The Reports menu gives you access to system reports and logs. GigaFlow stores a record of all reports. Reports can be generated in many ways, most commonly by viewing a Forensics page: viewing a Forensics page automatically generates a report. When a user generates a report, the system caches it so it can be reopened almost immediately. In addition, any recorded report can be re-run from scratch at any time. Run times vary with the scope of the report: reports that involve more data take longer to complete. Typical reports over limited periods of time complete in seconds.
Administrators have access to all reports run by all users.
See Configuration > Reporting for more.
Located at Reports > My Current Queries.
My Current Queries lists your queries currently in process. The table includes:
The filters used to define the report.
Located at Reports > My Complete Queries.
My Complete Queries lists your completed queries. The table includes:
Located at Reports > All Complete Queries.
This option provides administrators with a view of all queries made by all users.
This option provides administrators with a view of all forensic queries made by all users.
Located at Reports > Canceled Queries.
Canceled Queries lists your canceled queries. The table includes:
Located at Reports > Cluster Search.
Figure: Conducting a GigaFlow Cluster search
Following the search link from Apex, you will be brought to a new tab and the login screen for the Pitcher machine. After logging in, you will be brought to the GigaFlow Cluster report page.
Figure: The initial view of the GigaFlow Cluster report page
This displays a list of hits for this IP address across the cluster; in this example, the IP address 172.21.21.21 was found on 11 devices monitored by three receivers. On these receivers the system found 9 devices with data matching the search and there were no errors.
In the first table, each GigaFlow server is listed with:
Figure: Clicking on the drill down icon beside a result brings up the full user interface and a forensics report for that device on the associated GigaFlow server
The system allows ten minutes between running the report and viewing these results without re-authentication.
You can also select different report types to run on that device on that GigaFlow server by selecting from the drop-down menu. See Reports > Forensics in the main Reference Manual for more.
Located at Reports > DB Queries.
DB Queries displays a list of the most recent database queries. The information returned includes:
Located at Reports > Forensics.
See Configuration > Reporting for instructions on how to configure and create new report types. See Appendix > Forensic Report Types for a complete description of the different report types.
Forensics allows you granular, filterable reporting on the stored records. GigaFlow records flow posture, i.e. whether or not a flow is flagged as an excepted event, allowing for detailed analysis.
To create a report:
For example, a router (an infrastructure device) has the IP address 192.0.2.1 and was defined at Configuration > Infrastructure Devices. To report on it:

1. Choose an Applications report from the report type drop-down menu.
2. Choose Infrastructure Device from the filter drop-down menu.
3. Choose the router from the list of devices and apply the filter by clicking +.
The system will return a graph and/or table with details of:
Queries can be entered directly and quickly using the direct filtering syntax.
| Field | Operators | Description | Example |
|---|---|---|---|
| srcadd | =, != | IP address that the traffic came from. | srcadd=172.21.40.2 |
| dstadd | =, != | IP address that the traffic went to. | dstadd=172.21.40.3 |
| inif | <, =, >, != | ifIndex of the interface through which the traffic came into the router. | inif=23 |
| outif | <, =, >, != | ifIndex of the interface through which the traffic left the router. | outif=25 |
| pkts | <, =, >, != | Number of packets seen in the flow. | pkts>100 |
| bytes | <, =, >, != | Number of bytes seen in the flow. | bytes<10000 |
| duration | <, =, >, != | Duration of the flow in milliseconds. | duration>100 |
| srcport | <, =, >, != | Source port of the flow. | srcport>1024 |
| dstport | <, =, >, != | Destination port of the flow. | dstport=5900 |
| flags | <, =, >, != | TCP flags of the flow (Flags=CEUAPRSF). | flags=2, i.e. SYN only |
| proto | <, =, >, != | IP protocol number/type. | proto=16 |
| tos | <, =, >, != | TOS marking. | tos=104 (Flash) |
| srcas | <, =, >, != | Source AS number. | srcas!=5124 |
| dstas | <, =, >, != | Destination AS number. | dstas!=5124 |
| fwextcode | =, != | Forwarding extended code. | fwextcode='out-of-memory' |
| fwevent | =, != | Forwarding event. | fwevent!='Flow Deleted' |
| tgsource | =, <> | Traffic group source. | tgsource<>'My network 1' |
| tgdest | =, <> | Traffic group destination. | tgdest<>'Other' |
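The following is an added example, not GigaFlow's own code: a small parser and matcher for the direct filtering syntax in the table above, useful for applying the same filter terms to flow records exported from the system. It enforces the per-field operator set from the table, types values by field (addresses, integers or quoted text), and assumes that several terms are AND-ed together, which the page does not state.

```python
import ipaddress
import operator
import re

# Operators permitted per field, taken from the direct filtering syntax table above.
NUMERIC = {"<", "=", ">", "!="}
OPERATORS = {
    **dict.fromkeys(["inif", "outif", "pkts", "bytes", "duration", "srcport",
                     "dstport", "flags", "proto", "tos", "srcas", "dstas"], NUMERIC),
    "srcadd": {"=", "!="}, "dstadd": {"=", "!="}, "fwextcode": {"=", "!="},
    "fwevent": {"=", "!="}, "tgsource": {"=", "<>"}, "tgdest": {"=", "<>"},
}
ADDR_FIELDS = {"srcadd", "dstadd"}
TEXT_FIELDS = {"fwextcode", "fwevent", "tgsource", "tgdest"}
OPS = {"=": operator.eq, "!=": operator.ne, "<>": operator.ne, "<": operator.lt, ">": operator.gt}
# field, operator (two-character operators tried first), then a quoted or bare value
TERM = re.compile(r"^(\w+)(<>|!=|[<>=])(?:'([^']*)'|(\S+))$")

def parse_term(text):
    # Return (field, operator, typed value); reject fields or operators the table does not allow.
    m = TERM.match(text.strip())
    if not m:
        raise ValueError(f"malformed filter term: {text!r}")
    field, op, quoted, bare = m.groups()
    if op not in OPERATORS.get(field, ()):
        raise ValueError(f"operator {op!r} is not valid for field {field!r}")
    value = quoted if quoted is not None else bare
    if field in ADDR_FIELDS:
        value = ipaddress.ip_address(value)  # also validates the address literal
    elif field not in TEXT_FIELDS:
        value = int(value)
    return field, op, value

def matches(flow, terms):
    """True when a flow satisfies every term; terms are AND-ed (assumed, the page does not say)."""
    for field, op, value in map(parse_term, terms):
        if field not in flow:
            return False
        actual = ipaddress.ip_address(flow[field]) if field in ADDR_FIELDS else flow[field]
        if not OPS[op](actual, value):
            return False
    return True

# Constructed sample flow records (not real data): a normal VNC session and a SYN-only probe.
FLOWS = [
    {"srcadd": "172.21.40.2", "dstadd": "172.21.40.3", "dstport": 5900, "pkts": 150,
     "bytes": 90000, "flags": 27, "proto": 6, "tgsource": "My network 1"},
    {"srcadd": "203.0.113.7", "dstadd": "172.21.40.3", "dstport": 5900, "pkts": 1,
     "bytes": 60, "flags": 2, "proto": 6, "tgsource": "Other"},
]
```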
Located at Reports > First Packet Response.
First Packet Response (FPR) is a useful diagnostic tool, allowing you to compare the difference between the first packet time-stamp of a request flow and the first packet time-stamp of the corresponding response flow from a server. By comparing the FPR of a transaction with historical data, you can troubleshoot unusual application performance.
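As an added example (not GigaFlow's own code), the FPR calculation described above carried out on exported flow records: request flows to a monitored server are paired with the response flow whose 5-tuple is the reverse, the FPR is the difference between their first packet timestamps, and transactions far above the historical median are flagged. The monitored server address, the record layout and the historical samples are assumed and constructed here.

```python
from statistics import median

# Assumed monitored server; the page configures these at Configuration > Server Subnets.
MONITORED = {("192.0.2.10", 443)}

def five_tuple(f):
    return (f["srcadd"], f["srcport"], f["dstadd"], f["dstport"], f["proto"])

def pair_flows(flows):
    """Pair each request flow (client -> monitored server) with the response whose 5-tuple is reversed."""
    by_key = {five_tuple(f): f for f in flows}
    pairs = []
    for req in flows:
        if (req["dstadd"], req["dstport"]) not in MONITORED:
            continue  # not a request to a monitored server
        resp = by_key.get((req["dstadd"], req["dstport"], req["srcadd"], req["srcport"], req["proto"]))
        if resp is not None:
            pairs.append((req, resp))
    return pairs

def first_packet_response(req, resp):
    """FPR in ms: first packet of the response minus first packet of the request.
    Returns None when the response precedes the request (e.g. exporter clock skew)."""
    delta = resp["first_ms"] - req["first_ms"]
    return delta if delta >= 0 else None

def flag_slow(pairs, history_ms, factor=3.0):
    """(client, fpr_ms) for transactions slower than factor x the historical median FPR."""
    baseline = median(history_ms)
    slow = []
    for req, resp in pairs:
        fpr = first_packet_response(req, resp)
        if fpr is not None and fpr > factor * baseline:
            slow.append((req["srcadd"], fpr))
    return slow

# Constructed sample flows (not real data); first_ms is the first packet timestamp in ms.
def make_flow(src, sport, dst, dport, first_ms):
    return {"srcadd": src, "srcport": sport, "dstadd": dst, "dstport": dport, "proto": 6, "first_ms": first_ms}

FLOWS = [
    make_flow("198.51.100.5", 40000, "192.0.2.10", 443, 1000), make_flow("192.0.2.10", 443, "198.51.100.5", 40000, 1025),
    make_flow("198.51.100.6", 40001, "192.0.2.10", 443, 2000), make_flow("192.0.2.10", 443, "198.51.100.6", 40001, 2300),
    make_flow("198.51.100.7", 40002, "192.0.2.10", 443, 3000),  # request that never got a reply: no pair
]
HISTORY_MS = [20, 25, 22, 30, 24]  # constructed historical FPR samples for this server
```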
On loading, this page displays any First Packet Response information available for Monitored Servers.
Figure: The First Packet Response reports page
To set up a monitored server, go to Configuration > Server Subnets.
The displayed information includes:
Click the Ticker check box next to a device to enable a ticker in the table below with live response times in milliseconds.
A network audit report is a standard-format JSON object that contains a summary of all the devices registered by GigaFlow that belong to a particular subnet.
Network audit reports are enabled for a particular subnet at Reports > System Wide Reports > Subnet List. Enabling a network audit runs the network audit script for the selected subnet(s). You can view the network audit script at System > Event Scripts.
Server configuration happens at Configuration > Server Subnets.
Located at Reports > Saved Reports.
Newly generated reports of interest can be saved for reference. Click Save in the top right corner.
Once a report has been saved it can be viewed in two ways: (i) Open, which opens the report without running it so that more filters can be added; (ii) Open and Run.
Saved Reports are listed with the following information:
Each automatically discovered server is listed here with:
Clicking on a device brings up detailed information for that server.
Details about each discovered server are shown here, with information about its behaviour as a source and destination for traffic. Two tables are shown on screen.
Located at Reports > System Wide Reports.
These are static reports produced by GigaFlow. From the Reports menu, the System Wide Reports option expands to display a further five options:
Located at Reports > System Wide Reports > SYN Forensics Monitoring.
GigaFlow monitors all TCP flows where only the SYN bit is set. In normal network operations, this indicates that a flow has not seen a reply packet while active in a router's NetFlow cache.
A lonely SYN can be an indicator that:
GigaFlow creates an alert when:
On the SYN Forensics Monitoring page, you can find two tables of information:
Each table lists the following information:
See also System > Alerting.
Located at Reports > System Wide Reports > Device Connections.
This page lists all known network connected devices. This list is used as a look-up for Layer-2 to Layer-3 connectivity.
The table lists:
Clicking the export icon beside the page title creates a .csv file for download or printing.
Located at Reports > System Wide Reports > MAC Address Vendors.
This page shows information about devices associated with particular MAC vendors on your network; GigaFlow displays:
Click on Count to populate the second table, MAC Addresses. These are the individual devices associated with that vendor. For each device, the table shows:
The Subnet List report summarises all the subnets automatically discovered using SNMP. The details listed are:
This report summarises infrastructure devices by flow rate, showing a graph and table listing, for each device:
Located at Reports > SQL Report.
Select how many of the most recent SQL Queries to view from the drop-down menu, i.e. the most recent 10, 50, 100 or All.
The table lists the following information:
Located at Reports > User Events.
Select how many of the most recent User Events to view, i.e. the most recent 50, 100, 250 or 500 events.
This table gives information about:
GigaFlow's IpViewer2 uses MapBox to visualise the physical location of IP addresses.
© Copyright 2019 Anuview. All rights reserved. VIAVI and the VIAVI logo are trademarks of VIAVI Solutions Inc. ("VIAVI"). All other trademarks and registered trademarks are the property of their respective owners. No part of this guide may be reproduced or transmitted, electronically or otherwise, without the written permission of the publisher.
Reproduction and distribution of this guide is authorized for Government purposes only.