Network traffic data
Network traffic data refers to the collection of information about the flow of data packets across a network. In a software context, it encompasses metrics, logs, and patterns that provide insights into how data is transmitted between devices, servers, applications, and other endpoints. This data is essential for understanding the behavior, performance, security, and efficiency of the network that supports software systems.
By analyzing network traffic data, software teams can monitor bandwidth usage, detect anomalies, troubleshoot communication issues, and ensure secure and efficient data transmission. Teams can also use this data to help determine whether the network can handle future growth and to meet regulatory requirements such as GDPR and HIPAA.
Network traffic data typically includes:
- Data packet volume: The number of packets transmitted over a specific period
- Bandwidth usage: The amount of data being transmitted per second (for example, Mbps or Gbps)
- Packet loss: The percentage of packets that fail to reach their destination
- Latency: The delay before data reaches its destination, commonly measured as round-trip time (RTT), the time it takes for a packet to travel from a source to a destination and for the reply to come back
- Throughput: The rate at which data is successfully transmitted over a network
- Protocol usage: The protocols involved in network communication, at the transport layer (for example, TCP and UDP) and the application layer (for example, HTTP, HTTPS, and FTP)
- Source and destination IP addresses: The IP addresses of devices sending and receiving data packets
- Port information: The network ports used for communication between applications or services
- Traffic patterns: Data flow trends over time, including peak and idle periods
- Network errors: Issues such as checksum errors or malformed packets
- Application traffic distribution: The proportion of traffic generated by different applications or services
- Inbound vs. outbound traffic: The amount of data flowing into and out of a network or system
- Encrypted vs. unencrypted traffic: The proportion of traffic that is secured using encryption (for example, TLS, formerly SSL) versus plain text; when this is inferred from the destination port rather than from protocol inspection, treat it as a heuristic, because services can run encrypted or cleartext protocols on non-standard ports
- Traffic anomalies: Suspicious or unexpected patterns, such as sudden spikes or unusual destinations
- Device or endpoint traffic: Traffic attributed to specific devices or endpoints
The Splunk Common Information Model (CIM) add-on contains a Network Traffic data model with fields and tags that describe flows of data across network infrastructure components. The network traffic in this data model is allowed or denied based on simple network connection rules, which use network parameters such as TCP header fields, destination address, ports, and so on. These rules are usually triggered when the network connection is being established.
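The following Python script is an added example, not Splunk's code and not part of the CIM add-on. It parses constructed firewall connection records, maps them onto a subset of CIM Network Traffic field names (src, dest, dest_port, transport, action, bytes_in, bytes_out, packets), and then derives several of the measures listed above: inbound vs. outbound volume, protocol and port usage, encrypted vs. cleartext share, packet loss, the peak second, and anomaly flags for blocked inbound connections, unusual egress ports, lossy flows, and excessive outbound volume. The sample log lines, the internal address range, the port classifications, the egress baseline, and the thresholds are all assumptions made for the example; the CIM model has no packets_lost field, so that value is carried separately.

```python
"""Added example: normalize constructed flow logs to CIM-style field names and
derive network traffic metrics and anomaly flags. Not Splunk's or any vendor's code."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records in a key=value style (not from any real device).
# Assumption: bytes_out = bytes src sent to dst, bytes_in = bytes dst returned,
# lost = packets the sensor saw retransmitted or unanswered on that flow.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z action=allow proto=tcp src=10.0.1.5 sport=51234 dst=93.184.216.34 dport=443 bytes_out=1200 bytes_in=48000 pkts=60 lost=0
2024-05-01T10:00:02Z action=allow proto=tcp src=10.0.1.5 sport=51235 dst=93.184.216.34 dport=80 bytes_out=800 bytes_in=15000 pkts=25 lost=0
2024-05-01T10:00:03Z action=allow proto=udp src=10.0.1.7 sport=40000 dst=10.0.0.53 dport=53 bytes_out=70 bytes_in=150 pkts=2 lost=0
2024-05-01T10:00:04Z action=deny proto=tcp src=198.51.100.9 sport=44321 dst=10.0.1.5 dport=22 bytes_out=60 bytes_in=0 pkts=1 lost=0
2024-05-01T10:00:05Z action=allow proto=tcp src=10.0.1.9 sport=51300 dst=203.0.113.77 dport=4444 bytes_out=2500000 bytes_in=900 pkts=2000 lost=40
2024-05-01T10:00:06Z action=allow proto=tcp src=10.0.1.7 sport=51400 dst=93.184.216.34 dport=443 bytes_out=500 bytes_in=3000 pkts=10 lost=0
"""

INTERNAL_NET = ip_network("10.0.0.0/8")                # assumed internal range
ENCRYPTED_PORTS = {22, 443, 465, 636, 853, 993, 995}   # assumed TLS/SSH services
CLEARTEXT_PORTS = {21, 23, 25, 53, 80, 110, 143, 389}  # assumed plain-text services
EXPECTED_EGRESS_PORTS = {53, 80, 443}                  # assumed egress baseline
ACTION_MAP = {"allow": "allowed", "deny": "blocked"}   # CIM action values


def parse_line(line):
    """Map one key=value record onto CIM Network Traffic field names."""
    ts, _, rest = line.partition(" ")
    kv = dict(tok.split("=", 1) for tok in rest.split())
    return {
        "_time": ts,
        "action": ACTION_MAP.get(kv["action"], kv["action"]),
        "transport": kv["proto"],
        "src": kv["src"], "src_port": int(kv["sport"]),
        "dest": kv["dst"], "dest_port": int(kv["dport"]),
        "bytes_out": int(kv["bytes_out"]), "bytes_in": int(kv["bytes_in"]),
        "packets": int(kv["pkts"]),
        "packets_lost": int(kv["lost"]),  # not a CIM field; kept for loss %
    }


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def direction(e):
    """Classify a flow relative to the internal network (perimeter view)."""
    src_int = ip_address(e["src"]) in INTERNAL_NET
    dst_int = ip_address(e["dest"]) in INTERNAL_NET
    if src_int and dst_int:
        return "internal"
    return "outbound" if src_int else ("inbound" if dst_int else "external")


def summarize(events):
    by_dir, enc, per_sec = Counter(), Counter(), Counter()
    for e in events:
        total = e["bytes_in"] + e["bytes_out"]
        d = direction(e)
        if d == "outbound":          # src inside: its sent bytes leave the network
            by_dir["outbound"] += e["bytes_out"]; by_dir["inbound"] += e["bytes_in"]
        elif d == "inbound":         # src outside: its sent bytes enter the network
            by_dir["inbound"] += e["bytes_out"]; by_dir["outbound"] += e["bytes_in"]
        else:
            by_dir[d] += total
        if e["dest_port"] in ENCRYPTED_PORTS:
            enc["encrypted"] += total
        elif e["dest_port"] in CLEARTEXT_PORTS:
            enc["cleartext"] += total
        else:
            enc["unknown"] += total  # port heuristic cannot decide; needs inspection
        per_sec[e["_time"]] += total
    packets = sum(e["packets"] for e in events)
    lost = sum(e["packets_lost"] for e in events)
    return {
        "bytes_by_direction": dict(by_dir),
        "bytes_by_encryption": dict(enc),
        "transport_usage": dict(Counter(e["transport"] for e in events)),
        "dest_port_usage": dict(Counter(e["dest_port"] for e in events)),
        "packet_loss_pct": round(100 * lost / packets, 2) if packets else 0.0,
        "peak_second": max(per_sec.items(), key=lambda kv: kv[1]),
    }


def find_anomalies(events, max_egress_bytes=1_000_000, max_flow_loss_pct=1.0):
    """Flag blocked inbound attempts, odd egress ports, lossy flows, and heavy senders."""
    findings, egress = [], defaultdict(int)
    for e in events:
        d = direction(e)
        key = (e["src"], e["dest"], e["dest_port"])
        if e["action"] == "blocked" and d == "inbound":
            findings.append(("blocked_inbound",) + key)
        if d == "outbound" and e["dest_port"] not in EXPECTED_EGRESS_PORTS:
            findings.append(("unusual_egress_port",) + key)
        if e["packets"] and 100 * e["packets_lost"] / e["packets"] > max_flow_loss_pct:
            findings.append(("high_packet_loss",) + key)
        if d == "outbound":
            egress[e["src"]] += e["bytes_out"]
    for src, sent in egress.items():
        if sent > max_egress_bytes:
            findings.append(("egress_volume", src, sent))
    return findings


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for k, v in summarize(evs).items():
        print(f"{k}: {v}")
    for f in find_anomalies(evs):
        print("ANOMALY", f)
```

Run as-is: the summary shows outbound volume dominated by one host, a destination port that the port heuristic cannot classify, and the peak second coinciding with that flow; the anomaly list ties all three back to 10.0.1.9 talking to 203.0.113.77 on port 4444. In practice the thresholds and baselines would come from the environment's own history rather than the constants used here.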