3.3. Top N

The Top N tab displays charts that show the top N contributors to the network traffic and how the top N contributors change over time.

This tab includes a control bar that allows you to select the switch (Section 3.5, “Selecting a switch”) and interface (Section 3.6, “Selecting an interface”) for which you would like to analyse and view traffic data, and the type of chart to display. You can also select a specific time interval (Chapter 9, Selecting a time period) and filter on specific traffic (Chapter 10, Filtering).

When you have made changes to the selections for the chart, including creating a filter, you can save these selections in a bookmark (see Section 1.4, “Navigating around sFlowTrend-Pro using the history navigator”) so that you can easily return to the same chart at a later date.

With sFlowTrend, or with sFlowTrend-Pro when the Time setting is relative to now (for example Last hour; see Chapter 9, Selecting a time period), these charts are automatically updated when the next data point is available. The Progress indicator shows how long it will be before the chart is next updated.

3.3.1. Top N charts

The Top N charts show the top N contributors to the network traffic and how the top N contributors change over time. These charts are generated from the sampled packets exported by sFlow. Top N traffic charts are shown using stacked bar charts.

The following network traffic top N charts are available:

Top sources
The top sources of traffic.
Top destinations
The top destinations of traffic.
Top input VLANs
The VLANs which are providing the most input traffic to the switch.
Top output VLANs
The VLANs which are receiving the most output traffic from the switch.
Top source-destination pairs
The top source address and destination address pairs.
Top source-destination flows
The top source address, source port, destination address and destination port flows.
Top inter-VLAN pairs
The VLANs between which most traffic is flowing.
Top connections
Top connections is similar to Top source-destination flows, but combines both directions of the traffic belonging to a client/server connection.
Top servers
The top servers.
Top clients
The top clients.
Top protocols
The top protocols.
Top broadcast flows
The top flows of layer 2 broadcast traffic.
Top L2 multicast flows
The top flows of layer 2 multicast traffic.
Top IP multicast flows
The top flows of IP multicast traffic.
Most connected sources
The top sources ordered by the number of destinations that each has connected to. This is also referred to as 'fan-out'. This chart is useful for security analysis, to help identify hosts that are exhibiting address scanning behaviour.
Most connected destinations
The top destinations ordered by the number of sources that has connected to each. This is also referred to as 'fan-in'. This chart is useful for security analysis, to help identify hosts that might be victims of a distributed denial-of-service attack.
Most popular protocols
The top protocols ordered by the number of source/destination address pairs. This chart is also useful for security analysis, and shows the protocols that are most likely being used to perform scanning.
Top wireless versions
The wireless versions in use, for example 802.11a, 802.11g.
Top SSIDs
The top 802.11 wireless SSIDs in use.
Top channels
The top 802.11 wireless channels being used.
Top cipher suites
The top cipher suites being used to encrypt the 802.11 wireless traffic.

In the VLAN charts, a VLAN of 0 indicates that no specific VLAN is being used, or the VLAN could not be determined.

The 802.11 wireless charts will only display data if sFlowTrend-Pro is receiving sFlow from wireless devices that support the sFlow 802.11 Structures.

Custom Top N charts

In addition to the standard Top N charts, you can also define custom Top N charts. With a custom Top N chart you can choose the attributes (key fields) that are used to identify the top contributors. To define a custom Top N chart, click on the button next to the Chart selector. This will display the Edit custom Top N dialog. In the dialog, click on the Add custom Top N button to display a dialog that allows you to define the key fields for the custom Top N.

For example, if you would like to see the top source addresses before NAT has taken place and the associated addresses after NAT, select sourceNATAddress from the Available fields list and click Add -> to add this key field to the selected fields list, then select and add sourceAddress. See Table 16.1, “Database key fields available for flows” for descriptions of the available fields. You must enter a unique name for this custom Top N, before you click OK. After you click OK in the Edit custom Top N dialog, the custom Top N will be selected in the Chart selector and the corresponding custom Top N chart displayed. Custom Top N charts are listed after the standard Top N charts in the selector. You can use the Edit custom Top N dialog to edit or remove existing custom Top N definitions.

The Available fields list includes a type-in text field that allows you to filter the available fields for fields whose names match the typed in text. For example, you can type addr into the type-in field to see only those fields which include addr in their names.

Address translation data is available only if sFlowTrend-Pro is receiving sFlow from devices that support the extended_nat structure.

3.3.2. Units

You can use the Units selector to choose the measurement units used to calculate the top contributors. There are two types of Top N traffic charts:

Rate-based charts

These charts show the top N contributors based on their associated traffic rate in either bits/s or frames/s. Example rate-based charts are Top sources, Top source VLANs and Top broadcast flows. Use the Units selector to choose whether the top contributors should be sorted based on their traffic rate in bits/s or in frames/s.

If a specific interface is selected, then the rate-based charts will show ingress traffic (above the x-axis) and egress traffic (below the x-axis). This shows the top N contributors of traffic entering or exiting the selected interface. If the Units selector is set to Bits/s, the left y-axis will show the volume of traffic in bits/s, while the right y-axis will show the traffic volume in terms of % utilization of the interface bandwidth. If the Units selector is set to Frames/s, the traffic volume will be shown in frames/s.

If a specific wireless interface is selected, the Units selector includes an additional option, Air %. Air % is the percentage of the available bandwidth used by the traffic, taking into account the actual speed of transmission. Traffic transmitted at a low speed will have high air % utilization. This means that a host with poor signal strength may use a disproportionately large amount of wireless bandwidth and degrade performance for other users.

If the Interface selector is set to All, the charts will show the top contributors over the whole switch. If a connection-oriented, client/server chart (Top connections, Top servers, Top clients, Top protocols) is chosen, the chart will show traffic flowing to the server above the x-axis, while traffic flowing from the server will be shown below the x-axis. For the other rate-based charts, selecting All interfaces results in one overall rate for the switch. You can use the Units selector options Bits/s and Frames/s to show top contributors based on their traffic rate in bits/s or frames/s respectively.

Count-based charts

These charts (Most connected sources, Most connected destinations, Most popular protocols) show an absolute count value for each of the top contributors. For example, the Most connected sources chart shows the count of destinations for each of the sources that talk to the most destination hosts. When these charts are selected, the Units selector automatically changes to Count and cannot be altered.
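As an added example (not sFlowTrend's own code), the following Python computes the three count-based rankings described above, fan-out (Most connected sources), fan-in (Most connected destinations) and Most popular protocols, from a constructed set of sampled flow records. The record layout and protocol labels are assumptions made for the example; the counts are of distinct peers seen in sampled packets, so a scan that falls between samples is under-counted.

```python
from collections import defaultdict
from typing import Dict, Hashable, List, Tuple

# Constructed sFlow-style flow samples (not real captured data):
# (source address, destination address, protocol label)
SAMPLES: List[Tuple[str, str, str]] = [
    ("10.0.0.5", "10.0.1.1", "TCP/22"),
    ("10.0.0.5", "10.0.1.2", "TCP/22"),
    ("10.0.0.5", "10.0.1.3", "TCP/22"),
    ("10.0.0.5", "10.0.1.4", "TCP/22"),
    ("10.0.0.7", "10.0.1.1", "TCP/443"),
    ("10.0.0.8", "10.0.1.1", "TCP/443"),
    ("10.0.0.9", "10.0.1.1", "UDP/53"),
    ("10.0.0.9", "10.0.1.1", "UDP/53"),   # same pair sampled twice: counted once
    ("10.0.0.7", "10.0.1.2", "TCP/443"),
]


def top_n(counts: Dict[Hashable, int], n: int) -> List[Tuple[Hashable, int]]:
    """Rank by descending count; ties broken by key so output is deterministic."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def most_connected_sources(samples, n: int):
    """Fan-out: each source ranked by the number of distinct destinations it reached.
    A host high on this list with many peers on one port resembles address scanning."""
    peers = defaultdict(set)
    for src, dst, _ in samples:
        peers[src].add(dst)
    return top_n({src: len(dsts) for src, dsts in peers.items()}, n)


def most_connected_destinations(samples, n: int):
    """Fan-in: each destination ranked by the number of distinct sources talking to it.
    A sudden spike in fan-in is one indicator of a distributed denial-of-service."""
    peers = defaultdict(set)
    for src, dst, _ in samples:
        peers[dst].add(src)
    return top_n({dst: len(srcs) for dst, srcs in peers.items()}, n)


def most_popular_protocols(samples, n: int):
    """Each protocol ranked by the number of distinct source/destination address pairs
    using it, which highlights the protocol a scan is being carried out over."""
    pairs = defaultdict(set)
    for src, dst, proto in samples:
        pairs[proto].add((src, dst))
    return top_n({proto: len(p) for proto, p in pairs.items()}, n)


if __name__ == "__main__":
    print("fan-out :", most_connected_sources(SAMPLES, 3))
    print("fan-in  :", most_connected_destinations(SAMPLES, 3))
    print("protocol:", most_popular_protocols(SAMPLES, 3))
```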

3.3.3. Understanding the Top N traffic chart

The legend in the Top N traffic chart shows the top contributors for the selected interval. The outlined time stamp on the x-axis indicates the currently selected interval. You can select an interval and see the top contributors in that interval by clicking with the left mouse button on the bar corresponding to the interval of interest. Each other bar in the chart will then be recoloured to show how much traffic was generated, in the interval represented by the bar, by the top contributors from the currently selected interval. This allows you to see how the top contributors change over time.

If the latest (right-most) bar is selected and the Time setting is relative to now (for example Last hour; see Chapter 9, Selecting a time period), the charts will be updated automatically and always display the contributors for the most recent minute.

The grey part of each bar represents traffic not attributable to the top N shown in the legend (i.e. it represents the contribution from other sources, destinations etc. that are not in the top N).

If the whole of a bar is grey, the traffic in its interval is not attributable to any of the top contributors in the currently selected interval. You can click on this bar to make it the currently selected interval and see its top contributors.

3.3.4. Displaying end host information

You can find out more information about an end host by clicking on the icon shown to the left of the host address in the legend. This will open the Lookup host dialog using the end host address. If the Lookup host dialog is already open, then the dialog will be changed to show information for the newly selected host. See Chapter 11, End host information for more information.

3.3.5. Using the legend to drilldown on specific traffic

You can use the legend in the network traffic top N charts to drilldown on traffic of interest. For example, if you are viewing a Top sources chart and you notice that one host is responsible for the majority of the traffic, you can investigate who this host is talking to and which application is generating the traffic by clicking with the left mouse button on the legend item that corresponds to the host. The Top source-destination flows chart will then be displayed with a filter for the selected host applied. This will show you the top source-destination flows for which the host of interest is the source.

See Section 3.3.6, “Filtering for specific traffic” for more information on filtering on specific traffic.

3.3.6. Filtering for specific traffic

sFlowTrend-Pro allows the information displayed in a Top N traffic chart to be filtered. This allows you to focus on traffic that may be of interest. For example, if you only wanted to look at web traffic, you could set a filter for only TCP port 80 traffic. See Chapter 10, Filtering for details.