Distribution by conversation shows who is talking with whom (end to end), i.e. which conversation is consuming most of the traffic, information valuable for further bandwidth usage optimization, application distribution or even security.

To see top conversations:

  1. Choose a section (Exporters, Traffic Patterns or End Users) in the Menu Panel
  2. Select desired node in the Node Tree
  3. Choose Conversation in the Tab panel





In/Out definition depends on the selected node. For interface traffic In traffic corresponds to traffic that entered the exporter through that interface. For Traffic Patterns In traffic corresponds to the Inbound traffic - destined to Internal Network in Traffic Pattern definition.


The screenshot above indicates that top conversation is between X.X.20.5 and X.X.2.5, using SIP service and UDP protocol. It is also notable that the conversation consumed Max 144 bps of Out traffic and 143 bps of In traffic.





For each conversation participant, DNS and WHOIS lookup are performed. IP is presented as Hostname, whereas WHOIS description is shown in a tooltip when specific conversation is hovered. Tooltip contains information about organization name, description, country, address, network range and more, depending on data availability. By clicking on the arrow keys in the bottom left corner of the tooltip you can switch to info for the other address in this conversation.

In screenshot above, you can see that the first address relates to organization located in Serbia, you can also see its address and network range. 




In the screenshot above you can see Initiator/Responder traffic by clicking on the Ini/Res button above the chart. You get 2 separate charts giving you the exact information about the Initiator and Responder traffic. The logic behind relies on well-known ports (destination port) as always being Responders. Ports are defined in Settings/Display Names/Service. In specific situations where the port is not well-know (not defined in settings) it is checked for the first flow NetVizura receives and that one is defined as Initiator.

  • Conversation consists of two IP addresses/hosts, service and protocol. Traffic between two hosts is treated as one conversation only if same service and protocol are used.
  • Initiator IP (host that started the conversation - Client) is placed first, Responder IP (host that also participated in the conversation - Server) is placed second - the order does not depend on whether host is a lower/higher number, packet source/destination, private/public address or belongs to internal/external network.
  • Service is not the same as port - one service can use more different ports. In this case, traffic between two hosts using any port associated to a same service is treated as one conversation.


  • No labels