34. Reports » Tools » Flows

The Reports » Tools panel includes Flows only if at least one Flow Sensor is configured. Within this tab, you can list, aggregate, filter, and sort flow records, as well as generate traffic tops and statistics.

34.1. Flow Records

In this sub-tab you can list and filter flow data.

● Sensor Interfaces – Select interfaces of interest. Guest accounts may have restricted visibility

● Flow Filtering Expression – Enter a filtering expression for flows. Click the star icon for syntax details. Common expressions can be saved/reused

● Export – The output can be shown in HTML, TEXT, JSON, or CSV, converted to PDF, emailed, or printed. If you need to query a very large volume of flows, avoid listing them all in the browser – the page may time out. In that case, choose CLI to see the shell command used for listing flows, then run that command from the shell and redirect the output to a file

● Time Range – Select a predefined time range, or Custom… to specify an exact interval. Only flows that started or ended within the selected interval are shown. Time zone differences between the Console server and remote Flow Sensor servers are not adjusted automatically

● Limit – Shows only the first <number> flows. To list more than 50,000 flows, use the CLI export option

● Aggregation – By default, flows are not aggregated. By checking the appropriate options, you can choose how to aggregate flows. You can aggregate entire subnets by selecting src(dst)IPv4(IPv6)/<subnet bits>

● Sorting – When listing flows from multiple interfaces, you can sort them after the start time of the flows. Otherwise, the flows are listed in the order of the Sensor Interfaces

● Display – Choose a predefined output format, or Custom… to specify your own. Each predefined format changes the Display Options

● Display Options – Configure how columns are shown. Check Include Unmonitored Ifs to add flows from interfaces not monitored by Flow Sensor but exported by the flow exporter

Note

The raw flow data is saved on disk in five-minute intervals, so a flow can take up to five minutes after being sent before it becomes queryable.

If no data is shown and the Flow Sensor is not running on the Console server, follow the NFS configuration steps.

34.2. Flow Tops

In this sub-tab you can generate tops from flow data.

● Sensor Interfaces – Select interfaces of interest. Guest accounts may have restricted visibility

● Flow Filtering Expression – Enter a filtering expression for flows. Click the star icon for syntax details. Common expressions can be saved/reused

● Top Type – Choose one of the items from the dropdown

● Order By – Select the unit for sorting results

● Export – The output can be shown in HTML, TEXT, JSON, or CSV, converted to PDF, emailed, or printed. If you need to query a very large volume of flows, avoid listing them all in the browser – the page may time out. In that case, choose CLI to see the shell command used for listing flows, then run that command from the shell and redirect the output to a file

● Time Range – Select a predefined time range, or Custom… to specify an exact interval. Only flows that started or ended within the selected interval are shown. Time zone differences between the Console server and remote Flow Sensor servers are not adjusted automatically

● Top – Limit listing to the first <number> records. To list more than 500, use the CLI export option

● Aggregation – By default, flows are not aggregated. By checking the appropriate options, you can choose how to aggregate flows. You can aggregate entire subnets by selecting src(dst)IPv4(IPv6)/<subnet bits>

● Limit – Restrict output to entries where packets or bytes meet the specified condition

● Display – Choose a predefined output format, or Custom… to specify your own. Each predefined format changes the Display Options

● Display Options – Configure how columns are shown. Check Include Unmonitored Ifs to add flows from interfaces not monitored by Flow Sensor but exported by the flow exporter

Note

The raw flow data is saved on disk in five-minute intervals, so a flow can take up to five minutes after being sent before it becomes queryable.

If no data is shown and the Flow Sensor is not running on the Console server, follow the NFS configuration steps.