Top Bandwidth Consumers for NSX Distributed Firewall (10118 / 20118)

Description

This Module utilizes Distributed Firewall data and provides a list of top network bandwidth consumers operating on the internal network. Top bandwidth consumers are reported by ESXi Host and by Destination Port over a time interval T. Only TCP/IP and UDP traffic is accounted for. The number of reported top consumers (N) and the observation interval (T, sec) are configurable.
This information is provided per ESXi Host (NetFlow exporter).

Parameters

| Parameter Name | Description | Comments |
| --- | --- | --- |
| Data Collection Interval, sec | Module logic execution interval | min = 10 sec, max = 600 sec, default = 30 sec |
| Application protocol (l4_dst_port) list | List of watched layer 4 destination ports. If specified, the traffic is reported by specified ports, and all other traffic is summed up under dest_port=0. If the list is empty, the traffic is reported by all actual destination ports. | e.g. 80, 443 |
| N – number of reported VMs | Top N (number of reported destinations) | min = 0, max = 100000, default = 50 (0 indicates all VMs are reported) |
| Enable (1) or disable (0) reporting by destination port | If set to 1, enable network traffic monitoring by destination port. If set to 0, report total network traffic as destination port 0 (dest_port=0) | default = 0 |
| Enable (1) or disable (0) reporting VM MoRef | If set to 1, enable reporting VM MoRef. If set to 0, src_vm_id field will be omitted | default = 0 |
| Enable (1) or disable (0) reporting VM UUID | If set to 1, enable reporting VM UUID. If set to 0, src_vm_uuid field will be omitted | default = 0 |
| Enable (1) or disable (0) reporting VM vCenter UUID | If set to 1, enable reporting VM vCenter UUID. If set to 0, src_vm_vc_id field will be omitted | default = 0 |
| Enable (1) or disable (0) reporting VM vNIC key | If set to 1, enable reporting VM vNIC key. If set to 0, src_vm_vnic_key field will be omitted | default = 0 |
| Enable (1) or disable (0) reporting Distributed Switch port group name | If set to 1, enable reporting Distributed Switch port group name. If set to 0, src_pg_name field will be omitted | default = 0 |
| List of vCenter VMs | List of records {ESXi VM MAC address, VM IPv4 address, VM IPv6 address, VDS Port ID, vNIC key, Port Group name, VM name, VM MoRef, VM instance UUID, vCenter UUID} | This watch list is populated by External Data Feeder for NFO Agent by connecting to one or several vCenters |

Inputs

IPFIX from NSX Distributed Firewall.

Syslog/JSON Message Fields

| Key | Field Description | Comments |
| --- | --- | --- |
| nfc_id | Message type identifier | “nfc_id=20118” |
| exp_ip | NetFlow exporter IPv4 address | <IPv4_address> |
| src_ip | Source VM IPv4 address | <IPv4_address> |
| src_ip6 | Source VM IPv6 address | <IPv6_address> |
| [src_host] | Source host name | <string>, included when FQDN is on |
| [src_vm_name] | Source VM name | <string>, included when source IP is a known VM |
| [src_vm_id] | Source VM MoRef | <string>, included when source IP is a known VM and ‘reporting VM MoRef’ parameter is enabled |
| [src_vm_uuid] | Source VM UUID | <string>, included when source IP is a known VM and ‘reporting VM UUID’ parameter is enabled |
| [src_vm_vc_id] | Source VM vCenter UUID | <string>, included when source IP is a known VM and ‘reporting VM vCenter UUID’ parameter is enabled |
| [src_vm_vnic_key] | Source VM vNIC key | <number>, included when source IP is a known VM and ‘reporting VM vNIC key’ parameter is enabled |
| [src_pg_name] | Source VM Port Group name | <string>, included when source IP is a known VM and ‘reporting Distributed Switch port group name’ parameter is enabled |
| dest_port | Destination port number (e.g. 80 for http) | <number> |
| created_count | Created flows count | <number> |
| denied_count | Denied flows count | <number> |
| bytes | Bytes total (Traffic) | <number> |
| percent_of_total | Percent of Total (Traffic) | <decimal>, e.g. 25.444% is 25.444 |
| t_int | Observation time interval, msec | <number> |
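
The following is an added example, not code from the product or its documentation: a small consumer that parses the fields listed above, derives a bit rate from `bytes` and `t_int` (milliseconds), and flags sources with a large traffic share or many denied flows. The space-separated key=value layout with quoted strings, the thresholds, the function names and the sample messages are all assumptions made for illustration.

```python
import shlex

# Field names are from the table above; the key=value layout, the thresholds
# and the SAMPLE lines are assumptions constructed for this example.
INT_FIELDS = ("dest_port", "created_count", "denied_count", "bytes", "t_int")
REQUIRED = INT_FIELDS + ("exp_ip", "percent_of_total")

def parse_record(line):
    """Return a typed dict for an nfc_id=20118 message, else None."""
    rec = dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)
    if rec.get("nfc_id") != "20118":
        return None
    missing = [k for k in REQUIRED if k not in rec]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    for k in INT_FIELDS:
        rec[k] = int(rec[k])
    rec["percent_of_total"] = float(rec["percent_of_total"])  # 25.444 = 25.444%
    # t_int is in milliseconds, so scale to bits per second.
    rec["bps"] = rec["bytes"] * 8 * 1000 / rec["t_int"] if rec["t_int"] else 0.0
    return rec

def review(lines, max_share=40.0, max_denied=100):
    """Return (source, dest_port, reason) tuples for records worth a look."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        # src_vm_name is optional; fall back to the address fields.
        src = rec.get("src_vm_name") or rec.get("src_ip") or rec.get("src_ip6")
        if rec["percent_of_total"] >= max_share:
            findings.append((src, rec["dest_port"], "high traffic share"))
        if rec["denied_count"] >= max_denied:
            findings.append((src, rec["dest_port"], "many denied flows"))
    return findings

SAMPLE = [  # constructed messages, not captured output
    'nfc_id=20118 exp_ip=192.0.2.10 src_ip=10.0.0.5 src_vm_name="web 01" '
    'dest_port=443 created_count=120 denied_count=0 bytes=6000000 '
    'percent_of_total=60.0 t_int=30000',
    'nfc_id=20118 exp_ip=192.0.2.10 src_ip=10.0.0.9 dest_port=0 '
    'created_count=4 denied_count=250 bytes=400000 percent_of_total=4.0 '
    't_int=30000',
    'nfc_id=99999 exp_ip=192.0.2.10 bytes=1',  # other message type: skipped
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

A record with `dest_port=0` is the aggregate bucket described in the parameters, so a finding on port 0 points at a source rather than at a specific service.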