• Getting Started
• Tutorials
• Server
• Monitor
• Reports
• Queries
• Host
• Site Traffic
• Site Service
• AddressLocation
• AddressMap
• Events
• Event Counts
• Find Multi
• Interface Counters
• Interface Traffic
• Inventory
• Multi-Chart
• RRD
• WAN Traffic
• WAN Service
• Multi-Site
• Routing
• Security
• Support

Help : Queries : Interface Traffic

The form is accessed from the Query>Other>Interface Traffic menu. Traffic queries against the per port minute data are made using the URL /its/query/Monitor?action=query. The following arguments are recognized:

• filterProtocol
• sourceAddress
• sourcePort
• destinationAddress
• destinationPort
• resultSort
• resultTruncate
• resultField
• resultFormat
• resultProtocol
• startTime
• startSeconds
• startAfterTime
• startAfterSeconds
• intervalSize
• intervals
• agentAddress
• agentName
• agentInterface
• path

Note: If the interface is omitted then all interfaces will be included. If the agent is omitted then all agents will be included.

The protocol layer on which to filter flows. Possible filter protocols are:

• PORTS
• AS
• SUBNETS
• NEXTHOP
• VLAN
• MAC
• MAC_VLAN
• Ethernet
• IEEE8023_8022
• SNAP
• IPV4
• IPV6
• ICMP
• ICMPV6
• TCP
• UDP
• RTP
• IPX
• DDP
• AARP
• DEC4
• FRAME_RELAY
• USER_ID

Constrain the results to only include entries with selected source addresses.

The format of an address depends on the type of address being specified. The following table gives examples of addresses of each type:

Note: Partial ASPATH addresses can be used to match ASPATHs in queries. For example,

Address ranges may be specified in the following ways:

Addresses and subnets can be combined in lists, for example:

10.8.0.0/16,10.9.0.0/16,10.11.9.5 would include all addresses in the 10.8.* and the 10.9.* subnets as well as the address 10.11.9.5

In order to exclude addresses an exclamation mark (!) can be placed at the beginning of the list, so:

!10.8.0.0/16,10.9.0.0/16,10.11.9.5 would exclude all the addresses in the list.

Note: If the selected tableType contains IP addresses, then domain names may be used to specify addresses.

The configuration file defines the network in terms of sites containing zones, each of which contains a set of IP subnets. The site:zone:subnet notation can be used whenever the tableType contains IP addresses. For example,

HQ:1st Floor: would include all subnets in the 1st Floor zone at the HQ site.

Note: Omitted names will be treated as wild cards. The expression :1st Floor: would match any zones with the name "1st Floor", irrespective of the site that contained them.

Finally, the site name _local can be used to refer to the local site (i.e. the site that the Traffic Server processing the query is monitoring). For example,

_local:: would include all subnets on the local site.

A port may refer to a port, type or sap depending on the table type being analyzed (see tableType). For example, when analyzing a TCP traffic matrix for http traffic, specify sourcePort=80).

Ranges and lists of ports can be constructed, for example:

sourcePort=20,21 specifies ftp data and control traffic.

sourcePort=1-1023 specifies all "well known" ports.

Note: Certain well known ports can be specified using their names, for example:
sourcePort=ftp_data,ftp is equivalent to sourcePort=20,21

Constrain the results to only include entries with selected destination addresses. See sourceAddress for more information on specifying addresses lists.

Note: If the selected tableType contains MAC addresses, then the special address, multicast, is recognised and used to specify MAC multicast addresses (MAC broadcast addresses are easily specified as 0xffffffffffff). For example:
destinationAddress=multicast would find all traffic to MAC multicast addresses.

A port may refer to a port, type or sap depending on the table type being analyzed (see tableType). For example, when analyzing a TCP traffic matrix for http traffic, specify destinationPort=80).

Ranges and lists of ports can be constructed, for example:

destinationPort=20,21 specifies ftp data and control traffic.

destinationPort=1-1023 specifies all "well known" ports.

Note: Certain well known ports can be specified using their names, for example:
destinationPort=ftp_data,ftp is equivalent to destinationPort=20,21

Specifies whether results should be sorted by bytes or by frames. In order for results to be sorted, a resultTruncate value must be specified. For example,

resultSort=frames will sort the result table by the number of frames in each entry.

resultSort=bytes will sort the result table by the number of bytes in each entry.

resultSort=count will sort the result table by the count field in each entry.

Leave blank if no sorting is required and all results should be returned.

Specify the number of rows to return in the result table. A truncation value is usually specified in conjunction with resultSort to generate a top N table. For example,

resultSort=frames&resultTruncate=10 would return the top 10 entries sorted by frames.

Leave blank if no truncation is required and all results should be returned.

Results returned as a table containing whichever columns were requested using resultField.

If key fields are omitted, then the result will be aggregated, ensuring that each row represents a unique combination of keys.

Result fields are specified as a list of field names. For example,

resultField=sourceAddress,destinationAddress,frames,bytes would return a table with the specified columns.

The following result formats are recognized:

• csv Returns a plain text table of results with each field separated by a comma.
• html Returns a formatted html table of results.
• debug Returns an html table containing the argument list, as well as a separate result table. Also provides a means of viewing error messages relating to improperly constructed queries.

The protocol layer to display in results. Possible result protocols are:

• PORTS
• AS
• SUBNETS
• NEXTHOP
• VLAN
• MAC
• MAC_VLAN
• Ethernet
• IEEE8023_8022
• SNAP
• IPV4
• IPV6
• ICMP
• ICMPV6
• TCP
• UDP
• RTP
• IPX
• DDP
• AARP
• DEC4
• FRAME_RELAY
• USER_ID
• FIRST Return the first protocol layer in the flow.
• LAST Return the last protocol layer in the flow.
• ALL Return all the protocol layers in the flow.

Return the required number of intervals starting at the specified startTime. If startTime is absent, the intervals are counted back from the current time.

A startTime has the following format:
yyyyMMddhhmm

e.g. 200101051309 starts at 1:09pm on the 5th of January 2001

Return the required number of intervals starting at the specified startSeconds. If startSeconds is absent, the intervals are counted back from the current time. startSeconds is expresses as the number of seconds since the Epoch (1st January 1970).

startSeconds is an alternative to startTime that is easier to use in scripts.

Return the required number of intervals starting immediately after the specified startAfterTime. If startAfterTime is absent, the intervals are counted back from the current time.

A startAfterTime has the following format:
yyyyMMddhhmm

e.g. 200101051309 starts at 1:10pm on the 5th of January 2001 (assuming an intervalSize of 1 minute).

Return the required number of intervals starting immediately after the specified startAfterSeconds. If startAfterSeconds is absent, the intervals are counted back from the current time. startAfterSeconds is expresses as the number of seconds since the Epoch (1st January 1970).

startAfterSeconds is an alternative to startAfterTime that is easier to use in scripts.

The size of interval to be used when computing top flows. intervalSize is expressed as a number of minutes.

The number of intervals to return. Each interval will be intervalSize minutes long.

The IP address of the switch or router.

The IP address or domain name of the switch or router.

The interface index (ifIndex) of the interface.

Scope the query to the ports within the specified path. A path is the hierarchical name given to a part of the network.

Paths have the following form:

<enterprise>:<site>:<zone>:<subnet>:<agent>:<port>

e.g. InMon Corp.:San Francisco:Backbone  would specify the Backbone zone on the San Francisco site of the InMon Corp. network.

If the path is omitted then all ports on the site will be considered (unless the agent or interface parameters are set).