The Factors page identifies common elements or "factors" in network traffic.
- How is the factors table constructed?
- How do I navigate the network hierarchy?
- How do I select the information displayed on the chart?
- How do I display information on items in the chart?
- How do I create a filter to select specific flows?
The factors table is constructed by computing all combinations of different source and destination attributes of packet flows. Each unique combination of attributes represents a single "factor" and each factor is represented as a row in the table. For example, a distributed denial of service attack might appear as a factor with 50% of frames originating from the EXTERNAL Zone and Group with the Data Center as the destination Zone, a particular web server as the destination address and TCP:80 (www-http) as the destination port.
The factors table consists of three parts:
- Weights, these bars represent the relative contribution of each row in the table to the following metrics:
  - #Flows, the number of packet flows or connections associated with the row. Scanning behavior or a denial of service attack may be associated with a large number of flows.
  - Frames, the number of frames or packets associated with the row. Broadcast/multicast storms or denial of service attacks may be associated with large frame counts.
  - Bytes, the number of bytes or octets associated with the row. Congestion problems are associated with high byte counts.
- Source, attributes relating to the source of packets, including the source Zone, Group, Address and Port/Protocol.
- Destination, attributes relating to the destination of packets, including the destination Zone, Group, Address and Port/Protocol.
Clicking on one of the Weight column headings sorts the table by that column (changing the Sort setting in the filter bar performs the same function). Clicking on a source or destination address or a port links to additional information (see Search>Host and Search>Protocol). Finally, clicking on one of the weight bars filters the table so that only traffic matching the factor is selected and sorts the results by the selected weight.
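The following added example (not Traffic Sentinel's own code) shows how a factors table of the kind described above can be built from individual flow records: every non-empty combination of source and destination attribute values seen in a flow is a candidate factor, each factor's weights are its share of total flows, frames and bytes, and the Truncate and Sort settings are applied afterwards. The attribute field names, the flow record layout and the sample traffic are all constructed for this example; the product's actual algorithm is not shown on this page, and the brute-force enumeration over all attribute subsets used here is only practical for small inputs.

```python
from collections import defaultdict
from itertools import combinations

# Attributes a factor can be built from (field spellings are this example's own).
ATTRS = ("sourcezone", "sourcegroup", "ipsource", "sourceport",
         "destinationzone", "destinationgroup", "ipdestination", "destinationport")
WEIGHTS = ("flows", "frames", "bytes")

def flow(szone, sgroup, src, sport, dzone, dgroup, dst, dport, frames, nbytes):
    """One packet flow record with its frame and byte counts."""
    return dict(zip(ATTRS, (szone, sgroup, src, sport, dzone, dgroup, dst, dport)),
                frames=frames, bytes=nbytes)

# Constructed sample flows (not real traffic): five flows from distinct external
# addresses to one web server, three office HTTPS flows and two DNS lookups.
FLOWS = (
    [flow("EXTERNAL", "EXTERNAL", f"203.0.113.{i}", f"TCP:{4000 + i}",
          "Data Center", "Web", "10.0.0.10", "TCP:80", 1000, 60000) for i in range(1, 6)]
    + [flow("Office", "Sales", f"10.1.1.{i}", f"TCP:{50000 + i}",
            "Data Center", "Web", "10.0.0.10", "TCP:443", 100, 50000) for i in (21, 22, 23)]
    + [flow("Office", "Research", f"10.2.0.{i}", "UDP:53000",
            "Data Center", "DNS", "10.0.0.53", "UDP:53", 10, 2000) for i in (7, 8)]
)

def factor_table(flows, attrs=ATTRS):
    """Build the factors table: one row per distinct combination of attribute
    values, weighted by its share (percent) of total flows, frames and bytes."""
    totals = defaultdict(int)
    acc = defaultdict(lambda: defaultdict(int))
    for f in flows:
        counts = {"flows": 1, "frames": f["frames"], "bytes": f["bytes"]}
        for w in WEIGHTS:
            totals[w] += counts[w]
        # Every non-empty subset of attributes, with this flow's values, is a factor.
        for k in range(1, len(attrs) + 1):
            for subset in combinations(attrs, k):
                key = tuple((a, f[a]) for a in subset)
                for w in WEIGHTS:
                    acc[key][w] += counts[w]
    return [{"factor": dict(key),
             "weights": {w: 100.0 * c[w] / totals[w] for w in WEIGHTS}}
            for key, c in acc.items()]

def truncate(rows, percent):
    """Truncate setting: drop factors that do not reach `percent` on any weight."""
    return [r for r in rows if max(r["weights"].values()) >= percent]

def sort_rows(rows, by="All"):
    """Sort setting: by one weight, or by the maximum of all weights for 'All'."""
    key = (lambda r: max(r["weights"].values())) if by == "All" else (lambda r: r["weights"][by])
    return sorted(rows, key=key, reverse=True)

def find(rows, **attrs):
    """Return the row whose factor is exactly the given attribute/value set."""
    return next((r for r in rows if r["factor"] == attrs), None)

if __name__ == "__main__":
    for r in sort_rows(truncate(factor_table(FLOWS), 40.0))[:8]:
        print({w: round(v, 1) for w, v in r["weights"].items()}, r["factor"])
```

With the constructed data, the factor "source zone EXTERNAL, destination zone Data Center, destination 10.0.0.10, port TCP:80" carries 50% of flows and about 94% of frames, which is the denial of service pattern the text describes; a Truncate setting of 25% removes the DNS factors, which reach only 20% on their strongest weight.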
The Filter bar at the top of the screen provides a way to navigate through the network hierarchy (see File>Configure to see how to group network devices). At the top level, a list of Zones is shown. Once you have selected a zone, the view drills down to show only information from the selected zone, and a list of Groups appears. Select a group and the view drills down to show only information from the selected group, and a list of Agents appears. Finally, if you select an agent, its Interfaces are shown. Click on the links at any level in the path to move back up the tree to that level. Click on the Show Map button to view a map of the selected part of the network (see Sentinel:Maps>Layer 2). If a single agent has been selected, an Agent Details button will appear; click on it to see detailed information about the agent (see Sentinel:Search>Agent/Interface). Finally, if a single interface is selected, an Explore button will appear; click on it to see long term trends for the interface (see Sentinel:Report>Explore).
The following Filter settings are available:
- Show: specifies whether to show data from all network interfaces, or only those for which there are current threshold violations.
- Host: this button allows you to select traffic for a selected address. Any address that has been clicked on or entered on the Sentinel:Search>Host page during this session will be offered in the list. If you want to filter on an address that is not in the list, navigate to the Sentinel:Search>Host page, enter the address, and then come back to this page afterwards.
- Protocol: this button allows you to add a filter to show only traffic for a selected protocol. Any protocol that has been clicked on or entered on the Sentinel:Search>Protocol page during this session will be offered in the list. If you want to filter on a protocol that is not in the list, navigate to the Sentinel:Search>Protocol page, enter the protocol, and then come back to this page afterwards. Some common protocol filters are always included here for convenience.
- Sort: select which weight to sort the table by, or select All to sort by the maximum of all the weights in each row.
- Truncate: specify a percentage used to truncate the data. If a factor doesn't contribute at least this percentage to at least one weight, it is removed.
- Date: select a date; clicking on today's date will track the most recent data.
- Time: selects the hour at the start of the Interval; Now will track the most recent data.
- Interval: select the number of minutes of data to display. The interval starts from the specified Time, or, if Time is set to Now, covers an interval going back from the current minute.
- Where: used for custom filtering of the flows (see How do I create a filter to select specific flows?).
By default, the legend in a bar chart will reflect the top contributors to the latest bar. Click on any bar to see the top contributors during that minute (and any traffic they may have generated at other times). Click on the last bar to restore the default behavior of displaying contributors to the most recent minute. The gray part of each bar represents traffic not attributable to the sources in the legend.
Click on addresses, protocols, or flows in the legend to obtain further information on the selected item. If you click on an address, information about the address (including its location in the network) will be displayed (see Search>Host). If you click on a protocol, information about the protocol will be displayed (see Search>Protocol). Finally, if you select a source/destination flow, you will see information about the path that the traffic takes through the network (see Search>Path). Click on the Traffic tab to return to your chart.
Note: You must click on a protocol or host if you want to be able to use it as a filter in other Chart selections.
The Where box is used to filter traffic queries so that only selected traffic is shown. A filter expression can be entered directly into the input box. Clicking on the OK button applies the filter. Clicking on the Clear button will remove the filter.
An easier way to construct filters is to click on the Edit button to display additional inputs used to construct the filter expression. The first input consists of a selection box containing attributes that can be compared, a selection box containing comparison operators and an input area to specify the values to be compared to the selected attribute. Clicking the Add button appends the comparison to the current filter. There are also boolean operator buttons (& and |) and bracket buttons that can be used to combine comparison expressions to form more complex filters. The filter builder only enables buttons and inputs when they are allowed in the filter expression that is being constructed. Once the desired filter has been constructed, click on the OK button to apply it.
Note: If you just want to filter on a Host or Protocol then it is easier to set the Host and Protocol options in the Filter bar, rather than constructing a Where filter.
A basic filter expression consists of the name of an attribute, an operator and a set of comma separated values. The allowed operators are:
- = equals
- != not equals
- ~ matches a regular expression
- !~ does not match a regular expression
Expressions can be combined using brackets and the boolean operators:
- & boolean AND
- | boolean OR
The following examples illustrate typical where filters:
- ipsource = 10.1.1.23
- ipdestination != 10.0.0.0/24,10.0.1.0/24
- serverport = TCP:80,TCP:81,TCP:8080-8088
- sourcezone ~ research.*
- ipsource = 10.0.0.1 & ipdestination = 10.0.0.2
- ipsource = 10.0.0.1 & (sourceport = TCP:80 | destinationport = TCP:80)
- sourcezone = EXTERNAL | destinationzone = EXTERNAL
Note: The special zone EXTERNAL refers to addresses that aren't contained in any of the CIDRs specified using File > Configure.
WARNING Care should be taken if a value in a filter expression contains any of the following special characters: (, ), &, |, !, =, ~, ",', \, comma or space. If the value contains any of these characters then the whole value string can be enclosed in single or double quotes, or the special characters can be individually escaped with a \. The following examples show different ways of using the value "Research & Development" in filters:
- serverzone = "Research & Development", Sales
- clientzone = 'Research & Development'
- sourcezone = Research\ \&\ Development
- serverpath = ">>Research & Development>Data Center"
Note: Special characters typically occur because they are used in Zone or Group names when configuring Traffic Sentinel (see File>Configure). Care should be taken when filtering on zone, group or path attributes.
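The following added example (not Traffic Sentinel's own code) implements the Where filter syntax described above as a small parser and evaluator: comparisons of the form attribute, operator, comma-separated values; the =, !=, ~ and !~ operators; & and | with brackets; and values that are quoted or have their special characters escaped with \. The flow records and the attribute names they carry are constructed for the example. Three points are this example's own assumptions rather than anything the page states: a value containing / is treated as a CIDR block, a value of the form PROTO:lo-hi is treated as a port range (so that the page's own examples evaluate as the reader would expect), and ~ is implemented as a search for the regular expression anywhere in the attribute value.

```python
import ipaddress
import re

# One token per match: punctuation, an operator, a quoted value, or a bare value in
# which a backslash escapes the next character. The characters excluded from a bare
# value are exactly the special characters listed on the page.
TOKEN_RE = re.compile(r"""\s*(?:(?P<punct>[()&|,])|(?P<op>!=|!~|=|~)|"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<bare>(?:\\.|[^()&|!=~"'\\,\s])+))""")

def tokenize(text):
    """Split a Where expression into ('word' | 'op' | 'punct', value) tokens."""
    text, tokens, pos = text.strip(), [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"bad input at offset {pos}: {text[pos:]!r}")
        pos, kind = m.end(), m.lastgroup
        if kind == "bare":                       # drop the escaping backslashes
            tokens.append(("word", re.sub(r"\\(.)", r"\1", m.group(kind))))
        elif kind in ("dq", "sq"):               # quoted value, taken literally
            tokens.append(("word", m.group(kind)))
        else:
            tokens.append((kind, m.group(kind)))
    return tokens

class Parser:
    """expr := term ('|' term)*;  term := factor ('&' factor)*
    factor := '(' expr ')' | attribute op value (',' value)*"""
    def __init__(self, text):
        self.toks, self.pos = tokenize(text), 0
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else (None, None)
    def take(self, kind, value=None):
        k, v = self.peek()
        if k != kind or (value is not None and v != value):
            raise ValueError(f"expected {value or kind}, got {v!r}")
        self.pos += 1
        return v
    def parse(self):
        node = self.expr()
        if self.peek()[0] is not None:
            raise ValueError(f"trailing input: {self.peek()[1]!r}")
        return node
    def expr(self):
        node = self.term()
        while self.peek() == ("punct", "|"):
            self.take("punct"); node = ("or", node, self.term())
        return node
    def term(self):
        node = self.factor()
        while self.peek() == ("punct", "&"):
            self.take("punct"); node = ("and", node, self.factor())
        return node
    def factor(self):
        if self.peek() == ("punct", "("):
            self.take("punct"); node = self.expr(); self.take("punct", ")"); return node
        attr, op, values = self.take("word"), self.take("op"), [self.take("word")]
        while self.peek() == ("punct", ","):
            self.take("punct"); values.append(self.take("word"))
        return ("cmp", attr, op, values)

def value_matches(actual, pattern):
    """'=' for one value: CIDR for addresses, PROTO:lo-hi for port ranges, else literal
    (the CIDR and range interpretations are assumptions of this example)."""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(actual) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    m = re.fullmatch(r"([A-Za-z]+):(\d+)-(\d+)", pattern)
    if m and ":" in actual:
        proto, port = actual.split(":", 1)
        return (proto.upper() == m.group(1).upper() and port.isdigit()
                and int(m.group(2)) <= int(port) <= int(m.group(3)))
    return actual == pattern

def evaluate(node, flow):
    """Evaluate a parsed expression against one flow record (a dict of attributes)."""
    if node[0] == "and":
        return evaluate(node[1], flow) and evaluate(node[2], flow)
    if node[0] == "or":
        return evaluate(node[1], flow) or evaluate(node[2], flow)
    _, attr, op, values = node
    actual = str(flow.get(attr, ""))
    if op in ("=", "!="):
        hit = any(value_matches(actual, v) for v in values)
    else:  # ~ and !~; assumed here to mean "regular expression found anywhere in the value"
        hit = any(re.search(v, actual) for v in values)
    return hit if op in ("=", "~") else not hit

def where_filter(expression, flows):
    node = Parser(expression).parse()
    return [f for f in flows if evaluate(node, f)]

def flow(src, sport, szone, dst, dport, dzone, serverport):
    return {"ipsource": src, "sourceport": sport, "sourcezone": szone, "ipdestination": dst,
            "destinationport": dport, "destinationzone": dzone, "serverport": serverport}

# Constructed sample flows (not real traffic).
FLOWS = [
    flow("10.1.1.23", "TCP:51000", "Research & Development", "10.0.0.10", "TCP:80", "Data Center", "TCP:80"),
    flow("203.0.113.9", "TCP:4444", "EXTERNAL", "10.0.0.10", "TCP:8081", "Data Center", "TCP:8081"),
    flow("10.0.1.5", "UDP:33000", "Sales", "10.0.0.53", "UDP:53", "Data Center", "UDP:53"),
    flow("10.0.0.10", "TCP:80", "Data Center", "198.51.100.7", "TCP:60000", "EXTERNAL", "TCP:80"),
]

def matching_sources(expression, flows=FLOWS):
    """Source addresses of the flows selected by a Where expression."""
    return [f["ipsource"] for f in where_filter(expression, flows)]
```

The tokenizer is where the quoting rules from the warning above matter: `sourcezone = "Research & Development", Sales` yields one quoted value and one bare value, while `sourcezone = Research\ \&\ Development` yields the same zone name from a bare value with the space and & escaped; without either, the & would be read as the boolean AND operator and the expression would fail to parse.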