CySight

Flows per second can be misleading because it doesn't account for factors like flow retention rate, alerting speed, reporting flexibility, and scalability under high-flow variance or bursts. A high flows-per-second rate doesn't guarantee the ability to retain or analyze flows effectively for tasks like anomaly detection or network forensics.

You should consider flow retention rate per minute, the impact of high-flow variance or sudden bursts, the ability to handle multiple devices and interfaces, reporting speed over time, and the capacity to retain short-term and historical collections. These factors collectively determine the tool's scalability.

Small flows, such as those from DDoS attacks or botnets, can cause significant network issues but are often overlooked by netflow analyzers that focus only on top bandwidth abusers. Many tools lack the granularity to capture and analyze these small flows, leaving organizations vulnerable to risks.

Ask about the burst vs. sustained flows-per-second rate, how flow variance (e.g., DDoS) affects collection and retention, the impact of adding devices/interfaces or extra fields (e.g., MPLS, URL), and how many flow records are retained per minute. Also, inquire about the flow retention logic and data granularity over time.

Flow retention logic determines which flows are stored for analysis. Some tools only retain top bandwidth users, missing critical small flows. Understanding this logic is essential because you can only analyze what has been retained, and poor retention can leave blind spots in network visibility.

Yes, some netflow tools reduce the time granularity of retained data as it ages. For example, data might be stored per minute for the first day, per hour for the next two days, and per quarter for older data. This degradation can limit historical analysis capabilities.