This article provides a basic introduction to Kentik Detect, with answers to the following questions:
Kentik Detect is an open, scalable platform for collecting, analyzing, and visualizing network traffic and performance. Providing instant access to both real-time and historical data, Kentik Detect alerts operators to performance issues and attacks while providing fast, simple tools that help isolate, identify, and explain unusual activity or behavior. Our purpose-built data platform sets up in minutes and integrates with each operator’s own tools and systems using Kentik REST APIs. The Kentik Detect portal is a Web-based user interface that allows you to configure, query, and control alerts, mitigation, and tuning.
The main data source for Kentik Detect is “flow” data. A flow is a collection of packets that traverses a device, such as a router, switch, or host, and shares certain properties including protocol and source and destination IP address (see About Flow). If a given device is configured to enable it, flow data can be collected in a cache and exported by sending it to a specified destination (e.g. Kentik Detect) at a specified interval. The primary protocols in use for flow are sFlow, IPFIX, and NetFlow version 9 or version 5.
The flow data collected by Kentik Detect is augmented with a variety of additional data that is correlated and stored in time series flow records within the Kentik Data Engine, Kentik Detect’s distributed back end. These data types include the following (for a more detailed look at what’s stored in KDE, see Main Table Schema).
- SNMP: Used to determine interface names/descriptions and to validate flow levels (see SNMP OID Polling).
- GeoIP: Used to determine country, region, and city of flow source and destination.
- BGP: Correlated with flow data to extract source and destination AS Path and community information on a per-flow basis (see BGP Overview), enabling features such as Peering Analytics.
- Host traffic data: Correlated with flow data to provide information from hosts, including URLs, DNS queries, and performance information (retransmits, fragments, etc.). See Host Traffic Dimensions and Host Traffic Metrics.
- Threat feeds: Obtained daily from Spamhaus and correlated with flow data to identify source and destination hosts and IPs that have been identified as a security threat (see Threat Feed Columns).
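As an added example (not Kentik's code), the two steps described above in Python: packets sharing a 5-tuple are collapsed into flow records the way a device's flow cache does, then each record's source and destination IP is correlated with a threat feed. The packet fields, the feed format (a list of CIDR blocks) and all function names are assumptions; the sample packets and feed are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample packets: (proto, src_ip, dst_ip, src_port, dst_port, bytes)
PACKETS = [
    ("tcp", "10.0.0.5", "203.0.113.9", 51000, 443, 1200),
    ("tcp", "10.0.0.5", "203.0.113.9", 51000, 443, 800),
    ("udp", "10.0.0.7", "198.51.100.20", 40000, 53, 90),
    ("tcp", "192.0.2.77", "10.0.0.5", 4444, 22, 60),
    ("tcp", "192.0.2.77", "10.0.0.5", 4444, 22, 60),
]

# Constructed threat feed: CIDR blocks listed as hostile (assumed feed format).
THREAT_FEED = ["192.0.2.0/24", "198.51.100.20/32"]


def aggregate_flows(packets):
    """Collapse packets sharing the same 5-tuple into one flow record each."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for proto, src, dst, sport, dport, size in packets:
        rec = flows[(proto, src, dst, sport, dport)]
        rec["packets"] += 1
        rec["bytes"] += size
    return [dict(proto=k[0], src=k[1], dst=k[2], sport=k[3], dport=k[4], **v)
            for k, v in flows.items()]


def enrich_with_threat_feed(flows, feed):
    """Tag each flow whose source or destination IP falls inside a listed block."""
    nets = [ipaddress.ip_network(n) for n in feed]

    def hit(addr):
        ip = ipaddress.ip_address(addr)
        return next((str(n) for n in nets if ip in n), None)

    for f in flows:
        f["src_threat"] = hit(f["src"])
        f["dst_threat"] = hit(f["dst"])
    return flows


def flagged_flows(packets=PACKETS, feed=THREAT_FEED):
    """Return only the flow records that touch a threat-feed entry."""
    flows = enrich_with_threat_feed(aggregate_flows(packets), feed)
    return [f for f in flows if f["src_threat"] or f["dst_threat"]]


if __name__ == "__main__":
    for f in flagged_flows():
        print(f)
```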
Kentik Detect can receive flow from sources including routers and switches (directly) as well as hosts/servers (via an agent). Host monitoring provides enhanced debugging of performance issues because data from the host agent enables display and analysis of TCP retransmits per flow.
Flow data may come to Kentik Detect from any of the following sources:
- Direct: From routers or switches directly to Kentik Detect servers (see About Devices).
- Host agent: From hosts that are monitored using kprobe, Kentik’s software host agent (see Host Configuration).
- Proxy agent: From routers or switches via a locally hosted instance of chfagent, Kentik’s NetFlow Proxy Agent, which can be configured to collect, munge, encrypt, and redirect both flow and SNMP.
Kentik Detect provides three ways to access and view your stored traffic data (flow records, BGP, etc.):
- Portal: Access via the views available in the Kentik Detect portal (UI), including the Data Explorer, Dashboards, and the Query Editor.
- APIs: Access via one of the Kentik V5 APIs; see About the V5 APIs.
- SQL: Access via a PostgreSQL interface to Kentik Data Engine (KDE), Kentik’s flow datastore engine (see KDE Overview).
The following resources should help you get up to speed with Kentik Detect:
- Check the rest of this Knowledge Base for helpful information on the setup and use of Kentik Detect, including administration (e.g. adding devices and users), querying, and peering analytics. To find a specific topic, check the Contents tab or use the Search tab in the sidebar at left.
- We’re happy to answer any questions you may have about setting up and using Kentik Detect. See Customer Support.
Ready to get started? See Kentik Quick Start.