After a flow monitoring session has been collected, the results are analyzed and can be filtered for use in grouping objects and firewall rules.

Analyzed flows can be filtered to limit the number of flows in a working set. The filter option icon is next to the Processed View drop-down menu on the right.


Before analysis, a flow monitoring session must have been collected from selected vNICs or VMs.


  1. After flows have been collected, click Analyze.

    Defined services are resolved, the IP address to VM translation begins, and duplicates are removed.

  2. Once analyzed, the following data is provided for flows:




    IN - flow is coming into one of the VM and VNIC selected as part of the input seed.

    OUT - flow is generated from one of the VM and VNIC selected as part of the input seed.

    INTRA- flow is between VM- and VNIC selected as part of the input seed.


    VM Name, if the Source IP address of the flow record is resolved to one VM in the NSX inventory. Note that IP address can be resolved to VM, only if VM Tools has been enabled on those VMs.

    Raw IP, if there is no VM found for this source IP address in NSX Inventory. Note that multicast and broadcast IP addresses will not be resolved to VMs.

    Number of VMs (Ex:2 Virtual Machines) if the IP address is an overlapping IP address mapped to multiple VMs in different networks, the user needs to resolve Virtual machines to the correct Virtual Machine related to this flow record.


    Same values as Source field.


    NSX defined service for protocol/port.

    Raw protocol/port, if there is no defined service in the NSX Manager.

    Number of services. If there is more than one service mapped to the same protocol/port and the user needs to resolve it to one service applicable to the flow record.

What to do next

Analyzed flows can be modified for further customization. Next, use the analyzed flows to create firewall rules.