Blog, Events & Press

1 Jul

Detecting Backup Traffic During Working Hours With Flow Alerting


Backup is a network-intensive operation, and network traffic has physical constraints. If you time it poorly, backup can lead to significant network slowdown, resulting in performance issues for the whole server infrastructure. To alleviate this, backup operations should be performed during days and hours with low traffic (during holidays or at night) so as to leave enough bandwidth for more urgent tasks.

In order to do this, you first need to identify the backup traffic that goes through the network when it is not supposed to. Once the origin of such traffic is discovered, appropriate measures can be taken to fix the problem.

Once the network congestion problems are detected and resolved on time, users and clients can use the network uninterrupted by system administration tasks.

The SevOne 5.6 platform – along with Cisco iOS NetFlow – can achieve this goal.

1. Make sure your SevOne installation is configured to Allow NetFlow traffic. This can be achieved by going to Administration -> Flow Configuration -> Flow Rules. On the interface, make sure all rules have Allow permission.


2. Setup SevOne as a NetFlow collector in your network and make sure you start to receive NetFlow traffic by going to Administration -> Flow Configuration -> Flow Interface Manager. You should see a non-zero number in Total Flows column for the routers. Also, make sure you allow all directions.


3. Now we have to create a Filter for backup traffic. Let’s assume your backup machines have the following subnet: and you are using rsync on port 873 for your daily backups. Create a new filter from Applications -> FlowFalcon Reports -> Filters section.

Under the filters section add a rule for the port:

  • Field: Application Port
  • Boolean: Is
  • Operator: Equal To
  • Value: 873


Add another rule for subnet:

  • Field: Application IP
  • Boolean: Is
  • Operator: Mask
  • Value:
  • AND:


Click Save Filter As New and choose a name for your filter e.g. Backup Ops.

Your filter should look like this:


4. Now we can create alert policy from Events -> Configuration -> Policy Browser -> New Policy.

  • Technology Type: Flow
    It allows you to enter NetFlow-specific settings
  • Name: Backup During Working Hours
    The name of our new Policy
  • Aggregated view: Top Conversations and Direction
    That aggregated view contains Client IP, Application IP and Bandwidth
  • Filter: Backup Ops
    Only traffic from / to backup subnet
  • Direction: Any
    All backup or restore operations from backup subnet
  • Schedule: Choose the hours when you don’t want backup to occur


  • Email: Add the e-mails of the users you want to be notified e.g.


General Settings should look like this:


Click on Trigger Condition and create a trigger condition with the following settings:

  • Fields: Bandwidth
  • Aggregation: Total
  • Comparison: Is Greater Than


Then click Save As New to save your new policy. You’re all set.

Now, when a backup action occurs during the working hours, the SevOne platform will trigger an alert, and you will receive email notification.


Visit our Flow Monitoring page for complete details on our reporting capabilities.


Written by Martin Kunev
Sr. Software Developer

Martin Kunev joined SevOne in 2014 and since then has been back-end developer in a dedicated NetFlow team. He studied Computer Sciences in Sofia University. After graduation, he worked on several startups as network developer with C, Objective-C, perl and Python and web developer with node.js and PHP.

Subscribe To Our Blog