34. Reports » Tools » Flows

The Reports » Tools panel contains the Flows item only when there is at least one Flow Sensor in use. In this tab you can list, aggregate, filter, and sort flow records, generate traffic tops and statistics. The raw flow data is stored on disk at five-minute intervals, meaning that after a flow is sent, it can take up to five minutes before it becomes queryable.

34.1. Flow Records

In this sub-tab you can list and filter flow data.

● Sensor Interfaces – Select the interfaces that interest you. Guest accounts may have limited visibility

● Flow Filtering Expression – You can enter a filtering expression for flows. Click the star icon on the right to open a window that shows the correct syntax. Frequently-used filtering expressions can be saved there and reused at any later time

● Export – The output can be viewed in several formats such as HTML, TEXT, JSON or CSV, converted to PDF, emailed or printed. If you need to list very large amounts of flow data, doing it solely from the web browser is not a good idea because the page will timeout after a few minutes. In this case, select the CLI option to view the shell command used for listing flows. You can then execute that command from the shell and forward the output to a file

● Time Range – Select a predefined time range, or select Custom… to enter a specific time interval in order to list only the flows that started or ended inside the interval. Time zone differences between the Console server and remote Flow Sensor servers are not adjusted automatically

● Limit – Show only the first <number> flows. To list more than 50000 flows, use the CLI option from the Export menu

● Aggregation – By default, flows are not aggregated. By checking the appropriate options, you can choose how to aggregate flows. You can aggregate entire subnets by selecting src(dst)IPv4(IPv6)/<subnet bits>

● Sorting – When listing flows sent by different interfaces, you can sort them after the start time of the flows. Otherwise, the flows are listed in the order of the Sensor Interfaces

● Display – You can select several predefined output formats, or you can enter your own format by selecting Custom…. Each predefined output format changes the options from the Display Options menu

● Display Options – Click this button to choose how to display several columns. Check Include Unmonitored Ifs if you want to include flow data generated by interfaces not monitored by Flow Sensor

Note

If no data is shown and the Flow Sensor is not running on the Console server, follow the NFS configuration steps.

34.2. Flow Tops

In this sub-tab you can generate tops from flow data.

● Sensor Interfaces – Select the interfaces that interest you. Guest accounts may have limited visibility

● Flow Filtering Expression – You can enter a filtering expression for flows. Click the star icon on the right to open a window that shows the correct syntax. Frequently-used filtering expressions can be saved there and reused at any later time

● Top Type – Select one of the items from the drop-down menu

● Order By – Select the sorting unit

● Export – The output can be viewed in several formats such as HTML, TEXT, JSON or CSV, converted to PDF, emailed or printed. If you need to list very large amounts of top data, doing it solely from the web browser is not a good idea because the page will timeout after a few minutes. In this case, select the CLI option to view the shell command used for generating the top. You can then execute that command from the shell and forward the output to a file

● Time Range – Select a predefined time range, or select Custom… to enter a specific time interval in order to analyze only the flows that started or ended inside the interval. Time zone differences between the Console server and remote Flow Sensor servers are not adjusted automatically

● Top – Limit the top listing to the first <number> records. To list more than 500 records, use the CLI option from the Export menu

● Aggregation – By default, flows are not aggregated. By checking the appropriate options, you can select how to aggregate flows. You can aggregate entire subnets by selecting src(dst)IPv4(IPv6)/<subnet bits>

● Limit – Limit the output to only those records whose packets or bytes match the specified condition

● Display – You can select several predefined output formats, or you can enter your own format by selecting Custom…. Each predefined output format changes the options from the Display Options menu

● Display Options – Click this button to choose how to display several columns. Check Include Unmonitored Ifs if you want to include flow data generated by interfaces not monitored by Flow Sensor

Note

If no data is shown and the Flow Sensor is not running on the Console server, follow the NFS configuration steps.