Vunetrix Network Monitor vCloud

Vunetrix Manual: Toplists

Packet Sniffer and xFlow (NetFlow, jFlow, sFlow, IPFIX) sensor types can not only measure the total bandwidth usage, they can also break down the traffic by IP address, port, protocol, and other parameters. The results are shown in so-called Toplists. This way Vunetrix is able to tell which IP address, connection, or protocol uses the most bandwidth. Vunetrix looks at all network packets (or streams) and collects the bandwidth information for all IPs, ports, and protocols. At the end of the toplist period, Vunetrix stores only the top entries of each list in its database.

Only Top Entries are Stored

Storing all available analysis data in a database during the analysis process would create a huge amount of data, which would be very slow to transfer between probe and core and too slow to retrieve. By storing only the top 100 entries for short periods of time, it is possible to reduce the amount of data to a minimum while still being able to identify devices with huge bandwidth usage.

Toplists Overview

Toplists are available for xFlow, IPFIX, and Packet Sniffer sensors only. Toplist graphs are displayed right on the sensor overview page. By default, there are three different toplists predefined for each sensor:

  • Top Connections: Shows bandwidth usage by connection.
  • Top Protocols: Shows bandwidth usage by protocol.
  • Top Talkers: Shows bandwidth usage by IP address.
     
Toplist Top Protocols for a Packet Sniffer Sensor

Click on one of these items to view a distribution chart and a list of source and destination IP and port, protocols, kind of traffic in different channels, etc. It depends on the selected list which information is available. Click on an entry in the Toplist Periods lists on the left side to view data for a certain time span. By default, a time span of 15 minutes is set. Additionally, several table list options are available.

In order to print a toplist, click on the Print this toplist button to view a printer-friendly version and then use the print option of your browser to send it to your printer. With Sensor Overview you will return to the current sensor's overview tab. For a quick selection of other toplists of the current sensor, click on one of the toplist icons at the top of the page.

In the sensor overview, you can add new toplists, or edit or delete existing ones.

Add

Click on the Add Toplist item in the sensor overview to create a new toplist. The available options are the same as for editing a list.

Edit

Click on the small gear icon of a toplist item in the sensor overview to modify it.

Toplist Settings

Name

Enter a meaningful name to identify the toplist.

Type

  • Top Talkers (Which IPs use the most bandwidth?): Shows bandwidth usage by IP address.
  • Top Connections (Which connections use most bandwidth?): Shows bandwidth usage by connection.
  • Top Protocols (Which protocols use the most bandwidth?): Shows bandwidth usage by protocol.
  • Custom (Create your own toplist): Create your own list by selecting criteria below.

Toplist is based on

This setting is only available if a custom type is selected above. Select the fields you want to add to the toplist by adding a check mark in front of the respective field name. The available options depend on the type of sensor used. They're different for Packet Sniffer, NetFlow v5, v9 (and IPFIX), and sFlow. Note: For performance reasons, only select the fields you really want to monitor. Please see the Performance Considerations section below.

Period (Minutes)

Define the interval for the toplist in minutes. Please enter an integer value. Toplists always cover a certain time span. Once a time span has passed, the top results are stored and a new toplist is started. Note: In order to avoid load problems on your probe system, please do not set this interval too long. Default setting is 15 minutes. Please see Performance Considerations section below.

Top Count

Define the length of your toplist. Only this number of entries will be stored for each period. Please enter an integer value. Note: In order to avoid load problems on your probe system, please set this value as low as possible. Default setting is 100, in order to store the top 100 entries for each period. Please see the Performance Considerations section below.

Probe/Core Data Transfer

Define how the probe sends the toplist dataset to the core server. Choose between:

  • According to sensor interval (default): Send data in the interval defined in the settings of the sensor this toplist is created for. This can create a lot of bandwidth and CPU load with many sniffer sensors, complex traffic, or long toplists.
  • Wait until toplist period ends (less cpu&bandwidth usage): Send data once a toplist period has finished. This will create less bandwidth usage and CPU load, but the web interface will show only toplists with finished periods, not the current toplist.

For more information, please see Performance Considerations section below.

Memory Limit (MB)

Define the maximal amount of memory in MB the probe will use for collecting the different connection information. Every toplist adds its amount to the probe's memory consumption. Increase this value if the number of captured connections is not sufficient. Please enter an integer value.

Click on the Save button to store your settings. If you change tabs or use the main menu, all changes to the settings will be lost!

Delete

Click on the small trashcan icon of a toplist item in the sensor overview to delete it. Confirm with Delete to delete the list.

Details

Click on the windows symbol to show details of a toplist.

Performance Considerations

If you create toplists for data lines with considerable usage (for example, steady bandwidth over 10 Mbit/s) or if the traffic is very diverse (for example, many IPs/ports with only little traffic each) please consider the following aspects:

  • The probe gathers all information needed for the toplist in RAM during each period. Only the top 100 entries are transferred to the core. Depending on the toplist type and traffic patterns, the required memory can grow into many megabytes.
  • Choose periods as short as desirable (especially important when traffic has a high level of diversity) to minimize memory usage.
  • Memory requirements can grow almost exponentially with each field used in the toplists definition (depending on traffic pattern). Avoid complex toplists for high and diverse traffic. For example, Top Connections (5 fields) needs a lot more memory than Top Talkers (1 field).
  • If you experience high bandwidth usage between core and probe try to choose the Wait until toplist period ends option in the toplist settings.
  • If you experience "Data incomplete, memory limit was exceeded" messages, try to increase the memory limit in the toplist settings, but keep an eye on the probe process' memory usage.
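
The sketch below is an added example, not Vunetrix code. It aggregates constructed flow records for one toplist period to show why a 5-field toplist has to track far more entries in probe memory than a 1-field one, and how a memory cap leads to incomplete data. The field names and the max_keys cap (counted in tracked keys rather than MB) are assumptions.

```python
from collections import Counter
from itertools import product

# Hypothetical field sets; the manual only states "1 field" versus "5 fields".
TOP_TALKERS = ("src_ip",)
TOP_CONNECTIONS = ("src_ip", "src_port", "dst_ip", "dst_port", "proto")

def build_toplist(flows, fields, top_count=100, max_keys=None):
    """Aggregate bytes per key for one period and keep only the top entries.

    max_keys stands in for the memory limit (assumption: counted in
    tracked keys here, whereas the product setting is in MB).
    Returns (top_entries, tracked_keys, incomplete).
    """
    totals, incomplete = Counter(), False
    for flow in flows:
        key = tuple(flow[f] for f in fields)
        if key not in totals and max_keys is not None and len(totals) >= max_keys:
            incomplete = True  # new key dropped: the period's data is incomplete
            continue
        totals[key] += flow["bytes"]
    return totals.most_common(top_count), len(totals), incomplete

def sample_flows():
    """Constructed traffic: 20 clients x 50 ephemeral ports x 3 servers."""
    flows = []
    for host, port, srv in product(range(20), range(50), range(3)):
        flows.append({
            "src_ip": f"10.0.0.{host + 1}",
            "src_port": 40000 + port,
            "dst_ip": f"192.0.2.{srv + 1}",
            "dst_port": 443,
            "proto": "TCP",
            "bytes": 1000 * (host + 1),
        })
    return flows

if __name__ == "__main__":
    flows = sample_flows()
    for name, fields in (("Top Talkers", TOP_TALKERS),
                         ("Top Connections", TOP_CONNECTIONS)):
        top, tracked, incomplete = build_toplist(flows, fields, max_keys=1000)
        print(f"{name}: tracked={tracked} stored={len(top)} incomplete={incomplete}")
```

On the same traffic, the 1-field list tracks 20 keys while the 5-field list needs 3000, so only the latter hits the cap of 1000 and is flagged incomplete.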

Notes

  • When working with toplists be aware that privacy issues can come up for certain configurations of this feature. Using toplists you can track all single connections of an individual PC to the outside world and you, as the administrator, must make sure that it is legal for you to configure Vunetrix like this.
  • Keep in mind that toplists can be viewed through the web interface. You may not want to show lists of domains used in your network to others. So you should restrict access to sensor types having toplists.
  • Note that diagrams, for example, for top connections are not meant to be used for detailed analysis. Rather they should indicate if there is an uncommon bigger change in this toplist.
