5.2. Data

The Data menu contains the main functions for traffic analysis.

History.  If JavaScript is enabled, you can reuse previously entered values in the dialog windows. To open a history dialog window, click on the icon located next to the selected field. The history dialog window contains the last 30 entered values. The following window is an example of the protocol history. To clear the protocol history, click on the "clear history" link.

Figure 5.3. History dialog window.

5.2.1. Trends

Trends is the most used menu in the whole system; it can run all of the available statistics. The list of available statistics depends on the fields of the selected table.

5.2.1.1. Trends conditions

To select a table in the "Table selector", first select the collector and then the table you want to see. If you have not enabled JavaScript, click on the "Select" button to choose the collector and then the wanted table. Your selection will be displayed in the information window below.

In "General parameters" first select one of the following statistics:

  1. Bytes.
  2. Packets.
  3. Top source hosts per byte.
  4. Top source hosts per packet.
  5. Top source hosts distribution.
  6. Top destination hosts per byte.
  7. Top destination hosts per packet.
  8. Top destination hosts distribution.
  9. Top hosts conversations per byte. [1]
  10. Top hosts conversations per packet. [1]
  11. Top applications per byte.
  12. Top applications per packet.
  13. Top protocols per byte.
  14. Top protocols per packet.
  15. Top ToS/DSCP per byte.
  16. Top ToS/DSCP per packet.
  17. Top source TCP/UDP ports per byte.
  18. Top source TCP/UDP ports per packet.
  19. Top destination TCP/UDP ports per byte.
  20. Top destination TCP/UDP ports per packet.
  21. Top source interfaces per byte.
  22. Top source interfaces per packet.
  23. Top destination interfaces per byte.
  24. Top destination interfaces per packet.
  25. Top interface conversations per byte.
  26. Top interface conversations per packet.
  27. Top source ASes per byte.
  28. Top source ASes per packet.
  29. Top destination ASes per byte.
  30. Top destination ASes per packet.
  31. Top AS conversations per byte.
  32. Top AS conversations per packet.
  33. Top next hops per byte.
  34. Top next hops per packet.
  35. Top ICMP messages per byte.
  36. Top ICMP messages per packet.

Figure 5.4. Specifying trends conditions.

The next options control the output formatting: you can select whether to generate a graph, a table or both, and which types of graph you want to see.

In the "time" field you can specify the time interval you want to see. For example, the tenth hourly table is 10:20-10:45, and the weekly table is 2006/02/15 - 2006/02/17. The list of times is separated by commas. Click on the icon to display the history window.

In the "bytes" or "packets" field you can specify which range of bytes or packets you want to see. For example, if you enter the value 1 in the packets field, you will only see flows in which exactly one packet was transferred.

In the "protocols" field you can specify which protocols are shown, for example: TCP, UDP. The list of protocols is separated by commas. The complete list of protocols is in the system file /etc/protocols. Click on the icon to view the list of defined protocols, applications or detected interfaces.

In the "applications" field you can specify which applications you want to see.

The applications field accepts entries in the following formats:

  • tcp/<portname> (e.g. tcp/smtp)
  • tcp/<portnumber> (e.g. tcp/25)
  • udp/<portname> or udp/<portnumber>, the same as for tcp (e.g. udp/53, udp/domain)
  • <protocolname> (e.g. gre, icmp, udp)
  • <application_shortname> (e.g. dc). For application list see Section 4.7, “Application settings”.
  • <application_number> (e.g. 300001).
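As an added example (not code from the CFI manual or product), the following Python parses the applications field into typed values using exactly the grammar listed above. The service, protocol and application tables are constructed stand-ins for /etc/services, /etc/protocols and the Section 4.7 application list, and the function names are assumptions of this example. The point for a web front end is that the field is free text from a browser form: anything outside the documented grammar is rejected here, before a value can reach a query.

```python
# Added example (not CFI's own code): validate and normalise the entries of
# the "applications" field into typed values before they reach a query.
import re

# Constructed lookup tables standing in for /etc/services, /etc/protocols and
# the Section 4.7 application list (assumption: a deployment reads the real ones).
SERVICES = {"smtp": 25, "domain": 53, "http": 80, "https": 443}
PROTOCOLS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47}
APPLICATIONS = {"dc": 300001}  # <application_shortname> -> <application_number>


def parse_application(token):
    """Parse one entry of the applications field.

    Accepted forms: tcp/<portname>, tcp/<portnumber>, udp/<portname>,
    udp/<portnumber>, <protocolname>, <application_shortname>,
    <application_number>.  Returns ("port", proto, port), ("proto", proto)
    or ("app", number); raises ValueError for anything else.
    """
    tok = token.strip().lower()
    if not tok:
        raise ValueError("empty entry")
    if "/" in tok:
        proto, _, port = tok.partition("/")
        if proto not in ("tcp", "udp"):
            raise ValueError(f"only tcp/ and udp/ take a port: {token!r}")
        if re.fullmatch(r"\d+", port):
            number = int(port)
        elif port in SERVICES:
            number = SERVICES[port]
        else:
            raise ValueError(f"unknown service name: {port!r}")
        if not 0 <= number <= 65535:
            raise ValueError(f"port out of range: {number}")
        return ("port", PROTOCOLS[proto], number)
    if tok in PROTOCOLS:
        return ("proto", PROTOCOLS[tok])
    if tok in APPLICATIONS:
        return ("app", APPLICATIONS[tok])
    if re.fullmatch(r"\d+", tok):
        return ("app", int(tok))
    raise ValueError(f"unrecognised entry: {token!r}")


def parse_applications_field(field):
    """Parse the whole comma-separated field; entries are kept in order."""
    return [parse_application(t) for t in field.split(",") if t.strip()]


def is_valid_applications_field(field):
    """True when every entry parses; usable as a pre-check in a form handler."""
    try:
        parse_applications_field(field)
        return True
    except ValueError:
        return False
```

Service and application names are compared case-insensitively, so tcp/SMTP and tcp/smtp are the same entry; a port given by number is still bounds-checked.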

In "TCP flags" you can specify the flags you want to see. The TCP flags field consists of one or two sets of characters, <SAFRPU*> <SAFRPU*>, separated by a space, where S stands for the TCP flag synchronization (SYN), A for acknowledgment (ACK), F for finish (FIN), R for reset (RST), P for push (PSH), U for urgent (URG), and * means all of the above. The first set indicates which TCP flags must be set; the second indicates which TCP flags are checked.

Examples:

  • SA * - find all flows with SYN and ACK set and all remaining flags not set
  • SA SA - find all flows with SYN and ACK set, ignoring the other flags
  • S SF - find all flows with SYN set and FIN not set
  • * - find all flows with all flags set

Note: If you enter only one set of characters (e.g. SA), the second is automatically set to "*".
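The matcher below is an added example, not CFI code: it implements the two-set rule as a required/mask pair using the standard TCP header bit values (FIN 0x01, SYN 0x02, RST 0x04, PSH 0x08, ACK 0x10, URG 0x20), which the manual does not state, and its function names are assumptions. One caveat when reading results: the flags field of a NetFlow record is the cumulative OR of the flags of every packet in the flow, so "SA *" selects flows that only ever carried SYN and ACK (typically a handshake that never completed), not individual SYN/ACK packets.

```python
# Added example (not CFI's own code): evaluate the two-set "TCP flags" filter.
# Bit values follow the TCP header (RFC 793); the manual only names the letters.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = 0x3F  # what '*' stands for: every flag in FLAG_BITS


def _flag_set(chars):
    """Turn 'SA' or '*' into a bitmask; unknown letters are rejected."""
    if chars == "*":
        return ALL_FLAGS
    mask = 0
    for c in chars.upper():
        if c not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag character {c!r}")
        mask |= FLAG_BITS[c]
    return mask


def parse_tcp_flags_filter(spec):
    """Parse '<must be set> [<checked>]' into a (required, mask) pair.

    The first set lists flags that must be set, the second the flags that are
    compared at all; per the Note above a missing second set means '*'.
    """
    parts = spec.split()
    if len(parts) not in (1, 2):
        raise ValueError("expected one or two flag sets separated by a space")
    required = _flag_set(parts[0])
    mask = _flag_set(parts[1]) if len(parts) == 2 else ALL_FLAGS
    if required & ~mask:
        raise ValueError("every required flag must also be in the checked set")
    return required, mask


def flags_match(flow_flags, spec):
    """True when the flow's TCP flags byte satisfies the filter expression."""
    required, mask = parse_tcp_flags_filter(spec)
    return (flow_flags & mask) == required


def is_valid_tcp_flags_filter(spec):
    """True when the expression is well formed, False otherwise."""
    try:
        parse_tcp_flags_filter(spec)
        return True
    except ValueError:
        return False
```

The consistency check rejects an expression such as "SA S", where a flag is required but excluded from the checked set; such a filter could never match anything and is almost always a typo.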

The TOS byte in the IPv4 header has had various purposes over the years, and has been defined in different ways by five different RFCs (RFC 791, RFC 1122, RFC 1349, RFC 2474, and RFC 3168). The modern definition of the TOS byte is a six-bit Differentiated Services Code Point and a two-bit Explicit Congestion Notification field. For a full history of the TOS byte, see Section 22 of RFC 3168.

The current CFI version accepts the following values:

  • ToS values: 0-255
  • DSCP values: AF11, AF12, AF13, AF21, AF22, AF23, AF31, AF32, AF33, AF41, AF42, AF43, BE, EF, CS1 - CS7, NC1 and NC2.
  • RFC 791 notation: P0-P7DTR

    where P0-P7 is the precedence value, the character 'D' means minimize delay, 'T' means maximize throughput and 'R' means maximize reliability.
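To make the three notations comparable with the ToS byte stored in a flow record, the added example below (not CFI code) converts each of them to a byte value and a comparison mask. The DSCP code points follow RFC 2474 (class selectors), RFC 2597 (AF) and RFC 3246 (EF), which the manual does not spell out; the page lists NC1 and NC2 without defining them, so this example assumes they are the two network-control classes CS6 (48) and CS7 (56). The choice to mask off the two ECN bits when a DSCP name or RFC 791 precedence is given is also this example's own: a router on the path may set ECN, and a filter for "EF" should still match such flows.

```python
# Added example (not CFI's own code): turn the three ToS notations the manual
# accepts into a byte value and a comparison mask, then match a flow's ToS byte.
import re

# Standard DSCP code points (RFC 2474 class selectors, RFC 2597 AF, RFC 3246 EF).
# The page lists the names NC1 and NC2 without defining them; assumption here:
# NC1 = CS6 (48) and NC2 = CS7 (56), the two network-control precedences.
_FIXED_DSCP = {"BE": 0, "EF": 46, "NC1": 48, "NC2": 56}


def dscp_name_to_codepoint(name):
    """Map AFxy / CSn / BE / EF / NC1 / NC2 to a 6-bit DSCP value."""
    n = name.strip().upper()
    if n in _FIXED_DSCP:
        return _FIXED_DSCP[n]
    m = re.fullmatch(r"CS([1-7])", n)
    if m:                                     # CSn = class n, drop precedence 0
        return int(m.group(1)) << 3
    m = re.fullmatch(r"AF([1-4])([1-3])", n)
    if m:                                     # AFxy = class x, drop precedence y
        return (int(m.group(1)) << 3) | (int(m.group(2)) << 1)
    raise ValueError(f"unknown DSCP name: {name!r}")


def parse_tos_value(text):
    """Return (tos_byte, mask) for one ToS/DSCP filter value.

    "0".."255"        raw ToS byte, compared in full (mask 0xFF);
    "AF11", "EF", ... DSCP name shifted into the top six bits; the mask 0xFC
                      ignores the two ECN bits (RFC 3168) a router may set;
    "P3DT", "P0", ... RFC 791 notation: precedence in the top three bits,
                      then D (0x10), T (0x08), R (0x04); bits 0-1 were
                      reserved, so they are masked off as well.
    """
    t = text.strip().upper()
    if re.fullmatch(r"\d+", t):
        value = int(t)
        if value > 255:
            raise ValueError(f"ToS byte out of range: {value}")
        return value, 0xFF
    m = re.fullmatch(r"P([0-7])([DTR]*)", t)
    if m:
        flags = m.group(2)
        if len(set(flags)) != len(flags):
            raise ValueError(f"repeated D/T/R flag in {text!r}")
        value = int(m.group(1)) << 5
        value |= 0x10 if "D" in flags else 0
        value |= 0x08 if "T" in flags else 0
        value |= 0x04 if "R" in flags else 0
        return value, 0xFC
    return dscp_name_to_codepoint(t) << 2, 0xFC


def tos_matches(flow_tos, text):
    """True when the flow's ToS byte equals the filter value under its mask."""
    value, mask = parse_tos_value(text)
    return (flow_tos & mask) == value


def is_valid_tos_value(text):
    """True when the value is one of the three accepted notations."""
    try:
        parse_tos_value(text)
        return True
    except ValueError:
        return False
```

A useful sanity check on the conversion is that the RFC 791 value P5DT and the DSCP name EF both come out as ToS byte 184 (0xB8), which is why older equipment marking voice traffic with precedence 5 plus low delay and high throughput interoperates with EF.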

You can combine the source and destination windows with a logical operator. The possible values are:

  1. source AND destination,
  2. source OR destination,
  3. source->destination OR destination->source.

In "Optional parameters" you can disable domain name resolution, disable counting of total sums, enable display of the residual part (the remainder outside the top ten), display exact size values (bytes instead of their kilobyte or megabyte equivalent), or convert byte values to bits per second. You can also specify the link capacity to be displayed in the graph. Link capacity is given in bits per second, but you can use values in kilobits or megabits; for example, 10m means ten megabits per second.

The fields in the source and destination windows differ depending on the selected table.

The following field types can appear:

  • IP address range (possible values):
    • Single IP address (10.1.1.1).
    • Domain name (web.mydomain.com).
    • List of IP addresses (10.1.1.1, 10.2.1.1, web.mydomain.com).
    • Range of IP addresses (10.3.1.1-10.3.255.255).
    • IP networks (10.0.0.0/8, 192.168.0.0/16).
    • IP network list defined via Section 4.6, “Network settings”.
    • Exclude range of network (10.0.0.0/8, !10.1.0.0-10.5.255.255)

    All of the previous types can be combined. The field separator can be a comma or a semicolon. You can also use the exclude character '!' to exclude a single IP address or a range of IP addresses from the list.

    Warning: Domain names can't be used together with IP address ranges!
  • IP network list. You can select network lists defined in Section 4.6, “Network settings”.
  • Port range. In the "Port" field you can use the same values as in the "Applications" field, but without the application-specific extensions (application short name or application number), e.g. 80,135,137-139.
  • Interface. You can use an interface ifIndex number, a list of interfaces or a range (e.g. 1,10,20-25).
  • AS range. You can use an autonomous system number, a list of autonomous systems or a range (e.g. 1000,1902,5000-5005).
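The following added example (not CFI code; function names are this example's own) evaluates the source/destination notations listed above against a flow's values: address terms with comma or semicolon separators, CIDR networks, first-last ranges and '!' exclusions, plus the shared number/list/range notation of the Port, Interface and AS fields. Domain names are deliberately not resolved, so the code runs offline; a name in the field is reported as an error rather than silently matching nothing.

```python
# Added example (not CFI's own code): evaluate the source/destination field
# notations listed above against a flow's values.
import ipaddress


def _parse_ip_term(term):
    """One term: single address, a.b.c.d/len network, or first-last range."""
    if "/" in term:
        return [ipaddress.ip_network(term, strict=False)]
    if "-" in term:
        lo, _, hi = term.partition("-")
        first, last = ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())
        if last < first:
            raise ValueError(f"range end precedes start: {term!r}")
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(term)]  # a single host becomes a /32 (or /128)


def parse_address_field(field):
    """Split on ',' or ';' and sort terms into include and '!' exclude lists.

    Domain names are not resolved here (the example stays offline, and per the
    Warning above they cannot be mixed with ranges), so a name raises ValueError.
    """
    include, exclude = [], []
    for raw in field.replace(";", ",").split(","):
        term = raw.strip()
        if not term:
            continue
        negate = term.startswith("!")
        try:
            nets = _parse_ip_term(term.lstrip("!").strip())
        except ValueError as e:
            raise ValueError(f"cannot parse {term!r} as an address term: {e}")
        (exclude if negate else include).extend(nets)
    if not include:
        raise ValueError("field needs at least one non-excluded term")
    return include, exclude


def address_matches(addr, field):
    """True when addr falls inside an include term and inside no exclude term."""
    a = ipaddress.ip_address(addr)
    include, exclude = parse_address_field(field)
    return any(a in n for n in include) and not any(a in n for n in exclude)


def is_valid_address_field(field):
    """True when every term of the field parses as an address, network or range."""
    try:
        parse_address_field(field)
        return True
    except ValueError:
        return False


def parse_int_ranges(field, hi=65535):
    """Port, interface or AS notation ("80,135,137-139") -> sorted (lo, hi) pairs.

    hi bounds the accepted values: 65535 for ports, 4294967295 for AS numbers.
    """
    ranges = []
    for raw in field.replace(";", ",").split(","):
        term = raw.strip()
        if not term:
            continue
        lo_s, dash, hi_s = term.partition("-")
        lo = int(lo_s)
        up = int(hi_s) if dash else lo
        if not 0 <= lo <= up <= hi:
            raise ValueError(f"bad range {term!r}")
        ranges.append((lo, up))
    return sorted(ranges)


def int_in_ranges(value, field, hi=65535):
    """True when value lies in one of the ranges of the field."""
    return any(lo <= value <= up for lo, up in parse_int_ranges(field, hi))
```

Ranges are kept as (lo, hi) pairs rather than expanded into sets, so an AS range such as 5000-5005 costs the same as a range covering most of the 32-bit AS space.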

After completing the search conditions, start the search by clicking on the "Search" button, or save the search conditions to a trends profile by clicking on the "Save to profile" button. After saving the conditions you will see an information window (see the picture below).

Figure 5.5. Saving conditions into profile.

5.2.1.2. Trends output

The pictures below show various examples of search results formatted into a graph.

Figure 5.6. Accumulated lines graph.

Figure 5.7. Non-accumulated lines graph.

Figure 5.8. Accumulated bars graph.

The product offers several formats for search results; one of them is a table. An example is shown in the following picture:

Figure 5.9. Search results formatted into table.

5.2.1.3. Trends data export

Output data can be exported to a CSV-formatted file, which can be opened in other applications, for example Microsoft Excel or the OpenOffice package. When you click on the "Export" link in the left dialog menu, an export window is displayed, where you can specify the filename, time format and field header.

For the time format you can use the codes listed below:

  • %y - year as a decimal number without a century (range 00 to 99),
  • %m - month as a decimal number (range 01 to 12),
  • %d - day of the month as a decimal number (range 01 to 31),
  • %H - hour as a decimal number using a 24-hour clock (range 00 to 23),
  • %M - minute as a decimal number,
  • %S - second as a decimal number,
  • %Y - year as a decimal number including the century,
  • %x - preferred date representation for the current locale without the time,
  • %X - preferred time representation for the current locale without the date.

For example you can use time format: %x %X.

A complete list of time format codes is in the PHP documentation: http://www.php.net/manual/en/function.strftime.php.

The export is saved to a temporary file, which you can download via the main menu "Exports". After downloading it successfully, it is recommended to delete the file to save disk space.

5.2.1.4. Trends email data

This feature allows you to send the output data via SMTP to a specific email address. When you click on the "Email results" link in the left dialog menu, an email window is displayed, where you can specify the email address, subject and comment.

Figure 5.10. Email dialog window.

[1] If a top conversations statistic is chosen, domain name resolution is disabled in the graph.