The Top N page displays top sources, protocols and connections.
Topics:
- How do I navigate the network hierarchy?
- How do I select the information displayed on the chart?
- How do I display information on items in the chart?
- How do I create a filter to select specific flows?
- How do I create a custom flow chart?
How do I navigate the network hierarchy?
The Filter bar at the top of the screen provides a way to navigate through the network hierarchy (see File>Configure to see how to group network devices). At the top level, a list of Zones is shown. Once you have selected a zone, the view drills down to show only information from the selected zone, and a list of Groups appears. Select a group and the view drills down to show only the information from the selected group, and a list of Agents appears. Finally, if you select an agent, its Interfaces are shown. Click on the links at any level in the path to move back up the tree to that level. Click on the Show Map button to view a map of the selected part of the network (see Sentinel:Maps>Layer 2). If a single agent has been selected, an Agent Details button appears. Click on the button to see detailed information about the agent (see Sentinel:Search>Agent/Interface). Finally, if a single interface is selected, an Explore button appears. Click on the button to see long term trends for the interface (see Sentinel:Report>Explore).
How do I select the information displayed on the chart?
The following Filter options are available:
- Chart selects the data to be displayed, details of the different chart options are given below.
- Host,Client,Server This button allows you to select traffic for a selected address. Any address that has been clicked on or entered on the Sentinel:Search>Host page during this session will be offered in the list. If you want to filter on an address that is not in the list, navigate to the Sentinel:Search>Host page, enter the address, and then come back to this page afterwards.
- Protocol This button allows you to add a filter to show only traffic for a selected protocol. Any protocol that has been clicked on or entered on the Sentinel:Search>Protocol page during this session will be offered in the list. If you want to filter on a protocol that is not in the list, navigate to the Sentinel:Search>Protocol page, enter the protocol, and then come back to this page afterwards. Some common protocol filters are always included here for convenience.
- Units specifies the scaling used on the vertical axis of the chart (when applicable - see the chart options below).
- Date select a date, Today will track most recent data.
- Time selects the hour at the start of the Interval, Now will track most recent data.
- Interval select the number of minutes of data to display. The interval starts from the specified Time, or if Time is set to Now displays an interval going back from the current minute. Setting a large Interval will cause the bars to change from 1 minute per bar to 2 or more minutes per bar, reducing the number of bars so that they are wide enough to display.
- Where is used for custom filtering of the flows (see How do I create a filter to select specific flows?).
The charts can be divided into two broad categories: charts based on unidirectional packet flows (expressed in terms of source and destination addresses for packets) and charts based on bidirectional connections (expressed in terms of traffic in and out of clients and servers).
In order to see flow or connection based charts, there needs to be flow data available from the network devices in the selected navigation path. You can check the availability of flow and counter data by the colors of the status boxes in the Traffic>Status view.
The following flow based charts are available:
- Top Sources shows the top sources of packets.
- Top Destinations shows the top destinations for packets.
- Top Source,Destination Pairs shows the top source address, destination address pairs.
- Top Source,Destination Flows shows the top source address, source protocol, destination address, destination protocol flows.
- Top Sources by #Destinations shows the top source addresses by the number of destination addresses they send packets to. This chart is useful for finding hosts that may be scanning your address space. This type of activity is typical of worms.
- Top Destination Protocols by #Pairs shows the top destination protocols by the number of source,destination pairs. This chart is useful for identifying the protocol associated with scanning activity and the service that an attacker is trying to compromise.
- Top Destinations by #Sources shows the top destinations by the number of sources sending them packets. This chart can identify victims of DDoS attacks. It can also identify scanning behavior by the error traffic that is generated by a typical scan.
- Top IP DSCP shows the top IP Differentiated Services Code Point (DSCP) values. This chart is useful for monitoring the amount of traffic in each service class and identifying traffic that is incorrectly marked.
- Top RTP Codecs shows the top codecs used in RTP traffic. This chart is useful for managing voice and video traffic.
- Top IP Multicast Flows shows the top source address, source protocol, destination address, destination protocol IP multicast flows. Select Units of Frames/sec. to diagnose the cause of multicast threshold events or high levels of multicasts in the Counters chart.
- Top IP Multicasts Flows by #Ports shows the top multicast flows by the number of switch ports that have seen them. The count of switch ports is useful for monitoring the reach of the multicast flows.
- Top IGMP Sources shows the top IGMP (Internet Group Management Protocol) sources. This chart is useful for examining the hosts subscribing to IP multicast streams.
- Top ICMP Unreachable Ports shows the TCP/UDP ports from packets that generated an ICMP port unreachable response. This chart is useful for identifying misconfigured hosts and port scanning activity on the network.
- Top AS Paths shows the top BGP AS paths.
- Top Sources for AS Path shows the top sources of packets on a selected BGP AS path.
- Top Destinations for AS Path shows the top destinations for packets on a selected BGP AS path.
- Top Pairs for AS Path shows the top source,destination address pairs on a selected BGP AS path.
- Top Flows for AS Path shows the top source address, source protocol, destination address, destination protocol flows on a selected BGP AS path.
- Top Protocols for AS Path shows the top destination ports on a selected BGP AS path.
- Top L2 Broadcast Flows shows the top sources of layer 2 broadcast packets. Select Units of Frames/sec. to diagnose the cause of broadcast threshold events or high levels of broadcasts in the Counters chart.
- Top L2 Multicast Flows shows the top sources of layer 2 multicast packets (with IP multicast flows excluded). Select Units of Frames/sec. to diagnose the cause of multicast threshold events or high levels of multicasts in the Counters chart.
- Top L2 Unicast Flows by #Ports shows the top layer 2 unicast traffic flows by the number of switch ports that have seen them. This chart is useful for identifying unicast flooding, often a symptom of layer 2 loops.
- Top ARP Requests shows the top ARP requests, including ARP sender and IP Target.
- Top ARP Responses shows the top ARP responses, including ARP sender, IP Target and MAC Target.
- Top VLANs shows the top VLANs.
- Top STP Roots shows the top spanning tree root MAC addresses. This chart is useful for identifying spanning tree problems where multiple roots may cause loops.
- Top TRILL Pairs shows the top TRILL ingress/egress bridge pairs.
- Top TRILL Hops shows the top TRILL inter-bridge hops by TRILL ingress/egress bridge and source and destination MAC addresses.
- Custom N shows a custom flow, see How do I create a custom flow chart?
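The three fan-out and fan-in charts above (Top Sources by #Destinations, Top Destination Protocols by #Pairs and Top Destinations by #Sources) are ranking queries over flow records. The following Python script is an added example, not code from Traffic Sentinel or from this page: it builds constructed sample flows and computes those three rankings with plain set-based counting, so that the scan and DDoS shapes the list describes stand out against ordinary traffic. The record keys (ipsource, ipdestination, destinationport), the fan_out_alerts helper and its threshold are assumptions made for illustration.

```python
from collections import defaultdict


def build_sample_flows():
    """Constructed sample flow records (not real data). Each record is one
    unidirectional packet flow keyed as the page's flow charts are."""
    flows = []
    # One host touching 20 distinct destinations on a single port: scanner-like fan-out.
    for i in range(1, 21):
        flows.append({"ipsource": "10.0.0.99", "ipdestination": f"10.0.1.{i}",
                      "destinationport": "TCP:445"})
    # 15 distinct sources all hitting one destination: the fan-in shape of a DDoS victim.
    for i in range(1, 16):
        flows.append({"ipsource": f"198.51.100.{i}", "ipdestination": "10.0.0.5",
                      "destinationport": "UDP:53"})
    # Ordinary client/server traffic for contrast.
    flows += [
        {"ipsource": "10.0.0.10", "ipdestination": "10.0.0.20", "destinationport": "TCP:80"},
        {"ipsource": "10.0.0.11", "ipdestination": "10.0.0.20", "destinationport": "TCP:80"},
        {"ipsource": "10.0.0.10", "ipdestination": "10.0.0.21", "destinationport": "TCP:443"},
    ]
    return flows


def _ranked(groups, n):
    """Turn {key: set_of_members} into [(key, count)], largest count first, key as tie-break."""
    return sorted(((k, len(v)) for k, v in groups.items()), key=lambda kv: (-kv[1], kv[0]))[:n]


def top_sources_by_destinations(flows, n=5):
    """Top Sources by #Destinations: distinct destinations reached by each source."""
    groups = defaultdict(set)
    for f in flows:
        groups[f["ipsource"]].add(f["ipdestination"])
    return _ranked(groups, n)


def top_destination_protocols_by_pairs(flows, n=5):
    """Top Destination Protocols by #Pairs: distinct (source, destination) pairs per protocol."""
    groups = defaultdict(set)
    for f in flows:
        groups[f["destinationport"]].add((f["ipsource"], f["ipdestination"]))
    return _ranked(groups, n)


def top_destinations_by_sources(flows, n=5):
    """Top Destinations by #Sources: distinct sources sending to each destination."""
    groups = defaultdict(set)
    for f in flows:
        groups[f["ipdestination"]].add(f["ipsource"])
    return _ranked(groups, n)


def fan_out_alerts(flows, threshold=10):
    """Sources whose distinct-destination count exceeds an assumed, tunable threshold."""
    ranking = top_sources_by_destinations(flows, n=len(flows))
    return [src for src, count in ranking if count > threshold]


if __name__ == "__main__":
    sample = build_sample_flows()
    print("Top Sources by #Destinations:", top_sources_by_destinations(sample))
    print("Top Destination Protocols by #Pairs:", top_destination_protocols_by_pairs(sample))
    print("Top Destinations by #Sources:", top_destinations_by_sources(sample))
    print("fan-out alerts:", fan_out_alerts(sample))
```

Counting distinct peers per key (sets) rather than packets is what makes these rankings sensitive to scans and floods: a busy file server generates many packets but few peers, while a scanner generates few packets per peer but many peers.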
The following connection based charts are available:
- Top Protocols shows the top protocols and the amount of traffic to and from servers of each protocol.
- Top Protocol Groups shows the top protocol groups and the amount of traffic to and from servers in each protocol group.
- Top Servers shows the top servers and the protocol they serve.
- Top Clients shows the top clients and the protocol they consume.
- Top Connections shows the top client,server connections.
- Top FCoE Targets shows the top FCoE servers.
- Top FCoE Initiators shows the top FCoE connections.
- Top FCoE Operations shows the top FCoE operations.
- Top AoE Targets shows the top AoE servers.
- Top AoE Initiators shows the top AoE connections.
- Top AoE Operations shows the top AoE operations.
How do I display information on items in the chart?
By default, the legend in a bar chart reflects the top contributors to the latest bar. Click on any bar to see the top contributors during that minute (and any traffic they may have generated at other times). Click on the last bar to restore the default behavior of displaying contributors to the most recent minute. The gray part of each bar represents traffic not attributable to the sources in the legend.
Click on links in the legend to perform actions on that item. The color boxes are also clickable, representing the entire row in the table. Clicking on an item opens a dialog box with buttons for each action.
One or more of the following actions may be available:
- Filter Create a Where filter to select flows containing the selected item.
- Exclude Create a Where filter to exclude flows containing the selected item.
- Search Go to the search page to find out additional information on the selected item. Click on the Traffic tab to return to your chart.
How do I create a filter to select specific flows?
The simplest way to filter traffic is to click on the legend item and create filters based on the selected item (see How do I display information on items in the chart?). For more complex filtering tasks, the following instructions describe how to manually enter a filter:
The Where box is used to filter traffic queries so that only selected traffic is shown. A filter expression can be entered directly into the input box. Clicking on the OK button applies the filter. Clicking on the Clear button will remove the filter.
An easier way to construct filters is to click on the Edit button to display additional inputs used to construct the filter expression. The first input consists of a selection box containing attributes that can be compared, a selection box containing comparison operators and an input area to specify the values to be compared with the selected attribute. Clicking the Add button appends the comparison to the current filter. There are also boolean operator buttons (& and |) and bracket buttons that can be used to combine comparison expressions to form more complex filters. The filter builder only enables buttons and inputs when they are allowed in the filter expression that is being constructed. Once the desired filter has been constructed, click on the OK button to apply it.
Note: If you just want to filter on a Host or Protocol then it is easier to set the Host and Protocol options in the Filter bar, rather than constructing a Where filter.
A basic filter expression consists of the name of an attribute, an operator and a set of comma separated values. The allowed operators are:
- = equals
- != not equals
- ~ matches a regular expression
- !~ does not match a regular expression
Expressions can be combined using brackets and the boolean operators:
- & boolean AND
- | boolean OR
The following examples illustrate typical where filters:
- ipsource = 10.1.1.23
- ipdestination != 10.0.0.0/24,10.0.1.0/24
- serverport = TCP:80,TCP:81,TCP:8080-8088
- sourcezone ~ research.*
- ipsource = 10.0.0.1 & ipdestination = 10.0.0.2
- ipsource = 10.0.0.1 & (sourceport = TCP:80 | destinationport = TCP:80)
- sourcezone = EXTERNAL | destinationzone = EXTERNAL
Note: The special zone EXTERNAL refers to addresses that aren't contained in any of the CIDRs specified using File > Configure.
WARNING: Care should be taken if a value in a filter expression contains any of the following special characters: (, ), &, |, !, =, ~, ", ', \, comma or space. If the value contains any of these characters then the whole value string can be enclosed in single or double quotes, or the special characters can be individually escaped with a \. The following examples show different ways of using the value "Research & Development" in filters:
- serverzone = "Research & Development", Sales
- clientzone = 'Research & Development'
- sourcezone = Research\ \&\ Development
- serverpath = ">>Research & Development>Data Center"
Note: Special characters typically occur because they are used in Zone or Group names when configuring Traffic Sentinel (see File>Configure). Care should be taken when filtering on zone, group or path attributes.
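The Where filter grammar described in this section (an attribute, an operator, comma separated values, & and | combined with brackets, and quoting or backslash escaping of special characters) is small enough to implement end to end. The following Python script is an added example, not code from Traffic Sentinel: it tokenizes and parses an expression into a tree and evaluates it over constructed sample flow records, so each of the example filters above can be tried offline and the quoting rules checked. Everything not stated on the page is an assumption made here: that & binds tighter than |, that an = value of the form a.b.c.d/n is a CIDR membership test and PROTO:lo-hi a port range, that a record lacking the attribute never matches, and that ~ uses unanchored Python regular expressions.

```python
import ipaddress
import re

# One regex alternative per token class. The "word" class stops at every character the
# page lists as special, except that a backslash takes the following character literally.
TOKEN_RE = re.compile(
    r'\s+|(?P<punct>[()&|,])|(?P<op>!=|!~|=|~)|"(?P<dq>[^"]*)"'
    r"|'(?P<sq>[^']*)'|(?P<word>(?:\\.|[^()&|!=~\"'\\, ])+)")


def tokenize(text):
    """Lex a Where expression into (kind, value) pairs; quotes and escapes are
    resolved here so the parser only ever sees clean VALUE tokens."""
    toks, i = [], 0
    while i < len(text):
        m = TOKEN_RE.match(text, i)
        if not m:  # stray '!', dangling backslash, unterminated quote, ...
            raise ValueError(f"cannot tokenize at offset {i}: {text[i:]!r}")
        i, kind = m.end(), m.lastgroup
        if kind == 'punct':
            toks.append((m.group(), m.group()))
        elif kind == 'op':
            toks.append(('OP', m.group()))
        elif kind in ('dq', 'sq'):
            toks.append(('VALUE', m.group(kind)))
        elif kind == 'word':
            toks.append(('VALUE', re.sub(r'\\(.)', r'\1', m.group())))
    return toks


def parse(toks):
    """Recursive descent: expr := term ('|' term)*; term := factor ('&' factor)*;
    factor := '(' expr ')' | attr OP value (',' value)*.  Assumption: & binds tighter than |."""
    pos = [0]

    def peek():
        return toks[pos[0]][0] if pos[0] < len(toks) else None

    def take(kind):
        if peek() != kind:
            raise ValueError(f"expected {kind} at token {pos[0]}")
        pos[0] += 1
        return toks[pos[0] - 1][1]

    def expr():
        node = term()
        while peek() == '|':
            take('|'); node = ('or', node, term())
        return node

    def term():
        node = factor()
        while peek() == '&':
            take('&'); node = ('and', node, factor())
        return node

    def factor():
        if peek() == '(':
            take('('); node = expr(); take(')'); return node
        attr, op, values = take('VALUE'), take('OP'), [take('VALUE')]
        while peek() == ',':
            take(','); values.append(take('VALUE'))
        return ('cmp', attr, op, values)

    node = expr()
    if peek() is not None:
        raise ValueError("unexpected trailing tokens")
    return node


def value_matches(actual, pattern):
    """Assumed '=' semantics drawn from the page's examples: CIDR membership for
    a.b.c.d/n, PROTO:port or PROTO:lo-hi range for ports, otherwise an exact string."""
    if '/' in pattern:
        try:
            return ipaddress.ip_address(actual) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    m = re.fullmatch(r'([A-Za-z]+):(\d+)(?:-(\d+))?', pattern)
    if m:
        a = re.fullmatch(r'([A-Za-z]+):(\d+)', actual)
        if not a or a.group(1).upper() != m.group(1).upper():
            return False
        return int(m.group(2)) <= int(a.group(2)) <= int(m.group(3) or m.group(2))
    return actual == pattern


def evaluate(node, flow):
    """Evaluate a parsed tree against one flow record (a dict of attribute -> string)."""
    if node[0] in ('and', 'or'):
        left, right = evaluate(node[1], flow), evaluate(node[2], flow)
        return (left and right) if node[0] == 'and' else (left or right)
    _, attr, op, values = node
    actual = flow.get(attr)
    if actual is None:
        return False  # assumption: a flow that lacks the attribute never matches
    if op in ('=', '!='):
        hit = any(value_matches(actual, v) for v in values)
    else:  # '~' and '!~' take a comma separated list of regular expressions
        hit = any(re.search(v, actual) for v in values)
    return hit if op in ('=', '~') else not hit


# Constructed sample flow records (not real data); keys follow the page's attribute names.
FLOWS = [
    {"ipsource": "10.1.1.23", "ipdestination": "10.0.0.7", "sourceport": "TCP:51000",
     "destinationport": "TCP:80", "serverport": "TCP:80", "sourcezone": "research-lab",
     "serverzone": "Research & Development"},
    {"ipsource": "10.0.0.1", "ipdestination": "10.0.0.2", "sourceport": "TCP:80",
     "destinationport": "TCP:40001", "serverport": "TCP:8085", "sourcezone": "Sales",
     "serverzone": "Sales"},
    {"ipsource": "192.0.2.9", "ipdestination": "10.0.5.40", "sourceport": "UDP:53",
     "destinationport": "UDP:5353", "serverport": "UDP:53", "sourcezone": "EXTERNAL",
     "serverzone": "Finance"},
]


def select(expression, flows=FLOWS):
    """Indices of the flows that a Where expression selects, e.g. select('ipsource = 10.1.1.23')."""
    tree = parse(tokenize(expression))
    return [i for i, f in enumerate(flows) if evaluate(tree, f)]
```

Resolving quotes and backslash escapes in the tokenizer, before any splitting on commas or operators, is what lets a zone name such as Research & Development pass through intact; a filter that split on & first would silently turn it into two comparisons.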
How do I create a custom flow chart?
The charts at the bottom of the list, labelled Custom N by default, are configurable by each user. When a customizable chart is selected, an Edit Columns button will appear immediately to the right of the chart name. Click on the Edit Columns button to reveal additional options. Each flow key will appear as an option button allowing the keys to be changed. Setting a key to None will remove it. An additional option button allows keys to be added. The Label field allows the chart to be named. Click on the Submit button to commit the changes.
Note: The number of custom charts can be configured using the Sentinel:Home>Settings form.