Top VM Traffic Monitor (10167 / 20167)

Description

This Module identifies VMs with the most traffic. Over a period of time (Data Collection Interval), it consolidates the NetFlow records that share the same combination of the following fields:
    Source IP address
    Destination IP address
    Source port number
    Destination port number
    Layer 3 protocol
    Input interface
    Output interface
    VxLAN ID
    Source VM IPv4 address
    Destination VM IPv4 address
    Source VM port number
    Destination VM port number
    VM protocol
    VM ingress interface SNMP index
    VM egress interface SNMP index
This information is provided per NetFlow exporter.

Parameters

| Parameter Name | Description | Comments |
| --- | --- | --- |
| Data Collection Interval, sec | Module logic execution interval | min = 5 sec, max = 600 sec, default = 30 sec |
| N – number of reported hosts | The number of top hosts reported per NetFlow exporter | min = 0, max = 100000, default = 50 (0 indicates all hosts are reported) |

Input

VMware IPv4 VXLAN Template.

Syslog/JSON Message Fields

| Key | Field Description | Comments |
| --- | --- | --- |
| nfc_id | Message type identifier | “nfc_id=200167” |
| exp_ip | NetFlow exporter IP address | <IPv4_address> |
| vxlanId | VxLAN ID | <number> |
| sourceIPv4Address | Source host IPv4 address | <IPv4_address> |
| destinationIPv4Address | Destination host IPv4 address | <IPv4_address> |
| octetDeltaCount | Total number of Layer 3 bytes in the packets of the flow received by the input interface | <number> |
| packetDeltaCount | Packets in the flow received by the input interface | <number> |
| sourceTransportPort | Source host port number | <number> |
| destinationTransportPort | Destination host port number | <number> |
| ingressInterface | Exporter ingress interface SNMP index | <number> |
| egressInterface | Exporter egress interface SNMP index | <number> |
| protocolIdentifier | Transport Protocol (TCP = 6, UDP = 17) | <number> |
| tcpFlags | Cumulative OR of TCP flags | <string>, e.g. “SYN,ACK,FIN” |
| IPv4TOS | IP type of service (ToS) | <number> |
| tenantSourceIPv4 | Source VM IPv4 address | <IPv4_address> |
| tenantDestIPv4 | Destination VM IPv4 address | <IPv4_address> |
| tenantSourcePort | Source VM port number | <number> |
| tenantDestPort | Destination VM port number | <number> |
| tenantProtocol | VM protocol | <number> |
| vm_adjacency | VM adjacency indicator. If equal to “Y”, the VMs reside on the same host. | <string> “Y” or “N” |
| flow_count | Number of Flows | <number> |
| percent_of_total | Percent of Total (bytes) VXLAN traffic | <decimal> |
| t_int | Observation time interval, msec | <number> |
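
The consolidation described above can be sketched as follows. This is an added example, not the Module's own code. It assumes that ranking is by byte count, that percent_of_total is computed per exporter, and that input records are dicts keyed by the field names in the table above; `tenantIngressInterface` and `tenantEgressInterface` are hypothetical names for the two VM interface indexes, and the sample records are constructed.

```python
from collections import defaultdict

# The 15 fields whose combination defines one consolidated flow.
# The last two names are hypothetical: the page gives no key for them.
KEY_FIELDS = (
    "sourceIPv4Address", "destinationIPv4Address", "sourceTransportPort",
    "destinationTransportPort", "protocolIdentifier", "ingressInterface",
    "egressInterface", "vxlanId", "tenantSourceIPv4", "tenantDestIPv4",
    "tenantSourcePort", "tenantDestPort", "tenantProtocol",
    "tenantIngressInterface", "tenantEgressInterface",
)

def top_vm_traffic(records, n=50):
    """Consolidate one Data Collection Interval of records and return the
    top-n consolidated flows per exporter; n=0 reports all of them."""
    per_exporter = defaultdict(lambda: defaultdict(lambda: [0, 0, 0]))
    for r in records:
        key = tuple(r.get(f) for f in KEY_FIELDS)
        agg = per_exporter[r["exp_ip"]][key]
        agg[0] += r["octetDeltaCount"]    # bytes
        agg[1] += r["packetDeltaCount"]   # packets
        agg[2] += 1                       # becomes flow_count
    report = {}
    for exp_ip, flows in per_exporter.items():
        # Total covers every flow of this exporter, not only the reported top n.
        total = sum(a[0] for a in flows.values())
        ranked = sorted(flows.items(), key=lambda kv: kv[1][0], reverse=True)
        rows = []
        for key, (octets, packets, count) in ranked[: n or None]:
            row = dict(zip(KEY_FIELDS, key))
            pct = round(100.0 * octets / total, 2) if total else 0.0
            row.update(exp_ip=exp_ip, octetDeltaCount=octets,
                       packetDeltaCount=packets, flow_count=count,
                       percent_of_total=pct)
            rows.append(row)
        report[exp_ip] = rows
    return report

def _flow(exp, src_vm, dst_vm, dport, octets, packets):
    # Constructed sample record; outer addresses are RFC 5737 documentation IPs.
    return {"exp_ip": exp, "vxlanId": 5001, "sourceIPv4Address": "192.0.2.10",
            "destinationIPv4Address": "192.0.2.20", "tenantSourceIPv4": src_vm,
            "tenantDestIPv4": dst_vm, "tenantDestPort": dport, "tenantProtocol": 6,
            "octetDeltaCount": octets, "packetDeltaCount": packets}

SAMPLE = [
    _flow("198.51.100.1", "10.0.0.5", "10.0.0.9", 443, 6000, 10),
    _flow("198.51.100.1", "10.0.0.5", "10.0.0.9", 443, 2000, 4),
    _flow("198.51.100.1", "10.0.0.7", "10.0.0.9", 22, 2000, 3),
    _flow("198.51.100.2", "10.0.1.3", "10.0.1.4", 53, 500, 5),
]
```

With `n=1`, the first exporter reports a single row whose percent_of_total is still measured against all of that exporter's traffic, so a small N hides flows without changing the percentages of the ones shown.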