Top Traffic Monitor (10067)
The Top Traffic Monitor is a primary foundational module optimized for high-performance consolidation of unidirectional flow data. It is specifically designed for bandwidth management, capacity planning, and "Top N" reporting. While it offers a streamlined feature set compared to the Network Conversations Monitor, it is the ideal choice for high-volume environments where essential traffic metrics and minimal processing overhead are the priority.
Functionality
This module focuses on efficient traffic summarization and volume-based reporting:
- Unidirectional Consolidation: Aggregates flow records sharing the same 5-tuple (Source/Dest IP, Source/Dest Port, Protocol) over a Data Collection Interval (DCI). It reports total traffic volume per host pair without the overhead of bidirectional stitching.
- High-Performance "Top N" Reporting: Highly optimized to identify and report only the top bandwidth consumers (Top N) per exporter, significantly reducing SIEM ingestion costs while maintaining visibility into peak traffic loads.
- Authoritative Deduplication: Identifies the primary network device in multi-hop paths to ensure traffic is only counted once, preventing skewed volume statistics.
- Traffic Directionality: Uses defined local subnets to classify traffic as inbound, outbound, internal, or unknown.
- Statistical Sampling Support: Correctly handles sampled telemetry (such as sFlow or Sampled NetFlow). When the corresponding parameter is enabled, bytes and packets are multiplied by the sampling rate to provide accurate statistical approximations of total traffic.
Supported Inputs
The Top Traffic Monitor processes a wide range of standard network telemetry:
- Standard Protocols: NetFlow (v5, v9), IPFIX, and sFlow.
- Cloud Flow Logs: AWS VPC, Microsoft Azure NSG and VNet, Oracle Cloud (OCI), and Google Cloud (GCP) Flow Logs.
- Specialized Inputs: Citrix AppFlow and standard router/switch telemetry.
Flow Enrichment
To maintain maximum performance, the Top Traffic Monitor provides essential enrichment focused on identification and location:
- FQDN: Resolves IP addresses to hostnames.
- SNMP Integration: Can be configured to pull interface names and aliases from the NFO SNMP service to provide physical context to the flow data.
Configuration Parameters
To tune the module, click on 10067: Top Traffic Monitor in the NFO Web UI.
Core Logic Parameters
| Parameter Name | Description | Default / Constraints |
|---|---|---|
| Top N per exporter (0 for all traffic) | Limits output to the top bandwidth consumers per exporter. Set to 0 to report all traffic. | 50 (Min: 0, Max: 100,000) |
| Enable (1) or disable (0) deduplication | If enabled, reports flows only from authoritative exporters to prevent double-counting. | 0 (Disabled) |
| Enable (1) or disable (0) reporting client port | If disabled (0), ignores ephemeral ports during consolidation to achieve massive volume reduction. | 1 (Enabled) |
| Enable (1) or disable (0) multiplying by sampling rate | Automatically scales sampled data (sFlow/IPFIX) to reflect total traffic volume. | 0 (Disabled) |
| Default sampler rate | Fallback rate used if sampling information is missing from the flow record. | 1 |
| Enable (1) or disable (0) reporting flow denied events | Includes or excludes flows rejected by firewall/ACL policies. | 1 (Enabled) |
| Enable (1) or disable (0) SNMP enrichment | Enriches flows with sysName and interface ifName from the SNMP service. | 1 (Enabled) |
While NFO inherently reduces volume through flow consolidation, you can achieve massive additional gains by ignoring ephemeral client ports.
By aggregating flows based only on Source IP, Destination IP, and Destination Port, you can achieve data reduction ratios of 20x to 100x. This significantly lowers SIEM costs and improves search performance without losing visibility into the services being accessed.
- Selective Visibility: To keep client ports for specific traffic (e.g., DNS), use the List of known server destination port numbers to exempt those ports from aggregation.
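The interaction between consolidation, client-port suppression, the sampling multiplier and Top N selection is easier to see in code. The following Python is an added example, not NFO's own code: the `FlowRecord` class, the `consolidate()` function and the sample records are constructed here to mirror one Data Collection Interval. Output keys follow the field names in the message table below. Two points are assumptions: the protocol stays in the aggregation key even when the client port is dropped (so TCP and UDP services to the same port are not merged), and `percent_of_total` is computed against the exporter's total bytes for the interval before Top N truncation.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FlowRecord:
    """One raw flow record as received from an exporter (constructed for this example)."""
    exp_ip: str
    src_ip: str
    src_port: int
    dest_ip: str
    dest_port: int
    protocol: int                        # 6 = TCP, 17 = UDP
    bytes_in: int
    packets_in: int
    sampling_rate: Optional[int] = None  # None when the record carries no sampler info


def consolidate(records, *, top_n=50, report_client_port=True,
                known_server_ports=frozenset(), multiply_by_sampling=False,
                default_sampler_rate=1):
    """Consolidate one DCI's records and return the Top N rows per exporter.

    Parameters mirror the module's configuration: top_n=0 reports everything,
    report_client_port=False drops the ephemeral source port from the key
    (except for destination ports listed in known_server_ports), and
    multiply_by_sampling scales bytes/packets by the record's sampler rate,
    falling back to default_sampler_rate when the record has none."""
    buckets = {}
    for r in records:
        keep_port = report_client_port or r.dest_port in known_server_ports
        src_port = r.src_port if keep_port else None
        # Assumption: protocol stays in the key even when the client port is dropped.
        key = (r.exp_ip, r.src_ip, src_port, r.dest_ip, r.dest_port, r.protocol)
        scale = 1
        if multiply_by_sampling:
            scale = r.sampling_rate if r.sampling_rate else default_sampler_rate
        row = buckets.get(key)
        if row is None:
            row = buckets[key] = {
                "exp_ip": r.exp_ip, "src_ip": r.src_ip, "dest_ip": r.dest_ip,
                "dest_port": r.dest_port, "protocol": r.protocol,
                "bytes_in": 0, "packets_in": 0, "flow_count": 0,
            }
            if src_port is not None:
                row["src_port"] = src_port
        row["bytes_in"] += r.bytes_in * scale
        row["packets_in"] += r.packets_in * scale
        row["flow_count"] += 1

    per_exporter = defaultdict(list)
    for row in buckets.values():
        per_exporter[row["exp_ip"]].append(row)

    out = []
    for rows in per_exporter.values():
        total = sum(r["bytes_in"] for r in rows) or 1   # guard against a zero-byte interval
        rows.sort(key=lambda r: r["bytes_in"], reverse=True)
        if top_n > 0:
            rows = rows[:top_n]
        for r in rows:
            r["percent_of_total"] = round(100.0 * r["bytes_in"] / total, 3)
            out.append(r)
    return out


# Constructed sample: three HTTPS sessions from one client, two DNS lookups,
# one sFlow-sampled session (rate 100), and one flow seen by a second exporter.
SAMPLE_RECORDS = [
    FlowRecord("10.0.0.1", "192.168.1.10", 51000, "10.1.1.5", 443, 6, 1000, 10),
    FlowRecord("10.0.0.1", "192.168.1.10", 51001, "10.1.1.5", 443, 6, 2000, 20),
    FlowRecord("10.0.0.1", "192.168.1.10", 51002, "10.1.1.5", 443, 6, 3000, 30),
    FlowRecord("10.0.0.1", "192.168.1.20", 40000, "10.1.1.53", 53, 17, 100, 1),
    FlowRecord("10.0.0.1", "192.168.1.20", 40001, "10.1.1.53", 53, 17, 150, 1),
    FlowRecord("10.0.0.1", "192.168.1.30", 50000, "10.1.1.5", 443, 6, 500, 5, sampling_rate=100),
    FlowRecord("10.0.0.2", "192.168.2.1", 1234, "10.1.1.5", 80, 6, 700, 7),
]


if __name__ == "__main__":
    full = consolidate(SAMPLE_RECORDS, top_n=0)
    reduced = consolidate(SAMPLE_RECORDS, top_n=0, report_client_port=False,
                          known_server_ports={53})
    print(f"rows with client ports: {len(full)}, without: {len(reduced)}")
    for row in consolidate(SAMPLE_RECORDS, top_n=2, multiply_by_sampling=True):
        print(row)
```

Running it with `report_client_port=False` collapses the three HTTPS sessions into one row with `flow_count=3`, while the DNS flows keep their client ports because 53 is in the known-server-port set; enabling the sampling multiplier turns the 500-byte sampled record into 50,000 bytes, which is what the Top N ranking then sees.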
Data Consolidation Parameter
| Parameter Name | Description | Comments |
|---|---|---|
| Data Collection Interval, sec | The timeframe over which flows are consolidated. | default - 30s (Min: 5s, Max: 86400s) |
Converter Configuration
This Module has a fixed set of output fields.
Syslog/JSON Message Fields
| Key | Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | “nfc_id=20067” |
| flow_type | Type of Flow | string, e.g. NFv5, NFv9, sFlow, IPFIX, AWS, Azure, OCI, ... |
| exp_ip | NetFlow exporter IPv4 address | IPv4 address |
| exp_ip6 | NetFlow exporter IPv6 address | IPv6 address |
| input_snmp | NetFlow exporter ingress interface SNMP index | number |
| output_snmp | NetFlow exporter egress interface SNMP index | number |
| protocol (*) | Transport Protocol (TCP = 6, UDP = 17) | number |
| src_ip | Source host IPv4 address | IPv4 address |
| src_ip6 | Source host IPv6 address | IPv6 address |
| src_host (**) | Source host name | string, included when FQDN is on |
| src_port | Source port number | number |
| dest_ip | Destination host IPv4 address | IPv4 address |
| dest_ip6 | Destination host IPv6 address | IPv6 address |
| dest_host (**) | Destination host name | string, included when FQDN is on |
| dest_port | Destination port number | number |
| [interface-id] | Interface ID for AWS VPC Flow Logs | string |
| tcp_flag | Cumulative OR of TCP flags | string, e.g. “SYN,ACK,FIN” |
| packets_in | Packets in the flow received by the input interface | number |
| bytes_in | Total number of Layer 3 bytes in the packets of the flow received by the input interface | number |
| src_tos | Inbound IP type of service | number |
| dest_tos | Outbound IP type of service | number |
| src_asn | Source AS | number |
| dest_asn | Destination AS | number |
| flow_count | Number of Flows | number |
| action (***) | Flow action | string, The action is determined from IPFIX element 233 - firewallEvent and NFv9 / IPFIX element 89 - forwardingStatus |
| percent_of_total | Percent of Total (bytes) | decimal, e.g. 25.444% is 25.444 |
| [flow_smpl_id] | Flow Sampler ID | number |
| t_int | Observation time interval, msec | number |
(*) Protocol field is optional. It is reported only if there is a corresponding field in NetFlow.
(**) Host name field is optional and included only if FQDN Service is enabled.
(***) Action is reported as follows:
- action=blocked for firewallEvent 0 (ignored), 2 (deleted), and 3 (denied)
- action=allowed for firewallEvent 1 (created), 4 (alert), and 5 (update)
- action=unknown for forwardingStatus 00
- action=forwarded for forwardingStatus 01
- action=dropped for forwardingStatus 10
- action=consumed for forwardingStatus 11
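A consumer of these messages usually wants two things: to recover the action mapping above when it has to reason about raw firewallEvent / forwardingStatus values, and to roll up the delivered messages by action, for instance to find which destination ports are collecting denied flows. The Python below is an added example, not NFO's own code. It assumes the syslog key=value form of the message (the page shows `nfc_id=20067` in that form) with quoted values only where they contain commas; `action_from_elements()`, `parse_message()`, `summarize()` and the sample lines are constructed here. The forwardingStatus values 00/01/10/11 are taken to be the two most significant bits of the IE 89 octet, and firewallEvent is assumed to take precedence when both elements are present.

```python
import re
from collections import Counter

# Action mapping as documented for this module (firewallEvent = IPFIX IE 233,
# forwardingStatus = NFv9/IPFIX IE 89).
FIREWALL_EVENT_ACTION = {0: "blocked", 2: "blocked", 3: "blocked",
                         1: "allowed", 4: "allowed", 5: "allowed"}
FORWARDING_STATUS_ACTION = {0b00: "unknown", 0b01: "forwarded",
                            0b10: "dropped", 0b11: "consumed"}


def action_from_elements(firewall_event=None, forwarding_status=None):
    """Derive the action string from the raw flow elements.

    Assumption: firewallEvent wins when both are present. forwarding_status is
    the raw IE 89 octet; the status the page lists lives in its top two bits,
    the remaining six bits carry the reason code and are ignored here."""
    if firewall_event is not None:
        return FIREWALL_EVENT_ACTION.get(firewall_event, "unknown")
    if forwarding_status is not None:
        return FORWARDING_STATUS_ACTION[(forwarding_status >> 6) & 0b11]
    return None


KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
INT_FIELDS = {"nfc_id", "input_snmp", "output_snmp", "protocol", "src_port",
              "dest_port", "packets_in", "bytes_in", "src_tos", "dest_tos",
              "src_asn", "dest_asn", "flow_count", "flow_smpl_id", "t_int"}


def parse_message(line):
    """Parse one syslog key=value message; return None unless it is a 20067 message."""
    fields = {}
    for key, value in KV_RE.findall(line):
        value = value.strip('"')
        if key in INT_FIELDS:
            value = int(value)
        elif key == "percent_of_total":
            value = float(value)
        fields[key] = value
    if fields.get("nfc_id") != 20067:
        return None
    return fields


def summarize(lines):
    """Return (bytes per action, blocked/dropped flow_count per (dest_ip, dest_port))."""
    bytes_by_action = Counter()
    denied_targets = Counter()
    for line in lines:
        msg = parse_message(line)
        if msg is None:
            continue
        action = msg.get("action", "unknown")
        bytes_by_action[action] += msg["bytes_in"]
        if action in ("blocked", "dropped"):
            denied_targets[(msg["dest_ip"], msg["dest_port"])] += msg["flow_count"]
    return bytes_by_action, denied_targets


# Constructed sample messages: one DCI from a single exporter plus an unrelated syslog line.
SAMPLE_MESSAGES = [
    'nfc_id=20067 flow_type=NFv9 exp_ip=10.0.0.1 src_ip=192.168.1.10 src_port=51000 '
    'dest_ip=10.1.1.5 dest_port=443 protocol=6 tcp_flag="SYN,ACK,FIN" packets_in=60 '
    'bytes_in=6000 flow_count=3 action=forwarded percent_of_total=60.0',
    'nfc_id=20067 flow_type=IPFIX exp_ip=10.0.0.1 src_ip=192.168.1.20 dest_ip=10.1.1.5 '
    'dest_port=22 protocol=6 packets_in=12 bytes_in=720 flow_count=12 action=blocked '
    'percent_of_total=7.2',
    'nfc_id=20067 flow_type=IPFIX exp_ip=10.0.0.1 src_ip=192.168.1.21 dest_ip=10.1.1.5 '
    'dest_port=22 protocol=6 packets_in=5 bytes_in=300 flow_count=5 action=blocked '
    'percent_of_total=3.0',
    'nfc_id=20067 flow_type=NFv9 exp_ip=10.0.0.1 src_ip=192.168.1.30 dest_ip=10.1.1.53 '
    'dest_port=53 protocol=17 packets_in=40 bytes_in=2980 flow_count=40 action=forwarded '
    'percent_of_total=29.8',
    '<134>Jan 1 00:00:00 host some unrelated syslog message',
]


if __name__ == "__main__":
    by_action, targets = summarize(SAMPLE_MESSAGES)
    print("bytes by action:", dict(by_action))
    print("denied flows by target:", dict(targets))
    print("IE89 0x80 ->", action_from_elements(forwarding_status=0x80))
```

Note that `percent_of_total` is reported per exporter and per interval, so summing it across exporters or across DCIs is meaningless; the rollup above sums `bytes_in` and `flow_count` instead.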