Maximizing Peering Through Flow Analysis

By Rob Parker, Interconnection Director

Discover how to use flow data to pinpoint your most valuable traffic, identify missing peer opportunities, and make smarter peering choices across your internet exchanges.

In previous peering blogs, we’ve shared how you can maximize the value of your connection to an IX by peering with the IX route servers, and identify and contact specific peers via bilateral sessions. But as traffic over your new IX connection grows, you may want to start digging a little deeper on which peers are involved in your most important traffic flows – or which ones are present at the IX, but aren’t exchanging traffic with you via the IX.

In order to start identifying traffic like this, you’ll need to explore tools and network configurations that allow you to analyze traffic flows.

Flow data exporters: NetFlow, J-Flow, sFlow, IPFIX

The first step of any flow analysis tool is to configure the collection of flow data. Available flow data formats and standards depend on your routing hardware vendor, although NetFlow (Cisco), J-Flow (Juniper), and sFlow (a relatively open “generic” flow format) are all relatively similar in structure and capability.

IPFIX is a similar IETF-defined standard that allows some level of vendor interoperability. Any and all of these standards operate in a similar way and will give you similar insight into your traffic; which one you choose will mostly depend on your hardware vendor and use case.

How flow data exporters work

At a high level, flow data is collected by your hardware on a sampled basis – typically one in every two thousand packets would be inspected and a flow record created. This provides a relatively representative view of traffic sources, destinations, and protocols, along with a few other pieces of data that might be useful for network monitoring (packet size distribution, Ethertype, etc.). Those samples are then batched and exported to a collector.

Flow export should be enabled on all “edge” interfaces on your network. If you want a complete view, this data should be enabled for internet exchanges, upstream transit providers, private network interconnects, and the like. Enabling on only some devices will only give you a view of traffic traversing those devices.

There are many situations where enabling flow export on other interfaces within your network will also make sense; this blog isn’t an exhaustive guide to them.

Flow collectors

Once collected, the batched flow data is then sent by your network hardware to a flow collector. A flow collector is a piece of software running on a server—ideally located within your own network and close to flow-data-exporting hardware—which aggregates and analyzes the contents of the flow records exported to it.

Flow collectors come in both open-source and proprietary systems – some examples of flow collectors are pmacct, Cflowd, and Akvorado. Vendors often have their own tools, too. There are also third parties who will collect and analyze the data for you in an “as a service” fashion, such as Kentik.

Flow visualization and enrichment

The best flow analysis tools (such as Akvorado and Kentik) will enrich the collected data and visually present it to allow you to see what’s actually happening within traffic flows through your network.

This allows you to easily take a look at top talkers on each interface – for example, you could identify the top ten sources and destinations for traffic to and from your upstream transit providers, then try to find those top ten networks at a local internet exchange in order to peer. This process improves the experience for your end users, and reduces both your transit use and costs.

Similarly, you can review top talkers across your internet exchange connections and make sure they’re the networks you expect. Ensure that you see traffic to/from bigger CDNs or ISPs; if not, this is a good sign you may need to reach out to those networks for bilateral sessions because they’re often not present on route servers (as we’ve previously discussed).

Once you’ve optimized the top ten talkers, you can start on the next ten, and so on. There will always be the so-called “long tail” of source/destination networks where optimizing will not make sense, because flows are smaller and/or less valuable – this is normal.

The aim is simply to optimize the biggest or most valuable traffic flows in your network for performance and cost, while keeping an eye on up-and-coming networks that make their way up your “top talkers to optimize” list.
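The top-talker workflow described above can be sketched in a few lines of Python. This is an added example, not code from Megaport or from any collector named here; the flow records, ASNs (taken from the documentation range), and IX member list are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

SAMPLING_RATE = 2000  # 1-in-2000 packet sampling, as described earlier

# Constructed, collector-enriched flow records:
# (edge interface role, remote ASN, sampled bytes).
FLOWS = [
    ("transit", 64496, 1_500_000),
    ("transit", 64497, 900_000),
    ("transit", 64496, 700_000),
    ("transit", 64498, 40_000),
    ("ix", 64499, 1_200_000),
    ("ix", 64497, 50_000),
    ("transit", 64500, 300_000),
]

# Constructed list of ASNs present at the exchange (e.g. from its member list).
IX_MEMBERS = {64496, 64497, 64499, 64501}


def bytes_by_asn(flows, role, sampling_rate=SAMPLING_RATE):
    """Estimate real bytes per remote ASN on interfaces of one role."""
    totals = defaultdict(int)
    for iface_role, asn, sampled_bytes in flows:
        if iface_role == role:
            # Scale each sample up by the sampling rate to estimate volume.
            totals[asn] += sampled_bytes * sampling_rate
    return dict(totals)


def top_talkers(totals, n=10):
    """Largest ASNs first; ties broken by ASN for stable output."""
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def peering_candidates(flows, ix_members, n=10):
    """Top transit talkers that are at the IX, with the share already on the IX."""
    transit = bytes_by_asn(flows, "transit")
    ix = bytes_by_asn(flows, "ix")
    out = []
    for asn, transit_bytes in top_talkers(transit, n):
        if asn in ix_members:
            ix_bytes = ix.get(asn, 0)
            out.append((asn, transit_bytes, ix_bytes / (transit_bytes + ix_bytes)))
    return out


def silent_members(flows, ix_members):
    """IX members with no traffic seen over the IX: bilateral-session candidates."""
    return sorted(ix_members - set(bytes_by_asn(flows, "ix")))
```

A low IX share for a network that is an IX member means most of its traffic still rides transit, which is the case the article suggests chasing first.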

Third-party flow analysis

You’ll find that some networks or internet exchanges you connect with may offer you a way to see flow data from “their side” of the connection. This highly valuable data allows you to directly gain insight into traffic without building a flow collection and analysis platform, or exporting your own flows.

Megaport offers third-party flow analysis at all MegaIX locations. You can find this feature in the Megaport Portal under the “Tools” menu for each of your MegaIX connections, or via the graph icon “IX Telemetry” against an IX service. It looks like this in our portal:

[Image: MegaIX flow analysis]

This will present you with a view of in and out traffic, sorted by top five networks by default. Here’s an example taken from a real peer and anonymized for use here. (Normally, you’d see the name of the networks you’re exchanging with and not “PeerX”.)

[Image: Partner flow analysis]

Our MegaIX partners LINX and AMS-IX offer flow analysis via their portals as well.

Other platforms such as Kentik also exist; Kentik offers a turnkey, fully managed flow analysis platform and can assist in configuring your network hardware correctly, too.

In summary, flow data can bring great insight into your traffic, allowing you to further optimize and get the absolute most out of each and every peering relationship and transit upstream.

Although the initial setup can be tricky, you can always leverage third-party flow analysis tools where offered—such as those built into the Megaport Portal—or work with a provider like Kentik to save time and effort.

 
