Using Profiler Viewer (NSM Procedure)
The Profiler Viewer contains multiple tabs with different views of Profiler data. The following topics describe these views:
Application Profiler Tab
The Application Profiler tab displays application volume tracking (AVT) data. Figure 1 shows the Application Profiler tab.
Figure 1: Profiler Viewer: Application Profiler Tab

The Application Profiler view is divided into two sections:
- In the left pane, the Application Profiler tab displays a hierarchical tree of application categories. Applications are grouped by common functionality. For example, peer-to-peer applications include chat and file sharing applications. Under chat, you can display Yahoo Messenger, MSN, and AIM; under file sharing, you can display Kazaa, BitTorrent, and Gnutella.
The left pane also displays aggregate statistics for volume (bytes) and packet count for the application category, application group, or application you select in the tree.
- In the right pane, the Application Profiler tab displays tables of session logs related to the application category or application you select in the left pane.
Table 1 describes the Application Profiler session table.
Table 1: Application Profiler Session Table
| Column | Description |
|---|---|
| Src IP | Source IP address of the session. |
| Dst IP | Destination IP address. |
| VLAN ID | VLAN ID (if any). |
| Application ID | Application. |
| Byte count | Byte count. |
| Packet count | Packet count. |
| User | The user associated with the session. |
| Role | The role to which the user belongs. |
| First Time | Timestamp for the first time the device logged the event (within the specified time interval). |
| Last Time | Timestamp for the last time the device logged the event (within the specified time interval). |
| Domain | NSM domain. |
| Device | Device through which the session was forwarded. |
The Application Profiler session table contains data collected during a configurable time interval.
To display the Application Profiler tab:
- In the NSM navigation tree, select Investigate > Security Monitor > Profiler.
- Click the Application Profiler tab.
Tip: You can jump from the Application Profiler tab to the APE rulebase editor by right-clicking an application in the left pane and selecting a policy editor option. For information about using other NSM features to sort, filter, and drill down in records, see the NSM online Help.
Protocol Profiler Tab
The Protocol Profiler tab displays information about applications that are running on your network.
Figure 2 shows the Protocol Profiler tab.
Figure 2: Profiler Viewer: Protocol Profiler Tab

Table 2 describes Protocol Profiler data.
Table 2: Protocol Profiler Data
| Column | Description |
|---|---|
| Src IP | Source IP address of the session. Note: Profiler tracks all traffic through the IDP appliance, including traffic for hosts not in your tracked hosts list. It records a value of 73.78.69.84 for the IP address for hosts not defined in the Tracked Hosts tab, such as external hosts you would not know and therefore could not configure. |
| Dst IP | Destination IP address. Note: Communication between an internal host and an external host is recorded only once. For example, the device records internal host A communicating to www.yahoo.com and www.cnn.com as one entry in the Profiler DB. |
| User | The user associated with the session. |
| Role | The role to which the user belongs. |
| Context | Matching contexts. |
| Value | Value retrieved from matching context. |
| Src MAC | Source MAC addresses. |
| Dst MAC | Destination MAC addresses. |
| Src OUI | Source OUI. Note: The Organizationally Unique Identifier (OUI) value is a mapping of the first three bytes of the MAC address and the organization that owns the block of MACs. You can obtain a list of OUIs at http://standards.ieee.org/regauth/oui/oui.txt. |
| Dst OUI | Destination OUI. |
| Src OS Name | Operating-system version running on the source IP. |
| Dst OS Name | Operating-system version running on the destination IP. |
| Hits | Number of occurrences that match the session. |
| First Time | Timestamp for the first time the device logged the event (within the specified time interval). |
| Last Time | Timestamp for the last time the device logged the event (within the specified time interval). |
| Domain | NSM domain. |
| Device | Device through which the session was forwarded. |
By default, the Protocol Profiler tab contains only the data collected during the configured time interval.
To display the Protocol Profiler tab:
- In the NSM navigation tree, select Investigate > Security Monitor > Profiler.
- Click the Protocol Profiler tab.
Tip: For information about using NSM features to sort, filter, and drill down in records, see the NSM online Help.
Network Profiler Tab
The Network Profiler tab displays information about the hosts in your network.
Figure 3 shows the Network Profiler tab.
Figure 3: Profiler Viewer: Network Profiler Tab

Table 3 describes Network Profiler data.
Table 3: Network Profiler Data
| Column | Description |
|---|---|
| Src IP | Source IP address of the session. Note: Profiler tracks all traffic through the IDP appliance, including traffic for hosts not in your tracked hosts list. It records a value of 73.78.69.84 for the IP address for hosts not defined in the Tracked Hosts tab, such as external hosts you would not know and therefore could not configure. |
| Dst IP | Destination IP address. Note: Communication between an internal host and an external host is recorded only once. For example, the device records internal host A communicating to www.yahoo.com and www.cnn.com as one entry in the Profiler DB. |
| User | The user associated with the session. |
| Role | The role to which the user belongs. |
| Service | Service for the session. |
| Access Type | Type of communication: |
| Src MAC | Source MAC addresses. |
| Dst MAC | Destination MAC addresses. |
| Src OUI | Source OUI. Note: OUI stands for Organizationally Unique Identifier. This value is a mapping of the first three bytes of the MAC address and the organization that owns the block of MACs. You can obtain a list of OUIs at http://standards.ieee.org/regauth/oui/oui.txt. |
| Dst OUI | Destination OUI. |
| Src OS Name | Operating-system version running on the source IP. |
| Dst OS Name | Operating-system version running on the destination IP. |
| Hits | Number of occurrences that match. |
| First Time | Timestamp for the first time the device logged the event (within the specified time interval). |
| Last Time | Timestamp for the last time the device logged the event (within the specified time interval). |
| Domain | NSM domain. |
| Device | Device through which the session was forwarded. |
To display the Network Profiler tab:
- In the NSM navigation tree, select Investigate > Security Monitor > Profiler.
- Click the Network Profiler tab.
Tip: For information about using NSM features to sort, filter, and drill down in records, see the NSM online Help.
Violation Viewer Tab
The Violation Viewer tab displays a filtered view of the Network Profiler data. In the Violation Viewer tab, you configure permitted objects. Permitted objects are filtered from the display, allowing you to focus on unpermitted traffic.
Figure 4 shows the Violation Viewer tab.
Figure 4: Profiler Viewer: Violation Viewer Tab

To configure permitted objects:
- In the NSM navigation tree, select Investigate > Security Monitor > Profiler.
- Click the Violation Viewer tab.
- Click the + icon that appears on the top of the right-hand window to display the New Permitted Object dialog box.
- Type a name for the permitted object.
- Within the New Permitted Object dialog box, click the + icon to add rows for rules.
- Use the selection controls to select the desired address objects or service objects and click OK.
- Click OK to save the permitted object.
The object appears in the filters windows within the Violation Viewer tab.
- Select the object and click Apply to filter matching objects from the display.
Tip: For information about using additional NSM features to sort, filter, and drill down in records, see the NSM online Help.
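The filtering that the Violation Viewer performs can be reproduced offline when triaging Profiler records. The following is an added example, not NSM code: the row layout, the `TCP/443`-style service labels, the permitted object, and the rule-matching semantics (source, destination, and service must all match one rule) are assumptions made for illustration. It treats 73.78.69.84, the placeholder described in Tables 2 and 3 for hosts outside the Tracked Hosts list, as "unknown host" rather than a real address.

```python
import ipaddress

# Placeholder the page says Profiler records for hosts not in the Tracked Hosts tab.
UNTRACKED = "73.78.69.84"

# Constructed sample rows using a subset of the Network Profiler columns (Table 3).
ROWS = [
    {"src": "10.1.1.20", "dst": "10.1.2.5", "service": "TCP/443", "hits": 42},
    {"src": "10.1.1.20", "dst": UNTRACKED, "service": "TCP/6881", "hits": 7},
    {"src": "10.1.3.9", "dst": "10.1.2.5", "service": "TCP/23", "hits": 3},
    {"src": "10.1.1.31", "dst": "10.1.2.5", "service": "TCP/22", "hits": 11},
]

# Hypothetical permitted object: each rule pairs address objects with service objects.
PERMITTED = {
    "name": "web-and-admin",
    "rules": [
        {"src": "10.1.1.0/24", "dst": "10.1.2.0/24",
         "services": {"TCP/443", "TCP/22"}},
    ],
}

def in_net(ip, cidr):
    """True when ip is a real address inside cidr. The placeholder never
    matches, so a broad address object cannot silently permit unknown hosts."""
    if ip == UNTRACKED:
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def is_permitted(row, obj):
    """Assumed semantics: permitted if any rule matches src, dst and service."""
    return any(
        in_net(row["src"], rule["src"])
        and in_net(row["dst"], rule["dst"])
        and row["service"] in rule["services"]
        for rule in obj["rules"]
    )

def violations(rows, obj):
    """Rows that remain visible after the permitted object is applied."""
    return [row for row in rows if not is_permitted(row, obj)]

def untracked_peers(rows):
    """Rows where either endpoint is the placeholder, not an identified host."""
    return [row for row in rows if UNTRACKED in (row["src"], row["dst"])]

if __name__ == "__main__":
    for row in violations(ROWS, PERMITTED):
        print(row)
```
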


