Network Traffic Reporting

Overview

Reporting is the interface customers spend the most time in. This page outlines the functionality that can be found in all of the menus of the status tab. If the user is more of a visual learner, training videos are available on the plixer web site.

Templates

Unlike NetFlow v5, NetFlow v9 and IPFIX use templates to dynamically define what is being sent in the flows. Templates are the decoder that is provided by flow exporter. They are used by the flow collector to decipher and ingest the flows.

The reporting options (I.e. menu) available on every flow exporting device is dependent on the values in the template. For example, when clicking on a flow exporting device to launch the report menu, the report “Vendor by MAC” under “Source Reports” will not appear if the MAC address is not exported in the template from the device. If another flow exporting device is selected the user may find that the “Vendor by MAC” report does appear. It all depends on what is being exported in the templates from each device.

This template intelligence becomes critically important when trying to understand why the system is behaving differently with oddly formatted vendor flow exports. For example, some flow exports do not provide an ingress or egress interface. When this is the case, the device will not show up in the interface list of the Status tab. To run reports, the user will have to find the device in the Device Explorer.

The available reports for each device can be observed by navigating to Status > System > Available Reports. The Available Reports view provides the ability to view, sort, and filter report lists by Group Name, Report Name, and Template Count.

Report Types

There are hundreds of report types in the database. Most will never appear in the menu because they only appear if the necessary elements are available in the templates exported by the device. When reports are run, they group on the fields displayed. For example, the report Conversation WKP groups on Source IP address, WKP (common port) and Destination IP address. For answers to questions about anything not listed here, please contact Plixer support directly.

Current Report

The Current Report frame is displayed in the left hand pane when selecting an interface or after selecting the Run Report Wizard from the Trends menu in the Status tab. The graph and table data for the flow report is displayed in the main section of the screen to the right of the Current Report frame.

  • Colors: In the table below the graph, the top 10 or more entries are displayed. Only the Top 10 are in color. Entries 11 and up are rolled into the color gray. Notice the ‘Other’ entry at the bottom of the table. This is the total non Top 10 traffic. The ‘Total’ represents all traffic (i.e. Top 10 and Other traffic added together). These same colors are used in the graph to represent the Top 10 table entries. Greater than 11 entries can be displayed by visiting the gear menu.

Tip

The color selections can be changed in Admin > Security > User Accounts > {select a user} > Preferences > Rank Colors.

Warning

If the flow device (e.g. router) is exporting multiple templates for different flows it is exporting, utilization could be overstated if the flows contain the same or nearly the same information. The front end of Scrutinizer will render reports using data from all templates with matching information. Be careful when exporting multiple templates from the same device! If this is the case, use the filters to select a single template.

No Data Found

The “No Data Found” message in a report indicates that historical data is not available for the time period requested. This could happen for either of the following reasons:

  1. Historical data settings are too low for the time frame requested. To increase the historical data retention, go to Admin tab -> Settings -> Data History.
  2. Flows are not being, or have not been, received from the exporter(s) during the time frame requested.

Current Report (frame contents)

At the top of the Current Report frame is a row of icons providing the following actions available for the report.

  • Clear (trashcan) is used to remove all items in the “Current Filter”.
  • Save (diskette) is used to save a collection of report filters and parameters to create a Saved Report.
  • Save As (double diskette) is used to make a copy of a current Saved Report with a new name, leaving the original report intact.
  • Schedule (clock) is used to schedule a saved report.
  • Dashboards (grid) is used to place a saved report in a selected Dashboards sub tab.
  • Print (printer) is used to print the current report listed in the filter.
  • CSV (CSV) is used to export the data in the current report in CSV format.
  • PDF (PDF) downloads a pdf file containing the current report.
  • Email (@) is used to email the report displayed using the current filter(s). Separate multiple destination email addresses with a comma or semi colon.

Next in the Current Report frame are these additional reporting options.

  • Report: Enter a name if the report and filter(s) are to be saved for future reference.

  • Filters / Details: Button: clicking this opens the Report Details modal with the following tabs:

    • Collector Details: displays the collectors(s) that contained the flow exporters for this report.
    • Exporter Details: details about the exporters that are providing flows for this report.
    • Filters: view/edit/remove existing and add new filters to the report.
    • Threshold: view/edit/remove existing thresholds or add a threshold to the report.
    • Report JSON (API)

Gear icon

Clicking on the Gear icon will display many more reporting options:

  • Change Report Type button: Report types are displayed based on the data available in the templates selected.
  • Direction: Inbound, Outbound and Bidirectional. In Bidirectional mode, the outbound is displayed on the bottom of the trend. The reporting engine will try to use ingress flows to display inbound traffic however, if ingress flows are not available, it will try to use egress flows if available. The same logic holds true when displaying outbound traffic. The reporting engine will try to use egress flows however if none are available, it will use ingress flows. Switching the configuration on the router from exporting ingress to egress flows or vice versa will not be recognized by the reporting engine until after the top of hour.
  • Rate / Total: Select Rate to display Rate per second or Total for total amount per interval (e.g. 1 min, 5 min, 30 min, 2 hr, etc.). Some reports (e.g. Cisco Perf Monitor) default to Total. When the report is changed to display ‘Rate’, this value will not change automatically and will have to be changed back to Total manually. The opposite is also true.
  • Data Source: Auto, 1m, 5m, 30m, 2hr, 12hr, 1d, 1w. This tells the system which tables to take flows from when querying data used in the report. Generally the default is taken as the database has been optimized for this setting. This option allows the system to query several days of 1 minute tables (i.e. non rolled up data) when searching for specific values that may have been dropped in the higher interval data.

Warning

Selecting 1m (i.e. 1 minute tables) for a 24 hour time frame can take a significant amount of time to render depending on the volume of flows coming from the device. Expect results that vary between flow exporting devices.

Note

The number of intervals used for granularity is set via the “Target graph interval” setting found under the Admin tab > Settings > reporting.

  • Number of Rows: 10, 25, 50, 100, … 10000 This is the top number of results to be displayed in the table below the trend. The default can be set under Admin tab -> Security -> User Preferences.
  • Show Host Names: Toggle between displaying IP addresses or DNS Host names in the table data.
  • Show Raw Values: Formatted/Raw displays the data in certain columns either formatted (5.364 Mb/s) or raw value (5364239).
  • Bits / Bytes / % Util: Can be used when available to change the type of data used for the trend/table. This option does not apply to all report types. Percent utilization (% Util) is not available unless the interface speed is picked up via SNMP. Interface speed can also be entered manually via the Interface Details View or as a report filter. When multiple interfaces are included in a report, the calculated interface speed with be the SUM of all interface speeds. Inbound is calculated separately from outbound. The summed port speed is used for percent calculations. All interfaces are required to have a defined speed for percentage reports. If ‘Percent’ is selected in the drop down box, it represents the overall percent of the entire interface. The preceding percent column that can’t be changed represents the percent of the overall bandwidth consumed.
  • Show Peak: If ‘Yes’ is selected, a Peak column is added to the report. Peak values are the highest data point in the graph in the same interval the graph is reporting in.
  • Show 95th: If ‘Yes’ is selected, a 95th (percentile) column is added to the report. The 95th percentile is a mathematical calculation used to indicate typical bandwidth utilization. The top 5% data points in the graph are dropped, making the “95th” data point now the top bandwidth usage point. For example, in a graph with 100 data points, the 5 highest values are removed, and the next highest becomes the 95th percentile.

Note

How is the 95th percentile calculated?

The data points in the graph are sorted from smallest to largest. Then the number of data points is multiplied by .95 and rounded up to the next whole number. The value in that position is the 95th percentile.

Example -

Data points = [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25]

25 data points *.95 = 23.75

Round 23.75 up to the next whole number = 24

The value in position 24 is the 95th percentile, which in this example = 24

Why are the peak and 95th percentile values the same in some reports?

  • If a report has less than 21 data points, the largest number is always the 95th percentile. Increase the granularity in the report for increased accuracy.
  • Show Interfaces: Adds an ‘in Int’ and an ‘out Int’ column to the report, showing inbound and outbound interfaces for the flow data reported.
  • Data Mode: This specifies the source of the data. The two values are Summary or Forensic. Both values at one minute intervals represent 100% of the data with some significant differences:
    • Summary: Has been aggregated based on a definable tuple. The default aggregation is on the Well Known Port. This means that the source and destination ports are dropped as is everything else in the flows that isn’t needed to run most of the reports. Visit Data Aggregation to learn more about what is kept in Summary tables. As result of this optimization, the table sizes are much smaller which results in faster rendering of reports. This is the default data used to create the higher rollups (E.g. 5 min, 30 min, 2hr, etc. intervals).
    • Forensic: This is the raw flows with no aggregation and all of the elements are retained. It is used for vendor specific reports and for a few reports which display the source and destination ports. These tables are not rolled up in SAF mode and therefore, history trends that use the forensic tables will be limited to the length of time that the 1 minute interval data is saved. If however, the server is running in traditional mode, roll ups will occur as summary tables are not created in traditional mode.

Graph Options

  • Graph Type: Line, Step, Bar, Pie, Matrix is the type of graphical presentation to be displayed. Try clicking and dragging on the line chart to zoom in on time frames. All graphing options are not available for all Report Types. For example, the Matrix graph will only work with reports that have a source and destination field, such as reports in the Pairs report group.

    Note

    The system will auto determine the number of intervals or data points in a trend. Click here to learn how trends determine intervals.

  • Stacked/Unstacked: Select Stacked to display the total amount. Select Unstacked to display the top 10 individually. Some reports (e.g. Cisco PfM reports) default to Unstacked. When the report is changed to a report normally displayed as Stacked, this value will not change automatically and will have to be changed to Stacked manually.

  • Show Others: Set this option to ‘No’ to hide the gray ‘other’ traffic in the trend or pie chart. Other traffic is discussed in depth in the section on Data Aggregation. This option is often used in sFlow reports. Other traffic:

    • In the trending graph it is the non Top 10 traffic and shows up as gray in color.
    • In the table below the graph, the Other value at the bottom of a report table is the total traffic, minus the sum of the line items displayed. Notice as the pagination is clicked, the total Other traffic increases.
    • Some report types will have this option set to ‘No’ by default. When changing to another report, it should be manually changed to ‘Yes’

Note

In a standard interface trend (e.g. Top Protocols) with no filters other than the interface, the graph is first built using data from the totals tables and then the data from the Top 10 in the related Summary or Forensic table is subtracted from the total and then added back individually to display the colors for each of the Top 10. These two tables are discussed in further detail in the section below on Filters. As the pagination is clicked at the bottom of the table, all of the data that makes up the 11th color (I.e. gray) comes into view.

Date / Time Options

Timezone: server timezone is displayed here

  • Reporting & Timezones: Flow timestamps are stored in epoch format, which is time zone agnostic. When a report is loaded, Scrutinizer uses the browser’s time zone setting to format the epoch timestamps into a human-readable date format. Individual users can change their time zone setting in the Admin > Security > [User] view. A setting of “Automatic” will default to the browser’s configured time zone.
  • Range: A drop down box to select a reporting time frame.
  • Report Start / Report End: The actual date text can be altered or the arrows to the left and right of the displayed time can be clicked to shift the time period displayed. Avoid saving a report with a ‘Custom’ time frame as each time the report is run, it will execute with the exact same start and end time. If the data necessary for the custom time frame report has been deleted, the report will display with a “no data available” message. Suggested save times include “Last 5 minutes” or “Last 24 hours”.
  • Apply Dates: Click this button after making any date / timeframe changes to have the changes take effect.
  • Business Hours: This is configured with a filter. See the Business Hours entry in the Filters - Include or Exclude Data section below.

Saved Reports

Refer to the Saved Reports section in the Status Tab Overview page for more information on the Saved Reports view.

Filters - Include or Exclude Data

It is often necessary to filter on the flow data to narrow in on desired traffic. For this reason, data in a report can be included or excluded. Clicking on the “Filters / Details” button in the left pane of the screen will popup a modal.

  1. First option is to select the type of filter. Included in this list are:

    • General filter names are commonly used filters with familiar names. They allow certain boolean expressions for example, host to host, domain to domain, subnet range or Application Defined (i.e. defined range of ports and IP addresses). These filters are not always in the actual NetFlow or sFlow export rather, they are derived via portions or combinations of fields.

      • Not all devices (i.e. switches and routers) include TCP flags or nexthop in their NetFlow exports. If a field is not included in the NetFlow export for a device, it will not be part of the filter list for that device.
    • Advanced filter lists all of the fields that are collectively in all of the templates being used in a report. For example, if the device is exporting MAC addresses in only one of two templates being used in a report, MAC address will appear.

    • Calculated Column Filter lists any calculated columns available in the current report, ie. sum_octetdeltacount, sum_packetdeltacount.

    • The following special case filters are also available:

      • Business Hours filter provides the ability to limit the reporting data between the start and end times, change the reporting timezone, and also select the days of the week for the report. The default Business Hours settings are defined in Admin > Reports > Settings > Business Hours End and Business Hours Start. Business hours days of week default to Monday - Friday.

      • Port Speed, this filter allows the user to set a port speed for a report.

      • Sample Multiplier filter allows the user to set a multiplier value for sampled flows to recalculate to full flow values.

      • Wildcard Mask, this filter allows the user to add a custom mask to filter on networks “like” the search criteria.

        For example:

        Network: 10.0.11.3
        Mask: 0.255.128.240
        Results:
        10.1.11.51
        10.30.11.3
        10.27.11.3
        10.26.11.35
        10.26.11.3
        10.26.11.19
  2. After selecting a filter type/name, other type specific options will appear. If the filter type has a predefined list of items, a dropdown list will appear to select from, otherwise a textbox will be displayed for entering the filter data. If Source or Destination are applicable, another dropdown selector will appear for selecting Source, Destination, or Both. If it is a calculated column, a dropdown selector of numerical comparisons will appear.

  3. The next option is to select whether this will be an Include or an Exclude filter. Include filters will only display flow data where the filter criteria is equal. Exclude filters will display everything except the filtering criteria.

  4. When all options are completed, the Add Filter button will appear, allowing the new filter to be added to the existing filters. After adding the new filter, the Update Report button displays and clicking that button is the last step to apply a new filter.

    • Report filters can also be added by simply dragging an item in the table portion of the report and dropping that item in either the Include Filter (green) or Exclude Filter (red) boxes that display on the left.
    • New or existing filters can be edited at any time by clicking on the edit link for the appropriate filter. After editing is completed, click the Save button in the filter, then click they Apply button at the top of the filter list.

Archived Data: Three types of historical tables are maintained for each NetFlow exporting device.

  • Forensic - This was formally the Conversations table. This table contains the actual raw flows.
  • Summary - This table contains 100% of the aggregated raw flows with no dropping. By default flows are aggregated based on the WKP (common port). Aggregation can be read about in the Data History section. If filters are used, these are the only tables used in the report.
  • Totals - This contains the actual amount of total traffic in and out an interface for each interval before flows are rolled up into the Summary table. This table must be maintained as the 5 minute interval and higher Summary tables only contain the top 1,000 by default for each interval. This can be increased in Admin > Settings > Data History > Flow Maximum Conversations. If filters are used, this table is no longer part of the report. A report with only a single interface filter (i.e. selected interface) will use this table so that total utilization is accurate over time.

Note

Interface utilization reports based on NetFlow or IPFIX flows seldom, if ever, match exactly to the same interface utilization report based on SNMP counters. Remember, it can take 15 or more seconds before a flow is exported. SNMP, on the other hand, is more realtime and the counters include other types of data not reflected in flows (e.g. ethernet broadcasts).

Filter Logic:

  • Including and excluding data using the same filter field twice creates a logical ‘OR’ relationship (e.g. display all traffic if it includes 10.1.1.1 OR 10.1.1.2).

  • Including and excluding data using different filter fields creates a logical ‘AND’ relationship (e.g. display all 10.1.1.1 traffic AND that uses port 80).

  • When adding an ‘IP Host’ to an ‘IP Range’ or an ‘IP Host’ to a ‘Subnet’ filter, the ‘AND’ rule applies. For example, if an IP Range filter of 10.1.1.1 - 10.1.1.255 is added and then an IP Host filter of 65.65.65.65 is added, the flows must match both filters.

  • When using Source or Destination or Both with IP Host, IP Range or Subnet, keep the following in mind:

    1. If the IP Host filter of ‘Source’ A (e.g. 10.1.1.4) is applied, then there may be data for inbound, but most likely not outbound. This is because what comes in as the Source, typically doesn’t go out the same interface as the Source. The same holds true with Destination addresses.
    2. If the IP Host filter of ‘Source’ A (e.g. 10.1.1.4) is applied and then a second filter of ‘Destination’ B (e.g. 10.1.1.5) is applied then only flows where the Source is A and the Destination is B will appear. Although this is adding the same filter ‘IP Host’ twice, the AND logic applies because host A is the source and host B is the destination and thus are different filter types. Note again that data for inbound may appear, but most likely there won’t be any outbound or vice versa. This is because what comes in as the Source, typically doesn’t go out the same interface as the Source. The opposite case applies when data appears for outbound using this type of filter.
    3. If trying to observe traffic between two IP Addresses, use the Host to Host Filter. There is also a filter for subnet to subnet.
    4. If the filter “Src or Dst” or ‘Both” is applied to an IP Host filter then all flows to or from A will appear and traffic both inbound and outbound will likely display data from A. If a second filter is added as “Src or Dst is B”, then traffic again will appear from both hosts in both directions. However, all flows must involve A or B as the Source or Destination.
  • The Interface filter is the first option that must be exercised prior to any other filter.

    • When mixing NetFlow and sFlow interfaces in a report, NetFlow data will usually dominate. This is due to NetFlow’s 100% accuracy with IP traffic where sFlow is sampled traffic.
    • Although sFlow samples packets, it can send interface counters that are 100% accurate. However, the totals tables used for total in / out traffic per interface are not referenced when mixing sFlow with NetFlow interfaces in reports. This leads to understating the ‘Other’ traffic in reports.
    • When reporting on the ‘ALL’ Interfaces option for a device, inbound should equal outbound in the trends. What goes in ALL interfaces generally goes out ALL interfaces.

Thresholds

Any report, with any combination of filters, can be turned into a traffic monitoring policy by adding a Threshold to the report. See the Report Thresholds page for more information.

Report Navigation

Clicking on any value in a row within the table located below the report graphic will present a menu of available report types. Remember, the report options displayed is dependent on the values in the templates coming from the device(s) used in the current report. When selecting a report in this way, the value selected will automatically be added as a filter to the new report generated.

If the selected table data is an IP Address, a menu option called “Other Options” will be listed as described below.

Other Options

In Other Options, the IP address selected is passed in the URL to the application. Default menu options are:

  • Report to ISP - Report suspicious behavior

  • Search

  • Alarms

  • Lookup - Whois Lookup

  • GEO IP - Geographical lookup

  • Talos Reputation Center - Leverages the Talos Geographical and detailed IP address information.

  • New applications can be added by editing the applications.cfg file in the /home/plixer/scrutinizer/files/ directory. The format for applications.cfg is: (title),(link),(desc) – one per line. The description is optional. For example:

    • FTP, ftp://%i, this will launch an ftp session to the IP address
    • Google, http://www.google.com/search?q=%i, this will launch a google search on the IP address

    Updates to the languages.english table also need to be made for the new menu option to show up:

    • The following is an example for the ‘WMI Usernames” script.

      • INSERT INTO languages.english (id, string) VALUES(‘WMIUsers’, ‘Current Users’),(‘WMIUsersDescr’, ‘Use WMI to identify users currently logged into the address above.’);

      • WMIUsers is the language key for the button name.

      • WMIUsersDescr is the language key for the description.

      • Then, in applications.cfg, add an entry to reference these language keys and associate the URL with them.

        • Open applications.cfg and add the following line without quotes: “WMIUsers, /cgi-bin/currentUsers.cgi?addr=%i, WMIUsersDescr”

Note

The applications.cfg file is located in the /home/plixer/scrutinizer/files/ folder and is used to map the URL of the new menu options to the language keys in the languages database table. (as explained above)