Analysis
- Last Updated: April 5, 2026
The Flowmon Packet Investigator is an analytical tool that helps you resolve operational network problems. Recorded PCAPs are automatically checked for deviations from the RFC specifications of the respective protocols and their combinations, and any error codes or other failures are recorded. The list of currently supported protocols includes the most common services used by enterprises: ARP, DHCP, DNS, FTP, HTTP, ICMP, IMAP, IMF, IP, NTP, POP, SIP, SLAAC, SMB, SMTP, SSL, and TCP. The following protocols specific to IoT and industrial (OT) environments are also supported: CoAP, GOOSE, IEC104, MMS, and MQTT. The analysis can be set to start automatically (see previous sections) or manually. To perform an analysis on a selected recording, click Analyze, shown in the Analysis figure below.
Clicking Analyze displays a popup dialog where you choose which probe (for direct recordings) or which PCAP file (for uploaded recordings) you want to analyze. Click the blue arrow next to a probe source to show which PCAP files belong to that source, as shown in the Analyze recording figure below. The history PCAPs (obtained from the adaptive buffer functionality) are not analyzed because they contain packets mixed from all probes of the given recording, so flows may be incomplete; analyzing them would only produce false positive events.
You can also select which protocols you consider important in the Show the following protocols in the analysis report menu. Events related to these protocols are displayed when viewing the results of the analysis of a particular recording, which means that the set of protocols can be different for each recording. However, the displayed event protocol type can always be changed when viewing the analysis results.
Clicking Analyze in the dialog queues the analysis request. Currently, up to four recordings can be analyzed at once; this limit is set because of the resources the process requires. The initial state of a recording is Waiting to analyze. When the analysis starts, it changes to Analyzing.
After the analysis is finished, the recording state changes to Analyzed. The Analysis Result column shows the number of total findings, to allow you to quickly assess whether the recording needs attention or not. Clicking entries in this column shows a detailed view of the results of the analysis. If an error occurs and the state changes to Analysis failed, contact Flowmon support and provide them with the appliance logs exported from Configuration Center > System > Maintenance.
The Detailed analysis result figure above shows an example of the results of a detailed analysis. In the upper section of the popup dialog, you can select for which of the analyzed PCAPs or sources to display the results. The Show protocols selection controls which event trees are displayed in the analysis detail. This part of the settings is available when an analysis is started manually, or when the option to automatically analyze the PCAP after recording or upload is selected. The selected protocols act as a view filter and only affect the root events in the analysis detail. Diagnostics are performed on all supported protocols, regardless of the Show protocols settings. This ensures that you are presented even with events whose root cause lies in a protocol that is not included in the Show protocols filter. For example, a network admin may be notified about issues with email communication, which points to SMTP, while the root cause is actually an SSL handshake failure; in that case the admin still sees the SSL events and issues even when only SMTP is selected in the Show protocols settings. Below the Show protocols filter are the Events and Statistics tabs, where you select the protocol events you want to see. By default, you see those that were selected when the analysis was started, but this can be changed here.
The Events tab shows analysis results in the form of event trees (in the left section of the window) along with event details (in the right section). The event trees show the progression of the recorded communication and the analyzed states, visualized as events with different severities. Each node of an event tree may have multiple child nodes. Clicking a node displays detailed information in the right section of the tab: the selected packet data together with a description of the event and suggestions for resolution (if a problem is detected). Suggestions provide expert knowledge and help you solve the detected issues without having to analyze the recording in depth. To navigate the event trees quickly, use the Collapse all option together with the Propagate severity option to show only the root events of all trees and propagate the highest severity detected within each tree to its root event (indicated by the icon next to the event name). You can also filter the list of event trees by severity; the filter behaves as if severity were propagated, so a tree is kept whenever any node in it reaches the selected severity.
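The Collapse all / Propagate severity behaviour described above, as an added example that is not Flowmon's code: the severity levels, event names and the small SMTP-over-SSL tree are constructed for illustration (the page does not list the product's exact severity scale). The filter keeps a tree whenever its propagated root severity meets the threshold, which is why an SMTP tree whose only error is a nested SSL handshake failure survives an "error and above" filter.

```python
from dataclasses import dataclass, field
from typing import List

# Assumed severity scale for the example; higher rank = more severe.
SEVERITY_RANK = {"info": 0, "warning": 1, "error": 2, "critical": 3}


@dataclass
class Event:
    """One node of an event tree: its own severity plus child events."""
    name: str
    severity: str
    children: List["Event"] = field(default_factory=list)


def propagated_severity(event: Event) -> str:
    """Highest severity found anywhere in the subtree rooted at `event`."""
    worst = event.severity
    for child in event.children:
        child_sev = propagated_severity(child)
        if SEVERITY_RANK[child_sev] > SEVERITY_RANK[worst]:
            worst = child_sev
    return worst


def collapsed_roots(trees, propagate=True):
    """'Collapse all' view: one (name, severity) row per tree.
    With propagate=True the root shows the worst severity in its subtree."""
    return [(t.name, propagated_severity(t) if propagate else t.severity)
            for t in trees]


def filter_by_severity(trees, minimum):
    """Keep trees whose propagated severity is at least `minimum`
    (the filter acts as if severity were propagated)."""
    threshold = SEVERITY_RANK[minimum]
    return [t for t in trees
            if SEVERITY_RANK[propagated_severity(t)] >= threshold]


# Constructed sample mirroring the SMTP/SSL scenario in the text.
SMTP_TREE = Event("SMTP session 10.0.0.5 -> 10.0.0.25:25", "info", [
    Event("STARTTLS negotiated", "info", [
        Event("SSL handshake failure (alert handshake_failure)", "error"),
    ]),
])
DNS_TREE = Event("DNS query example.com A", "info", [
    Event("Response NXDOMAIN", "warning"),
])
HTTP_TREE = Event("HTTP GET /index.html", "info")
TREES = [SMTP_TREE, DNS_TREE, HTTP_TREE]


def show(trees, propagate=True):
    for name, sev in collapsed_roots(trees, propagate):
        print(f"[{sev:8}] {name}")


if __name__ == "__main__":
    print("-- collapsed, severity propagated --")
    show(TREES)
    print("-- collapsed, root severity only --")
    show(TREES, propagate=False)
    print("-- filter: error and above --")
    show(filter_by_severity(TREES, "error"))
```

Without propagation every root in the sample reads as "info", which is exactly the situation the Propagate severity option exists to avoid.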
The Statistics tab provides TOP 10 statistics for the selected source. TOP 10 statistics are calculated on demand and sorted by the selected parameters, which may cause a short delay when the statistics are displayed. If an asterisk (*) appears in a TOP 10 table, the numbers in that row are aggregated from the rest of the available data, that is, from entries not already listed in the table. The asterisk is always placed in the column representing the parameter on which the statistics are based. The Flowmon Packet Investigator also checks PCAP integrity; if packets are missing or the file has other defects, a warning icon is shown next to the Statistics tab label, and the detected issues are described inside the Statistics tab.
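To make the two mechanics of the Statistics tab concrete, here is an added example that is not Flowmon's code: a minimal classic-pcap walker that reports file-level integrity defects (a record cut short by a truncated file, a captured length larger than the original or the snaplen, a sliced packet, timestamps that go backwards as they might after merging captures) and a TOP-N function that appends the "*" rest row in the key column. The sample capture bytes, IP addresses and check names are constructed for this example; the product's own integrity checks and statistics are more extensive than this.

```python
import struct
from collections import Counter

# pcap magic -> (struct byte-order prefix, unit of the timestamp fraction field)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1e-6), b"\xa1\xb2\xc3\xd4": (">", 1e-6),
    b"\x4d\x3c\xb2\xa1": ("<", 1e-9), b"\xa1\xb2\x3c\x4d": (">", 1e-9),
}
GLOBAL_HDR_LEN, RECORD_HDR_LEN, ETH_HDR_LEN = 24, 16, 14


def parse_pcap(data: bytes):
    """Walk a classic pcap. Returns (packets, findings) where packets is a list of
    (timestamp, src_ip, dst_ip, orig_len) and findings lists integrity issues."""
    packets, findings = [], []
    if len(data) < GLOBAL_HDR_LEN or data[:4] not in PCAP_MAGICS:
        return packets, ["bad or missing pcap global header"]
    bo, unit = PCAP_MAGICS[data[:4]]
    _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(bo + "HHiIII", data[4:24])
    if linktype != 1:  # this example decodes Ethernet (LINKTYPE_ETHERNET) only
        return packets, [f"unsupported link type {linktype}"]
    off, last_ts = GLOBAL_HDR_LEN, None
    while off < len(data):
        if len(data) - off < RECORD_HDR_LEN:
            findings.append(f"trailing {len(data) - off} byte(s): incomplete record header at offset {off}")
            break
        sec, frac, incl, orig = struct.unpack(bo + "IIII", data[off:off + RECORD_HDR_LEN])
        off += RECORD_HDR_LEN
        ts, n = sec + frac * unit, len(packets) + 1
        if incl > orig:
            findings.append(f"packet {n}: captured length {incl} exceeds original length {orig}")
        if incl > snaplen:
            findings.append(f"packet {n}: captured length {incl} exceeds snaplen {snaplen}")
        if len(data) - off < incl:
            findings.append(f"packet {n}: file truncated, {len(data) - off} of {incl} bytes present")
            break
        if incl < orig:
            findings.append(f"packet {n}: sliced, {incl} of {orig} bytes captured")
        if last_ts is not None and ts < last_ts:
            findings.append(f"packet {n}: timestamp goes backwards (merged or mixed capture?)")
        last_ts = ts
        frame = data[off:off + incl]
        off += incl
        src = dst = None
        if len(frame) >= ETH_HDR_LEN + 20 and frame[12:14] == b"\x08\x00":  # IPv4
            src = ".".join(str(b) for b in frame[26:30])
            dst = ".".join(str(b) for b in frame[30:34])
        packets.append((ts, src, dst, orig))
    return packets, findings


def top_n(packets, key_index, n=10):
    """TOP-N packet counts by one column, plus a '*' row holding everything else."""
    counts = Counter(p[key_index] for p in packets if p[key_index] is not None)
    rows = counts.most_common(n)
    rest = sum(counts.values()) - sum(c for _, c in rows)
    if rest:
        rows.append(("*", rest))  # asterisk sits in the key column
    return rows


# --- constructed sample capture (Ethernet + bare IPv4 headers) ---------------
def _frame(src, dst):
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip


def _record(ts_sec, frame, orig_len=None):
    orig_len = len(frame) if orig_len is None else orig_len
    return struct.pack("<IIII", ts_sec, 0, len(frame), orig_len) + frame


SAMPLE_PCAP = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    + _record(100, _frame("10.0.0.5", "10.0.0.25"))
    + _record(101, _frame("10.0.0.5", "10.0.0.25"))
    + _record(102, _frame("10.0.0.7", "10.0.0.25"))
    + _record(103, _frame("10.0.0.5", "10.0.0.53"), orig_len=1500)  # sliced packet
    + _record(99, _frame("10.0.0.9", "10.0.0.25"))                   # clock goes backwards
    + _record(104, _frame("10.0.0.5", "10.0.0.25"))[:20]             # file cut mid-record
)

if __name__ == "__main__":
    pkts, issues = parse_pcap(SAMPLE_PCAP)
    print(f"{len(pkts)} packets decoded; integrity findings:")
    for issue in issues:
        print("  !", issue)
    print("TOP 2 source IPs:", top_n(pkts, 1, n=2))
    print("TOP 10 destination IPs:", top_n(pkts, 2))
```

With n=2 the source table shows two real rows and a "*" row for the remaining host, while the destination table has only two distinct values and therefore gets no "*" row, matching the rule that the asterisk only appears when entries were left out.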