NFO 2.8.1
Network Subnets Monitor (10011 / 20011)

Description

This Module reports top bandwidth consumers for each monitored subnet. This information is provided per NetFlow exporter and monitored subnet.

Parameters

| Parameter Name | Description | Comments |
| --- | --- | --- |
| Data Collection Interval, sec | Module logic execution interval | min = 10 sec, max = 600 sec, default = 30 sec |
| Monitored subnet IPv4 address and subnet mask | List of the watched subnets’ IPv4 addresses and masks (CIDR notation) | e.g. 67.202.0.0,18; 72.44.32.0,24 |
| Monitored subnet IPv6 address and subnet mask | List of the watched subnets’ IPv6 addresses and masks (CIDR notation) | e.g. 2620:0:2d0:200::7,24 |
| N – number of reported hosts | Top N (number of reported hosts per subnet) | min = 0, max = 100000, default = 50 (0 indicates all hosts are reported) |

Input

NetFlow v5, v9, IPFIX, Cisco ASA NSEL, sFlow.

Required NetFlow Fields

| Information Element (IE) | IE id | IE size, B | Description |
| --- | --- | --- | --- |
| sourceIPv4Address or sourceIPv6Address | 8 or 27 | 4 or 16 | The IPv4 or IPv6 source address in the IP packet header |
| destinationIPv4Address or destinationIPv6Address | 12 or 28 | 4 or 16 | The IPv4 or IPv6 destination address in the IP packet header |
| protocolIdentifier | 4 | 1 | The value of the protocol number in the IP packet header. The protocol number identifies the IP packet payload type. Protocol numbers are defined in the IANA Protocol Numbers registry. |

Syslog/JSON Message Fields

| Key | Field Description | Comments |
| --- | --- | --- |
| nfc_id | Message type identifier | nfc_id=20011 |
| exp_ip | NetFlow exporter IP address | <IPv4 address> |
| subnet | Subnet IPv4 | <IPv4 address> |
| subnet | Subnet IPv6 | <IPv6 address> |
| mask | Mask | <number> |
| src_ip | Source host IPv4 address | <IPv4 address> |
| src_ip6 | Source host IPv6 address | <IPv6 address> |
| protocol | Transport Protocol (TCP = 6, UDP = 17) | <number> |
| bytes_out | Bytes Out (Traffic) | <number> |
| bytes_in | Bytes In (Traffic) | <number> |
| packets_out | Packets Out count | <number> |
| packets_in | Packets In count | <number> |
| flow_count | Number of flows | <number> |
| percent_of_total | Percent of Total Traffic of the Source Host within Subnet | <decimal>, e.g. 25.444% is 25.444 |
| t_int | Observation time interval, msec | <number> |