View Flow Data on the Network Activity Tab

The default view on the Network Activity tab is a stream of real-time events. As the hosts continue to communicate, the flow is updated. The entire communication session is represented by multiple flow records that have the same First Packet Time, but with Last Packet Time values that increment through time.

The View list contains options to also view events for specified time periods. After you choose a specified time period from the View list, you can modify the displayed time period by changing the date and time values in the Start Time and End Time fields.

Viewing Normalized Flow Data

Normalization involves preparing flow data to display readable information. You view normalized flow data on the Network Activity tab.

  1. Click the Network Activity tab.

  2. In the center of the window, from the Display list box, choose the display view that you want to see.

    The Normalized (With IPv6 Columns) display shows source and destination IPv6 addresses for IPv6 flows.

  3. From the View list box, select the time frame that you want to display.

    1. To stream flows as they are received, select Real Time.

      You can click the Pause icon to pause streaming.

    2. To reduce the number of flows that you see, select a time frame.

      If you select a time frame to display, a time series chart is displayed. Click Hide Charts to remove it. If you use the Mozilla Firefox web browser and you have an ad blocker extension installed, the charts do not appear.

      For more information about using time series charts, see Time Series Chart Overview.

  4. To view more information about a particular flow, double-click it to open the Flow Information window.

Viewing Streaming Flows

Streaming mode enables you to view flow data entering your system in real time. This mode provides you with a real-time view of your current flow activity by displaying the last 50 flows.

If you apply any filters on the Network Activity tab or in your search criteria before you enable streaming mode, the filters are maintained in streaming mode. However, streaming mode does not support searches that include grouped flows. If you enable streaming mode on grouped flows or grouped search criteria, the Network Activity tab displays the normalized flows.

  1. Click the Network Activity tab.

  2. From the View list box, select Real Time (streaming).

  3. Optional. Pause or play the streaming flows. When streaming is paused, the last 1,000 flows are displayed.

    Note:

    When you are streaming flows, the status bar displays the average number of results that are received per second. This display is the number of results that the Console successfully received from the Flow processors. If this number is greater than 40 results per second, only 40 results are displayed. The remainder is accumulated in the result buffer. To view more status information, hover over the status bar.

    When flows are not streaming, the status bar displays the number of search results that are currently displayed and the amount of time that is required to process the search results.

Viewing Grouped Flows

View flows that are grouped by various options.

The Display list box is not displayed in streaming mode because streaming mode does not support grouped flows. If you entered streaming mode by using non-grouped search criteria, this option is displayed.

After you select an option from the Display list box, the column layout of the data depends on the chosen group option. Each row in the flows table represents a flow group.

  1. Click the Network Activity tab.

  2. From the View list box, select the time frame that you want to display.

  3. From the Display list box, choose which parameter you want to group flows on.

  4. To view the List of Flows page for a group, double-click the flow group that you want to investigate.

    The List of Flows page does not retain chart configurations that you might define on the Network Activity tab.

  5. To view the details of a flow, double-click the flow that you want to investigate.

Viewing AWS Flow Log Data

Flow logs that are received through Amazon Web Service (AWS) integrations include extra properties in the flow information.

In addition to the standard normalized flow properties, the following properties are shown for AWS flow logs:

  • Interface name (available for all IPFIX flows that send this field)

  • Region (available for all IPFIX flows that send this field)

  • Firewall Name (available for all IPFIX flows that send this field)

  • Firewall Event (enumerated, available for all IPFIX flows that send this field)

  • AWS Action (enumerated)

  • AWS Log Status (enumerated)

  • AWS Account ID

  • VPC ID

  • Subnet ID

  • Instance ID

The following table shows the string description for each of the enumerated fields:

Table 1: AWS Enumerated Strings

Enumerated field    Numerical value    String description
Firewall Event      0                  Ignore
Firewall Event      1                  Flow Created
Firewall Event      2                  Flow Deleted
Firewall Event      3                  Flow Denied
Firewall Event      4                  Flow Alert
Firewall Event      5                  Flow Update
AWS Action          0                  N/A
AWS Action          1                  Accept
AWS Action          2                  Reject
AWS Log Status      0                  N/A
AWS Log Status      1                  OK
AWS Log Status      2                  No Data
AWS Log Status      3                  Skip Data

To include the description for the enumerated property in your query results, you must include the LOOKUP function in your AQL search string.

  1. Click the Network Activity tab.

  2. In the Advanced Search box, build the AQL query that includes the LOOKUP for the field that you want to include in your search.

    The following examples show the LOOKUP statements for each of the enumerated fields in the AWS flow log:

    LOOKUP('firewall event', "firewall event")

    LOOKUP('aws action', "aws action")

    LOOKUP('aws log status', "aws log status")

    For example, the following query uses a LOOKUP in the WHERE clause and groups the accepted flows by application:

    SELECT APPLICATIONNAME(applicationid), count(*) as NumFlows FROM flows WHERE LOOKUP('aws action', "aws action") == 'Accept' GROUP BY applicationid ORDER BY NumFlows DESC

    In this example, the query uses a LOOKUP in the SELECT clause to show the number of accepted flows vs rejected flows in the AWS environment:

    SELECT LOOKUP('aws action', "aws action"), count(*) as NumFlows FROM flows WHERE "aws action" > 0 GROUP BY "aws action" ORDER BY NumFlows DESC LAST 7 DAYS
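As an added example (not from the JSA documentation), the following Python reproduces what the LOOKUP calls above return for the three AWS enumerated fields, then tallies constructed sample flows the way the two example queries do; the property names are the ones this page lists, the flow records are constructed sample data, and unknown enumerated values are surfaced rather than folded into N/A.

```python
# Added example (not from the JSA documentation): emulate the AQL LOOKUP
# for the AWS enumerated fields and the two example queries on this page.
from collections import Counter, defaultdict

# String descriptions from Table 1 (AWS Enumerated Strings).
AWS_ENUMS = {
    "firewall event": {0: "Ignore", 1: "Flow Created", 2: "Flow Deleted",
                       3: "Flow Denied", 4: "Flow Alert", 5: "Flow Update"},
    "aws action": {0: "N/A", 1: "Accept", 2: "Reject"},
    "aws log status": {0: "N/A", 1: "OK", 2: "No Data", 3: "Skip Data"},
}


def lookup(field, value):
    """Map an enumerated AWS field value to its string description.

    A value outside the documented range is reported as Unknown(n) instead
    of being silently treated as 'N/A', so gaps in the mapping stay visible.
    """
    if value is None:
        return "Missing"
    return AWS_ENUMS[field].get(int(value), f"Unknown({value})")


def flows_by_action(records):
    """Accepted vs rejected flows, as in the SELECT LOOKUP(...) query."""
    counts = Counter(lookup("aws action", r["aws action"])
                     for r in records if r.get("aws action", 0) > 0)
    return dict(counts.most_common())


def accepted_by_application(records):
    """Accepted flows per application, as in the first example query."""
    counts = defaultdict(int)
    for r in records:
        if lookup("aws action", r.get("aws action")) == "Accept":
            counts[r["application"]] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


# Constructed sample flows (not real data); action 7 is deliberately undocumented.
SAMPLE_FLOWS = [
    {"application": "SSH", "aws action": 1, "aws log status": 1},
    {"application": "SSH", "aws action": 2, "aws log status": 1},
    {"application": "HTTPS", "aws action": 1, "aws log status": 1},
    {"application": "HTTPS", "aws action": 1, "aws log status": 2},
    {"application": "DNS", "aws action": 0, "aws log status": 3},
    {"application": "DNS", "aws action": 7, "aws log status": 1},
]

if __name__ == "__main__":
    print(flows_by_action(SAMPLE_FLOWS))
    print(accepted_by_application(SAMPLE_FLOWS))
```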

Viewing Flows That Contain MPLS Fields

Internet Protocol Flow Information Export (IPFIX) is a common protocol that allows exporting of flow information from network devices. Multiprotocol Label Switching (MPLS) is a routing technique that runs on any protocol.

With MPLS support for IPFIX flow records in Flow Processor, you can filter and search for IPFIX flows in JSA that contain MPLS fields and write rules based on the values of these MPLS fields.

For example, an IPFIX flow is exported from a switch on a network that uses MPLS. The exported flow contains information about the MPLS stack, which is now saved as part of the flow in JSA. The MPLS stack can contain up to 10 layers, where each layer shows information about the flow routing. These MPLS fields are included in rules, searches, and filters, and can be viewed in the Flow Details window.
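As an added example (not from the JSA documentation), the following Python decodes the 3-octet IPFIX MPLS stack sections (elements 70 to 79 in the table below) into the label, Exp and bottom-of-stack values that JSA shows as MPLS fields, stopping at the bottom of the stack and enforcing the 10-layer limit; the Label/Exp/S layout of those 3 octets is taken from the IPFIX information element definitions (RFC 7012) and the reserved label names from RFC 3032, not from this page, and the sample stack is constructed.

```python
# Added example (not from the JSA documentation): decode IPFIX MPLS label
# stack sections (mplsTopLabelStackSection, element 70, and
# mplsLabelStackSection2..10, elements 71-79). Per the IPFIX element
# definitions each section is 3 octets: Label (20 bits), Exp (3 bits) and
# the bottom-of-stack S bit (1 bit); the TTL is carried separately in
# mplsTopLabelTTL (element 200) and is not part of these sections.

MAX_STACK_DEPTH = 10   # JSA stores up to 10 layers, per the text above

# Reserved label values 0-15 (RFC 3032); the named ones are listed here.
RESERVED_LABELS = {0: "IPv4 Explicit NULL", 1: "Router Alert",
                   2: "IPv6 Explicit NULL", 3: "Implicit NULL"}


def decode_mpls_section(section: bytes) -> dict:
    """Decode one 3-octet MPLS stack section into its fields."""
    if len(section) != 3:
        raise ValueError(f"expected 3 octets, got {len(section)}")
    value = int.from_bytes(section, "big")
    label = value >> 4             # top 20 bits
    exp = (value >> 1) & 0x7       # next 3 bits (traffic class)
    bottom = bool(value & 0x1)     # S bit: 1 on the last stack entry
    return {"label": label, "exp": exp, "bottom_of_stack": bottom,
            "reserved": label < 16,
            "reserved_name": RESERVED_LABELS.get(label)}


def decode_mpls_stack(sections: list) -> list:
    """Decode ordered stack sections (top label first) into layers.

    Stops at the entry whose S bit is set; rejects stacks deeper than the
    10-layer limit and stacks that never mark a bottom entry.
    """
    if len(sections) > MAX_STACK_DEPTH:
        raise ValueError(f"more than {MAX_STACK_DEPTH} stack sections")
    layers = []
    for depth, section in enumerate(sections, start=1):
        entry = decode_mpls_section(section)
        entry["depth"] = depth
        layers.append(entry)
        if entry["bottom_of_stack"]:
            return layers
    raise ValueError("no bottom-of-stack bit set in exported sections")


# Constructed sample: transport label 16000 (Exp 5) over VPN label 24,
# which is the bottom of the stack.
SAMPLE_SECTIONS = [bytes.fromhex("03e80a"), bytes.fromhex("000181")]

if __name__ == "__main__":
    for layer in decode_mpls_stack(SAMPLE_SECTIONS):
        print(layer)
```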

Filter on MPLS Fields

Use the Add Filter option on the Network Activity tab to filter on MPLS fields.

Search for MPLS Fields

Use the Advanced Search option on the Network Activity tab to search for MPLS fields.

View Information about MPLS Fields

You can view information about MPLS fields by double-clicking a flow on the Network Activity tab to open the Flow Details window.

IPFIX MPLS Information Elements

The following table describes the IPFIX MPLS information elements that are supported. All of these elements have Private Enterprise Number (PEN): 0.

Field                       Element ID
mplsTopLabelType            46
mplsTopLabelIPv4Address     47
mplsTopLabelStackSection    70
mplsLabelStackSection2      71
mplsLabelStackSection3      72
mplsLabelStackSection4      73
mplsLabelStackSection5      74
mplsLabelStackSection6      75
mplsLabelStackSection7      76
mplsLabelStackSection8      77
mplsLabelStackSection9      78
mplsLabelStackSection10     79
mplsVpnRouteDistinguisher   90
mplsTopLabelPrefixLength    91
mplsTopLabelIPv6Address     140
mplsPayloadLength           194
mplsTopLabelTTL             200
mplsLabelStackLength        201
mplsLabelStackDepth         202
mplsTopLabelExp             203
postMplsTopLabelExp         237
pseudoWireType              250
pseudoWireControlWord       251
mplsLabelStackSection       316
mplsPayloadPacketSection    317
sectionOffset               409
sectionExportedOctets       410

Exporting Flows

You can export flows in Extensible Markup Language (XML) or Comma Separated Values (CSV) format. The length of time that is required to export your data depends on the number of parameters specified.

  1. Click the Network Activity tab.

  2. Optional. If you are viewing flows in streaming mode, click the Pause icon to pause streaming.

  3. From the Actions list box, select one of the following options:

    • Export to XML > Visible Columns - Select this option to export only the columns that are visible on the Log Activity tab. This is the recommended option.

    • Export to XML > Full Export (All Columns) - Select this option to export all flow parameters. A full export can take an extended period of time to complete.

    • Export to CSV > Visible Columns - Select this option to export only the columns that are visible on the Log Activity tab. This is the recommended option.

    • Export to CSV > Full Export (All Columns) - Select this option to export all flow parameters. A full export can take an extended period of time to complete.

  4. If you want to resume your activities, click Notify When Done.

When the export is complete, you receive a notification. If you did not select the Notify When Done icon, the Status window is displayed.