TCP Health Monitor (10060 / 20060)
This Module reports TCP health by detecting the hosts that send the most TCP resets (RST). To produce an accurate reset count when several exporters see the same traffic, the Module selects a definitive NetFlow exporter for each host: the exporter that observes the most TCP resets from that host.
A host qualifies as a top host when its TCP resets exceed a configurable percentage of all resets reported by its definitive NetFlow exporter, or a configurable percentage of the host's own connections. Both counts are taken from the definitive exporter. The thresholds are configurable; see the Parameters section below.
Default thresholds are:
- % of Total Resets = 10%
- % of Resets to local host connections = 50%
This means that a host and its RST count are reported if the host issued more than 10% of all resets observed by its definitive exporter, OR if the host's RSTs exceed 50% of all connections the host made.
Parameters

| Parameter | Description | Range / default |
| --- | --- | --- |
| Data Collection Interval, sec | Module logic execution interval | min = 5 sec, max = 600 sec, default = 30 sec |
| N - reporting threshold in percent of total resets number | % of Total Resets | min = 0 %, max = 100 %, default = 10 % |
| N - reporting threshold in percent of resets to the number of host connections | % of Resets to local host connections | min = 0 %, max = 100 %, default = 50 % |
This Module processes NetFlow v5, v9, IPFIX, and Palo Alto Networks NetFlow v9. sFlow and sampled NetFlow are specifically excluded from processing by this Module, because sampled records would under-count resets. Cisco ASA NSEL is not supported by this Module because NSEL records carry no TCP flags, so RSTs cannot be identified.
Syslog/JSON Message Fields - Hosts
| Field | Description | Value |
| --- | --- | --- |
| nfc_id | Message type identifier | "nfc_id=20060" |
| exp_ip | IP address of the definitive NetFlow exporter for this host | <IPv4 address> |
| src_ip | Source host IPv4 address | <IPv4 address> |
| src_ip6 | Source host IPv6 address | <IPv6 address> |
| src_host (1) | Source host name | <string>, included when FQDN is on |
| reset_count | Count of resets sent by the source host, as seen by the definitive exporter | <number> |
| total_share | Percent of the definitive exporter's total resets that were sent by the source host | <number> |
| local_share | Percent of the source host's connections that were resets | <number> |
| t_int | Observation time interval, msec | <number> |
(1) Host name field is optional and included only if FQDN Service is enabled.
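The following Python example is added here to make the definitive-exporter selection, the two share calculations, and the message fields above concrete; it is not NetFlow Optimizer's own code. It runs over a constructed set of flow records (two exporters, several hosts) and assumes the standard TCP flag bit layout of the NetFlow/IPFIX tcpControlBits field, that every TCP flow record from a host counts as one connection, and that a tie between exporters is broken by the lowest exporter IP. The `Flow` class, `tcp_health`, `to_syslog` and `SAMPLE_FLOWS` are names chosen for this example.

```python
# Added example, not NetFlow Optimizer code: the TCP Health Monitor logic
# applied to constructed NetFlow-style records. Assumptions are marked.
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Standard TCP flag bits as carried in the NetFlow/IPFIX tcpControlBits field.
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
PROTO_TCP, PROTO_UDP = 6, 17


@dataclass(frozen=True)
class Flow:
    """Minimal flow record: the reporting exporter plus the fields the Module needs."""
    exp_ip: str
    src_ip: str
    dst_ip: str
    proto: int
    tcp_flags: int


def tcp_health(flows, total_share_pct=10.0, local_share_pct=50.0, t_int_ms=30000):
    """Return one report dict per host that exceeds either threshold at its definitive exporter.

    Simplifications (assumptions, not from the documentation): each TCP flow record from a
    host counts as one connection, and a tie between exporters goes to the lowest exporter IP.
    """
    rst_by_exp = defaultdict(int)        # exporter -> total RSTs it observed
    rst_by_exp_host = defaultdict(int)   # (exporter, host) -> RSTs sent by host
    conn_by_exp_host = defaultdict(int)  # (exporter, host) -> TCP flows (connections) from host
    for f in flows:
        if f.proto != PROTO_TCP:
            continue  # only TCP records carry RST; non-TCP flows are ignored
        key = (f.exp_ip, f.src_ip)
        conn_by_exp_host[key] += 1
        if f.tcp_flags & TCP_RST:
            rst_by_exp_host[key] += 1
            rst_by_exp[f.exp_ip] += 1

    # Definitive exporter per host: the one that saw the most RSTs from that host.
    # Iterating in sorted order makes the lowest exporter IP win a tie.
    definitive = {}
    for (exp, host), n in sorted(rst_by_exp_host.items()):
        if host not in definitive or n > rst_by_exp_host[(definitive[host], host)]:
            definitive[host] = exp

    reports = []
    for host, exp in sorted(definitive.items()):
        key = (exp, host)
        rst = rst_by_exp_host[key]
        total_share = round(100.0 * rst / rst_by_exp[exp], 2)        # % of exporter's resets
        local_share = round(100.0 * rst / conn_by_exp_host[key], 2)  # % of host's connections
        if total_share > total_share_pct or local_share > local_share_pct:
            addr_field = "src_ip6" if ipaddress.ip_address(host).version == 6 else "src_ip"
            reports.append({
                "nfc_id": 20060,
                "exp_ip": exp,
                addr_field: host,
                "reset_count": rst,
                "total_share": total_share,
                "local_share": local_share,
                "t_int": t_int_ms,
            })
    return reports


def to_syslog(report):
    """Render a report in the key=value form used by the Module's syslog message."""
    return " ".join(f"{k}={v}" for k, v in report.items())


def _burst(exp_ip, src_ip, n_flows, n_rst):
    """Constructed sample: n_flows TCP flows from src_ip seen by exp_ip, n_rst of them with RST."""
    return [
        Flow(exp_ip, src_ip, "198.51.100.1", PROTO_TCP,
             (TCP_ACK | TCP_RST) if i < n_rst else (TCP_SYN | TCP_ACK))
        for i in range(n_flows)
    ]


# Constructed input: exporter 10.0.0.1 sees 5 resets in total, exporter 10.0.0.2 sees 13.
SAMPLE_FLOWS = (
    _burst("10.0.0.1", "192.0.2.10", 6, 4)     # definitive exporter 10.0.0.1 (4 RST vs 1 below)
    + _burst("10.0.0.2", "192.0.2.10", 3, 1)
    + _burst("10.0.0.1", "192.0.2.20", 10, 1)  # 20% of exporter total, only 10% of own connections
    + _burst("10.0.0.1", "192.0.2.30", 20, 0)  # no resets: never reported
    + [Flow("10.0.0.1", "192.0.2.30", "198.51.100.1", PROTO_UDP, 0)]  # UDP, ignored
    + _burst("10.0.0.2", "192.0.2.40", 15, 1)  # 7.69% / 6.67%: below both thresholds
    + _burst("10.0.0.2", "192.0.2.60", 8, 8)   # every connection reset
    + _burst("10.0.0.2", "2001:db8::5", 4, 3)  # IPv6 host, reported via src_ip6
)

if __name__ == "__main__":
    for rep in tcp_health(SAMPLE_FLOWS):
        print(to_syslog(rep))
```

Host 192.0.2.20 is the case to watch: it is reported on the total-share rule alone (20% of its exporter's resets) although only 10% of its own connections were resets, while 192.0.2.40 stays below both thresholds and is not reported. For JSON output the same dict can be passed to `json.dumps`.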