Version: 2.10.1

TCP Health Monitor (10060 / 20060)

Description

This Module reports TCP health by detecting the hosts that issue the most TCP resets (RST). To provide an accurate reset count, the Module selects a definitive NetFlow exporter for each host: the exporter that sees the most TCP resets from that host.

Top hosts are defined either by the percentage of the host's TCP resets relative to the total number of resets reported by its definitive NetFlow exporter, or by the percentage of the host's TCP resets relative to the total number of that host's connections. Both thresholds are configurable; see the Parameters section below.

This information is provided by a definitive NetFlow exporter.

Default thresholds are:

  1. % of Total Resets = 10%
  2. % of Resets to local host connections = 50%

This means that a host and its RST count are reported if the host issued over 10% of the resets observed by its definitive exporter, OR if its RST count is over 50% of all connections made by that host.

Parameters

| Parameter Name | Description | Comments |
| --- | --- | --- |
| Data Collection Interval, sec | Module logic execution interval | min = 5 sec, max = 600 sec, default = 30 sec |
| N - reporting threshold in percent of total resets number | % of Total Resets | min = 0 %, max = 100 %, default = 10 % |
| N - reporting threshold in percent of resets to the number of host connections | % of Resets to local host connections | min = 0 %, max = 100 %, default = 50 % |

Input

NetFlow v5, v9, IPFIX, and Palo Alto Networks NetFlow v9. sFlow and sampled NetFlow are specifically excluded from processing by this Module. Cisco ASA NSEL is not supported by this Module because its records do not carry TCP flags.

Syslog/JSON Message Fields - Hosts

| Key | Field Description | Comments |
| --- | --- | --- |
| nfc_id | Message type identifier | "nfc_id=20060" |
| exp_ip | NetFlow exporter IP address | <IPv4 address> |
| src_ip | Source host IPv4 address | <IPv4 address> |
| src_ip6 | Source host IPv6 address | <IPv6 address> |
| src_host (1) | Source host name | <string>, included when FQDN is on |
| reset_count | Count of Resets | <number> |
| total_share | Percent of the total number of resets sent by source host | <number> |
| local_share | Percent of the resets to the total number of the source host connections | <number> |
| t_int | Observation time interval, msec | <number> |

(1) Host name field is optional and included only if FQDN Service is enabled.
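As an added example (not the product's own code), the following Python models the reporting logic from the Description section and renders the host message fields listed in the table above: it aggregates constructed flow records, selects each host's definitive exporter (the one that saw the most RSTs from that host), evaluates both thresholds with the documented defaults, and emits key=value lines using the documented field names. The following are assumptions, not stated on the page: one flow record counts as one connection, the RST bit is read from the record's tcp_flags field (0x04), ties between exporters are broken by exporter IP, and t_int is the collection interval expressed in milliseconds.

```python
from collections import defaultdict
from dataclasses import dataclass

RST = 0x04          # RST bit of the NetFlow/IPFIX tcp_flags field
ACK = 0x10
NFC_ID = 20060      # message type identifier documented for this Module's host reports


@dataclass(frozen=True)
class Flow:
    exp_ip: str     # NetFlow exporter that reported the record
    src_ip: str     # host that originated the flow (assumption: one record = one connection)
    tcp_flags: int  # cumulative TCP flags of the flow


def make_flows(exp_ip, src_ip, n_conns, n_rst):
    """Build n_conns constructed records from src_ip as seen by exp_ip, n_rst of them with RST set."""
    return [Flow(exp_ip, src_ip, (RST | ACK) if i < n_rst else ACK) for i in range(n_conns)]


# Constructed sample: two exporters see overlapping hosts. Exporter 10.0.0.2 sees more of the
# traffic, so it becomes the definitive exporter for 192.0.2.10 and 192.0.2.20.
SAMPLE_FLOWS = (
    make_flows("10.0.0.1", "192.0.2.10", 5, 3)
    + make_flows("10.0.0.1", "192.0.2.20", 10, 1)
    + make_flows("10.0.0.2", "192.0.2.10", 20, 4)
    + make_flows("10.0.0.2", "192.0.2.20", 10, 6)
    + make_flows("10.0.0.2", "192.0.2.30", 100, 10)   # reported via % of total resets
    + make_flows("10.0.0.2", "192.0.2.40", 100, 2)    # below both thresholds: not reported
    + make_flows("10.0.0.2", "192.0.2.50", 3, 2)      # reported via % of own connections
)


def aggregate(flows):
    """Per-exporter reset totals plus per-(exporter, host) reset and connection counts."""
    resets = defaultdict(int)      # (exp_ip, host) -> RSTs from host seen by that exporter
    conns = defaultdict(int)       # (exp_ip, host) -> connections from host seen by that exporter
    exp_resets = defaultdict(int)  # exp_ip -> all RSTs seen by that exporter
    for f in flows:
        conns[(f.exp_ip, f.src_ip)] += 1
        if f.tcp_flags & RST:
            resets[(f.exp_ip, f.src_ip)] += 1
            exp_resets[f.exp_ip] += 1
    return resets, conns, exp_resets


def definitive_exporter(resets, host):
    """Exporter that saw the most RSTs from host, or None if no exporter saw any.
    Breaking ties on the lowest exporter IP string is an assumption, not documented behaviour."""
    seen = [(n, e) for (e, h), n in resets.items() if h == host]
    if not seen:
        return None
    return sorted(seen, key=lambda t: (-t[0], t[1]))[0][1]


def top_reset_hosts(flows, total_pct=10.0, local_pct=50.0, t_int=30000):
    """Return one report dict per host whose RSTs exceed either documented threshold."""
    resets, conns, exp_resets = aggregate(flows)
    reports = []
    for host in sorted({h for (_, h) in conns}):
        exp = definitive_exporter(resets, host)
        if exp is None:
            continue                                     # host issued no resets at all
        n = resets[(exp, host)]
        total_share = 100.0 * n / exp_resets[exp]        # share of that exporter's total RSTs
        local_share = 100.0 * n / conns[(exp, host)]     # share of the host's own connections
        if total_share > total_pct or local_share > local_pct:
            reports.append({
                "nfc_id": NFC_ID, "exp_ip": exp, "src_ip": host, "reset_count": n,
                "total_share": round(total_share, 2), "local_share": round(local_share, 2),
                "t_int": t_int,
            })
    return reports


def format_message(report):
    """Render a report as a syslog-style line using the documented key=value field names."""
    return " ".join(f"{k}={v}" for k, v in report.items())


if __name__ == "__main__":
    for r in top_reset_hosts(SAMPLE_FLOWS):
        print(format_message(r))
```

With the sample data, 192.0.2.40 stays below both thresholds (2 of 24 exporter resets, 2% of its own connections) and is not reported, while 192.0.2.50 is reported solely on the local share (2 of its 3 connections were resets) even though it contributes only 8.33% of the exporter's resets.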