The Filter bar at the top of the screen provides a way to navigate through the network hierarchy (see File>Configure to see how to group network devices). At the top level, a list of Zones is shown. Once you have selected a zone, the view will drill down to only show information from the selected zone, and a list of Groups will appear. Select a group and the view will drill down to only show the information from the selected group, and a list of Agents will appear. Finally, if you select an agent, its Interfaces will be shown. Click on the links at any level in the path and you will move back up the tree to that level. If a single agent has been selected, a Details button will appear. Click on the button to see detailed information about the agent (see Search>Agent/Interface).
The following Filter options are available:
- Chart selects the data to be displayed; details of the different chart options are given below.
- Host,Client,Server filters the data to show only the specified host. Select All to disable host filtering. Hosts are added to the list when you search for them (see Search>Host).
- Protocol filters the data to show only the selected protocol. Select All to disable protocol filtering. Protocols are added to the list when you search for them (see Search>Protocol).
- Units specifies the scaling used on the vertical axis of the chart (when applicable - see the chart options below).
- Time selects the time period displayed.
The charts can be divided into three broad categories: charts based on packet counters, charts based on unidirectional packet flows (expressed in terms of source and destination addresses for packets) and charts based on bidirectional connections (expressed in terms of traffic in and out of clients and servers).
Counter based charts are only available when you drill down to individual interfaces (see Filter above for information on selecting an interface). The following counter based charts are available:
- Counters shows basic interface counters. Click on a counter name in the chart legend to display only that counter. Click again to display all counters. The counters view is useful for examining the number of errors, broadcasts, multicasts or discards on an interface. High error rates can indicate a bad cable or interface card. High discard rates may indicate that the device cannot keep up with traffic. Use Top Broadcast/Multicast Sources charts to help identify the sources of high broadcast or multicast levels.
- Utilization shows utilization of the interface. The utilization chart is useful for identifying any capacity problems with the interface. If utilization approaches 100% for sustained periods then action should be taken to increase the capacity of the link, reorganize the topology of the network, or limit the applications making use of the link. Use Top Sources with Units set to Bits/sec. to start diagnosing the major sources of high utilization.
In order to see flow or connection based charts, there needs to be flow data available from the network devices in the selected navigation path. You can see the availability of flow and counters data by the colors of the status boxes in the Traffic>Status view.
By default, the legend in a bar chart will reflect the top contributors to the latest bar. Click on any bar to see the top contributors during that minute (and any traffic they may have generated at other times). Click on the last bar to restore the default behavior of displaying contributors to the most recent minute. The gray part of each bar represents traffic not attributable to the sources in the legend.
Click on addresses, protocols, or flows in the legend to obtain further information on the selected item. If you click on an address, information about the address (including its location in the network) will be displayed (see Search>Host). If you click on a protocol, information about the protocol will be displayed (see Search>Protocol). Finally, if you select a source,destination flow, you will see information about the path that the traffic takes through the network (see Search>Path). Click on the Traffic tab to return to your chart.
Note: You must click on a protocol or host if you want to be able to use it as a filter in other Chart selections.
The following flow based charts are available:
- Top Sources shows the top sources of packets.
- Top Destinations shows the top destinations for packets.
- Top Source,Destination Pairs shows the top source address, destination address pairs.
- Top Source,Destination Flows shows the top source address, source protocol, destination address, destination protocol flows.
- Top L2 Broadcast Flows shows the top sources of layer 2 broadcast packets. Select Units of Frames/sec. to diagnose the cause of broadcast threshold events or high levels of broadcasts in the Counters chart.
- Top L2 Multicast Flows shows the top sources of layer 2 multicast packets (with IP multicast flows excluded). Select Units of Frames/sec. to diagnose the cause of multicast threshold events or high levels of multicasts in the Counters chart.
- Top IP Multicast Flows shows the top source address, source protocol, destination address, destination protocol IP multicast flows. Select Units of Frames/sec. to diagnose the cause of multicast threshold events or high levels of multicasts in the Counters chart.
- Top AS Paths shows the top BGP AS Paths.
- Top Sources by #Destinations shows the top source addresses by the number of destination addresses they send packets to. This chart is useful for finding hosts that may be scanning your address space. This type of activity is typical of worms.
- Top Destination Protocols by #Pairs shows the top destination protocols by the number of source,destination pairs. This chart is useful for identifying the protocol associated with scanning activity and the service that an attacker is trying to compromise.
- Top Destinations by #Sources shows the top destinations by the number of sources sending them packets. This chart can identify victims of DDoS attacks. It can also identify scanning behavior by the error traffic that is generated by a typical scan.
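The last three charts rank by the number of distinct peers rather than by traffic volume. The Python sketch below is an added example, not code from the product; the flow tuple layout, addresses and protocol labels are constructed for illustration. It shows how the three rankings surface a scanning host, the service being probed, and a destination receiving traffic from many sources.

```python
from collections import defaultdict

# Constructed flow records: (source, destination, destination protocol).
FLOWS = (
    # 10.0.0.99 probes TCP:445 across 40 addresses (scan-like fan-out)
    [("10.0.0.99", f"10.0.1.{i}", "TCP:445") for i in range(1, 41)]
    # 10 probed hosts send error traffic back to the scanning host
    + [(f"10.0.1.{i}", "10.0.0.99", "ICMP") for i in range(1, 11)]
    # 25 distinct sources converge on one destination (DDoS-like fan-in)
    + [(f"198.51.100.{i}", "192.0.2.10", "TCP:80") for i in range(1, 26)]
    # ordinary traffic, including a repeated flow for the same pair
    + [
        ("10.0.0.5", "10.0.0.20", "TCP:443"),
        ("10.0.0.5", "10.0.0.20", "TCP:443"),
        ("10.0.0.6", "10.0.0.20", "TCP:443"),
        ("10.0.0.7", "10.0.0.53", "UDP:53"),
    ]
)

def rank_by_distinct(flows, key, member, top=3):
    """Rank key(flow) by the number of distinct member(flow) values seen."""
    seen = defaultdict(set)
    for flow in flows:
        seen[key(flow)].add(member(flow))
    counts = [(k, len(v)) for k, v in seen.items()]
    # Highest count first; ties broken by key so the output is deterministic
    return sorted(counts, key=lambda kv: (-kv[1], kv[0]))[:top]

def top_sources_by_destinations(flows, top=3):
    return rank_by_distinct(flows, lambda f: f[0], lambda f: f[1], top)

def top_destination_protocols_by_pairs(flows, top=3):
    return rank_by_distinct(flows, lambda f: f[2], lambda f: (f[0], f[1]), top)

def top_destinations_by_sources(flows, top=3):
    return rank_by_distinct(flows, lambda f: f[1], lambda f: f[0], top)

if __name__ == "__main__":
    for chart in (top_sources_by_destinations,
                  top_destination_protocols_by_pairs,
                  top_destinations_by_sources):
        print(chart.__name__, chart(FLOWS))
```

In the constructed data, 10.0.0.99 leads the first ranking and also appears second in the third ranking because of the error traffic returned to it, which is the scanning signature the Top Destinations by #Sources description mentions.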
The following connection based charts are available:
- Top Protocols shows the top protocols and the amount of traffic to and from servers of each protocol.
- Top Protocol Groups shows the top protocol groups and the amount of traffic to and from servers in each protocol group.
- Top Servers shows the top servers and the protocol they serve.
- Top Clients shows the top clients and the protocol they consume.
- Top Connections shows the top client,server connections.