ExtremeAnalytics Bidirectional Flow Table
This table on the Application Flows tab displays bidirectional flow data that is stored in memory. Use it to view aggregated flow data for a given client, server, server port, application, and protocol. All matching flows are aggregated to show the flow count, total duration, amount of data transmitted, and additional information. The bidirectional report presents flow data for real-time troubleshooting purposes, and is not designed for historical long-term flow collection. A check mark in the table denotes a tracked application or a tracked site.
By default, the top 100 entries are displayed in the table. However, you can change this value using the Max Rows field at the bottom of the view.
Text at the bottom of the table shows:
- The CSV Export icon - allows you to save report data to a CSV file and to provide report data in table form
- Aggregate Flows data - uses an X number of days, hh:mm:ss format and includes Current Load and Peak Load calculations in flows per second
Following are definitions for the table columns:
Rest the cursor over the first column in the table and select the arrow to open the Flow Summary window. Flow summary information can include response times, Uniform Resource Identifier, and header data for the flow. In the Flow Summary window, use the Menu icon to access additional functionality, such as the ability to modify the application fingerprint or create a policy rule.
Flows
The number of base flows included in the aggregate flow. Select a link in the Flows column to open a Flow Details tab that displays the individual flows that contributed to the aggregate flow.
Client Address
The IP address or hostname of the system where the flow originated. Select the Client address link to open a PortView for the client (if it is in the database) or a PortView for the switch configured as the NetFlow sensor.
Server Address
The IP address or hostname of the server handling the flow.
Server Port
Either the TCP or UDP port on the server handling the flow.
Application
The name of the application as identified by the ExtremeAnalytics engine using the Fingerprint database.
Application Group
The flow application group to which the application belongs.
Application Info
Additional information about the flow provided by the ExtremeAnalytics engine. Hover over the flow and a table of the information displays.
Type
The content type of a flow, such as sound, video, or text. Select the Type icon to open the flow's URI.
Network Response
The response time (in milliseconds) that it took for the TCP request to complete.
Application Response
The response time (in milliseconds) that it took the application request to complete.
Site
The name of the site that matches the client's IP address.
Detailed Site
The client's switch IP and switch port (wired), or controller IP, AP, and SSID (wireless).
Device Family
The operating system family for the client end-system.
User
The username used when the client system connected.
Profile
The ExtremeCloud IQ Site Engine profile assigned to the client end-system.
Threat
Indicates if the flow contains potential threat activity from IP addresses known to be suspicious. IP addresses can be flagged as suspicious for a variety of reasons, including forced IP anonymity through the use of a Tor exit node, being listed as a threat by the Emerging Threats project, or classified as suspicious by internet users.
Protocol
The connection type protocol used by the flow.
Last Seen Time
The last time a unidirectional (base) flow was aggregated into this bidirectional flow.
Duration
The duration of a bidirectional (aggregate) flow is the sum of the durations of the unidirectional (base) flows that make up the bidirectional flow. The duration of a bidirectional flow can be greater than or less than the period of time indicated by the First Seen and Last Seen Time. This is because there can be times during that time period when no flow is active or when several flows are active at the same time.
NOTE: The duration of a bidirectional flow can be greater than the period of time between the First Seen and Last Seen Time columns because it is the sum of all flow records for a client and a server on a server port. For a flow that lasts for 60 seconds, there are two flow records (a client to server flow and a server to client flow), so the total duration can exceed 60 seconds. Multiple simultaneous connections from the client to the same server port (e.g. multiple browser windows open to a web-based email client) can also increase the duration.
Rate
The average bandwidth for the flow based on the total flow duration. Because bandwidth calculations are based on the total duration (not on the First Seen and Last Seen Time), they represent the average throughput for each flow considered separately, not as an aggregate.
Tx Packets
The number of packets transmitted for this flow. For flows collected via Application Telemetry, this number can be estimated.
Rx Packets
The number of packets received for this flow. For flows collected via Application Telemetry, this number can be estimated.
Tx Bytes
The number of bytes transmitted for this flow. For flows collected via Application Telemetry, this number can be estimated.
Rx Bytes
The number of bytes received for this flow. For flows collected via Application Telemetry, this number can be estimated.
Traffic Records
The number of records received in each flow.
Flow Source
The IP address of the NetFlow source switch, Application Telemetry source switch, or wireless controller sending the NetFlow data to the NetFlow collector.
Input Interface
The interface receiving the flow on the NetFlow sensor.
Output Interface
The interface transmitting the flow on the NetFlow sensor.
Client TOS
The DSCP (Diffserv Codepoint) value for the client to server flow. The TOS/DSCP value is used to configure quality of service for network traffic.
Server TOS
The DSCP (Diffserv Codepoint) value for the server to client flow. The TOS/DSCP value is used to configure quality of service for network traffic.
TTL
The TTL (IP Time to Live) value of the flow. The TTL field indicates the maximum number of router hops the packet can make before being discarded. The TTL field is set by the packet sender and reduced by every router on the route to its destination. When the value hits zero, the packet is dropped.
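The Duration and Rate definitions above can be checked with a small aggregation, shown here as an added example (not ExtremeAnalytics code). The record fields, the sample addresses, and the rate formula (total bits divided by summed duration) are assumptions made for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class BaseFlow(NamedTuple):
    """One unidirectional (base) flow, already normalized to client/server.
    Field names are assumptions, not the product's schema."""
    client: str
    server: str
    server_port: int
    application: str
    protocol: str
    start: float   # seconds
    end: float     # seconds
    octets: int

def aggregate(base_flows):
    """Aggregate base flows per (client, server, server port, application, protocol)."""
    groups = defaultdict(list)
    for f in base_flows:
        groups[f[:5]].append(f)
    out = {}
    for key, flows in groups.items():
        duration = sum(f.end - f.start for f in flows)       # sum of base durations
        window = max(f.end for f in flows) - min(f.start for f in flows)
        bits = 8 * sum(f.octets for f in flows)
        out[key] = {
            "flows": len(flows),
            "duration": duration,
            "window": window,                                # Last Seen - First Seen
            "rate_bps": bits / duration if duration else 0.0,
            "window_rate_bps": bits / window if window else 0.0,
        }
    return out

# Constructed sample data (documentation address ranges).
WEB = ("10.0.0.5", "192.0.2.10", 443, "HTTPS", "TCP")
DNS = ("10.0.0.5", "192.0.2.53", 53, "DNS", "UDP")
SAMPLE = [
    BaseFlow(*WEB, 0, 60, 6000),     # one 60 s connection, client to server
    BaseFlow(*WEB, 0, 60, 54000),    # same connection, server to client
    BaseFlow(*DNS, 0, 5, 1000),      # short exchange, both directions
    BaseFlow(*DNS, 0, 5, 1000),
    BaseFlow(*DNS, 100, 105, 1000),  # second exchange after 95 s of idle time
    BaseFlow(*DNS, 100, 105, 1000),
]

if __name__ == "__main__":
    for key, row in aggregate(SAMPLE).items():
        print(key, row)
```

The first aggregate has a duration of 120 seconds inside a 60-second window, and the second has a duration of 20 seconds inside a 105-second window, so a rate computed over the summed duration differs from one computed over the First Seen to Last Seen window in both directions.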