To analyze traffic, you must first create a Traffic Analyzer. Each Traffic Analyzer is a separate analysis workspace that can ingest data from different types of data sources, such as VPC flow logs and TR flow logs. The Traffic Analyzer processes ingested data based on a specified sampling interval and aggregation dimensions, and stores the analysis results for a customizable storage duration. You can create multiple Traffic Analyzers to manage and analyze traffic separately for different business needs.
Features
Sampling interval
Within a single sampling interval, multiple communications between two hosts that use the same protocol and ports are aggregated into a single record.
High-precision traffic statistics: The sampling interval can be set to 1 minute, 10 minutes, or 1 hour.
Long-period traffic statistics: The sampling interval defaults to 1 day.
Aggregation dimensions
Traffic Analyzer supports custom aggregation dimensions to further downsample raw network logs.
For VPC traffic, the following aggregation dimensions are supported:
1-tuple: Aggregates traffic data by the internal IP dimension, downsampling raw logs. This provides analysis at the cloud resource and subnet levels, offering insights into traffic trends and distribution for traffic monitoring.
2-tuple: Aggregates flow data by the source IP and destination IP dimensions, downsampling raw logs. This helps you analyze and track the origin and destination of your traffic and provides more fine-grained insights for traffic monitoring.
5-tuple: Aggregates flow data by the source IP, source port, destination IP, destination port, and protocol dimensions, downsampling raw logs. This allows for granular observation of traffic distribution, trends, and summaries by port and protocol. It is ideal for application-level traffic troubleshooting, root cause analysis, and operational analytics.
For Transit Router (TR) traffic, the following aggregation dimensions are supported:
2-tuple plus DSCP: Aggregates data by the source IP, destination IP, and DSCP dimensions.
5-tuple plus DSCP: Aggregates data by the source IP, source port, destination IP, destination port, protocol, and DSCP dimensions.
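The effect of the sampling interval and the VPC aggregation dimensions described above, as an added example that is not part of the original documentation or the service's own code. The flow records and the VPC CIDR are constructed, and treating "internal IP" as the endpoint inside that CIDR is an assumption.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed VPC CIDR. Assumption: "internal IP" means the endpoint inside it.
VPC_CIDR = ip_network("10.0.0.0/16")

# Constructed flow records:
# (start_second, src_ip, src_port, dst_ip, dst_port, protocol, bytes)
FLOWS = [
    (0, "10.0.1.5", 40001, "203.0.113.9", 443, "tcp", 1200),
    (20, "10.0.1.5", 40001, "203.0.113.9", 443, "tcp", 800),  # same 5-tuple
    (45, "10.0.1.5", 40002, "203.0.113.9", 443, "tcp", 500),  # new source port
    (50, "10.0.1.5", 53000, "203.0.113.9", 22, "tcp", 300),   # different service
    (70, "10.0.1.5", 40001, "203.0.113.9", 443, "tcp", 100),  # next minute
    (75, "10.0.2.7", 51000, "198.51.100.4", 53, "udp", 90),
]

def key_for(flow, dimension):
    """Return the aggregation key for one flow under a VPC dimension."""
    _, src, sport, dst, dport, proto, _ = flow
    if dimension == "5-tuple":
        return (src, sport, dst, dport, proto)
    if dimension == "2-tuple":
        return (src, dst)
    if dimension == "1-tuple":
        # If both endpoints are internal, this sketch attributes to the source.
        internal = [ip for ip in (src, dst) if ip_address(ip) in VPC_CIDR]
        if not internal:
            raise ValueError("flow has no endpoint inside the VPC CIDR")
        return internal[0]
    raise ValueError(f"unknown dimension: {dimension}")

def aggregate(flows, dimension, interval_s):
    """Sum bytes per (interval start, key): one output record per pair."""
    records = defaultdict(int)
    for flow in flows:
        bucket = flow[0] // interval_s * interval_s
        records[(bucket, key_for(flow, dimension))] += flow[-1]
    return dict(records)

def visible_dst_ports(records):
    """Destination ports still recoverable from aggregated records."""
    return {key[3] for _, key in records if isinstance(key, tuple) and len(key) == 5}

if __name__ == "__main__":
    for dim in ("1-tuple", "2-tuple", "5-tuple"):
        print(dim, len(aggregate(FLOWS, dim, 60)), len(aggregate(FLOWS, dim, 3600)))
```

With these flows, the 1-tuple and 2-tuple records no longer show that one connection went to port 22; only the 5-tuple records keep ports and protocol, which matters when the stored data is later used to investigate unexpected services.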
Storage duration
The storage duration determines how far back you can query historical traffic data. The maximum storage duration is 366 days.
Choosing the sampling interval and storage duration
A higher-precision sampling interval, more comprehensive aggregation dimensions, and a longer storage duration result in higher Traffic Analyzer fees. To optimize costs:
Real-time requirements: For quickly troubleshooting network issues such as traffic bursts, quality degradation, or abnormal interruptions, select high-precision sampling and a short storage duration.
Periodic requirements: For regular network traffic statistics, such as usage assessment and cost allocation, select long-period sampling and a long storage duration.
Create a traffic analyzer
Navigate to the Traffic Analyzer page in the Network Intelligence Service (NIS) console and click Create Traffic Analyzer.
On the Create Traffic Analyzer page, configure the Custom Analytics Configuration:
High-precision Traffic Statistics: Enabled by default, but you can disable it.
Traffic Analysis Sampling Interval: The secondary sampling interval for raw logs from the data source. Available options are 1 minute, 10 minutes, and 1 hour.
Important: When you add a data source, the sampling interval of the data source logs must be less than or equal to the sampling interval of the Traffic Analyzer.
Storage Duration for Traffic Analysis: Select the aggregation dimensions (1-tuple, 2-tuple, or 5-tuple). For each dimension, set a storage duration from 1 to 366 days.
Long-period Traffic Statistics: Disabled by default, but you can enable it manually.
Traffic Analysis Sampling Interval: The default is 1 day.
Storage Duration for Traffic Analysis: Select the aggregation dimensions (1-tuple, 2-tuple, or 5-tuple). For details about the differences, see aggregation dimensions. For each dimension, set a storage duration from 31 to 366 days.
You must enable at least one of the following: High-precision Traffic Statistics or Long-period Traffic Statistics. You can also enable both.
A Traffic Analyzer starts automatically upon creation and begins analyzing traffic as soon as a data source is added.
Edit a traffic analyzer
In the Actions column of the target Traffic Analyzer, click Edit.
On the Configure a Traffic Analyzer instance page, you can modify the sampling interval, aggregation dimensions, storage duration, and the Traffic Analyzer name, and remove data sources.
When you modify a Traffic Analyzer's sampling interval, ensure that it is greater than or equal to the sampling interval of any associated data source logs.
Stop or start a traffic analyzer
In the Actions column of the target Traffic Analyzer, click Stop or Start.
Stopping a Traffic Analyzer prevents future traffic analysis processing fees, but traffic analysis storage fees for existing data will still apply. For more information, see Traffic Analyzer fees.
Additionally, flow log collection fees for the data sources will continue to apply. For details, see VPC flow log billing and TR flow log billing.
Delete a traffic analyzer
On the Traffic Analyzer page, find the instance you want to delete and click Delete in the Actions column.
You must stop the Traffic Analyzer before deleting it. After deletion, it no longer incurs traffic analysis processing or storage fees, and the system also deletes the traffic analysis data.
Note that deleting a Traffic Analyzer does not delete the raw flow logs, which continue to incur collection fees. For details, see VPC flow log billing and TR flow log billing.
Stop all traffic analyzer-related billing
Stopping or deleting a Traffic Analyzer alone does not stop all associated charges. To stop all related billing completely, you must:
Delete the Traffic Analyzer once you no longer need the analysis results. This action stops all future traffic analysis processing and storage fees.
Stop the collection of VPC flow logs or TR flow logs to end all future flow log collection fees. For more information, see VPC flow logs and TR flow logs.