37. Reports » Devices » Sensors¶
Clicking on a Sensor anywhere in the Console opens a tab with specific information. The tab includes a few sub-tabs located at the lower side of the window. Every sub-tab shares the following common toolbar fields:
● Sensor Interfaces – Select the Sensor interfaces you are interested in, or select All. Administrators can restrict which Sensors are accessible by guest accounts● Time Range – Select a predefined time range, or select Custom… to enter a specific time interval
37.1. Sensor Dashboard¶
In this sub-tab you can view widgets with the data collected by Sensors. The configuration of the Sensor Dashboard does not apply solely to a particular Sensor, so the changes you make here are visible for other Sensor Dashboards as well. The operation of dashboards is described in the Reports » Dashboards chapter.
The configuration of Sensor widgets is outlined in the following paragraphs.
37.2. Sensor Graphs¶
In this sub-tab you can view a variety of Sensor-related histograms for the selected Sensor Interface(s):
● Data Units – Select one or more data units:• Most Used – Frequently-used data units• Packets – Inbound packets/second (+ on Y-axis) and outbound packets/second (- on Y-axis)• Bits – Inbound bits/second (+ on Y-axis) and outbound bits/second (- on Y-axis)• Applications – Sensor can collect application-specific distribution data for HTTP, HTTPS, SMTP, POP3, IMAP, SNMP, FTP, SSH, TELNET, SQL, NETBIOS, MS-DS, MS-RDP, DNS, ICMP, and OTHERS. These graphs are not generated when the Sensor’s Stats Engine parameter is set to Disabled• Internal & External IPs – Number of IP addresses that send or receive traffic. The “internal”/“external” IPs are the hosts located inside/outside the IP Zone. The Sensor’s Stats Engine parameter enables or disables monitoring of external IPs. A spike in the Internal IPs graph usually means that an IP class scan was performed against your IP blocks. A spike in the external IPs graph usually means that you have received a spoofed attack from random sources• Received Frames – For Packet Sensor, it represents the number of packets/s received before IP or MAC validation. For Flow Sensor, it represents the number of flows/s received before IP or AS validation• Dropped Frames – For Packet Sensor, it represents the number of packets dropped by the packet capturing engine. A high number indicates a sniffing performance problem. For Flow Sensor, it represents the number of unaccounted flows. A high number indicates a wrong configuration or a network connectivity issue with the flow exporter• Unknown Frames – For Packet Sensor it represents the rate of packets not passing IP validation. For Flow Sensor it represents the rate of invalidated flows• Unknown Sources – Source IP addresses that did not pass IP validation• Unknown Destinations – Destination IP addresses that did not pass IP validation• Avg. Packet Size – Average packet size calculated as bits/packet• CPU% – Percentage of CPU resources used by the Sensor process• RAM – Amount of RAM used by the Sensor process• Load – Load reported by the Linux kernel for 5-minute intervals• IP Graphs – Number of IP graphs files updated• IP Accounting – Number of IP accounting records updated• Profile Graphs – Number of profiling files updated• IP Graphs Time – Seconds needed to update the IP graphs files• Profile Graphs Time – Seconds needed to update the profiling files• Processing Time – Seconds needed to perform traffic analysis functions• IP Structures – Number of Internal IP structures necessary to keep track of IPs• IP Structure RAM – RAM bytes used by each IP structure• Flow Interface Packets – For Flow Sensor it represents the packets/second before any IP/AS validation (should match interface counters), without doing flow-duration adjustment or considering the interface direction. Useful for troubleshooting, available only with InfluxDB• Flow Interface Bits – For Flow Sensor it represents the bits/second before any IP/AS validation (should match interface counters), without doing flow-duration adjustment or considering the interface direction. Useful for troubleshooting, available only with InfluxDB• Flow Export Time – On the positive side, it shows the delay distribution of the Start Time of the flows, and on the negative side, it shows the delay distribution of the Stop Time of the flows. Available only with InfluxDB• Dataplane – Parameters collected from the DPDK-based Capture Engine• Bytes/time unit – Bytes/<time unit> throughput value● Size – Select a predefined graph dimension or enter a custom one in “<X> x <Y>” format, where <X> and <Y> are the X-axis and Y-axis pixels● Title – Graphs have an automatically-generated title for the Auto option, no title for the None option, or you can enter your own text to be rendered as a title● Legend – Select the level of detail for the graph legend● Consolidation – If you are interested in spikes, choose the MAXIMUM aggregation type. If you are interested in average values, choose AVERAGE. If you are interested in low values, choose the MINIMUM aggregation type● Grouping• Sensor Interfaces – Select to generate a single graph for the Sensor Interfaces selected● Stacking• Sensor Interfaces – Select to view the summed up, stacked values for multiple Sensor Interfaces
37.3. Sensor Tops¶
In this sub-tab you can generate various traffic tops.
● Decoders – Select the decoder that analyzes the traffic that interests you● Top Unit – Select a top unit:• Talkers – Hosts from your network that sent or received the most traffic for the selected decoder. Not available when the Stats Engine parameter from the Sensor configuration is set to Disabled• IP Groups – IP groups that sent or received the most traffic for the selected decoder. Not available when the Stats Engine parameter from the Sensor configuration is set to Disabled• External IPs – External IPs that sent or received the most traffic for the selected decoder. Available when the Stats Engine parameter from the Sensor configuration is set to Extended or Full• Upstream ASNs – Autonomous systems that sent or received the most traffic. Available only when the Stats Engine parameter from the Sensor configuration is set to Extended or Full• Transit/Peering/Downstream ASNs – Available only when the Sensor is configured to extract Transit AS data from a BGP dump file in MTR format• Countries – Countries that sent or received the most traffic. Available only when the Stats Engine parameter from the Sensor configuration is set to Extended or Full• TCP Ports – Most-used TCP ports. Not available when the Stats Engine parameter from the Sensor configuration is set to Disabled• UDP Ports – Most-used UDP ports. Not available when the Stats Engine parameter from the Sensor configuration is set to Disabled• IP Protocols – Most-used IP protocols (the protocol used in the data portion of the IP datagram). Not available when the Stats Engine parameter from the Sensor configuration is set to Disabled• IP Versions – Counters for IPv4 traffic and IPv6 traffic. Not available when the Stats Engine parameter from the Sensor configuration is set to Disabled● Traffic Direction – Direction of traffic: All, Inbound or Outbound● Display Options – Various display options● Grouping• Sensor Interfaces – When unchecked, a different top is generated for each selected Sensor Interface. When checked, the top data is combined
You can increase the number of top records and add new decoders in General Settings » Graphs & Storage. Generating tops for many Sensor Interfaces and long time ranges may take minutes. If the report page timeouts, increase the value of the max_execution_time parameter from php.ini.
37.4. Sensor Events¶
In this sub-tab you can see the events generated by the selected Sensor(s) during the specified time range.
37.5. Anomaly Overview¶
In this sub-tab you can generate trends and summarizations of the anomalies detected by the selected Sensor Interfaces.
37.6. AS Graphs¶
Flow Sensor and Packet Sensor can generate per Autonomous System bandwidth histograms. This feature is enabled in Packet Sensor when the Stats Engine parameter is set to Full, and in Flow Sensor when the Stats Engine parameter is set to Full or Extended. The inbound traffic represents the traffic received by the AS, while the outbound traffic represents the traffic sent from the AS.
● AS Number(s) – Select one of the following options:• Upstream – Shows the traffic sent to or coming from the Autonomous Systems from the list on the right• Transit – Shows the traffic that transited the Autonomous Systems from the list on the right• Peering – Shows the traffic to/from your AS peers (PrevAdjacentAS and NextAdjacentAS in NetFlow v9) from the list on the right• Downstream – Shows the traffic to/from your downstream Autonomous Systems from the list on the rightClick the star icon on the right to open a window containing the correct syntax for the AS list. Frequently-searched AS numbers can be saved there and used at a later time. To see a list of AS numbers owned by a particular organization, go to Help » IP & AS Information » AS Numbers List or search https://bgp.he.net● Size – Select a predefined graph dimension or enter a custom one in a “<X> x <Y>” format, where <X> and <Y> are the X-axis and Y-axis pixels● Title – Graphs have an automatically-generated title for Auto, no title for None, or you can enter your own text to be rendered as a title● Legend – Select the level of detail for the graph legend● Grouping• Sensor Interfaces – When unchecked, a different graph is generated for each selected Sensor Interface. When checked, the data is combined• ASNs – Select if you want to view a single graph for multiple AS numbers● Stacking• ASNs – Select to stack up to 20 ASNs into a single graph
37.7. Country Graphs¶
Flow Sensor and Packet Sensor can generate per-country bandwidth histograms. This feature is enabled when the Stats Engine parameter from the Sensor configuration is set to Full or Extended.
● Countries – Select the country or countries from the drop-down list, or click the star icon on the right to open a window with saved selections for continents and world regions● Size – Select a predefined graph dimension or enter a custom one in a “<X> x <Y>” format, where <X> and <Y> are the X-axis and Y-axis pixels● Title – Graphs have an automatically-generated title for Auto, no title for None, or you can enter your own text to be rendered as a title● Legend – Select the level of detail for the graph legend● Grouping• Sensor Interfaces – Select to generate a single graph for the selected Sensor Interfaces• Countries – Select to view a single graph when multiple countries are selected● Stacking• Countries – Select to stack up to 20 countries into a single graph
37.8. Flow Records¶
In this sub-tab you can list and filter the flow data collected for the selected Flow Sensor Interfaces. The options are described in detail in the Reports » Tools » Flows chapter.