Network Classification
Note: These settings are accessed via the Admin menu, which is displayed to Admin users only (hidden from Member users).
Network Classification is covered in the following topics:
About Network Classification
General information about network classification is provided in the following topics:
Network Classification Overview
Network classification uses source and destination information related to IPs and ASes to determine the direction of network traffic with respect to your network. The following types of classification are supported:
Network Classification Dimensions
The two categories of Network Classification directionality listed above are supported by several Network Classification Dimensions that can be applied to each flow as it is ingested into the main tables of KDE:
The dimensions described above are available throughout Kentik Detect as:
Note: The use of Network Classification in Alerting enables you to monitor traffic that comes from outside the network separately from traffic that is internal to the network.
Traffic Profile
This dimension categorizes traffic into the following specific directionalities:
Simple Traffic Profile
This dimension, primarily used in Kentik v4 (e.g. Network Explorer, Insights & Alerting), categorizes traffic into the following general directionalities, which are illustrated in the diagram below:
The key to accurate assignment of a Simple Traffic Profile value is to thoroughly apply both Network Classification and Interface Classification. The table below shows how the values of other dimensions in the same flow record are evaluated to determine the Simple Traffic Profile value for a given flow.
If... | ...and... | ...then Simple Traffic Profile is: |
Traffic Profile is not Internal Cloud | Network Boundary is External; and Ultimate Exit Network Boundary is Internal | Inbound |
Traffic Profile is not Internal Cloud | Network Boundary is External; and Ultimate Exit Network Boundary is None; and Traffic Termination is Inside | Inbound |
Traffic Profile is not Internal Cloud | Traffic Termination is AWS; and Cloud Provider is not null | Inbound |
Traffic Profile is not Internal Cloud | Traffic Termination is Azure; and Cloud Provider is not null | Inbound |
Traffic Profile is not Internal Cloud | Traffic Termination is IBM Cloud; and Cloud Provider is not null | Inbound |
Traffic Profile is not Internal Cloud | Traffic Termination is GCP; and Cloud Provider is not null | Inbound |
Traffic Profile is not Internal Cloud | Traffic Origination is Inside; and Destination Network Boundary is External | Outbound |
Traffic Profile is not Internal Cloud | Traffic Origination is AWS; and Cloud Provider is not null | Outbound |
Traffic Profile is not Internal Cloud | Traffic Origination is Azure; and Cloud Provider is not null | Outbound |
Traffic Profile is not Internal Cloud | Traffic Origination is IBM Cloud; and Cloud Provider is not null | Outbound |
Traffic Profile is not Internal Cloud | Traffic Origination is GCP; and Cloud Provider is not null | Outbound |
Network Boundary is External | Ultimate Exit Network Boundary is External | Through |
Traffic Termination is Outside | Network Boundary is External; and Ultimate Exit Network Boundary is None | Through |
Traffic Profile is Internal | Network Boundary is not External; and Destination Network Boundary is not External | Internal |
Traffic Profile is Internal Cloud | Network Boundary is not External; and Destination Network Boundary is not External | Internal |
None of the above | None of the above | Other (see Traffic Classified as Other) |
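The decision table above, written out as a first-match rule list in Python and applied to a few flow records. This is an added example, not Kentik's code: the dict keys are hypothetical field names, the sample records are constructed, and evaluating the rows top to bottom with the first match winning is an assumption.

```python
# Added example: the Simple Traffic Profile table as a first-match rule list.
# Dict keys are hypothetical field names, not Kentik identifiers.
CLOUDS = {"AWS", "Azure", "IBM Cloud", "GCP"}

def simple_traffic_profile(flow):
    """Classify one flow record (a dict) per the table's rows, top to bottom."""
    tp = flow.get("traffic_profile")
    nb = flow.get("network_boundary")
    dst_nb = flow.get("dst_network_boundary")
    # Assumption: an absent Ultimate Exit boundary is the table's "None".
    ue_nb = flow.get("ultimate_exit_network_boundary") or "None"
    orig = flow.get("traffic_origination")
    term = flow.get("traffic_termination")
    cloud = flow.get("cloud_provider")  # Python None models "null"

    if tp != "Internal Cloud":  # guard shared by every Inbound/Outbound row
        if nb == "External" and ue_nb == "Internal":
            return "Inbound"
        if nb == "External" and ue_nb == "None" and term == "Inside":
            return "Inbound"
        if term in CLOUDS and cloud is not None:
            return "Inbound"
        if orig == "Inside" and dst_nb == "External":
            return "Outbound"
        if orig in CLOUDS and cloud is not None:
            return "Outbound"
    if nb == "External" and ue_nb == "External":
        return "Through"
    if term == "Outside" and nb == "External" and ue_nb == "None":
        return "Through"
    if tp in ("Internal", "Internal Cloud") and nb != "External" and dst_nb != "External":
        return "Internal"
    return "Other"

def other_share(flows):
    """Fraction of flows that fall through to Other (a classification-gap signal)."""
    profiles = [simple_traffic_profile(f) for f in flows]
    return profiles.count("Other") / len(profiles) if profiles else 0.0

# Constructed sample records, for illustration only.
SAMPLE_FLOWS = [
    {"network_boundary": "External", "ultimate_exit_network_boundary": "Internal"},
    {"traffic_origination": "Inside", "dst_network_boundary": "External"},
    {"traffic_profile": "Internal Cloud", "traffic_termination": "AWS",
     "cloud_provider": "aws", "network_boundary": "Internal",
     "dst_network_boundary": "Internal"},
    {"network_boundary": "Internal"},  # nothing else classified -> Other
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(simple_traffic_profile(f), f)
    print("Other share:", other_share(SAMPLE_FLOWS))
```

The third sample record shows why the "not Internal Cloud" guard matters: without it, a cloud-to-cloud flow terminating in AWS would be counted as Inbound rather than Internal.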
Traffic Classified as Other
Ideally, most traffic flows are assigned a Simple Traffic Profile of Inbound, Outbound, Internal, or Through. The most common reasons for traffic to be assigned a profile of Other are as follows:
Network Directionality Use Case
One application of Network Classification is to use the Network Directionality dimensions to investigate spikes in traffic. Suppose, for example, that we used Data Explorer to run a query for top-X customers, and the resulting graph revealed a big spike in flows to a customer called Pear, Inc. (as shown below).
To dig deeper into this anomaly, we’d start in the table (not shown) beneath the graph in the Explorer display area. Clicking the Action menu at the right of the row corresponding to Pear, Inc., we choose Show By to open the Show By Dimensions dialog, then choose one of our new Network Classification dimensions, Traffic Origination (listed under Source). After closing the dialog by clicking the Show By Selected Dimensions button, we re-run the query. In the resulting graph (below) we can now see that the spike is made up of traffic that originated outside of our network (having a Traffic Origination value of “outside”). If we wanted to continue digging further, we would use Show By again, this time looking at source ASN or IP address.
Host Directionality Use Case
Another use case for Network Classification is specific to host traffic captured by kprobe (Kentik’s software host agent). Since most hosts have only a single interface through which traffic can pass, kprobe captures both inbound and outbound traffic. Host directionality enables you to separate traffic that was coming in from traffic that was leaving. To do so, set the Devices pane of the Data Explorer sidebar to include the hosts that you want to check, then run a query with Host Direction (in the Full category) as the group-by dimension. As shown in the graph below, you can now see separately the flows in and out of your hosts.
Network Classification Page
Before using Network Classification you must first enable Kentik Detect to determine what is inside and what is outside of your network. Network classification is configured on the Network Classification page, which is accessed from the sidebar of the portal’s Admin section.
The Network Classification page is made up of the following UI elements:
Configuring Network Classification
To set up network classification: