
Flowmon ADS User Guide

HIGHTRANSF - High Volume of Transferred Data

  • Last Updated: April 5, 2026

Method description

This method detects massive usage of the data link by one user (IP address). It aggregates all traffic for an IP address and checks whether the total exceeds the maximum limit. The TransferThreshold option specifies the absolute data volume threshold for a single IP address (in MiB). When this limit is reached or exceeded, an event is reported. IP addresses with which at least the preset percentage (the TargetPercentile parameter) of the maximal transfer between two addresses was transferred are marked as targets of the event. The ExcludeServers parameter specifies the name of a filter that defines the IP addresses of servers that should be excluded from detection. Servers typically have higher data transfers than client stations. The LegalServers parameter specifies the name of the filter that defines IP addresses between which high transfers are allowed.

This method consists of the following submethods:

  • General: Reports devices within the monitored network that transfer large amounts of data within a short period.

Method configuration

It is recommended to apply this method only to IP addresses from your own network. The right place to monitor the traffic is the Internet connection line.

Method parameters

  • TransferThreshold: The threshold for the transferred data amount (in MiB).

  • ExcludeServer: The name of the filter that defines the IP addresses of the devices that are allowed to transfer large amounts of data (especially the servers in the monitored network).

  • TargetPercentile: The minimal percentage of the total data amount that must be transferred with a single communication peer for that peer to be marked as an event target.

  • LegalServers: The name of the filter that defines the IP addresses of the devices with which devices in the monitored segment are allowed to make large data transfers.
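
The following sketch models how the four parameters interact over one window of flow records. It is an added illustration, not Flowmon's implementation. It assumes that both traffic directions count toward an address's volume, that transfers with LegalServers peers are left out of the sum, and that TargetPercentile is taken of the address's total volume; the flow records and filter contents are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

MIB = 1024 * 1024

# Constructed sample data: (src_ip, dst_ip, bytes) for one evaluation window.
FLOWS = [
    ("10.0.0.21", "203.0.113.7", 900 * MIB),
    ("10.0.0.21", "198.51.100.4", 150 * MIB),
    ("198.51.100.9", "10.0.0.21", 50 * MIB),
    ("10.0.0.10", "203.0.113.7", 5000 * MIB),   # file server, excluded
    ("10.0.0.22", "192.0.2.50", 3000 * MIB),    # backup to an allowed peer
    ("10.0.0.22", "203.0.113.7", 100 * MIB),
    ("10.0.0.23", "203.0.113.8", 1024 * MIB),   # exactly at the threshold
]
MONITORED = ["10.0.0.0/24"]          # hypothetical assigned filter
EXCLUDE_SERVERS = ["10.0.0.10/32"]   # hypothetical filter contents
LEGAL_SERVERS = ["192.0.2.50/32"]    # hypothetical filter contents

def in_filter(ip, networks):
    return any(ip_address(ip) in ip_network(n) for n in networks)

def detect_hightransf(flows, threshold_mib, target_percentile,
                      monitored, exclude_servers=(), legal_servers=()):
    # Assumption: both directions count toward an address's volume.
    per_peer = defaultdict(lambda: defaultdict(int))  # local -> peer -> bytes
    for src, dst, nbytes in flows:
        for local, peer in ((src, dst), (dst, src)):
            if not in_filter(local, monitored) or in_filter(local, exclude_servers):
                continue
            if in_filter(peer, legal_servers):
                continue  # Assumption: allowed pairs are left out of the sum.
            per_peer[local][peer] += nbytes
    events = []
    for local, peers in sorted(per_peer.items()):
        total = sum(peers.values())
        if total < threshold_mib * MIB:      # event when reached or exceeded
            continue
        # Assumption: percentage is taken of the address's total volume.
        cutoff = total * target_percentile / 100
        targets = sorted(p for p, b in peers.items() if b >= cutoff)
        events.append({"source": local, "mib": total / MIB, "targets": targets})
    return events

if __name__ == "__main__":
    for event in detect_hightransf(FLOWS, 1024, 50, MONITORED,
                                   EXCLUDE_SERVERS, LEGAL_SERVERS):
        print(event)
```

Lowering TargetPercentile in this model widens the target list of an event without changing which addresses raise one; only TransferThreshold and the two filters affect that.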

Assigned filter

The filter is used for restricting source and destination IP addresses.

Interpretation of results

This method reliably alerts on IP addresses that transferred more data than is allowed. It may indicate an unexpected overload of the network (for example, due to a backup process or similar large data transfers). Such activity could be considered legitimate depending on the devices and services involved.
