33. Reports » Devices » Sensors¶
Clicking on a Sensor opens a tab with specific information. The tab includes a few sub-tabs located at the lower side of the window. All sub-tabs share the following common toolbar fields:
● Sensor Interfaces – Select the Sensor interfaces you are interested in, or select “All”. Administrators can restrict which Sensors are accessible by guest accounts● Time Range – Select a predefined time range, or select “Custom…” to enter a specific time interval
33.1. Sensor Dashboard¶
This tab allows you to view the most relevant data collected by Sensors in form of widgets. The configuration of the Sensor Dashboard does not apply to a particular Sensor, so the changes you make here are visible for other Sensor Dashboards as well. The operation of dashboards is described in the Reports » Dashboards section.
The configuration of Sensor widgets is outlined in the following paragraphs.
33.2. Sensor Graphs¶
This sub-tab allows you to view a variety of Sensor-related histograms for the selected Sensor Interface(s):
● Data Units – Select one or more data units:◦ Most Used – Frequently-used data units◦ Packets – Inbound packets/second (+ on Y-axis) and outbound packets/second (- on Y-axis)◦ Bits – Inbound bits/second (+ on Y-axis) and outbound bits/second (- on Y-axis)◦ Applications – Sensor can collect application-specific distribution data for HTTP, HTTPS, SMTP, POP3, IMAP, SNMP, FTP, SSH, TELNET, SQL, NETBIOS, MS-DS, MS-RDP, DNS, ICMP, and OTHERS. These graphs are not generated when the Sensor’s Stats Engine parameter is set to “Disabled”◦ Internal & External IPs – Number of IP addresses that send or receive traffic. The “internal” and “external” IPs are the hosts located inside or outside the IP Zone. The Sensor’s “Stats Engine” parameter enables or disables monitoring of external IPs. A spike in the Internal IPs graph usually means that an IP class scan was performed against your IP blocks. A spike in the external IPs graph usually means that you have received a spoofed attack◦ Received Frames – For Packet Sensor, it represents the number of packets/s received before IP or MAC validation. For Flow Sensor, it represents the number of flows/s received before IP or AS validation◦ Dropped Frames – For Packet Sensor, it represents the number of packets dropped by the packet capturing engine. A high number indicates a sniffing performance problem. For Flow Sensor, it represents the number of unaccounted flows. A high number indicates a wrong configuration or a network connectivity issue with the flow exporter◦ Unknown Frames – For Packet Sensor, it represents the rate of packets not passing IP validation. For Flow Sensor, it represents the rate of invalidated flows◦ Unknown Sources – Source IP addresses that did not pass IP validation◦ Unknown Destinations – Destination IP addresses that did not pass IP validation◦ Avg. Packet Size – Average packet size in bits/packet◦ CPU% – Percentage of CPU resources used by the Sensor process◦ RAM – Amount of RAM used by the Sensor process◦ Load – Load reported by the Linux kernel for 5 minute intervals◦ IP Graphs – Number of IP graphs files updated◦ IP Accounting – Number of IP accounting records updated◦ Profile Graphs – Number of profiling files updated◦ IP Graphs Time – Seconds needed to update the IP graphs files◦ Profile Graphs Time – Seconds needed to update the profiling files◦ Processing Time – Seconds needed to perform traffic analysis functions◦ IP Structures – Number of Internal IP structures necessary to keep track of IPs◦ IP Structure RAM – RAM bytes used by each IP structure◦ Dataplane – Parameters collected from the DPDK-based Capture Engine◦ Bytes/time unit – Bytes/<time unit> throughput value● Size – Select a predefined graph dimension or enter a custom one in “<X> x <Y>” format, where <X> and <Y> are the X-axis and Y-axis pixels● Title – Graphs have an automatically-generated title for the “Auto” option, no title for the “None” option, or you can enter your own text to be rendered as a title● Legend – Select the level of detail for the graph’s legend● Consolidation – If you are interested in spikes, choose the MAXIMUM aggregation type. If you are interested in average values, choose the AVERAGE aggregation type. If you are interested in low values, choose the MINIMUM aggregation type● Grouping◦ Sensor Interfaces – Select to generate a single graph for the Sensor Interfaces selected Stacking◦ Sensor Interfaces – Select to view the summed up, stacked values for multiple Sensor Interfaces
33.3. Sensor Tops¶
This sub-tab allows you to generate various traffic tops per Sensor Interface. The Stats Engine parameter from the Sensor configuration manages the collection of various Sensor tops.
● Decoders – Select the decoder that analyzes the type of traffic that interests you● Top Unit – Select a top type:◦ Talkers – Hosts from your network that sent or received the most traffic for the selected decoder. Not available when the Stats Engine parameter from the Sensor configuration is set to “Disabled”◦ IP Groups – IP groups that sent or received the most traffic for the selected decoder. Not available when the Stats Engine parameter from the Sensor configuration is set to “Disabled”◦ External IPs – External IPs that sent or received the most traffic for the selected decoder. Available when the Stats Engine parameter from the Sensor configuration is set to “Extended” or “Full”◦ Autonomous Systems – Autonomous systems that sent or received the most traffic. Available only when the Stats Engine parameter from the Sensor configuration is set to “Extended” or “Full”◦ Transit Autonomous Systems – Transit autonomous systems that sent or received the most traffic. Available only when the Sensor is configured to extract Transit AS data from a BGP dump file◦ Countries – Countries that sent or received the most traffic. Available only when the Stats Engine parameter from the Sensor configuration is set to “Extended” or “Full”◦ TCP Ports – Most-used TCP ports. Not available when the Stats Engine parameter from the Sensor configuration is set to “Disabled”◦ UDP Ports – Most-used UDP ports. Not available when the Stats Engine parameter from the Sensor configuration is set to “Disabled”◦ IP Protocols – Most-used IP protocols (the protocol used in the data portion of the IP datagram). Not available when the Stats Engine parameter from the Sensor configuration is set to “Disabled”◦ IP Versions – Counters for IPv4 traffic and IPv6 traffic. Not available when the Stats Engine parameter from the Sensor configuration is set to “Disabled”● Traffic Direction – Direction of traffic, All, Inbound or Outbound● Display Options – Various display options● Grouping◦ Sensor Interfaces – When unchecked, a different top is generated for each selected Sensor Interface. When checked, top data is combined
You can increase the number of top records and add new decoders in Configuration » General Settings » Graphs & Storage
Generating tops for many Sensor Interfaces and for long time ranges may take minutes. If the report page timeouts, increase the max_execution_time parameter from php.ini.
33.4. Sensor Events¶
This sub-tab lists events generated by the selected Sensor(s) for the selected time range. The events are described in the Event Reporting section.
33.5. Anomaly Overview¶
This sub-tab displays trends and summarizations of the anomalies detected by the selected Sensor Interfaces.
33.6. AS Graphs¶
Flow Sensor and Packet Sensor can generate per-autonomous system bandwidth histograms. This feature is enabled for Packet Sensor when the Stats Engine parameter is set to “Full”, and for Flow Sensor when the Stats Engine parameter is set to “Full” or “Extended”.
The inbound traffic represents the traffic received by the AS, while the outbound traffic represents the traffic sent from the AS.
● AS Number(s)Select one of the following options:◦ Upstream – Select to see the traffic sent to or coming from the Autonomous Systems from the list on the right◦ Transit – Select to see the traffic that transited the Autonomous Systems from the list on the right◦ Peering – Select to see traffic to/from your AS peers (PrevAdjacentAS and NextAdjacentAS in NetFlow v9) from the list on the right◦ Downstream – Select to see the traffic to/from your downstream Autonomous Systems from the list on the rightClick the star icon on the right to open a window containing the correct syntax for the AS list. Frequently-searched AS numbers can be saved there, and used at a later time. To see a list of AS numbers owned by a particular organization, go to Help » IP & AS Information » AS Numbers List or consult https://bgp.he.net● Size – Select a predefined graph dimension or enter a custom one in a “<X> x <Y>” format, where <X> and <Y> are the X-axis and Y-axis pixels● Title – Graphs have an automatically-generated title for “Auto”, no title for “None”, or you can enter your own text to be rendered as a title● Legend – Select the level of detail for the graph’s legend● Grouping◦ Sensor Interfaces – When unchecked, a different graph is generated for each selected Sensor Interface. When checked, the data is combined◦ ASNs – Select if you want to view a single graph for multiple AS numbers● Stacking◦ ASNs – Select to stack up to 20 ASNs into a single graph
33.7. Country Graphs¶
Flow Sensor and Packet Sensor can generate per-country bandwidth histograms. This feature is enabled when the Sensor’s Stats Engine parameter is set to “Full” or “Extended”.
● Countries – Select the country or countries from the drop-down list, or click the star icon on the right to open a window with saved selections for continents and world regions● Size – Select a predefined graph dimension or enter a custom one in a “<X> x <Y>” format, where <X> and <Y> are the X-axis and Y-axis pixels● Title – Graphs have an automatically-generated title for “Auto”, no title for “None”, or you can enter your own text to be rendered as a title● Legend – Select the level of detail for the graph’s legend● Grouping◦ Sensor Interfaces – Select to generate a single graph for the selected Sensor Interfaces◦ Countries – Select to view a single graph when multiple countries are selected● Stacking◦ Countries – Select to stack up to 20 countries into a single graph
33.8. Flow Records¶
You can list and filter the flow data collected for the selected Flow Sensor Interfaces. The options are described in detail in the Reports » Tools » Flows section.