FlowTraq's hardware requirements depend heavily on the number of flow records it receives per second. The more flow records FlowTraq must process, the bigger the hardware investment becomes.
To provide full forensic recall capability, FlowTraq stores every flow record it receives to disk indefinitely, as long as there is room in the database. In addition to storing flow records on disk, FlowTraq Server keeps a memory cache of recently received records. The larger this cache, the more records can be accessed quickly. If your network is very busy, you may need to dedicate more RAM to the server installation, or you may need to install multiple server machines in a cluster. If the client requests records that are not in the RAM cache, the FlowTraq server must read them from disk, which takes substantially longer. If further history is kept in a separate archive (an optional configuration), retrieving it may take even longer.
This full-fidelity feature allows for more powerful analysis and forensic capabilities than traditional flow collectors. However, it also means that FlowTraq can be more demanding of the hardware it's running on than traditional flow collectors.
A FlowTraq server handling a 24/7 sustained flow rate of 25,000 updates per second should be configured, at minimum, with an 8-core CPU and with 8GB of RAM per core, for a total of 64GB. Disk space configuration should be driven by your required retention period. Full fidelity retention of 25,000 flow updates per second will consume about 1TB per week; therefore, keeping 3 months of flow data at a saturated 10Gbit network will take about 12TB.
Tip: The following hardware guidelines apply both to the vApp-based FlowTraq server as well as FlowTraq server daemons installed directly on dedicated physical hardware.
Table 2.1. FlowTraq Server Hardware Configuration Guidelines

Resource | Guideline |
---|---|
Flow Rate at 10Gbps | 25,000 updates per second at 10Gbps saturation (unsampled) |
CPU | 8 cores at ~2.5GHz |
RAM | 64GB minimum, at least 8GB per core |
Disk | 12TB for 90 days, 1TB per week of history |
The preceding configurations should be interpreted as guidelines. To determine your requirements, test the software's performance in your network environment. There are many alternatives offered by hardware vendors that fall in the same general categories. Also, based on your personal preference, you may get the job done with less powerful hardware. A smaller configuration will certainly handle 25,000 flow updates per second, but it will take additional time to display graphs and tables, will be able to host fewer active connections gracefully (including NBI detectors) and in extreme cases may drop flows during periods of high disk usage.
Note: Remember that most flow exporters send multiple updates per flow, so that the updates/second rate is on average 2x-3x higher than the flows/second rate.
In demanding environments (such as those with a flow load higher than 25,000 updates per second, many FlowTraq users, or heavy external API/script usage), you may need to run more than one FlowTraq server in a cluster configuration. This automatically balances the processing load over multiple systems and is completely transparent to the user. A cluster of 8 FlowTraq nodes can generally handle a 200,000 update per second load with a similar speed to a single node handling 25,000 updates per second. Contact FlowTraq support for guidance.
Caution (32-bit environments): Although FlowTraq will work in a 32-bit environment, we strongly recommend that FlowTraq Server be installed on a 64-bit platform. On 32-bit platforms, FlowTraq Server will only be able to use approximately 3GB of RAM. This is unlikely to be sufficient in most environments. Using a 64-bit operating system will allow FlowTraq Server software to allocate more RAM, which allows for a longer instant recall history and a higher input flow rate. Note that in order to be able to take advantage of a 64-bit platform, both the CPU and the operating system must be 64-bit. The FlowTraq vApp is a 64-bit system which can be configured to use large quantities of RAM if needed.
Caution (shared environments): FlowTraq is a very resource-intensive program, and its performance can be greatly impacted by other tasks and software running in its environment, particularly disk-intensive applications. In a shared virtual environment, it is important to consider carefully the impact of other virtual machines on core and RAM availability, and on disk throughput.
Although recommendations for CPU are based on your peak flow rate, recommendations for disk retention periods are based on average sustained rates. This is usually about 1/3 to 1/8 of your peak rate at the busiest times of day.
The total forensic recall history will depend on the amount of disk that you dedicate to the FlowTraq database, and your sustained flow rate. The table below gives a guideline on the estimated RAW disk space required for your FlowTraq database.
Tip: When building a FlowTraq cluster, the disk space requirements are spread equally over all participating worker nodes. Therefore, this table gives the total storage required across the whole cluster.
Tip: FlowTraq can benefit from using compressed filesystems such as ZFS. Some customers report storage compression performance of up to 3x. Filesystem compression is transparent to the FlowTraq server daemon.
Table 2.2. FlowTraq Forensic Recall Disk Storage Requirements
Sustained Flow Rate | 3 Months | 6 Months | 1 Year |
---|---|---|---|
100/second | 71.9 GB | 143.9 GB | 287.8 GB |
1,000/second | 719.4 GB | 1.4 TB | 2.8 TB |
3,000/second | 2.2 TB | 4.3 TB | 8.6 TB |
5,000/second | 3.6 TB | 7.2 TB | 14.4 TB |
10,000/second | 7.2 TB | 14.4 TB | 28.8 TB |
25,000/second | 18.0 TB | 36.0 TB | 72.0 TB |
50,000/second | 36.0 TB | 72.0 TB | 143.8 TB |
Similar to disk storage requirements, RAM retention must be computed based on the sustained flow rate, which is typically 1/3 to 1/8 of your peak flow rate.
Since queries serviced from RAM are substantially faster than queries serviced from the disk database, it is recommended that you size your RAM based on the typical timeframe that your analysts will query. For instance, if most analysis work is performed in a historical timeframe of up to 48 hours into the past, use the table below to estimate the amount of RAM you would need to service those queries rapidly.
Tip: When building a FlowTraq cluster, the RAM storage requirements are spread equally over all participating worker nodes. Therefore this table gives the total amount of RAM required in the whole cluster.
Tip: FlowTraq recommends a CPU/RAM ratio of 1 core per 4-8GB of installed RAM.
Table 2.3. FlowTraq Forensic Recall RAM Recall Requirements
Sustained Flow Rate | 24 hours | 48 hours | 7 days |
---|---|---|---|
100/second | 1.3 GB | 2.7 GB | 9.3 GB |
1,000/second | 13.3 GB | 26.6 GB | 93.0 GB |
3,000/second | 39.9 GB | 79.8 GB | 279.1 GB |
5,000/second | 66.5 GB | 132.9 GB | 456.2 GB |
10,000/second | 132.9 GB | 256.8 GB | 930.5 GB |
25,000/second | 332.3 GB | 664.6 GB | 2.3 TB |
50,000/second | 664.6 GB | 1.3 TB | 4.7 TB |
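
The sizing rules above combined into one calculation, as an added example (not FlowTraq's own tooling; the names `Plan`, `plan` and `bracket` are hypothetical): node count follows the peak rate, while disk and RAM follow the sustained rate. The per-1,000 figures come from Tables 2.2 and 2.3; linear scaling between rows, one node per 25,000 peak updates per second, and counting 3 months as 90 days are assumptions.

```python
import math
from dataclasses import dataclass

# Figures copied from this page; linear scaling between table rows is an assumption.
DISK_GB_PER_1K_90D = 719.4   # Table 2.2: 1,000/second for 3 months (treated as 90 days)
RAM_GB_PER_1K_24H = 13.3     # Table 2.3: 1,000/second for 24 hours
NODE_PEAK_UPDATES = 25_000   # assumption: one node per 25,000 peak updates/second
GB_PER_CORE_MIN, GB_PER_CORE_MAX = 4, 8   # "1 core per 4-8GB of installed RAM"

@dataclass
class Plan:
    sustained_rate: float
    nodes: int
    disk_gb_total: float
    disk_gb_per_node: float
    ram_gb_total: float
    ram_gb_per_node: float
    cores_per_node: tuple    # (fewest, most) cores that keep 4-8 GB of RAM per core

def plan(peak_rate, peak_divisor, retention_days, hot_hours, compression=1.0):
    """Size a cluster: nodes from peak rate, disk and RAM from sustained rate."""
    if peak_rate <= 0 or peak_divisor < 1 or compression < 1:
        raise ValueError("rate must be positive; divisor and compression >= 1")
    sustained = peak_rate / peak_divisor
    nodes = max(1, math.ceil(peak_rate / NODE_PEAK_UPDATES))
    disk = sustained / 1000 * DISK_GB_PER_1K_90D * retention_days / 90 / compression
    ram = sustained / 1000 * RAM_GB_PER_1K_24H * hot_hours / 24
    ram_node = ram / nodes   # cluster totals are spread equally over worker nodes
    cores = (math.ceil(ram_node / GB_PER_CORE_MAX), math.ceil(ram_node / GB_PER_CORE_MIN))
    return Plan(sustained, nodes, round(disk, 1), round(disk / nodes, 1),
                round(ram, 1), round(ram_node, 1), cores)

def bracket(peak_rate, retention_days, hot_hours, compression=1.0):
    """Return (low, high) plans for sustained = peak/8 and sustained = peak/3."""
    return (plan(peak_rate, 8, retention_days, hot_hours, compression),
            plan(peak_rate, 3, retention_days, hot_hours, compression))

if __name__ == "__main__":
    low, high = bracket(60_000, retention_days=180, hot_hours=48)  # constructed input
    for label, p in (("peak/8", low), ("peak/3", high)):
        print(f"{label}: {p.nodes} nodes, {p.disk_gb_per_node} GB disk and "
              f"{p.ram_gb_per_node} GB RAM per node, cores {p.cores_per_node}")
```

Measuring the real sustained rate for your network narrows the bracket; the peak/3 plan is the conservative figure when it is unknown.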
- FlowTraq vApp: The FlowTraq virtual appliance is delivered in a compressed "Open Virtualization Format" file (OVA), which is compatible with most virtualization technologies. It is recommended that you use a 64-bit virtualization platform to run the FlowTraq vApp.
- FlowTraq Server Daemon: FlowTraq Server supports Windows Vista, 7, 8, Server 2008, 2008R2, and 2012 (x86 and x86-64 architectures); Mac OS X (10.7+, x86 and x86-64 architectures); Linux (Kernel 2.6+, x86 and x86-64 architectures); Solaris 10 (SPARC and x86-64 architectures); and FreeBSD 8.2 and up.