Network Conversations Monitor (10062)
The Network Conversations Monitor is the primary foundational module for modern network observability within NFO. It is designed to transform high-volume, fragmented flow records into structured, enriched "conversations." This module is the recommended starting point for all new deployments, especially those requiring deep security forensics, user attribution, and cloud visibility.
Functionality
This module performs sophisticated analysis on raw telemetry to provide a complete picture of network interactions:
- Conversation Stitching (Bidirectional): Unlike traditional collectors that report two separate records for a single exchange, this module "stitches" forward and reverse flows into a single bidirectional event. It reports
bytes_in/bytes_outandpackets_in/packets_outfields, providing an immediate view of the symmetry and health of a connection. - Intelligent Consolidation: It aggregates flow records that share the same 5-tuple (Source/Dest IP, Source/Dest Port, Protocol) over a Data Collection Interval (DCI). This significantly reduces the volume of data sent to your SIEM while preserving the essential details of the interaction.
- State Tracking: The module tracks the lifecycle of every conversation:
- B (Begin): A new conversation is detected.
- C (Continuing): An ongoing conversation that spans multiple collection intervals.
- E (End): A conversation that has timed out or completed.
- Authoritative Deduplication: In complex networks where multiple routers see the same packet, NFO identifies the "authoritative" exporter and discards redundant records to prevent inflated traffic statistics.
- Conversation Duration: Network Conversation duration is calculated as a difference between the earliest
flow_start_timeof a conversation when its state=Band the latestflow_end_timefor state =CorE. - Traffic Directionality: By defining local subnets, the module automatically labels traffic as
inbound,outbound,internal, orunknown.
Supported Inputs
The Network Conversations Monitor is protocol-agnostic and normalizes a wide array of telemetry sources into a unified schema:
- Standard Protocols: NetFlow (v5, v9), IPFIX, and sFlow.
- Cloud Flow Logs: AWS VPC, Microsoft Azure NSG and VNet, Oracle Cloud (OCI), and Google Cloud (GCP) Flow Logs.
- Application Delivery: Cisco AVC, Palo Alto Networks App-ID Technology, Fortinet App Identification, Citrix AppFlow.
Flow Enrichment
The Network Conversations Monitor is where all EDFN-based enrichment is applied. It is the only module that uses EDFN-provided data sets to enrich flow records. Enriched fields will only appear in its output. It enriches raw flows with the following contextual metadata:
- User Identity: Maps IP addresses to Active Directory, Okta, or Azure Entra ID usernames, allowing you to see who is responsible for specific traffic.
- Cyber Threat Intelligence: Correlates source and destination IPs against real-time reputation lists (e.g., Botnets, C2 servers). Malicious communications are always reported, even if they fall outside of "Top N" traffic thresholds.
- GeoIP & ASN: Resolves IP addresses to geographic locations, country codes, cities, coordinates, and Autonomous System Numbers.
- Reverse DNS: Resolves IP addresses to hostnames using your existing DNS infrastructure.
- Application Context: Identifies the specific application (e.g., Office 365, Facebook, SSH) using device-reported DPI data and configurable lookup lists. See Application Enrichment for the full resolution logic.
- Cloud & Virtualization Metadata: Adds cloud service, region, VM names, and VPC/VNet context for AWS, Azure, GCP, OCI, and VMware environments.
- Cisco ACI: Maps flows to ACI Bridge Domain and tenant context for visibility into ACI fabric traffic.
For configuration details on each enrichment type, see Data Enrichment.
Configuration Parameters
To tune the module, click on 10062: Network Conversation Monitor in the NFO Web UI.
Core Logic Parameters
| Parameter Name | Description | Comments |
|---|---|---|
| Top N per exporter (0 for all traffic) | Top N Reported Hosts per NetFlow Exporter (set to 0 to report all flows). NOTE: Conversations with malicious hosts are reported regardless of whether they are in Top N by traffic volume or not! | min = 0, max = 100000, default = 50 |
| Session report timeout, sec | Inactivity threshold to determine when a conversation has ended. When reached, an event is reported with state="E". | default - 60s (Min: 0, Max: 600). Should exceed device inactive timeout. Set to 0 to disable duration/state tracking for maximum performance. |
| Report inactive sessions | If set to 1, report inactive session with 0 bytes/packets, even if there were no flows during DCI. If set to 0, inactive sessions are not reported. | default - 0 |
| Report long flows with cumulative bytes and packets | If set to 1, cumulative bytes and packets are reported for long sessions. If set to 0, incremental bytes and packets are reported for long flows (state = "C"). | default - 0 |
| Enable (1) or disable (0) deduplication | If set to 1 (de-duplication enabled), the Module reports flows only from authoritative exporters. | default - 0 |
| Enable (1) or disable (0) multiplying by sampling rate | If set to 1, when a flow is sampled (e.g. sFlow, sampled NetFlow/IPFIX), the sampling rate is used to multiply bytes and packets to report total traffic as a statistical approximation. | default - 0 |
| Default sampler rate | If sampling information is not available, use this rate to multiply bytes and packets to report total traffic as a statistical approximation. | default - 1 |
| Enable (1) or disable (0) reporting bidirectional conversations | If set to 1, stitch client-server flows reporting bytes_in and bytes_out, packets_in and packets_out in one consolidated message. | default - 0 |
| Enable (1) or disable (0) reporting client port | If set to 1, the ephemeral client port number is reported. If set to 0, client port number is not taken into account for consolidation, and reported as 0. To preserve client ports for specific destination ports, refer to the TIP below the table. | default - 1 |
| Enable (1) or disable (0) reporting flow denied events | If set to 1, denied or rejected flows are reported. If set to 0, only allowed or accepted flows are reported. | default - 1 |
| Enable (1) or disable (0) generating end of conversation events | If set to 1, events at the end of conversations (state=E) are created and reported. If set to 0, events with state=E are not reported. | default - 0 |
| Enable (1) or disable (0) SNMP enrichment | If set to 1, the Module will call SNMP service to enrich flow data with sysName and interface names. If set to 0, SNMP service is not called. | default - 1 |
| Enable (1) or disable (0) NetFlow timestamp correction | If set to 1, the Module will correct out of sequence flow_start_time and flow_end_time, which can occur due to a bug in the NetFlow implementation on certain devices. | default - 0 |
| Enable (1) or disable (0) data quality filter | If set to 1, the module drops malformed records, including 0.0.0.0/8 IPs (except DHCP requests), invalid byte/packet counts, and flow_start_time / flow_end_time that fall outside a one-year range from the current date. | default - 0 |
| Enable (1) or disable (0) flow start/end time substitution | If set to 1, the module uses the record's internal timestamp to populate missing flow_start_time and flow_end_time fields (e.g. for protocols like sFlow). | default - 0 |
| Enable (1) or disable (0) collecting application info from devices reporting it | If set to 1, NFO builds the App ID catalog from NetFlow Options (app_id, app_name, app_desc). If set to 0, only app fields carried directly in flow records are used. | default - 1 |
| Enable (1) or disable (0) enriching other devices with application info | If set to 1, the App ID catalog is used to enrich flows from all exporters, including those that did not export app fields themselves. If set to 0, only flows that already carry app fields are enriched. | default - 1 |
| Output filename for application info | Path to application collector file. Used for troubleshooting purposes. | default - ../../logs/app_info.log |
Maximizing Data Reduction by Ignoring Client Port
While NFO inherently reduces volume through flow consolidation, you can achieve massive additional gains by ignoring ephemeral client ports.
By aggregating flows based only on Source IP, Destination IP, and Destination Port, you can achieve data reduction ratios of 20x to 100x. This significantly lowers SIEM costs and improves search performance without losing visibility into the services being accessed.
- Selective Visibility: To keep client ports for specific traffic (e.g., DNS), use the List of known server destination port numbers to exempt those ports from aggregation.
Data Consolidation Parameter
| Parameter Name | Description | Comments |
|---|---|---|
| Data Collection Interval, sec | The timeframe over which flows are consolidated. | default - 30s (Min: 5s, Max: 86400s) |
Data Sets and Enrichment Parameters
Application Name Resolution
NFO resolves app_name using a priority order across the four application lists below. For a full explanation of the resolution logic, see Application Enrichment.
| Parameter Name | Description | Comments |
|---|---|---|
| List of known server destination port numbers | List of server destination ports used to determine which host is a client and which is a server. If the list is empty, the server is assumed to be the one with the smaller port number. Ignored for unidirectional flows. | Pre-loaded from IANA service names |
| List of local subnets | Used to identify direction for IPv4 traffic: inbound, outbound, or internal. | default - { 10.0.0.0,8; 172.16.0.0,12; 192.168.0.0,16 } |
| List of local IPv6 prefixes | Used to identify direction for IPv6 traffic: inbound, outbound, or internal. | default - fc00:0:0:0:0:0:0:0,7 |
| List of Users by IPv4 address | Maps IPv4 addresses to usernames logged in from those addresses. Populated automatically by EDFN agent from configured identity providers. | Provided by EDFN agent. See User Identity Enrichment |
| List of Users by IPv6 address | Maps IPv6 addresses to usernames logged in from those addresses. Populated automatically by EDFN agent from configured identity providers. | Provided by EDFN agent. See User Identity Enrichment |
| Custom Threat list | List of public and private IP addresses with reputation known to be malicious. Flows matching these IPs are always reported regardless of the Top N threshold. | Provided by EDFN agent. See Cyber Threat Intelligence |
| IPv4 address block and country code | Mapping of country codes to IPv4 address blocks. Used to populate src_cc and dest_cc fields. | Provided by EDFN agent. See GeoIP and ASN Enrichment |
| IPv4 address block and city location | Mapping of city and country codes to IPv4 address blocks. Used to populate city, region, and geo-coordinate fields. | Provided by EDFN agent. See GeoIP and ASN Enrichment |
| AS Numbers IPv4 Blocks | Mapping of Autonomous System Numbers to IPv4 address blocks. Used to populate src_asn and dest_asn fields. | Provided by EDFN agent. See GeoIP and ASN Enrichment |
| AS Numbers IPv6 Blocks | Mapping of Autonomous System Numbers to IPv6 address blocks. Used to populate src_asn and dest_asn fields for IPv6 traffic. | Provided by EDFN agent. See GeoIP and ASN Enrichment |
| IPv4 address ranges for cloud services | Lookup table mapping IPv4 ranges to cloud provider, service name, and region. Used to populate src_cloud_service, dest_cloud_service, src_cloud_region, and dest_cloud_region fields. | Provided by EDFN agent. See Cloud Service & Region |
| IPv6 address ranges for cloud services | Lookup table mapping IPv6 ranges to cloud provider, service name, and region. | Provided by EDFN agent. See Cloud Service & Region |
| AWS EC2 instances list | List of EC2 instances with IPs, VPC names, and related metadata. Used to populate src_vm_name, dest_vm_name, and related AWS fields. | Provided by EDFN agent. See AWS Cloud Enrichment |
| AWS VPC IPv4 Routes | List of AWS VPC IPv4 routes used for flow correlation and subnet context. | Provided by EDFN agent. See AWS Cloud Enrichment |
| AWS VPC IPv6 Routes | List of AWS VPC IPv6 routes used for flow correlation and subnet context. | Provided by EDFN agent. See AWS Cloud Enrichment |
| GCP VM instances list | List of Google Cloud Compute Engine instance names and associated metadata. Used to populate src_vm_name and dest_vm_name for GCP flows. | Provided by EDFN agent. See Google Cloud Enrichment |
| GCP IPv4 routes list | List of Google Cloud VPC routes used for flow correlation and subnet context. | Provided by EDFN agent. See Google Cloud Enrichment |
| Azure VM Instances | List of Azure VM names and associated metadata. Used to populate azure_src_vm_name and azure_dest_vm_name fields. | Provided by EDFN agent. See Azure Cloud Enrichment |
| Azure IPv4 Routes | List of Azure IPv4 routes used for flow correlation and virtual network context. | Provided by EDFN agent. See Azure Cloud Enrichment |
| Azure IPv6 Routes | List of Azure IPv6 routes used for flow correlation and virtual network context. | Provided by EDFN agent. See Azure Cloud Enrichment |
| Custom applications list | Maps ip/port/protocol → app_name/app_desc. Evaluated first for all flows. Overrides everything, including device-reported app_id names. The ignore list is never applied to custom matches. | Created manually |
| Applications override list | Maps app_id → app_name/app_desc. Applied when no custom application matched and app_name is not directly in the flow. Overrides the auto-built App ID catalog. | Created manually |
| App ID catalog | Auto-built from NetFlow Options (app_id type 95, app_name type 96, app_desc type 94). Read-only. Resolves app_name for flows carrying an app_id when no custom or override match is found. Subject to ignore list. | Populated automatically from flow data |
| Application names to be ignored | Device-reported app names suppressed from NFO output (e.g. unknown, incomplete, not-applicable). Applied to all sources except Custom applications list matches. | Created manually. default - { incomplete; not-applicable; unknown-udp; unknown-tcp; unknown-p2p } |
| List of vCenter Virtual Machines | List of VMware vCenter VMs including VDS IPv4 address, VM IPv4/IPv6 address, VDS Port ID, vNIC key, Port Group name, VM name, VM MoRef, and vCenter UUID. Used to populate src_vm_name and dest_vm_name for VMware environments. | Provided by EDFN agent. See VMware vCenter Enrichment |
| List of BD subnets to Tenant mapping | Maps Cisco ACI Bridge Domain subnets to tenant names. Used to populate src_tenant_name, dest_tenant_name, src_bd_name, and dest_bd_name fields. | Provided by EDFN agent. See Cisco ACI BD Subnets |
Converter Configuration
The Converter transforms the module's internal flow records into the syslog/JSON output format before sending to your configured outputs. It controls which fields are included and in what order, independently of the module's internal processing.
To configure the Converter, click on Converter for Network Conversation Monitor.
Output Fields
To configure output fields, including the order, click on List of output fields.
In this pop-up you can select and reorder fields for the Module output.
note
nfo_hostnamefield is added by the NFO server in Output Options, and therefore not selectable here.src_ip6anddest_ip6are selected automatically whensrc_ipanddest_ipfields are selected.
Syslog/JSON Message Fields
| Key | Field Description | Comment |
|---|---|---|
| nfc_id | Message type identifier | string, nfc_id=20062 |
| flow_type | Type of Flow | string, e.g. NFv5, NFv9, sFlow, IPFIX, AWS, Azure, OCI, ... |
| exp_ip | NetFlow exporter IPv4 address | IPv4 address (for public clouds added for compatibility with other flows) |
| exp_ip6 | NetFlow exporter IPv6 address | IPv6 address (for public clouds added for compatibility with other flows) |
| input_snmp | Input SNMP index | number |
| output_snmp | Output SNMP index | number |
| exp_name | Exporter name | string |
| input_if_name | Input interface name | string |
| input_if_alias | Input interface alias | string |
| output_if_name | Output interface name | string |
| output_if_alias | Output interface alias | string |
| protocol | Transport Protocol | number, e.g. TCP = 6, UDP = 17 |
| src_ip | Source IPv4 address | IPv4 address |
| src_ip6 | Source IPv6 address | IPv6 address |
| src_port | Source transport port | number |
| src_tos | Source type of service | number |
| src_asn | Source AS | number |
| src_cc | Source Country Code | string |
| src_region | Source region | string |
| src_city | Source city | string |
| src_lon | Source longitude | number |
| src_lat | Source latitude | number |
| src_mac | Source MAC address | string, e.g. e0:46:9a:2b:83:13 |
| src_cloud_region | Cloud source region | string |
| src_cloud_service | Cloud source service | string |
| src_host | Source host name | string, included when FQDN is on |
| src_vlan | Source VLAN | string |
| src_vm_name | Source VM name, AWS EC2 instance name, or OCI Compute Instance name | string |
| src_vpc_name | Source VPC name | string |
| src_subnet_name | Source subnet name | string |
| src_tenant_name | Cisco ACI source tenant | string |
| src_bd_name | Cisco ACI source bridge domain | string |
| dest_ip | Destination IPv4 address | IPv4 address |
| dest_ip6 | Destination IPv6 address | IPv6 address |
| dest_port | Destination transport port | number |
| dest_tos | Destination type of service | number |
| dest_asn | Destination AS | number |
| dest_cc | Destination Country Code | string |
| dest_region | Destination region | string |
| dest_city | Destination city | string |
| dest_lon | Destination longitude | number |
| dest_lat | Destination latitude | number |
| dest_vm_name | Destination VM name, AWS EC2 instance name, or OCI Compute Instance name | string |
| dest_vpc_name | Destination VPC name | string |
| dest_subnet_name | Destination subnet name | string |
| dest_tenant_name | Cisco ACI destination tenant | string |
| dest_bd_name | Cisco ACI destination bridge domain | string |
| dest_cloud_region | Cloud destination region | string |
| dest_cloud_service | Cloud destination service | string |
| dest_mac | Destination MAC address | string, e.g. e0:46:9a:2b:83:13 |
| dest_vlan | Destination VLAN | string |
| dest_host | Destination host name | string, included when FQDN is on |
| tcp_flag | TCP flags | string, e.g. SYN,ACK,FIN |
| packets_in | Packets in the flow received by destination IP from source IP | number |
| bytes_in | Total number of Layer 3 bytes in the packets of the flow received by destination IP from source IP | number |
| packets_out | Packets in the flow sent by destination IP to source IP | number |
| bytes_out | Total number of Layer 3 bytes in the packets of the flow sent by destination IP to source IP | number |
| flow_count | Number of consolidated flows reported in this event | number |
| action (*) | Flow action | string, determined from IPFIX element 233 - firewallEvent and NFv9 / IPFIX element 89 - forwardingStatus |
| state | Flow state | string, B = Begin, C = Continuing, E = End |
| latency | As reported in flow records in msec | number |
| duration | Session duration - unidirectional / Conversation duration - bidirectional. Reported in sec | number |
| direction | Direction of the flow, if reported, or direction determined based on local subnets | string, inbound (local IP address is dest), outbound (local IP address is src), internal (both src and dest IP addresses are local), unknown (both src and dest IP addresses are not local) |
| netscaler_client_retrans_count | NetScaler client TCP retransmission count | integer |
| netscaler_server_retrans_count | NetScaler server TCP retransmission count | integer |
| netscaler_client_rtt | NetScaler client Round-Trip time, msec | integer |
| netscaler_server_rtt | NetScaler server Round-Trip time, msec | integer |
| idp | Identity provider for the user | string |
| username | User name provided by EDFN Agent (UserName Type 371 - upcoming) | string |
| app_id | Application ID (Type 95) | string, Class Eng. ID:Selector ID (see Section 4 https://www.rfc-editor.org/rfc/rfc6759.html) |
| app_name | Application Name (Type 96) or proprietary IPFIX or NFv9 elements (Palo Alto Networks, NetScaler) | string |
| app_desc | Application Description (Type 94) or proprietary IPFIX or NFv9 elements (Palo Alto Networks, NetScaler) | string |
| app_engine_id | Application (Classification) Engine ID | string, Class Eng. ID description for part 1 of Type 95 (Type 101 - upcoming) |
| threat_list_name | The name of a cybersecurity threat list | string |
| reputation | Reputation from the threat list | string |
| aws_vpc_id | AWS VPC identifier | string |
| aws_vpc_name | AWS VPC name | string |
| aws_interface_id | AWS Interface ID | string |
| aws_account_id | AWS Account ID | string |
| gcp_reporter | GCP VPC Flow logs Reporter | string, SRC or DEST |
| gcp_exp | GCP VPC Flow logs Exporter. Calculated field based on reporter = SRC or DEST | string, Project ID/VPC/Subnet |
| gcp_subnet_id | GCP Subnet ID | string |
| src_vm_ip_pub | Source EC2 or OCI Instance public IPv4 address | IPv4 address |
| aws_src_inst_id | Source EC2 instance ID | string, e.g. i-390d7032 or i-0c0a6ac75d9d87b7e |
| gcp_src_project_id | GCP Source Project ID | string |
| gcp_src_vm_zone | GCP Source VM Zone | string |
| azure_src_subs_id | Azure Source Subscription ID | string |
| azure_src_subs_name | Azure Source Subscription Name | string |
| azure_src_nsg_name | Azure Source NSG Name | string |
| azure_src_vnet_name | Azure Source Virtual Network Name | string |
| azure_src_res_grp_name | Azure Source Resource Group Name | string |
| dest_vm_ip_pub | Destination EC2 or OCI Instance public IPv4 address | IPv4 address |
| aws_dest_inst_id | Destination EC2 instance ID | string |
| gcp_dest_project_id | GCP Destination Project ID | string |
| gcp_dest_vm_zone | GCP Destination VM Zone | string |
| azure_dest_subs_id | Azure Destination Subscription ID | string |
| azure_dest_subs_name | Azure Destination Subscription Name | string |
| azure_dest_nsg_name | Azure Destination NSG Name | string |
| azure_dest_vnet_name | Azure Destination Virtual Network Name | string |
| azure_dest_res_grp_name | Azure Destination Resource Group Name | string |
| oci_src_vcn_name | Source VCN name | string |
| oci_src_subnet_name | Source subnet name | string |
| oci_src_compartment_name | Source Compartment name | string |
| oci_src_tenancy_name | Source Tenancy name | string |
| oci_src_ip_pub | Source OCI Instance public IPv4 address | IPv4 address |
| oci_dest_vcn_name | Destination VCN name | string |
| oci_dest_subnet_name | Destination subnet name | string |
| oci_dest_compartment_name | Destination Compartment name | string |
| oci_dest_tenancy_name | Destination Tenancy name | string |
| oci_dest_ip_pub | Destination OCI Instance public IPv4 address | IPv4 address |
| flow_start_time | Start time of the first consolidated flow | time |
| flow_end_time | End of the last consolidated flow | time |
| t_int | Observation time interval, msec | number |
(*) Action is reported as follows:
action=Rfor firewallEvent 0 (ignored), 2 (deleted), and 3 (denied), and Rejected cloud flow logsaction=Afor firewallEvent 1 (created), 4 (alert), and 5 (update), and Allowed cloud flow logsaction=Ufor forwardingStatus 00 (unknown)action=Ffor forwardingStatus 01 (forwarded)action=Dfor forwardingStatus 10 (dropped)action=Cfor forwardingStatus 11 (consumed)