The Layer 3 page shows discovered routers and the subnets they connect.
Topics:
- How do I navigate the network hierarchy?
- What controls are available on the map?
- How do I get detailed information on a device?
- How do I display status on the map?
- How do I display traffic flows on the map?
- How do I create a filter to select specific flows?
How do I navigate the network hierarchy?
The map organizes network elements using the network hierarchy (see File>Configure). At the top level, Zones are shown as circles on the map. Click on a zone to expand it into the Groups it contains. Groups are shown as ovals on the map. Click on a group to see the devices within the zone. Switches and routers are shown as rectangular shapes (routers have curved corners).
Click on Zone, Group or Agent links at the top of the screen to show all the zones, groups or agents respectively.
What controls are available on the map?
The following operations are supported on the map:
- To zoom in, use the mouse wheel or right-click and select the Zoom In menu option.
- To zoom out again, use the mouse wheel or right-click and select the Zoom Out menu option.
- To pan, hold down the left button and drag the mouse.
- If a node has a bold outline, left-click on it to expand its links.
- Right-click on the background, a node or a link to bring up a pop-up menu with more options.
When clicking on the map background, the right button menu provides the following options:
- Back: go back to the previous map view
- Zoom In: increase the zoom level
- Zoom Out: decrease the zoom level
- Zoom Out (fit all): scale the map so that it fits on the screen
- Expand Groups: expand any groups on the screen and show the devices they contain
- Collapse Groups: collapse devices into groups
When clicking a device, link, group or zone, one or more of the following options will appear in the right button menu:
- Open: displays the contents of the zone or group and collapses the rest of the network into a cloud
- Expand: expands the map to show the contents of the zone or group
- Collapse Path: collapses all the devices in the path into their zone or group
- Search: search for additional information on the device or link
How do I get detailed information on a device?
Double-click on a switch, router or link to search for more details (see Sentinel:Search>Agent/Interface).
How do I display status on the map?
Set the Show option to Status. The color of Zones, Groups, Agents and links will reflect the worst status of any component of the item.
The following status colors are used:
- Unknown: No status information associated with this item.
- Good: The status of all components of this item is acceptable.
- Warn: At least one component of this item is indicating a warning.
- Critical: At least one component of this item is indicating a critical warning.
Note: The width of each link is proportional to the total amount of traffic (in bits/s) on the link. The Time setting (in the Filter bar) determines the period over which link traffic is computed.
How do I display traffic flows on the map?
Set the Show option to Flows. The thickness of lines will be determined by the amount of traffic during the specified Time that matches the filter.
The following filter settings are available:
- Host: This button allows you to select traffic for a selected address. Any address that has been clicked on or entered on the Sentinel:Search>Host page during this session will be offered in the list. If you want to filter on an address that is not in the list, navigate to the Sentinel:Search>Host page, enter the address, and then come back to this page afterwards.
- Protocol: This button allows you to add a filter to show only traffic for a selected protocol. Any protocol that has been clicked on or entered on the Sentinel:Search>Protocol page during this session will be offered in the list. If you want to filter on a protocol that is not in the list, navigate to the Sentinel:Search>Protocol page, enter the protocol, and then come back to this page afterwards. Some common protocol filters are always included here for convenience.
- AS Path: This button allows you to select traffic with a specified AS path. Any AS number or AS path that has been clicked on or entered on the Sentinel:Search>ASN page during this session will be offered in the list. If you want to filter on an AS path that is not in the list, navigate to the Sentinel:Search>ASN page, enter the path, and then come back to this page afterwards.
- Where is used for custom filtering of the flows (see How do I create a filter to select specific flows?).
Note: The map displays measured traffic; if a device does not support flow monitoring then the map will not be able to scale its links correctly.
How do I create a filter to select specific flows?
The Where box is used to filter traffic queries so that only selected traffic is shown. A filter expression can be entered directly into the input box. Clicking on the OK button applies the filter. Clicking on the Clear button will remove the filter.
An easier way to construct filters is to click on the Edit button to display additional inputs used to construct the filter expression. The first input consists of a selection box containing attributes that can be compared, a selection box containing comparison operators and an input area to specify the values to be compared to the selected attribute. Clicking the Add button appends the comparison to the current filter. There are also boolean operator buttons (& and |) and bracket buttons that can be used to combine comparison expressions to form more complex filters. The filter builder only enables buttons and inputs when they are allowed in the filter expression that is being constructed. Once the desired filter has been constructed, click on the OK button to apply it.
Note: If you just want to filter on a Host or Protocol then it is easier to set the Host and Protocol filters, rather than constructing a Where filter.
A basic filter expression consists of the name of an attribute, an operator and a set of comma separated values. The allowed operators are:
- = equals
- != not equals
- ~ matches a regular expression
- !~ does not match a regular expression
Expressions can be combined using brackets and the boolean operators:
- & boolean AND
- | boolean OR
The following examples illustrate typical where filters:
- ipsource = 10.1.1.23
- ipdestination != 10.0.0.0/24,10.0.1.0/24
- serverport = TCP:80,TCP:81,TCP:8080-8088
- sourcezone ~ research.*
- ipsource = 10.0.0.1 & ipdestination = 10.0.0.2
- ipsource = 10.0.0.1 & (sourceport = TCP:80 | destinationport = TCP:80)
- sourcezone = EXTERNAL | destinationzone = EXTERNAL
Note: The special zone EXTERNAL refers to addresses that aren't contained in any of the CIDRs specified using File > Configure.
WARNING: Care should be taken if a value in a filter expression contains any of the following special characters: (, ), &, |, !, =, ~, ", ', \, comma or space. If the value contains any of these characters then the whole value string can be enclosed in single or double quotes, or the special characters can be individually escaped with a \. The following examples show different ways of using the value "Research & Development" in filters:
- serverzone = "Research & Development", Sales
- clientzone = 'Research & Development'
- sourcezone = Research\ \&\ Development
- serverpath = ">>Research & Development>Data Center"
Note: Special characters typically occur because they are used in Zone or Group names when configuring Traffic Sentinel (see File>Configure). Care should be taken when filtering on zone, group or path attributes.
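The quoting rules above matter most when a filter is assembled from Zone or Group names rather than typed by hand: an unescaped & or | in a name changes the logic of the filter. The following Python sketch is an added example, not part of Traffic Sentinel; escape_value, build_comparison and split_values are hypothetical helper names, and split_values is an assumed reading of the rules in the WARNING, not the product's own parser.

```python
# Special characters listed in the WARNING: ( ) & | ! = ~ " ' \ comma space
SPECIAL = set('()&|!=~"\'\\, ')
OPERATORS = ("=", "!=", "~", "!~")


def escape_value(value):
    """Backslash-escape every special character individually."""
    return "".join("\\" + c if c in SPECIAL else c for c in value)


def build_comparison(attribute, operator, values):
    """Return 'attribute op v1,v2,...' with each value escaped."""
    if operator not in OPERATORS:
        raise ValueError("unsupported operator: %r" % operator)
    escaped = ",".join(escape_value(v) for v in values)
    return "%s %s %s" % (attribute, operator, escaped)


def split_values(text):
    """Split a value list on commas that are neither quoted nor escaped.

    Assumption: inside quotes every character is literal; outside quotes
    a backslash makes the next character literal and bare spaces are padding.
    """
    values, current, quote, i = [], [], None, 0
    while i < len(text):
        c = text[i]
        if quote:
            if c == quote:
                quote = None          # closing quote
            else:
                current.append(c)
        elif c == "\\" and i + 1 < len(text):
            i += 1
            current.append(text[i])   # escaped character kept literally
        elif c in "\"'":
            quote = c                 # opening quote
        elif c == ",":
            values.append("".join(current))
            current = []
        elif c != " ":
            current.append(c)
        i += 1
    if quote:
        raise ValueError("unterminated quote in value list")
    values.append("".join(current))
    return values
```

Escaping each character individually, rather than wrapping the value in quotes, also covers names that contain both kinds of quote character.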