This Module reports TCP Health by detecting the hosts that issue the most TCP Resets (RST). To provide an accurate count of resets, the Module selects a definitive NetFlow exporter for each host: the exporter that sees the most TCP resets from that host.
Top hosts are defined either by the host's TCP resets as a percentage of the total number of resets reported by its definitive NetFlow exporter, or by the host's TCP resets as a percentage of the total number of the host's connections. Both thresholds are configurable; see the Parameters section below.
Both the total reset count and the host's connection count are taken from the host's definitive NetFlow exporter.
Default thresholds are:
- % of Total Resets = 10%
- % of Resets to local host connections = 50%
This means that a host and its RST count are reported if the host issued more than 10% of the resets observed by its definitive exporter, OR if its RST count exceeds 50% of all connections made by that host.
Parameters

Data Collection Interval, sec
  Description: Module logic execution interval
  Values: min = 5 sec, max = 600 sec, default = 30 sec

% of Total Resets
  Description: N - reporting threshold in percent of the total number of resets
  Values: min = 0 %, max = 100 %, default = 10 %

% of Resets to local host connections
  Description: N - reporting threshold in percent of resets to the number of host connections
  Values: min = 0 %, max = 100 %, default = 50 %
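The selection and threshold logic described above (definitive exporter per host, then the two percentage tests with the default 10% / 50% values) as an added worked example; this is illustrative code, not the Module's own implementation. It assumes flow records reduced to exporter, source host and a TCP flags bitmask, treats each flow as one connection, and counts a host's connections as seen by its definitive exporter; the sample flows are constructed.

```python
from collections import defaultdict

TCP_RST = 0x04  # RST bit in the NetFlow/IPFIX tcpControlBits field

def definitive_exporters(flows):
    """Per source host: the exporter that saw the most RSTs from it,
    with that exporter's RST count and flow (connection) count for the host."""
    rst = defaultdict(lambda: defaultdict(int))    # host -> exporter -> RST flows
    conns = defaultdict(lambda: defaultdict(int))  # host -> exporter -> all flows
    for f in flows:
        conns[f["src"]][f["exporter"]] += 1
        if f["tcp_flags"] & TCP_RST:
            rst[f["src"]][f["exporter"]] += 1
    chosen = {}
    for host, per_exp in conns.items():
        # sorted() makes tie-breaks deterministic (lowest exporter IP string wins)
        best = max(sorted(per_exp), key=lambda e: rst[host][e])
        chosen[host] = (best, rst[host][best], per_exp[best])
    return chosen

def top_reset_hosts(flows, pct_total=10.0, pct_host=50.0):
    """Hosts whose RST share exceeds either threshold (defaults 10% / 50%)."""
    chosen = definitive_exporters(flows)
    exporter_total = defaultdict(int)  # total RSTs seen by each exporter, all hosts
    for f in flows:
        if f["tcp_flags"] & TCP_RST:
            exporter_total[f["exporter"]] += 1
    report = []
    for host, (exp, rst_count, host_conns) in chosen.items():
        if rst_count == 0:
            continue
        p_total = 100.0 * rst_count / exporter_total[exp]
        p_host = 100.0 * rst_count / host_conns  # assumption: conns as seen by definitive exporter
        if p_total > pct_total or p_host > pct_host:
            report.append({"src_ip": host, "exporter": exp, "rst_count": rst_count,
                           "pct_of_total_resets": round(p_total, 1),
                           "pct_of_host_conns": round(p_host, 1)})
    return sorted(report, key=lambda r: r["rst_count"], reverse=True)

def make_flows(exporter, src, total, rst):
    """Constructed sample records: the first `rst` of `total` flows carry RST+ACK."""
    return [{"exporter": exporter, "src": src, "tcp_flags": 0x14 if i < rst else 0x18}
            for i in range(total)]

# Constructed sample: two exporters observe overlapping hosts (RFC 5737 addresses)
SAMPLE_FLOWS = (make_flows("10.0.0.1", "192.0.2.10", 30, 12) +
                make_flows("10.0.0.1", "192.0.2.20", 100, 1) +
                make_flows("10.0.0.1", "192.0.2.30", 1, 1) +
                make_flows("10.0.0.2", "192.0.2.10", 30, 4) +
                make_flows("10.0.0.2", "192.0.2.20", 10, 0))
```

On the sample, 192.0.2.10 is reported through the total-resets rule (12 of exporter 10.0.0.1's 14 resets) and 192.0.2.30 only through the host-connections rule (1 reset on its single connection), while 192.0.2.20 stays below both thresholds.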
Supported flow sources: NetFlow v5, v9, IPFIX, and Palo Alto Networks NetFlow v9. sFlow and sampled NetFlow are specifically excluded from processing by this Module. Cisco ASA NSEL is not supported by this Module because NSEL records do not carry TCP flags.
Syslog/JSON Message Fields - Hosts

- Message type identifier
- NetFlow exporter IP address
- Source host IPv4 address
- Source host IPv6 address
- Source host name (1): <string>, included when FQDN is on
- Count of Resets
- Percent of the total number of resets (seen by the definitive exporter) sent by the source host
- Percent of resets relative to the total number of the source host's connections
- Observation time interval, msec

(1) The host name field is optional and is included only if the FQDN Service is enabled.