The system view flow visualization can be used to generate a flow report specific to a subnet cloud, a device, an interface on that device or a specific flow by right-clicking on the subnet cloud, the device, the interface, or the flow endpoint.
Subnet cloud drill down: Right click on the subnet cloud of interest and select one of the four reports: Address Pairs, Application, DSCP or Protocol.
In this example, the desired Address Pair report lists the flows through the subnet cloud by Source IP and Destination IP address. A two-tier filter for IP source/destination address AND interface type is automatically selected to create this report. The flow data is aggregated from the nearest connected interface to prevent double counting of flows. Additional details on using Filters in Flow Reports can be found in – (LiveNX 6.0)Reporting.
Device drill down: Right click on the device of interest and select one of the four reports: Address Pairs, Application, DSCP or Protocol.
In this example, the desired Address Pair report lists the flows through all the interfaces of the selected device by source and destination address pairs. The desired device and all interfaces are automatically selected to create this report.
Interface drill down: Right click on the interface of interest and select one of the four reports: Address Pairs, Application, DSCP or Protocol.
In this example, the desired Address Pair report lists the flows through the selected device and the selected interface by source and destination address pairs. The desired device and interface are automatically selected to create this report.
Flow endpoint drill down: Right click on a flow endpoint and select one of the four reports: Address Pairs, Application, DSCP or Protocol
In this example, the desired Address Pair report lists the flows through the selected Source and Destination IP address. A two-tier filter for IP source/destination address AND interface type is automatically selected to create this report. The flow data is aggregated from the nearest connected interface to prevent double counting of flows. Additional details on using Filters in Flow Reports can be found in – Reporting.
The LiveNX flow system view has a Search field to filter the system view based on the system and flow entities. The Search field is located under the Flow tab’s main toolbar and is available in the system topology, the flow dashboard and the flow reports.
Searchable system entities include device, interface, site, tag and WAN parameters. Searchable flow entities include the IP address, DSCP, port, protocol, and application. CIDR notation can be used on the IPaddress, for example, “flow.ip=10.0.0.0/8.” Wildcards can be used on the IP address, for example, “flow.ip=10.0.0.2/0.255.255.0” would match the IP address where the first and last octet are 10 and 2 respectively. More granular matches can be done such as “flow.ip=22.214.171.124/0.127.255.0.”
Click on the Search field to begin typing in the desired search parameters.
The general syntax of the search field is shown as shaded text to represent an example entry.
(site = Honolulu | site = Chicago) & wan & flow.app = WebEx-meeting
Use the Enter key to apply the search. Click on the ‘X’ to clear the search field. Click on the down carat symbol to display a history of previous searches. The searches are kept on a per client basis; the history is removed with the LiveNX Client is closed.
Boolean expressions OR = ‘|’ and AND = ‘&’; grouping uses ‘( )’.
The Search editor provides tooltips to assist in creating the search expressions. Click on the desired entity to add it to the expression. NBAR uses dynamic lists based on the capability of the device.
Filtering can be done through the main toolbar dropdowns as well as the Flow Display Filter combo box. Filtering is first done via the main toolbar dropdowns, the Flow Display Filter combo-box and lastly, the Search field.
The Search is done with a one pass search. In addition, the system level entities need to be in a single clause. For example, (site = Honolulu | site = Chicago) & flow.ip=126.96.36.199 is allowed, but (site = Honolulu & flow.ip=188.8.131.52) | (site = Chicago & flow.ip=184.108.40.206) is not allowed.
LiveNX supports a large number of system and flow searchable entities. Click on the ? to display the list of searchable entries as well as some example search expressions.
Relational operators > and < can be used for flow.medianet.packetLossCount and flow.medianet.packetLossPercent, and only in topology view. For example, show flows with packet loss > 3% in topology view.
System Flow Table
The System Flow Table displays the flows from an entire network aggregated by flow technology. To open the table, click on the Table button the toolbar on the Flow tab. If you select a specific flow technology type during a System Refresh, then only the corresponding technology type tab will be populated.
For Basic Flow, the flow records are merged based off Source IP, Destination IP, Source Port, Destination Port, and DSCP and sorted by byte count and then the top 200 flows per device are displayed for the given time range. A non-zero value in the Sampler ID column denotes flows that are sampled.
For Medianet, the flows are merged based off Source IP, Destination IP, Source Port, Destination Port, DSCP , and RTP SSRC and sorted by byte count and then the top 200 per device are displayed for the given time range per device. Packet Loss %, Interarrival Jitter Mean, and Lost Event Count values are the max of all the records that were merged based off the tuples.
For AVC and NSEL, the last 200 records per device are shown for the given time frame.
The Unknown flow technology type is a flow type that doesn’t match any of the other flow types: Application (AVC), Basic Flow, Medianet, NSEL or PfR.
Flows generating an alert are highlighted in light red; the specific attribute exceeding an alert limit is highlighted in dark red. The alerts must be enabled for the particular flow technology for this to be visible.
NOTE: If a given flow with the same source and destination IP addresses are exported from the device using a different technology type, then the same flow would be represented in each flow technology type tab. The corresponding flow in the system topology view will only be shown once. The App Name field in the System Flow Table combines Application and NBAR Application data. When both are present, NBAR Application takes precedence. App Names followed by a (number:number) designate NBAR applications.
Right click on either the source or destination IP address in the System Flow Table and LiveNX provides additional options:
- Show Flow or Medianet Flow Path Analysis – displays an end-to-end analysis of the flow on a per-hop basis in the Basic Flow tab. Displays and end-to-end analysis of the Medianet flow on a per-hop basis in the Medianet flow tab.
- Define Custom Application Based on Flow – allows you to label a flow with a custom name and description.
- Add to IP Blacklist – highlights identification of IP addresses by turning it red in the topology device, flow table, and historical views. Please see Chapter 11 – Tools for Additional Information On the IP Blacklist Feature.
- Add to IP Mapping – allows mapping of IP addresses to a user-defined label. Please see Chapter 11 – Tools for Additional Information On the IP Mapping Feature.
- Copy to Clipboard – creates a one-click method to copy the IP address. • Export Flow Data – creates a .csv file of the system flow table.
Right click on any item in the System Flow Tab other than an item in either the Src IP, or the Dst IP to show flow path analysis, to define custom application based on flow, or to export the System Flow Table to a .csv file.
- Make sure polling is enabled in LiveNX. Click Enable Polling in the device’s toolbar, or go to the Tools menu and select Options, and then select Polling to enable polling for all of your devices.
- To view detailed information on individual flows, separate the flows if they are merged: Right click and select Show Merged Flows to toggle that option on and off. Mouse over each flow to see its information.
- Use the wheel button to zoom in and out.
- Network devices will be grayed out if they do not support flows.