37. Reports » Devices » Sensors

Clicking on a Sensor anywhere in the Console opens a tab with specific data. The tab has sub-tabs at the bottom. Each sub-tab shares these common toolbar fields:

● Sensor Interface – Select the Sensor interfaces of interest, or All. Administrators can limit which Sensors guests can access

● Time Range – Select a predefined range, or Custom… for a specific time interval

37.1. Sensor Dashboard

This sub-tab displays widgets using data collected by Sensors. Its configuration is global (not specific to just one Sensor), so any changes here are also visible in other Sensor Dashboards. The Reports » Dashboards chapter describes general dashboard operations.

Sensor widget configuration is explained in the following paragraphs.

37.2. Sensor Graphs

In this sub-tab you can view a variety of Sensor-related histograms for the selected Sensor Interface(s):

● Data Units – Select one or more data units:

• Most Used – Frequently used data units

• Packets – Inbound packets/s (+ on Y-axis) and outbound packets/s (– on Y-axis)

• Bits – Inbound bits/s (+ on Y-axis) and outbound bits/s (- on Y-axis)

• Applications – Sensor can track application-specific distribution for HTTP, HTTPS, SMTP, POP3, IMAP, SNMP, FTP, SSH, TELNET, SQL, NETBIOS, MS-DS, MS-RDP, DNS, ICMP, and OTHERS. Not generated when Stats Engine = Disabled

• Internal & External IPs – Number of IP addresses sending/receiving traffic. “Internal” = IPs inside the IP Zone; “External” = IPs outside. Enabling external IP monitoring depends on the Sensor’s Stats Engine parameter. Large spikes in Internal IPs often indicate an IP scan of your network. Large spikes in External IPs often indicate spoofed attacks from random sources

• Received Frames – Packet Sensor: pkts/s captured before IP/MAC validation. Flow Sensor: flows/s received before IP/AS validation

• Dropped Frames – Packet Sensor: pkts/s dropped by the capturing engine (indicates performance issues). Flow Sensor: unaccounted flows (could mean misconfiguration or connectivity issues)

• Unknown Frames – Packet Sensor: pkts/s failing IP validation. Flow Sensor: flows/s failing flow validation

• Unknown Sources – Source IP addresses that did not pass IP validation

• Unknown Destinations – Destination IPs that fail IP validation

• Avg. Packet Size – Average packet size in bits/packet

• CPU% – CPU resources used by the Sensor process

• RAM – RAM usage of the Sensor process

• Load – Kernel load average over 5-minute intervals

• IP Graphs – Number of IP graph files updated

• IP Accounting – Number of IP accounting records updated

• Profile Graphs – Number of profiling files updated

• IP Graphs Time – Seconds taken to update IP graph files

• Profile Graphs Time – Seconds taken to update profiling files

• Processing Time – Seconds used for traffic analysis

• IP Structures – Number of internal IP structures for IP tracking

• IP Structure RAM – Bytes of RAM each IP structure uses

• Flow Interface Packets – For Flow Sensor: pkts/s before IP/AS validation. Matches interface counters, ignoring flow-duration adjustment or interface direction. Useful for troubleshooting; requires InfluxDB

• Flow Interface Bits – For Flow Sensor: bits/s before IP/AS validation. Matches interface counters, ignoring flow-duration adjustment or interface direction. Also requires InfluxDB

• Flow Export Time – Positive side shows delay distribution of Start Time flows, negative side shows Stop Time distribution. Requires InfluxDB

• Dataplane – Parameters from the DPDK Capture Engine

• Bytes/time unit – Throughput in bytes per selected time unit

● Size – Choose a preset dimension or enter a custom size as “<X> x <Y>” where <X> and <Y> are the horizontal/vertical pixel counts

● Title – Enter your own text as the title, or select one of these options:

• Auto – Automatically generated title

• None – No title

● Legend – Select how detailed the legend should be

● Consolidation – Graph consolidation reduces data resolution by averaging, minimizing, or maximizing values over fixed time intervals, optimizing visualization while maintaining overall trends:

• MAXIMUM – Shows peak spikes

• AVERAGE – Displays average values

• MINIMUM – Focuses on lower values

● Grouping

• Sensor Interfaces – Select this to produce a single graph for all chosen Sensor Interfaces

● Stacking

• Sensor Interfaces – Choose this option to view summed, stacked values for multiple Sensor Interfaces

37.3. Sensor Tops

In this sub-tab you can generate various traffic tops.

● Decoders – Select which decoder (traffic dissector) to use

● Top Unit – Select a top unit from the following:

• Talkers – Hosts in your network that sent/received the most traffic for the chosen decoder. Unavailable if Stats Engine is Disabled in the Sensor config

• IP Groups – IP groups sending/receiving the most traffic for the chosen decoder. Unavailable if Stats Engine = Disabled

• External IPs – External IPs sending/receiving the most traffic for the chosen decoder. Requires Stats Engine = Extended or Full

• Upstream ASNs – ASNs sending or receiving the most traffic. Requires Stats Engine = Extended or Full

• Transit/Peering/Downstream ASNs – Available only if the Sensor extracts Transit AS data from a BGP dump file in MRT format

• Countries – Countries sending or receiving the most traffic. Requires Stats Engine = Extended or Full

• TCP Ports – Most-used TCP ports. Unavailable if Stats Engine = Disabled

• UDP Ports – Most-used UDP ports. Unavailable if Stats Engine = Disabled

• IP Protocols – Most-used IP protocols (transport-level). Unavailable if Stats Engine = Disabled

• IP Versions – Counters for IPv4 vs IPv6 traffic. Unavailable if Stats Engine = Disabled

● Traffic Direction – Select the traffic direction you wish to analyze: All, Inbound, or Outbound

● Display Options – Various settings controlling how the data is presented

● Grouping

• Sensor Interfaces – If unchecked, a separate top is generated for each selected Sensor Interface. If checked, top data from all selected Sensor Interfaces is combined

Note

Generating tops for many Sensor Interfaces and long time ranges can take minutes. If the report page times out, raise the max_execution_time value in php.ini.

You can increase the number of top records and add new decoders in General Settings » Graphs & Storage.

37.4. Sensor Events

This sub-tab shows events generated by the chosen Sensor(s) in the specified time window.

37.5. Anomaly Overview

Allows creating trends and summaries of anomalies detected by the selected Sensor Interfaces.

37.6. AS Graphs

Flow Sensor and Packet Sensor, depending on their Stats Engine settings, can produce per-AS bandwidth histograms. The inbound traffic (+ on Y-axis) is traffic received by the AS, while outbound traffic (- on Y-axis) is traffic sent from the AS.

● AS Number(s) – Choose one of:

• Upstream – Traffic sent to/from ASNs listed on the right

• Transit – Traffic that traversed the ASNs listed on the right

• Peering – Traffic to/from your AS peers (PrevAdjacentAS and NextAdjacentAS in NetFlow v9) from the ASNs on the right

• Downstream – Traffic to/from your downstream ASNs on the right

Click the star icon to see the correct syntax and to save commonly used AS numbers for later use.

● Size – Choose a preset dimension or enter a custom size as “<X> x <Y>” where <X> and <Y> are the horizontal/vertical pixel counts

● Title – Enter your own text as the title, or select one of these options:

• Auto – Automatically generated title

• None – No title

● Legend – Select how detailed the legend should be

● Grouping

• Sensor Interfaces – If unchecked, a separate graph is created for each Sensor Interface. If checked, the data is combined

• ASNs – If checked, show a single graph for multiple ASNs

● Stacking

• ASNs – Stack up to 20 ASNs in one graph

Note

To look up ASNs for a particular organization, go to Help » IP & AS Information » AS Numbers List or search https://bgp.he.net.

37.7. Country Graphs

Flow Sensor and Packet Sensor can generate per-country bandwidth histograms when the Stats Engine parameter is set to Full or Extended in the Sensor configuration.

● Countries – Select one or more countries from the dropdown list. Click the star icon to open a window containing saved continent and regional selections

● Size – Choose a preset dimension or enter a custom size as “<X> x <Y>” where <X> and <Y> are the horizontal/vertical pixel counts

● Title – Enter your own text as the title, or select one of these options:

• Auto – Automatically generated title

• None – No title

● Legend – Select how detailed the legend should be

● Grouping

• Sensor Interfaces – Combine data for all selected Sensor Interfaces into one graph

• Countries – When multiple countries are chosen, they can be displayed together on one graph

● Stacking

• Countries – Stack up to 20 countries on a single graph

37.8. Flow Records

In this sub-tab, you can list and filter the flow data for the selected Flow Sensor Interfaces. The available options are covered in detail in Reports » Tools » Flows.

37.9. Flow Tops

In this sub-tab, you can generate tops from the flow data collected by the selected Flow Sensor Interfaces. These options are also described in Reports » Tools » Flows.