    Using Profiler Viewer (NSM Procedure)

    The Profiler Viewer contains multiple tabs with different views of Profiler data. The following topics describe these views:

    Application Profiler Tab

    The Application Profiler tab displays application volume tracking (AVT) data. Figure 1 shows the Application Profiler tab.

    Figure 1: Profiler Viewer: Application Profiler Tab

    Extended applications, also called nested applications, are reported separately from HTTP results. Figure 2 shows the Application Profiler tab where results for the HTTP Google Earth application are distinguished from HTTP results.

    Figure 2: Profiler Viewer: Application Profiler Tab: Nested Applications

    The Application Profiler view is divided into two sections:

    • In the left pane, the Application Profiler tab displays a hierarchical tree of application categories. Applications are grouped by common functionality. For example, peer-to-peer applications include chat and file sharing applications. Under chat, you can display Yahoo Messenger, MSN, and AIM; under file sharing, you can display Kazaa, BitTorrent, and Gnutella.

      The left pane also displays aggregate statistics for volume (bytes) and packet count for the application category, application group, or application you select in the tree.

    • In the right pane, the Application Profiler tab displays tables of session logs related to the application category or application you select in the left pane.

    Table 1 describes the Application Profiler session table.

    Table 1: Application Profiler Session Table

    | Column | Description |
    |---|---|
    | Src IP | Source IP address of the session. |
    | Dst IP | Destination IP address. |
    | VLAN ID | VLAN ID (if any). |
    | Application ID | Application. The application identified by the application identification feature. Extended applications (also called nested applications) are reported separately from HTTP results. A 0 indicates the application was not identified. |
    | Byte count | Byte count. |
    | Packet count | Packet count. |
    | User | The user associated with the session. |
    | Role | The role to which the user belongs. |
    | First Time | Timestamp for the first time the device logged the event (within the specified time interval). |
    | Last Time | Timestamp for the last time the device logged the event (within the specified time interval). |
    | Domain | NSM domain. |
    | Device | Device through which the session was forwarded. |

    The Application Profiler session table contains data collected during a configurable time interval.

    To display the Application Profiler tab:

    1. In the NSM navigation tree, select Investigate > Security Monitor > Profiler.
    2. Click the Application Profiler tab.

    Tip: You can jump from the Application Profiler tab to the APE rulebase editor by right-clicking an application in the left pane and selecting a policy editor option. For information about using other NSM features to sort, filter, and drill down in records, see the NSM online Help.

    Protocol Profiler Tab

    The Protocol Profiler tab displays information about applications that are running on your network.

    Figure 3 shows the Protocol Profiler tab.

    Figure 3: Profiler Viewer: Protocol Profiler Tab

    Table 2 describes Protocol Profiler data.

    Table 2: Protocol Profiler Data

    | Column | Description |
    |---|---|
    | Src IP | Source IP address of the session. Note: Profiler tracks all traffic through the IDP Series device, including traffic for hosts not in your tracked hosts list. It records a value of 73.78.69.84 for the IP address for hosts not defined in the Tracked Hosts tab, such as external hosts you would not know and therefore could not configure. |
    | Dst IP | Destination IP address. Note: Communication between an internal host and an external host is recorded only once. For example, the device records internal host A communicating to www.yahoo.com and www.cnn.com as one entry in the Profiler DB. |
    | User | The user associated with the session. |
    | Role | The role to which the user belongs. |
    | Context | Matching contexts. |
    | Value | Value retrieved from matching context. |
    | Src MAC | Source MAC addresses. |
    | Dst MAC | Destination MAC addresses. |
    | Src OUI | Source OUI. Note: The Organizationally Unique Identifier (OUI) value is a mapping of the first three bytes of the MAC address and the organization that owns the block of MACs. You can obtain a list of OUIs at http://standards.ieee.org/regauth/oui/oui.txt. |
    | Dst OUI | Destination OUI. |
    | Src OS Name | Operating-system version running on the source IP. |
    | Dst OS Name | Operating-system version running on the destination IP. |
    | Hits | Number of occurrences that match the session. |
    | First Time | Timestamp for the first time the device logged the event (within the specified time interval). |
    | Last Time | Timestamp for the last time the device logged the event (within the specified time interval). |
    | Domain | NSM domain. |
    | Device | Device through which the session was forwarded. |

    By default, the Protocol Profiler tab contains only the data collected during the configured time interval.

    To display the Protocol Profiler tab:

    1. In the NSM navigation tree, select Investigate > Security Monitor > Profiler.
    2. Click the Protocol Profiler tab.

    Tip: For information about using NSM features to sort, filter, and drill down in records, see the NSM online Help.

    Network Profiler Tab

    The Network Profiler tab displays information about the hosts in your network.

    Figure 4 shows the Network Profiler tab.

    Figure 4: Profiler Viewer: Network Profiler Tab

    Table 3 describes Network Profiler data.

    Table 3: Network Profiler Data

    | Column | Description |
    |---|---|
    | Src IP | Source IP address of the session. Note: Profiler tracks all traffic through the IDP Series device, including traffic for hosts not in your tracked hosts list. It records a value of 73.78.69.84 for the IP address for hosts not defined in the Tracked Hosts tab, such as external hosts you would not know and therefore could not configure. |
    | Dst IP | Destination IP address. Note: Communication between an internal host and an external host is recorded only once. For example, the device records internal host A communicating to www.yahoo.com and www.cnn.com as one entry in the Profiler DB. |
    | User | The user associated with the session. |
    | Role | The role to which the user belongs. |
    | Service | Service for the session. |
    | Access Type | Type of communication. Access indicates a successful connection, during which the device recorded valid requests and responses from the server to a client. Attempt indicates a request that did not receive a reply. The device recorded a packet from a client to a server, but never saw a reply. Probe indicates a request that does not expect a reply. For non-TCP sessions, the device recorded an ICMP error; for TCP sessions, the device recorded a SYN packet from the client followed by a RST from the server. |
    | Src MAC | Source MAC addresses. |
    | Dst MAC | Destination MAC addresses. |
    | Src OUI | Source OUI. Note: OUI stands for Organizationally Unique Identifier. This value is a mapping of the first three bytes of the MAC address and the organization that owns the block of MACs. You can obtain a list of OUIs at http://standards.ieee.org/regauth/oui/oui.txt. |
    | Dst OUI | Destination OUI. |
    | Src OS Name | Operating-system version running on the source IP. |
    | Dst OS Name | Operating-system version running on the destination IP. |
    | Hits | Number of occurrences that match. |
    | First Time | Timestamp for the first time the device logged the event (within the specified time interval). |
    | Last Time | Timestamp for the last time the device logged the event (within the specified time interval). |
    | Domain | NSM domain. |
    | Device | Device through which the session was forwarded. |

    To display the Network Profiler tab:

    1. In the NSM navigation tree, select Investigate > Security Monitor > Profiler.
    2. Click the Network Profiler tab.

    Tip: For information about using NSM features to sort, filter, and drill down in records, see the NSM online Help.

    Violation Viewer Tab

    The Violation Viewer tab displays a filtered view of the Network Profiler data. In the Violation Viewer tab, you configure permitted objects. Permitted objects are filtered from the display, allowing you to focus on unpermitted traffic.

    Figure 5 shows the Violation Viewer tab.

    Figure 5: Profiler Viewer: Violation Viewer Tab

    To configure permitted objects:

    1. In the NSM navigation tree, select Investigate > Security Monitor > Profiler.
    2. Click the Violation Viewer tab.
    3. Click the + icon that appears at the top of the right-hand window to display the New Permitted Object dialog box.
    4. Type a name for the permitted object.
    5. Within the New Permitted Object dialog box, click the + icon to add rows for rules.
    6. Use the selection controls to select the desired address objects or service objects and click OK.
    7. Click OK to save the permitted object.

      The object appears in the filters windows within the Violation Viewer tab.

    8. Select the object and click Apply to filter matching objects from the display.

    Tip: For information about using additional NSM features to sort, filter, and drill down in records, see the NSM online Help.
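
    The permitted-object filtering described above, reproduced offline in Python as an added example (not NSM or Juniper code). The row layout, the rule tuples, and the "untracked" keyword are assumptions made for this sketch; the keyword keeps a broad address range from silently matching the 73.78.69.84 value that Profiler records for hosts outside the Tracked Hosts list.

```python
import ipaddress

UNTRACKED = "73.78.69.84"  # value Profiler records for hosts not in Tracked Hosts

# Constructed rows keyed by Table 3 column names (layout is an assumption).
ROWS = [
    {"Src IP": "10.1.1.20", "Dst IP": "10.1.2.5", "Service": "TCP/443",
     "Access Type": "Access", "Src MAC": "00:10:db:aa:bb:cc"},
    {"Src IP": "10.1.1.20", "Dst IP": UNTRACKED, "Service": "TCP/80",
     "Access Type": "Access", "Src MAC": "00:10:db:aa:bb:cc"},
    {"Src IP": "10.1.1.77", "Dst IP": "10.1.2.5", "Service": "TCP/23",
     "Access Type": "Probe", "Src MAC": "00-1B-21-01-02-03"},
    {"Src IP": UNTRACKED, "Dst IP": "10.1.2.5", "Service": "TCP/22",
     "Access Type": "Attempt", "Src MAC": "001b.2101.0299"},
]

# Hypothetical permitted objects: (source, destination, service) rules.
# "untracked" matches only the placeholder; "*" matches any service.
PERMITTED = [
    ("10.1.1.0/24", "10.1.2.0/24", "TCP/443"),
    ("10.1.1.0/24", "untracked", "TCP/80"),
]

def addr_matches(spec, value):
    """Match an address spec without treating the placeholder as a real IP."""
    if value == UNTRACKED:
        return spec == "untracked"
    return spec != "untracked" and ipaddress.ip_address(value) in ipaddress.ip_network(spec)

def oui_prefix(mac):
    """First three bytes of a MAC as six uppercase hex digits (the OUI lookup key)."""
    digits = "".join(c for c in mac if c in "0123456789abcdefABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return digits[:6].upper()

def is_permitted(row, rules):
    return any(addr_matches(s, row["Src IP"]) and addr_matches(d, row["Dst IP"])
               and svc in ("*", row["Service"]) for s, d, svc in rules)

def violations(rows, rules):
    """Rows left after permitted traffic is filtered out, with the source OUI prefix added."""
    return [dict(r, **{"Src OUI prefix": oui_prefix(r["Src MAC"])})
            for r in rows if not is_permitted(r, rules)]

if __name__ == "__main__":
    for v in violations(ROWS, PERMITTED):
        print(v["Src IP"], "->", v["Dst IP"], v["Service"], v["Access Type"], v["Src OUI prefix"])
```

    The two rows that remain are the Probe to TCP/23 and the Attempt from an untracked source to TCP/22; neither is covered by a permitted rule.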


    Published: 2011-02-08