Chart/Sankey/Metrics/Geo
The Flow Explorer is WhiteOwl's primary traffic analysis interface. It provides real-time and historical visibility into all network flow data — NetFlow, sFlow, and AWS VPC Flow Logs — through interactive charts, tables, and visualizations. Every element on the page is interactive: click a pie chart slice to filter, drag across a time series to zoom in, or click an IP address in a table to instantly drill down.
Global Controls
The top toolbar provides controls that apply across all views.
Source Selector
The Source dropdown filters all data to flows from a specific collector source. Select All Sources to see aggregated traffic from all NetFlow/sFlow exporters and VPC Flow Logs, or choose a specific source to isolate traffic from a single device or collector.
Time Range
Preset time windows are available as buttons:
| Preset | Window |
|---|---|
| 15m | Last 15 minutes |
| 1h | Last 1 hour |
| 6h | Last 6 hours |
| 24h | Last 24 hours |
| 7d | Last 7 days |
| 30d | Last 30 days |
The refresh button re-fetches data for the current time window. The Auto-Refresh toggle (labeled Off by default) can be enabled to automatically refresh at a set interval.
You can also set a custom time range by dragging across any time series chart. See Drag-to-Zoom below.
Filter Builder
Click + Filter to open the filter builder. Click Clear to remove all active filters.
Each filter condition consists of three parts:
- Field — The flow field to filter on (e.g., Source IP, Dest IP, Source Port, Protocol, Application, Country, ASN, Device, Interface, and all cloud-specific fields).
- Operator — The comparison operator.
- Value — The value to match against.
Available Operators
| Operator | Description |
|---|---|
| = | Exact match. |
| ≠ | Not equal to. |
| contains | Field value contains the specified string. |
| not contains | Field value does not contain the specified string. |
| starts with | Field value starts with the specified string. |
| ends with | Field value ends with the specified string. |
| in (comma sep) | Field value matches any item in a comma-separated list (e.g., 192.168.1.1,10.0.0.1). |
| in subnet | IP address falls within the specified CIDR subnet (e.g., 192.168.100.0/24). |
| not in subnet | IP address does not fall within the specified CIDR subnet. |
Click + Add condition to add additional filter conditions. Multiple conditions are combined with AND logic. Press Enter or click Apply to execute the filter. Click the ✕ next to any condition to remove it.
The in subnet and not in subnet operators are particularly useful for isolating traffic to or from specific network segments. For example, filter Source IP in subnet 10.0.0.0/8 to see all traffic sourced from the 10.0.0.0/8 RFC 1918 private range, or Dest IP not in subnet 192.168.0.0/16 to find traffic whose destination lies outside that private network.
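The operator table above is easy to misread in the edge cases (what a subnet operator does with a non-IP field, how a comma-separated list is split, how AND combination works). The following Python is an added example, not WhiteOwl's own filter code: it evaluates filter conditions with exactly those operators over a handful of constructed flow records. The field names (`src_ip`, `dst_ip`, `dst_port`, `protocol`, `app`) and the sample flows are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Union

# Constructed sample flow records (not WhiteOwl data). The keys stand in for
# the Field choices in the filter builder: Source IP, Dest IP, Dest Port,
# Protocol and Application.
FLOWS: List[Dict[str, Any]] = [
    {"src_ip": "10.1.2.3",     "dst_ip": "192.168.5.9", "dst_port": 443, "protocol": "TCP", "app": "HTTPS"},
    {"src_ip": "10.1.2.3",     "dst_ip": "8.8.8.8",     "dst_port": 53,  "protocol": "UDP", "app": "DNS"},
    {"src_ip": "172.16.0.7",   "dst_ip": "104.16.1.1",  "dst_port": 443, "protocol": "TCP", "app": "HTTPS"},
    {"src_ip": "192.168.1.20", "dst_ip": "192.168.1.1", "dst_port": 161, "protocol": "UDP", "app": "SNMP"},
]

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _parse_ip(value: Any) -> Optional[IPAddr]:
    """Return the parsed address, or None when the field value is not an IP at all."""
    try:
        return ipaddress.ip_address(str(value))
    except ValueError:
        return None


def _in_subnet(value: Any, cidr: str) -> bool:
    ip = _parse_ip(value)
    # strict=False lets a user type a host address such as 10.0.0.1/8 as the CIDR.
    return ip is not None and ip in ipaddress.ip_network(cidr, strict=False)


def _not_in_subnet(value: Any, cidr: str) -> bool:
    # Unparseable values match neither subnet operator, so a port or application
    # field never slips through a "not in subnet" filter by accident.
    ip = _parse_ip(value)
    return ip is not None and ip not in ipaddress.ip_network(cidr, strict=False)


# One predicate per operator in the Available Operators table; `v` is the
# flow's field value, `x` is the text typed into the filter builder.
OPERATORS: Dict[str, Callable[[Any, str], bool]] = {
    "=":             lambda v, x: str(v) == x,
    "≠":             lambda v, x: str(v) != x,
    "contains":      lambda v, x: x in str(v),
    "not contains":  lambda v, x: x not in str(v),
    "starts with":   lambda v, x: str(v).startswith(x),
    "ends with":     lambda v, x: str(v).endswith(x),
    "in":            lambda v, x: str(v) in {item.strip() for item in x.split(",")},
    "in subnet":     _in_subnet,
    "not in subnet": _not_in_subnet,
}


@dataclass(frozen=True)
class Condition:
    field: str      # e.g. "src_ip"
    operator: str   # a key of OPERATORS
    value: str      # the text entered in the Value box

    def matches(self, flow: Dict[str, Any]) -> bool:
        if self.operator not in OPERATORS:
            raise ValueError(f"unknown operator: {self.operator!r}")
        if self.field not in flow:
            return False
        return OPERATORS[self.operator](flow[self.field], self.value)


def apply_filters(flows: List[Dict[str, Any]], conditions: List[Condition]) -> List[Dict[str, Any]]:
    """All conditions are ANDed, which is how the filter builder combines them."""
    return [f for f in flows if all(c.matches(f) for c in conditions)]


def click_filter(conditions: List[Condition], field: str, value: Any) -> List[Condition]:
    """Point-and-click on a chart slice or table cell: append an equals condition."""
    return [*conditions, Condition(field, "=", str(value))]


if __name__ == "__main__":
    private_src = [Condition("src_ip", "in subnet", "10.0.0.0/8")]
    leaving = private_src + [Condition("dst_ip", "not in subnet", "192.168.0.0/16")]
    print(len(apply_filters(FLOWS, private_src)), "flows sourced from 10.0.0.0/8")
    print([f["dst_ip"] for f in apply_filters(FLOWS, leaving)])
```

The two subnet predicates deliberately return False for values that do not parse as an address; the alternative (treating a non-IP field as "not in" every subnet) would make a mistyped field silently pass a negative filter.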
Views
The Flow Explorer offers four views, accessible via the tab bar below the filter controls.
Charts
The default view displays interactive charts and tables providing a comprehensive traffic overview.
Time Series Charts
Two line charts span the top of the page:
- Traffic by Application — Shows bandwidth over time broken down by detected application (e.g., DHCP-SERVER, DNS, HTTP, HTTPS, MDNS, MQTT, NETBIOS-NS, NETFLOW, NTP, RADIUS, SNMP, SIP, SSH). Each application is a separate colored line in the chart legend.
- Top Interfaces (Mbps) — Shows bandwidth over time per interface (e.g., cisco-edge...Gi1, cisco-router...Gi1). Hovering over the chart displays a tooltip with the exact timestamp, interface name, and throughput value.
Both charts support drag-to-zoom and legend click filtering.
Drag-to-Zoom
Click and drag horizontally across any time series chart to select a time window. When you release the mouse, WhiteOwl re-queries ClickHouse at the appropriate granularity for the zoomed window — this is a true server-side zoom, not client-side filtering. The data is re-aggregated at finer time intervals to reveal detail that wasn't visible at the original zoom level.
A Reset button appears when zoomed in, allowing you to return to the original preset time range.
Donut Charts
Four donut charts provide proportional breakdowns of traffic:
| Chart | Groups by | Description |
|---|---|---|
| Top Devices | Exporter device | Traffic distribution across NetFlow/sFlow exporters. |
| Top Countries | GeoIP country | Traffic distribution by destination country (requires MaxMind GeoIP integration). |
| Top Protocols | IP protocol | Breakdown by protocol (UDP, TCP, ICMP, etc.). |
| Top Dest Server Ports | Destination port | Most common destination service ports (443, 80, 53, 123, 161, etc.). |
Top Source / Destination Address Tables
Two tables at the bottom of the Charts view list the highest-volume IP addresses:
Top Source Addresses:
| Column | Description |
|---|---|
| Source IP | The source IP address. Clickable to add as a filter. |
| Mbps | Average throughput from this source. |
| pps | Packets per second. |
| fps | Flows per second. |
Top Destination Addresses:
| Column | Description |
|---|---|
| Dest IP | The destination IP address. Clickable to add as a filter. |
| Mbps | Average throughput to this destination. |
| pps | Packets per second. |
| fps | Flows per second. |
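Two passages above describe the same aggregation from opposite ends: Drag-to-Zoom re-queries raw flows at a finer bucket for the new window instead of thinning the existing points, and the address tables report per-source averages in Mbps, pps and fps. The Python below is an added example, not WhiteOwl's code or its ClickHouse queries; it shows both over constructed flow records. The bucket ladder, the 120-point budget and the sample flows are assumptions for the example, as the page does not document the product's real granularity rules.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed sample flows (not WhiteOwl data): first-packet time, source,
# byte and packet counts, two sources inside a one-hour window.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
FLOWS: List[dict] = [
    {"ts": T0 + timedelta(seconds=s), "src_ip": src, "bytes": b, "packets": p}
    for s, src, b, p in [
        (0,   "10.1.2.3",   1_500_000, 1000),
        (20,  "10.1.2.3",   1_500_000, 1000),
        (90,  "10.1.2.3",   3_000_000, 2000),
        (120, "172.16.0.7",   600_000,  400),
        (600, "172.16.0.7",   600_000,  400),
    ]
]

# Assumption: an illustrative granularity ladder and point budget; the real
# product's values are not documented on the page.
BUCKET_LADDER_S = [10, 30, 60, 300, 900, 3600, 86400]
TARGET_POINTS = 120

Counters = Dict[str, int]


def choose_bucket_seconds(window_s: float, target_points: int = TARGET_POINTS) -> int:
    """Smallest bucket on the ladder that keeps the series at or under the point budget."""
    for bucket in BUCKET_LADDER_S:
        if window_s / bucket <= target_points:
            return bucket
    return BUCKET_LADDER_S[-1]


def _new_counters() -> Counters:
    return {"bytes": 0, "packets": 0, "flows": 0}


def _add(counters: Counters, flow: dict) -> None:
    counters["bytes"] += flow["bytes"]
    counters["packets"] += flow["packets"]
    counters["flows"] += 1


def bucketize(flows: List[dict], start: datetime, end: datetime,
              bucket_s: int) -> Dict[Tuple[datetime, str], Counters]:
    """Sum bytes, packets and flow count per (bucket start, source): the shape a
    GROUP BY over a time-bucket column returns. The window end is exclusive."""
    totals: Dict[Tuple[datetime, str], Counters] = defaultdict(_new_counters)
    for f in flows:
        if not (start <= f["ts"] < end):
            continue
        index = int((f["ts"] - start).total_seconds()) // bucket_s
        _add(totals[(start + timedelta(seconds=index * bucket_s), f["src_ip"])], f)
    return dict(totals)


def to_rates(counters: Counters, seconds: float) -> Dict[str, float]:
    """Convert counters summed over `seconds` into the Mbps / pps / fps columns."""
    return {
        "mbps": counters["bytes"] * 8 / seconds / 1_000_000,
        "pps": counters["packets"] / seconds,
        "fps": counters["flows"] / seconds,
    }


def series_for_window(flows: List[dict], start: datetime, end: datetime):
    """What a drag-to-zoom re-query does: pick the granularity for the new window,
    then re-aggregate from the raw flows rather than thinning the old points."""
    bucket_s = choose_bucket_seconds((end - start).total_seconds())
    totals = bucketize(flows, start, end, bucket_s)
    return bucket_s, {key: to_rates(c, bucket_s) for key, c in totals.items()}


def top_sources(flows: List[dict], start: datetime, end: datetime):
    """Average Mbps/pps/fps per source over the whole window, ranked by Mbps
    (the Top Source Addresses table). Averages over the window, so a burst that
    lasted a minute shows up far smaller here than in the zoomed series."""
    seconds = (end - start).total_seconds()
    per_src: Dict[str, Counters] = defaultdict(_new_counters)
    for f in flows:
        if start <= f["ts"] < end:
            _add(per_src[f["src_ip"]], f)
    ranked = [(ip, to_rates(c, seconds)) for ip, c in per_src.items()]
    ranked.sort(key=lambda item: item[1]["mbps"], reverse=True)
    return ranked


if __name__ == "__main__":
    print(series_for_window(FLOWS, T0, T0 + timedelta(hours=1)))
    print(series_for_window(FLOWS, T0, T0 + timedelta(minutes=2)))
    print(top_sources(FLOWS, T0, T0 + timedelta(hours=1)))
```

Run as-is, the one-hour window lands on 30-second buckets and merges the two flows at 0 s and 20 s into one point; zooming to two minutes drops to 10-second buckets and separates them, which is the detail that was "not visible at the original zoom level".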
Reverse DNS Hostname Resolution
Where available, IP addresses in the source and destination tables display the resolved hostname beneath the IP address (e.g., 192.178.218.113 with yiaetq-in-f113.1e100.net shown below). WhiteOwl performs reverse DNS lookups and caches the results using Redis, achieving high cache hit rates for repeated lookups. This makes it easy to identify the actual services behind IP addresses — for example, recognizing Google, Cloudflare, or CDN endpoints at a glance.
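The caching described above is what keeps reverse lookups from dominating table rendering, and it has two details worth getting right: negative answers need caching too, and a PTR name is set by whoever controls the reverse zone, so it identifies a service only once the name resolves back to the same address. The Python below is an added example, not WhiteOwl's Redis-backed implementation; it uses an in-memory dictionary in place of Redis and an injected resolver so it runs offline. The lookup answers are constructed (192.178.218.113 and its hostname are the values the page shows; the other addresses are from documentation ranges) and the TTLs are assumptions.

```python
import time
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed answers so the example runs offline; a deployment would call
# socket.gethostbyaddr or a DNS library instead. 192.178.218.113 is the address
# shown on the page; 203.0.113.7 and 198.51.100.9 are documentation ranges.
FAKE_PTR: Dict[str, str] = {
    "192.178.218.113": "yiaetq-in-f113.1e100.net",
    "203.0.113.7": "cdn-edge.example.net",
}
FAKE_A: Dict[str, Set[str]] = {
    "yiaetq-in-f113.1e100.net": {"192.178.218.113"},
    "cdn-edge.example.net": {"198.51.100.9"},   # PTR claims a name that does not point back
}


class ReverseDnsCache:
    """In-memory stand-in for the Redis cache in front of PTR lookups.
    Both answers and "no PTR record" results are cached, each with its own TTL,
    so an address without a PTR does not trigger a fresh lookup on every render."""

    def __init__(self, ptr_lookup: Callable[[str], Optional[str]],
                 forward_lookup: Callable[[str], Set[str]],
                 ttl_s: float = 3600.0, negative_ttl_s: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._ptr = ptr_lookup
        self._forward = forward_lookup
        self._ttl = ttl_s
        self._negative_ttl = negative_ttl_s
        self._clock = clock                       # injectable for deterministic tests
        self._entries: Dict[str, Tuple[Optional[str], float]] = {}  # ip -> (name, expiry)
        self.hits = 0
        self.misses = 0

    def resolve(self, ip: str) -> Optional[str]:
        """Hostname for `ip`, or None when it has no PTR record."""
        now = self._clock()
        cached = self._entries.get(ip)
        if cached is not None and cached[1] > now:
            self.hits += 1
            return cached[0]
        self.misses += 1
        name = self._ptr(ip)
        expires = now + (self._ttl if name else self._negative_ttl)
        self._entries[ip] = (name, expires)
        return name

    def forward_confirmed(self, ip: str) -> bool:
        """True only when the PTR name resolves back to the same address
        (forward-confirmed reverse DNS); a name that fails this should be
        displayed as a hint, not treated as an identification."""
        name = self.resolve(ip)
        return name is not None and ip in self._forward(name)

    def hit_rate(self) -> float:
        total = self.hits + self.misses
        return self.hits / total if total else 0.0


if __name__ == "__main__":
    cache = ReverseDnsCache(FAKE_PTR.get, lambda name: FAKE_A.get(name, set()))
    for ip in ("192.178.218.113", "192.178.218.113", "203.0.113.7", "10.0.0.5"):
        print(ip, cache.resolve(ip), cache.forward_confirmed(ip))
    print(f"hit rate {cache.hit_rate():.0%}")
```

Keying the cache by address and expiring positive and negative entries on different clocks mirrors the trade-off a Redis deployment makes: long TTLs give the high hit rate the page mentions, while a short negative TTL lets a newly published PTR record show up within minutes.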
Sankey
The Sankey diagram view visualizes traffic flows as proportional bands connecting sources to destinations. The width of each band represents the relative volume of traffic between the two endpoints. This view is useful for understanding traffic patterns and identifying which sources are communicating with which destinations, and through which protocols or ports.
Metrics
The Metrics view provides aggregate traffic statistics broken down by site and device. This view focuses on throughput and volume metrics (BPS, PPS, FPS) rather than individual flow details, making it useful for capacity planning and trend analysis.
GeoMap
The GeoMap view displays traffic flows on an interactive world map, with arcs connecting source and destination countries. Circle markers indicate traffic volume at each location, and arc thickness represents relative bandwidth between country pairs. This view requires the MaxMind GeoIP integration to be configured.
Clicking on a location marker or flow arc adds a filter for that country, allowing you to drill into traffic for a specific geographic region.
Point-and-Click Filtering
Nearly every visual element in the Flow Explorer is clickable and adds a filter condition automatically. This enables rapid drill-down without manually typing filter values.
Clickable Elements
| Element | Action |
|---|---|
| Pie / donut chart slice | Adds an equals filter for the clicked segment (e.g., clicking "UDP" in Top Protocols filters to Protocol = UDP). |
| Chart legend entry | Toggles the visibility of that series in the chart, or adds a filter for the selected item. |
| Table cell (IP address) | Adds a Source IP or Dest IP equals filter for the clicked address. |
| Table cell (port, protocol, app) | Adds a filter for the clicked value. |
| GeoMap location / arc | Adds a country filter for the clicked source or destination country. |
Filters added via point-and-click appear in the filter bar at the top of the page, where they can be reviewed, modified, or removed.
A typical drill-down workflow: Start with the 1-hour view → notice a spike in the Traffic by Application chart → click the application name in the legend to filter → see which IPs are driving that traffic in the tables → click a suspicious source IP → zoom into the time series to isolate the exact time window → switch to Sankey to see the full conversation map for that source.