Types of Analysis
- Last Updated: April 5, 2026
Recorded Flow data can be processed in two ways:
- Using the Flow statistics (Statistics tab)
- Working with the list of particular flows (List of flows tab).
Each tab has different configuration options. The Use IP-index option can be used in both, and it allows you to accelerate your filter query by entering a list of IPv4 addresses. IP-index is then used to quickly narrow the flows that your query needs to process down to those that contain the specified IPv4 addresses. This option must first be enabled in FMC Configuration, and it is only available for the All Sources profile.
Statistics (TopN)
A description of the options is as follows:
- Top - Limit the statistics to the first top N.
- Statistics by - Select the statistics you want from the menu and the order option.
- Limit - Limit the output only to those statistic lines whose packets or bytes match the specified limit.
- Use sampling - Enable this option if you want to process a large amount of data. It samples the flows in the database in a 1:10 ratio to speed up the computation in exchange for lesser accuracy.
Once the statistic results are displayed, a new option becomes available:
- Show in time - Displays a graph showing how the values of each row (maximum 20) developed over time.
Processing Flow data is a demanding task. If you are working with a large network, the processing can take a very long time, especially when you choose a large time window and more sources.
The results table contains the requested number of entries (or fewer if not enough values are available). The table columns are predefined and depend on query parameters, mainly the Statistics by parameter. If fields with IP addresses are part of the results and the Anomaly Detection System (Flowmon ADS) is available, the IP entry will be enriched with information about location, application, and blacklists where available.
If you hover over the application icon, the application name is displayed. 
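The accuracy trade-off of Use sampling, as an added example that is not Flowmon code: it ranks constructed flow records by bytes, once exactly and once from a 1:10 sample, and counts how often a low-volume host drops out of the sample entirely. The every-tenth-flow sampling model, the scaling of sampled totals by 10 and all addresses are assumptions; the page does not state how Flowmon selects the sampled flows.

```python
import random
from collections import Counter

RATIO = 10  # the 1:10 sampling ratio stated for "Use sampling"

def make_flows(seed=7):
    """Constructed flow records as (src_ip, packets, bytes) tuples."""
    rng = random.Random(seed)
    flows = []
    for ip, count in (("10.0.0.10", 4000), ("10.0.0.11", 2500), ("10.0.0.12", 1500)):
        for _ in range(count):
            pkts = rng.randint(5, 50)
            flows.append((ip, pkts, pkts * rng.randint(200, 1400)))
    rng.shuffle(flows)
    # A quiet host with four small flows at fixed positions in the record stream.
    for pos in (3, 1007, 4001, 7009):
        flows.insert(pos, ("10.0.0.99", 3, 180))
    return flows

def top_n(flows, n, scale=1):
    """Rank source IPs by total bytes; scale extrapolates sampled totals."""
    totals = Counter()
    for src, _pkts, nbytes in flows:
        totals[src] += nbytes * scale
    return totals.most_common(n)

def sample(flows, offset=0):
    """Assumed sampling model: keep every RATIO-th flow, starting at offset."""
    return flows[offset::RATIO]

def offsets_missing(flows, ip):
    """Count the RATIO possible sample offsets in which ip has no flow at all."""
    return sum(all(src != ip for src, _, _ in sample(flows, o)) for o in range(RATIO))

def relative_error(flows, ip, offset=0):
    """Error of the scaled sampled byte total for ip against the exact total."""
    exact = dict(top_n(flows, len(flows)))[ip]
    est = dict(top_n(sample(flows, offset), len(flows), RATIO)).get(ip, 0)
    return abs(est - exact) / exact

if __name__ == "__main__":
    flows = make_flows()
    print("exact  :", top_n(flows, 4))
    print("sampled:", top_n(sample(flows), 4, RATIO))
    print("offsets missing 10.0.0.99:", offsets_missing(flows, "10.0.0.99"), "of", RATIO)
    print("error for 10.0.0.10: %.1f%%" % (100 * relative_error(flows, "10.0.0.10")))
```

The heavy talkers keep their ranking under sampling, while a host with only a few flows can be absent from the sampled result, so a query that hunts for rare or low-volume sources is better run without sampling.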
List of Flows
A description of the options is as follows:
- Limit to - List only the first N flows of the selected time slot.
- Aggregate - Option to aggregate the flows. By clicking on the checkboxes, you can select how you want to have your flows aggregated. You may also aggregate entire subnets when selecting srcIPv4/. By default, the flows are not aggregated.
- Sort by - When listing flows from different channels/sources you may sort them according to the start time of the flows. Otherwise, the flows are listed in sequence of the selected channels.
- Output - Allows you to change the output format. It is possible to use the predefined formats line, long and extended, or define a custom one.
  - Line - displays one NetFlow record per line (if aggregation is off).
  - Long - this format displays extended information like TCP flags, Type of Service, and so on.
  - Extended - this format further expands the information provided by the "long" format with values like: pps (number of packets per second), bps (number of bytes per second), and bpp (bytes per packet).
  - Besides these predefined formats, it is possible to add a custom format by clicking Create new output. In the Create new output dialog, enter the name and check the values that you want to include (these show as columns in the result). Confirm your choice by clicking Save. The new filter is available in the output format combo box. You can modify or delete the output formats using the corresponding buttons next to the format name in the output combo box.
Like the chart, the table with results supports the context menu. The menu is available only for the items which can be further analyzed (for example, IP addresses). Each address can be used as a source for the next drill-down query.
The context menu can also be used for renaming important values in the table. This helps keep the table well arranged, and you will not have to remember complicated addresses. Right-click the address you want to rename and click Rename. New names are common for all the users of the probe and do not affect the function of the network.
The results table contains the requested number of entries (or fewer if not enough values are available). The table columns are defined by the Output field. Some columns offer a context menu on right-click with additional analysis options for the selected entry. If fields with IP addresses are part of the results and the Anomaly Detection System (Flowmon ADS) is available, the IP entry will be enriched with information about location, application, and blacklists where available.
The Previous Results Menu
The analysis page stores the last 10 result queries for each user. These last results are available in the Previous results menu - details for each item can be displayed by hovering the mouse over it. Selecting an item from this menu sets the Analysis page forms into the state corresponding to the query and displays the query result. The result is just taken from the database - it is not computed again, so the operation is very fast.
Each result can be exported to PDF, CSV, or TXT by clicking the corresponding icon. You can save important results by clicking on the floppy disk icon and specifying a name. Such results will not be overwritten by new results. Each user can permanently store up to 10 results along with the last 10 results, so each user can have up to 20 results in the Previous results menu.