New Features and Enhancements in JSA 7.4.2

For JSA users, JSA 7.4.2 introduces new flow algorithms, new accumulated byte and packet counters, and support for MAC address fields.

Accumulated Byte and Packet Counters

Flows are reported in 1-minute intervals, and can span several minutes, hours, or even days. For sessions that span more than a minute, JSA reports on the current metrics for the flow at the end of each 1-minute interval. The byte and packet counters show the number of bytes and packets that were received in that 1-minute interval.

In JSA 7.4.2, you can now see the total number of bytes and packets that accumulated over the duration of the flow session. The byte and packet counters for each 1-minute interval in which the flow is observed are also preserved.

You can view the accumulated counters by including the following fields in your search results.

  • Accumulated source bytes

  • Accumulated source packets

  • Accumulated destination bytes

  • Accumulated destination packets

New "Common Destination Port" Flow Direction Algorithms

JSA provides information about which algorithm was used to determine the flow direction.

JSA 7.4.2 introduces two new common destination port algorithms, which are reported when a flow matches the common destination port criteria but the flow direction is unchanged:

  • Single common destination port (unaltered) (5)

  • Both common destination ports, RFC 1700 preferred (unaltered) (6)

In previous releases of JSA, the common destination port algorithms were reported only when the flow direction was reversed. Most other flows used the Arrival time algorithm, including the flows that matched the common destination port criteria but did not have the flow direction reversed.

Now, the only flows that show the Arrival time annotation in the Flow Direction Algorithm field are the flows that do not match the criteria for any other flow direction algorithm.

MAC Address Support

JSA can now receive MAC address information from IPFIX and NetFlow V9 exporters.

The following MAC address fields are supported in JSA 7.4.2:

  • sourceMacAddress (IANA Element ID 56)

  • postDestinationMacAddress (IANA Element ID 57)

  • destinationMacAddress (IANA Element ID 80)

  • postSourceMacAddress (IANA Element ID 81)

You can use the new MAC address fields in filters, searches, and rules.
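
To check that an exporter actually includes these elements in its templates, the following added example (not JSA code) decodes an IPFIX message per RFC 7011 and returns the four MAC address fields from each data record. The function names and the sample message are constructed for illustration, and the parser assumes fixed-length fields only.

```python
import struct

# IANA IPFIX element IDs for the MAC address fields listed above
MAC_ELEMENTS = {56: "sourceMacAddress", 57: "postDestinationMacAddress",
                80: "destinationMacAddress", 81: "postSourceMacAddress"}

def parse_ipfix_macs(msg):
    """Return one dict of MAC fields per data record in an IPFIX message."""
    version, length = struct.unpack_from("!HH", msg, 0)
    if version != 10 or length != len(msg):
        raise ValueError("not a complete IPFIX message")
    templates, records, off = {}, [], 16           # 16-byte message header
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        body, end = off + 4, off + set_len
        if set_id == 2:                            # template set
            while body + 4 <= end:
                tid, count = struct.unpack_from("!HH", msg, body)
                body += 4
                fields = []
                for _ in range(count):
                    ie, flen = struct.unpack_from("!HH", msg, body)
                    body += 4 + (4 if ie & 0x8000 else 0)  # skip enterprise number
                    fields.append((ie, flen))
                templates[tid] = fields
        elif set_id >= 256 and set_id in templates:  # data set for a known template
            fields = templates[set_id]
            fixed = all(flen != 0xFFFF for _, flen in fields)  # no variable-length
            rec_len = sum(flen for _, flen in fields)
            while fixed and rec_len and body + rec_len <= end:
                rec = {}
                for ie, flen in fields:
                    if ie in MAC_ELEMENTS and flen == 6:
                        rec[MAC_ELEMENTS[ie]] = msg[body:body + flen].hex(":")
                    body += flen
                records.append(rec)
        off = end
    return records

def sample_message():
    """Constructed message: template 256 (two IPv4 + two MAC fields), one record."""
    tmpl = struct.pack("!HH", 256, 4) + b"".join(
        struct.pack("!HH", ie, n) for ie, n in [(8, 4), (12, 4), (56, 6), (80, 6)])
    data = bytes([192, 0, 2, 10, 198, 51, 100, 20]) + bytes.fromhex(
        "020000000001020000000002")
    sets = (struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(data)) + data)
    return struct.pack("!HHIII", 10, 16 + len(sets), 0, 0, 0) + sets
```

A record that comes back as an empty dict means the exporter's template carries none of the four MAC elements, so the MAC fields for those flows would have nothing to populate them.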