
Flowmon User Guide

Advanced Settings

  • Last Updated: April 5, 2026

In the Advanced settings tab, you can configure packet sampling rate, flow identifier list, and list of autonomous systems. If you disable the Use custom settings toggle switch and click Save, this tab is configured according to the global configuration. You can also configure the Decapsulate tunnel protocols and Decapsulation mode of MPLS packets options.

Advanced settings

The Packet sampling rate defines the deterministic sampling (for example, sampling interval 1 in 3 packets) or random sampling (for example, sampling interval 1 in 3 packets) for incoming packets. Specifying zero (0) as the Packet sampling rate disables this feature.

You can enable the Light mode toggle to achieve maximum performance of a monitoring port. This option is necessary for reaching wire-speed monitoring on 10 Gbps and 100 Gbps networks. This option disables monitoring of all additional information from the L2, L3/L4, and L7 layers (only basic flow information equal to NetFlow v5, including IPv6, will be monitored).

In the Optional Lx values for NetFlow record list, it is possible to enable monitoring of additional information from the L2, L3/L4, and L7 layer.

Note that each enabled option has an impact on the performance of the monitoring port. Some other Flowmon modules (FPI Probe, APM Probe, IDS Probe) also affect the performance of the monitoring port when enabled.

For proper monitoring of optional values it is highly recommended to connect the probe by SPAN port because both directions of communication must be monitored by the same monitoring port. If the probe is connected by TAP and each direction of communication is received by a different monitoring port then the monitoring capabilities can be limited or less accurate.

Optional L2 values for NetFlow record

For L2, you can select monitoring of MAC, VLAN, and MPLS tags (MPLS is not supported for NetFlow v5). In MPLS frames, there might be many different kinds of protocols encapsulated which are difficult to recognize because the MPLS header has no information about the encapsulated protocol. For this reason, the encapsulated data can be selected using the Select decapsulation mode of MPLS packets drop-down list where you can either select the Auto mode or the specific underlying protocol. If the Auto mode is not working properly, then try to select the underlying protocol manually.

Due to performance optimizations, it is possible that MAC, MPLS, or VLAN values may be missing in some flows.

Optional L3/L4 values for IPFIX record

For L3/L4, you can enable monitoring of extended values from L3/L4 (TCP TTL, TCP SYN packet size, and TCP window size) and Network Performance Monitoring metrics (NPM - see the Network Performance Metrics paragraph below for more information). All these values are available for the IPFIX protocol only.

Network Performance Metrics

The Flowmon Probe can monitor useful metrics which can be used to measure the quality of connection. All metrics are measured in microseconds. The NPM checkbox (Network Performance Metrics) enables the measuring of Round Trip Time, Server Response Time, TCP Retransmissions, and TCP Out of Order values. The NPM extended checkbox enables measuring of Jitter and Delay values. The metrics are listed below:

  • Round Trip Time - Network delay during TCP connection establishment (it is measured over TCP traffic only). In detail, it measures the time between SYN and ACK packets (between the first and second packets sent from the client). The metric is measured on flows sent from client to server only.

  • Server Response Time - Application delay for the first request of data. In detail, it measures the time between request acknowledgment by the server and the first packet of reply. The metric is measured on flows sent from the server to the client.

  • TCP Retransmissions and TCP Out of Order packets - Count of retransmitted and out of order packets in a TCP flow.

  • Jitter - The deviation from true periodicity of inter-packet gaps. It is measured for flows with three or more packets. In detail, it measures the delay between the first and second packet and then between the second and third packet. The difference of these two values is Jitter. The same applies to other packets. As an output, it provides average Jitter, min, max value, and standard deviation.

  • Delay - Inter-packet delay. In detail, it subtracts packetN and packetN-1 timestamps, and so on. As an output, it provides the average delay, min and max value, and standard deviation.

The detailed description of how the NPM metrics are calculated can be found in the Calculation of Flowmon NPM Metrics page.

Optional L7 values for IPFIX record

For L7, you can enable the NBAR2 option, which enables the detection of L7 applications. Detected applications are exported using the NBAR2 protocol. Next, you can enable deeper analysis of provided application protocols (for example, HTTP, DNS, Samba, and DHCP). All these values are available for the IPFIX protocol only.

DHCP

Enables monitoring of the DHCP protocol. It inspects UDP packets on standard ports 67 and 68. To store the information on the Flowmon Collector, enable the DHCP fields extension in the Flow Database Fields configuration.

DNS

Enables monitoring of the DNS protocol. It inspects UDP and TCP packets on standard port 53. To store the information on the Flowmon Collector, enable the DNS fields extension in the Flow Database Fields configuration.

HTTP

Enables monitoring of the HTTP protocol. It inspects all TCP packets and looks for HTTP communication even on non-standard ports. To store the information on the Flowmon Collector, enable the HTTP fields extension in the Flow Database Fields configuration.

Email

Enables monitoring of the SMTP, POP, and IMAP protocols. It inspects TCP packets on standard ports 25, 587, 110, and 143. To store the information on the Flowmon Collector, enable the Email fields extension in the Flow Database Fields configuration.

NBAR2

Enables the detection of L7 protocols, which are exported in NBAR2 format. For storing the information on the Flowmon Collector, enable the NBAR2 application tag extension in the Flow Database Fields configuration.

Samba

Enables monitoring of the SMB protocol. It inspects TCP packets on standard port 445. To store the information on the Flowmon Collector, enable the Samba fields extension in the Flow Database Fields configuration.

VoIP and Extended VoIP

Both options enable the monitoring of Session Initiation Protocol (SIP), which is an L7 signaling protocol used in Voice over IP technology (VoIP) for initiating, modifying, and terminating so-called sessions. Packet headers of SIP protocol contain information regarding initiated VoIP sessions (ID of the caller and the called party, how long the call was, whether it was initiated successfully, negotiated IP addresses and ports for Real-time Transport Protocol (RTP)). SIP protocol usually works over UDP on port 5060.

The difference between VoIP and Extended VoIP is that Extended VoIP also attempts to match the corresponding RTP and RTCP traffic to the initiated SIP session. This allows the user to see additional information regarding RTP traffic such as the audio or video codec which was used, the number of transmitted bytes and packets, traffic jitter, and the number of lost packets. However, matching RTP traffic with SIP sessions significantly impacts the performance of the Flowmon Probe appliance. Therefore, it is not recommended to use Extended VoIP on appliances where the expected network traffic rate exceeds 10 Gbps per monitoring port.

These options are mutually exclusive.

For storing the information on the Flowmon Collector, enable the VOIP fields extension in the Flow Database Fields configuration.

MSSQL

Enables monitoring of the TDS protocol, which is a database communication protocol used by Microsoft SQL server. It monitors TCP packets on standard port 1433. To store the information on the Flowmon Collector, enable the MSSQL fields and MSSQL extended fields extensions in the Flow Database Fields configuration.

PostgreSQL

Enables monitoring of the database communication protocol used by a PostgreSQL database. The monitoring functionality inspects all TCP packets and looks for the PostgreSQL communication even on non-standard ports. To store the information on the Flowmon Collector, enable the PostgreSQL fields and PostgreSQL extended fields extensions in the Flow Database Fields configuration.

MySQL

Enables monitoring of the database communication protocol used by the MySQL database. The monitoring functionality inspects all TCP packets and looks for the MySQL communication even on non-standard ports. To store the information on the Flowmon Collector, enable the MySQL fields and MySQL extended fields extensions in the Flow Database Fields configuration.

TLS main

This option enables the monitoring of basic information from the TLS protocol. The monitoring functionality inspects all TCP packets and looks for the TLS communication even on non-standard ports. To store the information on the Flowmon Collector, enable the TLS main fields extension in the Flow Database Fields configuration. When monitoring of the HTTP protocol is enabled, the Server name (SNI) value is also filled into the HTTP hostname field and the HTTP method is set to "SSL".

TLS client

This option enables the monitoring of client-specific information from the TLS protocol. The monitoring functionality inspects all TCP packets and looks for the TLS communication even on non-standard ports. To store the information on the Flowmon Collector, enable the TLS client fields extension in the Flow Database Fields configuration.

TLS certificate

This option enables monitoring of the server certificate information from the TLS protocol. The monitoring functionality inspects all TCP packets and looks for the TLS communication even on non-standard ports. To store the information on the Flowmon Collector, enable the TLS certificate fields extension in the Flow Database Fields configuration.

TLS JA3

This option enables the computation of the JA3 fingerprint from TLS flow records. The monitoring functionality inspects all TCP packets and looks for the TLS communication even on non-standard ports. To store the information on the Flowmon Collector, enable the TLS JA3 fields extension in the Flow Database Fields configuration.

QUIC

This option enables monitoring of QUIC SNI (Server Name Indication) information from the QUIC protocol. The monitored fields are Server name (SNI) and Server name length. When monitoring of the HTTP protocol is enabled, the SNI value is also filled into the HTTP hostname field and the HTTP method is set to "SSL".

The monitoring functionality inspects UDP traffic on port 443. The currently-supported QUIC versions for SNI monitoring are:

  • version 1 (defined by RFC9000)

  • IETF draft versions starting from 22 to 34

  • Facebook's MVFST versions 1 and 2

To store the information on the Flowmon Collector, enable the TLS main fields extension in the Flow Database Fields configuration.

IEC 104

Enables the monitoring of the IEC104 protocol. IEC104 allows communication between two systems in electrical engineering and power system automation. The monitoring functionality inspects all packets even on non-standard ports. To store the information on the Flowmon Collector, enable the IEC104 extension in the Flow Database Fields configuration.

COAP

Enables monitoring of the COAP protocol, which is a communication protocol in an IoT environment. It inspects packets on standard port 5683. For storing the information on the Flowmon Collector, enable the COAP extension in the Flow Database Fields configuration.

GOOSE

Enables monitoring of the GOOSE protocol. GOOSE is a peer-to-peer communication protocol used for information exchange between IEDs (IED – Intelligent Electronic Device) in a substation over the Ethernet and is defined in the IEC61850 standard. The monitoring functionality detects packets with the following EtherTypes:

  • 0x88b8 - Goose Type 1, Goose Type 1A

  • 0x88b9 - GSE Management

  • 0x88ba - Sampled Values

Packets with EtherType 0x88b8 are further inspected and monitored. For storing the information on the Flowmon Collector, enable the GOOSE extension in the Flow Database Fields configuration.

Because GOOSE packets do not contain IP addresses, which are needed for proper flow analysis on the Flowmon Collector, IPv6 addresses are generated and exported in GOOSE flows. The MAC addresses from the Ethernet layer are converted into link-local IPv6 addresses using a standard conversion mechanism.
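When reviewing GOOSE flows on the Collector, an analyst usually needs to get from the exported IPv6 address back to the device MAC. The following is an added example, not Flowmon code: it assumes the "standard conversion mechanism" is the modified EUI-64 mapping of RFC 4291, Appendix A, and the MAC addresses used are constructed samples.

```python
import ipaddress
from typing import Optional

LINK_LOCAL_PREFIX = b"\xfe\x80" + bytes(6)   # fe80::/64

def mac_to_link_local(mac: str) -> str:
    """MAC -> link-local IPv6 (assumed modified EUI-64 mapping)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Flip the universal/local bit and insert ff:fe in the middle.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return str(ipaddress.IPv6Address(LINK_LOCAL_PREFIX + iid))

def link_local_to_mac(addr: str) -> Optional[str]:
    """Recover the MAC from such an address, or None if it was not derived this way."""
    raw = ipaddress.IPv6Address(addr).packed
    if raw[:8] != LINK_LOCAL_PREFIX or raw[11:13] != b"\xff\xfe":
        return None
    mac = bytes([raw[8] ^ 0x02]) + raw[9:11] + raw[13:16]
    return ":".join(f"{b:02x}" for b in mac)

if __name__ == "__main__":
    # Constructed sample values: a unicast source MAC and a multicast destination MAC.
    for sample in ("00:1a:2b:3c:4d:5e", "01:0c:cd:01:00:01"):
        v6 = mac_to_link_local(sample)
        print(sample, "->", v6, "->", link_local_to_mac(v6))
```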

MMS

Enables monitoring of the MMS protocol. MMS is a client-server protocol used for information exchange between IEDs (IED – Intelligent Electronic Device) and higher level devices (such as SCADAs) over the Ethernet and is defined in the IEC61850 standard. The monitoring functionality inspects all TCP packets and looks for the MMS communication even on non-standard ports. For storing the information on the Flowmon Collector, enable the MMS extension in the Flow Database Fields configuration.

DLMS

Enables monitoring of the DLMS protocol. DLMS is a protocol used for messaging to and from (energy) distribution devices. The monitoring functionality inspects all packets even on non-standard ports. To store the information on the Flowmon Collector, enable the DLMS extension in the Flow Database Fields configuration.

VxLAN

This option enables monitoring of the VxLAN VNI. To store the information on the Flowmon Collector, enable the VxLAN extension in the Flow Database Fields configuration. If this option is enabled and the VxLAN option in Decapsulate tunnel protocols is disabled, the VNI is added to the list of flow identifiers (that is, SRC IP, DST IP, SRC port, DST port, L4 protocol). This means that a new flow is created with every unique VNI. The VNI is exported in flows regardless of the configuration of VxLAN in the Decapsulate tunnel protocols section.

Decapsulate tunnel protocols

ESP

This option enables ESP tunnel parsing when the ESP payload is not encrypted. Due to the protocol characteristics, it is not possible for the Flowmon Probe to conclusively decide whether the ESP payload is encrypted from the packet payload alone. Therefore, if the traffic also consists of encrypted ESP packets, a very small portion of these packets may be misidentified, and subsequently incorrectly parsed.

VxLAN

This option extends the monitoring of VxLAN. The monitoring functionality inspects all UDP packets where the source or destination port is equal to the number defined in the Select VxLAN port field.

4in6

This option enables parsing of decapsulated IPv4 network traffic transported over an IPv6 network as specified in RFC 2473.

When the 4in6 option is enabled, a subsequent option (Process as DS-Lite) is shown. Enabling this subsequent option allows the analysis of network traffic in the context of Dual-Stack Lite broadband deployments, as specified in RFC 6333. In such deployments, traditional 4in6 decapsulation that leads to the loss of the IPv6-related metadata is not sufficient, because the DS-Lite use-case requires unique identification of the originating Customer Premise Equipment (CPE) device (at Layer 3, this device is uniquely identified only by its IPv6 address). Therefore, it is desirable to retain the IPv6 addressing information and present it as the primary means of device identification of the collected flow data.

If the only enabled option is 4in6, then the exported flow contains the tunneled IPv4 source and destination addresses. The IPv6 addresses are not present in the flow. If both options are enabled, then the tunneled IPv4 address is mapped to the IPv6 address as specified in RFC 4291, section 2.5.5.

L2 Fields in NetFlow

The toggle switch Add enabled L2 fields to the NetFlow identifiers (previously called "Add MAC address to key fields") can be used for extending the list of common flow identifiers (that is, SRC IP, DST IP, SRC port, DST port, L4 protocol) by MAC address. It can be used in special cases when you need to detect MAC address changes during communication.

In some cases, the MAC, VLAN, or MPLS values may differ in each direction of communication. In these cases, when this option is enabled, it affects the monitoring functionality in a similar way as if each direction was received by a different monitoring port.

Packet Deduplication

Depending on the placement of monitoring points within a network, a Flowmon Probe appliance may receive duplicated packets. The preferred way of avoiding duplicates is to select monitoring points and/or configure a traffic mirroring, TAP, or SPAN in such a way that multiple copies of the same packet will not reach the Flowmon Probe appliance. If other means are not available, packet deduplication can be used to identify and remove packet duplicates directly on the Monitoring ports of the Flowmon Probe appliance.

This option should be the last resort for removing duplicated packets that could not be dealt with by any other means. This functionality is computationally intensive and enabling it is going to negatively impact the monitoring performance of the appliance.

To start packet deduplication, switch on Enable packet deduplication for selected Monitoring ports or in Global settings. Every Monitoring port has its own time interval in which the packets are deduplicated. Duplicates received outside of this interval will not be detected and removed. To change this interval, use the Deduplication interval option. You can choose a value in the range of 1 to 1000 ms.

In Light mode, packet deduplication is always disabled.

To identify duplicated packets, hashes of selected packet fields are used. The hash is a combination of a flow hash and a packet hash. Flow hash is computed from typical flow identification fields such as IP addresses, port numbers, and the L4 protocol number. The packet hash computation depends on the L4 protocol. For TCP, UDP and ICMP(v6) protocols the checksum field in the L4 header is used. For other protocols, the whole L4 header plus 64 bytes of payload data is used.

Because the checksum field in the UDP header is optional, this field is used for hash computation only if its value is different than 0. Otherwise, the hash of a UDP packet is computed the same way as for other protocols (L4 header and 64 bytes of payload).

If the hash of two received packets is the same and the interval between these packets is smaller than the chosen Deduplication interval, the second packet is considered to be a duplicate and is removed. Packet deduplication is primarily designed for deduplicating packets in pairs, as they would arrive when both the sender and the receiver of the packet are subject to the same traffic mirroring policy. In a general use case where one packet may have more duplicates, packet deduplication will decrease the number of duplicates but it will not remove them entirely.

Enabling packet deduplication will impact Flowmon's ability to correctly detect packet retransmission rates and report issues that use this metric as an indicator. A retransmitted packet will be treated as a duplicate if it arrives within the deduplication interval. Since packet deduplication works with packets in pairs, Flowmon will be able to deduplicate and detect some retransmissions at the same time; however, the resulting packet retransmission statistics will be skewed.

Packet deduplication processes packets for every Monitoring port independently; duplicates passing through separate monitoring ports will not be detected.
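The duplicate test described above (flow hash plus packet hash, compared within the Deduplication interval) can be modeled as follows to see why retransmissions and multi-copy mirroring skew the results. This is an added example, not Flowmon code: the hash function (BLAKE2b), the table that drops an entry once it has matched, and all addresses, checksums and payloads are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

TCP, UDP, ICMP, ICMPV6 = 6, 17, 1, 58  # IANA L4 protocol numbers

@dataclass(frozen=True)
class Packet:
    ts_ms: float            # arrival time on the monitoring port
    flow: tuple             # (src IP, dst IP, src port, dst port, L4 protocol)
    checksum: int = 0       # L4 checksum field; 0 means "not set" for UDP
    l4_header: bytes = b""
    payload: bytes = b""

def _h(data):
    # Stand-in hash; the page does not name the function the probe uses.
    return hashlib.blake2b(data, digest_size=8).digest()

def flow_hash(p):
    return _h("|".join(map(str, p.flow)).encode())

def packet_hash(p):
    proto = p.flow[4]
    if proto in (TCP, ICMP, ICMPV6) or (proto == UDP and p.checksum != 0):
        return _h(p.checksum.to_bytes(2, "big"))
    # Other protocols and checksum-less UDP: L4 header plus 64 payload bytes.
    return _h(p.l4_header + p.payload[:64])

def deduplicate(packets, interval_ms):
    """Return (kept, dropped) counts for one monitoring port."""
    last_kept = {}          # combined hash -> arrival time of the kept copy
    kept = dropped = 0
    for p in sorted(packets, key=lambda x: x.ts_ms):
        key = flow_hash(p) + packet_hash(p)
        seen = last_kept.get(key)
        if seen is not None and p.ts_ms - seen < interval_ms:
            dropped += 1
            del last_kept[key]  # assumption: a match consumes the entry (pairs)
        else:
            kept += 1
            last_kept[key] = p.ts_ms
    return kept, dropped

def tcp(ts, checksum=0x1A2B):
    return Packet(ts, ("10.0.0.5", "10.0.0.9", 40000, 443, TCP), checksum)

def udp0(ts, payload):
    hdr = bytes.fromhex("9c40003500490000")  # constructed header, checksum 0
    return Packet(ts, ("10.0.0.5", "10.0.0.9", 40000, 53, UDP), 0, hdr, payload)

def demo():
    a = b"A" * 64
    return {
        "mirrored_pair": deduplicate([tcp(0.0), tcp(0.3)], 5),
        "three_copies": deduplicate([tcp(0.0), tcp(0.3), tcp(0.6)], 5),
        "retransmit_inside_interval": deduplicate([tcp(0.0), tcp(3.0)], 5),
        "retransmit_outside_interval": deduplicate([tcp(0.0), tcp(3.0)], 1),
        "udp0_tail_differs": deduplicate(
            [udp0(0.0, a + b"X"), udp0(0.2, a + b"Y")], 5),
        "udp0_head_differs": deduplicate(
            [udp0(0.0, b"B" + a), udp0(0.2, b"A" + a)], 5),
    }

if __name__ == "__main__":
    print(demo())
```

In this model a retransmission with an unchanged checksum disappears when it lands inside the interval, and two checksum-less UDP datagrams that differ only after the first 64 payload bytes are merged, which is why the shortest interval that still covers the mirroring delay is the safer setting.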

Autonomous System Number Export

The Flowmon Probe allows the export of information concerning the source and destination autonomous systems (Origin AS method). As you can see in the following picture, while capturing packets between AS2 and AS3, the NetFlow data will contain source AS1 and destination AS4.

With the Use autonomous system list option, you can apply a list of subnets for every autonomous system. The monitoring port program will then fill the AS numbers into the SRC_AS and DST_AS fields of the NetFlow record. If you are using the NetFlow v5 export protocol, it is done automatically. If you are using NetFlow v9 export protocol, it is necessary to use a correct template containing SRC_AS and DST_AS fields.

To apply an AS list, switch on the Use autonomous system list toggle and either choose a file containing the list or type the list manually into the text box. Then, click Save. If the list is wrong, the monitoring port will not start and will display an error message. The AS list syntax is described in the section Autonomous system list syntax.

If you need to change the current list, simply choose the file with the new list and click the Save button. The list can be deactivated and removed by unchecking the Use autonomous system list option.
