The resources required to collect, decode, and process flow records depend on the type of record (NetFlow, IPFIX, or sFlow) and the specific contents of those records.
Decoding and processing flow records is primarily a CPU-bound workload. While various factors will affect throughput, the following table provides guidance on the expected throughput per core on current server-class processors.
As mentioned, the above values are an approximate range of records per second. Depending on the specific content of the flow records in a given environment, and the actual performance of the CPU, real-world throughput may be lower (or higher) than the indicated range.
The collector caches various pieces of information, such as NetFlow v9 and IPFIX templates, DNS names, interface names, and more. This cached data is held in memory. Memory usage is generally less than 1-2 GB. However, environments that observe a high number of public IP addresses, and for which the MaxMind or RiskIQ enrichment options are enabled, will have higher memory requirements.
The high volume of UDP packets experienced in many environments, combined with less than optimal default Linux kernel network parameters, can result in kernel buffer overflows and dropped packets. To minimize the chance of such data loss, especially during sudden peaks in packet volume, the Linux kernel network parameters should be modified as shown in the following examples.
The recommended settings should be added to a file in /etc/sysctl.d so that they are applied automatically when the system boots.
For light to moderate ingest rates (less than 75000 flows per second):
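The original document's recommended figures are not reproduced here; the following is an illustrative sketch of the kind of settings involved. The filename and all values are assumptions (commonly used starting points sized around a 32 MB UDP receive buffer), not vendor recommendations.

```
# /etc/sysctl.d/90-flow-collector.conf  (filename is an assumption)

# Maximum and default socket receive buffer sizes (32 MB, illustrative)
net.core.rmem_max = 33554432
net.core.rmem_default = 33554432

# Allow more packets to queue per interface before the kernel drops them
net.core.netdev_max_backlog = 10000
```

After creating or editing the file, the settings can be applied without a reboot by running `sysctl --system` as root.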
For heavy ingest rates (more than 75000 flows per second):
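Again, the specific values here are illustrative assumptions rather than the document's actual recommendations. At higher ingest rates the same parameters are typically raised further, for example to a 128 MB receive buffer and a deeper input backlog.

```
# /etc/sysctl.d/90-flow-collector.conf  (filename is an assumption)

# Maximum and default socket receive buffer sizes (128 MB, illustrative)
net.core.rmem_max = 134217728
net.core.rmem_default = 134217728

# Deeper per-interface input queue to absorb sudden packet bursts
net.core.netdev_max_backlog = 100000
```

Kernel buffer drops can be monitored after the change, for example via the UDP receive-error counters reported by `netstat -su`, to confirm whether the sizing is adequate for the environment.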