NFO 2.8.1
Top Traffic Monitor (10067 / 20067)

Description

This Module identifies hosts with the most traffic. It consolidates NetFlow records over a period of time (Data Collection Interval) which all have the same combination of the following fields:
    Source IP address
    Destination IP address
    Source port number
    Destination port number
    Layer 3 protocol
    Input interface
    Output interface
This information is provided per NetFlow exporter.
Deduplication: optionally, the Module can report consolidated flows only from the authoritative router/switch. The authoritative network device is determined as follows: the Module sums up bytes, packets, and connections between two hosts over the Data Collection Interval (parameter, default = 30 sec), as reported by each flow exporter. For each consolidated flow, the exporter that reported the most connections (flows) is considered authoritative, and flows reported by all other exporters are discarded.
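The consolidation and deduplication logic described above, as an added illustration that is not NFO's own code: records are summed per exporter and 7-tuple over one interval, the exporter with the most flows for a host pair is taken as authoritative, and hosts are ranked per exporter with percent_of_total. The exporter addresses, flow records and sampler rates are constructed sample data; the client-port and sampling-rate parameters from the table below are modelled as function arguments.

```python
from collections import defaultdict

# Constructed sample records (not real NFO data). Each tuple is one NetFlow record:
# (exporter_ip, src_ip, dst_ip, src_port, dst_port, proto, in_if, out_if, bytes, packets, sampler_rate)
# Two exporters (10.0.0.1 and 10.0.0.2) see the same conversations; sampler_rate 0 means "unknown".
SAMPLE_FLOWS = [
    ("10.0.0.1", "192.168.1.10", "10.1.1.5", 51000, 443, 6, 1, 2, 1500, 10, 1),
    ("10.0.0.1", "192.168.1.10", "10.1.1.5", 51000, 443, 6, 1, 2, 2500, 20, 1),
    ("10.0.0.2", "192.168.1.10", "10.1.1.5", 51000, 443, 6, 3, 4, 4000, 30, 1),
    ("10.0.0.1", "192.168.1.11", "10.1.1.5", 52000, 443, 6, 1, 2, 800, 5, 1),
    ("10.0.0.2", "192.168.1.11", "10.1.1.5", 52000, 443, 6, 3, 4, 600, 4, 1),
    ("10.0.0.2", "192.168.1.11", "10.1.1.5", 52000, 443, 6, 3, 4, 700, 4, 0),
]

def consolidate(flows, report_client_port=True, multiply_by_sampling=False, default_rate=1):
    """Sum bytes, packets and flow count per exporter and per 7-tuple for one interval."""
    agg = defaultdict(lambda: {"bytes": 0, "packets": 0, "flows": 0})
    for exp, sip, dip, sport, dport, proto, iif, oif, nbytes, npkts, rate in flows:
        sport = sport if report_client_port else 0  # client port reported as 0 when disabled
        factor = (rate or default_rate) if multiply_by_sampling else 1  # default rate if unknown
        key = (exp, sip, dip, sport, dport, proto, iif, oif)
        agg[key]["bytes"] += nbytes * factor
        agg[key]["packets"] += npkts * factor
        agg[key]["flows"] += 1
    return dict(agg)

def authoritative_only(agg):
    """Deduplication: keep each host pair only from the exporter that reported the most flows for it."""
    flows_per_pair = defaultdict(lambda: defaultdict(int))
    for (exp, sip, dip, *_), v in agg.items():
        flows_per_pair[(sip, dip)][exp] += v["flows"]
    winner = {pair: max(c, key=c.get) for pair, c in flows_per_pair.items()}
    return {k: v for k, v in agg.items() if winner[(k[1], k[2])] == k[0]}

def top_hosts(agg, n=50):
    """Rank source hosts per exporter by bytes with percent_of_total; n=0 reports all hosts."""
    per_exp = defaultdict(lambda: defaultdict(int))
    for (exp, sip, *_), v in agg.items():
        per_exp[exp][sip] += v["bytes"]
    report = {}
    for exp, hosts in per_exp.items():
        total = sum(hosts.values())
        ranked = sorted(hosts.items(), key=lambda kv: kv[1], reverse=True)
        report[exp] = [(h, b, round(100.0 * b / total, 3)) for h, b in (ranked[:n] if n else ranked)]
    return report

if __name__ == "__main__":
    for exp, hosts in top_hosts(authoritative_only(consolidate(SAMPLE_FLOWS))).items():
        print(exp, hosts)
```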

Parameters

Parameter Name | Description | Comments
Data Collection Interval, sec | Module logic execution interval | min = 5 sec, max = 600 sec, default = 30 sec
N – number of reported hosts | The number of top hosts reported per NetFlow exporter | min = 0, max = 100000, default = 50 (0 indicates all hosts are reported)
Enable (1) or disable (0) reporting flow denied events | If set to 1, firewall denied flows are reported. If set to 0, firewall denied flows are not reported | default = 1
Enable (1) or disable (0) reporting by authoritative exporters only | If set to 1 (deduplication enabled), the Module reports flows only from authoritative exporters | default = 0
Enable (1) or disable (0) reporting client port | If set to 1, the ephemeral client port number is reported. If set to 0, the client port number is not taken into account for consolidation and is reported as 0 | default = 1
Enable (1) or disable (0) multiplying by sampling rate | If set to 1, when the flow is sampled (e.g. sFlow, sampled NetFlow/IPFIX), the sampling rate is used to multiply bytes and packets so that total traffic is reported as a statistical approximation | default = 0
Default sampler rate | If sampling information is not available, this rate is used to multiply bytes and packets so that total traffic is reported as a statistical approximation | default = 1

Input

NetFlow v5, v9, IPFIX, Cisco ASA NSEL, Palo Alto Networks NetFlow v9, sFlow.

Required NetFlow fields

Information Element (IE) | IE id | IE size, B | Description
IPv4 | | |
sourceIPv4Address | 8 | 4 | The IPv4 source address in the IP packet header
destinationIPv4Address | 12 | 4 | The IPv4 destination address in the IP packet header
IPv6 | | |
sourceIPv6Address | 27 | 16 | The IPv6 source address in the IP packet header
destinationIPv6Address | 28 | 16 | The IPv6 destination address in the IP packet header

Syslog/JSON Message Fields

Key | Description | Comments
nfc_id | Message type identifier | “nfc_id=20067”
exp_ip | NetFlow exporter IP address | <IPv4 address>
input_snmp | NetFlow exporter ingress interface SNMP index | <number>
output_snmp | NetFlow exporter egress interface SNMP index | <number>
[protocol] (1)(2) | Transport Protocol (TCP = 6, UDP = 17) | <number>
src_ip | Source host IPv4 address | <IPv4 address>
src_ip6 | Source host IPv6 address | <IPv6 address>
[src_host] (3) | Source host name | <string>, included when FQDN is on
src_port | Source port number | <number>
dest_ip | Destination host IPv4 address | <IPv4 address>
dest_ip6 | Destination host IPv6 address | <IPv6 address>
[dest_host] (3) | Destination host name | <string>, included when FQDN is on
dest_port | Destination port number | <number>
[interface-id] | Interface ID for AWS VPC Flow Logs | <string>
tcp_flag | Cumulative OR of TCP flags | <string>, e.g. “SYN,ACK,FIN”
packets_in | Packets in the flow received by the input interface | <number>
bytes_in | Total number of Layer 3 bytes in the packets of the flow received by the input interface | <number>
src_tos | Inbound IP type of service | <number>
dest_tos | Outbound IP type of service | <number>
src_asn | Source AS | <number>
dest_asn | Destination AS | <number>
flow_count | Number of flows | <number>
percent_of_total | Percent of total (bytes) | <decimal>, e.g. 25.444% is reported as 25.444
[flow_smpl_id] | Flow sampler ID | <number>
t_int | Observation time interval, msec | <number>

(1) Optional message fields are enclosed in square brackets.
(2) The protocol field is optional. It is reported only if there is a corresponding field in NetFlow.
(3) The host name fields are optional and included only if the FQDN Service is enabled.