The Top N tab displays charts that show the top N contributors to the network traffic and how the top N contributors change over time.
This tab includes a control bar that allows you to select the
switch (Section 4.6, “Selecting a switch”) and interface
(Section 4.7, “Selecting an interface”) for which you would like
to analyze and view traffic data, and the type of chart to display.
You can also select a specific time interval (Chapter 10, Selecting a time period 
)
and filter on specific traffic (Chapter 11, Filtering)
![[Note]](images/note.png) |
Note |
|---|---|
|
When you have made changes to the selections for the chart, including creating a filter, you can save these selections in a bookmark (see Section 1.4, “Navigating around sFlowTrend-Pro using browser history and bookmarks”) so that you can easily return to the same chart at a later date. |
With sFlowTrend, or with sFlowTrend-Pro when the
Time
setting is relative to now (for example
Last hour
see Chapter 10, Selecting a time period ),
these charts are automatically updated when the next data
point is available. The Progress indicator shows how long it
will be before the chart is next updated.
The Top N charts show the top N contributors to the network traffic and how the top N contributors change over time. These charts are generated from the sampled packets exported by sFlow. Top N traffic charts are shown using stacked bar charts.
The following network traffic top N charts are available:
- Top sources
- The top sources of traffic.
- Top destinations
- The top destinations of traffic.
- Top input VLANs
- The VLANs which are providing the most input traffic to the switch.
- Top output VLANs
- The VLANs which are receiving the most output traffic from the switch.
- Top source-destination pairs
- The top source address and destination address pairs.
- Top source-destination flows
- The top source address, source port, destination address and destination port flows.
- Top inter-VLAN pairs
- The VLANs between which most traffic is flowing.
- Top connections
- Top connections is similar to Top source-destination flows, but combines both directions of the traffic belonging to a client/server connection.
- Top servers
- The top servers.
- Top clients
- The top clients.
- Top protocols
- The top protocols.
- Top broadcast flows
- The top flows of broadcast traffic.
- Top IP multicast flows
- The top flows of IP multicast traffic.
- Most connected sources
- The top sources ordered by the number of destinations that each source has connected to. This is also referred to as 'fan-out'. This chart is useful for security analysis, to help identify hosts that are exhibiting address scanning behavior.
- Most connected destinations
- The top destinations ordered by the number of sources that has connected to each destination. This is also referred to as 'fan-in'. This chart is useful for security analysis, to help identify hosts that might be victims of a distributed denial-of-service attack.
- Most popular protocols
- The top protocols ordered by the number of source/destination address pairs. This chart is also useful for security analysis, and shows the protocols that are most likely being used to perform scanning.
- Top wireless versions
- The wireless versions in use, for example 802.11a, 802.11g.
- Top SSIDs
- The top 802.11 wireless SSIDs in use.
- Top channels
- The top 802.11 wireless channels being used.
- Top cipher suites
- The top cipher suites being used to encrypt the 802.11 wireless traffic.
|
Note |
|---|---|
|
For any Top N charts where the contributors are addresses, the legend will display addresses and their DNS names (where addresses can be resolved to names) if Resolve IP addresses to hostnames in charts is selected in User preferences (see Section 13.1.2, “Chart settings”) |
|
Note |
|---|---|
|
In the VLAN charts, a VLAN of 0 indicates that no specific VLAN is being used, or the VLAN could not be determined. |
|
Note |
|---|---|
|
The 802.11 wireless charts will only display data if sFlowTrend-Pro is receiving sFlow from wireless devices that support the sFlow 802.11 Structures |
In addition to the standard Top N charts, you can also
define custom Top N charts. With a custom Top N chart
you can choose the attributes (key fields) that are used
to identify the top contributors. To define a custom Top N
chart, click on the
button next to the Chart selector. This
will display the Edit custom Top N
dialog. In the dialog, click on the
Add custom Top N button to display
a dialog that allows you to define the key fields for the
custom Top N.
For example, if you would like to see the top source addresses before NAT has taken place and the associated addresses after NAT, select sourceAddress from the Available fields list to add this key field to the selected fields list, then select sourceNATAddress. See Table 16.1, “Database key fields available for flows” for descriptions of the available key fields
You can also use key functions in a custom Top N chart definition. For example, if you would like to see the top subnets sourcing traffic click on the Function button to bring up the function editor dialog and enter subnet(ipSource). See Section 16.4.2, “Key functions” for details of key functions.
You can drag fields in the selected fields list to reorder the fields. You must enter a unique name for this custom Top N, before you click OK. After you click OK in the Edit custom Top N dialog, the custom Top N will be added to the Chart selector. Custom Top N charts are listed after the standard Top N charts in the selector. You can use the Edit custom Top N dialog to edit or remove existing custom Top N definitions.
|
Note |
|---|---|
|
The Available fields list includes
a type-in text field that allows you to filter the
available fields for fields whose names match the typed
in text. For example, you can type
|
|
Note |
|---|---|
|
Address translation data is available only if
sFlowTrend-Pro is receiving sFlow from devices that support
the |
You can use the Units selector to choose the measurement units used to calculate the top contributors. There are two types of Top N traffic charts:
- Rate-based charts
-
These charts show the top N contributors based on their associated traffic rate in either bits/s or frames/s. Example rate-based charts are Top sources, Top source VLANs, Top broadcast flows . Use the Units selector to choose whether the top contributors should be sorted based on their traffic rate in either bits/s or frames/s.
If a specific interface is selected, then the rate-based charts will show ingress traffic (above the x-axis) and egress traffic (below the x-axis). This shows the top N contributors of traffic entering or exiting the selected the interface. If the Units selector is set to Bits/s, the left y-axis will show the volume of traffic in bits/s, while the right y-axis will show the traffic volume in terms of % utilization of the interface bandwidth. If the Units selector is set to Frames/s, the traffic volume will be shown in frames/s.
If a specific wireless interface is selected, the Units selector includes an additional option, Air %. Air % is the percentage of the available bandwidth used by the traffic, taking into account the actual speed of transmission. Traffic transmitted at a low speed will have high air % utilization. This means that a host with poor signal strength may use a disproportionately large amount of wireless bandwidth and degrade performance for other users.
If the Interface selector is set to All, the charts will show the top contributors over the whole switch. If a connection oriented, client/server chart (Top connections, Top servers, Top clients, Top Protocols) is chosen, the chart will show traffic flowing to the server above the x-axis, while traffic flowing from the server will be shown below the x-axis. For the other rate-based charts, selecting All interfaces results in one overall rate for the switch. You can use the Units selector options of Bits/s and Frames/s to show top contributors based on the their traffic rate in terms of bits/s or frames/s respectively.
- Count-based charts
- These charts (Most connected sources, Most connected destinations, Most popular protocols) show an absolute count value for each of the top contributors. For example, the Most connected sources chart shows the count of destinations for each of the sources that talk to the most destination hosts. When these charts are selected, the Units, selector automatically changes to Count and cannot be altered.
The legend in the Top N traffic chart shows the top
contributors for the selected interval. The outlined
time stamp, for example
,
on the x-axis indicates the currently
selected interval. You can select an interval and
see the top contributors in that interval by
clicking with the
mouse button on the bar corresponding to the
interval of interest. Each other bar in the chart
will then be recolored to show how much traffic was
generated, in the interval represented by the bar,
by the top contributors from the currently selected
interval. This allows you to see how the top
contributors change over time.
If you are having difficulty in selecting a specific bar (because a mouse drag is detected and therefore a range is selected), you can use Control+ mouse button (or on a Mac Command+ mouse button) to select the bar.
If the latest (right most) bar is selected and the
Time
setting is relative to now (for example
Last hour
see Chapter 10, Selecting a time period ,
the charts will be updated automatically and
always display the contributors for the most recent
minute.
The grey part of each bar represents traffic not attributable to the top N shown in the legend (ie it represents the contribution from other sources, destinations etc. that are not in the top N).
If the whole of a bar is grey, the traffic in its interval is not attributable to any of the top contributors in the currently selected interval. You can click on this bar to make it the currently selected interval and see its top contributors.
You can find out more information about an end host
by clicking on
to the left of the host address in the legend.
This will open the Lookup host dialog
using the end host address. If the
Lookup host dialog is already open,
then the dialog will be changed to show
information for the newly selected host. See
Chapter 12, End host information for more information.
You can use the legend in the network traffic top N charts to drill-down on traffic of interest. For example, if you are viewing a Top sources chart and you notice that one host is responsible for the majority of the traffic, you can investigate who this host is talking to and which application is generating the traffic by clicking with the mouse button on legend item that corresponds to the host. The Top source-destination flows chart will then be displayed with a filter for the selected host applied. This will show you the top source-destination flows for which the host of interest is the source.
See Section 4.3.6, “Filtering for specific traffic” for more information of filtering on specific traffic.
sFlowTrend-Pro allows you to filter information displayed in a Top N traffic chart. This allows you to focus on traffic that may be of interest. For example, if you only wanted to look at web traffic, you could set a filter for only TCP port 80 traffic. See Chapter 11, Filtering for details.