SuperNetflow
The Network Observability Engine for Agentic AI
Organisations seeking to optimise user experience, strengthen cybersecurity posture, and maintain control over AI adoption can complement endpoint monitoring with network traffic analysis (aka Network Observability) to gain deeper end-to-end visibility into application and device activity for faster issue identification and resolution. Legacy observability methods are built for humans navigating dashboards, reacting in hours and days. The move towards autonomous Agentic systems that can react within seconds requires a new approach fuelled by data that is both rich and real-time. SuperNetflow is that high-octane Network Observability fuel that is built to power Agentic AI.
AI-Retrofit vs. AI-Native
AI Retrofit Network Observability
(Slapping AI on top of existing low-quality data)
AI Retrofit means adding AI assistants on top of traditional monitoring data and tools.
In retrofit systems, AI mainly works like a copilot that helps humans query and analyze data. The underlying network tools are still built for human investigation via dashboards.
In this model:
- AI answers questions when humans ask in natural language
- It summarizes dashboard data and logs for easier analysis
- Humans still have to think of the next action at each step
- The system does not do any unprompted thinking or inferencing
AI Retrofit improves the efficiency of humans in analysing Network Observability data, but it does not automate tasks.
AI Native Network Observability
(Redefining data quality and immediacy for Agentic decisioning)
AI Native means designing workflows to be autonomous from the beginning.
In AI Native systems, human workflows are replaced by autonomous AI workflows that can directly interpret the data and take a sequence of actions that achieve a desired outcome without human input.
In this model:
- The rich underlying data is consumed in real-time by Agentic workflows
- Data is accompanied by context for AI interpretation
- AI agents do the thinking and decide on next steps at each stage
- The higher-level outcome is achieved without human intervention
AI-native architecture allows humans to offload high-level tasks to AI, only needing to validate the outputs rather than performing the steps.
SuperNetflow: AI-Native Network Observability for the Agentic AI Era
"SuperNetflow adds context to Netflow. It's the difference between data and insight."
Netflow: Tells you who is talking to whom, for how long, using how many bytes/packets, without any context on application or experience.
SuperNetflow: Tells you who did what, on which application, with what user experience, providing context and intelligence.
Netflow: No application visibility; crude application inference possible from server IP address/port.
SuperNetflow: Provides application classification of every flow, including streaming video, live video, gaming, conferencing, social media and much more.
Netflow: Only provides measures of volume and throughput; no measures of Quality of Experience (QoE).
SuperNetflow: Provides fine-grained continuous QoE measures including video resolution, buffer stalls, gaming lag spikes and jitter, giving a complete view of user experience and application behavior.
Netflow: Samples packets, often as low as 1 in 1000, effectively ignoring a vast majority of traffic, creating large visibility gaps that leave critical network events undetected.
SuperNetflow: Tracks 100% of packets/flows, providing comprehensive visibility into every user and every application.
The Intelligence Pipeline
The SuperNetflow deployment architecture is shown below. The "probe" or "sensor" software takes a feed of packet traffic (via optical taps, port mirrors or brokers) from the carrier/enterprise network, which can range from Mbps to Tbps. The probe outputs the SuperNetflow data stream in real-time, which includes flow classification and application experience measures. This data stream is typically 0.1% of the original traffic stream; for example, a 100 Gbps traffic stream will generate about 100 Mbps of SuperNetflow data. The SuperNetflow data (record formats described in the "Engine" tab) is accessible as a Kafka stream, and can be taken into data lakes, dashboards, and AI Agents (examples provided in the "AI Agents" tab).
Traffic Capture
Ingests raw packet streams from 5G core, BNG, and Enterprise Taps using eBPF-accelerated ingestion engines.
Classification and Behavioral Analysis
Real-time classification of packet streams by application and category (e.g., Netflix → Video), providing accurate QoE measures such as video resolution, buffering, lag spikes, etc.
Kafka Export
High-fidelity telemetry streamed as structured SuperNetflow records into high-performance Kafka message buses.
AI Consumption
Downstream data lakes, dashboards and AI agents ingest these real-time streams for autonomous network operations.
AI Agents built on SuperNetflow
Leveraging Real-Time Network Observability to Power Autonomous Actions.
The SuperNetflow real-time data stream has been used to build AI agents serving use-cases in Telecom and Enterprise networks, ranging from autonomous investigation of user experience degradations, to root-cause analysis of network spikes and outages. The catalogue of AI Agents continues to grow as we build new use-cases with networks serving various sectors.
Spike Agent

Problem: The organization was experiencing intermittent traffic spikes that were leading to link saturation, degrading user experience and causing firewall performance drops.
Current state: The operator required several hours of manual forensic analysis to identify the cause of the spike (software updates, scientific transfers, DDoS attacks) by piecing together various system logs.
Agentic solution: An autonomous AI agent was built that analyzed SuperNetflow data in real-time to identify the composition of the spike traffic and alert the operator via email if it was suspicious and required action.
Benefits: Provided the operator with immediate intelligence to block or throttle traffic that was impacting the network, ensuring high network stability and uptime.
Application Degradation Agent

Problem: Users often blame the network for poor user experience while using applications like YouTube, WhatsApp, and Teams.
Current state: The operator conducts manual troubleshooting across disparate monitoring tools to investigate application performance drops, frequently resulting in inconclusive 'No fault found' reports after hours of investigation.
Agentic solution: An autonomous AI agent was built that continuously correlates application performance metrics with various network and server measures to determine if degradation was caused by external outages or internal network congestion, automatically informing the operator of the root cause.
Benefits: Reduced time wasted on investigating issues outside operator control and improved user experience by liaising with content providers.
Misbehaving Host Agent

Problem: A malfunctioning campus host initiated a TCP SYN flood, exhausting firewall connection states and resulting in a total network service outage.
Current state: Security teams lacked a centralized mechanism to track real-time host behavior, requiring manual correlation of disparate security logs to identify and block misbehaving hosts (compromised devices, internal port scanning, or botnet activity) before they could impact the network.
Agentic solution: An autonomous AI agent was built that tracked every connected asset at sub-minute intervals to flag unexpected host behavior and automatically block malicious traffic before it could compromise the network or trigger a firewall outage.
Benefits: Enabled campus network operators to nip misbehaving hosts in the bud, with the proactive action ensuring uninterrupted campus connectivity.