Network Subnets Monitor (10011 / 20011)
Description
This module reports the top bandwidth consumers for each monitored subnet. The information is reported separately for each NetFlow exporter and each monitored subnet.
Parameters
| Parameter Name | Description | Comments |
|---|---|---|
| Data Collection Interval, sec | Module logic execution interval | min = 10 sec, max = 600 sec, default = 30 sec |
| Monitored subnet IPv4 address and subnet mask | List of the watched subnets’ IPv4 addresses and masks (CIDR notation) | e.g. 67.202.0.0,18; 72.44.32.0,24 |
| Monitored subnet IPv6 address and subnet mask | List of the watched subnets’ IPv6 addresses and masks (CIDR notation) | e.g. 2620:0:2d0:200::7,24 |
| N – number of reported hosts | Top N (number of reported hosts per subnet) | min = 0, max = 100000, default = 50 (0 indicates all hosts are reported) |
Input
NetFlow v5, v9, IPFIX, Cisco ASA NSEL, sFlow.
Required NetFlow Fields
| Information Element (IE) | IE id | IE size, B | Description |
|---|---|---|---|
| sourceIPv4Address or sourceIPv6Address | 8 or 27 | 4 or 16 | The IPv4 or IPv6 source address in the IP packet header |
| destinationIPv4Address or destinationIPv6Address | 12 or 28 | 4 or 16 | The IPv4 or IPv6 destination address in the IP packet header |
| protocolIdentifier | 4 | 1 | The value of the protocol number in the IP packet header. The protocol number identifies the IP packet payload type. Protocol numbers are defined in the IANA Protocol Numbers registry. |
Syslog/JSON Message Fields
| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | nfc_id=20011 |
| exp_ip | NetFlow exporter IP address | <IPv4 address> |
| subnet | Subnet IPv4 | <IPv4 address> |
| subnet | Subnet IPv6 | <IPv6 address> |
| mask | Mask | <number> |
| src_ip | Source host IPv4 address | <IPv4 address> |
| src_ip6 | Source host IPv6 address | <IPv6 address> |
| protocol | Transport Protocol (TCP = 6, UDP = 17) | <number> |
| bytes_out | Bytes Out (Traffic) | <number> |
| bytes_in | Bytes In (Traffic) | <number> |
| packets_out | Packets Out count | <number> |
| packets_in | Packets In count | <number> |
| flow_count | Number of flows | <number> |
| percent_of_total | Percent of Total Traffic of the Source Host within Subnet | <decimal>, e.g. 25.444% is 25.444 |
| t_int | Observation time interval, msec | <number> |
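The following is an added example, not code from the product or its documentation: it reads 20011 messages and lists, per exporter and subnet, the hosts whose percent_of_total is at or above a threshold, which is a simple way to surface a single host dominating a subnet's traffic. It assumes the payload is either a JSON object or space-separated key=value pairs using the keys in the table above; the function names, the 50% threshold and the sample messages are hypothetical.

```python
import json
import re
from collections import defaultdict

KV = re.compile(r"(\w+)=(\S+)")  # assumed key=value syslog layout

def parse_record(line):
    """Return a 20011 record as a dict, or None for any other message."""
    start = line.find("{")
    if start != -1:                      # JSON payload
        try:
            rec = json.loads(line[start:])
        except ValueError:
            return None
    else:                                # key=value payload
        rec = dict(KV.findall(line))
    return rec if str(rec.get("nfc_id")) == "20011" else None

def dominant_hosts(lines, min_percent=50.0):
    """Map (exp_ip, subnet/mask) -> [(host, percent, bytes_out)], highest first."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        host = rec.get("src_ip") or rec.get("src_ip6")
        try:
            pct = float(rec["percent_of_total"])
            sent = int(rec["bytes_out"])
            key = (rec["exp_ip"], f"{rec['subnet']}/{rec['mask']}")
        except (KeyError, TypeError, ValueError):
            continue                     # skip malformed records
        if host and pct >= min_percent:
            hits[key].append((host, pct, sent))
    for hosts in hits.values():
        hosts.sort(key=lambda h: h[1], reverse=True)
    return dict(hits)

# Constructed sample messages (documentation address ranges), not real output.
SAMPLE = [
    "<14>nfo nfc_id=20011 exp_ip=198.51.100.1 subnet=192.0.2.0 mask=24 "
    "src_ip=192.0.2.15 protocol=6 bytes_out=9000000 percent_of_total=81.25 t_int=30000",
    "<14>nfo nfc_id=20011 exp_ip=198.51.100.1 subnet=192.0.2.0 mask=24 "
    "src_ip=192.0.2.20 protocol=17 bytes_out=2076923 percent_of_total=18.75 t_int=30000",
    '{"nfc_id": 20011, "exp_ip": "198.51.100.1", "subnet": "2001:db8::", "mask": 64, '
    '"src_ip6": "2001:db8::7", "protocol": 17, "bytes_out": 500, "percent_of_total": 100.0}',
    "<14>nfo nfc_id=20010 exp_ip=198.51.100.1 bytes_out=1",  # other module, ignored
]
```

Because percent_of_total is relative to the subnet's own traffic, a lone host on a quiet subnet reports 100; pairing the threshold with a minimum bytes_out avoids alerting on that case.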