Flows in Bytes per second or bits per second

[techteamz-io]

Hi,

how can I translate the "Bytes" field to "Bytes per second" or "bits per second" to know the bandwidth of an interface (in_if, out_if)?. In the data provided by goflow2 time_flow_start_ns and time_flow_end_ns are the same so can not calculate it.

Thanks

[lspgn]

Hi, You need a tool to aggregate the samples in a bucket and calculate how many bytes per interval. For IPFIX/NetFlow samples, unlike sFlow, they contain a non null interval but you would still need to aggregate per interface.

This can be done using additional tools and a database like ClickHouse. Check out the compose folder. There are dashboards that will show you this info. It is not possible to do it with just GoFlow2.

[techteamz-io]

Thanks for the explanation, I'm using Sflow streams and feeding logstash/opensearch, do you know why time_flow_start_ns and time_flow_end_ns are equal? should I use the opensearch timestamp?

[lspgn]

do you know why time_flow_start_ns and time_flow_end_ns are equal?

This is pretty much because sFlow is a packet sent at a specific time. It is now a "flow" per se, unlike NetFlow/IPFIX which can contain multiple packets over an interval. This is why the start and end are the same.

[lspgn]

Closing. Feel free to re-open if you have more questions.