Services Performance Monitor (10017 / 20017)
Description
This Module monitors services performance characteristics. A service is defined as a combination of a host IP address, a destination port number and an IP protocol. The Module calculates average response time over a specified Data Collection Interval and reports it for each of the listed servers. A special port number value (0) indicates that response time should be calculated over all ports serviced by that server (e.g. an FTP server in the passive mode). Along with response time measurements the Module also provides traffic volume in each direction and the number of flows.
Parameters
| Parameter Name | Description | Comments |
|---|---|---|
| Data Collection Interval, sec | Module logic execution interval | min = 5 sec, max = 600 sec, default = 30 sec |
| List of monitored IPv4 address, destination port number and IP protocol tuples | List of the watched services (IPv4 address, destination port number and IP protocol) | e.g. 67.202.0.200 / 80/6; 72.44.32.1 / 53/ 17 |
| List of monitored IPv6 address, destination port number and IP protocol tuples | List of the watched services (IPv6 address, destination port number and IP protocol) | e.g. 2620:0:2d0:200::7/ 53/ 17 |
Input
NetFlow v5 and v9, Cisco ASA NSEL, Palo Alto Networks NFv9.
Required NetFlow Fields
| Information Element (IE) | IE id | IE size, B | Description |
|---|---|---|---|
| sourceIPv4Address or sourceIPv6Address | 8 or 27 | 4 or 16 | The IPv4 or IPv6 source address in the IP packet header |
| destinationIPv4Address or destinationIPv6Address | 12 or 28 | 4 or 16 | The IPv4 or IPv6 destination address in the IP packet header |
| protocolIdentifier | 4 | 1 | The value of the protocol number in the IP packet header. The protocol number identifies the IP packet payload type. Protocol numbers are defined in the IANA Protocol Numbers registry. |
| sourceTransportPort | 7 | 2 | The source port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the source port number given in the respective header. |
| destinationTransportPort | 11 | 2 | The destination port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the destination port number given in the respective header. |
| octetDeltaCount | 1 | 4 or 8 | The number of octets since the previous report (if any) in incoming packets for this Flow at the Observation Point. The number of octets includes IP header(s) and IP payload. |
| flowStartSysUpTime | 22 | 4 | The relative timestamp of the first packet of this Flow. It indicates the number of milliseconds since the last (re-)initialization of the IPFIX Device (sysUpTime). sysUpTime can be calculated from systemInitTimeMilliseconds. |
| flowEndSysUpTime | 21 | 4 | The relative timestamp of the last packet of this Flow. It indicates the number of milliseconds since the last (re-)initialization of the IPFIX Device (sysUpTime). sysUpTime can be calculated from systemInitTimeMilliseconds. |
Syslog/JSON Message Fields
| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | "nfc_id=20017" |
| exp_ip | NetFlow exporter IP address | <IPv4_address> |
| dest_ip | Service IPv4 address | <IPv4_address> |
| dest_ip6 | Service IPv6 address | <IPv6_address> |
| dest_port | Service transport port number | <number> |
| protocol | IP protocol (TCP = 6, UDP = 17) | <number> |
| min_time | Min service response time, msec | <number> |
| max_time | Max service response time, msec | <number> |
| avg_time | Average service response time, msec | <number> |
| flow_count | Number of observed flows | <number> |
| bytes_in | Traffic received, bytes | <number> |
| bytes_out | Traffic sent, bytes | <number> |
| t_int | Observation time interval, msec | <number> |