Observer GigaFlow Documentation

System Wide Reports

Located at Reports > System Wide Reports.

These are static reports produced by GigaFlow. From the Reports menu, the System Wide Reports option expands to display a further five options:

  • SYN Forensics Monitoring
  • Device Connections
  • MAC Address Vendors
  • Subnet List
  • Flow Stats

SYN Forensics Monitoring

Located at Reports > System Wide Reports > SYN Forensics Monitoring.

GigaFlow monitors all TCP flows where only the SYN bit is set. In normal network operations, this indicates that a flow has not seen a reply packet while active in a router's NetFlow cache.

A lonely SYN can be an indicator that:

  • Routing was asymmetric. Perhaps the reply returned via a different router.
  • Reply traffic was blocked.
  • Servers were not responding for some reason.
  • Something was probing the network.

GigaFlow creates an alert when:

  • SYN Source Network Sweep: alerts if a source IP address fails to get a response from more than IP Address Count Threshold unique destination addresses.
  • SYN Source Port Sweep: alerts if a source IP address fails to get a response from more than Port Count Threshold unique destination ports.
  • SYN Source Network And Port Sweep: alerts if a source IP address exceeds both Port Count Threshold and IP Address Count Threshold.
  • SYN Destination Unreachable Server: alerts if a destination IP address fails to respond to more than IP Address Count Threshold unique destination addresses.
  • SYN Destination Port Sweep: alerts if a destination IP address fails to respond to more than Port Count Threshold unique destination ports.
  • SYN Destination Network And Port Sweep: alerts if a destination IP address exceeds both Port Count Threshold and IP Address Count Threshold.

On the SYN Forensics Monitoring page, you can find two tables of information:

  • SYN Sources.
  • SYN Destinations.

Each table lists the following information:

  • Source or destination IP addresses.
  • The number of destinations or sources.
  • The number of destination ports.
  • The number of flows.
  • The type of SYN, e.g. network sweep.
  • When it was first seen.
  • When it was last seen.

See also System > Alerting.
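As an added illustration, not GigaFlow's own code, the following Python reproduces the SYN Forensics logic described above over constructed flow records: it keeps only the flows where SYN is the sole flag, aggregates them per source and per destination, and maps each aggregate to the alert types listed. The record field names, the threshold values and the sample addresses are assumptions.

```python
from collections import defaultdict

SYN = 0x02  # tcpFlags value when only the SYN bit was ever seen on the flow

def flow(src, dst, dport, flags, ts):  # one NetFlow-style record; ts is the flow start time (assumed layout)
    return {"src": src, "dst": dst, "dport": dport, "flags": flags, "ts": ts}

# Constructed sample records, not real telemetry.
FLOWS = (
    [flow("10.0.0.5", f"10.0.1.{i}", 22, SYN, 100 + i) for i in range(1, 6)]      # 1 source, 5 hosts, 1 port
    + [flow("10.0.0.9", "10.0.1.9", p, SYN, 200 + p) for p in (21, 22, 23, 25)]    # 1 source, 1 host, 4 ports
    + [flow(f"10.0.2.{i}", "10.0.1.50", 443, SYN, 300 + i) for i in range(1, 5)]   # 4 clients, server never answers
    + [flow("10.0.0.7", f"10.0.1.{i}", 80, 0x1B, 400 + i) for i in range(1, 6)]    # SYN|ACK|PSH|FIN: replies seen
)

def summarise(flows, key, peer):
    """Per `key` address over SYN-only flows: unique peers, unique dst ports, flow count, first/last seen."""
    agg = defaultdict(lambda: {"peers": set(), "ports": set(), "flows": 0, "first": None, "last": None})
    for f in (f for f in flows if f["flags"] == SYN):  # lonely SYNs only: no reply packet was ever observed
        e = agg[f[key]]
        e["peers"].add(f[peer]); e["ports"].add(f["dport"]); e["flows"] += 1
        e["first"] = f["ts"] if e["first"] is None else min(e["first"], f["ts"])
        e["last"] = f["ts"] if e["last"] is None else max(e["last"], f["ts"])
    return agg

def classify(entry, side, ip_threshold, port_threshold):
    """Alert type as the page defines it, or None when neither threshold is exceeded."""
    ips, ports = len(entry["peers"]) > ip_threshold, len(entry["ports"]) > port_threshold
    if ips and ports:
        return f"SYN {side} Network And Port Sweep"
    if ips:
        return "SYN Source Network Sweep" if side == "Source" else "SYN Destination Unreachable Server"
    return f"SYN {side} Port Sweep" if ports else None

def syn_forensics(flows, ip_threshold=3, port_threshold=3):
    """Build the SYN Sources and SYN Destinations tables. Thresholds are assumed values, not GigaFlow defaults."""
    tables = {}
    for side, key, peer in (("Source", "src", "dst"), ("Destination", "dst", "src")):
        rows = {}
        for addr, e in summarise(flows, key, peer).items():
            kind = classify(e, side, ip_threshold, port_threshold)
            if kind:
                rows[addr] = {"type": kind, "peers": len(e["peers"]), "ports": len(e["ports"]),
                              "flows": e["flows"], "first": e["first"], "last": e["last"]}
        tables[side] = rows
    return tables
```

Note that a single host probing many ports on one server shows up in both tables, as a Source Port Sweep and as a Destination Port Sweep, which is what the definitions above imply.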

Device Connections

Located at Reports > System Wide Reports > Device Connections.

This page lists all known network connected devices. This list is used as a look-up for Layer-2 to Layer-3 connectivity.

The table lists:

  • Device.
  • Device name.
  • Interface.
  • Interface name.
  • VLAN.
  • VLAN ID.
  • MAC address.
  • IP address.
  • User.
  • MAC vendor.

Clicking the export icon beside the page title creates a .csv file for download or printing.

MAC Address Vendors

Located at Reports > System Wide Reports > MAC Address Vendors.

This page shows information about devices associated with particular MAC vendors on your network; GigaFlow displays:

  • The MAC vendor name.
  • Count: the number of times devices from that vendor have been seen.

Click on Count to populate the second table, MAC Addresses. These are the individual devices associated with that vendor. For each device, the table shows:

  • Device MAC address.
  • When it was last seen on Layer-2.
  • When it was last seen on Layer-3.

Subnet List

The Subnet List report summarises all the subnets automatically discovered using SNMP. The details listed are:

  • Device Name: the server name.
  • Device IP: the server IP address.
  • IfIndex: the interface index.
  • Name: the interface name.
  • Subnet IP: the subnet IP address.
  • Subnet: the subnet name.
  • Mask: the subnet mask.
  • Alias: the subnet alias.
  • Description: the subnet description.
  • Speed In: the inward bit rate (MB/s).
  • Speed Out: the outward bit rate (MB/s).
  • Admin: admin status.
  • Oper: oper status.
  • Audit: audit status.

Flow Stats

This report summarises infrastructure devices by flow rate, showing a graph and table listing, for each device:

  • Device name and IP address.
  • Flow rate (flows per second) and total flows over the report period.
  • The maximum flow rate and time it occurred.
  • The percentage of the total number of flows over the report period contributed by this device.