Top Traffic Monitor (10067 / 20067)
Description
This Module identifies hosts with the most traffic. It consolidates NetFlow records over a period of time (Data Collection Interval) which all have the same combination of the following fields:
- Source IP address
- Destination IP address
- Source port number
- Destination port number
- Layer 3 protocol
- Input interface
- Output interface
This information is provided per NetFlow exporter.
Deduplication: optionally the Module can report consolidated flows only from authoritative router/switch. Authoritative network device is determined as follows. The Module sums up bytes, packets, and connections between two hosts over data collection interval (parameter, default = 30 sec), reported by each flow exporter. An exporter with most connections (flows) for each consolidated flow is considered authoritative, and flows reported by all other exporters are discarded.
Logic Parameters
| Parameter Name | Description | Comments |
|---|---|---|
| N – number of reported hosts | Top N Reported Hosts per Exporter (set to 0 to report all flows) | min = 0, max = 100000, default = 50 |
| Enable(1) or disable (0) reporting flow denied events | If set to 1, the ephemeral client port number is reported. If set to 0, client port number is not taken into account for consolidation, and reported as 0. To preserve client ports for specific destination ports, refer to the TIP below the table | default - 1 |
| Enable(1) or disable (0) reporting by authoritative exporters only | If set to 1 (deduplication enabled), the Module reports flows only from authoritative exporters | default = 0 |
| Enable(1) or disable (0) reporting client port | If set to 1, the ephemeral client port number is reported. If set to 0, client port number is not taken into account for consolidation, and reported as 0 | default = 1 |
| Enable(1) or disable (0) multiplying by sampling rate | If set to 1, when *flow is sampled (e.g. sFlow, sampled NetFlow/IPFIX), the sampling rate is used to multiply bytes and packets to report total traffic as statistical approximation | default = 0 |
| Default sampler rate | If sampling information is not available, use this rate to multiply bytes and packets to report total traffic as statistical approximation | default = 1 |
Reducing NetFlow Volume by Ignoring Client Ports
The Benefits of Not Reporting Client Port
Modern applications, especially web browsers, generate a high volume of short-lived connections, each with unique client ports. This results in a massive volume of NetFlow data, even for single user sessions. Ignoring client ports during short-term NetFlow consolidation dramatically reduces this data load. By aggregating flows based on source IP, destination IP, and destination port, we consolidate numerous connections into single, representative records. This can achieve data reduction ratios of 20 to 100 times or more.
This optimization yields significant benefits. It reduces bandwidth consumption for NetFlow transmission, lowers storage requirements, and improves performance in receiving systems. . In essence, ignoring client ports for consolidation provides a practical and effective means of managing NetFlow data volume without sacrificing essential network visibility.
If you choose not to report ephemeral client ports, you may still want to see client ports for some conversations, for example, DNS traffic with destination port = 53. To enable this option, click on the List of known server destination port numbers Watch list, download it as a CSV file, set the ### Do not aggregate clients column to 1, and upload the CSV file back to the Module.
Data Consolidation Parameter
| Parameter Name | Description | Comments |
|---|---|---|
| Data Collection Interval, sec | Module logic execution interval | min = 5 sec, max = 86400 sec, default - 30 sec |
Data Sets and Enrichment Parameters
| Parameter Name | Description | Comments |
|---|---|---|
| List of known server destination port numbers | List of server destination ports to be used to determine which host is a client and which is a server. If the list is empty, the server is the one with a smaller port number. This parameter is ignored for unidirectional flows. | This parameter is pre-loaded with values from: https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml |
Input
NetFlow v5, v9, IPFIX, Cisco ASA NSEL, Palo Alto Networks NetFlow v9, sFlow.
Required NetFlow fields
| Information Element (IE) | IE id | IE size, B | Description |
|---|---|---|---|
| IPv4 | |||
| sourceIPv4Address | 8 | 4 | The IPv4 source address in the IP packet header |
| destinationIPv4Address | 12 | 4 | The IPv4 destination address in the IP packet header |
| IPv6 | |||
| sourceIPv6Address | 27 | 16 | The IPv6 source address in the IP packet header |
| destinationIPv6Address | 28 | 16 | The IPv6 destination address in the IP packet header |
Syslog/JSON Message Fields
| Key | Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | “nfc_id=20067” |
| flow_type | Type of Flow | string, e.g. NFv5, NFv9, sFlow, IPFIX, AWS, Azure, OCI, ... |
| exp_ip | NetFlow exporter IPv4 address | IPv4 address |
| exp_ip6 | NetFlow exporter IPv6 address | IPv6 address |
| input_snmp | NetFlow exporter ingress interface SNMP index | number |
| output_snmp | NetFlow exporter egress interface SNMP index | number |
| protocol [^1] | Transport Protocol (TCP = 6, UDP = 17) | number |
| src_ip | Source host IPv4 address | IPv4 address |
| src_ip6 | Source host IPv6 address | IPv6 address |
| src_host [^2] | Source host name | string, included when FQDN is on |
| src_port | Source port number | number |
| dest_ip | Destination host IPv4 address | IPv4 address |
| dest_ip6 | Destination host IPv6 address | IPv6 address |
| dest_host [^2] | Destination host name | string, included when FQDN is on |
| dest_port | Destination port number | number |
| [interface-id] | Interfce ID for AWS VPC Flow logs | string |
| tcp_flag | Cumulative OR of TCP flags | string, e.g. “SYN,ACK,FIN” |
| packets_in | Packets in the flow received by the input interface | number |
| bytes_in | Total number of Layer 3 bytes in the packets of the flow received by the input interface | number |
| src_tos | Inbound IP type of service | number |
| dest_tos | Outbound IP type of service | number |
| src_asn | Source AS | number |
| dest_asn | Destination AS | number |
| flow_count | Number of Flows | number |
| action [^3] | Flow action | string, The action is determined from IPFIX element 233 - firewallEvent and NFv9 / IPFIX element 89 - forwardingStatus |
| percent_of_total | Percent of Total (bytes) | decimal, e.g. 25.444% is 25.444 |
| [flow_smpl_id] | Flow Sampler ID | number |
| t_int | Observation time interval, msec | number |
[^1] Protocol field is optional. It is reported only if there is a corresponding field in NetFlow.
[^2] Host name field is optional and included only if FQDN Service is enabled
[^3] Action is reported as follows:
action=blockedfor firewallEvent 0 (ignored), 2 (deleted), and 3 (denied)action=allowedfor firewallEvent 1 (created), 4 (alert), and 5 (update)action=unknownfor forwardingStatus 00action=forwardedfor forwardingStatus 01action=droppedfor forwardingStatus 10action=consumedfor forwardingStatus 11