NFO 2.8.1
TCP Health Monitor (10060 / 20060)

Description

This Module reports TCP Health by detecting the hosts that issue the most TCP Resets (RST). In order to provide an accurate count of resets, the Module selects a definitive NetFlow exporter for each host: the exporter that sees the most TCP resets from that host.
Top hosts are defined either by the percent of a host's TCP resets relative to the total number of resets reported by its definitive NetFlow exporter, or by the percent of TCP resets relative to the total number of the host's connections. Both counts are taken from the host's definitive NetFlow exporter. These thresholds are configurable - see the Parameters section below.
Default thresholds are:
  1. % of Total Resets = 10%
  2. % of Resets to local host connections = 50%
This means that the host and its RST count will be reported if it issued over 10% of the resets observed by its definitive exporter OR if its number of RSTs is over 50% of all connections made by the host.

Parameters

| Parameter Name | Description | Comments |
|---|---|---|
| Data Collection Interval, sec | Module logic execution interval | min = 5 sec, max = 600 sec, default = 30 sec |
| N - reporting threshold in percent of total resets number | % of Total Resets | min = 0 %, max = 100 %, default = 10 % |
| N - reporting threshold in percent of resets to the number of host connections | % of Resets to local host connections | min = 0 %, max = 100 %, default = 50 % |

Input

NetFlow v5, v9, IPFIX, and Palo Alto Networks NetFlow v9. sFlow and sampled NetFlow are specifically excluded from processing by this Module. Cisco ASA NSEL is not supported by this Module because NSEL records do not carry TCP flags.

Syslog/JSON Message Fields - Hosts

| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | "nfc_id=20060" |
| exp_ip | NetFlow exporter IP address | <IPv4 address> |
| src_ip | Source host IPv4 address | <IPv4 address> |
| src_ip6 | Source host IPv6 address | <IPv6 address> |
| src_host (1) | Source host name | <string>, included when FQDN is on |
| reset_count | Count of Resets | <number> |
| total_share | Percent of the total number of resets sent by source host | <number> |
| local_share | Percent of the resets to the total number of the source host connections | <number> |
| t_int | Observation time interval, msec | <number> |

(1) Host name field is optional and included only if FQDN Service is enabled.
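The following Python is an added worked example, not NFO code, of the threshold logic described above and of the message fields it produces: it picks a definitive exporter per host, applies the two default thresholds, and emits one record per reported host using the keys from the table. It assumes a constructed list of flow records (exporter IP, source IP, TCP flags) and counts each flow as one connection.

```python
from collections import defaultdict

RST = 0x04  # TCP RST bit in the NetFlow tcp_flags field

def flows(exp, src, resets, others):
    """Build constructed flow records: `resets` RST|ACK flows and `others` SYN|ACK flows."""
    return [(exp, src, RST | 0x10)] * resets + [(exp, src, 0x12)] * others

# Constructed sample: two exporters, four hosts (not captured data)
SAMPLE_FLOWS = (flows("10.0.0.1", "192.168.1.10", 3, 1)    # seen by both exporters
                + flows("10.0.0.2", "192.168.1.10", 1, 1)
                + flows("10.0.0.1", "192.168.1.20", 1, 19)  # few resets, many connections
                + flows("10.0.0.1", "192.168.1.40", 8, 0)   # every connection reset
                + flows("10.0.0.2", "192.168.1.30", 0, 5))  # no resets at all

def build_report(flow_records, total_pct=10.0, local_pct=50.0, t_int=30000):
    """Return nfc_id=20060 style records for hosts over either threshold."""
    exp_resets = defaultdict(int)                   # exporter -> resets it observed
    host_stats = defaultdict(lambda: [0, 0])        # (exporter, host) -> [resets, conns]
    for exp, src, flags in flow_records:
        host_stats[(exp, src)][1] += 1
        if flags & RST:
            host_stats[(exp, src)][0] += 1
            exp_resets[exp] += 1
    # Definitive exporter: the one that sees the most resets for each host
    definitive = {}
    for (exp, host), (resets, _) in host_stats.items():
        if host not in definitive or resets > host_stats[(definitive[host], host)][0]:
            definitive[host] = exp
    messages = []
    for host, exp in definitive.items():
        resets, conns = host_stats[(exp, host)]
        if resets == 0:
            continue
        total_share = 100.0 * resets / exp_resets[exp]   # share of exporter's resets
        local_share = 100.0 * resets / conns             # share of host's connections
        if total_share > total_pct or local_share > local_pct:
            messages.append({"nfc_id": 20060, "exp_ip": exp, "src_ip": host,
                             "reset_count": resets, "total_share": round(total_share, 1),
                             "local_share": round(local_share, 1), "t_int": t_int})
    return messages

if __name__ == "__main__":
    for msg in build_report(SAMPLE_FLOWS):
        print(" ".join(f"{k}={v}" for k, v in msg.items()))
```

With the sample data, 192.168.1.10 is reported through exporter 10.0.0.1 (3 of 12 resets, 75% of its connections) and 192.168.1.40 through the same exporter (8 of 12 resets, 100% of its connections); 192.168.1.20 stays under both thresholds.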