Learning more about the Flow Monitor Others report category

What is the "Others" application category on Flow Monitor reports?

The optional Others row in each Flow Monitor Interface Details report displays a summation of all of the unspecified items data of each report category. The unspecified items are those items not specifically displayed in the top "n" items. The Others row provides a comparison between the specified items, or top "n" items selected for display, and the rest of the traffic on the interface. When displayed, the Others row provides a perspective of the relative size of the specified items in comparison to the total traffic on the interface.

The Others setting is available to provide a contrast to the top protocols listed above in the report and to show the rest of the traffic on the interface. It is not unusual, to see a higher percentage of interface traffic in the Others category.

Others is calculated as the difference between the interface traffic coming from the Interface Traffic table with respect to the flows coming from the Flow table in the corresponding report:

Others = Interface traffic - sum of the report items not in the Others report category (including possible filters)

How does Other information display in a Flow Monitor report?

Each report shows traffic items (ports, applications, sources, etc...) in descending order until you reach the configured displayed items ("n") limit. If you increase the displayed report items limit to 30, for example, the report will show more item categories and Others will contain less of the overall traffic in the report (because the items that were previously grouped into the Others category will instead be displayed in the report). Remember, however, that the purpose of the top "n" reports is to show those few items that are being highly/over utilized so that you can determine if corrective action needs to be taken. The top reports are not for displaying all of the Netflow traffic items during the specified time.

Why is the Others data sometimes larger than expected?

Flow data is rolled up more frequently than interface traffic. Flow data is moved to the archive database (NFArchive) after few days while interface data is kept in the Netflow database (NetFlow) longer. Flow data is even deleted after 7 days or so in the archive database.

Flows are kept in the NetFlow database for the sum of the data retention periods (raw, hourly and daily). But interface details report does not query both databases at the same time, only one database at the time, depending on the date range. So, if the date range includes a time where flows are in the current database, it will query only the current database. With Others report data potentially coming from two different sources (depending on the date range): one data source that is actively polling devices and another data source that provides the flow data based on the sum of the flows per device interface, this can result in some lost data details in the Others application category.

We recommend carefully considering how far back in time you search to evaluate interface details traffic. If this information is required on a routine basis, we recommend changing the data rentention time in the Flow Monitor Settings dialog. However, if you are receiving a lot of network flow data, keep in mind that flow data is much larger (easily 1000 times) than total interface data, so increasing the data retention time will have a significant effect on the database size and how rapidly the data expands.

Also, in sampled NetFlow environments such as SFlow, because the network flow is sampled at intervals, we do not get the complete picture of flow data. Because of this, the Others category can be much larger percentage of the interface traffic.