Observer GigaFlow


Table of Contents

Observer GigaFlow Documentation

Documentation > Reference Manual for GigaFlow > Reports > Forensics


Located at Reports > Forensics.

See Configuration > Reporting for instructions on how to configure and create new report types. See Appendix > Forensic Report Types for a complete description of the different report types.

Forensics allows you granular, filterable reporting on the stored records. GigaFlow records flow posture, i.e. whether or not a flow is flagged as an excepted event, allowing for detailed analysis.

To create a report:

  • Select a report type from the drop-down menu.
  • Apply filters to the records to customize output.
  • Multiple filters can be selected from the drop-down menu.
  • Filters can also be entered using GigaFlow's Direct Filtering Syntax (see below).
  • Select the Reporting Period.
  • Choose the output type, i.e. graph or table, from the drop-down menu.
  • Click on Save if you want to keep your report.


A router - an infrastructure device - has an IP of router was defined at Configuration > Infrastructure Devices.Choose an Applications report from the report type drop-down menu.Choose Infrastructure Device from the filter drop-down menu.Choose the router from the list of devices and apply the filter by clicking +.

The system will return a graph and/or table with details of:

  • Source IP.
  • Destination IP.
  • Application.
  • Bit rate and/or total bits.

Reporting Period

  • The reporting period is shown at the top right of the main body of the page. This is 2 hours by default.
  • On login, the system displays information for the default time period.
  • This default time period can be set in Configuration > Reporting in the main menu.
  • Different reporting periods can be selected by clicking the from and to boxes.

Direct Filtering Syntax

Queries can be entered directly and quickly using the direct filtering syntax.

Direct Filtering Syntax
srcadd=, !=IP Address that the traffic came from.srcadd=
dstadd=, !=IP Address that the traffic went to.dstadd=
inif<, =, >, !=ifIndex of the interface through which the traffic came into the router.inif=23
outif<, =, >, !=ifIndex of the interface through which the traffic left the router.inif=25
pkts<, =, >, !=Number of packets seen in the flow.pkts>100
bytes<, =, >, !=Number of bytes seen in the flow.bytes<10000
duration<, =, >, !=Duration of flow in milliseconds.duration>100
srcport<, =, >, !=Source IP port of flow.srcport>1024
dstport<, =, >, !=Destination IP port of flow.dstport=5900
flags<, =, >, !=TCP Flags of flow. flags=2 i.e. syn only.Flags=CEUAPRSF
proto<, =, >, !=IP Protocol Number/Type.proto=16
tos<, =, >, !=TOS Marking. tos=104//Flash
srcas<, =, >, !=Source AS Number.srcas!=5124
dstas<, =, >, !=Destination AS Number.dstas!=5124
fwextcode=, !=Forwarding Extended Code.fwextcode='out-of-memory'
fwevent=, !=Forwarding Event.fwevent!='Flow Deleted'
tgsource=, <>Traffic Group Source.fwextcode<>'My network 1'
tgdest=, <>Traffic Group Destination.tgdest<>'Other'
  • Ranges are also supported for IP address, port and AS fields. i.e. "dstport in (22,23,80,443) will match any flow where the dstport is either of the specified ports.
  • Logical operators "and", "or", "not" as well as parentheses can also be used. i.e. "dstport not in(23,2055,443) and srcport not in (8585,23) and (fpr > 0 or pkts < 100)".
  • It is possible to check the bit value of a field using the bitand function i.e. "(flags bitand 4)=4" filters for flows with the Reset flag set.