The Explore page is used to query the traffic database and generate charts.
Topics:
- Which Database should I select?
- How do I trend utilization for a specific network interface?
- How do I select a particular time interval?
- How do I see top contributors to traffic?
- How do I drill-down and select specific traffic?
- How do I create a custom filter?
- How do I include a chart in a report?
Which Database should I select?
There are three types of data:
- Interface Counters: these databases contain counters collected for each interface. The counters databases are useful for trending long-term interface statistics (such as utilization).
- Interface Traffic: these databases contain detailed traffic flow information for interfaces. The interface traffic databases are used to break down traffic on a particular interface by source, protocol, priority or any other attribute of the packet flows. They are useful for troubleshooting traffic on an interface and identifying the top contributors to the interface traffic. Note: The Historical Interface Traffic database only contains information for routed traffic; hop-by-hop details of switched traffic are lost as part of the data consolidation process.
- Traffic: these databases contain end-to-end traffic flow information. Traffic can be filtered to select any subgroup of flows (for example, only traffic to a particular address). The selected traffic can then be broken out by source, protocol, priority or any other attribute of the packet flows. These databases are useful for general traffic reporting, reporting on specific hosts or protocols, and trending growth in network traffic.
There are two versions of each database:
- Recent: contains raw data before it is processed and stored in the historical database. The raw data is useful if you need to query very recent information (within the last hour), or if you need to see details that are not preserved in the historical database.
- Historical: contains an accurate long-term history of network traffic. The consolidation process combines duplicate measurements to ensure the greatest possible accuracy and discards details that are mainly used for short-term troubleshooting (for example, detailed layer-2 paths). Wherever possible the historical databases should be used, since they are faster and more accurate than the recent databases.
How do I trend utilization for a specific network interface?
- Select the Historical Interface Counters database.
- Select the interface from the Interface list. If the interface isn't in the list, go to the Sentinel:Search>Agent/Interface page to find the interface, then click on the Explore button to return to the Explore page. Alternatively, navigate to the interface using the Sentinel:Traffic>Status page. Once the interface has been selected, click on the Explore button.
- Select the set of counters to plot by choosing a Value setting (in this case select % Utilization).
- Select an Interval to plot.
How do I select a particular time interval?
Each chart has an Interval setting that allows the time range to be specified.
Time intervals are always relative to the current time (e.g. Yesterday, Last 6 Hours etc.). Relative times are useful when creating reports since the chart will automatically update its interval whenever the report is run.
Note: The actual interval used is displayed in the chart subtitle.
In trend charts it is possible to zoom in on particular subintervals of interest. Just position the mouse at the beginning of the subinterval you are interested in, click on the mouse button and drag to the end of the interval. Release the mouse button and the chart will zoom into the subinterval. To unzoom, click on the Unzoom button above the chart.
How do I see top contributors to traffic?
If any of the Traffic databases are selected, you will be able to pick a Category and Value for the chart. The Category determines the packet flow attribute that will be used to construct the categories in the chart and the Value determines the value that will be plotted. For example, setting Category = Source Address and Value = Bytes will display the total number of bytes transmitted by each source address.
The Truncate setting specifies the number of values to display. For example, setting Truncate = 5 in the previous example would display the top 5 source addresses (by bytes transmitted).
The Chart Type setting is used to determine the type of chart to display; such as bar chart, pie chart or trend chart.
The Show setting determines if names or numeric addresses will be used in the chart.
How do I drill-down and select specific traffic?
Clicking on a bar, a pie segment, or a legend item in a trend chart will add a filter to the Where box that selects traffic matching the indicated category. A quick way to drill down through traffic and construct a filter is to select a Category, click on a value, switch Category and click on another value. The filter in the Where box can be altered manually at any point (see How do I create a custom filter?). At any point the filter can be removed by clicking on the Clear button.
How do I create a custom filter?
The Where box is used to filter traffic queries so that only selected traffic is shown. A filter expression can be entered directly into the input box. Clicking on the OK button applies the filter. Clicking on the Clear button will remove the filter.
An easier way to construct filters is to click on the Edit button to display additional inputs used to construct the filter expression. The first input consists of a selection box containing attributes that can be compared, a selection box containing comparison operators and an input area to specify the values to be compared with the selected attribute. Clicking the Add button appends the comparison to the current filter. There are also boolean operator buttons (& and |) and bracket buttons that can be used to combine comparison expressions to form more complex filters. The filter builder only enables buttons and inputs when they are allowed at that point in the filter expression being constructed. Once the desired filter has been constructed, click on the OK button to apply it.
Note: If you just want to filter on a Host or Protocol then it is easier to set the Host and Protocol options in the Filter bar, rather than constructing a Where filter.
A basic filter expression consists of the name of an attribute, an operator and a set of comma-separated values. The allowed operators are:
- = equals
- != not equals
- ~ matches a regular expression
- !~ does not match a regular expression
Expressions can be combined using brackets and the boolean operators:
- & boolean AND
- | boolean OR
The following examples illustrate typical Where filters:
- ipsource = 10.1.1.23
- ipdestination != 10.0.0.0/24,10.0.1.0/24
- serverport = TCP:80,TCP:81,TCP:8080-8088
- sourcezone ~ research.*
- ipsource = 10.0.0.1 & ipdestination = 10.0.0.2
- ipsource = 10.0.0.1 & (sourceport = TCP:80 | destinationport = TCP:80)
- sourcezone = EXTERNAL | destinationzone = EXTERNAL
Note: The special zone EXTERNAL refers to addresses that aren't contained in any of the CIDRs specified using File > Configure.
WARNING: Care should be taken if a value in a filter expression contains any of the following special characters: brackets ( ), & | ! = ~, double or single quotes, backslash, comma or space. If the value contains any of these characters, the whole value string can be enclosed in single or double quotes, or each special character can be individually escaped with a \. The following examples show different ways of using the value "Research & Development" in filters:
- serverzone = "Research & Development", Sales
- clientzone = 'Research & Development'
- sourcezone = Research\ \&\ Development
- serverpath = ">>Research & Development>Data Center"
Note: Special characters typically occur because they are used in Zone or Group names when configuring Traffic Sentinel (see File>Configure). Care should be taken when filtering on zone, group or path attributes.
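The Category/Value/Truncate query described under "How do I see top contributors to traffic?", the Where-filter grammar above and the quoting rules in the warning, as an added example that is not Traffic Sentinel's own code: a small Python parser and evaluator for the Where syntax, applied to a constructed set of flow records, plus a quote() helper that escapes the special characters. Everything beyond the grammar the page states is an assumption: that & binds tighter than | (the page only shows bracketed mixes), that a comma-separated list matches if any of its values matches, that ~ is an unanchored regular-expression search, that = also understands CIDR values like 10.0.0.0/24 and port ranges like TCP:8080-8088, and that attribute names such as ipsource are keys of a flow dictionary. Traffic Sentinel's real semantics may differ.

```python
# Added example, not Traffic Sentinel code: a parser/evaluator for the Where-filter grammar above,
# run over constructed flow records. Assumed, not stated on the page: '&' binds tighter than '|';
# a comma list matches if any value does; '~' is re.search; '=' knows CIDR and PROTO:lo-hi ranges.
import ipaddress
import re

TOKEN_RE = re.compile(r'''\s*(?:(?P<op>!=|!~|=|~)|(?P<punct>[()&|,])
    |"(?P<dq>(?:\\.|[^"\\])*)"|'(?P<sq>(?:\\.|[^'\\])*)'
    |(?P<bare>(?:\\.|[^()&|!=~"'\\,\s])+))''', re.VERBOSE)


def quote(value):
    """Backslash-escape the characters the page lists as special, so the value is literal."""
    return re.sub(r'''([()&|!=~"'\\, ])''', r'\\\1', value)


def tokenize(text):  # -> [(kind, text)]; quoted or escaped values come back as plain 'value'
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f'bad filter syntax at offset {pos}: {text[pos:]!r}')
        pos, kind, raw = m.end(), m.lastgroup, m.group(m.lastgroup)
        if kind in ('dq', 'sq', 'bare'):  # strip quoting and resolve backslash escapes
            kind, raw = 'value', re.sub(r'\\(.)', r'\1', raw)
        tokens.append((kind, raw))
    return tokens


def parse(text):
    """expr := term ('|' term)*; term := factor ('&' factor)*; factor := '(' expr ')' | cmp"""
    toks, i = tokenize(text), 0
    def take(kind, want=None):  # consume the next token, checking its kind (and text)
        nonlocal i
        k, t = toks[i] if i < len(toks) else (None, None)
        if k != kind or want not in (None, t):
            raise ValueError(f'expected {want or kind}, got {t!r}')
        i += 1
        return t
    def at(sym):  # is the next token this punctuation character?
        return i < len(toks) and toks[i] == ('punct', sym)
    def chain(sub, sym, name):  # left-associative chain of sub() joined by sym
        node = sub()
        while at(sym):
            take('punct')
            node = (name, node, sub())
        return node
    def expr():  # a '|' chain of '&' chains, so '&' binds tighter (assumption)
        return chain(lambda: chain(factor, '&', 'and'), '|', 'or')
    def factor():
        if at('('):
            take('punct')
            node = expr()
            take('punct', ')')
            return node
        attr, op, values = take('value'), take('op'), [take('value')]
        while at(','):
            take('punct')
            values.append(take('value'))
        return ('cmp', attr, op, values)
    tree = expr()
    if i < len(toks):
        raise ValueError(f'unexpected {toks[i][1]!r} after a complete expression')
    return tree


def value_matches(pattern, actual):  # '=' semantics assumed: exact, CIDR, or PROTO:lo-hi range
    if '/' in pattern:  # CIDR containment, e.g. 10.0.0.0/24
        try:
            return ipaddress.ip_address(actual) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:  # actual is not an address (or pattern is not a network)
            return False
    rng, port = re.fullmatch(r'(\w+):(\d+)-(\d+)', pattern), re.fullmatch(r'(\w+):(\d+)', actual)
    if rng and port and rng.group(1) == port.group(1):  # port range, e.g. TCP:8080-8088
        return int(rng.group(2)) <= int(port.group(2)) <= int(rng.group(3))
    return pattern == actual


def evaluate(node, flow):  # True if the flow record (attribute -> value dict) passes the filter
    if node[0] in ('and', 'or'):
        left, right = evaluate(node[1], flow), evaluate(node[2], flow)
        return (left and right) if node[0] == 'and' else (left or right)
    _, attr, op, values = node
    actual = str(flow.get(attr, ''))  # a missing attribute never satisfies '=' or '~'
    match = re.search if op.endswith('~') else value_matches  # both take (pattern, actual)
    hit = any(match(v, actual) for v in values)  # comma list: any value may match (assumed)
    return hit if op in ('=', '~') else not hit


def top_contributors(flows, where, category, value='bytes', truncate=5):
    """Explore-style query: apply the Where filter, group by Category, sum Value, keep top N."""
    tree = parse(where) if where.strip() else None
    totals = {}
    for flow in flows:
        if tree is None or evaluate(tree, flow):
            totals[flow[category]] = totals.get(flow[category], 0) + flow[value]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:truncate]


FIELDS = ('ipsource', 'ipdestination', 'serverport', 'sourcezone', 'serverzone', 'bytes')
FLOWS = [dict(zip(FIELDS, row)) for row in (  # constructed sample records, not real traffic
    ('10.1.1.23', '10.0.0.5', 'TCP:80', 'research-lab', 'Research & Development', 5000),
    ('10.1.1.23', '10.0.1.9', 'TCP:8085', 'research-lab', 'Sales', 12000),
    ('10.2.2.2', '192.0.2.10', 'TCP:443', 'finance', 'EXTERNAL', 700),
    ('10.3.3.3', '10.0.0.7', 'UDP:53', 'finance', 'Research & Development', 300),
)]
```

With these records, top_contributors(FLOWS, 'serverport = TCP:80,TCP:81,TCP:8080-8088', 'ipsource') returns [('10.1.1.23', 17000)], the page's `ipdestination != 10.0.0.0/24,10.0.1.0/24` example leaves only the flow to 192.0.2.10, and parse('sourcezone = ' + quote('Research & Development')) yields the same tree as the double-quoted form. Note that a value with a stray bracket, ampersand or unbalanced quote is rejected by the tokenizer rather than silently changing the filter's meaning, which is the failure the warning above is about: build values with quote() (or the quoted forms the page shows) rather than pasting zone or group names in raw.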
How do I include a chart in a report?
The Copy to Editor button will be enabled if you have a report open in the Sentinel:Report>Edit page. Clicking on the button will switch to the Edit page and add a section matching the current query results. The new section can be modified to add a title and description (see How do I change section settings?).
Note: If the Copy to Editor button is disabled, click on the Edit tab and open an existing report, or create a new report. Return to your query results and the button will be enabled.