Skip to main content
Version: 2.9.1

Top Pairs Monitor (10064 / 20064)

Descriptionโ€‹

This Module reports top Host Pairs network conversations. In contrast to Module 10067 which reports consolidated unidirectional flows, this Module stitches client-server request-response flows, reporting bytes and packets server-to-client and client-to-server in separate fields.

Server destination port: Source port of client hosts is not reported, and ignored while consolidating client-server communications. Destination port of server hosts is reported. The Module determines which host is a client and which is a server as follows: a server sends more traffic (bytes) than a client. This logic can be overridden by specifying the list in โ€œList of known server destination port numbersโ€ parameter.

Deduplication: optionally the Module can report host pairs only from authoritative router/switch. Authoritative network device is determined as follows. The Module sums up bytes, packets, and connections between two hosts over data collection interval (parameter, default = 30 sec), reported by each flow exporter. An exporter with most connections (flows) for each host pair is considered authoritative, and host pair conversations reported by all other exporters are discarded.

Parametersโ€‹

Parameter NameDescriptionComments
Data Collection Interval, secModule logic execution intervalmin = 5 sec, max = 600 sec, default = 30 sec
N - number of reported host pairsThe number of top host pairs reported per NetFlow exportermin = 0, max = 100000, default = 50, (0 indicates all hosts are reported)
List of known server destination port numbersList of server destination ports to be used to determine which host is a client and which is a server. If the list is empty, the server is the one with a smaller port numbere.g. 53, 80, 443
Enable(1) or disable (0) reporting flow denied eventsIf set to 1, enable reporting firewall denied flows. If set to 0, firewall denied flows are not reporteddefault = 1
Enable(1) or disable (0) reporting by server portIf set to 1, enable traffic reporting by destination port. If set to 0, dest_port field will be omitteddefault = 1
Enable(1) or disable (0) reporting by authoritative exporters onlyIf set to 1, the Module reports host pairs only from authoritative exportersdefault = 0
Enable(1) or disable (0) multiplying by sampling rateIf set to 1, when *flow is sampled (e.g. sFlow, sampled NetFlow/IPFIX), the sampling rate is used to multiply bytes and packets to report total traffic as statistical approximationdefault = 0
Default sampler rateIf sampling information is not available, use this rate to multiply bytes and packets to report total traffic as statistical approximationdefault = 1

Inputโ€‹

NetFlow v5, v9, IPFIX, Cisco ASA NSEL, Palo Alto Networks NetFlow v9, sFlow.

Required NetFlow fieldsโ€‹

Information Element (IE)IE idIE size, BDescription
IPv4
sourceIPv4Address84The IPv4 source address in the IP packet header
destinationIPv4Address124The IPv4 destination address in the IP packet header
IPv6
sourceIPv6Address2716The IPv6 source address in the IP packet header
destinationIPv6Address2816The IPv6 destination address in the IP packet header

Syslog/JSON Message Fieldsโ€‹

KeyField DescriptionComments
nfc_idMessage type identifier"nfc_id=20064"
exp_ipNetFlow exporter IPv4 addressIPv4 address
protocol 1Transport Protocol (TCP = 6, UDP = 17)number
dest_ipServer IP addressIPv4 address
dest_ip6Server IPv6 addressIPv6 address
dest_host 2Server host namestring, included when FQDN is on
dest_port 3Server port numbernumber
src_ipClient IP addressIPv4 address
src_ip6Client IPv6 addressIPv6 address
src_host 2Client host namestring, included when FQDN is on
packets_inPackets from client to servernumber
bytes_inLayer 3 bytes from client to servernumber
packets_outPackets from server to clientnumber
bytes_outLayer 3 bytes from server to clientnumber
bytesLayer 3 bytes in both directionsnumber
flow_countNumber of flowsnumber
action 4Flow actionstring, The action is determined from IPFIX element 233 - firewallEvent and NFv9 / IPFIX element 89 - forwardingStatus
percent_of_totalPercent of Total (bytes) (Client + Server)decimal, e.g. 25.444% is 25.444
[flow_smpl_id]Flow Sampler IDnumber
t_intObservation time interval, msecnumber

1 Protocol field is optional. It is reported only if there is a corresponding field in NetFlow.
2 Host name field is optional and included only if FQDN Service is enabled
3 Server destination port is optional
4 Action is reported as follows:

  • action=blocked for firewallEvent 0 (ignored), 2 (deleted), and 3 (denied)
  • action=allowed for firewallEvent 1 (created), 4 (alert), and 5 (update)
  • action=unknown for forwardingStatus 00
  • action=forwarded for forwardingStatus 01
  • action=dropped for forwardingStatus 10
  • action=consumed for forwardingStatus 11