Example: Using NSM to Enable and View Application Volume Tracking
You can use NSM to enable application volume tracking (AVT) and to view AVT logs and reports.
To enable AVT:
- From NSM Device Manager, double-click a device and then click Profiler Settings.
- Click the General tab.
- Ensure Enable AVT is selected. This setting is enabled by default and shown in Figure 1.
- If you have changed settings, click Apply.
Start the Profiler:
- From the NSM main menu, select Devices > IDP Profiler > Start Profiler.
- Select the devices on which you want to start the Profiler.
- Click OK.
Note: If you change Profiler settings, you must push a configuration update to the device before the new settings take effect. From the Device Manager, right-click the device, select Update Device, select the Restart IDP Profiler After Device Update check box, and click OK.
Figure 1: Profiler Settings: Enable AVT

To view AVT logs:
- In the NSM navigation tree, select Investigate > Security Monitor > Profiler.
- Click the Application Profiler tab.
The Application Profiler tab displays application data. Figure 2 shows the Application Profiler tab.
Figure 2: Profiler Viewer: Application Profiler Tab

The Application Profiler view is divided into two sections:
- In the left pane, the Application Profiler tab displays a hierarchical tree of application categories. Applications are grouped by common functionality. For example, Peer-to-Peer applications include Chat and File Sharing applications. Under Chat, you can display Yahoo messenger, MSN, and AIM; under File Sharing, you can display Kazaa, Bittorrent, and Gnutella.
The left pane also displays aggregate statistics for volume (bytes) and packet count for the application category, application group, or application you select in the tree.
- In the right pane, the Application Profiler tab displays tables of session logs related to the application category or application you select in the left pane.
Table 1 describes the Application Profiler session table.
Table 1: Application Profiler Session Table
| Column | Description |
|---|---|
| Src IP | Source IP address of the session. |
| Dst IP | Destination IP address. |
| VLAN ID | VLAN ID (if any). |
| Application ID | Application. |
| Byte count | Byte count. |
| Packet count | Packet count. |
| User | The user associated with the session. |
| Role | The role to which the user belongs. |
| First Time | Timestamp for the first time the device logged the event (within the specified time interval). |
| Last Time | Timestamp for the last time the device logged the event (within the specified time interval). |
| Domain | NSM domain. |
| Device | Device through which the session was forwarded. |
Figure 3 is an example of an NSM AVT report.
Figure 3: NSM AVT Report

Note: AVT reports are not real-time reports. On the local IDP device, the AVT processor writes an AVT log file at 15-minute intervals. NSM collects the interval data during its routine device log collection activity. As a result, there might be up to a 15- or 16-minute lag between the time a session is received by the IDP device and the display of the data in the NSM report.
To view AVT reports:
- In the NSM navigation tree, select Investigate > Report Manager > AVT Reports.
- Click the name of a predefined report to display it. Table 2 describes the predefined AVT reports.
Table 2: NSM: Application Volume Tracking Reports
| Report | Description |
|---|---|
| Top 10 Applications by Volume | Applications with the highest volume in bytes in the past 24 hours. |
| Top 10 Application Categories by Volume | Application categories with the highest volume in bytes in the past 24 hours. |
| Top 5 Applications by Volume over Time (last hour) | Applications with the highest volume in bytes in the past hour. |
| Top 5 Application Categories by Volume (last hour) | Application categories with the highest volume in bytes in the past hour. |
| Top 5 Source by Volume over Time (last hour) | Source IP addresses with the highest volume in bytes in the past hour. |
| Top 5 Destination by Volume over Time (last hour) | Destination IP addresses with the highest volume in bytes in the past hour. |
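The following added example (not part of the NSM product or its documentation) shows how the "top by volume" rankings in Table 2 can be recomputed offline from session rows that carry the Table 1 columns. The CSV layout, the timestamp format, the sample rows, and the function names are assumptions made for illustration; only the column names come from Table 1.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample rows. The CSV layout and timestamp format are assumptions;
# only the column names come from Table 1.
SAMPLE_CSV = """Src IP,Dst IP,VLAN ID,Application ID,Byte count,Packet count,User,Role,First Time,Last Time,Domain,Device
10.0.0.5,192.0.2.10,,BITTORRENT,900000,1200,alice,staff,2024-01-01 11:15:00,2024-01-01 11:30:00,global,idp-1
10.0.0.5,192.0.2.11,,HTTP,50000,80,alice,staff,2024-01-01 11:30:00,2024-01-01 11:45:00,global,idp-1
10.0.0.7,192.0.2.10,,HTTP,300000,400,bob,staff,2024-01-01 11:45:00,2024-01-01 12:00:00,global,idp-1
10.0.0.9,198.51.100.3,,MSN,700000,900,carol,guest,2024-01-01 09:00:00,2024-01-01 09:15:00,global,idp-1
"""
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp format


def load_sessions(text):
    """Parse session rows, converting counters and Last Time to native types."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Byte count"] = int(row["Byte count"])
        row["Packet count"] = int(row["Packet count"])
        row["Last Time"] = datetime.strptime(row["Last Time"], TIME_FORMAT)
        rows.append(row)
    return rows


def top_by_volume(rows, column, n, now, window):
    """Rank values of `column` by total bytes for rows last seen within `window` of `now`."""
    totals = Counter()
    for row in rows:
        # Skip rows outside the reporting window (or stamped after `now`).
        if timedelta(0) <= now - row["Last Time"] <= window:
            totals[row[column]] += row["Byte count"]
    return totals.most_common(n)


if __name__ == "__main__":
    sessions = load_sessions(SAMPLE_CSV)
    now = datetime(2024, 1, 1, 12, 0, 0)
    # Top 5 sources by volume, last hour
    print(top_by_volume(sessions, "Src IP", 5, now, timedelta(hours=1)))
    # Top 10 applications by volume, past 24 hours
    print(top_by_volume(sessions, "Application ID", 10, now, timedelta(hours=24)))
```

Because the device writes AVT data at 15-minute intervals, rows for the most recent interval may not yet be present when a last-hour ranking is computed.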


