media="all">
"; for ($i = 0; $i < count($nav); $i++){ if ($dirMax >= $pthSize){ if(($nav[$i][2] != 1) && (getfilepath($nav[$i][1]) == $parsedpath)) echo "Help : ".$nav[$i][0]; if (parsefilepath($nav[$i][1]) == $dirs[$pthSize]){ if ((getfilepath($nav[$i][1]) != $pth) || getfilepath($nav[$i][1]) != $pth."index.php") echo "Help : "; if (getfilepath($nav[$i][1]) == $parsedpath) echo $nav[$i][0]; else { echo "".$nav[$i][0]." : "; for ($j = 0; $j < count($nav[$i][3]); $j++){ if(getfilepath($nav[$i][3][$j][1]) == $parsedpath) echo $nav[$i][3][$j][0]; if(parsefilepath($nav[$i][3][$j][1]) == $dirs[$pthSize + 1]) { if ((getfilepath($nav[$i][3][$j][1]) == $parsedpath));// echo $nav[$i][3][$j][0]; else { echo "".$nav[$i][3][$j][0]." : "; for($k = 0; $k < count($nav[$i][3][$j][3]); $k++) { if(getfilepath($nav[$i][3][$j][3][$k][1]) == $parsedpath) echo $nav[$i][3][$j][3][$k][0]; if (parsefilepath($nav[$i][3][$j][3][$k][1]) == $dirs[$pthSize+2] && getfilebase($nav[$i][3][$j][3][$k][1]) == $path_parts["basename"]) { if (getfilepath($nav[$i][3][$j][3][$k][1]) == $parsedpath) ; //echo $nav[$i][3][$j][3][$k][0]; else if (parsefilepath($nav[$i][3][$j][3][$k][1]) == $dirs[$pthSize+3] && $nav[$i][3][$j][3][$k][2] == 1) { for ($l = 0; $l < count($nav[$i][3][$j][3][$k][3]); $l++){ if (getfilepath($nav[$i][3][$j][3][$k][3][$l][1]) == $parsedpath) echo "".$nav[$i][3][$j][3][$k][0]." : "; echo $nav[$i][3][$j][3][$k][3][$l][0]; } } } } } } } } } } } echo ""; ?>

The form is accessed from the Query>Site Traffic menu. Traffic queries against the consolidated hourly data are made using the URL /its/query/Traffic. The following arguments are recognized:


The Traffic Query differs from the Service Query in that it deals with unidirectional flows. Only flows matching the direction established by the sourceAddress, sourcePort, destinationAddress and destinationPort fields are included in the result.


tableType

Traffic matrices are stored as individual tables. To access a traffic matrix you must specify the type of table to query.

The table types currently recognized are:

  • MAC
  • MAC_VLAN
  • Ethernet
  • IEEE8023_8022
  • SNAP
  • IPV4
  • TCP
  • UDP
  • RTP
  • ICMP
  • AS
  • IPV6
  • TCPV6
  • UDPV6
  • RTPV6
  • ICMPV6
  • IPX
  • DEC4
  • DDP


hour

The hours in the day to include. Hours are specified by the start of the hour (i.e. 0 = midnight to 1am and 23 = 11pm to midnight).

Hours can be included in lists, or in ranges.

hour=9-16 Work hours (9am to 5pm).
hour=17-8 Non-work hours (5pm to 9am)
hour=12,13 Lunch (Noon and 1pm hours)

Hours are interpreted in conjunction with the selected time zone (see TZ).


day

The days of the week to include in the result. The values are:

1 Sunday
2 Monday
3 Tuesday
4 Wednesday
5 Thursday
6 Friday
7 Saturday

Days can be listed or included in ranges

date=2-6 Include only workdays (Mon-Fri).
date=7-1 Include only weekend days (Sat-Sun).
date=3,5 Include only Tuesdays and Thursdays.

Days are interpreted in conjunction with the selected time zone (see TZ).


date

Dates and times are specified in the following formats:

yyyymmdd Includes all the hours in the specified date.
yyyymmddhh Includes a specific hour.
today All hours from midnight to current hour.
yesterday All hours yesterday.
thisWeek All hours from Midnight Sunday to current hour.
lastWeek All hours last week.
thisMonth All hours from start of month to current hour.
lastMonth All hours last month.
lastHour Last hour.
last24Hours Last 24 hours.
last7Days Last 7 days to current hour.
last30Days Last 30 days to current hour.

Times and dates are interpreted in conjunction with the selected time zone (see TZ).

Dates can be combined in a list or specified as ranges, for example:

date=19990901,19990905-1999091212

would include all the hours on 1-Sep-1999 and all the hours between midnight 5-Sep-1999 and noon 12-Sep-1999.

If the argument is omitted, then the hours since midnight today will be used.


TZ

The time zone used to interpret dates, times, days of week and hours. It is also the time zone used when returning date and time information in results.

Currently recognized time zones are:

ID Name Offset from GMT
server Time zone of the Traffic Server  
AET Australia Eastern Time 10
AGT Argentina Standard Time -3
ART (Arabic) Egypt Standard Time 2
AST Alaska Standard Time -9
BET Brazil Eastern Time -3
BST Bangladesh Standard Time 6
CAT Central African Time -1
CST Central Standard Time -6
CTT China Standard Time 8
EAT Eastern African Time 3
ECT European Central Time 1
EET Eastern European Time 1
EST Eastern Standard Time -5
GMT Greenwich Mean Time 0
HST Hawaii Standard Time -10
IET Indiana Eastern Standard Time -5
JST Japan Standard Time 9
MIT Midway Islands Time -11
MST Mountain Standard Time -7
NET Near East Time 4
NST New Zealand Standard Time 12
PLT Pakistan Lahore Time 5
PNT Phoenix Standard Time -7
PST Pacific Standard Time -8
SST Solomon Standard Time 11
VST Vietnam Standard Time 7

Note: If the time zone is unspecified, it defaults to server.


sourceAddress

Constrain the results to only include entries with selected source addresses.

The format of an address depends on the type of address being specified. The following table gives examples of addresses of each type:

IP 10.8.56.128
IPX 51.28.45.50:0x0060B0ED45EB
DEC 32.12
APPLETALK 23.10
MAC 0x080009F2C59A
ASPATH 1-3-7-10

Note: Partial ASPATH addresses can be used to match ASPATHs in queries. For example,

-12 Destination AS must be 12.
12- Peer AS must be 12.
-12-15- Path must pass through AS 12 and AS 15.

Address ranges may be specified in the following ways:

address e.g. 10.8.56.128
<address>/<mask> e.g. 10.8.56.0/255.255.255.0
<address>/<maskbits> e.g. 10.8.56.0/24
<site name>:<zone name>:<subnet name> e.g. HQ:1st Floor

Addresses and subnets can be combined in lists, for example:

10.8.0.0/16,10.9.0.0/16,10.11.9.5 would include all addresses in the 10.8.* and the 10.9.* subnets as well as the address 10.11.9.5

In order to exclude addresses an exclamation mark (!) can be placed at the beginning of the list, so:

!10.8.0.0/16,10.9.0.0/16,10.11.9.5 would exclude all the addresses in the list.

Note: If the selected tableType contains IP addresses, then domain names may be used to specify addresses.

The configuration file defines the network in terms of sites containing zones, each of which contains a set of IP subnets. The site:zone:subnet notation can be used whenever the tableType contains IP addresses. For example,

HQ:1st Floor: would include all subnets in the 1st Floor zone at the HQ site.

Note: Omitted names will be treated as wild cards. The expression :1st Floor: would match any zones with the name "1st Floor", irrespective of the site that contained them.

Finally, the site name _local can be used to refer to the local site (i.e. the site that the Traffic Server processing the query is monitoring). For example,

_local:: would include all subnets on the local site.


sourcePort

A port may refer to a port, type or sap depending on the table type being analyzed (see tableType). For example, when analyzing a TCP traffic matrix for http traffic, specify sourcePort=80).

Ranges and lists of ports can be constructed, for example:

sourcePort=20,21 specifies ftp data and control traffic.

sourcePort=1-1023 specifies all "well known" ports.

Note: Certain well known ports can be specified using their names, for example:
sourcePort=ftp_data,ftp is equivalent to sourcePort=20,21


destinationAddress

Constrain the results to only include entries with selected destination addresses. See sourceAddress for more information on specifying addresses lists.

Note: If the selected tableType contains MAC addresses, then the special address, multicast, is recognised and used to specify MAC multicast addresses (MAC broadcast addresses are easily specified as 0xffffffffffff). For example:
destinationAddress=multicast would find all traffic to MAC multicast addresses.


destinationPort

A port may refer to a port, type or sap depending on the table type being analyzed (see tableType). For example, when analyzing a TCP traffic matrix for http traffic, specify destinationPort=80).

Ranges and lists of ports can be constructed, for example:

destinationPort=20,21 specifies ftp data and control traffic.

destinationPort=1-1023 specifies all "well known" ports.

Note: Certain well known ports can be specified using their names, for example:
destinationPort=ftp_data,ftp is equivalent to destinationPort=20,21


groupMask

Group masks are used to aggregate addresses based on subnet. A group mask has the following form:

<Address>/<Scope>/<Mask>

Scope and Mask are two subnet masks that are used in conjunction with Address to specify an grouping policy. If an address falls within the subnet specified by Address/Scope, then Mask is applied to the address to extract a subnet.

If more than one group mask is given in a list, then the mask with the narrowest scope is applied. If no masks match, then the address will pass through unchanged.

The following examples illustrate the use of group masks.

groupMask=10.0.0.0/255.0.0.0/255.255.255.0 (or more compactly groupMask=10.0.0.0/8/24) applies the subnet mask 255.255.255.0 to all addresses in the 10.* range.

groupMask=10.23.0.0/16/25,10.0.0.0/8/24 applies a 25 bit subnet mask to addresses in the 10.23.* subnet while applying a 24 bit mask to all other addresses in the 10.* range.

A variant of the group mask allows address ranges to be associated with names:

groupMask=10.0.0.0/8/internal,0.0.0.0/0/external would substitute the string "internal" for any address in the 10.* range and the string "external" would be substituted for all other addresses.

Finally, group masks can be automatically constructed using the site:zone:subnet information in the Traffic Server configuration file. The following automatic groupMask options are available:

  • enterprise All subnets in enterprise grouped together
  • site Group by site
  • zone Group by site.zone
  • zone.subnet Group by site.zone.subnet
  • subnet Group by subnets learned from traffic

groupPeriod

Create a time series using the specified grouping period. Recognized periods include:

  • hour
  • day
  • week
  • month

Leave blank or omit argument in order to aggregate over entire interval.

Intervals are interpreted in conjunction with the selected time zone (see TZ).


resultSort

Specifies whether results should be sorted by bytes or by frames. In order for results to be sorted, a resultTruncate value must be specified. For example,

resultSort=frames will sort the result table by the number of frames in each entry.

resultSort=bytes will sort the result table by the number of bytes in each entry.

resultSort=count will sort the result table by the count field in each entry.

Leave blank if no sorting is required and all results should be returned.


resultTruncate

Specify the number of rows to return in the result table. A truncation value is usually specified in conjunction with resultSort to generate a top N table. For example,

resultSort=frames&resultTruncate=10 would return the top 10 entries sorted by frames.

Leave blank if no truncation is required and all results should be returned.


resultField

Results returned as a table containing whichever columns were requested using resultField.

Category Field Description
Key Field time The time at the start of the interval.
seconds The time at the start of the interval in seconds since 1 Jan 1970 GMT.
sourceAddress Source address.
sourceName Domain name of source.
sourcePort Source port.
sourcePortName "Well known" port name for source port.
destinationAddress Destination address.
destinationName Domain name of destination.
destinationPort Destination port.
destinationPortName "Well known" port name for destination port.
sourceAS AS number for source address.
sourcePeerAS AS number for peer network on path to source address.
destinationAS AS number for destination address.
destinationPeerAS AS number for peer network on path to destination address.
protocolGroup Name for service identified by source and destination ports (Configured using protocol.group setting).
Value Field frames Number of frames in interval for given keys.
framesVariance Variance in the number of frames.
framesSDEV Standard deviation in the number of frames.
framesLower Lower bound (95% confidence) on the number of frames.
framesUpper Upper bound (95% confidence) on the number of frames.
bytes Number of bytes in interval for given keys.
bytesVariance Variance in the number of bytes.
bytesSDEV Standard deviation in the number of bytes.
bytesLower Lower bound (95% confidence) on the number of bytes.
bytesUpper Upper bound (95% confidence) on the number of bytes.
count(key1,key2..) Count the number of distinct key values and collapse the rows, returning the count. For example,
resultField=sourceAddress,count(destinationAddress,clientPort)
will return the source addresses along with a count of the number of destination address, port combinations.

If key fields are omitted, then the result will be aggregated, ensuring that each row represents a unique combination of keys.

Result fields are specified as a list of field names. For example,

resultField=sourceAddress,destinationAddress,frames,bytes

would return a table with the specified columns.


resultFormat

The following result formats are recognized:

  • csv Returns a plain text table of results with each field separated by a comma.
  • html Returns a formatted html table of results.
  • debug Returns an html table containing the argument list, as well as a separate result table. Also provides a means of viewing error messages relating to improperly constructed queries.