Top Pairs Monitor (10064 / 20064)
Description
This Module reports the top host-pair network conversations. In contrast to Module 10067, which reports consolidated unidirectional flows, this Module stitches client-server request-response flows together and reports bytes and packets server-to-client and client-to-server in separate fields.
Server destination port: the source port of client hosts is not reported and is ignored when consolidating client-server communications; the destination port of server hosts is reported. The Module determines which host is the client and which is the server as follows: the server is the host that sends more traffic (bytes) than the other. This logic can be overridden by specifying ports in the “List of known server destination port numbers” parameter.
Deduplication: optionally, the Module can report host pairs only from the authoritative router/switch. The authoritative network device is determined as follows: the Module sums up bytes, packets and connections between two hosts over the data collection interval (parameter, default = 30 sec) as reported by each flow exporter. The exporter with the most connections (flows) for a host pair is considered authoritative, and conversations for that host pair reported by all other exporters are discarded.
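The stitching, client/server determination and authoritative-exporter deduplication described above, as an added worked example in Python. This is illustrative code written for this page, not the Module's own implementation: the flow records, exporter names and the known-port list are constructed, and two details the description leaves open are treated as assumptions (the reported server port is the known port that matched, or else the lowest port on which the server was addressed; percent_of_total is computed over the pairs that survive deduplication).

```python
from collections import defaultdict

# Parameter "List of known server destination port numbers" (constructed value)
KNOWN_SERVER_PORTS = {53, 80, 443}

# Constructed unidirectional flow records as a collector would hold them after
# decoding: (exporter, src_ip, src_port, dst_ip, dst_port, protocol, bytes, packets).
FLOWS = [
    # HTTPS session seen by two exporters; the client uploads far more than it
    # receives, so only the known-port list identifies 192.0.2.10 as the server.
    ("r1", "10.0.0.5", 51000, "192.0.2.10", 443, 6, 48000, 40),
    ("r1", "192.0.2.10", 443, "10.0.0.5", 51000, 6, 1200, 10),
    ("r1", "10.0.0.5", 51001, "192.0.2.10", 443, 6, 30000, 25),
    ("r1", "192.0.2.10", 443, "10.0.0.5", 51001, 6, 900, 8),
    ("r2", "10.0.0.5", 51000, "192.0.2.10", 443, 6, 48000, 40),  # r2 sees one connection only
    ("r2", "192.0.2.10", 443, "10.0.0.5", 51000, 6, 1200, 10),
    # Transfer to an unlisted port: no port hint, so byte volume decides the server.
    ("r1", "10.0.0.7", 40000, "198.51.100.20", 9000, 6, 5_000_000, 4000),
    ("r1", "198.51.100.20", 9000, "10.0.0.7", 40000, 6, 200_000, 3500),
]


def orient(sent, dst_ports, known_ports):
    """Pick the server of a host pair: a host addressed on a known server port
    wins; otherwise the host that sent more bytes is the server (the Module's
    default heuristic). Returns (server_ip, server_port)."""
    for host in sent:
        hit = dst_ports[host] & known_ports
        if hit:
            return host, min(hit)
    server = max(sent, key=lambda h: sent[h][0])
    return server, (min(dst_ports[server]) if dst_ports[server] else None)


def stitch(flows, known_ports):
    """Merge unidirectional flows into one client->server record per exporter."""
    acc = {}
    for exporter, sip, sport, dip, dport, proto, nbytes, npkts in flows:
        if sip == dip:
            continue                                   # a host talking to itself is not a pair
        key = (exporter, proto, frozenset((sip, dip)))
        a = acc.setdefault(key, {"sent": {}, "dst_ports": defaultdict(set), "flows": 0})
        for host in (sip, dip):
            a["sent"].setdefault(host, [0, 0])         # [bytes, packets] sent by host
        a["sent"][sip][0] += nbytes
        a["sent"][sip][1] += npkts
        a["dst_ports"][dip].add(dport)                 # ports on which dip was addressed
        a["flows"] += 1                                # client source port (sport) is ignored
    records = []
    for (exporter, proto, pair), a in acc.items():
        server, port = orient(a["sent"], a["dst_ports"], known_ports)
        (client,) = pair - {server}
        c_bytes, c_pkts = a["sent"][client]
        s_bytes, s_pkts = a["sent"][server]
        records.append({
            "exp_ip": exporter, "protocol": proto,
            "dest_ip": server, "dest_port": port, "src_ip": client,
            "bytes_in": c_bytes, "packets_in": c_pkts,      # client -> server
            "bytes_out": s_bytes, "packets_out": s_pkts,    # server -> client
            "bytes": c_bytes + s_bytes, "flow_count": a["flows"],
        })
    return records


def authoritative_only(records):
    """Keep each host pair only from the exporter that reported the most flows."""
    best = {}
    for r in records:
        key = (r["protocol"], r["src_ip"], r["dest_ip"], r["dest_port"])
        if key not in best or r["flow_count"] > best[key]["flow_count"]:
            best[key] = r
    return list(best.values())


def top_pairs(flows, known_ports=KNOWN_SERVER_PORTS, dedup=True, n=0):
    """Full pass: stitch, optionally deduplicate, add percent_of_total and
    apply the top-N limit per exporter (n=0 reports every pair)."""
    records = stitch(flows, known_ports)
    if dedup:
        records = authoritative_only(records)
    total = sum(r["bytes"] for r in records)   # assumption: total taken over kept pairs
    for r in records:
        r["percent_of_total"] = round(100.0 * r["bytes"] / total, 3) if total else 0.0
    if n:
        per_exp = defaultdict(list)
        for r in records:
            per_exp[r["exp_ip"]].append(r)
        records = [r for rs in per_exp.values()
                   for r in sorted(rs, key=lambda r: r["bytes"], reverse=True)[:n]]
    return records


if __name__ == "__main__":
    for r in top_pairs(FLOWS):
        print(" ".join(f"{k}={v}" for k, v in r.items()))
```

Running it reports two pairs: the HTTPS session from exporter r1 only (r1 saw four flows to r2's two), with 192.0.2.10:443 as the server even though the client sent more bytes, and the transfer on port 9000, where the byte heuristic labels the uploading host 10.0.0.7 as the server. Passing an empty known-port list flips the HTTPS pair so that 10.0.0.5 is reported as the server, which is exactly the case the parameter exists to correct.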
Parameters
| Parameter Name | Description | Comments |
|---|---|---|
| Data Collection Interval, sec | Module logic execution interval | min = 5 sec, max = 600 sec, default = 30 sec |
| N - number of reported host pairs | The number of top host pairs reported per NetFlow exporter | min = 0, max = 100000, default = 50, (0 indicates all hosts are reported) |
| List of known server destination port numbers | List of server destination ports to be used to determine which host is a client and which is a server. If the list is empty, the server is the one sending more traffic than receiving | e.g. 53, 80, 443 |
| Enable (1) or disable (0) reporting flow denied events | If set to 1, enable reporting firewall denied flows. If set to 0, firewall denied flows are not reported | default = 1 |
| Enable (1) or disable (0) reporting by server port | If set to 1, enable traffic reporting by destination port. If set to 0, the dest_port field is omitted | default = 1 |
| Enable (1) or disable (0) reporting by authoritative exporters only | If set to 1, the Module reports host pairs only from authoritative exporters | default = 0 |
| Enable (1) or disable (0) multiplying by sampling rate | If set to 1, when the flow is sampled (e.g. sFlow, sampled NetFlow/IPFIX), the sampling rate is used to multiply bytes and packets so that total traffic is reported as a statistical approximation | default = 0 |
| Default sampler rate | If sampling information is not available, use this rate to multiply bytes and packets to report total traffic as statistical approximation | default = 1 |
Input
NetFlow v5, v9, IPFIX, Cisco ASA NSEL, Palo Alto Networks NetFlow v9, sFlow.
Required NetFlow fields
| Information Element (IE) | IE id | IE size, B | Description |
|---|---|---|---|
| IPv4 | |||
| sourceIPv4Address | 8 | 4 | The IPv4 source address in the IP packet header |
| destinationIPv4Address | 12 | 4 | The IPv4 destination address in the IP packet header |
| IPv6 | |||
| sourceIPv6Address | 27 | 16 | The IPv6 source address in the IP packet header |
| destinationIPv6Address | 28 | 16 | The IPv6 destination address in the IP packet header |
Syslog/JSON Message Fields
| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | "nfc_id=20064" |
| exp_ip | NetFlow exporter IPv4 address | IPv4 address |
| exp_ip6 | NetFlow exporter IPv6 address | IPv6 address |
| protocol [^1] | Transport Protocol (TCP = 6, UDP = 17) | number |
| dest_ip | Server IP address | IPv4 address |
| dest_ip6 | Server IPv6 address | IPv6 address |
| dest_host [^2] | Server host name | string, included when FQDN is on |
| dest_port [^3] | Server port number | number |
| src_ip | Client IP address | IPv4 address |
| src_ip6 | Client IPv6 address | IPv6 address |
| src_host [^2] | Client host name | string, included when FQDN is on |
| packets_in | Packets from client to server | number |
| bytes_in | Layer 3 bytes from client to server | number |
| packets_out | Packets from server to client | number |
| bytes_out | Layer 3 bytes from server to client | number |
| bytes | Layer 3 bytes in both directions | number |
| flow_count | Number of flows | number |
| action [^4] | Flow action | string, The action is determined from IPFIX element 233 - firewallEvent and NFv9 / IPFIX element 89 - forwardingStatus |
| percent_of_total | Percent of Total (bytes) (Client + Server) | decimal, e.g. 25.444% is 25.444 |
| [flow_smpl_id] | Flow Sampler ID | number |
| t_int | Observation time interval, msec | number |
[^1] Protocol field is optional. It is reported only if there is a corresponding field in NetFlow.
[^2] Host name field is optional and included only if FQDN Service is enabled.
[^3] Server destination port is optional.
[^4] Action is reported as follows:
- action=blocked for firewallEvent 0 (ignored), 2 (deleted), and 3 (denied)
- action=allowed for firewallEvent 1 (created), 4 (alert), and 5 (update)
- action=unknown for forwardingStatus 00
- action=forwarded for forwardingStatus 01
- action=dropped for forwardingStatus 10
- action=consumed for forwardingStatus 11
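The action mapping in footnote 4, as an added Python example that is not part of the Module's code. The two-bit values 00, 01, 10 and 11 are the two most significant bits of the one-octet forwardingStatus element (IE 89), whose remaining six bits carry a reason code, so the example decodes the octet before mapping it. The sample records are constructed; giving firewallEvent precedence when a record carries both elements, and reporting out-of-range firewallEvent values as unknown, are assumptions the description does not settle.

```python
# Mapping from footnote 4 of the Module description.
FIREWALL_EVENT_ACTION = {            # IPFIX IE 233 firewallEvent
    0: "blocked", 2: "blocked", 3: "blocked",    # ignored, deleted, denied
    1: "allowed", 4: "allowed", 5: "allowed",    # created, alert, update
}
FORWARDING_STATUS_ACTION = {         # top two bits of NFv9/IPFIX IE 89 forwardingStatus
    0b00: "unknown", 0b01: "forwarded", 0b10: "dropped", 0b11: "consumed",
}


def decode_forwarding_status(value):
    """forwardingStatus is one octet: the two most significant bits carry the
    status, the remaining six a reason code (RFC 7270). Returns (status, reason)."""
    value &= 0xFF
    return value >> 6, value & 0x3F


def action_for(record):
    """Return the action string for a decoded flow record, or None when the
    record carries neither element. Precedence of firewallEvent over
    forwardingStatus is an assumption, not stated by the Module description."""
    if "firewallEvent" in record:
        # Values outside 0-5 are not covered by the mapping; reported as unknown (assumption).
        return FIREWALL_EVENT_ACTION.get(record["firewallEvent"], "unknown")
    if "forwardingStatus" in record:
        status, _reason = decode_forwarding_status(record["forwardingStatus"])
        return FORWARDING_STATUS_ACTION[status]
    return None


# Constructed records: a firewall-denied flow, a router-forwarded flow, a drop
# carrying a non-zero reason code, and a record with neither element (e.g. NetFlow v5).
SAMPLE_RECORDS = [
    {"src_ip": "10.0.0.5", "dest_ip": "192.0.2.10", "firewallEvent": 3},
    {"src_ip": "10.0.0.5", "dest_ip": "192.0.2.10", "forwardingStatus": 0x40},
    {"src_ip": "10.0.0.9", "dest_ip": "203.0.113.4", "forwardingStatus": 0x89},
    {"src_ip": "10.0.0.9", "dest_ip": "203.0.113.4"},
]


def annotate(records):
    """Add the optional action key where it can be derived, leaving records
    without either element untouched, as the Module's output does."""
    out = []
    for r in records:
        r = dict(r)
        action = action_for(r)
        if action is not None:
            r["action"] = action
        out.append(r)
    return out


if __name__ == "__main__":
    for r in annotate(SAMPLE_RECORDS):
        print(r)
```

The reason code is discarded here because the Module's action field does not carry it, but keeping the decode separate makes it available should a downstream rule want to distinguish, say, two different drop reasons that both map to action=dropped.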