Flow Collection and Retention Settings
The NTA Settings dialog provides NTA system and application settings such as logging, listening port, data retention, and data management properties.
(General Settings)
- Enter the TCP/IP port numbers or IP addresses on which the Network Traffic Analyzer collector service should listen for flow information. Network Traffic Analyzer can listen on one or more ports/IP addresses, with port 9999 being the default. If no IP address is defined, the default address of 0.0.0.0 is used. The sources sending flow information to Network Traffic Analyzer must send data using one of these port numbers and/or IP addresses.
Note: If you configure Network Traffic Analyzer to listen on more than one port, or on a port other than the default port, you should verify that the port is not being used by another service. Additionally, if you are using Windows Firewall, ensure that an exception is added to the firewall.
- Select the log level details. Each level includes higher levels of severity. For example, Verbose includes Normal and Error.
  - Error. Record log messages that are errors.
  - Normal. Record log messages with error and information-level severity.
  - Verbose. Select for the highest level of logging detail. Best for troubleshooting. This option can generate a lot of log messages and be resource intensive.
- Select how often Flow Monitor writes raw data from its sources to the database. You may select 1, 2, 3, 4, 5, or 10 minutes. By default, raw data is written to the database every 2 minutes.
Note: Modifying collection interval settings affects the granularity and sampling revealed in Network Traffic Analyzer reports. If the interval is set to five minutes, you cannot distinguish traffic collected during the first minute from traffic collected during the fourth minute.
- Resolve private address interval. When the Network Traffic Analyzer collector service encounters an IP address, it tries to determine information about the host attached to the IP address. After this information is resolved, it is stored in the Network Traffic Analyzer database. Enter the interval (in hours) that you want Network Traffic Analyzer to wait before it checks the private IP address again to resolve information that may have changed for the address. By default, private addresses are resolved every 48 hours.
- When the Network Traffic Analyzer collector service encounters an IP address, it tries to determine information about the host attached to the IP address. After this information is resolved, it is stored in the Network Traffic Analyzer database. Enter the interval (in hours) that you want Network Traffic Analyzer to wait before it checks the public IP address again to resolve information that may have changed on the address. By default, public addresses are resolved every 720 hours (30 days).
Note: Because public IP addresses are less likely to be changed, you may want to use longer intervals than used for the Resolve private address interval option.
- Expire unclassified traffic after. Enter the number of hours after which Network Traffic Analyzer should purge unclassified traffic. Unclassified traffic is traffic transmitted over ports that are currently not monitored by Network Traffic Analyzer. By default, this option is set to 0 (zero), which causes Network Traffic Analyzer to aggregate and retain data for all unclassified ports as a single value; detailed information about the individual unclassified ports over which traffic was transmitted is immediately discarded.
Note: Be cautious about increasing the Expire unclassified traffic after value because the database can grow very large as the time is increased.
Note: The collector will purge any unclassified data that has no activity after the Expire unclassified traffic after value is satisfied.
Data Retention
You can use the data retention section of the Flow Monitor Settings dialog to set data retention parameters for flow and interface data. Periodic roll-up and archival of flow data minimizes the system resources needed for data storage and improves system responsiveness during data-intensive operations.
Data retention settings
Network Traffic Analyzer allows you to manually tune data retention or to allow Network Traffic Analyzer to automatically tune the retention of flow data, which in turn actively manages the growth rate of the Network Traffic Analyzer databases.
Flow data includes many parameters (input and output interfaces, source and destination IP addresses, port numbers, byte rates, flow end times, and so on) which provide useful information at the price of storage. Rolling up the data makes for efficient storage, but there may be losses of time-related information within individual flows.
The following parameters are used to control the cleanup of flow data.
- When selected, Network Traffic Analyzer optimizes the flow data cleanup settings. This helps manage database size with regard to system performance. This is set by default.
- Use this option to determine the percentage of raw traffic the collector will write to the database. You must clear the check box for access to this setting.
Note: While the default settings for data cleanup are conservative, modifying the roll-up settings can directly affect the size of the Network Traffic Analyzer databases and the performance of the application. We recommend that you modify these settings cautiously, and monitor the effects of changes to these settings on database size and application performance.
Note: When you place the cursor in a box to change a value, a message appears at the bottom of the dialog. This message provides information about the number and percentage of the recommended maximum flow records being stored in the Network Traffic Analyzer data and archive databases. As you make changes, the message predicts how the change affects the number of records stored in the Network Traffic Analyzer data and archive databases.
- Enter the number of hours of raw flow data you would like to maintain. This setting establishes a sliding time window of raw data that spans the specified period. Raw data that reaches the end of the period is rolled up. The roll-up of raw data happens every hour on the hour. After data has been rolled up, Network Traffic Analyzer can only report using the hourly summations. By default, raw data is rolled up after 4 hours.
- Enter the number of days you would like to maintain hourly data. This setting establishes a sliding time window of hourly data that spans the specified number of days. As hourly data ages beyond this period, it is rolled up. The roll-up of hourly data takes place daily. After hourly data is rolled up, Network Traffic Analyzer can only report aggregated totals for the entire 24-hour block of time. By default, hourly data is maintained for one day.
- Enter the number of days of daily data you would like to maintain before archiving. As daily data ages beyond this period, it is archived. Network Traffic Analyzer continues to have visibility into archived data with some restrictions. By default, daily data is archived after three days. This is implemented using a sliding time window of daily data. For example, if you save one day's data before archiving, the period covers all data from 24 hours in the past until now.
- Enter the number of days of daily data you would like to maintain in the archive database. This setting establishes a sliding time window of archived daily data that spans the specified number of days. As the archived daily data ages beyond this period, it is purged from the database. After archived data is purged, Network Traffic Analyzer can no longer report on the data. By default, archive data is purged from the database after seven days.
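The retention windows above determine how far back an investigation can look and at what time resolution. The following sketch is an added example, not code from the product: it maps the age of an event to the finest data stage still available under the default values stated on this page. The names `Retention`, `stage_for` and `can_separate` are hypothetical, and the code assumes every window is measured as age back from the present and ignores the delay until the next scheduled roll-up.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Retention:
    # Defaults are the values stated on this page.
    collection_interval_min: int = 2
    raw_hours: int = 4
    hourly_days: int = 1
    daily_days: int = 3
    archive_days: int = 7

    def stages(self):
        """(name, max_age_hours, bucket_minutes), finest first.

        Assumption: every window is measured as age back from now.
        """
        return [
            ("raw", self.raw_hours, self.collection_interval_min),
            ("hourly", self.hourly_days * 24, 60),
            ("daily", self.daily_days * 24, 24 * 60),
            ("archive", self.archive_days * 24, 24 * 60),
        ]


def stage_for(age_hours, cfg=Retention()):
    """Finest stage still holding traffic of this age, or None once purged."""
    for name, max_age, bucket in cfg.stages():
        if age_hours < max_age:
            return name, bucket
    return None


def can_separate(age_hours, gap_minutes, cfg=Retention()):
    """True if two events gap_minutes apart are guaranteed to fall in
    different report buckets at the resolution still retained."""
    hit = stage_for(age_hours, cfg)
    return hit is not None and gap_minutes >= hit[1]


if __name__ == "__main__":
    # Constructed incident ages, in hours before now.
    for age in (1, 6, 30, 100, 200):
        print(f"{age:>4} h ago -> {stage_for(age)}")
    # With a 5-minute collection interval, events 3 minutes apart blur together.
    print(can_separate(1, 3, Retention(collection_interval_min=5)))
```

With the defaults, per-interval detail is gone after 4 hours and all data is gone after 7 days, so flow records needed for an investigation have to be exported before those windows close.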