 5 mbps 11 flows/s
10.1.2.85 529 pps 5 mbps 5 flows/s
10.1.2.77 689 pps 6 mbps 3 flows/s
10.1.2.139 357 pps 2 mbps 2 flows/s
10.1.2.185 236 pps 1 mbps 2 flows/s
Optionally, you can get this counter for a specific host:
sudo fcli show single_host_counters 10.1.2.236
dropped_in_bytes 0
dropped_in_packets 0
dropped_out_bytes 0
dropped_out_packets 0
fragmented_in_bytes 0
fragmented_in_packets 0
fragmented_out_bytes 0
fragmented_out_packets 0
icmp_in_bytes 131
icmp_in_packets 0
icmp_out_bytes 1051
icmp_out_packets 0
in_bytes 7870565
in_flows 35
in_packets 6282
out_bytes 756743
out_flows 28
out_packets 2560
tcp_in_bytes 4103972
tcp_in_packets 3005
tcp_out_bytes 133730
tcp_out_packets 1493
tcp_syn_in_bytes 556569
tcp_syn_in_packets 456
tcp_syn_out_bytes 48821
tcp_syn_out_packets 279
udp_in_bytes 3766431
udp_in_packets 3261
udp_out_bytes 621930
udp_out_packets 1043
It is implemented via a capability called connection tracking. FastNetMon accumulates all unique 5-tuples (source IP, destination IP, source port, destination port and protocol number) for each IP address which belongs to your network and calculates their number for each second. It is a pretty CPU-intensive operation, and you can track its performance using the following command:
sudo fcli show system_counters | grep flow_counters_calculation_time
ipv4_local_host_flow_counters_calculation_time 0.000188
By default we use the 5-tuple to calculate unique flows, but you can optionally change this logic to avoid using ports and stick with a 3-tuple (source IP, destination IP, protocol):
sudo fcli set main connection_tracking_skip_ports true
sudo fcli commit
With this capability enabled, the flow / second metric will calculate the number of unique IPs which contacted your network per second.
Please note that if your network telemetry protocol uses any kind of sampling, then you will not have flow / second counters working.
In the majority of cases, sampling on switches and routers is implemented on a per-packet basis. For example, when a router observes 1000 packets and the sampling rate is set to 1:1000, it will send only a single flow to FastNetMon.
FastNetMon can recover the bytes per second and packets per second rates by multiplying the length of this flow by the sampling rate.
Unfortunately, flow / s information cannot be recovered in a similar way. All these 1000 packets may equally belong to just a single flow, or they may be 1000 unique flows. So we cannot get flow / second counters in this case.
If you can accept such inaccuracy, you can multiply the flow / s rate calculated by FastNetMon by the sampling rate used in your network, but it will be mathematically inaccurate.
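The connection tracking and sampling passages above, as an added Python sketch that is not FastNetMon's own code: it counts unique incoming 5-tuples (or 3-tuples) per local host for one second of packets, then shows that two very different traffic mixes look identical after 1:1000 packet sampling. The prefix `LOCAL_NET`, the function names and the packet lists are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("10.1.2.0/24")  # assumed local prefix

def flows_per_host(packets, skip_ports=False):
    """Unique incoming flows per local destination IP for one second.

    packets: list of (src_ip, dst_ip, src_port, dst_port, proto) tuples.
    skip_ports=True mirrors the 3-tuple mode (source IP, destination IP, protocol).
    """
    seen = defaultdict(set)
    for src, dst, sport, dport, proto in packets:
        if ipaddress.ip_address(dst) not in LOCAL_NET:
            continue  # only hosts in our own network get counters
        key = (src, dst, proto) if skip_ports else (src, dst, sport, dport, proto)
        seen[dst].add(key)
    return {host: len(keys) for host, keys in seen.items()}

def sample(packets, rate):
    """Deterministic 1:rate packet sampling: keep every rate-th packet."""
    return packets[rate - 1::rate]

def estimate(sampled, rate):
    """Scale sampled data back up: pps is recoverable, the flow count is not."""
    return {"pps": len(sampled) * rate,
            "flows_seen": sum(flows_per_host(sampled).values())}

# Constructed one-second captures, 1000 packets each, to the same local host.
# ONE_FLOW: a single TCP connection sending 1000 packets.
ONE_FLOW = [("198.51.100.7", "10.1.2.236", 40000, 443, 6)] * 1000
# MANY_FLOWS: 1000 single-packet flows, each from a different source port.
MANY_FLOWS = [("198.51.100.7", "10.1.2.236", 1024 + i, 443, 6) for i in range(1000)]

if __name__ == "__main__":
    print("unsampled 5-tuple:", flows_per_host(ONE_FLOW), flows_per_host(MANY_FLOWS))
    print("unsampled 3-tuple:", flows_per_host(MANY_FLOWS, skip_ports=True))
    for name, pkts in (("one flow", ONE_FLOW), ("many flows", MANY_FLOWS)):
        print(name, "after 1:1000 sampling:", estimate(sample(pkts, 1000), 1000))
```

Both sampled captures report 1000 pps and one observed flow, so multiplying the observed flow count by the sampling rate is right for the second capture and wrong by a factor of 1000 for the first.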