Top Packets Monitor (10068 / 20068)
Description
This Module identifies hosts with the most packets. It consolidates NetFlow records over a period of time (Data Collection Interval) which all have the same combination of the following fields:
- Source IP address
- Destination IP address
- Source port number
- Destination port number
- Layer 3 protocol
- Input interface
- Output interface
This information is provided per NetFlow exporter. Deduplication: optionally the Module can report consolidated flows only from authoritative router/switch. Authoritative network device is determined as follows. The Module sums up bytes, packets, and connections between two hosts over data collection interval (parameter, default = 30 sec), reported by each flow exporter. An exporter with most connections (flows) for each consolidated flow is considered authoritative, and flows reported by all other exporters are discarded.
Parameters
| Parameter Name | Description | Comments |
|---|---|---|
| Data Collection Interval, sec | Module logic execution interval | min = 5 sec, max = 600 sec, default = 30 sec |
| N – number of reported hosts | The number of top hosts reported per NetFlow exporter | min = 0, max = 100000, default = 50 (0 indicates all hosts are reported) |
| Enable(1) or disable (0) reporting flow denied events | If set to 1, enable reporting firewall denied flows. If set to 0, firewall denied flows are not reported | default = 1 |
| Enable(1) or disable (0) reporting by authoritative exporters only | If set to 1 (deduplication enabled), the Module reports flows only from authoritative exporters | default = 0 |
| Enable(1) or disable (0) reporting client port | If set to 1, the ephemeral client port number is reported. If set to 0, client port number is not taken into account for consolidation, and reported as 0 | default = 1 |
| Enable(1) or disable (0) multiplying by sampling rate | If set to 1, when *flow is sampled (e.g. sFlow, sampled NetFlow/IPFIX), the sampling rate is used to multiply bytes and packets to report total traffic as statistical approximation | default = 0 |
| Default sampler rate | If sampling information is not available, use this rate to multiply bytes and packets to report total traffic as statistical approximation | default = 1 |
Input
NetFlow v5, v9, IPFIX, Cisco ASA NSEL, Palo Alto Networks NetFlow v9, sFlow.
Required NetFlow Fields
| Information Element (IE) | IE id | IE size, B | Description |
|---|---|---|---|
| IPv4 | |||
| sourceIPv4Address | 8 | 4 | The IPv4 source address in the IP packet header |
| destinationIPv4Address | 12 | 4 | The IPv4 destination address in the IP packet header |
| IPv6 | |||
| sourceIPv6Address | 27 | 16 | The IPv6 source address in the IP packet header |
| destinationIPv6Address | 28 | 16 | The IPv6 destination address in the IP packet header |
Syslog/JSON Message Fields
| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | nfc_id=20068 |
| exp_ip | NetFlow exporter IP address | IPv4 address |
| input_snmp | NetFlow exporter ingress interface SNMP index | number |
| output_snmp | NetFlow exporter egress interface SNMP index | number |
| protocol [^1] | Transport Protocol (TCP = 6, UDP = 17) | number |
| src_ip | Source host IPv4 address | IPv4 address |
| src_ip6 | Source host IPv6 address | IPv6 address |
| src_host [^2] | Source host name | string, included when FQDN is on |
| src_port | Source port number | number |
| dest_ip | Destination host IPv4 address | IPv4 address |
| dest_ip6 | Destination host IPv6 address | IPv6 address |
| dest_host [^2] | Destination host name | string, included when FQDN is on |
| dest_port | Destination port number | number |
| tcp_flag | Cumulative OR of TCP flags | string, e.g. SYN,ACK,FIN |
| packets_in | Packets in the flow received by the input interface | number |
| bytes_in | Total number of Layer 3 bytes in the packets of the flow received by the input interface | number |
| src_tos | Inbound IP type of service | number |
| dest_tos | Outbound IP type of service | number |
| src_asn | Source AS | number |
| dest_asn | Destination AS | number |
| flow_count | Number of flows | number |
| action [^3] | Flow action | string, The action is determined from IPFIX element 233 - firewallEvent and NFv9 / IPFIX element 89 - forwardingStatus |
| percent_of_total | Percent of Total (packets) | decimal, e.g. 25.444% is 25.444 |
| flow_smpl_id | Flow Sampler ID | number |
| t_int | Observation time interval, msec | number |
[^1] Protocol field is optional. It is reported only if there is a corresponding field in NetFlow.
[^2] Host name field is optional and included only if FQDN Service is enabled.
[^3] Action is reported as follows:
action=blockedfor firewallEvent 0 (ignored), 2 (deleted), and 3 (denied)action=allowedfor firewallEvent 1 (created), 4 (alert), and 5 (update)action=unknownfor forwardingStatus 00action=forwardedfor forwardingStatus 01action=droppedfor forwardingStatus 10action=consumedfor forwardingStatus 11