Top Traffic Monitor (10067)
The Top Traffic Monitor is a primary foundational module optimized for high-performance consolidation of unidirectional flow data. It is specifically designed for bandwidth management, capacity planning, and "Top N" reporting. While it offers a streamlined feature set compared to the Network Conversations Monitor, it is the ideal choice for high-volume environments where essential traffic metrics and minimal processing overhead are the priority.
Functionality
This module focuses on efficient traffic summarization and volume-based reporting:
- Unidirectional Consolidation: Aggregates flow records sharing the same 5-tuple (Source/Dest IP, Source/Dest Port, Protocol) over a Data Collection Interval (DCI). It reports total traffic volume per host pair without the overhead of bidirectional stitching.
- High-Performance "Top N" Reporting: Highly optimized to identify and report only the top bandwidth consumers (Top N) per exporter, significantly reducing SIEM ingestion costs while maintaining visibility into peak traffic loads.
- Authoritative Deduplication: Identifies the primary network device in multi-hop paths to ensure traffic is only counted once, preventing skewed volume statistics.
- Traffic Directionality: Uses defined local subnets to classify traffic as inbound, outbound, internal, or unknown.
- Statistical Sampling Support: Correctly handles sampled telemetry (such as sFlow or Sampled NetFlow), automatically multiplying bytes and packets by the sampling rate to provide accurate statistical approximations of total traffic.
Supported Inputs
The Top Traffic Monitor processes a wide range of standard network telemetry:
- Standard Protocols: NetFlow (v5, v9), IPFIX, and sFlow.
- Cloud Flow Logs: AWS VPC, Microsoft Azure NSG and VNet, Oracle Cloud (OCI), and Google Cloud (GCP) Flow Logs.
- Specialized Inputs: Citrix AppFlow and standard router/switch telemetry.
Flow Enrichment
To maintain maximum performance, the Top Traffic Monitor provides essential enrichment focused on identification and location:
- FQDN: Resolves IP addresses to hostnames.
- SNMP Integration: Can be configured to pull interface names and aliases from the NFO SNMP service to provide physical context to the flow data.
Configuration Parameters
To tune the module, click on 10067: Top Traffic Monitor in the NFO Web UI.
Core Logic Parameters
| Parameter Name | Description | Default / Constraints |
|---|---|---|
| Top N per exporter (0 for all traffic) | Limits output to the top bandwidth consumers per exporter. Set to 0 to report all traffic. | 50 (Min: 0, Max: 100,000) |
| Enable (1) or disable (0) deduplication | If enabled, reports flows only from authoritative exporters to prevent double-counting. | 0 (Disabled) |
| Enable (1) or disable (0) reporting client port | If disabled (0), ignores ephemeral ports during consolidation to achieve massive volume reduction. | 1 (Enabled) |
| Enable (1) or disable (0) multiplying by sampling rate | Automatically scales sampled data (sFlow/IPFIX) to reflect total traffic volume. | 0 (Disabled) |
| Default sampler rate | Fallback rate used if sampling information is missing from the flow record. | 1 |
| Enable (1) or disable (0) reporting flow denied events | Includes or excludes flows rejected by firewall/ACL policies. | 1 (Enabled) |
| Enable (1) or disable (0) SNMP enrichment | Enriches flows with sysName and interface ifName from the SNMP service. | 1 (Enabled) |
While NFO inherently reduces volume through flow consolidation, you can achieve massive additional gains by ignoring ephemeral client ports.
By aggregating flows based only on Source IP, Destination IP, and Destination Port, you can achieve data reduction ratios of 20x to 100x. This significantly lowers SIEM costs and improves search performance without losing visibility into the services being accessed.
- Selective Visibility: To keep client ports for specific traffic (e.g., DNS), use the List of known server destination port numbers to exempt those ports from aggregation.
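The consolidation logic described above (5-tuple aggregation over one interval, optional suppression of the ephemeral client port with the known-server-port exemption, multiplication by the sampling rate, Top N per exporter, percent_of_total and direction classification) as an added Python example; this is not NFO's own code. The local subnets, the `Flow` record layout, the use of the exporter's interval total as the denominator of percent_of_total, and emitting a suppressed client port as `None` are assumptions of the example, not details stated on this page.

```python
"""Added example, not NFO's own code: a small consolidator that reproduces the
documented Top Traffic Monitor behaviour on constructed flow records.

Assumptions (not stated on the page): the local subnets used for direction,
the Flow record shape, that percent_of_total is computed against the
exporter's total bytes in the interval, and that an ignored client port is
emitted as None.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple
import ipaddress

# Constructed local subnets standing in for the "defined local subnets" setting.
LOCAL_SUBNETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class Flow:
    """One raw unidirectional flow record from an exporter (constructed shape)."""
    exp_ip: str
    src_ip: str
    dest_ip: str
    protocol: int
    src_port: int
    dest_port: int
    bytes_in: int
    packets_in: int
    sampling_rate: Optional[int] = None  # None = sampling info missing from the record


def direction(src_ip: str, dest_ip: str) -> str:
    """Classify a flow as inbound/outbound/internal/unknown against LOCAL_SUBNETS."""
    src_local = any(ipaddress.ip_address(src_ip) in net for net in LOCAL_SUBNETS)
    dst_local = any(ipaddress.ip_address(dest_ip) in net for net in LOCAL_SUBNETS)
    if src_local and dst_local:
        return "internal"
    if src_local:
        return "outbound"
    if dst_local:
        return "inbound"
    return "unknown"


def consolidate(flows: Iterable[Flow], top_n: int = 50, report_client_port: bool = True,
                known_server_ports: Iterable[int] = (), multiply_by_sampling: bool = False,
                default_sampler_rate: int = 1) -> List[dict]:
    """Aggregate one Data Collection Interval of flows; return Top N events per exporter."""
    known = set(known_server_ports)
    buckets: Dict[Tuple, dict] = defaultdict(
        lambda: {"bytes_in": 0, "packets_in": 0, "flow_count": 0})
    for f in flows:
        # Sampled telemetry: scale by the record's rate, falling back to the default rate.
        scale = (f.sampling_rate or default_sampler_rate) if multiply_by_sampling else 1
        # The client port is dropped from the key unless the destination port is an
        # exempted known server port (e.g. 53 for DNS), which keeps the full 5-tuple.
        keep_src_port = report_client_port or f.dest_port in known
        src_port = f.src_port if keep_src_port else None
        key = (f.exp_ip, f.src_ip, f.dest_ip, f.protocol, src_port, f.dest_port)
        b = buckets[key]
        b["bytes_in"] += f.bytes_in * scale
        b["packets_in"] += f.packets_in * scale
        b["flow_count"] += 1

    per_exporter: Dict[str, list] = defaultdict(list)
    for key, b in buckets.items():
        per_exporter[key[0]].append((key, b))

    events = []
    for exp_ip, items in per_exporter.items():
        total_bytes = sum(b["bytes_in"] for _, b in items)
        items.sort(key=lambda kb: kb[1]["bytes_in"], reverse=True)
        if top_n > 0:  # 0 means report all traffic
            items = items[:top_n]
        for (_, src_ip, dest_ip, protocol, src_port, dest_port), b in items:
            pct = round(100.0 * b["bytes_in"] / total_bytes, 3) if total_bytes else 0.0
            events.append({
                "exp_ip": exp_ip, "src_ip": src_ip, "dest_ip": dest_ip,
                "protocol": protocol, "src_port": src_port, "dest_port": dest_port,
                "direction": direction(src_ip, dest_ip),
                "percent_of_total": pct,
                **b,
            })
    return events


# Constructed sample interval: two HTTPS flows from the same client, one DNS lookup
# and one sampled inbound SSH flow, all seen by exporter 10.1.1.1.
SAMPLE_FLOWS = [
    Flow("10.1.1.1", "192.168.1.10", "203.0.113.5", 6, 51000, 443, 1000, 10),
    Flow("10.1.1.1", "192.168.1.10", "203.0.113.5", 6, 51001, 443, 2000, 20),
    Flow("10.1.1.1", "192.168.1.11", "192.168.1.53", 17, 40000, 53, 100, 1),
    Flow("10.1.1.1", "198.51.100.7", "192.168.1.20", 6, 33000, 22, 500, 5, sampling_rate=100),
]

if __name__ == "__main__":
    for ev in consolidate(SAMPLE_FLOWS, top_n=2, report_client_port=False,
                          known_server_ports={53}, multiply_by_sampling=True):
        print(ev)
```

With client ports ignored, the two HTTPS flows collapse into a single event with flow_count 2, while the DNS flow keeps its client port because 53 is in the exempt list; with sampling multiplication enabled the sampled SSH flow is scaled from 500 to 50000 bytes and becomes the top consumer.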
Data Consolidation Parameter
| Parameter Name | Description | Comments |
|---|---|---|
| Data Collection Interval, sec | The timeframe over which flows are consolidated. | Default: 30 s (Min: 5 s, Max: 86400 s) |
Converter Configuration
This module has a fixed set of output fields.
Syslog/JSON Message Fields
| Field Name | Description | Type | Example / Notes |
|---|---|---|---|
| nfo_hostname | NFO server hostname or FQDN | string | |
| site | Deployment location name | string | Optional. Used in logs and dashboards |
| nfc_id | Message type identifier | string | nfc_id=20062 |
| flow_type | Type of flow | string | NFv5, NFv9, sFlow, IPFIX, AWS, Azure, OCI |
| exp_ip | NetFlow exporter IPv4 address | IPv4 address | Added for public clouds for compatibility with other flow types |
| exp_ip6 | NetFlow exporter IPv6 address | IPv6 address | Added for public clouds for compatibility with other flow types |
| input_snmp | Input SNMP index | number | |
| output_snmp | Output SNMP index | number | |
| exp_name | Exporter name | string | Populated from SNMP sysName |
| input_if_name | Input interface name | string | Populated from SNMP ifName |
| input_if_alias | Input interface alias | string | Populated from SNMP ifAlias |
| output_if_name | Output interface name | string | Populated from SNMP ifName |
| output_if_alias | Output interface alias | string | Populated from SNMP ifAlias |
| protocol | Transport protocol | number | TCP = 6, UDP = 17, ICMP = 1. See IANA Protocol Numbers |
| src_ip | Source IPv4 address | IPv4 address | |
| src_ip6 | Source IPv6 address | IPv6 address | |
| src_host | Source host name | string | Present when FQDN resolution is enabled |
| src_port | Source transport port | number | |
| dest_ip | Destination IPv4 address | IPv4 address | |
| dest_ip6 | Destination IPv6 address | IPv6 address | |
| dest_host | Destination host name | string | Present when FQDN resolution is enabled |
| dest_port | Destination transport port | number | |
| interface-id | Interface ID for AWS VPC Flow Logs | string | AWS only |
| tcp_flag | TCP flags | string | e.g. SYN, ACK, FIN |
| packets_in | Packets received by destination IP from source IP | number | |
| bytes_in | Layer 3 bytes received by destination IP from source IP | number | |
| src_tos | Source type of service | number | DSCP/ToS byte from the IP header |
| dest_tos | Destination type of service | number | DSCP/ToS byte from the IP header |
| src_asn | Source AS number | number | |
| dest_asn | Destination AS number | number | |
| flow_count | Number of consolidated flows reported in this event | number | |
| action (*) | Flow action | string | Determined from IPFIX element 233 (firewallEvent) and NFv9/IPFIX element 89 (forwardingStatus) |
| percent_of_total | Percentage of total bytes | decimal | e.g. 25.444% is represented as 25.444 |
| flow_smpl_id | Flow sampler ID | number | |
| t_int | Observation time interval | number (msec) | The consolidation window during which similar flows are aggregated into this record |
(*) Action field values
| Value | Condition |
|---|---|
| action=R | firewallEvent 0 (ignored), 2 (deleted), or 3 (denied); Rejected cloud flow logs |
| action=A | firewallEvent 1 (created), 4 (alert), or 5 (update); Allowed cloud flow logs |
| action=U | forwardingStatus 00 (unknown) |
| action=F | forwardingStatus 01 (forwarded) |
| action=D | forwardingStatus 10 (dropped) |
| action=C | forwardingStatus 11 (consumed) |
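The action mapping in the table above, together with the "reporting flow denied events" toggle, as an added Python example; this is not NFO's own code. The example assumes that forwardingStatus is decoded as a single byte whose two high bits carry the status and whose low six bits carry a reason code (Cisco's NetFlow v9 encoding of element 89), that cloud flow log actions arrive as the strings "ACCEPT"/"REJECT", that firewallEvent takes precedence when a record carries both elements, and that the denied-events toggle suppresses actions R and D; none of these details are stated on this page.

```python
"""Added example, not NFO's own code: derives the Top Traffic Monitor's `action`
field from the sources listed in the action table.

Assumptions not on the page: forwardingStatus is one byte whose two high bits
are the status (Cisco NetFlow v9 encoding), cloud log actions arrive as the
strings "ACCEPT"/"REJECT", firewallEvent wins when both elements are present,
and the "reporting flow denied events" toggle suppresses actions R and D.
"""
from typing import Optional, Tuple

# IPFIX element 233 (firewallEvent) values -> action, as listed in the table.
_FIREWALL_EVENT_ACTION = {0: "R", 2: "R", 3: "R", 1: "A", 4: "A", 5: "A"}

# forwardingStatus (element 89) status bits 00/01/10/11 -> action.
_FORWARDING_STATUS_ACTION = {0b00: "U", 0b01: "F", 0b10: "D", 0b11: "C"}


def decode_forwarding_status(value: int) -> Tuple[int, int]:
    """Split the one-byte forwardingStatus into (status_bits, reason_code)."""
    value &= 0xFF
    return (value >> 6) & 0b11, value & 0x3F


def derive_action(firewall_event: Optional[int] = None,
                  forwarding_status: Optional[int] = None,
                  cloud_action: Optional[str] = None) -> Optional[str]:
    """Return the action letter, or None when the record carries no usable source."""
    if firewall_event is not None:
        return _FIREWALL_EVENT_ACTION.get(firewall_event)
    if forwarding_status is not None:
        status, _reason = decode_forwarding_status(forwarding_status)
        return _FORWARDING_STATUS_ACTION[status]
    if cloud_action is not None:
        return "R" if cloud_action.upper() == "REJECT" else "A"
    return None


def is_denied(action: Optional[str]) -> bool:
    """Assumed filter behind 'reporting flow denied events': R and D are the rejected flows."""
    return action in ("R", "D")


# Constructed records: a firewall denial, a router drop with reason code 9,
# a forwarded flow, and an AWS-style rejected cloud flow log.
SAMPLE_RECORDS = [
    {"firewall_event": 3},
    {"forwarding_status": 0x89},   # bits 10 001001 -> dropped, reason 9
    {"forwarding_status": 0x40},   # bits 01 000000 -> forwarded
    {"cloud_action": "REJECT"},
]


def filter_records(records, report_denied: bool = True):
    """Tag each record with its action and apply the denied-events toggle."""
    out = []
    for r in records:
        action = derive_action(**r)
        if not report_denied and is_denied(action):
            continue
        out.append({**r, "action": action})
    return out


if __name__ == "__main__":
    for r in filter_records(SAMPLE_RECORDS):
        print(r)
```

Disabling the denied-events toggle removes the firewall denial, the router drop and the rejected cloud log from the sample set, leaving only the forwarded flow; the reason code carried in the low six bits of forwardingStatus is decoded but not part of the action value.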