User Manual
Version 5.3
Genie Network Resource Management Inc. reserves the right to alter the contents of this publication without advance notice. All examples in this publication are provided to help administrators and users operate the system. Copyright law must be observed when using the software. Without the prior written permission of Genie Network Resource Management Inc., no part of this publication may be reproduced or used in any form or by any means (electronic or mechanical, including photocopying and recording) or stored in any information storage and retrieval system, except as permitted by copyright law.
Contents
1
Introduction.................................................................................................................1
2.3
System Screen........................................................................................................... 3
2.2.2
System Login/Logout......................................................................................... 11
2.3.1
2.3.2
3.2
3.3
User ..................................................................................................................13
3.1.1
3.1.2
Privilege Template.................................................................................................... 18
3.1.3
3.1.4
Remote Authentication............................................................................................. 21
Device ...............................................................................................................22
3.2.1
Controller ................................................................................................................. 22
3.2.2
Collector ................................................................................................................... 24
3.2.3
MSP Server.............................................................................................................. 27
3.2.4
Network.............................................................................................................33
3.3.1
3.3.1.1
3.3.1.2
3.3.2
Dark IP ..................................................................................................................... 36
3.3.3
Router ...................................................................................................................... 37
3.3.3.1
Router........................................................................................................... 38
3.3.3.2
Interfaces...................................................................................................... 43
3.3.3.3
3.3.3.4
3.3.4
3.3.5
Backbone Links........................................................................................................ 53
3.3.6
Neighbor .................................................................................................................. 55
3.3.7
Sub-Network ............................................................................................................ 57
3.3.8
Server....................................................................................................................... 66
3.3.9
MSP Customer......................................................................................................... 72
3.3.9.1
3.3.9.2
3.3.9.3
3.3.9.4
3.3.10
Filter ....................................................................................................................... 79
3.3.10.1
Factor ......................................................................................................... 79
3.3.10.2
Filter ........................................................................................................... 84
3.3.10.3
3.3.11
Application ............................................................................................................. 96
3.3.12
3.3.12.1
3.3.12.2
3.3.13
3.4
3.5
3.6
3.3.13.1
3.3.13.2
3.3.13.3
3.3.13.4
Configuration...................................................................................................125
Mitigation.........................................................................................................129
3.5.1
3.5.2
3.5.2.1
3.5.2.2
3.5.2.3
Preferences.....................................................................................................142
3.6.1
3.6.2
Storage................................................................................................................... 143
3.6.3
3.6.4
3.6.4.1
3.6.4.2
3.6.4.3
3.6.4.4
3.6.4.5
3.6.5
3.6.5.1
Services...................................................................................................... 156
3.6.5.2
3.6.5.3
3.6.5.4
Area............................................................................................................ 160
3.6.5.5
IP to Area.................................................................................................... 161
3.6.6
3.6.6.1
User............................................................................................................ 163
3.6.6.2
Router......................................................................................................... 166
3.6.6.3
3.6.6.4
3.6.6.5
Neighbor..................................................................................................... 172
3.6.6.6
3.6.6.7
3.6.7
3.6.7.1
3.6.7.2
3.6.7.3
3.6.8
3.6.8.1
3.6.8.2
3.6.9
3.7
4
Status.......................................................................................................................191
4.1
4.2
4.3
Summary.........................................................................................................191
4.1.1
Global..................................................................................................................... 191
4.1.2
4.1.3
4.1.4
4.1.5
Global..................................................................................................................... 199
4.2.2
Log..................................................................................................................207
4.3.1
4.3.2
Snapshot .................................................................................................................210
Mitigation.................................................................................................................218
6.1
6.2
Blackhole ........................................................................................................218
Hardware Mitigation ........................................................................................221
6.2.1
6.2.2
Eudemon................................................................................................................ 225
Report ......................................................................................................................227
7.1
Internet............................................................................................................227
7.1.1
7.1.2
7.1.2.1
7.1.2.2
7.1.2.3
7.1.2.4
7.1.2.5
7.1.3
7.2
7.1.3.1
Application.................................................................................................. 232
7.1.3.2
7.1.3.3
7.1.3.4
7.1.3.5
Neighbor .........................................................................................................236
7.2.1
7.2.1.1
Compare..................................................................................................... 236
7.2.1.2
7.2.2
7.2.2.1
7.2.2.2
Neighbor..................................................................................................... 239
7.2.2.3
7.2.2.4
7.2.2.5
7.2.3
7.3
7.4
7.5
7.6
7.2.3.1
Application.................................................................................................. 242
7.2.3.2
7.2.3.3
7.2.3.4
7.2.3.5
Backbone ........................................................................................................246
7.3.1
7.3.2
7.3.2.1
Compare..................................................................................................... 247
7.3.2.2
Router .............................................................................................................250
7.4.1
7.4.2
7.4.3
7.4.4
7.4.5
7.4.5.1
7.4.5.2
7.4.5.3
Interface ..........................................................................................................258
7.5.1
7.5.2
7.5.3
7.5.4
7.5.4.1
Application.................................................................................................. 262
7.5.4.2
7.5.4.3
7.5.4.4
7.5.4.5
Sub-Network ...................................................................................................265
7.6.1
7.6.1.1
Compare..................................................................................................... 265
7.6.1.2
7.6.2
7.6.2.1
7.6.2.2
7.6.2.3
7.6.2.4
7.6.2.5
7.6.2.6
7.6.3
7.6.3.1
Application.................................................................................................. 272
7.6.3.2
7.6.3.3
7.6.3.4
7.6.3.5
7.7
Server .............................................................................................................275
7.7.1
Compare..................................................................................................... 275
7.7.1.2
7.7.2.2
7.7.2.3
7.7.2.4
Area............................................................................................................ 280
Application.................................................................................................. 281
7.7.3.2
7.7.3.3
7.7.3.4
7.7.3.5
7.8.1.1
Compare..................................................................................................... 285
7.8.1.2
7.8.2
8.2.2
8.2.3
8.2.4
8.2.4.1
Application.................................................................................................. 300
8.2.4.3
8.2.4.5
8.2.5
Anomaly Activities..................................................................................................305
9.1
9.2
7.7.3.1
7.7.4
7.7.2.1
7.7.3
7.7.1.1
7.7.2
7.8
Dark IP ............................................................................................................305
9.1.1
9.1.2
9.1.2.1
9.1.2.2
9.1.2.3
9.1.2.4
Summary Report.....................................................................................................311
9.2.2
9.2.2.1
9.2.2.2
9.2.2.3
List of Figures
Figure 2.3.1-1 System Login Window.....................................................................................................11
Figure 2.3.1-2 Default System Operation Window ................................................................................ 12
Figure 2.3.1-3 Login/Logout Alert Message Window............................................................................. 12
Figure 3.1.1-1 System Admin / User / Local User Account Management Window ............................... 14
Figure 3.1.1-2 System Admin / User / Local User Account -- Add Local User Account Window .......... 14
Figure 3.1.1-3 System Admin / User / Local User Account -- Edit Local User Account Window .......... 16
Figure 3.1.1-4 System Admin / User / Local User Account -- View Local User Account Window ......... 17
Figure 3.1.2-1 System Admin / User / Privilege Template Management Window ................................. 18
Figure 3.1.2-2 System Admin / User / Privilege Template -- Add User Privilege Template Window ..... 18
Figure 3.1.2-3 System Admin / User / Privilege Template -- Edit User Privilege Template Window ..... 19
Figure 3.1.2-4 System Admin / User / Privilege template -- View User Privilege Template Window .... 20
Figure 3.1.3-1 System Admin / User / Online User Management Window ........................................... 20
Figure 3.1.4-1 System Admin / User / Remote Authentication Management Window .......................... 21
Figure 3.1.4-2 System Admin / User / Remote Authentication / Edit Remote Authentication Window
(Radius Server) .............................................................................................................. 21
Figure 3.2.1-1 System Admin / Controller Management Window ......................................................... 22
Figure 3.2.1-2 System Admin / Controller -- Edit Controller Window .................................................... 23
Figure 3.2.2-1 System Admin / Collector Management Window........................................................... 24
Figure 3.2.2-2 System Admin / Collector -- Add New Collector Window............................................... 24
Figure 3.2.2-3 System Admin / Collector -- Edit Collector Window ....................................................... 25
Figure 3.2.2-4 System Admin / Collector -- View Collector Window ..................................................... 26
Figure 3.3.1-1 System Admin / Network / Home Network / Home Network Management Window...... 33
Figure 3.3.1-2 System Admin / Network / Home Network / Home Network Edit Local IP Address
Window........................................................................................................................... 34
Figure 3.3.1-3 System Admin / Network / Home Network / Home Network Edit Local AS Number
Window........................................................................................................................... 34
Figure 3.3.1-4 System Admin / Network / Home Network / ATD White List Management Window ...... 35
Figure 3.3.1-5 System Admin / Network / Home Network Edit ATD White List Window .................... 35
Figure 3.3.2-1 System Admin / Network / Dark IP Management Window............................................. 36
Figure 3.3.2-2 System Admin / Network / Dark IP -- Edit Dark IP & Non-Dark IP Addresses Window . 36
Figure 3.3.3-1 System Admin / Network / Router / Router Management Window ................................ 37
Figure 3.3.3-2 System Admin / Network / Router / Router -- Add Router Window................................ 38
Figure 3.3.3-3 System Admin / Network / Router / Router -- Edit Router Window................................ 41
Figure 3.3.3-4 System Admin / Network / Router / Router -- View Router Window .............................. 42
Figure 3.3.3-5 System Admin / Network / Router / Interface Management Window............................. 43
Figure 3.3.3-6 System Admin / Network / Router / Interface -- Interface Discovery with SNMP Window......... 44
Figure 3.3.3-7 System Admin / Network / Router / Interface -- Add Interface Window ......................... 44
Figure 3.3.3-8 System Admin / Network / Router / Interface -- Edit Router Interface Window ............. 45
Figure 3.3.3-9 System Admin / Network / Router / Interface -- View Interface Window........................ 46
Figure 3.3.3-10 System Admin / Network / Router / Recomm. to Add/Edit Window ............................. 47
Figure 3.3.3-11 System Admin / Network / Router / Recomm. to Remove Window ............................. 48
Figure 3.3.4-1 System Admin / Network / Internet Boundary Management Window ............................ 49
Figure 3.3.4-2 System Admin / Network / Internet Boundary -- Change Boundary Type Window (with
Figure 3.3.9-6 System Admin / Network / MSP Customer / MSP User Account -- MSP User Account Window ........ 77
Figure 3.3.9-7 System Admin / Network / MSP Customer / Privilege Template -- Privilege Template Management Window .................................................................................................... 77
Figure 3.3.9-8 System Admin / Network / MSP Customer / Privilege Template -- Edit User Privilege Template Window........................................................................................................... 78
Figure 3.3.10-1 System Admin / Network / Filter / Factor Management Window ................................. 79
Figure 3.3.10-2 System Admin / Network / Filter / Factor -- Add Factor Window (IP Factor)................ 80
Figure 3.3.10-3 System Admin / Network / Filter / Factor -- Add Factor Window (BGP Community Factor)
....................................................................................................................................... 80
Figure 3.3.10-4 System Admin / Network / Filter / Factor -- Add Factor Window (AS Number Factor) 81
Figure 3.3.10-5 System Admin / Network / Filter / Factor -- Add Factor Window (AS Path Factor)...... 81
Figure 3.3.10-6 System Admin / Network / Filter / Factor -- Add Factor Window (Application Factor) . 81
Figure 3.3.10-7 System Admin / Network / Filter / Factor -- Edit Factor Window.................................. 83
Figure 3.3.10-8 System Admin / Network / Filter / Factor -- View Factor Window ................................ 84
Figure 3.3.10-9 System Admin / Network / Filter / Filter Management Window.................................... 84
Figure 3.3.10-10 System Admin / Network / Filter / Filter -- Add Filter Window .................................... 85
Figure 3.3.10-11 System Admin / Network / Filter / Filter -- Add Filter Expression Window ................. 86
Figure 3.3.10-12 System Admin / Network / Filter / Filter -- Edit Filter Expression Window ................. 88
Figure 3.3.10-13 System Admin / Network / Filter / Filter -- View Filter Expression Window................ 88
Figure 3.3.10-14 System Admin / Network / Filter / Filter -- Add Filter TopN Window........................... 89
Figure 3.3.10-15 System Admin / Network / Filter / Filter -- Edit Filter TopN Window........................... 90
Figure 3.3.10-16 System Admin / Network / Filter / Filter -- Edit Filter Window .................................... 91
Figure 3.3.10-17 System Admin / Network / Filter / Filter -- View Filter Window................................... 92
Figure 3.3.10-18 System Admin / Network / Filter / Filter Batch Management window ........................ 93
Figure 3.3.10-19 System Admin / Network / Filter / Filter Batch -- Batch Add Filter Window ................ 94
Figure 3.3.11-1 System Admin / Network / Application Management Window...................................... 96
Figure 3.3.11-2 System Admin / Network / Application -- Add System Application Window ................. 97
Figure 3.3.11-3 System Admin / Network / Application -- Edit System Application Window ................. 99
Figure 3.3.11-4 System Admin / Network / Application -- View System Application Window................ 99
Figure 3.3.12-1 System Admin / Network / Anomaly / Protocol-Misuse Anomaly Management Window
..................................................................................................................................... 100
Figure 3.3.12-2 System Admin / Network / Anomaly / Protocol-Misuse Anomaly -- Edit Outgoing
Protocol-Misuse Anomaly Detection Window .................................
Figure 3.3.12-3 System Admin / Network / Anomaly / Protocol-Misuse Anomaly -- Edit Protocol-Misuse
Anomaly-Default for Home and User-defined Resources Window.............................. 101
Figure 3.3.12-4 System Admin / Network / Anomaly / Protocol-Misuse Anomaly -- Edit Protocol-Misuse
Anomaly-Non-Home Window....................................................................................... 102
Figure 3.3.12-5 System Admin / Network / Anomaly / Application Anomaly Management Window ... 103
Figure 3.3.12-6 System Admin / Network / Anomaly / Application Anomaly -- Edit Detection Scope
Window......................................................................................................................... 103
Figure 3.3.12-7 System Admin / Network / Anomaly / Application Anomaly -- Add Application Anomaly
Window......................................................................................................................... 104
Figure 3.3.12-8 System Admin / Network / Anomaly / Application Anomaly -- Edit Application Anomaly
Window......................................................................................................................... 106
Figure 3.3.12-9 System Admin / Network / Anomaly / Application Anomaly -- View Application Anomaly
Window......................................................................................................................... 107
Figure 3.3.13-1 System Admin / Network / Template / Baseline Management Window ..................... 108
Figure 3.3.13-2 System Admin / Network / Template / Baseline-- Add Baseline Template Window
(Interface Traffic Type) ................................................................................................. 109
Figure 4.4.11-3 System Admin / Network / Template / Baseline Add Baseline Template Window (BGP
Update Message Type) ................................................................................................. 111
Figure 3.3.13-4 System Admin / Network / Template / Baseline Add Baseline Template Window
(Traffic Anomaly Type) ..................................................................................................113
Figure 3.3.13-5 System Admin / Network / Template / Baseline Add Baseline Template Window
(Traffic Anomaly - Filter Type) .......................................................................................114
Figure 3.3.13-6 System Admin / Network / Template / Baseline Add Baseline Template Window
(Router Performance) ...................................................................................................115
Figure 3.3.13-7 System Admin / Network / Template / Baseline -- Edit Baseline Template Window ...115
Figure 3.3.13-8 System Admin / Network / Template / Baseline -- View Baseline Template Window..116
Figure 3.3.13-9 System Admin / Network / Template / Sub-Network Boundary Template Management
Window..........................................................................................................................117
Figure 3.3.13-10 System Admin / Network / Template / Sub-Network Boundary -- Add Sub-Network
Boundary Template Window .........................................................................................117
Figure 3.3.13-11 System Admin / Network / Template / Sub-Network Boundary -- Edit Sub-Network
Boundary Template Window .........................................................................................118
Figure 3.3.13-12 System Admin / Network / Template / Sub-Network Boundary -- View Sub-Network
Boundary Template Window .........................................................................................119
Figure 3.3.13-13 System Admin / Network / Template / Server-farm boundary Template Management
Window......................................................................................................................... 120
Figure 3.3.13-14 System Admin / Network / Template / Server-farm boundary -- Add Server-farm
boundary Template Window......................................................................................... 120
Figure 3.3.13-15 System Admin / Network / Template / Server-farm boundary -- Edit Server-farm
boundary Template Window......................................................................................... 121
Figure 3.3.13-16 System Admin / Network / Template / Server-farm boundary -- View Server-farm
Boundary Template Window ........................................................................................ 122
Figure 3.3.13-17 System Admin / Network / Template / TopN Report -- TopN Report Template Window
..................................................................................................................................... 123
Figure 3.3.13-18 System Admin / Network / Template / TopN Report -- Add Server-farm TopN Report
Template Window......................................................................................................... 123
Figure 3.3.13-19 System Admin / Network / Template / TopN Report -- Edit Server-farm TopN Window
..................................................................................................................................... 124
Figure 3.4-1 System Admin / Configuration Management Window..................................................... 125
Figure 3.4-2 System Admin / Configuration -- Dispatch Network Configuration and Save Window.... 126
Figure 3.4-3 System Admin / Configuration -- Upload Configuration Window .................................... 128
Figure 3.5.1-1 System Admin / Mitigation / Blackhole Management Window ..................................... 129
Figure 3.5.1-2 System Admin / Mitigation / Blackhole -- Edit Blackhole Window................................ 129
Figure 3.5.1-3 System Admin / Mitigation / Blackhole -- Add Blackhole Policy Window ..................... 130
2009 Genie Network Resource Management Inc. All Rights Reserved.
Figure 3.5.2-1 System Admin / Mitigation / Device / Device Management Window ........................... 133
Figure 3.5.2-2 System Admin / Mitigation / Device / Cisco Guard -- Add Guard Window................... 133
Figure 3.5.2-3 System Admin / Mitigation / Device / Cisco Guard -- Edit Guard Window................... 135
Figure 3.5.2-4 System Admin / Mitigation / Device / Cisco Guard -- View Guard Window ................. 136
Figure 3.5.2-5 System Admin / Mitigation / Device / Eudemon -- Eudemon Management Window ... 137
Figure 3.5.2-6 System Admin / Mitigation / Device / Eudemon -- Add Eudemon Window .................. 137
Figure 3.5.2-7 System Admin / Mitigation / Device / Eudemon -- Edit Eudemon Window .................. 139
Figure 3.5.2-8 System Admin / Mitigation / Device / Eudemon -- View Eudemon Window ................ 140
Figure 3.5.2-9 System Admin / Mitigation / Global / SSH Public Key Window.................................... 141
Figure 3.5.2-10 System Admin / Mitigation / Global / SSH Public Key Window.................................. 141
Figure 3.6.1-1 System Admin / Preferences / Status Parameter Management Window..................... 142
Figure 3.6.1-2 System Admin / Preferences / Status -- Edit Status Parameter Window ..................... 142
Figure 3.6.2-1 System Admin / Preferences / Storage Management Window .................................... 143
Figure 3.6.2-2 System Admin / Preferences / Storage -- Edit Disk Usage Window ............................ 143
Figure 3.6.2-3 System Admin / Preferences / Storage -- Edit Report Data Window ........................... 144
Figure 3.6.2-4 System Admin / Preferences / Storage -- Edit Alert Log Window ................................ 144
Figure 3.6.2-5 System Admin / Preferences / Storage -- Edit Anomaly Log Window.......................... 145
Figure 3.6.2-6 System Admin / Preferences / Storage -- Edit Login Log Window............................... 145
Figure 3.6.3-1 System Admin / Preferences / Report Parameter Management Window.................... 146
Figure 3.6.3-2 System Admin / Preferences / Report -- Edit Pre-defined TopN Report Parameter
Window......................................................................................................................... 146
Figure 3.6.3-3 System Admin / Preferences / Report -- Edit Report Parameter Window ................... 147
Figure 3.6.3-4 System Admin / Preferences / Report -- Edit Rule-Based Report Label Window........ 147
Figure 3.6.3-5 System Admin / Preferences / Report -- Edit Detail Anomaly Traffic Analysis Report
Parameter Window....................................................................................................... 147
Figure 3.6.4-1 System Admin / Preferences / Notification / System Notification Configuration Window
..................................................................................................................................... 148
Figure 3.6.4-2 System Admin / Preferences / Notification / System -- Edit Email Notification Window
..................................................................................................................................... 149
Figure 3.6.4-3 System Admin / Preferences / Notification / System -- Edit Trap Notification Window 150
Figure 3.6.4-4 System Admin / Preferences / Notification / Router Notification Configuration Window
..................................................................................................................................... 151
Figure 3.6.4-5 System Admin / Preferences / Notification / Router -- Edit Router Notification
Configuration Window .................................................................................................. 151
Figure 3.6.4-6 System Admin / Preferences / Notification / Sub-Network Notification Configuration
Window......................................................................................................................... 152
Figure 3.6.4-7 System Admin / Preferences / Notification / Sub-Network -- Edit Sub-Network Notification
Configuration Window .................................................................................................. 152
Figure 3.6.4-8 System Admin / Preferences / Notification / MSP Customer -- MSP Customer Notification Configuration Window .................................................................................................. 153
Figure 3.6.4-9 System Admin / Preferences / Notification / MSP Customer -- Edit MSP Customer Notification Configuration Window .................................................................................................. 153
Figure 3.6.4-10 System Admin / Preferences / Notification / Filter Notification Configuration Window
..................................................................................................................................... 154
Figure 3.6.4-11 System Admin / Preferences / Notification / Filter -- Edit Filter Notification Configuration
Window......................................................................................................................... 154
Figure 3.6.5-1 System Admin / Preferences / Name Mapping / Service Management Window ......... 155
Figure 3.6.5-2 System Admin / Preferences / Name Mapping / Service -- Add Service Name Window
..................................................................................................................................... 156
Figure 3.6.5-3 System Admin / Preferences / Name Mapping / Service -- Edit Service Name Window
..................................................................................................................................... 156
Figure 3.6.5-4 System Admin / Preferences / Name Mapping / Protocol Management Window........ 157
Figure 3.6.5-5 System Admin / Preferences / Name Mapping / Protocol -- Add Protocol Name Window
..................................................................................................................................... 157
Figure 3.6.5-6 System Admin / Preferences / Name Mapping / Protocol -- Edit Protocol Name Window
..................................................................................................................................... 158
Figure 3.6.5-7 System Admin / Preferences / Name Mapping / ASN management Window.............. 158
Figure 3.6.5-8 System Admin / Preferences / Name Mapping / ASN -- Add ASN Window................. 159
Figure 3.6.5-9 System Admin / Preferences / Name Mapping / ASN -- Edit ASN Name Window ...... 159
Figure 3.6.5-10 System Admin / Preferences / Name Mapping / Area Management Window ........... 160
Figure 3.6.5-11 System Admin / Preferences / Name Mapping / Area -- Add Area management Window
..................................................................................................................................... 160
Figure 3.6.5-12 System Admin / Preferences / Name Mapping / Area -- Edit Area management window
..................................................................................................................................... 161
Figure 3.6.5-14 System Admin / Preferences / Name Mapping / IP to Area -- Import IP-to-Area Management Window .................................................................................................. 162
Figure 3.6.6-1 System Admin / Preferences / Group / User Group Management Window................. 163
Figure 3.6.6-2 System Admin / Preferences / Group / User -- Add User Group Window.................... 163
Figure 3.6.6-3 System Admin / Preferences / Group / User -- Edit User Group Window.................... 164
Figure 3.6.6-4 System Admin / Preferences / Group / User -- View User Group Window .................. 165
Figure 3.6.6-5 System Admin / Preferences / Group / Router Group Management Window.............. 166
Figure 3.6.6-6 System Admin / Preferences / Group / Router -- Add Router Group Window ............. 166
Figure 3.6.6-7 System Admin / Preferences / Group / Router -- Edit Router Group Window ............. 167
Figure 3.6.6-8 System Admin / Preferences / Group / Router -- View Router Group Window............ 167
Figure 3.6.6-9 System Admin / Preferences / Group / Sub-Network Group Management Window ... 168
Figure 3.6.6-10 System Admin / Preferences / Group / Sub-Network -- Add Sub-Network Group
Window......................................................................................................................... 168
Figure 3.6.6-11 System Admin / Preferences / Group / Sub-Network -- Edit Sub-Network Group Window
..................................................................................................................................... 169
Figure 3.6.6-12 System Admin / Preferences / Group / Sub-Network -- View Sub-Network Group
Window......................................................................................................................... 169
Figure 3.6.6-13 System Admin / Preferences / Group / Server-farm Group Management Window ... 170
Figure 3.6.6-14 System Admin / Preferences / Group / Server-farm -- Add Server-farm Group Window
..................................................................................................................................... 170
Figure 3.6.6-15 System Admin / Preferences / Group / Server-farm -- Edit Server-farm Group Window
..................................................................................................................................... 171
Figure 3.6.6-16 System Admin / Preferences / Group / Server-farm -- View Server-farm Group Window
..................................................................................................................................... 171
2009 Genie Network Resource Management Inc. All Rights Reserved.
Figure 3.6.6-17 System Admin / Preferences / Group / Neighbor Group Management Window ..... 172
Figure 3.6.6-18 System Admin / Preferences / Group / Neighbor -- Add Neighbor Group Window ..... 172
Figure 3.6.6-19 System Admin / Preferences / Group / Neighbor -- Edit Neighbor Group Window ..... 173
Figure 3.6.6-20 System Admin / Preferences / Group / Neighbor -- View Neighbor Group Window ..... 174
Figure 3.6.6-21 System Admin / Preferences / Group / Filter Group Management Window ..... 175
Figure 3.6.6-22 System Admin / Preferences / Group / Filter -- Add Filter Group Window ..... 175
Figure 3.6.6-23 System Admin / Preferences / Group / Filter -- Edit Filter Group Window ..... 176
Figure 3.6.6-24 System Admin / Preferences / Group / Filter -- View Filter Group Window ..... 176
Figure 3.6.6-25 System Admin / Preferences / Group / MSP Customer User -- MSP Customer User Group Management Window ..... 177
Figure 3.6.6-26 System Admin / Preferences / Group / MSP Customer User -- Edit MSP Customer User Group Window ..... 178
Figure 3.6.6-27 System Admin / Preferences / Group / MSP Customer User -- View MSP Customer User Group Window ..... 178
Figure 3.6.7-1 System Admin / Preferences / Baseline History / Sub-Network Baseline History Window ..... 179
Figure 3.6.7-2 System Admin / Preferences / Baseline History / Sub-Network -- View Baseline History Window ..... 179
Figure 3.6.7-3 System Admin / Preferences / Baseline History / MSP Customer Baseline History Window ..... 180
Figure 3.6.7-4 System Admin / Preferences / Baseline History / MSP Customer -- View Baseline History Window ..... 181
Figure 3.6.7-5 System Admin / Preferences / Baseline History / Filter Baseline History Window ..... 182
Figure 3.6.7-6 System Admin / Preferences / Baseline History / Filter -- View Baseline History Window ..... 182
Figure 3.6.8-1 System Admin / Preferences / Offline Report / Scheduler Template Management Window ..... 183
Figure 3.6.8-2 System Admin / Preferences / Offline Report / Scheduler -- Edit Schedule Template Window (Daily Schedule Type) ..... 184
Figure 3.6.8-3 System Admin / Preferences / Offline Report / Scheduler -- View Schedule Template Window ..... 184
Figure 3.6.8-4 System Admin / Preferences / Offline Report / Sub-Network Offline Report Management Window ..... 185
Figure 3.6.8-5 System Admin / Preferences / Offline Report / Sub-Network -- Edit Sub-Network Offline Report Window ..... 185
Figure 3.6.8-6 System Admin / Preferences / Offline Report / Sub-Network -- View Sub-Network Offline Report Window ..... 186
Figure 3.6.9-1 System Admin / Preferences / Remote Update Management Window ..... 187
Figure 3.6.9-2 System Admin / Preferences / Remote Update -- Edit Default Configuration of Remote Update Window ..... 187
Figure 3.7-1 System Admin / Report Rebuild Window ..... 188
Figure 3.7-2 System Admin / Report Rebuild -- Adding a New Request Window ..... 188
Figure 3.7-3 System Admin / Report Rebuild -- Rawdata File Window ..... 189
Figure 3.7-4 System Admin / Report Rebuild -- Looking Up Last Request Status Window ..... 190
Figure 3.7-5 System Admin / Report Rebuild -- Aborting Last Request Window ..... 190
Figure 4.1.1-1 Status / Summary / Global Window ..... 192
Figure 4.1.2-1 Status / Summary / MSP Server Window ..... 193
Figure 4.1.3-1 Status / Summary / Anomaly Window ..... 194
Figure 4.1.4-1 Status / Summary / System Window ..... 195
Figure 4.1.4-2 Status / Summary / System / Controller Hardware Status Report ..... 196
Figure 4.1.4-3 Status / Summary / System / Controller Hardware Event Report ..... 196
Figure 4.1.4-4 Status / Summary / System / Controllers Status Window ..... 197
Figure 4.1.5-1 The Resource Summary Viewing List ..... 198
Figure 4.1.5-2 The Further Viewing List of Collector Resource ..... 198
Figure 4.2-1 Status / Anomaly Console / Anomaly Console Querying Window ..... 199
Figure 4.2-2 Status / Anomaly Console / Summary Anomaly Report Window (Sub-Network Resource Type) ..... 202
Figure 4.2-3 Status / Anomaly Console / Detail Anomaly Report Window (Sub-Network Resource Type) ..... 203
Figure 4.2-4 Status / Anomaly Console / Detail Anomaly Report -- ACL Generate Tool Window ..... 205
Figure 4.2-5 Status / Anomaly Console / Summary Anomaly Report Window (Filter Resource Type) ..... 205
Figure 4.2-6 Status / Anomaly Console / MSP Server Anomaly Console Querying Window ..... 206
Figure 4.3.1-1 Status / Alert Log / Alert Log Querying Window ..... 207
Figure 4.3.2-1 Status / Log -- Mitigation Log Querying Window ..... 208
Figure 4.3.3-1 Status / Log / Login Log Querying Window ..... 209
Figure 5-1 Traffic Snapshot Management Window ..... 210
Figure 5-2 Snapshot -- Device Interface Management Window ..... 212
Figure 5-3 Snapshot -- Instant Top N Report ..... 216
Figure 5-4 Snapshot -- Instant Top N Report / Latest 100 Raw Flows ..... 217
Figure 6.1-1 Mitigation / Hardware Mitigation / Hardware Mitigation Action Management Window ..... 218
Figure 6.1-2 Mitigation / Hardware Mitigation -- Add Hardware Mitigation Action Window ..... 219
Figure 6.1-3 Mitigation / Blackhole -- View Blackhole Mitigation Action Management Window ..... 220
Figure 6.2.1-1 Mitigation / Hardware Mitigation / Hardware Mitigation: Guard Management Window ..... 221
Figure 6.2.1-2 Mitigation / Hardware Mitigation -- Add Guard Mitigation Action Window ..... 221
Figure 6.2.1-3 Mitigation / Hardware Mitigation -- Hardware Mitigation Traffic Report ..... 223
Figure 6.2.1-4 Mitigation / Hardware Mitigation -- Hardware Mitigation Attack Report ..... 224
Figure 6.2.2-1 Mitigation / Hardware Mitigation / Eudemon Management Window ..... 225
Figure 6.2.2-2 Mitigation / Hardware Mitigation / Eudemon -- Add Eudemon Mitigation Window ..... 225
Introduction
This manual describes the traffic analysis functions of the GenieATM system. The following section outlines the structure of this manual to give users a summary of it.
Appendix (C) -- Installing SSL in GenieATM for Enabling Secure Web Access
This appendix describes how to install an SSL certificate on GenieATM so that the web interface can be reached over HTTPS.
2.1 System Overview
For a network operator, routine daily maintenance is burdensome enough; a sudden DoS/DDoS attack makes it worse, above all when the operator cannot find the cause of the unusual traffic. Real-time traffic reports that let a problem be resolved as it happens, rather than by analyzing historical traffic logs after the trouble has occurred, are therefore a great help. Precise traffic analysis is just as important for business decisions such as peering strategy and capacity planning, and its absence is an urgent issue for operators who want to improve network performance.
Most network management equipment today monitors only link status, up or down, and provides no scalability or performance reports on network traffic. Facility status alone is not enough for operators to solve problems without an analysis of network performance and quality. Most traffic analysis tools analyze only traffic volume and a few well-known applications; they cannot produce reports on packet and session counts or on all TCP/UDP ports, and they lack precise analysis of BGP information, which is what gives network managers the peering and transit traffic data they need for significant business decisions.
GenieATM series provides an intelligent Network Traffic Modeling that precisely classifies traffic flows and, together with the built-in reports, generates a wide range of related traffic statistics. The model understands the hierarchical network structure adopted by most xSPs, so it can analyze traffic appropriately, and with its accurate analysis reports network operators can monitor their networks easily and efficiently. GenieATM series also provides a traffic snapshot tool for instant flow analysis, which presents the current flow status of a specified network range as a TOP N report; by configuring analysis criteria, users can sieve specific traffic out of the whole for Top-N analysis. To allow more flexible analysis than Network Traffic Modeling, GenieATM also offers a rule-based Filter traffic analysis function: with user-defined Factor and Filter elements, users can locate traffic with great flexibility. In addition, the Anomaly Traffic Detection function effectively detects DoS/DDoS attacks, routing misconfigurations and endangered network devices and notifies operators in time, before these undermine network availability, performance and customer satisfaction.
GenieATM series adopts a distributed-deployment, centrally-managed architecture that collects flows from the widest possible scope of the network, simplifies system management and configuration, and cuts the user's TCO (Total Cost of Ownership). Collectors deployed on regional networks collect flows from the core switches/routers, analyze them, and deliver the results to the Controller for aggregation. Through the Controller, network operators manage the distributed Collectors, aggregate the analyzed traffic data, monitor the entire network and read the analysis reports.
GenieATM series includes a BGP module that monitors the BGP UPDATE messages of neighbor ASes. When the UPDATE statistics change abnormally, network operators can adjust their routing policy on the basis of this reliable information; the module can also detect BGP hijacks and issue alert notifications. For the security of the BGP sessions themselves, GenieATM supports the TCP MD5 Signature option (RFC 2385) between GenieATM and the BGP routers. Note that this option authenticates each TCP segment with a shared key, so an attacker who does not know the key cannot inject forged segments into the session or reset it; it does not encrypt the session, and the same key must be configured on both ends. Newer routers also offer TCP-AO (RFC 5925), which is the recommended replacement where both ends support it.
GenieATM series products, developed by GenieNRM Inc., are state-of-the-art flow analysis systems. They provide complete traffic statistics and analysis functions: 24-hour flow monitoring, warnings when traffic exceeds a threshold, anomaly and alert notifications, snapshot (instant) analysis with TOP N sorting, various traffic modeling analyses, rule-based Filter traffic analysis, BGP traffic analysis, common attribute analyses, online web reports for queries, and DB storage management. Network operators can use the traffic analysis reports and statistics to manage their network resources and plan their future network topology.
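The following Python script is an added example, not GenieATM or router code, showing what the TCP MD5 Signature option actually protects. It computes the RFC 2385 digest over a constructed BGP KEEPALIVE segment and then verifies it on the receiving side with the right key, a wrong key, a modified sequence number and no option at all. The addresses, ports, key and segment layout are constructed for illustration; a real stack sets the option through the kernel (for example the Linux TCP_MD5SIG socket option) rather than building segments by hand.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
MD5_OPTION_KIND = 19      # RFC 2385 option kind
MD5_OPTION_LEN = 18       # kind + length + 16-byte digest


def tcp_md5_digest(src_ip: str, dst_ip: str, tcp_header: bytes, payload: bytes, key: bytes) -> bytes:
    """RFC 2385 section 2.0: MD5 over (1) the pseudo-header, (2) the 20-byte TCP
    header with options excluded and the checksum field taken as zero, (3) the
    payload and (4) the shared key. `tcp_header` is the full header including
    options; its length contributes to the pseudo-header segment length."""
    seg_len = len(tcp_header) + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    fixed = tcp_header[:16] + b"\x00\x00" + tcp_header[18:20]   # checksum lives at bytes 16-17
    h = hashlib.md5()
    for part in (pseudo, fixed, payload, key):
        h.update(part)
    return h.digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, payload, key) -> bytes:
    """Build a TCP segment carrying NOP, NOP, MD5 option (2 + 18 = 20 option bytes,
    data offset 10). The checksum is left zero here; a real stack fills it in
    later, which is why the signature is computed with the checksum zeroed."""
    header_len = 20 + 2 + MD5_OPTION_LEN
    offset_flags = ((header_len // 4) << 12) | 0x18            # PSH|ACK
    base = struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, 65535, 0, 0)
    option_prefix = b"\x01\x01" + bytes([MD5_OPTION_KIND, MD5_OPTION_LEN])
    placeholder = base + option_prefix + bytes(16)             # digest bytes are not hashed
    digest = tcp_md5_digest(src_ip, dst_ip, placeholder, payload, key)
    return base + option_prefix + digest + payload


def verify_signed_segment(src_ip, dst_ip, segment: bytes, key: bytes) -> bool:
    """Receiver side: locate the MD5 option, recompute the digest and compare in
    constant time. A segment with no option on a signed connection is rejected,
    so a spoofed RST or injected UPDATE without the key never reaches BGP."""
    if len(segment) < 20:
        return False
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        return False
    header, payload = segment[:data_offset], segment[data_offset:]
    opts, i, received = header[20:], 0, None
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP
            i += 1
            continue
        if i + 1 >= len(opts):
            return False
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return False
        if kind == MD5_OPTION_KIND and length == MD5_OPTION_LEN:
            received = opts[i + 2:i + MD5_OPTION_LEN]
        i += length
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, header, payload, key)
    return hmac.compare_digest(received, expected)


# Constructed BGP KEEPALIVE: 16-byte marker of 0xff, length 19, type 4.
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)

if __name__ == "__main__":
    seg = build_signed_segment("192.0.2.1", "192.0.2.2", 179, 45000, 1000, 2000, KEEPALIVE, b"bgp-shared-key")
    print("good key:", verify_signed_segment("192.0.2.1", "192.0.2.2", seg, b"bgp-shared-key"))
    print("wrong key:", verify_signed_segment("192.0.2.1", "192.0.2.2", seg, b"guess"))
```

Two points the check makes visible: the digest covers the IP addresses, ports and sequence numbers, so a forged RST from a third party fails even if it guesses the sequence window; and because the option is mandatory once configured, a GenieATM session signed on one side only will never come up, which is the usual symptom of a key mismatch.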
2.2
This section describes the system screen and the various function keys to help users understand the system framework and basic operation. For optimal viewing, IE 6.0 or a higher browser with 800x600 (or 1024x768) screen resolution is recommended.
2.2.1 System Screen
The following section briefly describes the location and function of each element of the GenieATM screen. Please refer to Figure 3.2.1-1. The numbered elements are:
1. System Menu Tree
2. Action Buttons
3. Path
4. Sub Menu Tab
5. System Version
6. Logout Button
7. Help
8. Configuration View List
2. Action Buttons
Cancel: Stop the uncompleted settings and exit the management window.
Check: Check the information to see whether there is any difference.
Close: Close the window.
Delete: Delete an object.
Delete All: Delete all listed objects.
Dispatch Network Configuration and Save: Dispatch the current configuration in the Database to the Collectors and then save it as a DB configuration file.
Download: Copy a DB configuration file from the Controller to the local host.
Edit: Edit the content of an object.
Get Last Request Status: Get the detailed status of the last request.
Get Learning Status: Get the detailed status of the last or currently processing prefix auto-learning request.
Get Synchronizing Status: Get the detailed status of the last dispatch.
Go: Submit the query conditions.
Reset: Return to the original settings.
Restore and Dispatch: Restore a saved DB configuration file into the Database and then dispatch it to the Collectors.
Save: Save the configuration.
Start Prefix Learning: Start a prefix learning request.
Submit: Send the settings to the system.
Upload: Copy a configuration file from the local host to the system.
View: View the profile of an object.
View History: View the historical statuses of prefix auto-learning requests.
View Result: View the result of the last prefix auto-learning request.
7. Help
A glossary located under the Logout button that provides information to help users understand the operation of GenieATM.
2.2.2
The system is basically organized into two major parts, system management and report presentation. System management contains the functions User, Device, Network, Configuration, Mitigation, Preferences and Report Rebuild; report presentation contains the parts Internet, Neighbor, Backbone, Router, Interface, Sub-Network, Server, Rule-based Report, MSP Customer and Anomaly Activities. Apart from the MSP Customer and Anomaly Activities report menus, these are gathered under the Report main menu; the Anomaly Activities reports are kept separate because they focus on anomaly events. In addition, the Status, Snapshot and Mitigation functions report the summary statistics of detected anomalies, issued alerts and system profiling, provide powerful diagnostic and troubleshooting capabilities, and execute actions that stop or mitigate the impact of detected anomaly activities.
The following section outlines the configuration of each system function to help users configure the system quickly and easily.
Web-based Interface
The system offers easy-to-use web-based user interface.
Collector
All Collectors managed by the Controller are displayed here. Administrators have to configure each new Collector once it has been added to the system.
MSP Server
Allows users to define the MSP server that collects customers' traffic and provides a portal site where customers maintain their settings and browse the various traffic reports. This function appears only when the system supports the MSP module (a value-added function).
Flow Load Balancer
Flow Load Balancer devices receive the flows from the routers and forward them to multiple ATM Collectors according to the configured policy.
Note
Supported Flow Records
GenieATM collects NetFlow (V1, V5, V7, V9), NetStream and sFlow (V2, V4, V5) records from different flow exporters and performs statistics and analysis on them.
Network
GenieATM uses the definition of the Network Boundary to implement the concept of Network Cut and provides the built-in Network Modelings to analyze network traffic. Users need to configure some mandatory entities before the analysis can operate effectively.
Home Network
Users need to provide all address prefixes belonging to the Home network in CIDR format, together with the Home Network AS numbers. This function also allows users to define prefix-based network entities without traffic detection.
Dark IP
Users can define dark (unused) and non-dark IP address prefixes in CIDR format for Dark IP Detection. Traffic destined for dark address space is by definition unsolicited, so it is a strong indicator of scanning or infected hosts.
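As an added example (not GenieATM code), the following Python script shows the matching logic behind Dark IP Detection when both dark and non-dark prefixes are configured: each prefix is validated as CIDR, matching is longest-prefix-first so that a more specific non-dark entry carves live space out of a dark block (this precedence rule is an assumption, not taken from the manual), and the sources that touched dark space are reported as infected-host candidates. The prefix table and flow records are constructed.

```python
import ipaddress

# Constructed prefix table: (CIDR, is_dark). The /26 is a live carve-out inside the dark /24.
DARK_ENTRIES = [("203.0.113.0/24", True), ("203.0.113.128/26", False)]


def build_dark_table(entries):
    """Validate each CIDR (strict=True rejects host bits such as 203.0.113.5/24) and
    order the table most-specific-first for longest-prefix matching."""
    table = [(ipaddress.ip_network(cidr, strict=True), bool(dark)) for cidr, dark in entries]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def is_dark(address, table) -> bool:
    """Longest-prefix match; an address outside every entry is treated as non-dark."""
    ip = ipaddress.ip_address(address)
    for network, dark in table:
        if ip.version == network.version and ip in network:
            return dark
    return False


def dark_ip_talkers(flows, table):
    """Group flows whose destination is dark by source host. A source that probes
    many dark addresses is the 'infected host' the Dark IP reports list; the dark
    destinations are the 'victims'. Returns {src: sorted list of dark dsts}."""
    hits = {}
    for flow in flows:
        if is_dark(flow["dst"], table):
            hits.setdefault(flow["src"], set()).add(flow["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}


# Constructed flow records (source, destination) as a Collector would hand them over.
SAMPLE_FLOWS = [
    {"src": "198.51.100.7", "dst": "203.0.113.5"},     # dark
    {"src": "198.51.100.7", "dst": "203.0.113.9"},     # dark
    {"src": "198.51.100.7", "dst": "203.0.113.130"},   # inside the non-dark carve-out
    {"src": "198.51.100.9", "dst": "203.0.113.200"},   # dark
    {"src": "198.51.100.20", "dst": "203.0.113.140"},  # non-dark
    {"src": "198.51.100.20", "dst": "192.0.2.1"},      # not in the table at all
]

if __name__ == "__main__":
    print(dark_ip_talkers(SAMPLE_FLOWS, build_dark_table(DARK_ENTRIES)))
```

The strict CIDR check matters in practice: a prefix typed with host bits set would otherwise silently match a different block than the operator intended, turning live customer space into "dark" space and flooding the reports with false infections.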
Router
Users need to provide all related information about the routers and interfaces they want monitored, for traffic and hardware monitoring.
Internet Boundary
Users need to define their Internet boundary for traffic analysis between their networks and the Internet.
Backbone Links
Users need to register all their backbone links so that GenieATM can identify the backbone routers and the backbone boundary automatically.
Neighbor
Users need to provide all their neighbor ASes (AS: Autonomous System) for traffic analysis between their networks and the neighboring networks.
Sub-Network
Users should define sub-networks for traffic analysis of specific network entities. Such an entity could be a POP, a customer network or a server farm, and might be either inside (internal) or outside (external) the Home Network.
Server
Users can define server farms, each containing several servers, so that they can obtain a variety of reports on the server traffic.
MSP Customer
Users can define MSP customers and generate traffic reports for them. The MSP customers can then access the MSP server to manage system functions and view their traffic reports.
Filter
The system provides rule-based traffic analysis so that users can locate traffic themselves.
Application
Users can gather different services (protocol + port) that belong to one kind of network application into a group. The system uses the configured application groups to classify traffic for the Attribute Application reports.
Anomaly
The system provides default Protocol-Misuse and Application anomaly signatures that define the traffic characteristics of known anomalies. Users may modify the default Protocol-Misuse and Application anomaly signatures and may create new Application anomaly signatures. This menu also provides the latest definition of system anomaly signatures downloaded from the GenieATM definition update servers.
Template
Users can create templates for the baseline and boundary (including Sub-Network boundary and Server-farm boundary) that can be quickly applied to the configuration of network entities.
Configuration
The system offers configuration backup, restoration and dispatching for the settings of the Network menu.
Mitigation
This Mitigation sub-menu (under the Network menu) is where users configure the essential elements of the two supported mitigation methods (Hardware Mitigation and Blackhole). Certain required elements must be provided for each method before mitigation actions can be added.
Blackhole
Users configure the basic elements of the Blackhole mitigation method here; this must be done before adding Blackhole mitigation actions.
Device
Users configure the basic elements of the Hardware Mitigation method and manage the Guard devices and the Eudemon device here. Before adding Hardware Mitigation actions, users should make sure the related mitigation devices have been configured.
Preferences
Status
Users can set the refresh period of the Status page and the maximum number of most recent ongoing anomalies and alerts displayed.
Storage
Users can set how long analysis reports and logs are kept.
Report
Users can set the maximum number of entries displayed in the pre-defined TopN reports.
Notification
Users can configure the system alert and anomaly event notifications.
Name Mapping
Users can maintain the built-in name mappings: services, protocols, ASNs (Autonomous System Numbers), Areas, and IP to Area.
Group
Users can aggregate multiple resource entities into a group: user group, router group, sub-network group, server-farm group, neighbor group, filter group and MSP customer group.
Baseline History
The system keeps the historical results of the dynamic anomaly detection baseline builds of all existing Sub-Network, MSP Customer and Filter entities. Users may reset the historical traffic baseline values to exclude improper statistics manually.
Offline Report
Users can configure the schedule template that decides when offline reports are sent out, enable the generation of offline reports for Sub-Network entities, and delete offline reports that have been added.
Remote Update
Users can configure the definition update server of GenieATM from which the latest system anomaly signature definitions are downloaded.
Report Rebuild
The system provides a convenient function for rebuilding the rule-based Filter reports of a specific time period.
Status
Summary
The Summary function presents significant traffic statistics and information in these tabs. Global: Anomaly Statistics, Ongoing Anomalies and Most Recent Alerts. MSP Server: Anomaly Statistics and Ongoing Anomalies of MSP Servers. Anomaly: Summary Report. System: System Status and Cisco Guard Status. Resources: the number of configured resources and the maximum number the system supports. These data, which users are likely to need urgently, are gathered in one place so that the overall situation can be grasped at a glance. The refresh period of this page is set by Status Page Refresh Period in the Preferences/Status function; configurable values range from 1 minute to 10 minutes.
Anomaly Console
The system presents the variety of anomaly events detected, provides summary and detailed traffic characteristics of each, and can generate appropriate ACL (Access Control List) commands as suggestions for network operators. The generated ACL is a suggestion: review its scope before applying it to a production router, since an over-broad entry can block legitimate traffic as surely as the attack.
Log
Alert Log
When any significant status change or failure occurs, the system sends a notification to users according to the configuration and records every alert issued and recovered.
Mitigation Log
The system records the mitigation actions taken.
Login Log
The system records every user login to the system.
Report
Internet
The system provides various built-in reports for traffic analysis between the Internet and
Home Network.
Neighbor
The system provides various built-in reports for traffic analysis for Neighbor ASes
(Autonomous Systems).
Backbone
The system provides various built-in reports for Backbone traffic analysis.
Router
The system provides various built-in reports for the traffic analysis of each router configured
in the system.
Interface
The system provides various built-in reports for the traffic analysis of each interface on the
routers configured in the system.
Sub-Network
The system provides various built-in reports for traffic analysis within a sub-network itself,
between a sub-network and other sub-networks, and through each Neighbor AS to/from a
specific sub-network.
Server
The system provides the reports within Server farms, between a server farm to other server
farm, and through sub-networks, Neighbors and Areas.
Rule-based Report
The system provides traffic analysis reports for the rule-based Filters configured in the system, based on the users' definitions. There are two types of analysis reports for Filter traffic: Summary Report and TopN Report.
MSP Customer
Anomaly Console
Provides anomaly statistics and ongoing reports of MSP customers.
Report
Provides various traffic reports of MSP customers, including traffic report, boundary traffic report, top talker report, attribute report, topn report and so on.
Anomaly Activities
Dark IP
The system provides various built-in dark IP traffic analysis reports, such as overall dark IP
traffic, each infected host traffic, each victim host traffic, into/out of each interface traffic, and
into/out of each SUB-NETWORK entity.
Worm
The system provides various built-in application anomaly traffic analysis reports, such as
overall application anomaly traffic, each infected host traffic, into/out of each interface traffic,
and into/out of each SUB-NETWORK entity.
Snapshot
Users can define the analysis scope, analysis criteria, aggregation method and the N value for TOP N sorting. The system provides two kinds of data sources for the analysis, cache and rawdata files; the rawdata source allows a specific period in the past to be analyzed.
Analysis Scope
Users can specify a network entity configured in the system as the analysis scope of the inspected traffic.
Analysis Criteria
Users can narrow the range of analysis with criteria; flows outside the range are ignored during analysis.
Aggregation Method
Users can define up to three aggregation keys to generate the snapshot report. Selectable keys include source or destination IP address, source or destination protocol/port, application on source or destination, TCP flag, TOS value, protocol, input or output interface, router, and so on.
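The following Python script is an added example, not GenieATM code, that ties together three items described above: the NetFlow v5 records the Collectors receive (Supported Flow Records), the application groups built from protocol + port (Application), and the Top-N aggregation over up to three keys (Aggregation Method). It decodes a NetFlow v5 datagram constructed inline, classifies each flow into an assumed application group, and aggregates octets by the chosen keys. The application table, field names and sample flows are assumptions; the length and version checks show why an exporter's datagram must be validated before any field in it is trusted.

```python
import socket
import struct
from collections import Counter

# NetFlow v5 wire format: 24-byte header followed by `count` 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

# Assumed application groups (not GenieATM's built-in list): (protocol, port) -> group
APP_GROUPS = {(6, 80): "web", (6, 443): "web", (17, 53): "dns", (6, 25): "mail"}


def parse_netflow_v5(datagram: bytes) -> list:
    """Decode one NetFlow v5 export datagram into a list of flow dicts.

    Length and version are checked before any field is trusted, so a truncated
    or foreign datagram raises ValueError instead of yielding garbage flows."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than NetFlow v5 header")
    version, count = HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("datagram shorter than the record count claims")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, flags, proto, tos, src_as, dst_as,
         _smask, _dmask, _pad2) = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "in_if": in_if, "out_if": out_if, "pkts": pkts, "octets": octets,
            "sport": sport, "dport": dport, "proto": proto, "flags": flags,
            "tos": tos, "src_as": src_as, "dst_as": dst_as,
        })
    return flows


def application(flow: dict) -> str:
    """Map a flow to an application group. The server side normally holds the
    well-known port, so the destination port is tried before the source port."""
    for port in (flow["dport"], flow["sport"]):
        group = APP_GROUPS.get((flow["proto"], port))
        if group:
            return group
    return "other"


def top_n(flows: list, keys: list, n: int, metric: str = "octets") -> list:
    """Aggregate `metric` over up to three keys (e.g. ["dst", "app"]) and return
    the N largest buckets as [((key values...), total), ...]."""
    if not 1 <= len(keys) <= 3:
        raise ValueError("choose one to three aggregation keys")
    totals = Counter()
    for flow in flows:
        row = dict(flow, app=application(flow))   # derived key available for aggregation
        totals[tuple(row[k] for k in keys)] += row[metric]
    return totals.most_common(n)


def build_sample_datagram() -> bytes:
    """Constructed NetFlow v5 export with three flows (RFC 5737 documentation addresses)."""
    def rec(src, dst, proto, sport, dport, pkts, octets):
        return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), socket.inet_aton("0.0.0.0"),
                           1, 2, pkts, octets, 1000, 2000, sport, dport,
                           0, 0x18, proto, 0, 64500, 64501, 24, 24, 0)
    records = [rec("10.0.0.5", "192.0.2.10", 6, 40000, 80, 10, 1500),
               rec("10.0.0.6", "192.0.2.10", 6, 40001, 443, 20, 3000),
               rec("10.0.0.5", "192.0.2.53", 17, 5353, 53, 2, 200)]
    header = HEADER.pack(5, len(records), 123456, 1700000000, 0, 1, 0, 0, 0)
    return header + b"".join(records)


if __name__ == "__main__":
    sample = parse_netflow_v5(build_sample_datagram())
    for bucket, octets in top_n(sample, ["dst", "app"], 5):
        print(bucket, octets)
```

Flow export is plain UDP with no authentication, so the record-count check is the minimum a collector must do: a datagram whose header claims more records than it carries would otherwise be read past its end. Port-based classification is also only a heuristic, which is why the manual's Filter and anomaly signatures exist alongside the application groups.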
Detect the Distributed Denial of Service
The system analyzes traffic flows in real time. When an attack flood occurs, the system can accurately trace its source. Even when a router or switch fails under the attack, the system can still analyze the last flow records it exported to trace the source of the attack.
Mitigation
The Mitigation menu (on the Main Menu tree) provides the mitigation methods with which users execute mitigation actions to protect their network resources or filter anomalous traffic.
Blackhole
The system injects a narrowly scoped BGP announcement that steers the anomalous traffic to a pre-configured honeypot or blackhole device. Because everything destined for the announced prefix is diverted, legitimate traffic to that prefix is lost as well, so the announcement should cover only the attacked address range. Before adding any blackhole mitigation action, the required configuration must be completed in the System Admin / Mitigation / Blackhole function.
Hardware Mitigation
The system integrates with a traffic-cleaning device (such as Guard or Eudemon) that washes out the attack traffic and forwards the clean traffic back to its original destination. Before adding any hardware mitigation action, the required configuration must be completed in the System Admin / Mitigation / Device function.
2.3 System Login/Logout
The system uses web-based operation and configuration interfaces, so users configure all system functions and view the system reports from a browser. This section shows how to log in to and log out of the system.
2.3.1
1. Start the browser and enter the URL http://xxx.xxx.xxx.xxx/ or https://xxx.xxx.xxx.xxx/ to open the system login window (as presented in Figure 2.3.1-1).
Note
1. xxx.xxx.xxx.xxx is the IP address of the Controller.
2. Secure web access (https) to GenieATM is available only after it has been enabled in the CLI of the Controller. See Appendix (C), Installing SSL in Controller for Secure Web Access, for how to enable https. Until then, login credentials and session cookies travel in cleartext over http, so enable https before exposing the Controller beyond a trusted management network.
3. After https has been enabled, both https and http remain supported. If plain http is not wanted, restrict it at the network level (for example with an ACL in front of the Controller).
Note
The default username/password for logging in to this system is admin/admin. Change this password at the first login; a default administrative credential on a management system reachable over the network is the first thing an attacker tries.
2.3.2
Click on the Logout button at the top right corner of the window to log out of GenieATM (as presented in Figure 2.3.1-2).
3.1 User
The User menu allows users to manage local user accounts, to specify the privilege group for a
login account, to forcibly terminate the login session of online users, and to enable the remote
authentication function. GenieATM supports remote authentication for those user accounts not
registered in the GenieATM system. To avoid confusion, the user accounts registered in the
system are called local user accounts. After clicking the User menu on the Sub Menu tree of
System Admin at the left side of the screen, users enter the Local User Account window (the
default window) and see the sub-menu tabs Local User Account, Privilege Template, Online User,
and Remote Authentication above the screen (see Figure 3.1.1-1). The following sections (Local
User Account, Privilege Template, Online User, and Remote Authentication) introduce how to
manage local user accounts, how to specify the privilege template, how to terminate the login
session of an online user, and how to enable Radius-Server remote authentication.
Note
Only users with the administrator privilege can access all sub-functions of the User menu.
The Sub-Network user and the users defined by template (superuser and viewing-only user)
cannot access any of them.
3.1.1
Local User Account
Click on the User menu to enter the Local User Management window (as presented in Figure
3.1.1-1). Users can use the sorting symbols in the column headers to decide the sort order of
the view list; one sorts ascending and the other descending.
Figure 3.1.1-1 System Admin / User / Local User Account Management Window
To add a new local user account
Figure 3.1.1-2 System Admin / User / Local User Account -- Add Local User Account Window
1. Enter user information in all fields: (The asterisk "*" indicates a mandatory field.)
User ID: Account name used to log in to GenieATM. It is a mandatory field. All characters are
accepted except spaces and special characters. The number of characters must be between
2 and 40.
First Name: All characters are accepted except spaces and special characters. The number
of characters must be between 1 and 80.
Last Name: All characters are accepted except spaces and special characters. The number
of characters must be between 1 and 80.
Password: It is a mandatory field. The password is at least 4 and at most 40 characters, with
no spaces. Be aware that the password is case sensitive.
Confirm Password: Re-type the password and make sure it is exactly the same as the one
typed previously.
Phone: Please enter the contact phone number. Only numerical characters and the dash (-)
are accepted.
Email: It is a mandatory field. Please follow the format aaa@aaa.aaa with no spaces.
Privilege: The administrator may assign different authority to different user accounts with
the following types of roles. A Sub-Network entity must be specified if the Sub-Network user
role is assigned.
(I) administrator
Users have the highest authority and can use all system functions.
(II) Sub-Network user
An account with the sub-network privilege can only view the reports of the specified
sub-network, which can be selected from the drop-down list or with the Browse button.
In addition, administrators can define the authority of each sub-network account using
the Privilege Template.
(III) defined by template
Administrators can define the authority of the account using the Privilege Template, so
that it can operate part of the system's functions.
Note
The built-in account, admin (default password: admin), belongs to the default
privilege template, Administrator, which can operate all system functions.
Privilege template
If the Privilege type of the account is Sub-Network user or defined by template, a
privilege template should be assigned to that account. The system lists all defined
templates, including the system default privilege templates and user-defined ones, in the
drop-down list for users to select. In addition, users can define a new template by clicking
on the Define button, or by specifying it in the Privilege Template tab of the System
Admin/User function. For the configuration steps, please refer to the section Privilege
Template in the System Admin/User function.
Note
There are two default privilege templates, superuser and user for viewing only.
(a) superuser
Users can access most functions except some in the System Admin menu
(including: User, Controller, Collector, Flow Load Balancers, Mitigation and
Status, Storage, Report, Name Mapping and Remote Update of Preferences).
(b) user for viewing only
Users can only read the reports. They are not allowed to use the Mitigation and
System Admin functions.
Language: GenieATM offers the language options English, Traditional Chinese, Simplified
Chinese and Japanese. Users may choose the one they are proficient in as their system
language.
Status: There are two kinds of account status, Active and Inactive. This item can be the
Figure 3.1.1-3 System Admin / User / Local User Account -- Edit Local User Account Window
1. Click on the edit icon to modify the account information.
A page titled Edit Local User Account will be shown.
2. Modify the content or change the role.
For the input information of each field, please refer to the section To add a new local user
account. To change the password, just enter a new password in both the Password and
Confirm Password fields.
3. Click on the Submit button to complete the modification.
Figure 3.1.1-4 System Admin / User / Local User Account -- View Local User Account Window
1. Click on a local user ID to enter the View Local User Account window.
When you move the cursor over a user account listed in the User ID column, the pointed
username turns blue.
2. Users can also click on the View button in the Privilege row to view which functions are
enabled for this account (see Figure 3.1.1-5).
3. Click on the Back to List button to return to the User management window.
Note
If the status of a user account is Inactive, users will be unable to log in to the system with that
user ID. However, all information saved under this ID is still preserved in the system.
This information is removed from the system only when the Delete command is executed.
Figure 3.1.1-5 System Admin / User / Local User Account -- View Privilege Template of Local User
Account Window
3.1.2
Privilege Template
Users can add, edit, delete, or view a privilege template and specify the authorized system
functions for each privilege template. Click on the Privilege Template tab to enter the Privilege
Template window (as presented in Figure 3.1.2-1).
To add a new privilege template
Figure 3.1.2-2 System Admin / User / Privilege Template -- Add User Privilege Template Window
1. Enter privilege template information in all fields: (The asterisk "*" indicates a mandatory field.)
Name: Input a name for the Privilege Template.
Coverage: Select the coverage, whole network or sub-network, for the privilege template.
Note
When the role is set as sub-network user, only the Anomaly Console, Sub-network Reports,
Snapshot functions and Profile Management can be assigned in the Authority.
Remarks: Enter additional information for the Privilege Template. At most 64 characters are
allowed.
Authority: Check the system functions that this role is allowed to execute. Click on the expand
symbol to extend the function tree and select sub-functions (as presented in Figure 3.1.2-2).
2. Click on the Submit button to complete the configuration.
Figure 3.1.2-3 System Admin / User / Privilege Template -- Edit User Privilege Template Window
1. Click on the edit icon to modify the privilege template information.
A page titled Edit User Privilege Template will be shown (as presented in Figure 3.1.2-3).
2. Modify the name or change the authorization of the system functions.
For the input information of each field and the setup steps, please refer to the section To add a
new privilege template.
3. Click on the Submit button to complete the modification.
Note
The user accounts assigned to this privilege template are listed in the Applied table below.
Figure 3.1.2-4 System Admin / User / Privilege template -- View User Privilege Template Window
1. Click on a privilege template No. or name to enter the View User Privilege Template window.
When you move the cursor over a name listed in the ID or Name column, the pointed entry
turns blue.
2. Click on the Back to List button to return to the User Privilege Template window.
3.1.3
Online User
Click on the Online User tab to enter the Online User management window (see Figure 3.1.3-1).
With this function, users can view all online users at once and terminate their login sessions.
By default, online users are listed in descending order of login time. Users can also sort the
online users by user ID or logout IP, ascending or descending, by clicking on the sorting
symbols.
3.1.4
Remote Authentication
So far, GenieATM only supports remote authentication against a Radius server. Users logging
on to the Web UI via Radius authentication may be assigned the administrator, Sub-Network
user, or defined by template authority without a user group. Once a remote user has
successfully logged on to the system via Radius authentication, some attributes are carried
with this user, such as Privilege, Language, and Sub-Network ID (if the assigned privilege is
Sub-Network user). For the detailed configuration of the Radius server, please refer to
Appendix (E) Dictionary of IETF Radius Client Attributes Supported by GenieATM. Click on the
Remote Authentication tab to enter the Remote Authentication management window (see
Figure 3.1.4-1).
Figure 3.1.4-2 System Admin / User / Remote Authentication / Edit Remote Authentication Window (Radius Server)
3.2
Device
The sub menus under the Device menu appear when users click on the unfolding mark of Device.
These sub menus include Controller, Collector, MSP Server, and Flow Load Balancers. The
Device menu mainly provides configuration interfaces for device attributes. Please refer to the
following sections for detailed information.
Note
1. Only users assigned the privilege template administrator can access the Device menu.
2. The MSP Server tab will not show when the system does not support the MSP module
(value-added service).
3.2.1
Controller
The Controller menu mainly provides information about the Controller. After clicking on the
Controller menu on the Sub Menu tree of System Admin/Device at the left side of the screen, a
page titled Controller Management shows detailed information about the Controller (see Figure
3.2.1-1). Users can manually edit the Controller's name, community string, and remark
information. The CLI configuration information displayed is retrieved via SNMP from the SNMP
agent of the Controller.
3.2.2
Collector
The Collector menu allows users to manage the Collectors under the system. After clicking on the
Collector menu on the sub menu tree of System Admin/Device at the left side of the screen, the
Collector Management window is presented and displays all the Collectors controlled by the
Controller (as presented in Figure 3.2.2-1).
The latest configured Collector is displayed in the first row of the list. The message next to the
Add button shows the last version of the dispatched Network configuration, which makes it
convenient to compare with the current version of each Collector.
Note
Only users assigned the privilege template administrator can access the Collector menu.
There is a built-in Collector in the Controller, called Collector1. It is displayed in the last row
of the view list.
To add a new Collector
1. Enter Collector information in all fields: (The asterisk "*" indicates a mandatory field.)
Collector Name: The Collector name defined here is for easy identification of multiple
Collectors controlled under the same Controller. You can give the new Collector a meaningful
name. Only the default name of the First Collector (the one built into the Controller) is
Collector1; others are Collector. The number of characters must be between 1 and 40. All
characters are accepted except spaces and special characters (!@#$%^&<>?...).
SNMP IP Address: The IP address of the SNMP agent from which the Collector's information is
obtained. Every Collector has its own built-in SNMP agent, so please enter the IP address set
up at the Collector. The input format is xxx.xxx.xxx.xxx.
Note
Only the First Collector (the one built into the Controller) has a default SNMP IP address,
127.0.0.1, which is the IP address of the local host itself, here the Controller. Other newly
added Collectors do not have a default SNMP IP address.
Read Community String: The password used to connect to the Collector. The default value is
genie. If you have changed the community string in the CLI, please enter the same string here.
Please note that retrieving the Collector's information will fail if the read-only community string
you provide is not correct. The number of characters must be between 1 and 40.
SNMP Version: The current SNMP version.
CLI Configuration: The information about the Collector retrieved via SNMP, including Collector
ID, Model Number, Admin Status, Operation Status, and Configuration Version. Click on the
SNMP WALK >> button to get the current information of the Collector. All the latest
configuration is first displayed in the SNMPWALK Information block area on the right side;
users have to click on the << Update button to write the displayed configuration into the
Controller.
Remarks: Enter additional information for the Collector. At most 400 characters are allowed.
To edit a Collector
Users can modify the Collector's name, update the community string, refresh the Collector's
information, and edit the remark information. Click on the Edit button to enter the Edit Collector
window (see Figure 3.2.2-3).
(Please refer to the previous To add a new Collector section for the following steps of your
modification. The asterisk "*" indicates a mandatory field.)
1. Enter a new Collector Name if desired.
2. Enter the Collector IP address if it has changed.
3. Enter the read-only community string that you configured in the CLI.
If you have changed the community string, please re-type the same string here.
4. Get the current CLI information by clicking on the SNMP WALK >> button.
If the Configuration Version displayed is not the same as the latest dispatched configuration
version, you can synchronize it by clicking on the Synchronize Network Configuration button.
5. Enter additional information in the Remarks field if necessary.
6. Click on the Submit button to complete the modification.
To delete a Collector
Users can delete any Collector from the system except the First Collector built into the Controller.
1. Click on the delete icon.
A Delete page with the detailed configuration will be shown. Note that if the Collector you are
deleting is applied to any configurations, the system will not allow you to delete it and the
Submit button will be unavailable. You have to move the applied configurations to another
Collector before you delete this Collector.
2. Click on the Submit button to remove the Collector from the system.
3.2.3
MSP Server
The MSP Server menu allows users to manage the MSP servers (GenieATM 6110 devices) under the
system. After clicking on the MSP Server menu on the Sub Menu tree of System Admin/Device at
the left side of the screen, the MSP Server Management window is presented and all the MSP
Servers controlled by the Controller are displayed (see Figure 3.2.3-1). The MSP Server can
generate customer reports and provides a portal site for end users to view their own reports.
Note
This function will not show when the system does not support the MSP module (value-added
service).
Figure 3.2.3-1 System Admin/Device/MSP Server -- the MSP Collector Management window
Figure 3.2.3-2 System Admin/Device/MSP Server Add New MSP Collector window
3.2.4
Flow Load Balancers
The major functions of a Flow Load Balancer (FLB) are to receive flows from the routers and forward
them to multiple ATM Collectors according to the configured policy. The Flow Load Balancers menu
allows users to manage the Flow Load Balancer devices. After clicking on the Flow Load Balancers
menu on the sub menu tree of System Admin/Device at the left side of the screen, the Flow Load
Balancers management window displays all configured Flow Load Balancers (as presented in
Figure 3.2.4-1). The latest configured Flow Load Balancer is displayed in the first row of the list.
Figure 3.2.4-2 System Admin / Flow Load Balancers / Add Flow Load Balancers Window
To add a flow load balancer
Provide the information in all fields: (The asterisk "*" indicates a mandatory field.)
Name: The name defined here is for easy identification of the Flow Load Balancers controlled
under the same Controller. You can give the Flow Load Balancer a meaningful name. The number
of characters must be between 2 and 64. All characters are accepted except spaces and special
characters (!@#$%^&<>?...).
SNMP IP Address: Input the IP address of the SNMP agent from which the Flow Load Balancer's
information is obtained. Every Flow Load Balancer has its own built-in SNMP agent, so please
enter the IP address set up for the Flow Load Balancer. The input format is xxx.xxx.xxx.xxx.
Read Community String: The password used to connect to the Flow Load Balancer. The default
value is genie. If you have changed the community string in the CLI, please enter the same string
here. Please note that retrieving the Flow Load Balancer's information will fail if the read-only
community string you provide is not correct. The number of characters must be between 2 and 32.
SNMP Version: Select the SNMP version from the drop-down list.
CLI Configuration: The information about the Flow Load Balancer retrieved via SNMP, including
ID, Model Number, Admin Status, Operation Status, and Configuration Version. Click on the
SNMP WALK >> button to get the current information of the Flow Load Balancer. All the latest
configuration is first displayed in the SNMPWALK Information block area on the right side; users
have to click on the << Update button to write the displayed configuration into the Controller.
Note
The advanced configuration fields, Flow Dispatching and Collector BGP Configuration, appear
after the SNMP information of the Flow Load Balancer has been shown by clicking on the
SNMP WALK >> button. Please refer to the following description for details.
Flow Dispatching: This setting lets users specify the load balance policy applied to the selected
collectors. The available collectors are listed in the Collector table.
Load Balance Policy: There are three types of Load Balance Policy to choose from: Round-Robin,
Model-based Round-Robin and Weighted Round-Robin. The factory default is Model-based
Round-Robin. When Round-Robin is specified, the weights of the selected collectors are equal.
For Model-based Round-Robin, the weight assigned by GenieATM is according to the model
number of the GenieATM Collector, as listed in the following table:
Model   Flows/s
6105    10K f/s
6123    20K f/s
6125    30K f/s
6133    20K f/s
6135    30K f/s
6165    50K f/s
6167    70K f/s
6169    90K f/s
6323    20K f/s
6325    30K f/s
6333    20K f/s
6335    30K f/s
6365    50K f/s
6367    70K f/s
6369    90K f/s
Note
The system automatically relays traffic to the other FLB devices when one of the FLB devices is
down.
Collector: Click on the check box in the Assigned row before a listed collector to add that
collector to the Load Balance Policy. If the load balance policy is set to Weighted Round-Robin,
users have to specify the percentage of flows dispatched to each collector.
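The three Load Balance Policy options and the model-based weights, worked through as an added example that is not code from GenieATM or this manual. The collector names, the interleaved dispatch order, and the rule that Weighted Round-Robin percentages must sum to 100 are assumptions of the example; the model capacities are the ones in the table above.

```python
"""Flow Load Balancer dispatching policies (added example, not GenieATM code).

Shows how Round-Robin, Model-based Round-Robin and Weighted Round-Robin turn
into per-collector weights and how flow records are then spread across the
assigned collectors.
"""
from functools import reduce
from math import gcd
from typing import Dict, Iterator, Optional

# Rated flows per second per GenieATM Collector model (values from the table above).
MODEL_FLOWS_PER_SEC: Dict[str, int] = {
    "6105": 10_000, "6123": 20_000, "6125": 30_000,
    "6133": 20_000, "6135": 30_000,
    "6165": 50_000, "6167": 70_000, "6169": 90_000,
    "6323": 20_000, "6325": 30_000,
    "6333": 20_000, "6335": 30_000,
    "6365": 50_000, "6367": 70_000, "6369": 90_000,
}


def _reduce(values: Dict[str, int]) -> Dict[str, int]:
    """Divide every value by the common GCD to get the smallest integer weights."""
    g = reduce(gcd, values.values())
    return {name: v // g for name, v in values.items()}


def policy_weights(policy: str, collectors: Dict[str, str],
                   percentages: Optional[Dict[str, int]] = None) -> Dict[str, int]:
    """Integer weight per assigned collector for the selected Load Balance Policy.

    collectors: collector name -> model number (the collectors ticked in the
    Assigned row).  percentages: collector name -> percent of flows, required
    for "weighted"; that they must sum to 100 is an assumption of this example.
    """
    if not collectors:
        raise ValueError("at least one collector must be assigned")
    if policy == "round-robin":
        return {name: 1 for name in collectors}          # equal weights
    if policy == "model-based":                         # factory default
        return _reduce({name: MODEL_FLOWS_PER_SEC[model]
                        for name, model in collectors.items()})
    if policy == "weighted":
        if percentages is None or set(percentages) != set(collectors):
            raise ValueError("a percentage is required for every assigned collector")
        if sum(percentages.values()) != 100:
            raise ValueError("percentages must sum to 100")
        return _reduce(dict(percentages))
    raise ValueError(f"unknown policy {policy!r}")


def dispatch(weights: Dict[str, int]) -> Iterator[str]:
    """Yield the collector that receives each successive flow record.

    Smooth weighted round-robin (assumed scheme): each collector accumulates its
    weight every turn, the largest accumulator is chosen and reduced by the
    total weight. Over any 'total' consecutive flows every collector receives
    exactly its weight, and the choices are interleaved rather than bursty.
    """
    total = sum(weights.values())
    current = {name: 0 for name in weights}
    while True:
        for name, w in weights.items():
            current[name] += w
        best = max(current, key=current.get)            # ties: first in list order
        current[best] -= total
        yield best


def simulate(policy: str, collectors: Dict[str, str], n_flows: int,
             percentages: Optional[Dict[str, int]] = None) -> Dict[str, int]:
    """Count how many of n_flows each collector receives under the policy."""
    counts = {name: 0 for name in collectors}
    picker = dispatch(policy_weights(policy, collectors, percentages))
    for _ in range(n_flows):
        counts[next(picker)] += 1
    return counts


if __name__ == "__main__":
    # Three collectors of different models assigned to one FLB (constructed names).
    assigned = {"collector-a": "6105", "collector-b": "6125", "collector-c": "6169"}
    print("Round-Robin", simulate("round-robin", assigned, 1300))
    print("Model-based Round-Robin", simulate("model-based", assigned, 1300))
    print("Weighted Round-Robin",
          simulate("weighted", assigned, 1000,
                   {"collector-a": 50, "collector-b": 30, "collector-c": 20}))
```

With model-based weights a 6169 (90K f/s) collector takes nine flows for every one sent to a 6105 (10K f/s), which is what keeps the smaller model from being overrun.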
Collector BGP Configuration: Select whether to set up the BGP connection for the FLB. The factory
default is disabled. This parameter lets users select the FLB BGP Module as the reference for the
parameter Use BGP Table of Another Router in the BGP Lookup configuration of the System
Admin/Router/Router function. If users set it to enabled, the following parameters have to be
defined.
BGP MD5 Secret: Enter the string. The number of characters must be between 0 and 40.
Remote AS Number: Enter the AS number of the BGP router with which the FLB's BGP module
establishes the BGP connection.
Local AS Number: Enter the AS number of the FLB used to establish the BGP connection with
the BGP router.
Figure 3.2.4-3 System Admin / Flow Load Balancers / Edit Flow Load Balancers Window
(Please refer to the previous To add a flow load balancer section for the following steps of your
modification. The asterisk "*" indicates a mandatory field.)
1. Provide new information in the fields you want to modify.
2. Click on the Submit button to complete the modification.
Figure 3.2.4-4 System Admin / Flow Load Balancers / View Flow Load Balancers Window
1.
2. Click on the Back to List button to return to the Flow Load Balancer management window.
3.3
Network
A series of sub menus under the Network menu appears when users click on the unfolding mark of
Network. These sub menus include Home Network, Dark IP, Router, Internet Boundary,
Backbone Links, Neighbor, Sub-Network, Server, MSP Customer, Filter, Application,
Anomaly, and Template. The Network menu mainly provides configuration interfaces for network
attributes, so that users can build their own network traffic modeling and anomaly detection
environment. Through this Network menu, users can also establish user-defined traffic analysis
reports that meet needs not covered by the pre-defined network modeling reports.
Note
Only users with the authority of administrator, or the privilege template superuser, can access
the Network menu.
3.3.1
Home Network
The Home Network menu provides two main configuration functions. One is to define the Home
Network area and the other is to define router-based anomaly traffic detection prefix scopes.
After clicking on the Home Network menu on the Sub Menu tree of System Admin/Network at
the left side of the screen, the Home Network management window (the default window) is
shown. Users can see the sub-menu tabs Home Network and ATD White List above the screen
(see Figure 3.3.1-1).
Figure 3.3.1-1 System Admin / Network / Home Network / Home Network Management Window
3.3.1.1
Home Network
The Home Network sub-menu tab is used to specify the local network area by IP address prefixes
and AS numbers. All network areas directly controlled by users belong to the local network area,
namely the Home Network. After clicking on the Home Network menu on the Sub Menu tree of
Network at the left side of the screen, a page titled Home Network is shown (see Figure 3.3.1-1
above). Specifying all IP addresses and AS numbers of the Home Network is an essential
procedure.
Figure 3.3.1-2 System Admin / Network / Home Network / Home Network Edit Local IP Address Window
Figure 3.3.1-3 System Admin / Network / Home Network / Home Network Edit Local AS Number Window
3.3.1.2
ATD White List
All IP prefixes/addresses specified in the white list will not be ignored when the system performs
Protocol-Misuse and Application Anomalies anomaly detection. Click on the ATD White List
sub-menu tab to enter the management window (see Figure 3.3.1-4).
Figure 3.3.1-4 System Admin / Network / Home Network / ATD White List Management Window
Figure 3.3.1-5 System Admin / Network / Home Network Edit ATD White List Window
3.3.2
Dark IP
The Dark IP menu allows users to specify dark IP addresses and non-dark IP addresses. As long as
an IP address matches any entered IP address defined as dark IP or non-dark IP, the system
considers it a dark IP or non-dark IP accordingly. The matching logic used is longest match. Once
any dark IP is detected, it is counted toward threshold violation checking. After clicking on the
Dark IP menu on the Sub Menu tree of System Admin/Network at the left side of the screen, a
page titled Dark IP is shown (see Figure 3.3.2-1).
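The longest-match logic of the dark IP and non-dark IP lists, as an added example that is not part of this manual. The prefixes, the addresses and the violation threshold used here are constructed for the illustration.

```python
"""Dark IP / non-dark IP classification by longest prefix match (added example).

An address is looked up against both lists; the most specific matching prefix
decides whether it is dark or non-dark, so a non-dark /16 can be carved out of
a dark /8 and a dark /24 can be carved out of that /16 again.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class DarkIPTable:
    """Entries are (network, is_dark); lookup returns the most specific match."""

    def __init__(self) -> None:
        self._entries: List[Tuple[Network, bool]] = []

    def add(self, prefix: str, dark: bool) -> None:
        net = ipaddress.ip_network(prefix, strict=False)
        self._entries.append((net, dark))
        # Longest (most specific) prefixes first, so the first hit wins the lookup.
        self._entries.sort(key=lambda e: e[0].prefixlen, reverse=True)

    def classify(self, address: str) -> Optional[bool]:
        """True = dark IP, False = non-dark IP, None = matches no entry."""
        ip = ipaddress.ip_address(address)
        for net, dark in self._entries:
            if ip.version == net.version and ip in net:
                return dark
        return None


def count_dark(table: DarkIPTable, addresses: Iterable[str]) -> int:
    """Number of addresses that resolve to a dark IP; each such detection is
    what the system accounts toward threshold violation checking."""
    return sum(1 for a in addresses if table.classify(a) is True)


def threshold_violated(table: DarkIPTable, addresses: Iterable[str],
                       threshold: int) -> bool:
    """True when the dark-IP hits reach the (constructed) violation threshold."""
    return count_dark(table, addresses) >= threshold


def build_sample_table() -> DarkIPTable:
    """Constructed example: a dark /8 with an allocated /16 carved out of it,
    and one still-unused /24 inside that /16 that is dark again."""
    t = DarkIPTable()
    t.add("10.0.0.0/8", dark=True)
    t.add("10.1.0.0/16", dark=False)
    t.add("10.1.2.0/24", dark=True)
    t.add("192.0.2.0/24", dark=True)
    return t


if __name__ == "__main__":
    table = build_sample_table()
    # Constructed destination addresses seen in flow records.
    seen = ["10.1.2.5", "10.1.5.5", "10.9.9.9", "172.16.0.1", "192.0.2.7"]
    for addr in seen:
        print(addr, {True: "dark", False: "non-dark", None: "no entry"}[table.classify(addr)])
    print("dark hits:", count_dark(table, seen),
          "violation:", threshold_violated(table, seen, threshold=3))
```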
Figure 3.3.2-2 System Admin / Network / Dark IP -- Edit Dark IP & Non-Dark IP Addresses Window
3.3.3
Router
The Router menu allows users to add routers to the system for monitoring. This function provides
the configuration parameters of the router and of the interfaces on the router. Users can add both
routers and interfaces to the system configuration. In addition, the Recomm. to Add/Edit
sub-menu tab lets users add/edit interfaces that are unspecified/updated, and the Recomm. to
Remove sub-menu tab lists interfaces that the system recommends users delete.
After clicking on the Router menu on the Sub Menu tree of System Admin/Network at the left
side of the screen, the Router management window (the default window) is shown. Users can
see the sub-menu tabs Router, Interface, Recomm. to Add/Edit and Recomm. to Remove above
the screen (see Figure 3.3.3-1).
3.3.3.1
Router
Once you click on the Router menu, you directly enter the Router management window. The
latest added router is displayed in the first row of the list. The following sections introduce how
to add, edit, and delete a router, and how to view the profile of a router.
To add a router
Click on the Add button at the top of the Router view list to enter the Add Router window (see
Figure 3.3.3-2).
Figure 3.3.3-2 System Admin / Network / Router / Router -- Add Router Window
1. Provide router information in the following fields: (The asterisk "*" indicates a mandatory
field.)
Basic Information
Name: Give this router a name (for identification purposes only). The number of characters
must be between 2 and 40. All characters are accepted except spaces and special characters
(!@#$%^&<>?...).
SNMP IP Address: The IP address of the SNMP agent from which the router's information is
obtained. Please enter the IP address set up at the router. The input format is xxx.xxx.xxx.xxx.
Read Community String: The password used to connect to the router. Enter the router's SNMP
read community string. Please note that retrieving the router's information will fail if the
read-only community string you provide is not correct. The number of characters must be
between 1 and 40.
SNMP Version: Select the SNMP version used to contact the router. Note that this item is
available only if the SNMP IP address and its community string are provided. After you select
the version, click on the SNMP WALK >> button to get the current router information. The
results of the SNMP query are displayed in a yellow block at the upper-right side of the screen,
including the router's system description, name, contact, location, and total memory. You have
to manually enter a correct value for the total memory (in megabytes) if there is no query result.
Time Out of SNMP Polling: Select a time from the drop-down list. Users are allowed to manually
configure the waiting time for each SNMP polling request. The available selections are 3, 4, 5,
... up to 15 (seconds) and the default value is 5 seconds.
Retries of SNMP Polling: Select a setting from the drop-down list. Users can also configure how
many times SNMP polling is retried. Once the collector does not get an SNMP polling response
from the router within the configured timeout, the system sends the SNMP polling request
again. The available selections are 1, 2, and 3 (times) and the default value is 2 times.
Anomaly Traffic Detection: Select Enabled or Disabled from the drop-down list. The factory
default is Enabled.
Rawdata: Select Enabled or Disabled from the drop-down list. The factory default is Enabled,
which allows the system to store the raw data.
SNMP Polling (CPU, Memory):
SNMP Polling (CPU, Memory): Select Disabled or Enabled from the drop-down list to disable or
enable monitoring of the device's CPU and memory usage. This item is available only if the
SNMP IP address and its community string are provided and correct.
CPU SNMP OID: Input the SNMP OID of the device's CPU. Be sure the entered OID really is the
device's CPU OID, because the system does not check that the contents of the OID are CPU
information. If users do not input a value, the system uses the factory default OID to get the
information. After inputting the OID, users can click on the Check button to verify that the
SNMP connection is successful. If
NetFlow/SFlow Information
Flow Exporter IP Address: Enter the IP address of the flow exporter from which flow data is
collected. The input format is xxx.xxx.xxx.xxx. If the IP address is incorrect, the Collector will be
unable to collect flow data.
Flow Receiving Port Number: Enter the port number to which flow data is exported. The value
is between 1025 and 65534. The port number must be the same as the one set up at the flow
exporter. We strongly recommend that you give each configured router a different port number
for receiving traffic flows.
Sampling Rate: Specify how your sampling rate is defined. The system provides two types of
sampling rate, dynamic and fixed. A dynamic sampling rate uses the sampling rate carried inside
the received flow records and changes over time. A fixed sampling rate uses a constant sampling
rate specified by users. Choose the dynamic sampling rate by clicking on the Adopt the Sampling
Rate carried in flows radio button, or the fixed sampling rate by clicking on the Adopt the
Sampling Rate Defined Manually radio button. If you choose the fixed sampling rate, please enter
a number between 1 and 32768 in the blank. For example, if you want to take one packet out of
ten, enter 10. If the value you enter is 1, the packet sampling function is disabled.
Age-out Time (V9): Enter an age-out time if the flow type is NetFlow V9. Its unit is seconds and
the available value is 0 or from 30 to 1800.
Flow Relay:
Flow Relay IP Address: Enter the IP address of the flow collector to which flow data will be
relayed. The input format is xxx.xxx.xxx.xxx.
Flow Relay Port Number: Enter the port number to which flow data will be relayed. The value
is between 1 and 65534.
Flow Relay Sampling Rate: Enter the sampling rate. The value is between 1 and 1024. The
factory default is 1. For example, if you want to take one out of fifteen, enter 15. If the value
you enter is 1, the packet sampling function is disabled.
Note
Netflow v9 Templates are not guaranteed to be relayed.
Collector/FLB
Collector/FLB: Select the Collectors IP address, MSP Server or FLB device from the
drop-down list, which displays all Collectors, MSP Servers and FLB devices under control of
the Controller. The Collector you selected will collect NetFlow records from the router you
are configuring.
Note
The selected entries, MSP-xxx, will not show when the system does not support the MSP
module (value-added service).
BGP Lookup: Choose whether to activate the BGP lookup service. If you do not want to
use this service, click on the Disabled radio button. Note that no AS path information will then
be generated in the report. If the router you are configuring is not a BGP router but you want
to analyze its BGP information, click on the Enabled radio button and provide the following
information.
NetFlow ASN: Select from the drop-down list how the ASN information in the NetFlow records
is treated. There are three options: Overwritten by BGP module lookup means all ASN
information in the NetFlow records will be replaced by the result of the BGP lookup; Keep
them as Peer ASN means the ASN information in the NetFlow records is kept and treated as the
Peer ASN; Keep them as Origin ASN means the ASN information in the NetFlow records is kept
and treated as the Origin ASN.
Use BGP Table of Another Router: Select a router from the drop-down list. The
drop-down list shows the routers configured under the same Collector that also have the BGP
lookup service activated. Once this option is used, BGP hijack detection and BGP update
message monitoring won't be available.
Connect to BGP Router IP Address: Enter the IP address of the BGP router with which the
Collector's BGP module will create a BGP peering session. Use this function if you want to look
up BGP information from an external BGP router. Provide the following information:
BGP MD5 Secret: Enter the MD5 secret string used to authenticate the BGP session. The
number of input characters must be between 0 and 40; an empty value leaves the peering
session without MD5 authentication.
Remote AS Number: Enter the AS number of the BGP router with which the Collector's
BGP module will establish the BGP connection.
2009 Genie Network Resource Management Inc. All Rights Reserved.
Local AS Number: Enter the AS number of the Collector, which the Collector's BGP
module will use to establish the BGP connection.
BGP Hijack Detection: Click on the Disabled or Enabled radio button to turn BGP
hijack detection off or on. (Default is Disabled.)
BGP Update Message Monitoring: Select a threshold template from the drop-down list
for monitoring BGP update messages. All router threshold templates configured in the
Template/Baseline function of the Network menu are shown here. (Default is Disabled.)
2. Click on Submit button to complete the configuration.
To edit a router
Click on the edit icon to enter the Edit Router window. (See Figure 3.3.3-3)
Figure 3.3.3-3 System Admin / Network / Router / Router -- Edit Router Window
(Please refer to the previous To add a router section for the following steps of your
modification. The asterisk "*" indicates a mandatory field.)
1. Provide new information in the fields that you want to modify.
2. Click on Submit button to complete the modification.
To delete a router
1. Click on the delete icon.
A Delete page with the detailed configuration will be shown. The system will remind you that all
configurations using this router will be affected if the router is deleted.
2. Click on Submit button to remove the router from the system.
To view a router
Figure 3.3.3-4 System Admin / Network / Router / Router -- View Router Window
1. Click on an ID/Name to enter the View Router window.
When you move the cursor over an ID/Name listed in the ID/Router Name column, the
pointed ID/Name turns blue. The Applied block shows the Filters to which the viewed router is
applied.
2. Click on Back to List button to return to the Router Management window.
3.3.3.2 Interfaces
Click on Interface sub-menu tab to enter the Interface management window. (See Figure 3.3.3-5)
Two drop-down lists are presented below the sub-menu tabs. One is the Router
Group drop-down list, from which you can choose a router group (if any router groups are
configured in the Preferences/Group function of System Admin); the other is the Router
drop-down list, which displays all routers that belong to the selected Router Group. A
message about the currently selected router is presented at the top of the view list. The most
recently added interface is displayed in the first row of the list. The following sections
introduce how to add, edit, and delete an interface. (Note that "interface" here means a router
interface.)
To add an interface
GenieATM monitors and collects link-layer traffic statistics from the interfaces added here. Users
can add an interface manually or through an SNMP query that retrieves the interface information
from the router. After selecting the router, users can start either of the adding procedures below.
Adding via SNMP discovery
When users click on the Discover via SNMP button, a Router Interface Discovery with SNMP window
pops up and the system triggers an SNMP walk to retrieve the interface inventory table from the
router (See Figure 3.3.3-6). Interfaces with a red check mark have already been added to the
Web UI Management System.
1. Select a preferred interface by checking its check box.
A green check mark appears once you check the check box.
2. Enter a new name for the interface if you wish.
After you check the check box, the Interface Name field becomes available. The number of
input characters must be between 1 and 64. All characters are accepted except space and
special characters (!@#$%^&<>?...). The default Interface Name depends on the SNMP version
supported by the router. If the router supports V1, Interface Name will be the Router Name
plus the SNMP walk ifDescr. If the router supports V2c, Interface Name will be the SNMP walk
ifAlias; however, if the ifAlias value is empty, the system uses the Router Name plus the
SNMP walk ifDescr as the Interface Name instead.
3. Select a baseline template for the monitored SNMP traffic.
All interface baseline templates configured in the Template/Baseline function of the
Network menu are shown here. The system issues alert logs once the SNMP traffic violates
the specified baseline template. If you select no baseline template for the SNMP polling, no
alert logs are issued.
Note
The SNMP Polling function is enabled by factory default; users can change its status to
disabled.
Figure 3.3.3-6 System Admin / Network / Router / Interface -- Interface Discovery with SNMP Window
Adding manually
If the SNMP query fails or the SNMP community string is not available, users can add an
interface manually. When users click on the Add button, the Add Interface window pops up. (See Figure
3.3.3-7) Under the title, the router to which the interface belongs is indicated, including its name
and IP address.
Figure 3.3.3-7 System Admin / Network / Router / Interface -- Add Interface Window
1. Provide the information in the following fields: (The asterisk "*" indicates a mandatory
field.)
Interface Name: Give a name for this interface. The number of input characters must be
between 1 and 64. All characters are accepted except space and special characters
(!@#$%^&<>?...).
ifIndex: Enter the interface index. Use the actual value from the router.
ifDescr: Enter the description of this interface. The number of input characters must be
between 1 and 256.
ifAlias: Enter the alias name of the interface.
ifSpeed: Enter the interface speed. The unit is bps (bits per second). Use the actual
configuration of the router.
ifType: Enter the interface type. Value 6 represents ethernet and 22 represents serial.
Use the actual configuration of the router.
Flow ifIndex: Enter the flow interface index carried in the flow packets.
Instead of entering the above information manually one by one, you can also use the
SNMP WALK >> button (available once a value for ifIndex has been entered) to retrieve the
interface information configured in the router automatically, and then click on the << Update
button (available after the interface information has been retrieved) to update ifIndex, ifDescr,
ifSpeed, ifType and Flow ifIndex at once.
SNMP Monitor
SNMP Polling: Select Enabled or Disabled from the SNMP Polling drop-down list.
(Default is Disabled.) If you enable this function, you can specify a baseline
template from the Baseline Template drop-down list below. If the SNMP polling function is
disabled here, there will be no SNMP traffic statistics in the Interface detail report.
Baseline Template: Specify a baseline template from the Baseline Template drop-down
list if you enabled SNMP polling. The SNMP monitor provides traffic and
performance monitoring for interfaces. All interface baseline templates configured in the
Template/Baseline function of the Network menu are shown here. The system issues alert
logs once the SNMP traffic violates the specified baseline template. If you select no baseline
template for the SNMP polling, no alert logs are issued.
Flow Aggregation
Flow Aggregation: Select Enabled or Disabled from the drop-down list.
Common Attribute Report: Click on the check boxes to generate your preferred common
attribute reports for this interface. The selectable reports include Application, Protocol,
Protocol+Port, TOS, Packet Size, and Top Talker.
2. Click on Submit button to complete the configuration.
If you want to add more than one router interface manually, add them one by one. To
close the Add Router Interface window, click on the Cancel button.
To edit an interface
Click on the edit icon; the Edit Interface window pops up. (See Figure 3.3.3-8)
Figure 3.3.3-8 System Admin / Network / Router / Interface -- Edit Router Interface Window
(Please refer to the previous To add an interface section for the following steps of your
modification. The asterisk "*" indicates a mandatory field.)
1. Provide new information in the fields that you want to modify.
2. Click on Submit button to complete the modification.
To delete an interface
1. Click on the delete icon.
A Delete page with the detailed configuration will be shown. The system will remind you that all
configurations using this interface will be affected if the interface is deleted.
Note
To remove multiple interfaces at once, check the check boxes of the interfaces and then
click on the Delete button.
2. Click on Submit button to remove the interface from the system.
To view an interface
Figure 3.3.3-9 System Admin / Network / Router / Interface -- View Interface Window
1. Click on an ID/Name to enter the View Interface window.
When you move the cursor over an ID/Name listed in the ID/Interface Name column, the
pointed ID/Name turns blue.
2. Click on Back to List button to return to the Router management window.
3.3.3.3 Recomm. to Add/Edit
Click on Recomm. to Add/Edit sub-menu tab to enter the Interface Add/Edit Recommendation
window. (See Figure 3.3.3-10) Below the sub-menu tabs is a Router drop-down list from which
users can choose a router. In addition, the Searching function, consisting of a drop-down list
and a text box, is used to find a specific interface.
The interface recommendation view list shows the interfaces that the system recommends
adding or updating. When the system receives a flow but cannot find its corresponding interface
in the configuration, the interface is listed here as recommended to add. In addition, if the
value of a recommended interface is the same as that of another interface in the configuration, it
is marked red as recommended to update. This may occur when users add a new interface slot
between the running interfaces.
Note
The system needs a period of time to check and update the interface information.
3.3.3.4 Recomm. to Remove
Click on Recomm. to Remove sub-menu tab to enter the Interface Remove Recommendation
window. (See Figure 3.3.3-11) Below the sub-menu tabs is a Router drop-down list for users to
choose a router. In addition, the search function, consisting of the Searching drop-down list
(which lists the interface types) and a text box, is used to find a specific interface.
This list shows the interfaces that the system recommends removing: interfaces through which no
flows have passed for a long time.
3.3.4 Internet Boundary
Internet Boundary menu allows users to define the Internet/Neighbor boundary of their
networks. The Neighbor boundary shares the boundary defined here, since it is actually
part of the Internet boundary. The Internet boundary consists of one or more
boundary links (external interfaces). To prevent flow traffic from being double
counted, two types of boundary are provided for users to define their
Internet/Neighbor boundary: Segment Cut and Circular Cut. These two boundary cuts
calculate flow traffic in different ways. Therefore, users should specify which boundary type
they are going to use before they start to define the Internet/Neighbor boundary. The following
sections introduce how to specify the boundary type and how to define the boundary links of the
Internet boundary.
Note
Once the Internet boundary is built, it becomes a default boundary template that can be
reused for sub-network boundaries. However, this boundary template is not displayed
in the Boundary Template configuration view list.
After clicking on Internet Boundary menu displayed on the Sub Menu tree of System Admin/
Network at the left side of the screen, a page with the Internet Boundary title will be shown. (See
Figure 3.3.4-1)
Figure 3.3.4-2 System Admin / Network / Internet Boundary -- Change Boundary Type Window (with
Segment Cut Illustration)
If Circular Cut (See Figure 3.3.4-3) is selected, not only the border routers but also the routers
(border routers or aggregation routers) on the circular cut need to export flow packets to
GenieATM. However, only the interfaces on the circular cut need to export flow packets to
GenieATM.
The default type is Segment Cut.
Figure 3.3.4-3 System Admin / Network / Internet Boundary -- Change Boundary Type Window (with
Circular Cut Illustration)
2. Click on Submit button to complete the modification.
Figure 3.3.4-4 System Admin / Network / Internet Boundary -- Add Internet Boundary Window
1. Select a router group from the Router Group drop-down list.
All router groups configured in the Group/Router function of Preferences will be shown in this
drop-down list. (Default is All Routers)
Figure 3.3.4-5 System Admin / Network / Internet Boundary -- Edit Internet Boundary Window
(Please refer to the previous To add a boundary link section for the following steps of your
modification. The asterisk "*" indicates a mandatory field.)
1. Provide new information in the fields that you want to modify.
2. Click on the Enable or Disable radio button to choose whether the Neighbor AS number of
the flow traffic is replaced. The factory default is Disable.
Enable means you decide the Neighbor ASN of the flow traffic for this interface
yourself; Disable means the system decides it according to the routing
information and flow data (Default is Disable). If you enable this function, you have
to provide the further information below. Usually, you choose Enable because only one neighbor
is connected to this interface and you know exactly whose network the traffic comes from.
ASN: enter the AS number of this connected neighbor.
Force Rule: select whether the interface connects to your neighbor or to your home network by
clicking on the radio button. If Interface Connect to Neighbor is selected (the ingress flow packets
on the interface should be exported to GenieATM), the Peer ASN of the Source IP address of the
input flow traffic is replaced by the ASN you provided above. Conversely, if Interface
Connect to Home is selected (the egress flow packets on the interface should be exported
to GenieATM), the Peer ASN of the Source IP address of the output flow traffic is replaced
by the ASN you provided above.
3.3.5 Backbone Links
Backbone Links menu allows users to register the backbone links of their network. A
backbone link is an interface used to connect two backbone routers. Once users register the
backbone links here, the backbone routers and the backbone boundary can be automatically
identified by GenieATM. GenieATM uses that information for Backbone traffic
analysis.
After clicking on Backbone Links menu displayed on the Sub Menu tree of System Admin/
Network at the left side of the screen, a page with the Backbone Links title will be shown (See
Figure 3.3.5-1). The following sections will introduce how to add and delete a backbone link.
Figure 3.3.5-2 System Admin / Network / Backbone Links -- Add Backbone Links Window
1. Select a router group from the Router Group drop-down list.
All router groups configured in the Group/Router function of Preferences will be shown in this
drop-down list. (Default is All Routers)
2. Select a router from the Router drop-down list.
After you select a router group, all routers that belong to the selected router group are
shown in this Router drop-down list. The list changes according to the router group you
selected.
3. Select an interface from the Interface drop-down list.
This works like the router selection above. The list changes according to the router you selected:
all interfaces that belong to the selected router are shown in this Interface drop-down list.
Note
Once a link (interface) is defined as a backbone link, it is marked as a backbone interface.
You can see this information in the Backbone column of the Interface view list. (Please
see Figure 3.4.3-5 and refer to the Configuring Interfaces section.)
4. Click on Submit button to complete the configuration.
3.3.6 Neighbor
Neighbor menu allows users to configure neighbor ASes (Autonomous Systems) in the system.
To analyze the traffic between their network and their neighboring networks, users have to
add all of their neighbor ASes to the system manually. (The Neighbor boundary is the
same as the Internet boundary, so users do not need to define it here.)
After clicking on Neighbor menu displayed on the Sub Menu tree of System Admin/Network at
the left side of the screen, a page with the Neighbor Management title will be shown (See Figure
3.3.6-1). The following sections will introduce how to add, edit, delete, and view a neighbor.
To add a neighbor
Click on Add button at the top of the Neighbor view list to enter the Add Neighbor window.
(See Figure 3.3.6-2) It is allowed to add up to 128 neighbor ASes to the system.
To edit a neighbor
Click on the edit icon to enter the Edit Neighbor window. (See Figure 3.3.6-3)
To delete a neighbor
1. Click on the delete icon.
A Delete page with the detailed configuration will be shown. Note that if the neighbor you are
deleting is applied in any configuration, the system will not allow you to delete it and the
Submit button will be unavailable. You have to change the applied configurations to
another neighbor before you delete this neighbor.
2. Click on Submit button to remove the neighbor from the system.
3.3.7 Sub-Network
Sub-Network menu allows users to define their sub-networks. A sub-network can be a part
of the network inside or outside the user's network, identified by IP address (CIDR), AS number, AS path
regular expression, BGP community string, interface (Prefixes Daily Learned) or Private Network.
Users should define all their sub-networks in the system, so that they can obtain a variety of reports
on Sub-Network traffic. The definition of a sub-network includes two main parts: the
sub-network area and the boundary.
After clicking on Sub-Network menu displayed on the Sub Menu tree of System
Admin/Network at the left side of the screen, a page with the Sub-Network Management title
will be shown (See Figure 3.3.7-1). The IP Space column is presented as a list box that
allows users to read the data by moving the scroll bar. If the sub-network entity uses a created
sub-network boundary template as its boundary, the Boundary Links column displays a
hyperlink to the used boundary template, which users can follow to view its details. The
following sections introduce how to add, edit, delete, and view a sub-network.
Note
1. A searching function is provided. It is located next to the Add button and above the view
list. Users can use several searching filters (ID, Name/Remarks, IP Space) to quickly find
a specific sub-network among many listed sub-networks. Select a type of searching
filter in the Searching drop-down list, input a keyword in the text box, and then click on the
Go button.
2. Page-control buttons are next to the Go button.
|< button: to go to the first page.
<< button: to go to the previous page.
>> button: to go to the next page.
>| button: to go to the last page.
The Page drop-down list: to go to a specific page selected from the drop-down list. The
numerator represents the page you are going to list and the denominator represents the
total pages.
3. Entries/Page drop-down list: to control the number of entries displayed per page of the
view list. There are six options to select: 12, 25, 50, 100, 150, and 250. The number 25
with an asterisk means the default value.
To add a sub-network
Click on Add button at the top of the Sub-Network view list to enter the Add Sub-Network
window. (See Figure 3.3.7-2) It is allowed to add up to 600 sub-networks to the system.
Figure 3.3.7-2 System Admin / Network / Sub-Network -- Add Sub-Network Window (Defined by
CIDR)
1. Enter the name of the sub-network in the Name field.
This name must be unique among the sub-networks in the system. The number of input
characters must be between 2 and 40. All characters are accepted except space and special
characters (!@#$%^&<>?...).
2. Select CIDR, AS Number, AS Path Regular Expression, BGP Community String, Interface (Prefixes
Daily Learned) or Private Network from the Defined By drop-down list for the sub-network area.
The default type is CIDR. If you select the AS Number/AS Path Regular Expression/BGP
Community String/Interface/Private Network type, the screen switches to another
window for configuring the AS number/AS path/BGP community string/Interface (Prefixes Daily
Learned)/Private Network. (See Figure 3.3.7-3 / Figure 3.3.7-4 / Figure 3.3.7-5 / Figure 3.3.7-6 / Figure 3.3.7-7)
Figure 3.3.7-3 System Admin / Network / Sub-Network -- Add Sub-Network Window (Defined by AS
Number)
Figure 3.3.7-4 System Admin / Network / Sub-Network -- Add Sub-Network Window (Defined by AS
Path Regular Expression)
Figure 3.3.7-5 System Admin / Network / Sub-Network -- Add Sub-Network Window (Defined by BGP
Community String)
Figure 3.3.7-6 System Admin / Network / Sub-Network -- Add Sub-Network Window (Defined by
Interface)
Figure 3.3.7-7 System Admin / Network / Sub-Network -- Add Sub-Network Window (Defined by
Private Network)
3. Enter all IP addresses to define the sub-network with IP prefixes (CIDR) or IP ranges in the
CIDR text box if you selected the CIDR type in Step 2.
You can enter either IP prefixes or IP ranges with a permit or deny keyword. If you do not
specify a permit or deny keyword, the IP prefix or range is treated as Permit. The
sequence does matter and works like an ACL. You can enter one IP address prefix per line
(use the Enter key to create new lines) or separate multiple prefixes with commas. The
maximum number of prefixes is 200.
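The following Python example is added here and is not part of GenieATM or of this manual; it shows how an ordered permit/deny list in the syntax described above can be evaluated for a given address, assuming (as with an ACL) that the first matching entry decides and that an address matching no entry is outside the sub-network. The text box contents are constructed sample data.

```python
import ipaddress

# Limit stated in this section of the manual.
MAX_PREFIXES = 200

# Constructed sample of a CIDR text box: entries separated by new lines or commas,
# each an IP prefix or an IP range, optionally preceded by "permit" or "deny".
SAMPLE_CIDR_TEXT = """\
deny 10.1.5.0/24
permit 10.1.0.0/16, 192.168.10.1-192.168.10.100
172.16.0.0/12
"""


def parse_cidr_rules(text):
    """Turn the text box contents into an ordered list of (action, networks).

    Order is preserved because the list works like an ACL: the first entry
    that matches an address decides whether it is permitted or denied.
    """
    rules = []
    for raw in text.replace(",", "\n").splitlines():
        entry = raw.strip()
        if not entry:
            continue
        parts = entry.split()
        action = "permit"                      # keyword omitted -> Permit
        if parts[0].lower() in ("permit", "deny"):
            action = parts.pop(0).lower()
        if len(parts) != 1:
            raise ValueError(f"malformed entry: {entry!r}")
        spec = parts[0]
        if "-" in spec:                        # IP range "first-last"
            first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
            networks = list(ipaddress.summarize_address_range(first, last))
        else:                                  # IP prefix in CIDR notation
            networks = [ipaddress.ip_network(spec, strict=False)]
        rules.append((action, networks))
    if len(rules) > MAX_PREFIXES:
        raise ValueError(f"at most {MAX_PREFIXES} prefixes are allowed, got {len(rules)}")
    return rules


def in_sub_network(rules, ip):
    """Evaluate the rules in sequence; an address matching no entry is outside."""
    addr = ipaddress.ip_address(ip)
    for action, networks in rules:
        if any(addr in net for net in networks):
            return action == "permit"
    return False
```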
Enter all AS numbers to define the sub-network in the AS Number text box if you selected the
AS Number type in Step 2.
Duplicates are not allowed. Both single AS numbers and consecutive ranges are
accepted. You can enter up to 40 AS number elements (separated by commas, each
between 1 and 65535) in a sub-network entity.
Enter the AS path to define the sub-network in the AS Path Regular Expression text box if you
selected the AS Path Regular Expression type in Step 2.
You can define the sub-network with one AS path regular expression. An AS path regular
expression selects BGP routes by their list of AS numbers (one or
more concatenated AS numbers). Three types of tokens are supported by the system: the digital
token, the * token, and the [] token; a space character is needed between every AS number
and */[] token.
A * token represents zero or more AS numbers, e.g. 32 * 123 means any AS path
with Peer ASN 32 and Origin ASN 123;
A [] token represents a union of all the AS numbers inside the brackets.
If the AS number at the specified position of the AS path equals any AS number in
the union, the token is considered matched, e.g. [13 439 302] * means any AS path
with Peer ASN 13, 439 or 302.
The total length of the AS path regular expression string can be up to 200 characters.
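The following Python example is added here and is not part of GenieATM or of this manual; it implements a matcher for the three token types described above, taking the Peer ASN as the first AS in the path and the Origin ASN as the last, as in the manual's own examples. The AS paths it is run against are constructed sample data.

```python
import re

# Limit stated in this section of the manual.
MAX_EXPR_LENGTH = 200

# The three token types: "[...]" union token, "*" token, digital token.
TOKEN_RE = re.compile(r"\[[^\]]*\]|\*|\d+")
# The whole expression must consist of those tokens separated by spaces.
VALID_EXPR_RE = re.compile(r"\s*(?:(?:\[[^\]]*\]|\*|\d+)\s*)*")


def tokenize_as_path_regex(expr):
    """Split an expression into ("asn", n), ("any", None) and ("union", set) tokens."""
    if len(expr) > MAX_EXPR_LENGTH:
        raise ValueError(f"expression longer than {MAX_EXPR_LENGTH} characters")
    if not VALID_EXPR_RE.fullmatch(expr):
        raise ValueError(f"unsupported token in {expr!r}")
    tokens = []
    for tok in TOKEN_RE.findall(expr):
        if tok == "*":
            tokens.append(("any", None))       # zero or more AS numbers
        elif tok.startswith("["):
            tokens.append(("union", frozenset(int(a) for a in tok[1:-1].split())))
        else:
            tokens.append(("asn", int(tok)))   # exactly this AS number
    return tokens


def match_as_path(expr, as_path):
    """Return True if the whole AS path (ints, peer first, origin last) matches expr."""
    tokens = tokenize_as_path_regex(expr)

    def match(ti, pi):
        if ti == len(tokens):
            return pi == len(as_path)          # expression and path must end together
        kind, value = tokens[ti]
        if kind == "any":
            # let "*" absorb zero, one, ... up to all remaining AS numbers
            return any(match(ti + 1, k) for k in range(pi, len(as_path) + 1))
        if pi == len(as_path):
            return False
        asn = as_path[pi]
        matched = asn == value if kind == "asn" else asn in value
        return matched and match(ti + 1, pi + 1)

    return match(0, 0)


def peer_and_origin(as_path):
    """Peer ASN is the first AS in the path, Origin ASN the last (manual's examples)."""
    return as_path[0], as_path[-1]
```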
Enter the BGP community to define the sub-network in the BGP Community String text box if
you selected the BGP Community String type in Step 2.
You can define the sub-network with up to 12 BGP communities with wildcards. A BGP
community string consists of two token sets separated by a colon (:), written
together without any space or tab in between. A token set includes 5 digits from 0 to 9,
and three types of tokens are supported: the digital token, the ? token, and the [] token.
A ? token represents one digit with any value from 0 to 9, e.g. 21829:1290? means
from 21829:12900 to 21829:12909;
A [] token represents a container that can hold up to 10 digits. If a digit matches any
digit inside the token, the token is matched, e.g. 23910:391[0 2]4 means 23910:39104
and 23910:39124.
Leading 0 digits can be omitted if they do not affect the value; for example, 00023:12802 can be
replaced by 23:12802. The total length of a BGP community-with-wildcard string is up to 120
characters.
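The following Python example is added here and is not part of GenieATM or of this manual; it compiles a community string with ? and [] wildcards into per-digit sets of allowed values and matches a route's communities against it, handling the omitted leading zeros described above. The limits of 12 communities and 120 characters are taken from this section; the community values are constructed.

```python
import re

# Limits stated in this section of the manual.
MAX_COMMUNITIES = 12
MAX_PATTERN_LENGTH = 120

# The three token types inside one token set: "[...]" token, "?" token, digital token.
TOKEN_RE = re.compile(r"\[[0-9 ]*\]|\?|[0-9]")


def expand_token_set(text):
    """Turn one side of a community pattern into five sets of allowed digits.

    Leading zeros may be omitted in the pattern ("23" means "00023"), so the
    token positions are right-aligned and padded with literal zeros.
    """
    tokens = TOKEN_RE.findall(text)
    if "".join(tokens) != text or not 1 <= len(tokens) <= 5:
        raise ValueError(f"invalid token set {text!r}")
    positions = []
    for tok in tokens:
        if tok == "?":
            positions.append(frozenset("0123456789"))             # any one digit
        elif tok.startswith("["):
            positions.append(frozenset(tok[1:-1].replace(" ", "")))  # any listed digit
        else:
            positions.append(frozenset(tok))                      # exactly this digit
    return [frozenset("0")] * (5 - len(positions)) + positions


def compile_community_pattern(pattern):
    """Parse "AAAAA:BBBBB" with wildcards into ten per-digit allowed sets."""
    if len(pattern) > MAX_PATTERN_LENGTH or pattern.count(":") != 1:
        raise ValueError(f"invalid community pattern {pattern!r}")
    high, low = pattern.split(":")
    return expand_token_set(high) + expand_token_set(low)


def community_digits(community):
    """Normalise a route's community "AS:value" to ten zero-padded digits."""
    high, low = (int(part) for part in community.split(":"))
    if not (0 <= high <= 65535 and 0 <= low <= 65535):
        raise ValueError(f"community {community!r} out of range")
    return f"{high:05d}{low:05d}"


def matches_community(pattern, community):
    """True if every digit of the community is allowed at its position by the pattern."""
    allowed_sets = compile_community_pattern(pattern)
    return all(d in allowed for d, allowed in zip(community_digits(community), allowed_sets))


def route_in_sub_network(patterns, route_communities):
    """A route belongs to the sub-network if any of its communities matches any pattern."""
    if len(patterns) > MAX_COMMUNITIES:
        raise ValueError(f"at most {MAX_COMMUNITIES} communities are allowed")
    return any(matches_community(p, c) for p in patterns for c in route_communities)
```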
Add interfaces (which connect to your sub-network) to define the sub-network in the
Interface text box if you selected the Interface type in Step 2.
The interfaces you select here form a border that is used to learn prefixes automatically for
the defined sub-network. Once you use auto-learning interfaces to define your
sub-network, you do not need to define a sub-network boundary in the next step.
With the previous four defining methods ("CIDR", "AS Number", "AS Path Regular
Expression", "BGP Community String") you must manually specify both the IP Spaces and the
Boundary Cut of a sub-network entity, whereas the "Interface" and "Private Network" defining
methods merge these two elements. Therefore, with the "Interface" and "Private
Network" defining methods, you only need to specify the Boundary Cut manually and
the system then learns the IP Spaces automatically. There are some differences when
using auto-learning interfaces to define the Boundary Cut. Firstly, you can select
the interface that is connected to the backbone, rather than the sub-network, as the border. In this
way, you can simplify the configuration when many interfaces connect to the
sub-network and few to the backbone. Secondly, the flow traffic calculation is always
two-way, so you do not have to specify the traffic direction for interfaces. After clicking on the
Edit button next to the Interface text box, the Edit Sub-Network Learning Interface
window pops up (See Figure 3.3.7-8). Please follow the steps below to configure
your sub-network auto-learning interfaces.
Figure 3.3.7-8 System Admin / Network / Sub-Network -- Edit Sub-Network Learning Interface
Window
61
Note
If users add an interface via the Browse button step, they have
to specify the traffic direction (step (4) below) before clicking on the Add button
(below the list table). When users click on the Add button (below the list table), the
selected interface is added to the Learning Interface text box, and users can skip
steps (4) and (5).
After adding all desired interfaces, click on Submit button to complete the
configuration.
Add a Private Network (which connects to your sub-network) to define the sub-network in the
Interface text box if you selected Private Network in Step 2.
The Private Network defining method is the same as the Interface method; please refer
to the steps above to set up the sub-network by defining a Private Network.
4. Define the boundary of the sub-network.
You can use an existing boundary template as the sub-network boundary or manually define
a new one right away by clicking on the corresponding radio button. Skip this step if you used
auto-learning interfaces to define your sub-network in the previous step.
If you use an existing boundary template, select a template from the Use Boundary
Template drop-down list. Both the templates defined in the Template/Sub-Network
Boundary function of Network and the Internet boundary are shown here.
If you want to define a new one, click on the Edit button (selectable after
clicking on the Defined radio button) to start the configuration. The Edit
Sub-Network Boundary window pops up. (See Figure 3.3.7-9) After selecting the router group,
router, and interface from each drop-down list, and specifying the traffic direction, click on the
Add button to add the link (one by one) to the Sub-Network Boundary text box. Alternatively,
users can add an interface by clicking on the Browse button; an interface list table is shown
for selection. After you finish adding links, click on the Submit button and the links you
added form the boundary of this sub-network.
Note
1. Traffic Directions:
Input: the flow is included for traffic counting if the interface ifIndex appears in the
Input Interface field of the flow record.
Output: the flow is included for traffic counting if the interface ifIndex appears in the
Output Interface field of the flow record.
Both: the flow is included for traffic counting if the interface ifIndex appears in the
Input Interface or Output Interface field of the flow record.
2. If users add an interface via the Browse button step, they have to
specify the Traffic Direction before clicking on the Add button (below the list table) to
add the selected interface to the Learning Interface text box.
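The following Python example is added here and is not part of GenieATM or of this manual; it applies the three traffic-direction rules above to a set of constructed flow records. It assumes that boundary links are keyed by router name and ifIndex, that each flow record carries its exporting router together with the Input Interface and Output Interface fields, and that a flow matching on both fields is counted once, on the input side.

```python
from collections import Counter

# Constructed boundary definition: (router, ifIndex, direction) as added one by one in
# the Edit Sub-Network Boundary window. Directions are the manual's Input/Output/Both.
BOUNDARY_LINKS = [
    ("core-r1", 3, "Input"),
    ("core-r1", 7, "Both"),
    ("edge-r2", 12, "Output"),
]

# Constructed flow records; "router" names the exporter (assumed field), input_if and
# output_if stand for the Input Interface and Output Interface fields of the record.
SAMPLE_FLOWS = [
    {"router": "core-r1", "input_if": 3, "output_if": 5, "bytes": 1000},   # Input link on input
    {"router": "core-r1", "input_if": 5, "output_if": 3, "bytes": 2000},   # Input-only link on output: not counted
    {"router": "core-r1", "input_if": 5, "output_if": 7, "bytes": 300},    # Both link on output
    {"router": "edge-r2", "input_if": 12, "output_if": 1, "bytes": 4000},  # Output-only link on input: not counted
    {"router": "edge-r2", "input_if": 1, "output_if": 12, "bytes": 500},   # Output link on output
    {"router": "core-r1", "input_if": 7, "output_if": 3, "bytes": 50},     # matches both fields: counted once
    {"router": "edge-r2", "input_if": 2, "output_if": 1, "bytes": 9999},   # not on the boundary at all
]


def build_boundary(links):
    """Index the boundary links by (router, ifIndex) for lookups per flow record."""
    boundary = {}
    for router, ifindex, direction in links:
        if direction not in ("Input", "Output", "Both"):
            raise ValueError(f"unknown traffic direction {direction!r}")
        boundary[(router, ifindex)] = direction
    return boundary


def classify_flow(boundary, flow):
    """Return "input", "output" or None according to the traffic-direction rules."""
    direction_in = boundary.get((flow["router"], flow["input_if"]))
    if direction_in in ("Input", "Both"):
        return "input"                       # ifIndex appears in the Input Interface field
    direction_out = boundary.get((flow["router"], flow["output_if"]))
    if direction_out in ("Output", "Both"):
        return "output"                      # ifIndex appears in the Output Interface field
    return None                              # flow does not cross a boundary link


def count_boundary_traffic(boundary, flows):
    """Sum the bytes of flows crossing the boundary, each record counted at most once."""
    totals = Counter()
    for flow in flows:
        side = classify_flow(boundary, flow)
        if side is not None:
            totals[side] += flow["bytes"]
            totals["flows"] += 1
    return totals
```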
Figure 3.3.7-9 System Admin / Network / Sub-Network -- Edit Sub-Network Boundary Window
5. Set the parameters for generating Report data.
Select the reports that you want to generate by checking the check boxes. There are two types
of reports for selection. One is the Advanced Traffic Analysis report, including the Breakdown
Report and Top Talker report; the other is the Common Attribute Report, including the
Application, Protocol, Protocol+Port, TOS, and Packet Size reports. By default, all
common attribute reports are Enabled except the TOS report.
6. Set the Offline Report Scheduler
This function defines whether the sub-network provides the offline report function for the users
whose privilege belongs to this sub-network, so that they can set their own offline reports. Select Enabled from
the drop-down list to enable the Offline report function for the sub-network; otherwise
keep the default value, Disabled. The default setting is Disabled.
Note
1. If this function is enabled for the sub-network, the user whose privilege is specified to
this sub-network can set all types of offline reports in the Report/Sub-network function.
For how to set the offline report, please refer to the Report/Sub-Network section.
2. The language of the received offline reports can be specified under Global in the
System Admin/Preference/Offline Report function.
To edit a sub-network
Click on the edit icon to enter the Edit Sub-Network window. (See Figure 3.3.7-10)
To delete a sub-network
1. Click on the delete icon.
A Delete page with the detailed configuration will be shown. Note that if the sub-network you are
deleting is applied in any configuration, the system will not allow you to delete it and the
Submit button will be unavailable. You have to change the applied configurations to
another sub-network before you delete this sub-network.
2. Click on Submit button to remove the sub-network from the system.
3.3.8 Server
Server menu allows users to define server farms, each of which includes several servers. Users can
define their server farms in the system, so that they can obtain a variety of reports on
server traffic.
After clicking on Server menu displayed on the Sub Menu tree of System Admin/Network at
the left side of the screen, the Server-farm Management window will be shown. (See Figure
3.3.8-1)
Note
1. A searching function is provided. It is located next to the Add button and above the view
list. Users can use several searching filters (ID, Name/Remarks, IP Space) to quickly find
a specific Server-farm among many listed server entries. Select a type of searching
filter in the Searching drop-down list, input a keyword in the text box, and then click on the
Go button.
2. Page-control buttons are next to the Go button.
|< button: to go to the first page.
<< button: to go to the previous page.
>> button: to go to the next page.
>| button: to go to the last page.
The Page drop-down list: to go to a specific page selected from the drop-down list. The
numerator represents the page you are going to list and the denominator represents the
total pages.
3. Entries/Page drop-down list: to control the number of entries displayed per page of the
view list. There are six options to select: 12, 25, 50, 100, 150, and 250. The number 25
with an asterisk means the default value.
To add a server-farm
Click on the Add button at the top of the Server view list to enter the Add Server-farm
management window (See Figure 3.3.8-2). Check the resource limit for server-farm
entries in the Status/Summary/Resources function.
Protocol/Port: select a protocol/port from the drop-down list and define the port number(s).
You can enter a port range (consecutive port numbers) at one time: enter the first number
of the range in the front field and the last number of the range in the back field. To add a
single port number, select Port Number and enter the number in the text box.
ICMP: the system allows you to further set the message type and code for the various ICMP
services. You have to enter the message type and code if ICMP is selected.
Traffic Directions:
Input: the flow is included in traffic counting if the interface ifIndex appears in the
Input Interface field of the flow record.
Output: the flow is included in traffic counting if the interface ifIndex appears in the
Output Interface field of the flow record.
Both: the flow is included in traffic counting if the interface ifIndex appears in the
Input Interface or Output Interface field of the flow record.
If users add the interface via the Browse step, they must specify the Traffic Direction before
clicking on the Add button (below the list table) to add the selected interface to the
Server Boundary text box.
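The following Python code, added here as an illustration and not taken from the manual or the product, shows how the boundary direction rule above and the protocol/port and ICMP type/code service definitions decide whether a flow record is counted for a server farm. The farm definition, the flow records and their field names are constructed for the example.

```python
# Added example: attributing flow records to a server farm. The farm, flows and
# field names below are constructed for illustration and are not the product's own.

# Boundary entries are (router, ifIndex, traffic direction), as selected in the
# Edit Server Boundary window; services are protocol/port ranges or ICMP type/code.
SERVER_FARM = {
    "name": "web-farm-example",
    "boundary": [
        ("router-A", 3, "Input"),    # count only flows entering via ifIndex 3
        ("router-A", 7, "Output"),   # count only flows leaving via ifIndex 7
        ("router-B", 12, "Both"),    # count flows on ifIndex 12 in either direction
    ],
    "services": [
        # ("tcp"/"udp", first port, last port); a single port is a range of length 1
        ("tcp", 80, 80),
        ("tcp", 443, 443),
        ("tcp", 8000, 8099),
        # ("icmp", message type, message code): ICMP needs both type and code
        ("icmp", 8, 0),
    ],
}


def direction_matches(direction, ifindex, flow):
    """Apply the Input / Output / Both rule to one boundary entry."""
    if direction == "Input":
        return flow["input_ifindex"] == ifindex
    if direction == "Output":
        return flow["output_ifindex"] == ifindex
    if direction == "Both":
        return ifindex in (flow["input_ifindex"], flow["output_ifindex"])
    raise ValueError(f"unknown traffic direction: {direction!r}")


def in_boundary(farm, flow):
    """True if any boundary entry of the farm accepts the flow's router/ifIndex."""
    return any(
        flow["router"] == router and direction_matches(direction, ifindex, flow)
        for router, ifindex, direction in farm["boundary"]
    )


def service_matches(farm, flow):
    """True if the flow's protocol and port (or ICMP type/code) is a farm service."""
    for proto, first, last in farm["services"]:
        if proto != flow["protocol"]:
            continue
        if proto == "icmp":
            if flow.get("icmp_type") == first and flow.get("icmp_code") == last:
                return True
        elif first <= flow.get("dst_port", -1) <= last:
            return True
    return False


def counted_for_farm(farm, flow):
    """A flow is counted for the farm only if it crosses the boundary in the
    configured direction AND targets one of the farm's services."""
    return in_boundary(farm, flow) and service_matches(farm, flow)


# Constructed flow records in the shape of the fields the manual names
# (router, Input Interface, Output Interface, protocol/port, ICMP type/code).
SAMPLE_FLOWS = [
    {"router": "router-A", "input_ifindex": 3, "output_ifindex": 9,
     "protocol": "tcp", "dst_port": 443},                 # Input on 3: counted
    {"router": "router-A", "input_ifindex": 9, "output_ifindex": 3,
     "protocol": "tcp", "dst_port": 443},                 # 3 is Output here: not counted
    {"router": "router-B", "input_ifindex": 12, "output_ifindex": 1,
     "protocol": "udp", "dst_port": 53},                  # no UDP/53 service: not counted
    {"router": "router-B", "input_ifindex": 5, "output_ifindex": 12,
     "protocol": "icmp", "icmp_type": 8, "icmp_code": 0}, # Both on 12, echo request: counted
    {"router": "router-A", "input_ifindex": 3, "output_ifindex": 9,
     "protocol": "tcp", "dst_port": 8050},                # inside 8000-8099: counted
]


def classify_sample_flows():
    """Return, per sample flow, whether the farm counts it."""
    return [counted_for_farm(SERVER_FARM, flow) for flow in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, counted in zip(SAMPLE_FLOWS, classify_sample_flows()):
        print(counted, flow)
```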
Figure 3.3.8-3 System Admin / Network / Server -- Edit Server Boundary Window
5. Generate Report Data: set the parameters for generating report data.
Select the reports you want to generate by ticking their check boxes. There are two types
of reports to choose from. One is the Advanced Traffic Analysis report, including the Breakdown
Report; the other is the Common Attribute Report, including the Application, Protocol,
Protocol+Port, TOS, and Packet Size reports. By default all common attribute reports are
Enabled except the Protocol and TOS reports.
6. TopN Report: enable TopN reports.
A TopN report of a server farm sorts the analyzed traffic results of the specified server farm by
aggregation elements. All listed TopN reports are predefined in the TopN Report function of
System Admin/ Network/ Template. The operation is as follows:
Adding a TopN Report
Click on the Add button to list the TopN aggregation reports. Check the needed
reports and then click on the Add button to create the TopN reports of the server
farm. Users can also redefine the Name, TopN # and Status fields when adding
a TopN Report.
Figure 3.3.8-4 System Admin / Network / Server -- Adding TopN Report to the Server-farm
7. Remarks: enter additional information for the server farm in the Remarks field.
Up to 400 characters are allowed.
8. Click on the Submit button to complete the configuration.
To edit a server-farm
Click on the edit icon to enter the Edit Server-farm window. (See Figure 3.3.8-5)
To delete a server-farm
1. Click on the delete icon.
A Delete page with the detailed configuration will be shown.
2. Click on the Submit button to remove the configuration from the system.
3.3.9 MSP Customer
The MSP Customer menu allows users to manage MSP customers, specify the boundary template,
configure MSP user accounts, and set the privilege template for user accounts. After clicking on the MSP
Customer menu displayed under the Sub Menu tree of System Admin/Network at the left side of the
screen, users enter the MSP Customer Management window (the default window) and
see its sub-menu tabs: MSP Customer, Boundary Template, MSP User Account, and Privilege
Template. (See Figure 3.3.9-1) The following sections introduce how to configure an MSP
customer, how to define the boundary template, how to manage MSP user accounts, and how to
specify the privilege template.
Note
This function is not shown when the system does not support the MSP module (a value-added
function).
3.3.9.1 MSP Customer
Users can assign MSP customers to an MSP server and create the MSP user with the
administrator privilege, who can log into the MSP server to view and manage its traffic reports.
After clicking on the MSP Customer menu displayed on the Sub Menu tree of System Admin/Network at
the left side of the screen, a page with the MSP Customer Management title will be shown (see
Figure 3.3.9-1).
Note
A search function and page-control buttons are provided; for their detailed descriptions refer to
the Sub-Network sub-menu of the System Admin/Network function.
3.3.9.2 Boundary Template
Click on the Boundary Template tab to define the routers of a boundary template used by the MSP
Customer function in System Admin/Network/MSP Customer. After clicking on the Boundary
Template tab, a page with the MSP Customer Boundary Template Management title will be
shown (see Figure 3.3.9-4). The following sections introduce how to add, edit, delete, and
view the routers in a boundary template.
3.3.9.3 MSP User Account
Click on the MSP User Account tab to enter the MSP User Account Management window (see
Figure 3.3.9-6). The MSP User Account Management window lists all MSP user accounts specified on all
MSP collectors.
Note
1. The account with the Customer Admin privilege template is specified in the MSP Customer
function of the System Admin / Network / MSP Customer menu in the Controller system, but
accounts with other privileges, such as Customer Superuser or Customer Viewer, are set
in the specified MSP Server by its admin account.
2. The access authority of a privilege template is defined in the Privilege Template function of the
System Admin / Network / MSP Customer menu in the Controller system.
Figure 3.3.9-6 System Admin / Network / MSP Customer / MSP User Account -- MSP User Account Window
3.3.9.4 Privilege Template
Users can edit or view a privilege template and specify the authorized functions for the privilege
template. Click on the Privilege Template tab to enter the Privilege Template window. (As shown in
Figure 3.3.9-7)
Figure 3.3.9-8 System Admin / Network / MSP Customer / Privilege Template -- Edit User Privilege Template Window
1. Click on the edit icon to modify the information in the privilege template.
A page titled Edit User Privilege Template will be shown. (As presented in Figure 3.3.9-8)
2. Change the authorization of the system functions by ticking or clearing the check boxes.
3. Click on the Submit button to complete the modification.
Note
The user accounts assigned to this privilege template are listed in the Applied table
below.
3.3.10 Filter
The Filter menu allows users to manage Factors and Filters, the two elements used
to implement Rule-based reports. Factors are the basic building blocks used in an
expression inside a Filter. Filters are the basic units that let users select the traffic to analyze.
Through Factors and Filters, users can analyze traffic flexibly and make up for the limitations of the
pre-defined reports.
After clicking on the Filter menu displayed on the Sub Menu tree of System Admin/Network at the
left side of the screen, the Factor Management window (the default window) will be
shown. Users can see the sub-menu tabs, Factor and Filter, above the screen. (See
Figure 3.3.10-1)
3.3.10.1 Factor
Once you click on the Filter menu, you directly enter the Factor Management window. There are two
categories of Factors: System Factors, such as the Home network, Sub-Network entities, and
applications already defined in the system, and User-defined Factors. The following
sections introduce how to add, edit, and delete a Factor, and how to view the profile
of a Factor.
Note
1. A search function and page-control buttons are provided. Refer to the Note
descriptions in the Sub-Network sub-menu of the Network function for their operation.
2. The Export button is used to back up the Factor configurations to the local host. After
clicking on the Export button, the download configuration field is shown. Two
file formats, XML Schema and XML Data, are available for download. However, users have to
run the CLI command factor encoding in global configuration mode before
exporting the Factor configurations.
3. The Import button is used to load the Factor configurations from the local host. After
clicking on the Import button, the Upload configuration field is shown and users have
to click on the Browse button to select the Factor configuration file for uploading.
To add a Factor
Click on the Add button at the top of the Factor view list to enter the Add Factor window. (See
Figure 3.3.10-2) There are five types of user-defined Factors. Each type has its own
maximum number of entities in a Controller:
Factor Type                            Maximum Entities
IP Factor                              1024
BGP Community Factor                   256
AS Number Factor                       256
AS Path Regular Expression Factor      256
Application Factor                     256
Figure 3.3.10-2 System Admin / Network / Filter / Factor -- Add Factor Window (IP Factor)
1. Enter the name of the Factor in the Name field.
This name must be unique among Factors in the system. The number of characters
must be between 2 and 40. All characters are accepted except space and special characters
(!@#$%^&<>?...).
2. Enter additional information in the Remarks field if desired.
Up to 400 characters are allowed.
3. Select IP, BGP Community, AS Number, AS Path or Application from the Type drop-down list for the
Factor.
The default type is IP. If you select the BGP Community/AS Number/AS Path/Application type,
the screen switches to the window for configuring that type. (See Figure 3.3.10-3 /
Figure 3.3.10-4 / Figure 3.3.10-5 / Figure 3.3.10-6)
Figure 3.3.10-3 System Admin / Network / Filter / Factor -- Add Factor Window (BGP Community Factor)
Figure 3.3.10-4 System Admin / Network / Filter / Factor -- Add Factor Window (AS Number Factor)
Figure 3.3.10-5 System Admin / Network / Filter / Factor -- Add Factor Window (AS Path Factor)
Figure 3.3.10-6 System Admin / Network / Filter / Factor -- Add Factor Window (Application Factor)
4. Enter the IP addresses that define the IP Factor, as IP prefixes (CIDR) or IP ranges, in the IP
text box if you selected the IP type in Step 3.
You can enter either IP prefixes or IP ranges with a permit or deny keyword. If you do not specify
permit or deny, the IP prefix or range is treated as permit. The sequence matters and
works like an ACL. You can enter one IP prefix per line (use the Enter key to create
lines) or separate multiple prefixes with commas. Up to 128 prefixes can be entered in one
Factor.
Enter the BGP community that defines the BGP Community Factor in the BGP Community
String text box if you selected the BGP Community type in Step 3.
You can define the Factor with one BGP community with wildcards. A BGP community string
consists of two token sets separated by a colon (:), written together without a
space or tab in between. A token set holds 5 digits from 0 to 9, and three kinds of token
expressions are supported: digital tokens, the ? token, and the [] token.
A digital token is a single digit from 0 to 9.
A ? token represents one digit of any value from 0 to 9, e.g. 21829:1290? means 21829:12900
through 21829:12909.
A [] token is a container that can hold up to 10 digits. If the digit in that position matches any
digit inside the brackets, the token matches, e.g. 23910:391[0 2]4 means 23910:39104 and
23910:39124.
Leading 0 digits can be omitted when they do not affect the value; for example, 00023:12802 can be
written as 23:12802. The total length of a BGP community string with wildcards is up to 120
characters.
Enter the AS numbers that define the AS Number Factor in the AS Number text box if you
selected the AS Number type in Step 3.
Duplicates are not allowed. Both single AS numbers and consecutive ranges are
accepted. You can enter up to 40 AS number elements (separated by commas, each
between 1 and 65535) in a Factor.
Enter the AS path that defines the AS Path Factor in the AS Path text box if you selected the AS
Path type in Step 3.
You can define the Factor with one AS path regular expression. An AS path regular expression
selects BGP routes by their list of AS numbers (one or more AS numbers concatenated).
Three kinds of token expressions are supported: digital tokens, the * token, and the []
token; a space character is required between every AS number and */[] token.
A digital token is an AS number written with the digits 0 to 9.
A * token represents zero or more AS numbers, e.g. 32 * 123 means any AS path with
peer ASN 32 and origin ASN 123.
A [] token represents a union of all the AS numbers inside the brackets. If the AS number at
that position of the AS path equals any AS number in the union, the token matches, e.g.
[13 439 302] * means any AS path with peer ASN 13, 439 or 302.
The total length of the AS path regular expression string can be up to 200 characters.
Specify applications and channel numbers to define the Application Factor in the text box if
you selected the Application type in Step 3.
You can select an application from the Application drop-down list or by clicking on the Browse
button (refer to the Browse Helper part in Snapshot for details; the operation is the
same). After selecting the application, select its channel number from the
Channel No. drop-down list and then click on the Add button to add the selected application
and channel number to the text box. The combination of an application and a channel
number is called an application definition. Up to 16 application definitions can be
added to one Application Factor. Note that the * symbol represents all channels. Once
* is added, no other channel of the same application can be added to the text
box. You can remove one or all added application definitions from the text box with the
Remove One or Remove All button.
5. Click on the Submit button to complete the configuration.
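As an added example (not the manual's or the product's own code), the following Python matchers implement the three text-box formats of Step 4: the permit/deny IP prefix and range list with ACL-style first match, the BGP community string with ? and [] wildcards and optional leading zeros, and the AS path regular expression with * and [] tokens. Treating an address that matches no IP entry as outside the Factor is an assumption.

```python
# Added example for the Step 4 formats: matchers for the IP, BGP Community and
# AS Path Factor text boxes. Illustration code written for this page, not the
# product's own; behaviour on inputs the manual leaves unspecified is an assumption.
import ipaddress
import re


def _community_half(text):
    """Tokenize one token set of a community wildcard; left-pad to 5 digits with 0."""
    tokens = []
    for tok in re.findall(r"\[[^\]]*\]|.", text):
        if tok.isdigit():                                  # digital token: this digit
            tokens.append({tok})
        elif tok == "?":                                   # ? token: any single digit
            tokens.append(set("0123456789"))
        elif tok.startswith("[") and tok.endswith("]"):    # [] token: any listed digit
            inside = {c for c in tok[1:-1] if c.isdigit()}
            if not 1 <= len(inside) <= 10:
                raise ValueError(f"[] token holds 1 to 10 digits: {text!r}")
            tokens.append(inside)
        else:
            raise ValueError(f"unexpected token {tok!r} in {text!r}")
    if len(tokens) > 5:
        raise ValueError(f"a token set holds at most 5 digits: {text!r}")
    return [{"0"}] * (5 - len(tokens)) + tokens


def community_matches(pattern, community):
    """Match a community like '23910:39124' against a wildcard like '23910:391[0 2]4'."""
    (pat_l, pat_r), (val_l, val_r) = pattern.split(":"), community.split(":")
    for token_text, digits in ((pat_l, val_l), (pat_r, val_r)):
        digits = digits.zfill(5)              # 23:12802 is the same as 00023:12802
        if len(digits) != 5 or not digits.isdigit():
            raise ValueError(f"bad community token set in {community!r}")
        if any(d not in ok for d, ok in zip(digits, _community_half(token_text))):
            return False
    return True


def _as_path_tokens(pattern):
    """Tokenize an AS path regular expression: AS numbers, '*' and '[a b c]' unions."""
    tokens = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", pattern):
        if tok == "*":
            tokens.append("*")
        elif tok.startswith("[") and tok.endswith("]"):
            tokens.append({int(n) for n in tok[1:-1].split()})
        elif tok.isdigit():
            tokens.append({int(tok)})
        else:
            raise ValueError(f"unexpected token {tok!r} in {pattern!r}")
    return tokens


def _match_as_path(tokens, path):
    """Backtracking match: '*' consumes zero or more AS numbers, a set consumes one."""
    if not tokens:
        return not path
    head, rest = tokens[0], tokens[1:]
    if head == "*":
        return any(_match_as_path(rest, path[k:]) for k in range(len(path) + 1))
    return bool(path) and path[0] in head and _match_as_path(rest, path[1:])


def as_path_matches(pattern, as_path):
    """Whole-path match, peer ASN first and origin ASN last ('32 * 123')."""
    return _match_as_path(_as_path_tokens(pattern), list(as_path))


def parse_ip_factor(text):
    """Parse the IP text box: prefixes or 'a-b' ranges, one per line or comma
    separated, each optionally preceded by permit or deny (permit when omitted)."""
    rules = []
    for item in re.split(r"[,\n]", text):
        parts = item.split()
        if not parts:
            continue
        action = parts.pop(0).lower() if parts[0].lower() in ("permit", "deny") else "permit"
        spec = "".join(parts)
        if "-" in spec:
            lo, hi = (ipaddress.ip_address(p) for p in spec.split("-"))
            rules.append((action, lambda a, lo=lo, hi=hi: lo <= a <= hi))
        else:
            net = ipaddress.ip_network(spec, strict=False)
            rules.append((action, lambda a, net=net: a in net))
    return rules


def ip_factor_matches(rules, address):
    """First match in the configured sequence, like an ACL. Assumption (not stated
    in the manual): an address that matches no entry is outside the Factor."""
    addr = ipaddress.ip_address(address)
    for action, test in rules:
        if test(addr):
            return action == "permit"
    return False
```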
To edit a Factor
Click on the edit icon to enter the Edit Factor window. (See Figure 3.3.10-7)
Figure 3.3.10-7 System Admin / Network / Filter / Factor -- Edit Factor Window
(Refer to the previous To add a Factor section for the following steps of your
modification.)
1. Provide new information in the fields/options you want to modify.
2. Click on the Submit button to complete the modification.
To delete a Factor
1. Click on the delete icon.
A Delete page with the detailed configuration will be shown. Note that if the Factor you are
deleting is applied in any configuration, the system will not allow you to delete it and the
Submit button will be unavailable. You have to change the applied configurations to
another Factor before you delete this Factor.
2. Click on the Submit button to remove the Factor from the system.
Figure 3.3.10-8 System Admin / Network / Filter / Factor -- View Factor Window
1. Click on an ID or Name to enter the View Factor window.
When you move the cursor to an ID/Name listed in the ID/Name column, the
pointed ID/Name turns blue. The Applied block area shows the Filters in
which the viewed Factor is applied.
2. Click on the Back to List button to return to the Factor Management window.
3.3.10.2 Filter
Click on the Filter sub-menu tab of Filter to enter the Filter Management window (See Figure
3.3.10-9). The most recently added Filter is displayed in the first row of the list. The following
sections introduce how to add, edit, and delete a Filter, and how to view the profile
of a Filter.
Note
A search function and page-control buttons are provided. Refer to the Note
descriptions in the Sub-Network sub-menu of the Network function for their operation.
To add a Filter
Click on the Add button at the top of the Filter view list to enter the Add Filter window. (See Figure
3.3.10-10)
Figure 3.3.10-10 System Admin / Network / Filter / Filter -- Add Filter Window
1. Enter the name of the Filter in the Filter Name field.
This name must be unique among Filters in the system. The number of characters
must be between 2 and 40. All characters are accepted except space and special characters
(!@#$%^&<>?...).
2. Specify the traffic scope for analysis.
First, select a network scope type from the Scope drop-down list and then specify a network
entity from the second drop-down list. There are several types of network scope to select, and
the network entity drop-down list shows different network entities according to the
network scope type selected, except for ANY and Home (they need no
network entity). The supported boundary scopes include Internet and Sub-network
boundaries. The inspected traffic is restricted to the specified traffic scope (i.e. only traffic
flows belonging to the specified scope are inspected by the traffic analysis of the Filter). A Browse
function is provided here. Refer to the Browse Helper part in Snapshot for details.
3. The IP version drop-down list shows IPv4; there is no other parameter to select.
4. Select Disabled or Enabled from the Status drop-down list.
This allows you to activate or deactivate the Filter whenever needed. Once
you disable the Filter, all traffic reports and applied scopes related to this Filter become
unavailable, including its configured TopN reports.
5. Enter additional information in the Remarks field if necessary.
Up to 400 characters are allowed.
6. Configure the expressions that make up the Filter.
Expressions are the basic elements inside a Filter and are used to sift traffic flows. In other words,
they are the criteria configured in the Filter. In total, up to 2048 expressions can be
configured in the system. This step introduces how to add, edit, delete, and view an
expression.
To add an expression
Click on the Add button above the Expression table list to open the Add Filter Expression
window. (See Figure 3.3.10-11)
Figure 3.3.10-11 System Admin / Network / Filter / Filter -- Add Filter Expression Window
No.: select a number from the No. drop-down list for the sequence position of the expression
being configured. The number you select is the position of the created expression among
all expressions. There is no choice for the first created expression, since it has no
sequence issue. Only when the second and later expressions are created does
the system let you decide their sequence. The rule for matching multiple
expressions in a Filter is First Match in the Sequence.
Matching Rule: select Permit or Deny for the expression from the Matching Rule
drop-down list. The default value is Permit.
The following fields are provided to define expressions.
Src. IP: the available selections for the source IP address are Home, a sub-network, an IP
Factor, and a BGP Community Factor. Select Home from the Src. IP drop-down list, or
click on the Browse button next to the drop-down list to select a Factor or a
sub-network. Specify the source IP by clicking on the radio button and the Submit button
(the destination IP can be selected at the same time through the Browse button). Refer
to the Browse Helper part in Snapshot for further operation.
Dst. IP: same as Src. IP. Refer to its description above.
Src. AS Path: select an AS Path Factor for the source AS path from the Src. AS Path
drop-down list. All AS Path Factors configured in the system are displayed here.
Dst. AS Path: same as Src. AS Path. Refer to its description above.
Src. Application: select an application or an Application Factor from the Src.
Application drop-down list. All defined applications and configured Application Factors
are displayed here. Alternatively, click on the Browse button next to the drop-down list to
select the source application by clicking on the radio button and the Submit button
(the destination application can be selected at the same time through the Browse
button). Refer to the Browse Helper part in Snapshot for further operation.
Dst. Application: same as Src. Application. Refer to its description above.
Router: select a router from the Router drop-down list. After you select a router, the
Input Flow ifIndex and Output Flow ifIndex fields become available. You can enter flow
ifIndexes directly or click on the Browse button next to the fields to select the source
and destination flow ifIndexes by clicking on the radio button and the Submit button.
TOS Value: tick the check box and the drop-down lists of all values become
configurable. Select the value for each bit of the TOS field in the IP header.
Note
There are three values with different meanings for each bit: X (Ignore),
1 (Flag On), and 0 (Flag Off). Ignore: the system does not check this bit; On:
the system collects traffic information about IP packets with the bit On in the
TOS field; Off: the system collects traffic information about IP packets
with the bit Off in the TOS field.
TCP Flag: tick the check box and the drop-down lists of all flags become
configurable. Select the value for each flag.
Note
There are six TCP flags (URG, ACK, PSH, RST, SYN, and FIN in the TCP
header) and three values with different meanings for each flag:
X (Ignore), 1 (Flag On), and 0 (Flag Off). Ignore: the system does
not check this flag; On: the system collects traffic information about
TCP packets with the flag On; Off: the system collects traffic
information about TCP packets with the flag Off.
IPv4 Next Hop: enter a next hop IP address in the Next Hop field.
IPv4 BGP Next Hop: enter a BGP next hop IP address in the BGP Next Hop field.
Avg. Packet Size: select an average packet size from the Avg. Packet Size drop-down
list. The packet size segments are: <32, 32-64, 64-96, 96-128, 128-160, 160-192,
192-224, 224-256,
To edit an expression
Click on a radio button in the Expression table list and press the Edit button above it to
open the Edit Filter Expression window. (See Figure 3.3.10-12)
Figure 3.3.10-12 System Admin / Network / Filter / Filter -- Edit Filter Expression Window
(Refer to the previous To add a Filter section for your modification.)
Provide new information in the fields/options you want to modify and then click on the
Submit button to complete the modification.
To delete an expression
Click on a radio button in the Expression table list and press the Delete button above it
to remove the expression from the table list. Once the Delete button is pressed, the
selected expression is deleted right away.
To view the profile of an expression
Click on a radio button in the Expression table list and press the View button above it to
open the View Filter Expression window. (See Figure 3.3.10-13)
Figure 3.3.10-13 System Admin / Network / Filter / Filter -- View Filter Expression Window
The detailed information of the expression can be reviewed. Click on the Cancel button to
close the View Filter Expression window.
7. Enable the traffic report and monitor for the Filter (Optional).
You can choose whether to enable the traffic report by selecting Enabled or Disabled from
the Report drop-down list located in the Traffic Report and Monitor block area (See Figure
4.64). The default value is Disabled. Once Traffic Report is enabled, the system generates
traffic reports for the Filter, namely the Summary reports in Rule-based Report. If Traffic
Report is not enabled, the system does not generate traffic reports but still collects the filtered
traffic and saves it in the database for use by Snapshots. As soon as you enable Traffic Report,
its monitoring feature also becomes available. Select a baseline template configured in
the system from the Baseline Template drop-down list next to the Report drop-down list for the
Filter traffic report. If there is any traffic violation, an anomaly is generated and tracked by
the system. You can enable anomaly notification for the Filter through the
Preferences/Notification/Filter function of System Admin. In addition, the system can also
provide an opposite-direction report, the reverse of the Filter traffic report. Select Enabled from
the Opposite Direction Report drop-down list and a baseline template from the next
Baseline Template drop-down list to generate the opposite-direction report if desired.
8. Configure TopN reports of a Filter (Optional).
A TopN report of a Filter sorts the analyzed traffic results of a specific Filter by
aggregation elements of Source / Destination / Directionless. A configured and enabled TopN
report can be viewed in the TopN Report sub menu of Rule-based Report. In total, up to 1024
rule-based TopN reports can be configured in the system. This step introduces how to
add, edit, delete, and view a TopN report of a Filter.
Figure 3.3.10-14 System Admin / Network / Filter / Filter -- Add Filter TopN Window
Name: enter a name for the TopN report. The number of characters must be
between 2 and 40. All characters are accepted except space and special characters
(!@#$%^&<>?...).
Status: select Disabled or Enabled from the Status drop-down list. This
allows you to activate or deactivate the rule-based TopN report whenever
needed.
Aggregation Keys: select an aggregation element from the text box. The aggregation
elements include Source/Destination IP, Source/Destination Protocol/Port,
Application on Source/Destination, TCP Flag, TOS Value, Protocol, Input/Output
Interface, Router, and so on.
Number of Top-N: select the N value of Top-N from the Number of Top-N drop-down list;
the traffic statistics of the top N entries are saved in the database and displayed in
Rule-based reports. The available selections are 16 (default), 32, 64, 128,
and 256.
Figure 3.3.10-15 System Admin / Network / Filter / Filter -- Edit Filter TopN Window
(Refer to the previous To add a TopN report of a Filter section for your
modification.)
Note that the aggregation elements cannot be changed once the TopN report has been
created. You have to create a new one to replace the one whose aggregation elements
you want to change. Provide new information in the fields/options you want to
modify and then click on the Submit button to complete the modification.
To delete a TopN report of a Filter
Click on a radio button in the TopN Report table list and press the Delete button above it
to remove the TopN report from the table list. Once the Delete button is pressed, the
selected TopN report is deleted right away.
9. Select a Filter from the Total Traffic calculated on Filter drop-down list to replace the calculated
total traffic of the TopN reports of the Filter being configured. (Optional)
The default value is Self, which means the calculated total traffic is not replaced by any
other Filter's. If users choose to use another Filter's total traffic, each TopN percentage value
is derived with the replaced total as the divisor. With this function, users can easily combine two
Filters into an integrated report by defining some identical criteria but sieving out
specific traffic to sort. For instance, two Filters A and B are configured with the same
expressions (i.e. the same network cuts), but one more expression is added to Filter A to sieve
out traffic of specific source ASNs. By replacing the calculated total traffic of Filter
A with Filter B's, users obtain a TopN report of those specific ASNs while keeping the traffic
percentage as the proportion of the defined network cuts.
10. Click on the Submit button to complete the configuration.
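Added example, not the product's own code: a small Python evaluator that applies a Filter's expressions to flow records with the First Match in the Sequence rule from Step 6, including the X/1/0 selectors for TCP flags and TOS bits. The Filter, flow records and field names are constructed; treating a flow that matches no expression as not permitted is an assumption.

```python
# Added example: evaluating a Filter's expressions against flow records under the
# First Match in the Sequence rule of Step 6. Illustration code written for this page,
# not the product's own; the sample Filter, flows and field names are constructed.
import ipaddress

IGNORE, ON, OFF = "X", "1", "0"          # the three states of a TOS bit or TCP flag
TCP_FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
TOS_BITS = {f"bit{i}": 1 << i for i in range(8)}   # one selector per bit of the TOS byte


def tri_state_match(wanted, value, bit_table):
    """wanted maps a flag or bit name to X, 1 or 0; X entries are not checked at all."""
    for name, state in wanted.items():
        is_set = bool(value & bit_table[name])
        if (state == ON and not is_set) or (state == OFF and is_set):
            return False
    return True


def _in_networks(address, networks):
    """Src. IP criterion reduced to a list of prefixes (Home, a sub-network or a
    permit-only IP Factor); permit/deny ordering is left out of this example."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def expression_matches(expr, flow):
    """Every criterion set on the expression must hold; unset criteria are ignored."""
    if "src_ip" in expr and not _in_networks(flow["src_ip"], expr["src_ip"]):
        return False
    if "router" in expr and flow["router"] != expr["router"]:
        return False
    if "input_ifindex" in expr and flow["input_ifindex"] != expr["input_ifindex"]:
        return False
    if "tcp_flags" in expr and not (
        flow["protocol"] == "tcp"
        and tri_state_match(expr["tcp_flags"], flow["tcp_flags"], TCP_FLAG_BITS)
    ):
        return False
    if "tos" in expr and not tri_state_match(expr["tos"], flow["tos"], TOS_BITS):
        return False
    return True


def filter_decision(expressions, flow):
    """First Match in the Sequence: try expressions in No. order; the first match
    decides Permit or Deny. Assumption: a flow matching nothing is not permitted."""
    for expr in sorted(expressions, key=lambda e: e["no"]):
        if expression_matches(expr, flow):
            return expr["rule"] == "Permit", expr["no"]
    return False, None


# Constructed Filter: No. 1 denies a maintenance subnet before No. 2 permits the
# rest of 10.0.0.0/8, so swapping the two would change the result for 10.1.1.0/24.
SAMPLE_FILTER = [
    {"no": 1, "rule": "Deny", "src_ip": ["10.1.1.0/24"]},
    {"no": 2, "rule": "Permit", "src_ip": ["10.0.0.0/8"],
     "tcp_flags": {"SYN": ON, "ACK": OFF, "RST": IGNORE}},  # connection attempts only
    {"no": 3, "rule": "Permit", "router": "router-A", "input_ifindex": 3,
     "tos": {"bit3": ON}},                                   # TOS 0xb8 (DSCP EF) has bit 3 set
]

# Constructed flow records using the field names the manual refers to.
SAMPLE_FLOWS = [
    {"src_ip": "10.1.1.5", "router": "router-A", "input_ifindex": 3,
     "protocol": "tcp", "tcp_flags": 0x02, "tos": 0x00},     # No. 1 matches first: Deny
    {"src_ip": "10.9.9.9", "router": "router-B", "input_ifindex": 5,
     "protocol": "tcp", "tcp_flags": 0x02, "tos": 0x00},     # SYN without ACK: No. 2 Permit
    {"src_ip": "10.9.9.9", "router": "router-A", "input_ifindex": 3,
     "protocol": "tcp", "tcp_flags": 0x12, "tos": 0xb8},     # SYN+ACK fails No. 2; No. 3 Permit
    {"src_ip": "192.0.2.7", "router": "router-B", "input_ifindex": 5,
     "protocol": "tcp", "tcp_flags": 0x10, "tos": 0x00},     # matches no expression
]


def evaluate_sample_flows():
    """Return (permitted, matching No.) for each sample flow."""
    return [filter_decision(SAMPLE_FILTER, flow) for flow in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, decision in zip(SAMPLE_FLOWS, evaluate_sample_flows()):
        print(decision, flow)
```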
To edit a Filter
Click on the edit icon to enter the Edit Filter window. (See Figure 3.3.10-16)
Figure 3.3.10-16 System Admin / Network / Filter / Filter -- Edit Filter Window
(Refer to the previous To add a Filter section for the following steps of your
modification.)
1. Provide new information in the fields you want to modify.
2. Click on the Submit button to complete the modification.
Note
Users can also add a new Filter by clicking on the "Save As New Filter" button after editing
the Filter.
To delete a Filter
1. Click on the delete icon.
A confirmation dialog box will pop up.
2. Click on the OK button to remove the Filter from the system.
Figure 3.3.10-17 System Admin / Network / Filter / Filter -- View Filter Window
1. Click on an ID or Name to enter the View Filter window.
When you move the cursor to an ID/Name listed in the ID/Name column, the
pointed ID/Name turns blue.
2. Click on the Back to List button to return to the Filter Management window.
3.3.10.3 Filter Batch
The Filter Batch function lets users generate Filters in batches. Click on the Filter Batch sub-menu tab of
Filter to enter the Filter Batch Management window (See Figure 3.3.10-18). The most recently added entry is
displayed in the first row of the list. The following sections introduce how to add and
delete an entry.
Figure 3.3.10-18 System Admin / Network / Filter / Filter Batch Management window
Figure 3.3.10-19 System Admin / Network / Filter / Filter Batch -- Batch Add Filter Window
The Filters are generated as the cross product of the Factors: each generated Filter pairs one
source Factor with one destination Factor. In other words, when users specify three source
Factors and two destination Factors to generate batch Filters, six Filters are created.
3.3.11 Application
The Application menu allows users to group several services (protocol + port) into an application.
For example, users can define an FTP application that includes ftp-data (20/TCP, 20/UDP) and
ftp (21/TCP, 21/UDP). The applications defined here are used by the Common Attribute
Application reports.
After clicking on the Application menu displayed on the Sub Menu tree of System Admin/Network
at the left side of the screen, a page with the Application Management title will be shown (See
Figure 3.3.11-1). Users can see some default applications provided by the system. The
Protocol/Port column is presented as a list box, which users can read by moving
the scroll bar. The following sections introduce how to add, edit, delete, and view an
application.
Note
1. A search function is provided. It is located next to the Add button and above the view
list. Users can apply several search filters (ID, Application No., Channel No., Name, Port,
or NPC Application ID) to quickly find a specific application among many listed
applications. Select a filter type in the Searching drop-down list, enter a keyword
in the "for" blank, and then click on the Go button.
2. Page-control buttons are next to the Go button.
|< button: go to the first page.
<< button: go to the previous page.
>> button: go to the next page.
>| button: go to the last page.
The Page drop-down list: go to a specific page selected from the drop-down list. The
numerator is the page to be listed and the denominator is the total number of pages.
3. Entries/Page drop-down list: controls the number of entries displayed per page of the Application
view list. There are six options: 12, 25, 50, 100, 150, and 250. The number 25
marked with an asterisk is the default value.
To add an application
Click on the Add button at the top of the Application view list to enter the Add System Application window. (See Figure 3.3.11-2)
Figure 3.3.11-2 System Admin / Network / Application -- Add System Application Window
1. Provide the application name.
There are two ways to decide the application name. You can input a new application name, one not yet defined in the system, in the New Application Name field. Note that the name must be between 2 and 40 characters. All characters are accepted except the space and special characters (!@#$%^&<>?...). Alternatively, you can select an existing application name from the Using Application Name drop-down list. Check the radio button that corresponds to the way you want to use. The name of the application you are adding is actually a combination of an application name and a channel name.
2. Enter the channel name in the Channel Name field.
The channel name must be between 0 and 40 characters. All characters are accepted except special characters (!@#$%^&<>?...). This channel name and the application name you entered or selected in the previous step form a combined name, and this combined name must be unique in the system. The channel name must be provided, but it may be left blank for at most one application of a given application name, because the combined name must be unique in the system.
3. Select Enabled or Disabled from the Pre-defined Report drop-down list.
This function allows you to activate or deactivate the application whenever needed. Once an application is disabled, the Application traffic analyses of all attribute reports no longer show the traffic statistics for it.
4. Enter additional information for the application in the Remarks field (Optional).
Up to 400 characters are allowed.
5. Enter the application ID defined in the GenieNPC exporter.
Once a GenieNPC application ID is configured for identifying an application, GenieATM will classify the Application traffic by matching the application ID carried in the flow packets exported by GenieNPC. The available range is from 1 to 65535.
6. Add the services (protocol + port) for this application.
Select the protocol by clicking on the radio button, then enter the port number or the message type/code, and then click on the <<Add button to add the service to the text box. Each service that you want must be added to the Protocol+Port text box individually. Up to 32 service combinations can be added to an application, and a service combination can be used in different applications. Use the Remove>> or Remove All button to remove added services from the text box.
Select a protocol from the drop-down list and click on the radio button to specify how the port is given. To add a single port, select Port Number and enter the number. To add a range of consecutive port numbers at one time, select Port Range and enter the first number of the range in the first field and the last number of the range in the second field.
For ICMP, the system further distinguishes services by message type and code; you have to enter the message type and code if ICMP is selected.
7. Enter the desired IP prefixes/ranges (Optional).
GenieATM provides IP prefixes/ranges as an extra criterion for defining an application service, which means the system classifies traffic by matching both the configured service (protocol + port) and the IP prefixes/ranges. Up to 128 IP prefixes or ranges are supported. You can enter one IP prefix per line (use the Enter key to create new lines) or separate multiple prefixes with commas. Please note that overlapping prefixes are not allowed.
8. Click on the Submit button after you have added all services to complete the configuration.
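As an added example (not part of the manual or of the GenieATM product), the Python below models the application definition described in steps 6 and 7: services as protocol + port or port range, IP prefixes/ranges entered one per line or comma-separated with overlaps rejected, and classification that requires both the service and the prefix to match. The 'port/PROTO' notation, the Application class, and the FTP sample with its 192.0.2.x and 2001:db8:: addresses are constructed for this illustration.

```python
from __future__ import annotations

from ipaddress import ip_address, ip_network, summarize_address_range

MAX_SERVICES = 32    # limits the manual states for one application
MAX_PREFIXES = 128


class ApplicationError(ValueError):
    """A definition that the Add System Application window would reject."""


def parse_service(text: str) -> tuple[str, int, int]:
    """Parse 'port/PROTO' or 'first-last/PROTO' into (protocol, first_port, last_port).

    The notation is constructed for this example; the real window uses a protocol
    radio button and separate Port Number / Port Range fields.
    """
    ports, _, proto = text.partition("/")
    first, _, last = ports.partition("-")
    lo, hi = int(first), int(last or first)
    if not 0 <= lo <= hi <= 65535:
        raise ApplicationError(f"bad port range in {text!r}")
    return proto.upper(), lo, hi


def parse_prefixes(text: str) -> list:
    """Accept one prefix or range per line, or comma-separated entries (step 7),
    and reject overlaps. A range 'first-last' is expanded into the CIDR blocks
    that cover it exactly."""
    items = [p.strip() for p in text.replace(",", "\n").splitlines() if p.strip()]
    if len(items) > MAX_PREFIXES:
        raise ApplicationError(f"{len(items)} prefixes exceed the limit of {MAX_PREFIXES}")
    nets = []
    for item in items:
        if "-" in item:
            lo, hi = (ip_address(x.strip()) for x in item.split("-", 1))
            nets.extend(summarize_address_range(lo, hi))
        else:
            nets.append(ip_network(item, strict=True))
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.version == b.version and a.overlaps(b):
                raise ApplicationError(f"overlapping prefixes: {a} and {b}")
    return nets


def is_valid_prefix_list(text: str) -> bool:
    """Convenience check: would the prefix text be accepted?"""
    try:
        parse_prefixes(text)
        return True
    except (ApplicationError, ValueError, TypeError):
        return False


class Application:
    """Services (protocol + port) plus optional prefixes; traffic must match both."""

    def __init__(self, name: str, services: list[str], prefixes: str = ""):
        if not 2 <= len(name) <= 40:
            raise ApplicationError("application name must be 2 to 40 characters")
        if len(services) > MAX_SERVICES:
            raise ApplicationError(f"{len(services)} services exceed the limit of {MAX_SERVICES}")
        self.name = name
        self.services = [parse_service(s) for s in services]
        self.prefixes = parse_prefixes(prefixes)

    def matches(self, proto: str, port: int, addr: str) -> bool:
        """True when (proto, port) is one of the services and addr falls in a prefix
        (or no prefix criterion was configured)."""
        if not any(p == proto.upper() and lo <= port <= hi for p, lo, hi in self.services):
            return False
        if not self.prefixes:
            return True
        ip = ip_address(addr)
        return any(ip in net for net in self.prefixes)


# Constructed sample: the manual's FTP application, limited to constructed server addresses.
FTP = Application("FTP", ["20/TCP", "20/UDP", "21/TCP", "21/UDP"],
                  "192.0.2.0/26\n192.0.2.100-192.0.2.110, 2001:db8::/48")


def classify(flows: list[tuple[str, int, str]], apps: list[Application]) -> list[str]:
    """Label each (protocol, port, server address) with the first matching application."""
    return [next((a.name for a in apps if a.matches(*f)), "other") for f in flows]
```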
To edit an application
Click on the edit icon to enter the Edit System Application window. (See Figure 3.3.11-3)
Figure 3.3.11-3 System Admin / Network / Application -- Edit System Application Window
(Please refer to the previous To add an application section for the following steps of your modification.)
1. Provide new information in the fields/options that you want to modify. Note that for the system built-in applications you can only enable or disable the Pre-defined Report function and modify the IP prefixes/ranges; their Detail settings cannot be modified.
2. Click on the Submit button to complete the modification.
To delete an application
1. Click on the delete icon.
A Delete page with the detailed configuration will be shown. Note that if the user-defined application you are deleting is applied in any configuration, the system will not allow you to delete it and the Submit button will be unavailable. You have to change the configurations that use it to another application before you delete this user-defined application.
2. Click on the Submit button to remove the user-defined application from the system.
Figure 3.3.11-4 System Admin / Network / Application -- View System Application Window
1. Click on an ID or Name to enter the View System Application window.
When you move the cursor over an ID/Name listed in the ID/Name column, the pointed ID/Name turns blue.
2. Click on the Back to List button to return to the Application Management window.
3.3.12 Anomaly
The Anomaly menu allows users to manage anomaly signatures, which define the traffic characteristics of known anomalies. In order to locate attacking and infected hosts directly, GenieATM adopts host-based anomaly traffic detection, collecting and analyzing anomaly traffic per host IP address. Two kinds of anomaly signatures are provided here: Protocol-Misuse Anomaly and Application Anomaly. As the names imply, a Protocol-Misuse anomaly signature identifies anomaly traffic caused by the misuse of communication protocols, and an Application anomaly signature identifies anomaly traffic caused by abnormal applications.
After clicking on the Anomaly menu displayed on the Sub Menu tree of System Admin/Network at the left side of the screen, the Protocol-Misuse Anomaly Management window (the default window) will be shown. Users can see two sub-menu tabs, Protocol-Misuse Anomaly and Application Anomaly. (See Figure 3.3.12-1)
Figure 3.3.12-1 System Admin / Network / Anomaly / Protocol-Misuse Anomaly Management Window
3.3.12.1 Protocol-Misuse Anomaly
Once you click on the Anomaly menu, you directly enter the Protocol-Misuse Anomaly Management window. The management window has two parts. The first part, Default for Home and User-defined Resources, defines the default Protocol-Misuse anomalies for the detection scopes of Home and user-defined resources; the second part, Non-Home, defines the Protocol-Misuse anomalies for detection scopes that belong to neither Home nor user-defined resources. The information displayed in the Protocol-Misuse Anomaly view list includes two latency settings (Severity & Recover) and other information for each anomaly (No., ID, Name, Status, Event Threshold, and Unit). The Protocol-Misuse anomalies are built into the system, and users cannot add or delete them. The built-in Protocol-Misuse anomalies are as follows:
TCP SYN Flooding
IP Protocol Null
TCP Flag Null or Misuse
TCP Fragment
UDP Fragment
ICMP Misuse
Land Attack
TCP RST Flooding
UDP Flooding
Host Total Traffic
The following section introduces how to edit the Protocol-Misuse anomalies of the Default for Home and User-defined Resources part and of the Non-Home part.
To edit Protocol-Misuse anomalies for the Default for Home and User-defined Resources part
Click on the Edit button of the Default for Home and User-defined Resources part to enter the Edit Protocol-Misuse Anomaly-Default for Home and User-defined Resources window. (See Figure 3.3.12-2) Note that the configurations here become the default settings of any newly added user-defined anomaly detection resource (Sub-network), but users can overwrite these defaults for each individual resource through its management window.
3.3.12.2 Application Anomaly
Application Anomaly Detection is designed with a global detection threshold for each application anomaly, unlike Protocol-Misuse Anomaly Detection, which allows users to overwrite the default settings for each individual resource. In other words, users can overwrite the default settings of application anomalies, and the changes apply to all host IP addresses in the configured detection scope rather than to an individual resource. In addition, this function provides the latest definitions of the system application anomaly signatures, downloaded from the GenieATM definition update servers.
Click on the Application Anomaly sub-menu tab of Anomaly to enter the Application Anomaly Management window. (See Figure 3.3.12-4) Three parts are displayed in this window: Anomaly Update, Detection Scope, and the Application Anomaly view list. The Anomaly Update part indicates whether there are any new anomalies to update. The Detection Scope part shows the currently configured detection scope. The most recently added application anomaly is displayed in the first row of the list. The following sections introduce how to edit the detection scope; how to update the system application anomaly signatures; how to add, edit, and delete an application anomaly; and how to view the profile of an application anomaly.
2009 Genie Network Resource Management Inc. All Rights Reserved.
Figure 3.3.12-4 System Admin / Network / Anomaly / Application Anomaly Management Window
Note
There are four built-in Application anomalies in the system: MS Blaster, Sasser, Code Red, and SQL Slammer. These four system built-in Application anomalies cannot be removed from the system. We do NOT recommend modifying the definitions of the system built-in Application anomalies unless it is necessary.
Figure 3.3.12-5 System Admin / Network / Anomaly / Application Anomaly -- Edit Detection Scope Window
1. Check a radio button to select the desired detection scope.
Three detection scopes are provided: User-defined Resources Only, Home, and Whole Internet. The User-defined Resources Only scope covers only the user-defined resources in the system, including Sub-Network entities; the Home scope covers the entire Home network; the Whole Internet scope, as the name implies, covers the whole Internet. The default setting is Home.
2. Click on the Submit button to complete the modification.
Figure 3.3.12-6 System Admin / Network / Anomaly / Application Anomaly -- Add Application Anomaly Window
1. Enter the channel name in the Channel Name field.
The channel name must be between 4 and 64 characters. All characters are accepted except the space and special characters (!@#$%^&<>?...). Give a channel name from which the type of traffic attack described by the Application anomaly can be easily recognized. (Application No. : Channel No. are the application and channel numbers that the system uses to identify the kind of application and channel. The application number for a Protocol-Misuse anomaly is 20000.)
2. Select Disabled or Enabled from the Status drop-down list.
This function allows you to activate or deactivate the Application anomaly whenever needed. Once you disable the anomaly, the system will not check for this type of anomaly when analyzing the received traffic flows.
3. Enter additional information in the Remarks field if necessary.
Up to 400 characters are allowed.
4. Specify the Attack Type, Worm or DDoS, from the drop-down list. If the Attack Type is set to Worm and the status is Enabled, users can view the worm reports in the Anomaly Activities/Worm function.
5. Define the following traffic characteristics for the Application anomaly you are configuring.
Number of Packets Per Flow: check the check box to make the comparison drop-down list (=, >, <) configurable. Select a comparison sign and input the number of packets per flow (an integer greater than 0) in the blank next to the drop-down list.
Number of Bytes Per Flow: check the check box to make the comparison drop-down list (=, >, <) configurable. Select a comparison sign and input the byte count per flow (an integer greater than 0) in the blank next to the drop-down list.
Number of Bytes Per Packet: check the check box to make the comparison drop-down list (=, >, <) configurable. Select a comparison sign and input the byte count per packet (an integer greater than 0) in the blank next to the drop-down list.
TCP Flag: check the check box to make the drop-down lists of all flags configurable. Select the value for each flag.
Note
There are six TCP flags (URG, ACK, PSH, RST, SYN, and FIN in the TCP header) and three values with different meanings for setting each flag: X (Ignore), 1 (Flag On), and 0 (Flag Off). Ignore: the system does not check this bit; On: the system collects traffic information about TCP packets with this flag bit set; Off: the system collects traffic information about TCP packets with this flag bit cleared.
TOS Value: check the check box to make the drop-down lists of all values configurable. Select the value for each bit of the TOS field in the IP header.
Note
There are three values with different meanings for setting each bit: X (Ignore), 1 (Flag On), and 0 (Flag Off). Ignore: the system does not check this bit; On: the system collects traffic information about IP packets with this bit On in the TOS field; Off: the system collects traffic information about IP packets with this bit Off in the TOS field.
Protocol: check the check box to make the protocol drop-down list configurable, then select a protocol from the drop-down list. If you select the ICMP protocol, you have to specify its message type and code.
Note
The ICMP protocol works with message type and code. An error message will pop up to remind you that port numbers are not supported for ICMP.
Port: once you have selected the TCP or UDP protocol in the Protocol characteristic, you can specify the port numbers. Check the check box to make this item configurable. Select Source or Destination, Source, or Destination from the drop-down list, and then input the port number in the blank on the right. The port number must be between 0 and 65535. Multiple port numbers are separated by commas, and up to 36 port numbers are supported.
Dark IP: check the check box to enable Dark IP detection. When an IP address cannot be found by BGP lookup or is not a private IP address defined in the Home Network, it is considered a Dark IP address.
Prefix: check the check box to enable the IP Blacklist mechanism. This mechanism allows users to use IP prefixes as one part of the criteria defining an Application Anomaly signature, for undesirable traffic from specific hosts that keep sending malicious traffic. After checking the check box and selecting the destination or source traffic direction, enter the desired IP prefixes in CIDR format (up to 64 prefixes are supported). Note that once you enable this function, the Dark IP check box is not available.
6. Configure the baseline template for the added application anomaly.
The following items need to be configured:
Event Threshold: input the Event Threshold value (only integers from 1 to 4294967296 are accepted).
Unit: select the unit from the drop-down list (bps: bits per second; Kbps: kilobits per second; Mbps: megabits per second; Gbps: gigabits per second; pps: packets per second; Kpps: kilopackets per second; Mpps: megapackets per second; Gpps: gigapackets per second).
Severity Latency: select a time from the drop-down list. Severity Latency is a time period parameter that controls when an anomaly severity changes from YELLOW to RED. Once the detected traffic rate is higher than the configured event threshold, an anomaly event is generated with the severity YELLOW. If the detected event stays at the YELLOW level for a period longer than the configured severity latency, the anomaly severity becomes RED. The configurable values are from 2 to 30 (minutes) and Forever (the default is 3 minutes). If the severity latency is configured as Forever, there will be no RED anomaly.
Recover Latency: select a time from the drop-down list. Recover Latency is a time period parameter that controls when an anomaly severity recovers from YELLOW. When the detected traffic rate is lower than the configured anomaly threshold and stays lower for longer than the recover latency, the anomaly status changes to Recovered. Its configurable values are from 2 to 30 (minutes).
7. Click on Submit button to complete the configuration.
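As an added example (not part of the manual or of GenieATM's own code), the Python below evaluates the step 5 traffic characteristics against constructed flow records, including the X/1/0 TCP flag semantics, and walks a per-minute rate series through the step 6 YELLOW, RED and Recovered transitions. The Flow and Signature classes, the one-minute sampling interval, and the sample signature and flows are assumptions of this illustration.

```python
from __future__ import annotations

import operator
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Bit values of the six TCP flags a signature can test (URG, ACK, PSH, RST, SYN, FIN),
# as OR-ed together in the tcp_flags byte of an exported flow record.
TCP_FLAG_BITS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
# The comparison signs offered in the =, >, < drop-down lists.
OPS = {"=": operator.eq, ">": operator.gt, "<": operator.lt}

@dataclass
class Flow:
    """One flow record (constructed layout for this example, not GenieATM's own)."""
    src: str
    dst: str
    proto: str          # "TCP", "UDP" or "ICMP"
    sport: int
    dport: int
    packets: int
    octets: int
    tcp_flags: int = 0  # cumulative flags seen in the flow

@dataclass
class Signature:
    """Traffic characteristics of step 5; None means the check box was left unchecked."""
    name: str
    packets_per_flow: Optional[tuple[str, int]] = None    # (comparison sign, value)
    bytes_per_flow: Optional[tuple[str, int]] = None
    bytes_per_packet: Optional[tuple[str, int]] = None
    tcp_flags: dict[str, str] = field(default_factory=dict)  # flag -> "X" ignore, "1" on, "0" off
    protocol: Optional[str] = None
    port: Optional[tuple[str, set[int]]] = None           # (direction, ports); direction is
    prefixes: Optional[tuple[str, list[str]]] = None      #   "source", "destination" or "source or destination"

def check(rule: Optional[tuple[str, int]], actual: int) -> bool:
    """An unchecked characteristic always passes; a checked one must compare true."""
    return rule is None or OPS[rule[0]](actual, rule[1])

def matches(sig: Signature, flow: Flow) -> bool:
    """True when every enabled characteristic of the signature holds for the flow."""
    if sig.protocol is not None and flow.proto != sig.protocol:
        return False
    if not (check(sig.packets_per_flow, flow.packets) and check(sig.bytes_per_flow, flow.octets)
            and check(sig.bytes_per_packet, flow.octets // max(flow.packets, 1))):
        return False
    for flag, want in sig.tcp_flags.items():
        if want != "X" and bool(flow.tcp_flags & TCP_FLAG_BITS[flag]) != (want == "1"):
            return False                 # "X" (Ignore) skips the bit entirely
    if sig.port is not None:
        direction, ports = sig.port
        seen = {"source": {flow.sport}, "destination": {flow.dport}}.get(direction, {flow.sport, flow.dport})
        if not seen & ports:
            return False
    if sig.prefixes is not None:
        direction, cidrs = sig.prefixes
        addr = ip_address(flow.src if direction == "source" else flow.dst)
        if not any(addr in ip_network(c) for c in cidrs):
            return False
    return True

def severity_timeline(rates, threshold, severity_latency, recover_latency):
    """Step 6 baseline behaviour, one label per sample (samples assumed one minute apart).
    Above the event threshold -> YELLOW; YELLOW for longer than severity_latency -> RED
    (None models Forever: never RED); at or below the threshold for longer than
    recover_latency -> RECOVERED."""
    state, above_since, below_since, out = "NONE", None, None, []
    for t, rate in enumerate(rates):
        if rate > threshold:
            below_since = None
            if state in ("NONE", "RECOVERED"):
                state, above_since = "YELLOW", t
            elif state == "YELLOW" and severity_latency is not None and t - above_since > severity_latency:
                state = "RED"
        elif state in ("YELLOW", "RED"):
            below_since = t if below_since is None else below_since
            if t - below_since > recover_latency:
                state = "RECOVERED"
        out.append(state)
    return out

# Constructed signature and flows; the port and addresses are documentation values, not indicators.
PROBE = Signature("small-syn-probe", packets_per_flow=("=", 1), bytes_per_packet=("<", 64),
                  tcp_flags={"SYN": "1", "ACK": "0", "RST": "X"}, protocol="TCP",
                  port=("destination", {8080}), prefixes=("destination", ["192.0.2.0/24"]))
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "192.0.2.10", "TCP", 40000, 8080, 1, 48, 0x02),   # SYN only: matches
    Flow("198.51.100.7", "192.0.2.10", "TCP", 40001, 8080, 1, 48, 0x12),   # SYN+ACK: ACK must be off
    Flow("198.51.100.7", "203.0.113.5", "TCP", 40002, 8080, 1, 48, 0x02),  # outside the prefix
    Flow("198.51.100.7", "192.0.2.10", "UDP", 40003, 8080, 1, 48),         # wrong protocol
]

def evaluate_samples() -> list[bool]:
    """Match the constructed signature against each constructed flow."""
    return [matches(PROBE, f) for f in SAMPLE_FLOWS]
```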
Figure 3.3.12-7 System Admin / Network / Anomaly / Application Anomaly -- Edit Application Anomaly Window
(Please refer to the previous To add an Application anomaly section for the following steps of your modification.) For the built-in system application anomalies, we strongly recommend not changing the default settings unless necessary.
1. Provide new information in the fields that you want to modify.
2. Click on the Submit button to complete the modification.
Figure 3.3.12-8 System Admin / Network / Anomaly / Application Anomaly -- View Application Anomaly Window
1. Click on an ID or Name to enter the View Application Anomaly window.
When you move the cursor over an ID/Name listed in the ID/Name column, the pointed ID/Name turns blue.
2. Click on the Back to List button to return to the Application Anomaly management window.
3.3.13 Template
The Template menu allows users to create reusable templates for baselines and boundaries. A baseline template is used for the traffic statistics of the link layer, BGP messages, anomaly traffic monitoring, and rule-based Filter traffic; a boundary template defines a boundary that can be applied to sub-networks.
After clicking on the Template menu displayed on the Sub Menu tree of System Admin/Network at the left side of the screen, the Baseline Management window (the default window) will be shown. Users can see the sub-menu tabs Baseline, Sub-Network Boundary, Server-farm Boundary and TopN Report at the top of the screen (See Figure 3.3.13-1).
Baseline Template
Once you click on the Template menu, you directly enter the Baseline Template management window. The most recently added baseline template is displayed in the first row of the list. The following sections introduce how to add, edit, and delete a baseline template, and how to view the profile of a baseline template. There are five types of baseline templates: Interface Traffic, BGP Update Message, Traffic Anomaly - SubNetwork, Traffic Anomaly - Filter, and Router Performance. The system provides some built-in baseline templates, which cannot be removed, but users can add new ones.
Figure 3.3.13-2 System Admin / Network / Template / Baseline -- Add Baseline Template Window (Interface Traffic Type)
1. Select the baseline type from the Type drop-down list.
If you select the Interface Traffic type, follow step 3 below to configure its thresholds;
if you select the BGP Update Message type, follow step 4 below to configure its threshold;
if you select the Traffic Anomaly type, follow step 5 below to configure its thresholds;
if you select the Traffic Anomaly - Filter type, follow step 6 below to configure its thresholds;
if you select the Router Performance type, follow step 7 below to configure its thresholds.
Please refer to the following descriptions for what you need to know before you start to configure the baseline thresholds.
Auto Learning: only applies to the High Watermark of Traffic Anomaly - Sub-Network and Traffic Anomaly - Filter. There are three options available when the traffic anomaly baseline
should also set the severity & recover latencies for the Throughput thresholds by selecting
the time periods (Default is 5 minutes) respectively from the Severity & Recover Latency
drop-down lists.
Packets: select Enabled from the High/Low Watermark drop-down list if you want to perform High/Low Watermark checking by packet rate. Once Enabled is selected, you have to input the Event Threshold value (only integers from 1 to 4294967296 are accepted) and select the unit from the Unit drop-down list (pps: packets per second; Kpps: kilo-packets per second; Mpps: mega-packets per second; Gpps: giga-packets per second). You should also set the severity & recover latencies for the Packets thresholds by selecting the time periods (the default is 5 minutes) from the Severity & Recover Latency drop-down lists.
Interface Utilization: select Enabled from the High/Low Watermark drop-down list if you want to perform High/Low Watermark checking by interface link utilization. Once Enabled is selected, you have to input the Event Threshold value (only values from 0.0001 to 100 are accepted); the unit is percentage (%). You should also set the severity & recover latencies for the Interface Utilization thresholds by selecting the time periods (the default is 5 minutes) from the Severity & Recover Latency drop-down lists.
(CRC) Errors: select Enabled from the High Watermark drop-down list if you want to perform High Watermark checking by CRC errors. Once Enabled is selected, you have to input the Event Threshold value; the unit is counts per 5 minutes. You should also set the severity & recover latencies for the (CRC) Errors thresholds by selecting the time periods (the default is 5 minutes) from the Severity & Recover Latency drop-down lists.
Discards: select Enabled from the High Watermark drop-down list if you want to perform High Watermark checking by discarded packets. Once Enabled is selected, you have to input the Event Threshold value; the unit is counts per 5 minutes. You should also set the severity & recover latencies for the Discards thresholds by selecting the time periods (the default is 5 minutes) from the Severity & Recover Latency drop-down lists.
Percentage of Multicast + Broadcast: select Enabled from the High Watermark drop-down list if you want to perform High Watermark checking by the percentage of Multicast + Broadcast packets. Once Enabled is selected, you have to input the Event Threshold value (only values from 0.0001 to 100 are accepted); the unit is percentage (%). You should also set the severity & recover latencies for the Percentage of Multicast + Broadcast thresholds by selecting the time periods (the default is 5 minutes) from the Severity & Recover Latency drop-down lists.
4. Enter the following threshold for the baseline if you selected the BGP Update Message type in step 1 (See Figure 3.3.13-3).
BGP update message: enter the High Watermark value as the number of BGP update messages received per 5 minutes.
Figure 3.3.13-3 System Admin / Network / Template / Baseline -- Add Baseline Template Window (BGP Update Message Type)
5. Select the learning period and enter the following thresholds for the baseline if you selected the Traffic Anomaly type in step 1. (See Figure 3.3.13-4) The low watermark must be less than the high watermark if both are enabled.
Initial Learning Period: select a time period (1 to 30 days) from the Initial Learning Period drop-down list (the default is 15 days) if any high watermark of the BPS or PPS anomaly threshold is configured as Auto. For each anomaly type, the learning period applies to all of its anomaly thresholds.
BPS (bits per second): select Enabled from the High/Low Watermark drop-down list if you want to perform High/Low Watermark checking by BPS. Configuring the High Watermark differs from configuring the Low Watermark. For the High Watermark, you need to choose either the Auto or the Fixed method of anomaly detection. Once Fixed is selected, you have to input the Event Threshold value (only integers from 1 to 4294967296 are accepted) and select the unit from the Unit drop-down list (bps: bits per second; Kbps: kilobits per second; Mbps: megabits per second; Gbps: gigabits per second). If you select Auto, you do not need to input the Event Threshold value, but you may optionally input a Significant Threshold value. For the Low Watermark, Auto and the Significant Threshold value are unavailable. Whether the High or the Low Watermark is enabled, you should set the severity & recover latencies for the BPS thresholds by selecting the time periods (the default is 3 minutes) from the Severity & Recover Latency drop-down lists. Input the Tolerance value if the Auto method of the High Watermark is enabled.
PPS (packets per second): select Enabled from the High/Low Watermark drop-down list if you want to perform High/Low Watermark checking by PPS. Configuring the High Watermark differs from configuring the Low Watermark. For the High Watermark, you need to choose either the Auto or the Fixed method of anomaly detection. Once Fixed is selected, you have to input the Event Threshold value (only integers from 1 to 4294967296 are accepted) and select the unit from the Unit drop-down list (pps: packets per second; Kpps: kilo-packets per second; Mpps: mega-packets per second; Gpps: giga-packets per second). If you select Auto, you do not need to input the Event Threshold value, but you may optionally input a Significant Threshold value. For the Low Watermark, Auto and the Significant Threshold value are unavailable. Whether the High or the Low Watermark is enabled, you should set the severity & recover latencies for the PPS thresholds by selecting the time periods (the default is 3 minutes) from the Severity & Recover Latency drop-down lists. Input the Tolerance value if the Auto method of the High Watermark is enabled.
Figure 3.3.13-4 System Admin / Network / Template / Baseline -- Add Baseline Template Window (Traffic Anomaly Type)
6. Select the learning period and enter the following thresholds for the baseline if you selected the Traffic Anomaly - Filter type in step 1. (See Figure 3.3.13-5) The low watermark must be less than the high watermark if both are enabled.
Initial Learning Period: select a time period (1 to 30 days) from the Initial Learning Period drop-down list (the default is 15 days) if any high watermark of the BPS, PPS, or FPS anomaly threshold is configured as Auto. For each anomaly type, the learning period applies to all of its anomaly thresholds.
BPS (bits per second): select Enabled from the High/Low Watermark drop-down list if you want to perform High/Low Watermark checking by BPS. Configuring the High Watermark differs from configuring the Low Watermark. For the High Watermark, you need to choose either the Auto or the Fixed method of anomaly detection. Once Fixed is selected, you have to input the Event Threshold value (only integers from 1 to 4294967296 are accepted) and select the unit from the Unit drop-down list (bps: bits per second; Kbps: kilobits per second; Mbps: megabits per second; Gbps: gigabits per second). If you select Auto, you do not need to input the Event Threshold value, but you may optionally input a Significant Threshold value. For the Low Watermark, Auto and the Significant Threshold value are unavailable. Whether the High or the Low Watermark is enabled, you should set the severity & recover latencies for the BPS thresholds by selecting the time periods (the default is 5 minutes) from the Severity & Recover Latency drop-down lists. Input the Tolerance value if the Auto method of the High Watermark is enabled.
PPS (packets per second): select Enabled from the High/Low Watermark drop-down list if you want to perform High/Low Watermark checking by PPS. Configuring the High Watermark differs from configuring the Low Watermark. For the High Watermark, you need to choose either the Auto or the Fixed method of anomaly detection. Once Fixed is selected, you have to input the Event Threshold value (only integers from 1 to 4294967296 are accepted) and select the unit from the Unit drop-down list (pps: packets per second; Kpps: kilo-packets per second; Mpps: mega-packets per second; Gpps: giga-packets per second). If you select Auto, you do not need to input the Event Threshold value, but you may optionally input a Significant Threshold value. For the Low Watermark, Auto and the Significant Threshold value are unavailable. Whether the High or the Low Watermark is enabled, you should set the severity & recover latencies for the PPS thresholds by selecting the time periods (the default is 5 minutes) from the Severity & Recover Latency drop-down lists. Input the Tolerance value if the Auto method of the High Watermark is enabled.
FPS (flows per second): select Enabled from the High/Low Watermark drop-down list if you want to perform High/Low Watermark checking by FPS. Configuring the High Watermark differs from configuring the Low Watermark. For the High Watermark, you need to choose either the Auto or the Fixed method of anomaly detection. Once Fixed is selected, you have to input the Event Threshold value (only integers from 1 to 4294967296 are accepted) and select the unit from the Unit drop-down list (fps: flows per second; Kpps: kilo-flows per second; Mbps: mega-flows per second; Gbps: giga-flows per second). If you select Auto, you do not need to input the Event Threshold value, but you may optionally input a Significant Threshold value. For the Low Watermark, Auto and the Significant Threshold value are unavailable. Whether the High or the Low Watermark is enabled, you should set the severity & recover latencies for the FPS thresholds by selecting the time periods (the default is 3 minutes) from the Severity & Recover Latency drop-down lists. Input the Tolerance value if the Auto method of the High Watermark is enabled.
Figure 3.3.13-5 System Admin / Network / Template / Baseline -- Add Baseline Template Window (Traffic Anomaly - Filter Type)
7. Select the learning period and enter the following thresholds for the baseline if you selected the Router Performance type in step 1 (See Figure 3.3.13-6). The low watermark must be less than the high watermark if both are enabled.
CPU: select Enabled from the High Watermark drop-down list if you want to perform High Watermark checking by CPU usage percentage.
Memory: select Enabled from the High Watermark drop-down list if you want to perform High Watermark checking by memory usage percentage.
Figure 3.3.13-6 System Admin / Network / Template / Baseline -- Add Baseline Template Window (Router Performance Type)
8. Click on the Submit button to complete the configuration; the screen will then show the settings. You can click on the Back to List button to go back to the Baseline Template view list.
Figure 3.3.13-7 System Admin / Network / Template / Baseline -- Edit Baseline Template Window
(Please refer to the previous To add a baseline template section for the following steps of your modification.)
1. Provide new information in the fields that you want to modify.
2. Click on the Submit button to complete the modification.
Figure 3.3.13-8 System Admin / Network / Template / Baseline -- View Baseline Template Window
1. Click on an ID or Name to enter the View Baseline Template window.
When you move the cursor over an ID/Name listed in the ID/Name column, the pointed ID/Name turns blue. The Applied table displays all anomaly signatures to which the viewed baseline template is applied.
2. Click on the Back to List button to return to the Baseline Template management window.
3.3.13.2
Sub-Network Boundary
Figure 3.3.13-9 System Admin / Network / Template / Sub-Network Boundary Template Management
Window
Figure 3.3.13-10 System Admin / Network / Template / Sub-Network Boundary -- Add Sub-Network
Boundary Template Window
1. Enter the name of the sub-network boundary template in the Name field.
The number of inputted characters must be between 2 and 40. All characters are accepted
except space and special characters (!@#$%^&<>?...).
2. Select a router group from the Router Group drop-down list.
All router groups configured in the Group/Router function of Preferences will be shown in this
Figure 3.3.13-11 System Admin / Network / Template / Sub-Network Boundary -- Edit Sub-Network
Boundary Template Window
(Please refer to the previous "To add a sub-network boundary template" section for the following
modification steps.)
1. Enter new values in the fields you want to modify.
2. Click on Submit button to complete the modification.
Note
Users can still add a new sub-network boundary by clicking on the "Save As New Boundary"
button after editing the sub-network boundary.
Figure 3.3.13-12 System Admin / Network / Template / Sub-Network Boundary -- View Sub-Network
Boundary Template Window
1. Click on an ID or Name to enter the View Sub-Network Boundary Template window.
When you move the cursor over an ID/Name in the ID/Name column, the pointed ID/Name turns
blue. The Applied table displays all sub-network entities to which the viewed sub-network
boundary template is applied.
2. Click on Back to List button to return to the Sub-Network Boundary Template
management window.
3.3.13.3
Server-farm Boundary
Click on the Server-farm boundary sub-menu tab of Template to enter the Server-farm boundary
Template management window (See Figure 3.3.13-13). The most recently added boundary template
is displayed in the first row of the list. The following sections introduce how to add, edit, and
delete a server-farm boundary template, and how to view the profile of a server-farm boundary
template.
Figure 3.3.13-13 System Admin / Network / Template / Server-farm boundary Template Management
Window
Figure 3.3.13-14 System Admin / Network / Template / Server-farm boundary -- Add Server-farm
boundary Template Window
1. Enter the name of the server-farm boundary template in the Name field.
The number of inputted characters must be between 2 and 40. All characters are accepted
except space and special characters (!@#$%^&<>?...).
2. Select a router group from the Router Group drop-down list.
All router groups configured in the Group/Router function of Preferences will be shown in this
drop-down list. (Default is All Routers)
icon to enter the Edit Server-farm boundary Template window. (See Figure
Figure 3.3.13-15 System Admin / Network / Template / Server-farm boundary -- Edit Server-farm
boundary Template Window
(Please refer to the previous "To add a server-farm boundary template" section for the following
modification steps.)
1. Enter new values in the fields you want to modify.
2. Click on Submit button to complete the modification.
Note
Users can still add a new server-farm boundary by clicking on the "Save As New Boundary"
button after editing the server-farm boundary.
Figure 3.3.13-16 System Admin / Network / Template / Server-farm boundary -- View Server-farm
Boundary Template Window
1. Click on an ID or Name to enter the View Server-farm Boundary Template window.
When you move the cursor over an ID/Name in the ID/Name column, the pointed ID/Name turns
blue. The Applied table displays all Server entities to which the viewed server-farm boundary
template is applied.
2. Click on Back to List button to return to the Server-farm boundary Template management
window.
3.3.13.4
Click on the Server TopN Report sub-menu tab of System Admin/Network/Template to enter the
TopN Report Template management window (See Figure 3.3.13-17). The most recently added TopN
Report template is displayed in the first row of the list. The following sections introduce how to
add, edit, and delete a TopN Report template.
Note
The defined TopN Report Templates are offered when users add TopN reports while creating a
Server farm in the System Admin/Network/Server function.
Figure 3.3.13-17 System Admin / Network / Template / Server TopN Report -- TopN Report Template
Window
Figure 3.3.13-18 System Admin / Network / Template / Server TopN Report -- Add Server-farm TopN
Report Template Window
1. Enter the information in all fields: (The asterisk "*" indicates a mandatory field.)
Name: input a name for the TopN report. The number of inputted characters must be
between 2 and 40. All characters are accepted except space and special characters
(!@#$%^&<>?...).
Status: select Disabled or Enabled from the Status drop-down list. This lets you activate or
deactivate the TopN report of a Server farm whenever needed.
Aggregation Keys: select an aggregation element from the text box. The aggregation
elements include Source/Destination IP, Source/Destination Protocol/Port, Application on
Source/Destination, TCP Flag, TOS Value, Protocol, and so on.
Number of Top-N: select the N value of Top-N from the Number of Top-N drop-down list; this
many entries of traffic statistics will be saved to the database and displayed in Rule-based
reports. The available selections are 16 (default), 32, 64, 128, and 256.
2. Click on Submit button to complete the configuration.
Figure 3.3.13-19 System Admin / Network / Template / Server TopN Report -- Edit Server-farm TopN
Window
(Please refer to the previous "To add a TopN report template" section for your modification.)
Note that the aggregation elements cannot be changed once the TopN report has been created;
to change them, create a new template to replace the old one. Enter new values in the
fields/options you want to modify and then click on Submit button to complete the modification.
3.4
Configuration
GenieATM offers backup, dispatching, and restoration of the configuration settings of the System
Admin / Network menu. When users change any settings in the sub functions under the Network
menu (including Home Network, Router, Internet Boundary, Backbone Links, Neighbor,
Sub-Network, Filter, Application, Anomaly, and Template), the changed configuration can be saved
as a record and downloaded to the user's computer for backup. When users need to restore this
backup configuration, they can upload the backup configuration file to the Controller. Note,
however, that a configuration saved in the Controller has no effect until it has been dispatched
to Collectors.
Click on Configuration menu displayed on the Sub Menu tree of System Admin at the left side of
the screen to enter the Configuration Management window (As presented at Figure 3.4-1). There
are four parts in the Configuration Management window:
Current Configuration: this part allows users to save the present Network settings as a record
and dispatch it to Collectors. The present Network settings do not take effect until they are
dispatched to Collectors.
Last Dispatched Configuration: this part shows the last dispatched version of the configuration
settings and its dispatch status, and lets users get detailed information on the last dispatch.
The status can be one of three values: Synchronizing -- the Controller is dispatching the
Network configuration to Collectors; Completed -- the Controller has finished all dispatching jobs
to Collectors and all of them were successful; Completed Partially -- the Controller has finished all
dispatching jobs to Collectors but only some of them were successful.
Saved Configuration: this part displays all saved configuration records, and allows users to
download / upload a saved configuration to / from a local host, to delete a saved DB
configuration file, and to restore and dispatch an uploaded one.
Status: this part is displayed above the Saved Configuration view list only after users take
some action. It shows the result or detailed information of that action.
The following sections will introduce the operation and function of Configuration Management.
Note
Only users with administrator authority, or the superuser authority defined by template, can
access the Configuration menu.
If the home network area or at least one router is not configured (in other words, both must be
configured in the system), the system will not allow users to dispatch the changed
configuration.
Figure 3.4-2 System Admin / Configuration Dispatch Network Configuration and Save Window
3.5
Mitigation
The Mitigation sub menu of Network is for users to configure the essential mitigation elements
for the two supported mitigation methods (Hardware Mitigation and Blackhole). When users click
on the unfolding mark of Mitigation, its sub menus, Blackhole and Device, unfold. The Blackhole
menu configures the basic element for the Blackhole mitigation method, and the Device menu
manages Cisco Guard devices for the Hardware Mitigation method. Do not confuse this with the
Mitigation Main Menu tree, which is for taking and managing mitigation actions.
Note
Only users with administrator authority, or the superuser authority defined by template, can
access the Mitigation sub menu of System Admin.
3.5.1
Blackhole
The Blackhole menu (on the Mitigation sub menu of System Admin Main Menu tree at the left
side of the screen) is used to configure Blackhole next hop for creating Blackhole mitigation
actions. After clicking on Blackhole menu, a page with the Blackhole title will be shown (See
Figure 3.5.1-1).
Figure 3.5.1-3 System Admin / Mitigation / Blackhole -- Add Blackhole Policy Window
Figure 3.5.1-4 System Admin / Mitigation / Blackhole -- Edit Blackhole Policy Window
(Please refer to the previous "To add a Blackhole Policy" section for the following modification
steps. The asterisk "*" indicates a mandatory field.)
1. Enter new values in the fields you want to modify.
2. Click on Submit button to complete the modification.
Figure 3.5.1-5 System Admin / Mitigation / Blackhole -- View Blackhole Policy Window
1. Click on an ID/Name to enter the View Blackhole Policy window.
When you move the cursor over an ID/Name in the ID/Name column, the pointed ID/Name turns
blue.
2. Click on Back to List button to return to the Blackhole management window.
3.5.2
Device
The Device menu allows users to add Guard/Eudemon devices into the system for scrubbing attack
traffic and redirecting normal traffic back to its original destination. The Guard/Eudemon
devices added here are used when configuring Hardware Mitigation actions (on the Hardware
Mitigation sub menu of the Mitigation main menu). This function mainly provides the
Guard/Eudemon device information that GenieATM needs to provision the devices. Here, users
can generate the SSH host key for SSH access from GenieATM to the Guard and configure the
Guard into the system.
After clicking on the Device menu displayed on the Sub Menu tree of Mitigation at the left side
of the screen, the Guard management window (the default window) will be shown. Users can
see the sub-menu tabs, Cisco Guard, Eudemon and Global, above the screen (See Figure
3.5.2-1). The Global sub-menu tab is used to generate the SSH host key. Users should generate
a host key before adding a Guard.
3.5.2.1
Guard
Once you click on Device menu, you will directly enter the Guard management window. The
latest added Guard will be displayed at the first row of the list. The following sections are going to
introduce how to add, edit, and delete a Guard device, and how to view the profile of a Guard
device.
Figure 3.5.2-2 System Admin / Mitigation / Device / Cisco Guard -- Add Guard Window
1. Provide Guard information to the following fields: (The asterisk "*" indicates a mandatory
field.)
Name: Give a name for this Guard. (It is only for the purpose of identification.) The number
of inputted characters must be between 2 and 40. All characters are accepted except space
and special characters (!@#$%^&<>?...).
IP Address: The IP address of the Guard. The inputted format is xxx.xxx.xxx.xxx.
Device Type: select the device type of the Guard from the drop-down list. The supported
types are Cisco Guard and Leadsec Guard.
SSH:
Username: Input an available user account on your Guard. The number of inputted
characters must be between 2 and 64. Default is admin.
Password: Input the password of the specified user account in the Username field. The
number of inputted characters must be between 2 and 64.
Port: Input a port number to connect to Guard with SSH. The available value is between 1
and 65535. Default is 22.
SNMP:
Read Community String: The password used to connect to the Guard. Enter the Guard's SNMP
read community string. Note that retrieving the Guard's information will fail if the read-only
community string you provide is not correct. The number of inputted characters must be
between 2 and 64.
SNMP Version: Select the SNMP version used to contact the Guard. Note that this item is
available only if the IP address and its community string are provided. Only SNMP version 2c
is supported. Click on the SNMP WALK >> button to get the current Guard's information.
The results of the SNMP query will be displayed in a yellow block at the upper-right side of the
screen, including the Guard's system object ID, description, name, and rhNESw version.
Time Out of SNMP Polling: Select a time from the drop-down list. Users can manually
configure the waiting time for each SNMP polling request. Available selections are 1 to 15
(seconds) and the default value is 5 seconds.
Retries of SNMP Polling: Select a setting from the drop-down list. Users can also configure
how many times SNMP polling is retried. Once the collector does not get an SNMP polling
response from the Guard within the configured time out, the system will send the SNMP polling
request again. Available selections are 1, 2, and 3 (times) and the default value is 2 times.
Auto-Mitigation:
Auto-mitigation: Select Enabled to perform the mitigation automatically; otherwise select
Disabled. The default setting is Disabled.
Triggered Severity: Select the severity, red or yellow, that triggers the auto-mitigation, if the
auto-mitigation function is enabled.
Bandwidth: Set the capacity of the Guard device. Once the volume of attack traffic exceeds the
capacity of the Guard device, the mitigation action will not be executed.
Time Out: Set the time-out duration after which the mitigation action stops.
2. Click on the Update button displayed at the top of the Zone Table to get the latest zone
information configured on the Guard. The Zone Table information includes No., Zone ID, Zone
Name, Prefix #, Prefix, Status and Auto. Each zone has its own auto control; the system default
is disabled.
3. Click on Submit button to complete the configuration.
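The input checks below, added here as an example that is not GenieATM code, encode the limits the manual gives for the Add Guard fields. The field names, the bandwidth unit and the error strings are assumptions, and the forbidden-character set is just the characters the manual lists.

```python
"""Input checks for the Add Guard form (added example, not GenieATM code).

Field names, the bandwidth unit and the exact error strings are assumptions;
the limits themselves are the ones the manual states for each field.
"""
import re
from typing import Any, Dict, List

# Characters the manual lists as rejected in names (its list ends in "...",
# so a real deployment may reject more).
NAME_FORBIDDEN = set(" !@#$%^&<>?")
DEVICE_TYPES = {"Cisco Guard", "Leadsec Guard"}
SEVERITIES = {"red", "yellow"}
SWITCH = {"Enabled", "Disabled"}


def _text_len_ok(value: Any, lo: int, hi: int) -> bool:
    return isinstance(value, str) and lo <= len(value) <= hi


def _int_in(value: Any, lo: int, hi: int) -> bool:
    return isinstance(value, int) and not isinstance(value, bool) and lo <= value <= hi


def valid_ipv4(text: Any) -> bool:
    """Dotted quad xxx.xxx.xxx.xxx with every octet in 0..255."""
    if not isinstance(text, str) or not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", text):
        return False
    return all(int(octet) <= 255 for octet in text.split("."))


def validate_guard(form: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the form is acceptable."""
    errors: List[str] = []

    name = form.get("name", "")
    if not _text_len_ok(name, 2, 40):
        errors.append("name: must be 2 to 40 characters")
    elif any(ch in NAME_FORBIDDEN for ch in name):
        errors.append("name: spaces and special characters are not allowed")

    if not valid_ipv4(form.get("ip_address")):
        errors.append("ip_address: must be xxx.xxx.xxx.xxx")

    if form.get("device_type") not in DEVICE_TYPES:
        errors.append("device_type: must be Cisco Guard or Leadsec Guard")

    # SSH block: username/password 2..64 characters, port 1..65535 (default 22)
    if not _text_len_ok(form.get("ssh_username", "admin"), 2, 64):
        errors.append("ssh_username: must be 2 to 64 characters")
    if not _text_len_ok(form.get("ssh_password", ""), 2, 64):
        errors.append("ssh_password: must be 2 to 64 characters")
    if not _int_in(form.get("ssh_port", 22), 1, 65535):
        errors.append("ssh_port: must be between 1 and 65535")

    # SNMP block: community 2..64 characters, timeout 1..15 s, retries 1..3
    if not _text_len_ok(form.get("snmp_read_community", ""), 2, 64):
        errors.append("snmp_read_community: must be 2 to 64 characters")
    if not _int_in(form.get("snmp_timeout", 5), 1, 15):
        errors.append("snmp_timeout: must be 1 to 15 seconds")
    if not _int_in(form.get("snmp_retries", 2), 1, 3):
        errors.append("snmp_retries: must be 1 to 3 times")

    # Auto-Mitigation block: severity and capacity only matter when enabled
    auto = form.get("auto_mitigation", "Disabled")
    if auto not in SWITCH:
        errors.append("auto_mitigation: must be Enabled or Disabled")
    elif auto == "Enabled":
        if form.get("triggered_severity") not in SEVERITIES:
            errors.append("triggered_severity: must be red or yellow")
        bandwidth = form.get("bandwidth_mbps")
        if (not isinstance(bandwidth, (int, float)) or isinstance(bandwidth, bool)
                or bandwidth <= 0):
            errors.append("bandwidth_mbps: must be a positive capacity")
    return errors


if __name__ == "__main__":
    # Constructed form values, not taken from any real deployment.
    sample = {"name": "edge-guard-1", "ip_address": "192.0.2.10",
              "device_type": "Cisco Guard", "ssh_username": "admin",
              "ssh_password": "s3cret-pw", "ssh_port": 22,
              "snmp_read_community": "public", "snmp_timeout": 5,
              "snmp_retries": 2, "auto_mitigation": "Enabled",
              "triggered_severity": "red", "bandwidth_mbps": 1000}
    print(validate_guard(sample) or "form accepted")
```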
To edit a Guard
Click on icon to enter the Edit Guard window. (See Figure 3.5.2-3)
Figure 3.5.2-3 System Admin / Mitigation / Device / Cisco Guard -- Edit Guard Window
(Please refer to the previous "To add a Guard" section for the following modification steps.
The asterisk "*" indicates a mandatory field.)
1. Enter new values in the fields you want to modify.
2. Click on Submit button to complete the modification.
To delete a Guard
1. Click on the delete icon .
A Delete page with the detailed configuration will be shown. The system reminds you that all
configurations using this Guard will be affected if the Guard is deleted.
2. Click on Submit button to remove the Guard from the system.
Figure 3.5.2-4 System Admin / Mitigation / Device / Cisco Guard -- View Guard Window
1. Click on an ID/Name to enter the View Guard window.
When you move the cursor over an ID/Name in the ID/Name column, the pointed ID/Name turns
blue.
2. Click on Back to List button to return to the Guard management window.
3.5.2.2
Eudemon
Click on Eudemon sub-menu to enter the Eudemon management window (See Figure 3.5.2-5).
The latest added Eudemon will be displayed at the first row of the list. The following sections are
going to introduce how to add, edit, and delete a Eudemon device, and how to view the profile of
a Eudemon.
Figure 3.5.2-5 System Admin / Mitigation / Device / Eudemon -- Eudemon Management Window
To add a Eudemon
Click on Add button at the top of the Eudemon view list to enter the Add Eudemon window
(See Figure 3.5.2-6).
Figure 3.5.2-6 System Admin / Mitigation / Device / Eudemon -- Add Eudemon Window
1. Provide Eudemon information to the following fields: (The asterisk "*" indicates a mandatory
field.)
Name: Give a name for this Eudemon. (It is only for the purpose of identification.) The
number of inputted characters must be between 2 and 40. All characters are accepted
except space and special characters (!@#$%^&<>?...).
Note
The name specified in the Blackhole or Device function can not be duplicated.
To edit a Eudemon
Click on icon to enter the Edit Eudemon window (See Figure 3.5.2-7).
Figure 3.5.2-7 System Admin / Mitigation / Device / Eudemon -- Edit Eudemon Window
(Please refer to the previous "To add a Eudemon" section for the following modification steps.
The asterisk "*" indicates a mandatory field.)
1. Enter new values in the fields you want to modify.
2. Click on Submit button to complete the modification.
To delete a Eudemon
1. Click on the delete icon .
A Delete page with the detailed configuration will be shown. The system reminds you that all
configurations using this Eudemon will be affected if the Eudemon is deleted.
2. Click on Submit button to remove the Eudemon from the system.
Figure 3.5.2-8 System Admin / Mitigation / Device / Eudemon -- View Eudemon Window
3.5.2.3
Global
Click on Global sub-menu tab to enter the SSH Public Key Generation window (See Figure
3.5.2-9). If users want to use SSH access to their mitigation device, the SSH key generated here
should be copied into both the mitigation device and GenieATM. In GenieATM, users should
copy the key into the Host Key field of mitigation device management window (such as Guard
management Window).
After clicking on the Generate SSH Key Pair button, the system takes a couple of minutes to
generate the SSH key, and a message tells whether the generation is in progress, completed, or
failed. If the generation is completed, the new SSH key is displayed in the SSH Public Key text
field and a time stamp shows when the key was generated. Please see Figure 3.5.2-10 for a
completed example.
Figure 3.5.2-9 System Admin / Mitigation / Global / SSH Public Key Window
Figure 3.5.2-10 System Admin / Mitigation / Global / SSH Public Key Window
3.6
Preferences
The Preferences menu allows users to define the preferred parameters and templates applied in
the system. It includes ten sub menus: Status, Storage, Report, Notification, Name Mapping,
Group, Baseline History, Offline Report, and Remote Update. These sub menus appear when
users click on the unfolding mark of Preferences.
Note
Only users with administrator authority can access all functions of the Preferences menu. Users
with the superuser authority defined by template can access only the Notification, Group,
Baseline History, and Offline Report functions in Preferences, and the viewing-only user and the
Sub-Network user cannot access any of them.
3.6.1
Status
The Status menu here indicates the sub-function in Preferences (not the Status menu on the
Main Menu tree). This function allows administrators to set the parameter for the Status
Summary page (under the Main Menu tree of Status). Click on Status menu displayed on the
Sub Menu tree of Preferences at the left side of the screen to enter the Status Parameter
management window. (As presented at Figure 3.6.1-1)
Figure 3.6.1-2 System Admin / Preferences / Status -- Edit Status Parameter Window
3.6.2
Storage
The Storage menu provides administrators a tool to manage the storage of analysis reports and
logs, so that the system does not run out of disk space. There are five parts: Disk Usage,
Report Data, Alert Log, Anomaly Log, and Login Log. The Disk Usage part configures when the
auto DB purging process is triggered and when it halts. The Report Data part configures how
long each type of report (daily, weekly, monthly, and yearly) is preserved in the DB once the
auto DB purging process is triggered; the preservation duration can be set for each period type
separately. The Alert Log part configures the maximum preservation period and amount for
system alert logs. The Anomaly Log part configures the maximum preservation period and
amount for anomaly event logs. The Login Log part configures the maximum preservation
period and amount for login logs.
The following sections tell users how to set up the parameters of these five parts.
Click on Storage menu displayed on the Sub Menu tree of Preferences at the left side of the
screen to enter the Storage Management window. (As presented at Figure 3.6.2-1)
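To make the interplay of the five Storage parts concrete, here is an added simulation that is not GenieATM code: a purge run triggered by a disk-usage watermark, deleting reports older than their period's retention until usage falls to the halt watermark, plus the age-and-count cap applied to log entries. The purge order (oldest expired report first), the constructed sizes and the thresholds are assumptions.

```python
"""Auto DB purging with trigger / halt disk-usage watermarks, per-period report
retention and capped logs (added example; the purge order is an assumption)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ReportRecord:
    period: str       # 'daily', 'weekly', 'monthly' or 'yearly'
    age_days: int
    size_mb: int


@dataclass
class StoragePolicy:
    trigger_percent: float            # purge starts at this disk usage
    halt_percent: float               # purge stops once usage is at or below this
    retention_days: Dict[str, int]    # preservation period per report period

    def __post_init__(self) -> None:
        if not 0 < self.halt_percent < self.trigger_percent <= 100:
            raise ValueError("need 0 < halt < trigger <= 100")
        for period in ("daily", "weekly", "monthly", "yearly"):
            if period not in self.retention_days:
                raise ValueError(f"missing retention for {period} reports")


def usage_percent(records: List[ReportRecord], capacity_mb: int) -> float:
    return 100.0 * sum(r.size_mb for r in records) / capacity_mb


def auto_purge(records: List[ReportRecord], policy: StoragePolicy,
               capacity_mb: int) -> Tuple[List[ReportRecord], List[ReportRecord]]:
    """Return (kept, purged).

    Nothing happens below the trigger watermark.  Above it, reports older than
    their period's retention are deleted oldest-first (assumed order) until
    usage is at or below the halt watermark or no expired report remains.
    """
    if usage_percent(records, capacity_mb) < policy.trigger_percent:
        return list(records), []
    expired = sorted(
        (r for r in records if r.age_days > policy.retention_days[r.period]),
        key=lambda r: r.age_days, reverse=True)
    kept = list(records)
    purged: List[ReportRecord] = []
    for record in expired:
        if usage_percent(kept, capacity_mb) <= policy.halt_percent:
            break
        kept.remove(record)
        purged.append(record)
    return kept, purged


def trim_log(entries: List[Tuple[int, str]], max_age_days: int,
             max_count: int) -> List[Tuple[int, str]]:
    """Apply the Alert/Anomaly/Login Log limits: drop entries older than
    max_age_days, then keep only the newest max_count.  Entries are
    (age_days, text) pairs; the result is newest first."""
    fresh = sorted((e for e in entries if e[0] <= max_age_days), key=lambda e: e[0])
    return fresh[:max_count]


if __name__ == "__main__":
    # Constructed data: a 1000 MB report volume at 95 % usage with a
    # 90 % trigger and 70 % halt watermark.
    policy = StoragePolicy(90, 70, {"daily": 30, "weekly": 180,
                                    "monthly": 730, "yearly": 1825})
    reports = [ReportRecord("daily", 5, 100), ReportRecord("daily", 45, 200),
               ReportRecord("weekly", 200, 150), ReportRecord("monthly", 400, 300),
               ReportRecord("yearly", 1000, 200)]
    kept, purged = auto_purge(reports, policy, 1000)
    print("purged:", [(r.period, r.age_days) for r in purged])
    print("usage after purge: %.1f%%" % usage_percent(kept, 1000))
```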
Figure 3.6.2-2 System Admin / Preferences / Storage -- Edit Disk Usage Window
Figure 3.6.2-3 System Admin / Preferences / Storage -- Edit Report Data Window
Figure 3.6.2-4 System Admin / Preferences / Storage -- Edit Alert Log Window
Figure 3.6.2-5 System Admin / Preferences / Storage -- Edit Anomaly Log Window
Figure 3.6.2-6 System Admin / Preferences / Storage -- Edit Login Log Window
3.6.3
Report
Report menu allows administrators to set the parameters about the maximum displayed entries
of the pre-defined TopN reports (Internet, Neighbor, Backbone, Router, Interface, and
Sub-Network), and the detail anomaly traffic analysis report. Click on Report menu displayed on
the Sub Menu tree of Preferences at the left side of the screen to enter the Report Parameter
management window (As presented at Figure 3.6.3-1).
Figure 3.6.3-2 System Admin / Preferences / Report -- Edit Pre-defined TopN Report Parameter
Window
Figure 3.6.3-3 System Admin / Preferences / Report -- Edit Report Parameter Window
Figure 3.6.3-4 System Admin / Preferences / Report -- Edit Rule-Based Report Label Window
Figure 3.6.3-5 System Admin / Preferences / Report -- Edit Detail Anomaly Traffic Analysis Report
Parameter Window
3.6.4
Notification
The Notification menu allows administrators to configure the settings of system alert and
anomaly event notifications. Three kinds of notification methods are supported: Email, SNMP
Trap, and Syslog. Email and SNMP Trap can be configured through the Web UI; for Syslog,
please refer to the GenieATM CLI Command Reference document.
The Notification function is divided into five parts: System Notification -- includes parameters of
overall notification sending and system-related alert notifications; Router Notification -- provides
parameter configurations of router-related alert and anomaly notifications; Sub-Network
Notification -- provides parameter configurations of anomaly notifications related to
Sub-Networks; MSP Customer Notification -- provides parameter configurations of anomaly
notifications related to MSP Customers; Filter Notification -- provides parameter configurations
of anomaly notifications related to Filters.
Note
The MSP Customer tab will not show when the system does not support the MSP module
(value-added function).
After clicking on Notification menu displayed on the Sub Menu tree of Preferences at the left
side of the screen, the System Notification Configuration window (the default entered window)
will be shown. Users can see the sub-menu tabs, System, Router, Sub-Network, MSP Customer,
and Filter, appearing above the screen (See Figure 3.6.4-1).
Figure 3.6.4-1 System Admin / Preferences / Notification / System Notification Configuration Window
3.6.4.1
System Notification
Once you click on the Notification menu, you directly enter the System Notification
Configuration window. It includes two parts of configuration: the Email Notification part
registers the parameters for sending email, and the Trap Notification part configures the SNMP
community string used for sending SNMP traps.
Figure 3.6.4-2 System Admin / Preferences / Notification / System -- Edit Email Notification Window
1. Set the action, Enabled or Disabled, for receiving the Email Notification.
2. Enter an email address to be used as the sender of notification email.
Follow the format aaa@aaa.aaa with no spaces inside. This must be a valid email account.
3. Enter the IP address of the email (SMTP) server that will send the alert notifications for all
events.
4. Enter the user name used to authenticate to the SMTP server.
5. Enter the password of that user name.
6. From the drop-down list, select the user group specified to receive the email notification.
The maintainer can define a user group in the User function of System Admin/ Preference/
Group.
7. Select how the notification is displayed in the email. There are two ways, Pop up login page
and Direct to Report page; the factory default is Direct to Report page. In addition, users can
set whether the report is linked via HTTP or HTTPS.
8. Select the display format, TEXT or HTML, of the content in the Notification mail.
9. Input the subject description of the Notification Mail.
10. Input the subject description of the Offline Report Mail.
11. Select the language type from the drop-down list. There are four languages for selection
and the factory default is Western (ISO-8859-1). The selected language is used for the
Notification mail and Offline Report mail.
12. Click on Submit button to complete the configuration.
Figure 3.6.4-3 System Admin / Preferences / Notification / System -- Edit Trap Notification Window
1. Select Disabled or Enabled to disable or enable the notification sending via email from the
Email Notification drop-down list.
The default value is Disabled.
2. Enter the IP address that the system sends traps to.
3. Enter the read-only community string for the SNMP trap which will be applied to all
notifications.
The number of inputted characters must be between 1 and 40. (Default is public)
4. Click on Submit button to complete the configuration.
3.6.4.2
Router Notification
Click on the Router sub-menu tab to enter the Router Notification Configuration window (See
Figure 3.6.4-4). The information displayed in the Router Notification view list includes No., Router
Name, IP Address, Email Notification [Enabled; User Group], and Resource Importance. All
routers configured in the system (in the Network/Router function of System Admin) are shown
in this view list. Users can edit the notification parameters for each router here.
Figure 3.6.4-4 System Admin / Preferences / Notification / Router Notification Configuration Window
Figure 3.6.4-5 System Admin / Preferences / Notification / Router -- Edit Router Notification
Configuration Window
1. Select Disabled or Enabled to disable or enable the notification sending via email from the
Email Notification drop-down list. The default value is Disabled.
2. Select a user group from the drop-down list of User Group to Receive Email Notification.
All user groups configured in the Group/User function of Preferences will be shown in this
drop-down list. The default value is None. Please note that if you have selected to enable the
Email notification, you have to choose a user group. Otherwise, the system will send the Email
notification to nowhere.
3. Select an importance level for the router from the Resource Importance drop-down list.
There are two importance levels, Regular and High (Default is Regular). This configuration
parameter works with the User Groups email notification configurations to determine whether
the email notification will be sent under different situation.
4. Click on Submit button to complete the configuration.
3.6.4.3
Sub-Network Notification
3.6.4.4
Click on the MSP Customer sub-menu tab to enter the MSP Customer Notification Configuration
window (See Figure 3.6.4-8). Users can only edit the notification parameters for sending
notifications to the specified MSP Customer.
1. Select the action, Disabled or Enabled, for the notification sending via email. The default
value is Disabled.
2. The system only displays the default user group for selection. MSP customers with
Customer Admin and Customer Superuser privileges belong to the default user group of this
customer. The system admin can add or delete users from the default user group listed in the
System Admin/Preference/Group/MSP Customer User function.
3. Select an importance level for the Customer entity from the Resource Importance drop-down
list. There are two importance levels, Regular and High (Default is Regular). This
configuration parameter works with the User Group's email notification configuration to
determine in which situations the email notification will be sent.
4. Click on Submit button to complete the configuration.
3.6.4.5
Filter Notification
Click on the Filter sub-menu tab to enter the Filter Notification Configuration window (See
Figure 3.6.4-10). The information displayed in the Filter Notification view list includes No., Name,
Email Notification [Enabled; User Group], and Resource Importance. All Filters configured in the
system (in the Network/Filter function of System Admin) are shown in this view list. Users can
edit the notification parameters for each Filter here.
Figure 3.6.4-10 System Admin / Preferences / Notification / Filter Notification Configuration Window
Figure 3.6.4-11 System Admin / Preferences / Notification / Filter -- Edit Filter Notification
Configuration Window
1. Select Disabled or Enabled to disable or enable the notification sending via email from the
Email Notification drop-down list.
The default value is Disabled.
2. Select a user group from the drop-down list of User Group to Receive Email Notification.
All user groups configured in the Group/User function of Preferences will be shown in this
drop-down list. The default value is None. Please note that if you have selected to enable the
Email notification, you have to choose a user group. Otherwise, the system will send the Email
notification to nowhere.
3. Select an importance level for the Filter from the Resource Importance drop-down list.
There are two importance levels, Regular and High (Default is Regular). This configuration
parameter works with the User Groups email notification configurations to determine whether
the email notification will be sent under different situation.
4. Click on Submit button to complete the configuration.
3.6.5
Name Mapping
The Name Mapping menu allows administrators to maintain and configure the name mapping of
Services, Protocols, ASNs (Autonomous System Numbers), Areas and IP to Area. (A so-called
service is a combination of protocol and port number.) This mapping information is used in
reports. Built-in mappings are provided, but the system also allows users to create and update
name mappings.
After clicking on the Name Mapping menu displayed on the Sub Menu tree of Preferences at the
left side of the screen, the Service management window (the default window) is shown.
Users can see its sub-menu tabs, Service, Protocol, ASN, Area, and IP to Area,
appearing above the screen. (See Figure 3.6.5-1)
Note
1. A search function is provided. It is located next to the Add button and above the view
list. Users can use several search filters (Protocol, Port, Name, AS Number, Display
Name, or Registered Name) to quickly find a specific service, protocol, or ASN in the
view list. Select a type of search filter in the Searching drop-down list, enter a keyword in
the for field, and then click on the Go button.
2. Page-control buttons are next to the Go button: |<  <<  >>  >|
The Page drop-down list: go to a specific page selected from the drop-down list. The
numerator represents the page you are going to list and the denominator represents the
total number of pages.
3. Entries/Page drop-down list: control the number of entries displayed per page of the
view list. There are four options to select: 15, 30, 60, and 120. The number 15 with an
asterisk is the default value.
Figure 3.6.5-1 System Admin / Preferences / Name Mapping / Service Management Window
3.6.5.1 Services
Once you click on the Name Mapping menu, you directly enter the Service management
window. The information displayed in the Service view list includes No., Protocol, Port, and
Name. The following sections describe how to add, edit, and delete a service.
To add a service
Click on Add button at the top of the Service view list to enter the Add Service Name window.
(See Figure 3.6.5-2)
Figure 3.6.5-2 System Admin / Preferences / Name Mapping / Service -- Add Service Name Window
1. Provide service information in the following fields: (The asterisk "*" indicates a mandatory
field.)
Name: Give a name for this service. The number of inputted characters must be between 1
and 64. All characters are accepted except space and special characters
(!@#$%^&<>?...).
Protocol: Enter the protocol number. Only integers from 0 to 255 will be accepted.
Port: Enter the port number. Only integers from 0 to 65535 will be accepted.
Note
The system rejects your submission if the service (protocol and port) you add duplicates
an existing configuration.
2. Click on Submit button to complete the configuration.
To edit a service
Click on the edit icon to enter the Edit Service Name window. (See Figure 3.6.5-3)
Figure 3.6.5-3 System Admin / Preferences / Name Mapping / Service -- Edit Service Name Window
(Please refer to the previous To add a service section for the following modification steps.
The asterisk "*" indicates a mandatory field.)
1. Enter a new name if necessary.
2. Click on Submit button to complete the modification.
To delete a service
1. Click on the delete icon.
A confirmation dialog box pops up.
2. Click on OK button to remove the service from the system.
2009 Genie Network Resource Management Inc. All Rights Reserved.
3.6.5.2 Protocols
Click on the Protocol sub-menu tab to enter the Protocol management window. (See Figure 3.6.5-4)
The information displayed in the Protocol view list includes No., Protocol, and Name. The
following sections describe how to add, edit, and delete a protocol.
Figure 3.6.5-4 System Admin / Preferences / Name Mapping / Protocol Management Window
To add a protocol
Click on Add button at the top of the Protocol view list to enter the Add Protocol Name
window. (See Figure 3.6.5-5)
Figure 3.6.5-5 System Admin / Preferences / Name Mapping / Protocol -- Add Protocol Name
Window
1. Provide protocol information in the following fields: (The asterisk "*" indicates a mandatory
field.)
Name: Give a name for this protocol. The number of inputted characters must be between 1
and 64. All characters are accepted except space and special characters (!@#$%^&<>?...).
Protocol: Enter the protocol number. Only integers from 0 to 255 will be accepted.
Note
The system rejects your submission if the protocol you add duplicates an existing
configuration.
2. Click on Submit button to complete the configuration.
To edit a protocol
Click on the edit icon to enter the Edit Protocol Name window. (See Figure 3.6.5-6)
Figure 3.6.5-6 System Admin / Preferences / Name Mapping / Protocol -- Edit Protocol Name
Window
(Please refer to the previous To add a protocol section for the following modification steps.
The asterisk "*" indicates a mandatory field.)
1. Enter a new name if necessary.
2. Click on Submit button to complete the modification.
To delete a protocol
1. Click on the delete icon.
A confirmation dialog box pops up.
2. Click on OK button to remove the protocol from the system.
3.6.5.3 ASNs
Click on the ASN sub-menu tab to enter the ASN management window. (See Figure 3.6.5-7) The
information displayed in the ASN view list includes No., AS Number, Display Name, and
Registered Name. The following sections describe how to add, edit, and delete an ASN.
Figure 3.6.5-7 System Admin / Preferences / Name Mapping / ASN management Window
To add an ASN
Click on Add button at the top of the ASN view list to enter the Add ASN Name window. (See
Figure 3.6.5-8)
Figure 3.6.5-8 System Admin / Preferences / Name Mapping / ASN -- Add ASN Window
1. Provide AS number information in the following fields: (The asterisk "*" indicates a
mandatory field.)
Display Name: Give a name for this AS number. This name will be displayed in reports.
The number of inputted characters must be between 1 and 40. All characters are accepted
except space and special characters (!@#$%^&<>?...).
AS Number: Enter the AS number. Only integers from 0 to 65535 will be accepted.
Registered Name: Enter the registered name of the AS number. The number of inputted
characters must be between 1 and 256.
Note
The system rejects your submission if the AS number you add duplicates an existing
configuration.
2. Click on Submit button to complete the configuration.
To edit an ASN
Click on the edit icon to enter the Edit ASN Name window. (See Figure 3.6.5-9)
Figure 3.6.5-9 System Admin / Preferences / Name Mapping / ASN -- Edit ASN Name Window
(Please refer to the previous To add an ASN section for the following modification steps.
The asterisk "*" indicates a mandatory field.)
1. Enter a new display name if desired.
2. Enter a new registered name if necessary.
3. Click on Submit button to complete the modification.
To delete an ASN
1. Click on the delete icon.
A confirmation dialog box pops up.
2. Click on OK button to remove the ASN from the system.
3.6.5.4 Area
Click on the Area sub-menu tab to enter the Area management window. (See Figure 3.6.5-10) The
information displayed in the Area view list includes No., Code2, Code3 and Area. The following
sections describe how to add, edit, and delete an Area configuration.
Figure 3.6.5-10 System Admin / Preferences / Name Mapping / Area Management Window
To add an area
Click on Add button at the top of the Area view list to enter the Add Area management
window. (See Figure 3.6.5-11)
Figure 3.6.5-11 System Admin / Preferences / Name Mapping / Area -- Add Area management Window
1. Provide area information in the following fields: (The asterisk "*" indicates a mandatory field.)
Code2: Give an abbreviation name for this Area. The number of inputted characters must
be between 1 and 5. All characters are accepted except space and special characters
(!@#$%^&<>?...).
Code3: Enter the abbreviation name of the Area. The number of inputted characters must
be between 1 and 64. All characters are accepted except space and special characters
(!@#$%^&<>?...).
Area: Enter the area's full name.
Note
The system rejects your submission if any field you enter duplicates an existing
configuration.
2. Click on Submit button to complete the configuration.
To edit an area
Click on the edit icon to enter the Edit Area management window. (See Figure 3.6.5-12)
Figure 3.6.5-12 System Admin / Preferences / Name Mapping / Area -- Edit Area management
window
(Please refer to the previous To add an area section for the following modification steps.
The asterisk "*" indicates a mandatory field.)
1. Enter new data in the Code3 or Area field if desired.
2. Click on Submit button to complete the modification.
To delete an area
1. Click on the delete icon.
A confirmation dialog box pops up.
2. Click on OK button to remove the entry from the system.
3.6.5.5 IP to Area
Click on the IP to Area sub-menu tab to enter the IP to Area management window. (See Figure
3.6.5-13) The information displayed in the IP to Area view list includes No., Begin IP, End IP,
Area Code and Area. The following section describes how to import the IP-to-Area aggregation
data.
Figure 3.6.5-13 System Admin / Preferences / Name Mapping / IP to Area Management Window
Field          Data Type
IP_FROM        numerical (Double)
IP_TO          numerical (Double)
CODE2          char(2)
CODE3          char(3)
Country Name   varchar(50)
Note that all IP address ranges recorded in the IP_FROM and IP_TO fields are
represented as IP numbers, which are the numeric representation of the dotted IP
address. The formula to convert an IP address of the form A.B.C.D to an IP number is
as follows:
IP Number = A x (256*256*256) + B x (256*256) + C x 256 + D
Figure 3.6.5-14 System Admin / Preferences / Name Mapping / IP to Area Import IP-to-Area
management Window
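The conversion formula and the import record layout above, worked through in an added example that is not part of the GenieATM manual or product: it converts dotted addresses to IP numbers, validates constructed import rows against the field widths in the table (char(2), char(3), varchar(50)), rejects overlapping ranges, and resolves an address to its area. The comma-separated row layout, the sample rows and the area codes are assumptions of this example.

```python
"""IP-to-Area import helper (added example, not GenieATM code)."""
import bisect
from dataclasses import dataclass
from typing import List, Optional

IPV4_MAX = 256 ** 4 - 1


def ip_to_number(addr: str) -> int:
    """A.B.C.D -> A*256^3 + B*256^2 + C*256 + D, rejecting malformed input."""
    parts = addr.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted IPv4 address: {addr!r}")
    number = 0
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        number = number * 256 + int(part)
    return number


def number_to_ip(number: int) -> str:
    """Inverse of ip_to_number, for readable output."""
    if not 0 <= number <= IPV4_MAX:
        raise ValueError("IP number out of range")
    return ".".join(str((number >> shift) & 0xFF) for shift in (24, 16, 8, 0))


@dataclass(frozen=True)
class AreaRange:
    ip_from: int
    ip_to: int
    code2: str
    code3: str
    country: str


def parse_import_row(row: str) -> AreaRange:
    """Parse one assumed comma-separated row: IP_FROM,IP_TO,CODE2,CODE3,Country Name.

    IP_FROM/IP_TO are IP numbers (the manual's numeric form, possibly written
    as doubles such as 3221225984.0), not dotted addresses.
    """
    fields = [f.strip().strip('"') for f in row.split(",")]
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {row!r}")
    ip_from, ip_to = int(float(fields[0])), int(float(fields[1]))
    code2, code3, country = fields[2], fields[3], fields[4]
    if not 0 <= ip_from <= ip_to <= IPV4_MAX:
        raise ValueError(f"bad range {ip_from}-{ip_to}")
    if len(code2) != 2 or len(code3) != 3:      # char(2) / char(3)
        raise ValueError(f"bad area codes {code2!r}/{code3!r}")
    if not 1 <= len(country) <= 50:             # varchar(50)
        raise ValueError(f"country name length out of range: {country!r}")
    return AreaRange(ip_from, ip_to, code2.upper(), code3.upper(), country)


class IpToArea:
    """Sorted, non-overlapping range table with binary-search lookup."""

    def __init__(self, rows: List[str]):
        self.ranges = sorted((parse_import_row(r) for r in rows if r.strip()),
                             key=lambda r: r.ip_from)
        # Overlapping ranges would make a lookup ambiguous, so reject the import.
        for prev, cur in zip(self.ranges, self.ranges[1:]):
            if cur.ip_from <= prev.ip_to:
                raise ValueError(f"overlapping range at {number_to_ip(cur.ip_from)}")
        self._starts = [r.ip_from for r in self.ranges]

    def lookup(self, addr: str) -> Optional[AreaRange]:
        n = ip_to_number(addr)
        i = bisect.bisect_right(self._starts, n) - 1
        if i >= 0 and self.ranges[i].ip_from <= n <= self.ranges[i].ip_to:
            return self.ranges[i]
        return None


# Constructed sample import data: documentation address blocks and
# user-assigned codes, not real IP-to-area mappings.
SAMPLE_ROWS = [
    '3221225984,3221226239,"ZZ","ZZZ","Example Area One"',   # 192.0.2.0/24
    '3325256704,3325256959,"ZY","ZZY","Example Area Two"',   # 198.51.100.0/24
]

if __name__ == "__main__":
    table = IpToArea(SAMPLE_ROWS)
    for addr in ("192.0.2.10", "198.51.100.200", "203.0.113.1"):
        hit = table.lookup(addr)
        print(addr, ip_to_number(addr), hit.code2 if hit else "no area")
```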
3.6.6 Group
The Group menu allows users to aggregate multiple entities into a resource group, such as a user
group, router group, sub-network group, server-farm group, neighbor group, Filter group and MSP
Customer User group. With this function, operating the system and managing network
resources becomes easier and more flexible. Every kind of Group has a built-in group called All,
which contains all created objects of that object type. For instance, the All group of User
contains all created (registered) user accounts in the system. These All groups cannot be
manually added, modified, or removed.
After clicking on the Group menu displayed on the Sub Menu tree of Preferences at the left side of
the screen, the User Group Management window (the default window) is shown.
Users can see the sub-menu tabs, User, Router, Sub-Network, Server-farm, Neighbor, Filter,
and MSP Customer User, appearing above the screen. (See Figure 3.6.6-1)
Note
In addition to administrators, users with the superuser authority (defined by template) can also
access the Group menu.
Figure 3.6.6-1 System Admin / Preferences / Group / User Group Management Window
3.6.6.1 User
Once you click on the Group menu, you directly enter the User Group Management window.
The information displayed in the User Group view list includes No., Group ID, Group Name,
User, and User #. (The User # is the total number of users in the user group.) The following
sections describe how to add, edit, and delete a user group and how to view the profile of a user
group.
Figure 3.6.6-2 System Admin / Preferences / Group / User -- Add User Group Window
Figure 3.6.6-3 System Admin / Preferences / Group / User -- Edit User Group Window
(Please refer to the previous To add a user group section for the following modification
steps.)
1. Enter a new name for the user group if desired.
2. Add/Remove the users for the group if necessary.
3. Modify the Notification configurations for the group if necessary.
4. Click on Submit button to complete the modification.
Figure 3.6.6-4 System Admin / Preferences / Group / User -- View User Group Window
1. Click on a (User) Group ID or Group Name to enter the View User Group window.
When you move the cursor over an ID or name listed in the Group ID/Group Name column, it
turns blue. The View User Group window displays the
following information:
Name: name of the user group you selected to view.
User ID: user ID of each member in the group.
User Name: detailed user name of each member in the group.
Minimum Severity to Receive Email Notification for High Importance Resource:
Please refer to the To add a user group section for details.
Minimum Severity to Receive Email Notification for Regular Importance Resource:
Please refer to the To add a user group section for details.
Receive Email for Recovery:
Please refer to the To add a user group section for details.
2. Click on Back to List button to return to the User Group Management window.
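The interaction between a Filter's Resource Importance (section 3.6.4, Filter Notification) and a user group's two Minimum Severity thresholds and Receive Email for Recovery flag (shown above), as an added example that is not part of the GenieATM manual or product. The ascending severity scale, the event fields, and the rule that a recovery mail is only sent when the original anomaly would have been notified are assumptions of this example; the manual's warning that an enabled notification with a User Group of None reaches nobody is turned into an audit check.

```python
"""Email notification routing for Filter anomalies (added example, not GenieATM code)."""
from dataclasses import dataclass
from typing import List, Optional

# Assumed severity scale, lowest to highest; the manual does not list the levels.
SEVERITY_ORDER = ("Low", "Medium", "High", "Critical")


def severity_rank(name: str) -> int:
    if name not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity {name!r}")
    return SEVERITY_ORDER.index(name)


@dataclass
class UserGroup:
    name: str
    members: List[str]          # user IDs of the group members
    min_severity_high: str      # Minimum Severity ... for High Importance Resource
    min_severity_regular: str   # Minimum Severity ... for Regular Importance Resource
    receive_recovery: bool      # Receive Email for Recovery


@dataclass
class FilterNotification:
    filter_name: str
    email_enabled: bool = False               # Email Notification, default Disabled
    user_group: Optional[UserGroup] = None    # User Group to Receive ..., default None
    resource_importance: str = "Regular"      # Resource Importance, default Regular


def recipients(cfg: FilterNotification, severity: str, recovery: bool = False) -> List[str]:
    """User IDs to email for an anomaly (or its recovery) on cfg's Filter."""
    if not cfg.email_enabled or cfg.user_group is None:
        return []   # disabled, or enabled with group None: nobody receives it
    group = cfg.user_group
    threshold = (group.min_severity_high if cfg.resource_importance == "High"
                 else group.min_severity_regular)
    if severity_rank(severity) < severity_rank(threshold):
        return []   # below the group's threshold for this importance level
    if recovery and not group.receive_recovery:
        return []   # assumed: recovery mail follows the same threshold plus the flag
    return list(group.members)


def audit_unroutable(configs: List[FilterNotification]) -> List[str]:
    """Names of Filters whose notification is Enabled but has no User Group (sent to nobody)."""
    return [c.filter_name for c in configs if c.email_enabled and c.user_group is None]


# Constructed sample configuration.
NOC = UserGroup("noc", ["alice", "bob"], min_severity_high="Medium",
                min_severity_regular="High", receive_recovery=True)
CORE_DNS = FilterNotification("core-dns", email_enabled=True, user_group=NOC,
                              resource_importance="High")
LAB_NET = FilterNotification("lab-net", email_enabled=True, user_group=NOC,
                             resource_importance="Regular")
ORPHAN = FilterNotification("orphan", email_enabled=True)   # group left at None

if __name__ == "__main__":
    print(recipients(CORE_DNS, "Medium"))   # High importance: Medium meets threshold
    print(recipients(LAB_NET, "Medium"))    # Regular importance: needs High or above
    print(audit_unroutable([CORE_DNS, LAB_NET, ORPHAN]))
```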
3.6.6.2 Router
Click on the Router sub-menu tab to enter the Router Group Management window. (See Figure
3.6.6-5) The information displayed in the Router Group view list includes No., Group ID,
Group Name, Router, and Router #. (The Router # is the total number of routers in the router group.)
The following sections describe how to add, edit, and delete a router group and how to
view the profile of a router group.
Figure 3.6.6-5 System Admin / Preferences / Group / Router Group Management Window
Figure 3.6.6-6 System Admin / Preferences / Group / Router -- Add Router Group Window
1. Enter a name for this router group in Name field.
You can give a meaningful name that can represent the router group you are adding. The
number of inputted characters must be between 2 and 40. All characters are accepted except
space and special characters (!@#$%^&<>?...).
2. Select routers for this group from the Available Router list box.
Select a router in the Available Router list box and then click on the <<Add
button to add the router to the Group list box at the left side. Use the Remove>> button to
remove one selected router at a time, or the Remove All button to remove all routers at
once from the left-hand Group list box. All registered routers in the system are displayed in
the Available Router list box.
3. Click on Submit button to complete the configuration.
Figure 3.6.6-7 System Admin / Preferences / Group / Router -- Edit Router Group Window
(Please refer to the previous To add a router group section for the following modification
steps.)
1. Enter a new name for the router group if desired.
2. Add/Remove the routers for the group if necessary.
3. Click on Submit button to complete the modification.
Figure 3.6.6-8 System Admin / Preferences / Group / Router -- View Router Group Window
1. Click on a (Router) Group ID or Group Name to enter the View Router Group window.
When you move the cursor over an ID or name listed in the Group ID/Group Name column, it
turns blue. The View Router Group window displays the
following information:
Name: name of the router group you selected to view.
Router ID: router ID of each member in the group.
Router Name: name of each router in the group.
IP Address: the router's IP address.
2. Click on Back to List button to return to the Router Group Management window.
3.6.6.3 Sub-Network
Click on the Sub-Network sub-menu tab to enter the Sub-Network Group Management window.
(See Figure 3.6.6-9) The information displayed in the Sub-Network Group view list includes No.,
Group ID, Group Name, Sub-Network, and Sub-Network #. (The Sub-Network # is the total number of
sub-networks in the sub-network group.) The following sections describe how to
add, edit, and delete a sub-network group and how to view the profile of a sub-network group.
Figure 3.6.6-9 System Admin / Preferences / Group / Sub-Network Group Management Window
To add a sub-network group
Click on Add button at the top of the Sub-Network Group view list to enter the Add
Sub-Network Group window. (See Figure 3.6.6-10)
Figure 3.6.6-10 System Admin / Preferences / Group / Sub-Network -- Add Sub-Network Group
Window
1. Enter a name for this sub-network group in Name field.
You can give a meaningful name that can represent the sub-network group you are adding.
The number of inputted characters must be between 2 and 40. All characters are accepted
except space and special characters (!@#$%^&<>?...).
2. Select sub-networks for this group from the Available Sub-Network list box.
Select a sub-network in the Available Sub-Network list box and then click
on the <<Add button to add the sub-network to the Group list box at the left side. Use the
Remove>> button to remove one selected sub-network at a time, or the Remove All button
to remove all sub-networks at once from the left-hand Group list box. All registered
sub-networks in the system are displayed in the Available Sub-Network list box.
3. Click on Submit button to complete the configuration.
Figure 3.6.6-11 System Admin / Preferences / Group / Sub-Network -- Edit Sub-Network Group
Window
(Please refer to the previous To add a sub-network group section for the following
modification steps.)
1. Enter a new name for the sub-network group if desired.
2. Add/Remove the sub-networks for the group if necessary.
3. Click on Submit button to complete the modification.
Figure 3.6.6-12 System Admin / Preferences / Group / Sub-Network -- View Sub-Network Group
Window
1. Click on a (Sub-Network) Group ID or Group Name to enter the View Sub-Network Group
window.
When you move the cursor over an ID or name listed in the Group ID/Group Name column, it
turns blue. The View Sub-Network Group window
displays the following information:
Name: name of the sub-network group you selected to view.
Sub-Network ID: sub-network ID of each member in the group.
Sub-Network Name: name of each sub-network in the group.
2. Click on Back to List button to return to the Sub-Network Group Management window.
3.6.6.4 Server-farm
Click on the Server-farm sub-menu tab to enter the Server-farm Group Management window. (See
Figure 3.6.6-13) The information displayed in the Server-farm Group view list includes No.,
Group ID, Group Name, Server-farm, and Server-farm #. (The Server-farm # is the total number of
server-farms in the server-farm group.) The following sections describe how to add,
edit, and delete a server-farm group and how to view the profile of a server-farm group.
Figure 3.6.6-13 System Admin / Preferences / Group / Server-farm Group Management Window
Figure 3.6.6-14 System Admin / Preferences / Group / Server-farm -- Add Server-farm Group
Window
1. Enter a name for this Server-farm group in Name field.
You can give a meaningful name that can represent the server-farm group you are adding.
The number of inputted characters must be between 2 and 40. All characters are accepted
except space and special characters (!@#$%^&<>?...).
2. Select server-farms for this group from the Available Server-farm(s) list box.
Select a server-farm in the Available Server-farm list box and then click on
the <<Add button to add the server-farm to the Group list box at the left side. Use the
Remove>> button to remove one selected server-farm at a time, or the Remove All button to
remove all server-farms at once from the left-hand Group list box. All registered
server-farms in the system are displayed in the Available Server-farm list box.
3. Click on Submit button to complete the configuration.
Figure 3.6.6-15 System Admin / Preferences / Group / Server-farm -- Edit Server-farm Group Window
(Please refer to the previous To add a Server-farm group section for the following
modification steps.)
1. Enter a new name for the server-farm group if desired.
2. Add/Remove the server-farms for the group if necessary.
3. Click on Submit button to complete the modification.
Figure 3.6.6-16 System Admin / Preferences / Group / Server-farm -- View Server-farm Group
Window
1. Click on a (Server-farm) Group ID or Group Name to enter the View Server-farm Group
window.
When you move the cursor over an ID or name listed in the Group ID/Group Name column, it
turns blue. The View Server-farm Group window
displays the following information:
Name: name of the server-farm group you selected to view.
Server-farm ID: server-farm ID of each member in the group.
Server-farm Name: name of each server-farm in the group.
2. Click on Back to List button to return to the Server-farm Group Management window.
3.6.6.5 Neighbor
Click on the Neighbor sub-menu tab to enter the Neighbor Group Management window. (See
Figure 3.6.6-17) The information displayed in the Neighbor Group view list includes No., Group
ID, Group Name, Neighbor, and Neighbor #. (The Neighbor # is the total number of neighbors in the
neighbor group.) The following sections describe how to add, edit, and delete a
neighbor group and how to view the profile of a neighbor group.
Figure 3.6.6-17 System Admin / Preferences / Group / Neighbor Group Management Window
To add a neighbor group
Click on Add button at the top of the Neighbor Group view list to enter the Add Neighbor
Group window. (See Figure 3.6.6-18)
Figure 3.6.6-18 System Admin / Preferences / Group / Neighbor -- Add Neighbor Group Window
Figure 3.6.6-19 System Admin / Preferences / Group / Neighbor -- Edit Neighbor Group Window
(Please refer to the previous To add a neighbor group section for the following modification
steps.)
1. Enter a new name for the neighbor group if desired.
2. Add/Remove the neighbors for the group if necessary.
3. Click on Submit button to complete the modification.
Figure 3.6.6-20 System Admin / Preferences / Group / Neighbor -- View Neighbor Group Window
1. Click on a (Neighbor) Group ID or Group Name to enter the View Neighbor Group window.
When you move the cursor over an ID or name listed in the Group ID/Group Name column, it
turns blue. The View Neighbor Group window displays
the following information:
Name: name of the neighbor group you selected to view.
Neighbor ID: neighbor ID of each member in the group.
Neighbor Name: name of each neighbor in the group.
2. Click on Back to List button to return to the Neighbor Group Management window.
3.6.6.6 Filter
Click on the Filter sub-menu tab to enter the Filter Group Management window. (See Figure
3.6.6-21) The information displayed in the Filter Group view list includes No., Group ID,
Group Name, Filter, and Filter #. (The Filter # is the total number of Filters in the Filter group.)
The following sections describe how to add, edit, and delete a Filter group and how to view the
profile of a Filter group.
Figure 3.6.6-21 System Admin / Preferences / Group / Filter Group Management Window
To add a Filter group
Click on Add button at the top of the Filter Group view list to enter the Add Filter Group
window. (See Figure 3.6.6-22)
Figure 3.6.6-22 System Admin / Preferences / Group / Filter -- Add Filter Group Window
1. Enter a name for this Filter group in Name field.
You can give a meaningful name that can represent the Filter group you are adding. The
number of inputted characters must be between 2 and 40. All characters are accepted except
space and special characters (!@#$%^&<>?...).
2. Select Filters for this group from the Available Filter list box.
Select a Filter in the Available Filter list box and then click on the <<Add
button to add the Filter to the Group list box at the left side. Use the Remove>> button to
remove one selected Filter at a time, or the Remove All button to remove all Filters at
once from the left-hand Group list box. All registered Filters in the system are displayed in
the Available Filter list box.
3. Click on Submit button to complete the configuration.
Figure 3.6.6-23 System Admin / Preferences / Group / Filter -- Edit Filter Group Window
(Please refer to the previous To add a Filter group section for the following modification
steps.)
1. Enter a new name for the Filter group if desired.
2. Add/Remove the Filters for the group if necessary.
3. Click on Submit button to complete the modification.
Figure 3.6.6-24 System Admin / Preferences / Group / Filter -- View Filter Group Window
1. Click on a (Filter) Group ID or Group Name to enter the View Filter Group window.
When you move the cursor over an ID or name listed in the Group ID/Group Name column, it
turns blue. The View Filter Group window displays the
following information:
Name: name of the Filter group you selected to view.
Filter ID: Filter ID of each member in the group.
Filter Name: name of each Filter in the group.
2. Click on Back to List button to return to the Filter Group Management window.
3.6.6.7 MSP Customer User
After clicking on the MSP Customer User tab in the System Admin/Preferences/Group menu at
the left side of the screen, the MSP Customer User Group Management window is shown
(See Figure 3.6.6-25). The fields of the MSP Customer User view list include No., Group ID,
Group Name, User, and User # (the User # shows the total number of users in the user group). Please
refer to the following section to modify the contents of an MSP Customer User group.
Figure 3.6.6-25 System Admin / Preferences / Group / MSP Customer User -- MSP Customer User
Group Management Window
Figure 3.6.6-26 System Admin / Preferences / Group / MSP Customer User -- Edit MSP Customer
User Group Window
Figure 3.6.6-27 System Admin / Preferences / Group / MSP Customer User -- View MSP Customer
User Group Window
3.6.7 Baseline History
The Baseline History menu mainly provides users with the historical results of the auto-learned traffic
baseline over the past N days (up to 30 days) for all existing Sub-Network, MSP Customer, and
Filter entities in the system. It also allows users to delete daily auto-learned traffic baseline
values from days on which attacks are confirmed to have happened during the learning period, to
manually exclude improper statistics. This way, the auto-learned traffic baseline is not greatly
skewed by attacks that occurred during the learning period and remains adaptive.
After clicking on the Baseline History menu displayed on the Sub Menu tree of Preferences at the
left side of the screen, the Sub-Network Baseline History window (the default window)
is shown. Users can see the sub-menu tabs, Sub-Network, MSP Customer, and Filter,
appearing above the screen. (See Figure 3.6.7-1)
Note
In addition to administrators, users with the superuser authority (defined by template) can also
access the Baseline History menu.
A search function and page-control buttons are provided. Please refer to the Note
descriptions in the Sub-Network sub menu of the Network function for their operation.
Figure 3.6.7-1 System Admin / Preferences / Baseline History / Sub-Network Baseline History
Window
3.6.7.1 Sub-Network
The information displayed in the Baseline History view list of Sub-Network includes No., ID,
(Sub-network) Name, Resource Importance, and Traffic Anomaly - Sub-Network [Incoming /
Outgoing] (See Figure 3.6.7-1). The activation status in the Incoming / Outgoing field indicates
whether the anomaly detection is enabled or disabled for the specific Sub-Network entity. The
detected results of traffic anomaly detection will be shown in the Traffic Anomaly Detection table
in detail (See Figure 3.6.7-2).
Figure 3.6.7-2 System Admin / Preferences / Baseline History / Sub-Network -- View Baseline History
Window
3.6.7.2 MSP Customer
The information displayed in the Baseline History view list of MSP Customer (See Figure
3.6.7-1). The activation status shown in the Traffic Anomaly-SubNetwork [Incoming / Outgoing]
field indicates whether the anomaly detection is enabled or disabled for the specific MSP
Customer entity. The detected results of traffic anomaly detection will be shown in the Traffic
Anomaly Detection table in detail (See Figure 3.6.7-3).
Figure 3.6.7-3 System Admin / Preferences / Baseline History / MSP Customer Baseline History
Window
Figure 3.6.7-4 System Admin / Preferences / Baseline History / MSP Customer -- View Baseline
History Window
3.6.7.3 Filter
Click on Filter sub-menu tab to enter the Filter Baseline History window. (See Figure 3.6.7-5)
The information displayed in the Baseline History view list of Filter includes No., ID, (Filter) Name,
Resource Importance, and Baseline Template [Filter; Opposite]. The columns of Filter and
Opposite show which baseline templates the Filter Traffic Anomaly used. The detected results of
traffic anomaly detections will be shown in the Baseline History table in detail (See Figure
3.6.7-6).
Figure 3.6.7-5 System Admin / Preferences / Baseline History / Filter Baseline History Window
Figure 3.6.7-6 System Admin / Preferences / Baseline History / Filter -- View Baseline History Window
3.6.8 Offline Report
The Offline Report menu allows users to configure the schedule templates that decide when offline
reports are sent out, to enable the generation of offline reports for Sub-Network entities, and to
delete added offline reports. GenieATM currently provides offline reports in HTML format via
email delivery only. For most reports under the Sub-Network Main Menu, users whose privilege is
sub-network can create offline reports with specific conditions (please go to the Sub-Network
menu to create offline reports). With the Offline Report function, users can conveniently obtain
the reports of Sub-Network entities on a regular schedule via email without on-line access.
Note
If a sub-network is enabled to generate offline reports, users with the Sub-Network
authority can specify the offline reports in the Report/Sub-network function. For the configuration
of offline reports, please refer to the Report/Sub-Network section.
After clicking on the Offline Report menu displayed on the Sub Menu tree of Preferences at the left
side of the screen, the Scheduler Template management window (the default window)
is shown. Users can see the sub-menu tabs, Scheduler and Sub-Network, appearing
above the screen. (See Figure 3.6.8-1)
Note
In addition to administrators, users with the superuser authority (defined by template) can also
access the Offline Report menu.
Figure 3.6.8-1 System Admin / Preferences / Offline Report / Scheduler Template Management
Window
3.6.8.1 Scheduler Template
Click on the Scheduler sub-menu tab to enter the Schedule Template Management window.
The information displayed in the Scheduler Template view list includes No., ID, Name, Type,
Execution Time, and Offline Report # (counting all enabled and disabled offline reports that use
the schedule template). There are three system default schedule templates: Daily, Weekly, and
Monthly. Users can change the default configurations of these schedule templates, but are not
allowed to add new templates or delete the system default templates. The following sections
describe how to edit and view a scheduler template.
Note
The subject and language of the Offline Report mail are set in System under the System
Admin/Preferences/Notification function.
Figure 3.6.8-2 System Admin / Preferences / Offline Report / Scheduler -- Edit Schedule Template
Window (Daily Schedule Type)
1. Enter a new name to replace the default name in the Name field if desired.
The number of inputted characters must be between 1 and 40. All characters are accepted
except special characters (!@#$%^&<>?...).
2. Select a time from the drop-down lists if desired.
The execution time decides when the system runs the offline report generation
and delivery job. Select the Hour and Minute from the drop-down lists. Users must also
select the day of the week or the day of the month when a weekly or monthly schedule template is
modified.
3. Click on Submit button to complete the modification.
Figure 3.6.8-3 System Admin / Preferences / Offline Report / Scheduler -- View Schedule Template
Window
1. Click on an ID/Name to enter the View Schedule Template window.
When you move the cursor over an ID or name listed in the ID/Name column, it
turns blue. The Applied block area shows the
Sub-Network entities and the number of created offline reports to which this template
is applied.
2. Click on Back to List button to return to the Schedule Template Management window.
2009 Genie Network Resource Management Inc. All Rights Reserved.
3.6.8.2 Sub-Network
Click on the Sub-Network sub-menu tab to enter the Sub-Network Offline Report Management window. (See Figure 3.6.8-4) The information displayed in the Sub-Network Offline Report view list includes No., ID, Name, Offline Report Scheduler, Offline Report # [Daily; Weekly; Monthly] and IP Space. The following sections introduce how to enable the offline report generation of a Sub-Network entity, how to delete the added offline reports, and how to view its offline report configuration.
Figure 3.6.8-4 System Admin / Preferences / Offline Report / Sub-Network Offline Report Management Window
Figure 3.6.8-5 System Admin / Preferences / Offline Report / Sub-Network -- Edit Sub-Network Offline Report Window
Figure 3.6.8-6 System Admin / Preferences / Offline Report / Sub-Network -- View Sub-Network Offline Report Window
1. Click on an ID/Name to enter the View Sub-Network Offline Report window.
When you move the cursor to an ID/Name listed in the ID/Name column, the color of the pointed ID/Name will turn blue. The Offline Report block area lists all added offline reports of the viewed Sub-Network entity.
2. Click on the Back to List button to return to the Sub-Network Offline Report Management window.
3.6.9 Remote Update
Remote Update menu allows users to configure the definition update server of GenieATM
system anomaly signatures for the latest definition download. Note that the configuration here is
to set the DNS name of the server but not to execute the update job (Please refer to the
Anomaly menu in the System Admin / Network function for details). Click on Remote Update
menu displayed on the Sub Menu tree of Preferences at the left side of the screen to enter the
Remote Update management window. (As presented at Figure 3.6.9-1)
Note
Besides administrators, users whose user-defined authority is superuser can also access the Remote Update menu.
Figure 3.6.9-2 System Admin / Preferences / Remote Update -- Edit Default Configuration of Remote Update Window
3.7 Report Rebuild
GenieATM provides a convenient function that allows users to rebuild rule-based Filter reports of a
specific time period. The rebuilding data source is the saved rawdata in the system. Once users
rebuild rule-based reports of a Filter, the TopN reports under the Filter will be also rebuilt and old
reports of the Filter within the time period will be overwritten by the rebuilt reports.
Click on Report Rebuild menu displayed on the Sub Menu tree of System Admin at the left side
of the screen to enter the Report Rebuild window. (As presented at Figure 3.7-1) There are five
parts in the Report Rebuild window:
Last Request: this part displays the result and detailed information of the latest report-rebuilt request. Four statuses might display here: Processing, Completed, Aborted, or Failure.
Historical Request: this part displays historical report-rebuilt requests that were successfully added, and allows users to view the detailed configuration of requests and to delete the added requests.
System: this part will be displayed below the Last Request block area only after users submit a new request. It will show the result of adding the request.
Last Request Status: this part will be displayed below the Last Request block area only after users click on the Get Last Request Status button. It will show the detailed information and processing result of each Collector that was selected to provide rawdata for the rebuilt report. The Status column has four kinds of statuses: Processing, Completed, Aborted, and Failure.
Abort Last Request: this part will be displayed below the Last Request block area only after users click on the Abort Last Request button. It will show the result of aborting the request.
Note
Only the user with the authority of administrator or superuser can access the Report Rebuild
menu.
Figure 3.7-2 System Admin / Report Rebuild Adding a New Request Window
Step 1. Click on the Check button in the Checking System Configuration block area to check whether the current system configuration equals the last dispatched configuration (the symbol != means not equal).
When the current system configuration is not consistent with the last dispatched configuration, the system will not allow you to add report-rebuilt requests (the Browse button will be disabled and Step 2 cannot proceed).
Step 2. Click on the Browse button to specify the Collectors of the data source and the time duration for the rebuilt report.
After you click on the Browse button, a Rawdata File window will pop up (as presented in Figure 3.7-3). First, select the year and month from the Date Used to Update drop-down lists to display the daily rawdata status of all Collectors for the entire month (Gray: No Data; Yellow: Incomplete Data; Green: Complete Data). Check the check boxes to specify Collectors. Then click on the radio button of the date that you want as the start date of the time duration and press the Update button of Start Time to update the start time. Likewise for the end time, click on the radio button of the date that you want as the end date of the time duration and press the Update button of Until. Note that the end time cannot be earlier than the start time. After you finish specifying the Collectors and time duration, click on the Submit button. All specified information will be updated in the Input Time Duration And Pick Up Collector block area of Step 2.
Figure 3.7-4 System Admin / Report Rebuild Looking Up Last Request Status Window
Figure 3.7-5 System Admin / Report Rebuild Aborting Last Request Window
1. Click on the Abort Last Request button to terminate the process of the last report-rebuilt request.
Once you click on this button, an Abort Last Request block area will be displayed above the Historical Request view list to tell you whether the abort completed or not. The system will indicate the reason if the abort failed.
4 Status
Status menu provides users with overall information about the event summary and the system profile. A Summary Report with concise information, including brief anomaly event statistics tables, the top N ongoing Anomalies, the top N most recent Alerts, the total number of anomalies, the system utilizations, and the utilizations of Cisco Guard devices, is presented for users to precisely understand the general situation of the system. Anomaly Console and Alert Log functions are also provided for users to query all events with many kinds of searching filters. With these functions, administrators can manage the system and their networks more effectively. When users click on the unfolding mark of Status, all its sub menus will be unfolded, including Summary, Anomaly Console, and Alert Log.
4.1 Summary
Summary menu presents significant traffic statistics and information in these tabs: Global: Anomaly Statistics, Ongoing Anomalies, and Most Recent Alerts; MSP Server: Anomaly Statistics and Ongoing Anomalies of the MSP Server; Anomaly: Summary Report; System: System Status, FLB Status and Cisco Guard Status; Resources: the number of configured resources and the maximum number that the system supports. The reason to gather the data that users might want to know urgently in one place is to ensure that users can immediately understand the entire situation. The refresh period of this page is decided by the configuration of Status Page Refresh Period in the Preferences/Status function. The configurable values are from 1 minute to 10 minutes.
Click on Summary menu to enter the Status Summary window (See Figure 4.1.1-1) and refer to
the descriptions below for details.
4.1.1 Global
The reports listed in the Global sub function are as follows (See Figure 4.1.1-1):
Anomaly Statistics: two brief anomaly statistics tables are provided here to report useful anomaly event statistics. They report the total numbers of the ongoing anomalies and of the anomalies detected in the last 24 hours (including how many are Yellow severity level and how many are Red severity level).
Ongoing Anomalies: a list table that reports the latest N ongoing anomaly events. The N value is decided by the configuration of The Maximum Number of Most Recent Ongoing Anomalies in the Preferences/Status function. The configurable values are from 3 to 20 (Default is 5). The information displayed in the table includes event ID, verification check box, traffic line chart, severity level, when the anomaly event started, event duration, the anomaly's direction, which type the anomaly is, and which resource the anomaly cautioned.
Most Recent Alerts: a list table that reports the most recent N alerts. The N value is decided by the configuration of The Maximum Number of Most Recent Alerts Displayed in the Preferences/Status function. The configurable values are from 3 to 30 (Default is 10). The information displayed in the table includes when the alert was issued, which type the alert is, which resource the alert cautioned, and a further description of the alert.
4.1.2 MSP Server
The reports present the anomaly traffic gathered from all MSP Servers. Click on MSP Server
sub-menu tab to enter the management window of MSP Server.
The reports listed in the MSP Server sub function are as follows (See Figure 4.1.2-1):
Anomaly Statistics: two brief anomaly statistics tables are provided here to report useful anomaly event statistics. They report the total numbers of the ongoing anomalies and of the anomalies detected in the last 24 hours (including how many are Yellow severity level and how many are Red severity level).
Ongoing Anomalies: a list table that reports the latest N ongoing anomaly events. The N value is decided by the configuration of The Maximum Number of Most Recent Ongoing Anomalies in the Preferences/Status function. The configurable values are from 3 to 20 (Default is 5). The information displayed in the table includes event ID, verification check box, MSP Server, severity level, Start Time, Duration, the anomaly's direction, Type (which type the anomaly is), and Resource (which resource the anomaly cautioned).
4.1.3 Anomaly
Click on the Anomaly sub function to enter the Anomaly Window (See Figure 4.1.3-1). The Anomaly report displays the total counts of three important types of anomaly events (Unexpected Traffic, DDoS/DoS Attacks, and Worms) in the last 24 hours (including how many are Yellow severity level and how many are Red severity level). The Unexpected Traffic event is actually Traffic Anomaly plus Interface Traffic anomaly; the DDoS/DoS Attack event is Protocol-Misuse anomaly; and the Worm event is Application anomaly.
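As an added illustration (not code from GenieATM), the following Python computes the Global tab's Anomaly Statistics tables and the Anomaly summary categories described above from a constructed list of events, and renders the Duration column in the Anomaly Console's "00 hours / 00 mins / 00 secs" format; the field names and the sample events are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Category mapping as the Anomaly summary states it (type names assumed to be spelled as in the manual).
SUMMARY_CATEGORIES = {
    "Unexpected Traffic": {"Traffic Anomaly", "Interface Traffic"},
    "DDoS/DoS Attacks": {"Protocol-Misuse"},
    "Worms": {"Application"},
}


@dataclass
class AnomalyEvent:
    event_id: int
    severity: str                   # "Yellow" or "Red"
    status: str                     # "ongoing", "recovered" or "obsolete"
    anomaly_type: str               # e.g. "Protocol-Misuse"
    start: datetime
    end: Optional[datetime] = None  # None while the event is not recovered


def _split_by_severity(events):
    """Total plus Yellow/Red counts, the shape of one Anomaly Statistics table."""
    return {
        "total": len(events),
        "Yellow": sum(1 for e in events if e.severity == "Yellow"),
        "Red": sum(1 for e in events if e.severity == "Red"),
    }


def anomaly_statistics(events, now):
    """The two Anomaly Statistics tables of the Global tab: ongoing events and
    events detected in the last 24 hours, each split into Yellow and Red."""
    cutoff = now - timedelta(hours=24)
    return {
        "ongoing": _split_by_severity([e for e in events if e.status == "ongoing"]),
        "last_24h": _split_by_severity([e for e in events if e.start >= cutoff]),
    }


def anomaly_summary(events, now):
    """The Anomaly sub function: last-24-hour counts per summary category."""
    cutoff = now - timedelta(hours=24)
    return {
        category: _split_by_severity(
            [e for e in events if e.start >= cutoff and e.anomaly_type in types])
        for category, types in SUMMARY_CATEGORIES.items()
    }


def format_duration(event, now):
    """Duration column as the Anomaly Console renders it. An unrecovered event is
    measured up to 'now', since it shows no end time."""
    secs = int(((event.end or now) - event.start).total_seconds())
    hours, rem = divmod(secs, 3600)
    mins, secs = divmod(rem, 60)
    return f"{hours:02d} hours / {mins:02d} mins / {secs:02d} secs"


# Constructed sample data (not captured from a system); NOW is the page refresh moment.
NOW = datetime(2009, 8, 18, 15, 12, 0)
SAMPLE_EVENTS = [
    AnomalyEvent(24035, "Red", "ongoing", "Protocol-Misuse", NOW - timedelta(hours=1)),
    AnomalyEvent(24036, "Yellow", "recovered", "Traffic Anomaly",
                 NOW - timedelta(hours=3, minutes=37, seconds=42), NOW - timedelta(hours=2)),
    AnomalyEvent(24030, "Red", "ongoing", "Application", NOW - timedelta(hours=30)),
    AnomalyEvent(24037, "Yellow", "ongoing", "Interface Traffic", NOW - timedelta(minutes=10)),
    AnomalyEvent(24020, "Yellow", "obsolete", "Protocol-Misuse",
                 NOW - timedelta(hours=48), NOW - timedelta(hours=47)),
]

if __name__ == "__main__":
    print(anomaly_statistics(SAMPLE_EVENTS, NOW))
    print(anomaly_summary(SAMPLE_EVENTS, NOW))
    for ev in SAMPLE_EVENTS:
        print(ev.event_id, format_duration(ev, NOW))
```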
4.1.4 System
Click on the System sub function to enter the System Window (See Figure 4.1.4-1) and refer to the
description below for details.
System Status: a list table that reports the latest performance profiling statuses of the Controller, Collectors, and MSP Server (shown when the system supports the MSP module), their associated routers, and the hardware messages (status and events). It allows users to look up the utilization of devices not only in real time but also in the past. In addition, clicking on the Report button can present a line chart report for the CPU usage, memory usage, and DB Disk usage.
Hardware
There are two buttons, Status and Events, to display the hardware messages. The
messages from hardware status and events are implemented by the hardware manufacturer.
Click on the Status button to display the status of sensed hardware (See Figure 4.1.4-2). The Status report of the Hardware displays Sensor Name, Present (status), Entity ID, and Current Reading.
Click on the Event button to show the events of the device's hardware (See Figure 4.1.4-3). The Events report of the Hardware lists No., Date/Time, Source, Description and Direction. Users can also set the number of entries displayed per page by selecting the number from the drop-down list above the list table.
Note
Users can also show the hardware messages via the CLI command, ipmitool shell, in enable mode.
Report
After users click on Report button, a pop-up window will be shown (See Figure 4.1.4-4). In
this window, users can see two parts: Query Bar and Report Chart.
Report Chart
The line charts displayed here are CPU Usage, Memory Usage, and DB Disk Usage. The first one is the CPU utilization chart; the second one is the memory utilization chart; the third one is the chart of DB disk utilization. The X-coordinate represents time and will be scaled according to the time period selected by users. The Y-coordinate of the CPU, Memory and DB Disk Usage charts represents the percentage of utilization.
Query Bar
This part is located on the top of the screen and contains condition options below:
Go: after finishing the query conditions, click on this button to submit the query.
Cancel: click on this button to cancel the query and close the pop-up window.
4.1.5 Resources
The Resources Summary view list displays the resources information. It includes Resource, System Limit Description, Configured and Limit (see Figure 4.1.5-1). The number of configured resources and the limit of each resource are shown. In addition, the underlined records in the Configured column can be clicked to view the detailed information (see Figure 4.1.5-2).
4.2 Anomaly Console
Anomaly Console menu is mainly to provide various reports of anomaly events through Anomaly
Console. Anomaly Console sub function allows users to list out a variety of anomaly events
detected via several searching filters, provides summary and detailed traffic characteristics for
each detected anomaly event, and is able to generate appropriate ACL (Access Control List)
commands as suggestions for network operators.
After clicking the Anomaly Console menu displayed on the Sub Menu tree of Status at the left
side of the screen, users will enter the Anomaly Console window (the default entered window) and
see the sub-menu tabs, Global and MSP Server, appearing above the screen (See Figure 4.2-1).
Note
When the system supports the MSP module (value-added function), the tab, MSP Server, will
show.
4.2.1 Global
Click on Global sub-menu tab to enter the Anomaly Console Querying window (See Figure 4.2-1).
The default sorting way to list the anomaly events is descending according to the ID number.
Severity: three pieces of information are shown in this field. Firstly, the severity degree in terms
of Yellow/Red of the anomaly is shown; following displays the detected traffic rate at which the
event was determined as the previous severity degree; finally the event threshold value
configured for this anomaly event is shown.
Status: the present status of an anomaly event that could be ongoing, recovered, or obsolete.
Start Time/End Time: the beginning time/close time of an anomaly event. The displaying format
is mm-dd hh:mm (e.g. 08-18 15:12). If an anomaly event is not recovered, there shows no end
time.
Duration: a time period that represents how long an anomaly event lasts. The displaying format
is 00 hours / 00 mins / 00 secs (e.g. 27 hours / 37 mins / 42 secs).
Direction: the traffic direction of an anomaly event.
Type: a category plus an anomaly type and with a monitored traffic statistic object (e.g. Traffic
Anomaly by bps / Protocol-Misuse with TCP SYN Flooding by pps / Application with Code Red
by pps).
Resource: the detection scope of a detected anomaly event and its related information. For
Traffic anomaly, here will show resource type and the resource name of detection scope only.
For Protocol-Misuse and Application anomalies, if the resource type is Global, then here will
show resource type and Global type, Home or Non-Home (Home indicates the host IP address
of detected anomaly event belongs to Home and Non-Home indicates the host IP address of
detected anomaly event belongs to outside of Home.), and event-triggered host IP address; if
the resource type is Sub-Network, then Home or Non-Home will be replaced by resource name
and other information will be the same.
Time Period: daily, weekly, monthly, and quarterly. This is another way, different from Time Range, to specify the report's time interval. In this way, fixed time intervals are provided to present the analysis report with an end time specified from the Until drop-down list. Once users choose this way, the Start Time drop-down list will be unavailable.
Start Time: year, month, date, and time. This drop-down list represents the start time of
reports time interval. Users can specify the start date of the analysis report from either the
year/month/date drop-down lists or a year-month-date time table. After clicking on Start
Time, the year-month-date time table will be shown. Specify the year and month from the
drop-down lists in the time table, select the date by using your cursor to click on (the
selected date will be highlighted), and then click on the OK button. Or click on the
Cancel button to close the time table. Specify the time from the time drop-down list after
finishing the selections of year, month, and date. If users choose the Period way to specify
the reports time interval, this drop-down list will be unavailable.
Until: year, month, date, and time. This drop-down list represents the end time of the report's time interval. Please refer to the Start Time description above for operation.
The system will list all anomaly events detected in the Anomaly Console view list according to
the filters you specified.
Action Buttons Description
Note
1. Page-control buttons are above the view list:
| < button: to go to the first page.
<< button: to go to the previous page.
>> button: to go to the next page.
> | button: to go to the end page.
The Page drop-down list: to go to a specific page selected from the drop-down list. The
numerator represents the page you are going to list and the denominator represents the
total pages.
2. An Anomaly ID searching function is provided. It is located next to the Page-control
buttons and above the view list. Users can input the ID of the anomaly event in the
Anomaly ID blank and then press the View button to quickly find out a specific anomaly
from plenty of listed anomalies. The Summary Anomaly report of the searched anomaly
will pop up (Please refer to the descriptions below for details.)
3. A Rows per Page drop-down list is provided to control the displayed entries per page of
the Anomaly Console view list. The number 10 with an asterisk means the default value.
Figure 4.2-2 Status / Anomaly Console / Summary Anomaly Report Window (Sub-Network Resource Type)
Anomaly Event List Table
This part is on the upper area of the screen. It shows the brief information of the clicked
anomaly event. For details, please refer to the descriptions in Figure 4.2-2.
There are buttons located at the right-upper corner above the list table, and a Cripple Attack check box is in the ID field of the list table. The descriptions are as follows.
View Raw Flow : this button is used to view all received raw flows of the clicked anomaly
event from routers. Once users click on this button, an Anomaly Raw Flow pop-up window
will show and display raw flows for all routers. Users can use Download button to
download the raw flow file in a desired storage.
Forced Obsolete : this button is used to obsolete an anomaly event when users consider the event not worth tracing for some exceptional issues. Once users click on this button, the anomaly event will be obsoleted. If the traffic detection related to this anomaly is still going on and the detected traffic is larger than the anomaly threshold, a new anomaly event will be created since the original one has been obsoleted.
Details : this button is used to display the detail report of the clicked anomaly event. Once
clicking on this button, users will enter the Detail Anomaly Report window. Please refer to the
descriptions below for the detail anomaly report.
Cancel : clicking on this button can close the Detail Anomaly Report pop-up window.
Cripple Attack : this check box is used to manually disable the clicked anomaly event.
Once users check on this check box, the system will count this event traffic in the calculation
of traffic baseline. This function is only applied to tickets triggered by auto-learning baseline.
Traffic Line Chart
A traffic line chart with a timer controller is provided for users to query a specific time period
traffic statistics of the monitored anomaly event. Select the start time
(year/month/date/hour/minute) and the duration (hour) from the drop-down lists, and then click
on the Go button to submit the query. The default start time in this time controller is the start time of the queried anomaly event, and the default duration in the drop-down list is 0.25 hour (15 minutes).
Remarks
This Remarks column is used to record additional information relevant to the anomaly events.
Up to 800 characters are available. The Update button will be clickable after any characters
are inputted.
Traffic Characteristics
This part will display the latest top N traffic analysis statistics of traffic characteristics items of
the queried anomaly event by bps and pps. There are some certain formulas used to
determine the N value. According to different anomaly types, different Traffic Characteristics
items will be displayed.
Network Elements
This part will display the latest Top N routers with input-interface and routers with
output-interface which are most impacted by the traffic of the anomaly event queried. The Top
N analysis statistics are provided with bps and pps units.
Mitigation
This part will display the information of all added mitigation actions for the detected anomaly
event (Only 1.Incoming traffic direction; 2. High Watermark is over a specific amount; 3.
Sub-Network resource types with Traffic Anomaly, Protocol-Misuse, or Application type). Click
on Add button to add new mitigation action, an Add Mitigation window will pop up. Specify a
mitigation method from the Method drop-down list and then provide all requested information.
For more details, please refer to the Hardware Mitigation and Blackhole section of
Mitigation.
[Detail Anomaly Report Description of Sub-Network Resource Type]
Figure 4.2-3 Status / Anomaly Console / Detail Anomaly Report Window (Sub-network Resource Type)
Traffic Characteristics
The system provides view points for users to understand the evolution of the selected anomaly
event in terms of its traffic characteristics at different time points (sorting by per minute).
In addition, the Detail Anomaly Report window also provides the functions that allow users to
link to the Snapshot menu with the provided anomaly traffic characteristics and view the ACL
commands generated by the system. These functions are implemented by the Snapshot
and Generate ACL buttons. Please follow the steps below:
Linking to Snapshot Menu
1. Decide one or more analyzed traffic characteristics as the snapshot analysis criteria and click on the Lock check boxes (at the end of the rows) of the decided traffic characteristics.
2. Click on Snapshot button.
A Snapshot window with the analysis criteria you checked will pop up after the clicking. For Sub-Network resource, the snapshot scope of this page will be locked as the Sub-Network entity of the queried anomaly event. Since most operations are the same as the Snapshot main menu, please refer to Snapshot menu (on the Main Menu tree) for more detailed function information.
Generating ACL Commands
1. Decide one or more traffic characteristics as the target that you want to lock and click on the Lock check boxes (at the end of the rows) of the decided traffic characteristics.
2. Click on Generate ACL button.
An ACL Generate Tool window will pop up after the clicking (See Figure 4.2-3). The Configuration part in this window will show the traffic characteristics you checked in the previous step. It also allows you to do the tuning by manual configuration here before populating the ACL commands.
3. Click on Update button in the ACL Generate Tool window to generate ACL commands. (Please see Figure 4.2-4)
After you press the button, the system will generate appropriate ACL commands according to the traffic characteristics you selected and show the commands in the Result text box. A Router Type drop-down list is provided in order to meet the different needs of ACL commands for different router brands (Cisco / Juniper / Foundry). With different router types selected, the system will generate different ACL commands for users. Note that TCP Flag is only available for the Cisco router type.
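The ACL Generate Tool's own output is not reproduced in this manual; as an added, illustrative example (not GenieATM's code), the Python below builds the kind of deny rule the tool produces from a set of locked traffic characteristics for the Cisco and Juniper router types, and enforces the rule stated above that TCP Flag is available only for the Cisco type. The field names, the rule wording and the sample characteristics are assumptions; the Foundry type is not covered.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional

# Legacy IOS extended-ACL TCP flag keywords (the only router type the tool offers TCP Flag for).
CISCO_TCP_FLAGS = {"syn", "ack", "fin", "rst", "psh", "urg", "established"}


@dataclass(frozen=True)
class LockedCharacteristics:
    """Traffic characteristics locked in the Detail Anomaly Report (field names assumed)."""
    protocol: str                    # "tcp", "udp" or "icmp"
    src: str = "any"                 # host address, CIDR prefix, or "any"
    dst: str = "any"
    dst_port: Optional[int] = None   # TCP/UDP only
    tcp_flag: Optional[str] = None   # Cisco only, e.g. "syn"


def _validate(c: LockedCharacteristics, router_type: str) -> None:
    if c.protocol not in ("tcp", "udp", "icmp"):
        raise ValueError(f"unsupported protocol {c.protocol!r}")
    if c.dst_port is not None and c.protocol == "icmp":
        raise ValueError("a destination port is meaningless for icmp")
    if c.tcp_flag is not None:
        if router_type != "Cisco":
            raise ValueError("TCP Flag is only available for the Cisco router type")
        if c.protocol != "tcp" or c.tcp_flag not in CISCO_TCP_FLAGS:
            raise ValueError(f"invalid TCP flag {c.tcp_flag!r} for protocol {c.protocol}")


def _cisco_addr(a: str) -> str:
    """'any', 'host x.x.x.x', or 'network wildcard' as Cisco extended ACLs expect."""
    if a == "any":
        return "any"
    net = ipaddress.IPv4Network(a, strict=False)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def _juniper_addr(a: str) -> str:
    return str(ipaddress.IPv4Network(a, strict=False))   # always prefix form, /32 for a host


def generate_acl(c: LockedCharacteristics, router_type: str, acl_id: int) -> List[str]:
    """Return configuration lines: a deny rule for the anomaly traffic followed by a permit for
    everything else. acl_id is the extended ACL number (Cisco) or the anomaly ID used in the
    filter name (Juniper)."""
    _validate(c, router_type)
    if router_type == "Cisco":
        rule = f"access-list {acl_id} deny {c.protocol} {_cisco_addr(c.src)} {_cisco_addr(c.dst)}"
        if c.dst_port is not None:
            rule += f" eq {c.dst_port}"
        if c.tcp_flag:
            rule += f" {c.tcp_flag}"          # flag keyword follows the port in IOS syntax
        return [rule, f"access-list {acl_id} permit ip any any"]
    if router_type == "Juniper":
        match = [f"protocol {c.protocol};"]
        if c.src != "any":
            match += ["source-address {", f"    {_juniper_addr(c.src)};", "}"]
        if c.dst != "any":
            match += ["destination-address {", f"    {_juniper_addr(c.dst)};", "}"]
        if c.dst_port is not None:
            match.append(f"destination-port {c.dst_port};")
        lines = ["firewall {", "    family inet {", f"        filter anomaly-{acl_id} {{",
                 "            term deny-anomaly {", "                from {"]
        lines += [f"                    {m}" for m in match]
        lines += ["                }", "                then discard;", "            }",
                  "            term permit-rest {", "                then accept;", "            }",
                  "        }", "    }", "}"]
        return lines
    raise NotImplementedError(f"router type {router_type!r} is not covered by this example")


# Constructed sample: a SYN flood from one prefix toward one web server (addresses are documentation ranges).
SAMPLE = LockedCharacteristics(protocol="tcp", src="203.0.113.0/24",
                               dst="198.51.100.10", dst_port=80, tcp_flag="syn")

if __name__ == "__main__":
    print("\n".join(generate_acl(SAMPLE, "Cisco", 101)))
    print("\n".join(generate_acl(replace(SAMPLE, tcp_flag=None), "Juniper", 24035)))
```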
Figure 4.2-4 Status / Anomaly Console / Detail Anomaly Report -- ACL Generate Tool Window
Figure 4.2-5 Status / Anomaly Console / Summary Anomaly Report Window (Filter Resource Type)
The following only describes the summary anomaly report of the Filter resource type.
Anomaly Event List Table
Display the information of the selected anomaly event.
Traffic Line Chart
GenieATM will combine the traffic statistics from the routers, which enables traffic detection for
the queried Filter, in this chart. Therefore, more than one traffic line may be displayed here.
Users can compare the differences between multiple routers about the traffic of this Filter. The
color marks indicate the traffic from which router. For other details, please refer to the Traffic
Line Chart part of Summary Anomaly Report Description of Sub-Network Resource Type
above.
4.2.2 MSP Server
This report presents the anomaly traffic gathered from all MSP servers. Click on the MSP Server sub-menu tab to enter the Anomaly Console window of the MSP Server (see Figure 4.2-6). The default sorting order of the anomaly events is descending by ID number. Users can click on the ID of an entry to view the Summary Anomaly report.
Except that some of the field names are different, the descriptions of the operation steps and reports are the same as in the Global section of Status / Anomaly Console.
Figure 4.2-6 Status / Anomaly Console / MSP Server Anomaly Console Querying Window
4.3 Log
Log menu presents a variety of alert events issued by the system and their recoveries. Three types of logs are displayed here: Alert Log, Mitigation Log and Login Log. Alert Log records system statuses that are abnormal or failed. Mitigation Log records the status and action of anomaly mitigation. Login Log records user account access to the system. Please refer to the following sections for detailed descriptions.
4.3.1 Alert Log
An alert is used to inform users of a significant status change or failure, with a severity. For the same resource with the same cause, an alert will only be generated once. This prevents delivering masses of emails and traps. The following alert types are supported:
SNMP Polling: alerts associated with the SNMP polling module. Two causes: one is SNMP failure or recovery; the other is a traffic threshold crossed by SNMP polling information.
Module Monitoring: when a module went up or went abnormal/down (Operation Status changed).
BGP Monitoring: when any of the following situations happens: Hijack warning, BGP updates crossing a threshold.
Configure Manager: when the download of configuration changes to a module failed.
Collector: when any router under a Collector has not exported any NetFlow for more than a specific time (i.e. 5 minutes).
Click on the Alert Log menu to enter the Alert Log Querying window (See Figure 4.3.1-1). The information displayed in the Alert Log view list includes No., Alert Time, Alert Type, Resource Name, and Description. The default sorting order of the alert logs is descending by alert time. Users can sort the alert logs in ascending or descending order by clicking on the sort icons of a column.
Note
If an alert has recovered, the system will issue an alert recovery log.
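To make the once-per-resource-and-cause rule and the recovery log concrete, here is an added Python illustration (not the system's own code) of an alert log that suppresses repeat alerts for the same (resource, cause) pair and writes a recovery row when the condition clears, exercised with the Collector alert type's no-NetFlow-for-more-than-5-minutes cause on a constructed timeline; the names, row layout and sample timeline are assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

NETFLOW_SILENCE = timedelta(minutes=5)   # Collector alert cause: no NetFlow for more than 5 minutes


class AlertLog:
    """One alert per (resource, cause) until it recovers; the recovery writes its own log row."""

    def __init__(self) -> None:
        self.active: Dict[Tuple[str, str], datetime] = {}
        # Rows as the Alert Log view lists them: Alert Time, Alert Type, Resource Name, Description
        self.entries: List[Tuple[datetime, str, str, str]] = []

    def raise_alert(self, when: datetime, alert_type: str, resource: str,
                    cause: str, description: str) -> bool:
        key = (resource, cause)
        if key in self.active:
            return False          # already alerted for this resource and cause: no second mail or trap
        self.active[key] = when
        self.entries.append((when, alert_type, resource, description))
        return True

    def recover(self, when: datetime, alert_type: str, resource: str, cause: str) -> bool:
        key = (resource, cause)
        if key not in self.active:
            return False          # nothing outstanding, so no recovery log either
        del self.active[key]
        self.entries.append((when, alert_type, resource, f"{cause}: recovered"))
        return True


def check_collector_exports(log: AlertLog, now: datetime,
                            last_export: Dict[Tuple[str, str], datetime]) -> None:
    """Collector alert type: raise for each router silent longer than NETFLOW_SILENCE and
    recover once it exports again. last_export maps (collector, router) -> last NetFlow time."""
    for (collector, router), seen in last_export.items():
        cause = f"no NetFlow from router {router}"
        if now - seen > NETFLOW_SILENCE:
            log.raise_alert(now, "Collector", collector, cause,
                            f"router {router} has not exported any NetFlow for more than 5 minutes")
        else:
            log.recover(now, "Collector", collector, cause)


def run_constructed_timeline() -> AlertLog:
    """Constructed scenario (not captured from a system): router R1 under Collector C1 is
    silent at two consecutive polls, then resumes exporting; R2 stays healthy throughout."""
    log = AlertLog()
    t0 = datetime(2009, 8, 18, 15, 12)
    exports = {("C1", "R1"): t0 - timedelta(minutes=6),      # already silent for 6 minutes
               ("C1", "R2"): t0 - timedelta(seconds=30)}     # exporting normally
    check_collector_exports(log, t0, exports)                                # alert for R1
    check_collector_exports(log, t0 + timedelta(minutes=1), exports)         # still silent: no duplicate
    exports[("C1", "R1")] = t0 + timedelta(minutes=3)                        # R1 exports again
    check_collector_exports(log, t0 + timedelta(minutes=3), exports)         # recovery row for R1
    return log


if __name__ == "__main__":
    for row in run_constructed_timeline().entries:
        print(*row)
```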
3. Select the end time for the time period you specified from the Until drop-down list.
The end time includes Year, Month, and Date. The system will list all alert logs from the date you selected backward over the time period you specified. For example, if you specified 7 days as your time period and selected 2005/8/11 as your end time, the system will list all alert logs from 2005/8/11 backward to 2005/8/5.
4. Select a number that you want to display the alert logs per page from the Alerts Per Page
drop-down list.
The configurable values are 10, 15, 20, 25, and 30 (Default is 15).
5. Click on Go button to submit your query.
4.3.2 Mitigation Log
Click on the Auto-Mitigation Log sub-menu tab to enter the Auto-Mitigation Log Querying window (See Figure 4.3.2-1). The information displayed in the Mitigation Log view list includes No., Mitigation (ID/Execution Time), Protected IP/Prefix, Related Anomaly (ID/Resource), Device Type, Cisco Guard | Next Hop (Zone | Community), Action, Result (Cause of Failure), Operator. The default sorting order of the logs is descending by No. (generated automatically by the system).
Time Period: daily, weekly, monthly, and quarterly. This is another way, different from Time Range, to specify the report's time interval. In this way, fixed time intervals are provided to present the analysis report with an end time specified from the Until drop-down list. Once users choose this way, the Start Time drop-down list will be unavailable.
Start Time: year, month, date, and time. This drop-down list represents the start time of
reports time interval. Users can specify the start date of the analysis report from either the
year/month/date drop-down lists or a year-month-date time table. After clicking on Start
Time, the year-month-date time table will be shown. Specify the year and month from the
drop-down lists in the time table, select the date by using your cursor to click on (the
selected date will be highlighted), and then click on the OK button. Or click on the
Cancel button to close the time table. Specify the time from the time drop-down list after
finishing the selections of year, month, and date. If users choose the Period way to specify
the reports time interval, this drop-down list will be unavailable.
Until: year, month, date, and time. This drop-down list represents the end time of the report's time interval. Please refer to the Start Time description above for operation.
Anomaly ID: to list all anomaly events. Please input the ID (eg. 24035).
Protected IP/Prefix: to list all Protected IP address/Prefix. Please input an IP address or
range with CIDR format (eg. 192.168.10.0/25).
2. Users can also directly click on an ID of Anomaly or Mitigation to view the records.
4.3.3 Login Log
Click on the Login Log sub-function tab to enter the Login Log Querying window. (See Figure 4.3.3-1) The information displayed in the Login Log view list includes No., User ID, Login Method, Last Login IP, Last Login Time, and Last Logout Time.
6 Snapshot
The Traffic Snapshot function of GenieATM is designed for instant flow analysis and presents the
instant flow status of the specified network range in a TOP N report. GenieATM provides two kinds of
analyzed data sources, cache and rawdata files. The rawdata source provided can meet the needs
on analyzing a specific time period in the past. Users are also allowed to export or import the analysis
configurations of scope, criteria, and aggregation. With the configuration of analysis criteria, users
can sieve out some specific traffic from the entire traffic for Top-N analysis. In addition, users can
configure the N value of the TOP N report according to the needs (default value is 10 and the
maximum is 120). Click on the Snapshot menu to enter the Snapshot management window as
presented in Figure 6-1. In following sections, we will introduce how to conduct various data mining
with the Snapshot function and describe the Snapshot (Instant) Top N report content.
2. Browse Helper
This browse helper helps users quickly find a specific target among a large number of objects;
the function is only available for the Filter scope types. The object type being browsed is
determined by the selected scope type. After clicking on the Browse button, an interactive window
pops up.
Searching: this drop-down list shows all available search filters.
Filter: Filter ID, Filter Name/Remarks.
Keyword field: input a keyword in this field after selecting a search filter.
Go : click on this button to start the keyword search.
Page-control buttons and the Page drop-down list:
| < button: go to the first page.
<< button: go to the previous page.
>> button: go to the next page.
> | button: go to the last page.
The Page drop-down list: go to a specific page selected from the drop-down list. The
numerator is the page you are going to list and the denominator is the total number of pages.
Entries/Page drop-down list: controls the number of entries displayed per page of the view
list. There are five options: 10, 20, 30, 60, and 120. The number 20 with an asterisk is the
default value.
Radio button: click on a radio button to select the wanted or found object from the view list.
Submit : after selecting the object from the view list, click on this button to send the request.
Cancel : click on this button to close the pop-up window.
3.
(1) Protocol/Port
Users can restrict the snapshot traffic to flows with a specific source, destination, or source
and destination combination of protocol and port. Input the protocol/port pairs in the
Source/Input Interface and Destination/Output Interface boxes of the Protocol/Port field, and
separate multiple protocol/port combinations with commas.
Example: check the Protocol/Port check box and input tcp/80 in the Source/Input box of the
Protocol/Port field if the www application is required as the analysis criterion for the collected
flow data. Note that a source port of tcp/80 matches the traffic sent by web servers; to see the
requests sent to web servers, input tcp/80 in the Destination/Output box instead.
(2) Interface
Users can restrict the snapshot traffic to flows with specific source, destination, or source
and destination interfaces. Follow these instructions to configure the interface criteria:
Click on Browse to display the device interface information (as presented in Figure 5-2).
Select a router group from the Router Group drop-down list.
Select a flow exporter (router) from the Router drop-down list.
Check the check boxes to select input/output interfaces of the flow exporter and click on
Add to add the interface to the Source/Input Interface or Destination/Output Interface box of
the Interface field. To clear the check boxes, click on the Reset button. To close the
window, click on the Cancel button.
Example: to collect the flow data whose source or destination interface is Router1.11 on the
device Router 1 (Router 1 does not belong to any router group), check the Interface check box,
select All Routers from the Router Group drop-down list, select the device Router 1 from the
Router drop-down list, and check the input and output check boxes of the interface Router1.11.
Then click on the Add button to add the interface to the text field.
(4) IPv4
This field is available when users define the IP version as IPv4 or Both in the Scope field.
Users can restrict the snapshot traffic to flows with specific source, destination, or source and
destination IP addresses. The IP space is configured as one or more IP prefixes.
Example: to set 192.168.3.0-255 as the source IP block and 192.168.88.0-127 as the
destination IP block for the scope of collected flow data, check the IP check box, enter
192.168.3.0/24 in the Source/Input Interface box of the IP field and 192.168.88.0/25 in the
Destination/Output Interface box of the IP field.
(5) IPv6
This field is available when users define the IP version as IPv6 or Both in the Scope field.
Users can restrict the snapshot traffic to flows with specific source, destination, or source and
destination IP addresses. The IP space is configured as one or more IP prefixes.
Example: to set fe80::5efe:192.168.38.168/128 as the source IP block and ::1/128 as the
destination IP block for the scope of collected flow data, check the IP check box, enter
fe80::5efe:192.168.38.168/128 in the Source/Input Interface box and ::1/128 in the
Destination/Output Interface box.
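As an added illustration of how the Protocol/Port, Interface, IPv4 and IPv6 criteria above narrow a flow set before the Top N ranking, the following Python script (example code, not part of GenieATM or of this manual) applies criteria written in the same syntax as the UI boxes (tcp/80, comma-separated lists, CIDR prefixes) to a handful of constructed flow records and produces a Top N table with the same default and cap (10 and 120). The record fields, the AND semantics between the Source and Destination boxes, and the byte-based ranking are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not taken from GenieATM): the fields a flow exporter
# provides and that the Snapshot criteria operate on.
SAMPLE_FLOWS = [
    {"src": "192.168.3.10", "dst": "203.0.113.5", "proto": "tcp", "sport": 80, "dport": 51234,
     "in_if": "Router1.11", "out_if": "Router1.2", "bytes": 900_000},
    {"src": "192.168.3.11", "dst": "203.0.113.5", "proto": "tcp", "sport": 443, "dport": 51235,
     "in_if": "Router1.11", "out_if": "Router1.2", "bytes": 400_000},
    {"src": "198.51.100.7", "dst": "192.168.88.20", "proto": "tcp", "sport": 40000, "dport": 80,
     "in_if": "Router1.2", "out_if": "Router1.11", "bytes": 50_000},
    {"src": "198.51.100.9", "dst": "192.168.88.200", "proto": "udp", "sport": 53, "dport": 3330,
     "in_if": "Router1.2", "out_if": "Router1.3", "bytes": 2_000},
    {"src": "192.168.3.12", "dst": "192.168.88.21", "proto": "tcp", "sport": 55000, "dport": 22,
     "in_if": "Router1.3", "out_if": "Router1.11", "bytes": 10_000},
    {"src": "fe80::5efe:192.168.38.168", "dst": "::1", "proto": "tcp", "sport": 80, "dport": 6000,
     "in_if": "Router1.11", "out_if": "Router1.2", "bytes": 30_000},
]


def parse_proto_ports(text):
    """'tcp/80, udp/53' (the comma-separated Protocol/Port box) -> {('tcp', 80), ('udp', 53)}."""
    pairs = set()
    for item in text.split(","):
        item = item.strip()
        if item:
            proto, _, port = item.partition("/")
            pairs.add((proto.lower(), int(port)))
    return pairs


def parse_prefixes(text):
    """Comma-separated CIDR prefixes, IPv4 or IPv6; strict=False tolerates host bits (192.168.3.1/24)."""
    return [ipaddress.ip_network(p.strip(), strict=False) for p in text.split(",") if p.strip()]


def parse_names(text):
    """Comma-separated interface names such as 'Router1.11, Router1.3'."""
    return {i.strip() for i in text.split(",") if i.strip()}


def in_prefixes(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    # an IPv4 address is never inside an IPv6 prefix (and vice versa); ipaddress returns False there
    return any(ip in net for net in prefixes)


def build_criteria(src_pp="", dst_pp="", src_if="", dst_if="", src_ip="", dst_ip=""):
    """One argument per Source/Input or Destination/Output box; an empty box leaves that side unrestricted."""
    return {"src_pp": parse_proto_ports(src_pp), "dst_pp": parse_proto_ports(dst_pp),
            "src_if": parse_names(src_if), "dst_if": parse_names(dst_if),
            "src_ip": parse_prefixes(src_ip), "dst_ip": parse_prefixes(dst_ip)}


def flow_matches(flow, crit):
    """Every configured box must match (source AND destination when both are set)."""
    checks = [
        (crit["src_pp"], lambda: (flow["proto"], flow["sport"]) in crit["src_pp"]),
        (crit["dst_pp"], lambda: (flow["proto"], flow["dport"]) in crit["dst_pp"]),
        (crit["src_if"], lambda: flow["in_if"] in crit["src_if"]),
        (crit["dst_if"], lambda: flow["out_if"] in crit["dst_if"]),
        (crit["src_ip"], lambda: in_prefixes(flow["src"], crit["src_ip"])),
        (crit["dst_ip"], lambda: in_prefixes(flow["dst"], crit["dst_ip"])),
    ]
    return all(check() for configured, check in checks if configured)


def top_n(flows, aggregate, n=10):
    """Rank the aggregation key ('src', 'dst', 'proto', 'in_if', ...) by bytes.
    N defaults to 10 and is capped at 120, as in the Snapshot UI."""
    n = max(1, min(int(n), 120))
    totals = defaultdict(int)
    for f in flows:
        totals[f[aggregate]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def snapshot(flows, crit, aggregate, n=10):
    """Sieve the flows with the criteria, then rank the survivors: the Snapshot Top N report."""
    return top_n([f for f in flows if flow_matches(f, crit)], aggregate, n)


if __name__ == "__main__":
    # the manual's first example: tcp/80 in the Source/Input box, ranked by source address
    for key, nbytes in snapshot(SAMPLE_FLOWS, build_criteria(src_pp="tcp/80"), "src"):
        print(f"{key:30} {nbytes:>10} bytes")
```

Running the script with `dst_ip="192.168.88.0/25"` instead shows the /25 boundary at work: 192.168.88.200 is outside the block and drops out of the table, while 192.168.88.20 and 192.168.88.21 remain.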
Action Buttons
The action buttons are located at the bottom of the page and are described as follows:
Back : go back to the Snapshot management window with the previously selected criteria.
Generate ACL : pressing this button obtains system-generated ACL commands matching the
analyzed traffic characteristics. Please refer to the Generating ACL Commands part in
Anomaly Console.
Snapshot : users can use this button to perform a further drill-down analysis that narrows the
scope of the target traffic. For instance, after performing a snapshot with a large analysis scope
and loose criteria, users can narrow the scope and tighten the criteria based on the ranked
objects they find, and run the next round of snapshot. Check the specific check boxes and then
click on this button.
Note
There is a restriction on using the ranked Applications and Packet Sizes for snapshot
drill-down. Only the highest-ranked selected object becomes the default criterion for the next
round of snapshot, since the system does not support multiple selections for the Application and
Packet Size criteria. For example, if users select the top 3 ranked applications (HTTP, FTP,
SMTP) after a previous snapshot to run the next round, the system will list only the HTTP
application as the default scope criterion after clicking on the Snapshot button. Besides, the
Router aggregation method cannot be passed back as a criterion.
Cancel : go back to the Snapshot management window.
Latest 100 Raw Flows : users can view the latest 100 raw flow records from a specific collector.
Select a collector from the From drop-down list and then click on this button. A Latest 100 Raw
Flows window pops up and the latest 100 records are displayed (See Figure 5-4).
Figure 5-4 Snapshot -- Instant Top N Report / Latest 100 Raw Flows
Mitigation
The Mitigation menu (on the Main Menu tree) provides mitigation methods for executing
mitigation actions that protect network resources or filter anomaly traffic. Two mitigation methods
are provided here, Hardware Mitigation and Blackhole. In Hardware Mitigation, GenieATM integrates
with a traffic-cleaning device (such as Cisco Guard) that scrubs the attack traffic and forwards the
clean traffic back to its original destination; Blackhole uses a scoped BGP announcement to steer the
anomaly traffic to a configured honeypot or blackhole device. Do not confuse this menu with the
Mitigation sub menu of System Admin, which is for configuring the essential mitigation elements
such as blackhole next hops and mitigation devices. With this function, administrators, the
superuser, or users whose privilege template grants it can add, manage, and remove the mitigation
actions of the system. When users click on the unfolding mark of Mitigation, all its sub menus will be
unfolded, including Hardware Mitigation and Blackhole.
6.1
Blackhole
The Blackhole menu, under the Main Menu tree of Mitigation, is used to manage (add, remove,
start, or stop) blackhole mitigation actions. Blackhole mitigation announces the protected prefix via
BGP, with the next hop and community string bound to the selected blackhole policy, so that the
anomaly traffic is steered to a configured honeypot or blackhole device and the network resources
are protected. Besides configuring the blackhole mitigation action, users also need to have the Zebra
daemon running on the GenieATM Controller via the CLI (use the config bgpd command to enter
bgpd mode for running the Zebra daemon). Note that the announcement redirects all traffic destined
to the prefix, not only the attack traffic, so keep the prefix as specific as possible and rely on the
Time Out to withdraw it.
Click on the Blackhole menu to enter the Blackhole Mitigation management window (See Figure
6.1-1). The information displayed in the Blackhole Mitigation view list includes No., ID, Name,
Anomaly ID/Resource Name, Protected Prefix, BGP Next Hop/Community String, Start Time/End
Time, Time Out, Status, Action, and Issued By. The following sections introduce how to add,
stop, delete, and view a blackhole mitigation action. Besides, at the top of the report table there is a
search function that lists the records by Ongoing, Stop, or All status. After selecting the
status, users have to click on the Go button to list the records.
Figure 6.1-1 Mitigation / Blackhole - Blackhole Mitigation Action Management Window
Figure 6.1-2 Mitigation / Blackhole - Add Blackhole Mitigation Action Window
1. Enter the blackhole mitigation action information required in all fields (the asterisk (*)
indicates a mandatory field):
Method: select the method from the drop-down list.
Name: give a name for this action. The number of characters must be between 2 and 64. All
characters are accepted except spaces and special characters (!@#$%^&<>?...).
Protected Prefix: input the prefixes that you want to protect in CIDR format. A prefix already
used by any Hardware or Blackhole mitigation action cannot be used again.
Note
If you are adding a blackhole mitigation action through the Anomaly Console Report, there
will be a drop-down list for you to select the desired protected prefix. After selecting the
prefix and clicking on the Protect button, the selected prefix is copied to the Protected
Prefix field.
Blackhole Policy: select the policy from the drop-down list.
Note
Users with administrator authority can define the blackhole policies in the
System Admin/Mitigation/Blackhole function.
Time Out: input a time value in this field. The configured blackhole mitigation action stops
automatically when the time configured here expires. The available range is from 5 to
1440 (minutes) and the factory default value is 120 minutes.
BGP Next Hop: read-only; the value is bound to the selected blackhole policy.
Community: read-only; the value is bound to the selected blackhole policy.
Router: read-only; the value is bound to the selected blackhole policy.
Protected Zone: read-only; the value is bound to the selected blackhole policy.
Figure 6.1-3 Mitigation / Blackhole - View Blackhole Mitigation Action Window
1. Click on an action ID/name to show the pop-up View Blackhole window.
When you move the cursor over an ID/name listed in the ID/Name column, the pointed
ID/name turns blue.
2. Click on the Close button to close the pop-up window.
6.2
Hardware Mitigation
The Hardware Mitigation menu, under the Main Menu tree of Mitigation, is used to manage (add,
remove, start, or stop) hardware mitigation actions, and also provides brief overall traffic statistics
and detailed attack traffic for each action. Hardware mitigation cooperates with a traffic-cleaning
device (such as Guard or Eudemon) to protect a specific IP address/prefix.
After clicking on the Hardware Mitigation menu displayed on the Sub Menu tree of Mitigation at the
left side of the screen, the Guard management window (the default window) is shown.
Users can see two sub-menu tabs, Guard and Eudemon, above the screen.
6.2.1
Guard
Click on the Hardware Mitigation menu to enter the Hardware Mitigation management window (See
Figure 6.2.1-1). The information displayed in the Guard view list includes No., ID, Name, Anomaly
ID/Resource Name, Protected IP/Prefix, bps/pps (In, Dropped, Passed), Start Time/End Time,
Status, Action, Issued By, and Report. Besides, at the top of the report table there is a search
function that lists the records by Ongoing, Stop, or All status. After selecting the
status, users have to click on the Go button to list the records. The following sections
introduce how to add, stop, delete, and view a hardware mitigation action, and how to read its
report.
Note
If the mitigation was added from the anomaly console report, users can click on the anomaly ID
to view the anomaly console report.
Figure 6.2.1-1 Mitigation / Hardware Mitigation / Hardware Mitigation: Guard Management Window
Figure 6.2.1-2 Mitigation / Hardware Mitigation - Add Guard Mitigation Action Window
1. Enter the Guard mitigation action information required in all fields (the asterisk (*) indicates
a mandatory field):
Method: select the method from the drop-down list.
Name: give a name for this action. The number of characters must be between 2 and 64. All
characters are accepted except spaces and special characters (!@#$%^&<>?...).
Protected Host: input the IP address that you want to protect. The IP address must be
within the selected Zone's IP range. If you leave this field blank, all the IP addresses of the
selected Zone are protected.
Note
If you are adding a hardware mitigation action through the Anomaly Console Report, there
will be a drop-down list for you to select the desired protected IP address. After
selecting the IP address and clicking on the Protect button, the selected IP address is
copied to the Protected IP Address field.
Time Out: provide the time-out for action expiration. You can set the time-out to
forever by clicking on the Forever radio button; the action is then not terminated until you
stop it manually through the Stop button of the Web UI or the CLI. Or you can input a time
value yourself; the configured hardware mitigation action stops automatically when the time
configured here expires. The available range is from 10 to 65535 (seconds). Prefer a finite
time-out: a forgotten Forever action keeps diverting the host's traffic through the cleaning device
long after the attack has ended.
Device: select a traffic-cleaning device from the Device drop-down list. All devices
configured in the System Admin / Mitigation / Device / Cisco Guard function are displayed here.
Zone: select a zone from the Zone drop-down list. The selections here depend on which
device is selected: once you select a device, all zones configured on that device are displayed
here. The text box displays all IP addresses configured in the selected zone. GenieATM polls the
Cisco Guard via SNMP every minute to get the latest zone information.
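The constraints listed for a Blackhole action (6.1) and for a Guard action (the fields above) are the kind an operator should enforce before anything touches BGP or the cleaning device. The following Python module is an added example of such a pre-flight check, not code from GenieATM or from this manual: the policy dictionary, the zone-containment check for Blackhole prefixes, the overlap warning, the device name and the function names are assumptions made for the example, and the name rule implements only the special characters the manual lists explicitly.

```python
import ipaddress
import re

# Name rule from the manual: 2-64 characters, no spaces and none of the listed special
# characters (the manual's list ends in "...", so the product may reject more than these).
NAME_RE = re.compile(r"^[^\s!@#$%^&<>?]{2,64}$")

# Constructed stand-in for a blackhole policy defined under System Admin / Mitigation / Blackhole;
# next hop, community, router and protected zone are bound to the policy, not typed per action.
POLICY = {"next_hop": "192.0.2.1", "community": "64496:666", "router": "edge1",
          "protected_zone": "203.0.113.0/24"}


def validate_name(name):
    if not NAME_RE.match(name):
        raise ValueError(f"invalid action name {name!r}: 2-64 chars, no spaces or !@#$%^&<>?")
    return name


def validate_timeout(value, lo, hi, forever_allowed=False):
    """Blackhole: 5-1440 minutes, always finite. Guard: 10-65535 seconds, or None for Forever."""
    if value is None:
        if forever_allowed:
            return None
        raise ValueError("a finite time-out is required")
    value = int(value)
    if not lo <= value <= hi:
        raise ValueError(f"time-out {value} outside the allowed range {lo}-{hi}")
    return value


def validate_unique_prefix(prefix, existing):
    """A prefix already protected by any Hardware or Blackhole action cannot be used again."""
    net = ipaddress.ip_network(prefix)          # strict: 203.0.113.1/26 is rejected as a typo
    if any(ipaddress.ip_network(o) == net for o in existing):
        raise ValueError(f"prefix {net} is already protected by another mitigation action")
    return net


def overlapping(prefix, existing):
    """Prefixes that overlap `prefix` without equalling it. The manual forbids only exact
    duplicates, so these are returned as warnings: two overlapping blackhole routes interact
    through longest-prefix match, which is rarely what the operator intended."""
    net = ipaddress.ip_network(prefix)
    others = [ipaddress.ip_network(o) for o in existing]
    return [str(o) for o in others if o != net and o.version == net.version
            and (net.subnet_of(o) or net.supernet_of(o))]


def new_blackhole_action(name, prefix, policy, timeout_min=120, existing_prefixes=()):
    """Validate a Blackhole mitigation action against the rules in section 6.1."""
    validate_name(name)
    net = validate_unique_prefix(prefix, existing_prefixes)
    zone = ipaddress.ip_network(policy["protected_zone"])
    # Added safety check (an assumption, not stated in the manual for Blackhole): never announce
    # a prefix outside the policy's Protected Zone, since the announcement drops all traffic to it.
    if net.version != zone.version or not net.subnet_of(zone):
        raise ValueError(f"{net} lies outside the policy's protected zone {zone}")
    return {"method": "blackhole", "name": name, "protected_prefix": str(net),
            "bgp_next_hop": policy["next_hop"], "community": policy["community"],
            "router": policy["router"], "protected_zone": str(zone),
            "timeout_min": validate_timeout(timeout_min, 5, 1440)}


def new_guard_action(name, zone_prefixes, protected_host=None, timeout_sec=None, device="guard-1"):
    """Validate a Guard (hardware) mitigation action. zone_prefixes are the IP ranges of the
    selected Zone as polled from the Guard; an empty protected_host protects the whole Zone."""
    validate_name(name)
    zones = [ipaddress.ip_network(z) for z in zone_prefixes]
    if protected_host:
        host = ipaddress.ip_address(protected_host)
        if not any(host in z for z in zones):
            raise ValueError(f"protected host {host} is not within the selected zone")
        protected = str(host)
    else:
        protected = "zone"
    return {"method": "guard", "name": name, "device": device, "protected": protected,
            "zone": [str(z) for z in zones],
            "timeout_sec": validate_timeout(timeout_sec, 10, 65535, forever_allowed=True)}


def rejects(fn, *args, **kwargs):
    """True if the action is refused with ValueError (exercises the checks above)."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False
```

The two constructors mirror the two forms: a Blackhole action always carries a finite time-out in minutes and inherits next hop, community, router and zone from the policy; a Guard action carries a time-out in seconds that may be Forever, and its protected host is checked against the zone ranges polled from the device.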
Traffic
Click on the Traffic sub-menu tab to enter the traffic report window (See Figure 6.2.1-3).
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located at the top of the screen and contains the action information and the condition
options below:
Name: the name of the hardware mitigation action.
Protected: the time at which the hardware mitigation action was started.
Unit: bps (bits per second) and pps (packets per second).
Time Period: daily and weekly. Two fixed time intervals are provided to present the analysis report,
with an end time specified from the Until drop-down list.
Until: year, month, date, and time. This drop-down list sets the end time of the report's time
interval. Users can specify the end date of the analysis report from either the year/month/date
drop-down lists or a year-month-date calendar table. After clicking on Until, the calendar table is
shown. Specify the year and month from the drop-down lists in the table, click on the date to
select it (the selected date is highlighted), and then click on the OK button, or click on the Cancel
button to close the table. Specify the time from the time drop-down list after finishing the
selections of year, month, and date.
Go: after setting the query conditions, click on this button to submit the query.
Cancel: click on this button to close the report window.
Report Chart
Stacked Chart. The X-axis represents time and is scaled according to the time interval selected
by users; the Y-axis represents traffic. In the chart, each stacked band represents one kind of
traffic and the bands are additive, that is, the outer edge of all stacked bands represents the total
traffic of all bands. (The colored legend objects indicate which traffic each band is.)
Report Table
Average: the average values during the selected time interval.
Current: the values of the last data point in the selected time interval.
Maximum: the maximum values during the selected time interval.
Users can use the Download Excel-XML button to download the tabular data of the table as an XML
file, which can be read by the Excel program.
Please refer to the Operation Procedure to Query Reports part in the Summary Report
section of Report / Internet for details.
Attack Report
Click on the Attack Report sub-menu tab to enter the attack report window (See Figure
6.2.1-4).
Action Information
This part is located at the top of the screen and presents the action information below:
Name: the name of the hardware mitigation action.
Protected: the time at which the hardware mitigation action was started.
Action Button
Get Report List : click on this button to retrieve the related attack reports from the traffic-cleaning
device.
Close : click on this button to close the report window.
Report Table
After users retrieve the attack reports via the Get Report List button, the retrieved
reports are displayed in this table. The information includes No., Report ID, Attack [Start;
Until; Duration], Peak, and Report.
6.2.2
Eudemon
Click on the Eudemon sub-menu to enter the Eudemon management window (See Figure 6.2.2-1).
The information displayed in the Eudemon view list includes No., ID, Name, Anomaly ID/Resource
Name, Protected IP Address, bps [Max Legitimate / Malicious], Start Time/End Time, Status, Action,
Issued By, and Report. Besides, at the top of the report table there is a search function that lists
the records by Ongoing, Stop, or All status. After selecting the status, users have
to click on the Go button to list the records. The following sections introduce how to add,
stop, and delete a mitigation action.
Max Speed Limit: this value defines the host's total traffic profile for the Eudemon 8000. The
value must be between 1 and 1024 (Mbps). It is provisioned to the Eudemon 8000
device as the tcp-max-speed/udp-max-speed/icmp-max-speed parameters of the CLI command
"firewall ddos-policy ip <victim ip addr> tcp-max-speed INTEGER<0-1024>".
Device: select a Eudemon device from the drop-down list. All devices configured in the
System Admin / Mitigation / Device / Eudemon function are displayed here.
Report
The Report menu provides system report presentation, including both pre-defined (built-in) and
rule-based reports. The system pre-defined reports are included in the Report main menu. When
users click on the unfolding mark of Report, all its sub menus will be unfolded, including Internet,
Neighbor, Backbone, Router, Interface, Sub-Network, Server, and Rule-based Report.
Note
The parameters specified for the report currently being viewed (such as network resource, Time
Range, Unit, Chart, etc.) are carried over to the other reports of the Report function when users
switch between them. However, the target report may not support some of these parameters, so
only the accepted parameters are applied to the report switched to.
7.1
Internet
The Internet menu provides various built-in reports for traffic analysis between the Internet and the
Home Network, provided that the Home Network area and the Internet boundary have been defined in
advance. GenieATM analyzes the collected flow data for the traffic through the interfaces of the
defined Internet boundary together with the BGP routing information, and then generates a variety of
Internet traffic analysis reports. There are three types of analysis reports for Internet traffic:
Summary Report, Breakdown Report, and Attribute Report. The following sections introduce how
to query the various Internet traffic reports.
When users click on the unfolding mark of Report / Internet, all its sub menus will be unfolded,
including Summary Report, Breakdown Report, and Attribute Report.
7.1.1
Summary Report
The summary report of the Internet traffic presents the traffic analysis between the Internet and the
Home Network in a macroscopic view. With the Internet summary report, users get a brief picture of
their Internet traffic. Click on the Summary Report sub menu of the Report / Internet menu to enter
the Summary Report window. The system displays the analysis reports for Internet traffic
according to the selected traffic unit, time interval, and traffic type.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located at the top of the screen and contains the condition options below:
Time Range: a flexible way to specify the time interval for displaying the report. There are two ways
to specify the time interval in the system: one is Time Range and the other is Period
(see the description below for details). When users choose this way, they specify the
start time and end time of the analysis report from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the other way to specify the report's
time interval. In this way, five fixed time intervals are provided to present the
analysis report, with an end time specified from the Until drop-down list. When users choose this
way, the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time. This drop-down list sets the start time of the report's
time interval. Users can specify the start date of the analysis report from either the
year/month/date drop-down lists or a year-month-date calendar table. After clicking on Start Time,
the calendar table is shown. Specify the year and month from the drop-down lists in the table,
click on the date to select it (the selected date is highlighted), and then click on the OK button,
or click on the Cancel button to close the table. Specify the time from the time drop-down list
after finishing the selections of year, month, and date. If users choose the Period way to specify
the report's time interval, this drop-down list is unavailable.
Until: year, month, date, and time. This drop-down list sets the end time of the report's time
interval. Please refer to the Start Time description above for operation.
Unit: bps (bits per second) and pps (packets per second).
Output: users can view the report on the web or download it in CSV format by selecting
Show on Web or Download Graph CSV from the drop-down list.
Submit : after setting the query conditions, click on this button to submit the query.
Report Chart
This report is presented as a line chart. The X-axis represents time and is scaled according to the
time interval selected by users; the Y-axis represents traffic. In the chart, each line represents
one kind of traffic and its data matches the data listed in the Report Table. (The colored objects
next to the check boxes indicate which traffic each line is.)
Report Table
For the Internet summary report, this table displays five kinds of traffic statistics:
Internet to Home: if the source IP address does not belong to the Home Network and the
destination IP address belongs to the Home Network, the flow is counted as Internet to Home
traffic.
Home to Internet: if the source IP address belongs to the Home Network and the destination IP
address does not belong to the Home Network, the flow is counted as Home to Internet traffic.
Internet to Internet: if neither the source nor the destination IP address belongs to the Home
Network, the flow is counted as Internet to Internet traffic, also called Transit traffic.
Into Home: the total traffic into Home, namely Internet to Home traffic plus Transit traffic.
Out of Home: the total traffic out of Home, namely Home to Internet traffic plus Transit traffic.
Average, current, and maximum values are displayed in the table. Checking the check box at the
front of a row draws that traffic in the Report Chart, so users can compare different types of
traffic clearly by unselecting the traffic they do not need and leaving those they want. An All check
box lets users select all check boxes at once. Click on the Submit button (in the Query Bar) to
refresh the screen for your selection. In addition, users can use the Download Excel-XML
button to download the tabular data of the table as an XML file, which can be read by the Excel
program.
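The five statistics above follow from two prefix-membership tests per flow. The following Python script is an added example, not part of GenieATM or of this manual: it classifies constructed flow records against a constructed Home Network definition and derives the Average, Current and Maximum values the Report Table shows, in bps, over two polling intervals. The 300-second interval, the record fields and the treatment of flows with both ends in Home (they match none of the three definitions, so they are left out) are assumptions made for the example.

```python
import ipaddress

# Constructed Home Network and flow records (not real data). Each inner list is one polling
# interval on the Internet-boundary interfaces; `bytes` is the byte count of the flow.
HOME_NETWORK = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8:1::/48")]

SAMPLE_INTERVALS = [
    [   # interval 1
        {"src": "198.51.100.10", "dst": "192.0.2.80",     "bytes": 6_000},   # Internet to Home
        {"src": "192.0.2.80",    "dst": "198.51.100.10",  "bytes": 40_000},  # Home to Internet
        {"src": "203.0.113.5",   "dst": "198.51.100.20",  "bytes": 25_000},  # Internet to Internet (transit)
        {"src": "2001:db8:1::10", "dst": "2001:db8:1::20", "bytes": 3_000}, # Home to Home: in none of the five
        {"src": "2001:db8:2::1", "dst": "2001:db8:1::10", "bytes": 1_000},   # Internet to Home (IPv6)
    ],
    [   # interval 2
        {"src": "198.51.100.10", "dst": "192.0.2.80",     "bytes": 12_000},
        {"src": "192.0.2.80",    "dst": "198.51.100.10",  "bytes": 20_000},
    ],
]

CATEGORIES = ("Internet to Home", "Home to Internet", "Internet to Internet",
              "Into Home", "Out of Home")


def is_home(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NETWORK)


def classify(flow):
    """The three base categories as the manual defines them; both ends in Home fits none."""
    s, d = is_home(flow["src"]), is_home(flow["dst"])
    if not s and d:
        return "Internet to Home"
    if s and not d:
        return "Home to Internet"
    if not s and not d:
        return "Internet to Internet"
    return "Home to Home"


def summarize_bytes(flows):
    """Bytes per category for one interval, including the two aggregates."""
    totals = dict.fromkeys(CATEGORIES, 0)
    for f in flows:
        cat = classify(f)
        if cat in totals:
            totals[cat] += f["bytes"]
    # transit traffic both enters and leaves Home, so it counts in both aggregates
    totals["Into Home"] = totals["Internet to Home"] + totals["Internet to Internet"]
    totals["Out of Home"] = totals["Home to Internet"] + totals["Internet to Internet"]
    return totals


def to_bps(byte_count, interval_sec):
    return byte_count * 8 / interval_sec


def report(intervals, interval_sec=300):
    """Average / Current (last interval) / Maximum in bps per category: the Report Table values."""
    if not intervals:
        raise ValueError("no intervals in the selected time range")
    series = {c: [] for c in CATEGORIES}
    for flows in intervals:
        totals = summarize_bytes(flows)
        for c in CATEGORIES:
            series[c].append(to_bps(totals[c], interval_sec))
    return {c: {"average": sum(v) / len(v), "current": v[-1], "maximum": max(v)}
            for c, v in series.items()}


def approx(a, b, tol=1e-6):
    """Float comparison helper for the bps values."""
    return abs(a - b) <= tol


if __name__ == "__main__":
    for category, values in report(SAMPLE_INTERVALS).items():
        print(f"{category:22} avg {values['average']:10.1f}  cur {values['current']:10.1f}"
              f"  max {values['maximum']:10.1f} bps")
```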
7.1.2
Breakdown Report
Unlike the macroscopic summary report, the breakdown report provides further analysis of
specific kinds of traffic. The breakdown report of the Internet traffic includes four types of
reports: Sub-Network, Origin ASN, Peer ASN, and Peering Analysis.
When users click on the unfolding mark of Breakdown Report under the Report / Internet
menu, all its sub menus will be unfolded, including Sub-Network, Origin ASN, Peer ASN, and
Peering Analysis.
7.1.2.1
Sub-Network
The Sub-Network traffic analysis of the Internet breakdown report provides information about the
Internet traffic into/out of each Sub-Network defined in the system. The traffic is collected
at each Sub-Network boundary. The Top N Report Table displays all sub-networks (N:
maximum = 300). Each row of the Report Table displays the ingress, egress, and sum traffic of one
Sub-Network. Click on the Sub-Network sub menu of Breakdown Report under the Report /
Internet menu to enter the Sub-Network Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located at the top of the screen and contains the condition options below:
Time Range: a flexible way to specify the time interval for displaying the report. There are two ways
to specify the time interval in the system: one is Time Range and the other is Period
(see the description below for details). When users choose this way, they specify the
start time and end time of the analysis report from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the other way to specify the report's
time interval. In this way, five fixed time intervals are provided to present the
analysis report, with an end time specified from the Until drop-down list. When users choose this
way, the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time. This drop-down list sets the start time of the report's
time interval. Users can specify the start date of the analysis report from either the
year/month/date drop-down lists or a year-month-date calendar table. After clicking on Start Time,
the calendar table is shown. Specify the year and month from the drop-down lists in the table,
click on the date to select it (the selected date is highlighted), and then click on the OK button,
or click on the Cancel button to close the table. Specify the time from the time drop-down list
after finishing the selections of year, month, and date. If users choose the Period way to specify
the report's time interval, this drop-down list is unavailable.
Until: year, month, date, and time. This drop-down list sets the end time of the report's time
interval. Please refer to the Start Time description above for operation.
Unit: bps (bits per second) and pps (packets per second).
Output: users can view the report on the web or download it in CSV format by selecting
Show on Web or Download Graph CSV from the drop-down list.
Chart: three types of report chart are provided: Stacked Chart, Bar Chart, and Pie
Chart. The default setting is the stacked chart.
Submit : after setting the query conditions, click on this button to submit the query.
Report Chart
Stacked Chart. The X-axis represents time and is scaled according to the time interval selected
by users; the Y-axis represents traffic. The data is divided into two parts by the X-axis: the upper
part represents the traffic into Home and the lower part represents the traffic out of Home. In the
chart, each stacked band represents one kind of traffic and the bands are additive, that is, the outer
edge of all stacked bands represents the total traffic of all bands. (The colored objects next to the
check boxes indicate which traffic each band is.)
Bar Chart. The bar chart is presented with horizontal bars; three differently colored bars
represent the Egress, Ingress, and Sum traffic statistics respectively.
Pie Chart. Three pie charts are presented to represent the Egress, Ingress, and Sum traffic
statistics respectively.
Report Table
This table displays the traffic analysis statistics of all sub-networks defined in the system.
There are three tabs at the top right corner of the table: Average, Current, and Maximum.
Average: the average values during the selected time interval.
Current: the values of the last data point in the selected time interval.
Maximum: the maximum values during the selected time interval.
Users can click on the tabs to view the detailed data of each. The blue tab is the one currently
displayed. Checking the check box at the front of a row draws that traffic in the Report Chart, so
users can compare different types of traffic clearly by unselecting the traffic they do not need and
leaving those they want. An All check box lets users select all check boxes at once. Click on the
Submit button (in the Query Bar) to refresh the screen for your selection. In addition, users can
use the Download Excel-XML button to download the tabular data of the table as an XML file,
which can be read by the Excel program. The downloaded file separates the Average, Current,
and Maximum tables into three different worksheets.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.1.2.2
Origin ASN
The Origin ASN traffic analysis of the Internet breakdown report provides information about the
Internet traffic originated by different ASes. Because the number of ASes is large, only the
top 128 ASNs are saved to the database. The top N (N: default = 25) ASNs are displayed, one per
row. Each row of the Report Table displays the ingress, egress, and sum traffic of one Origin ASN.
Click on the Origin ASN sub menu of Breakdown Report under the Report / Internet menu to enter
the Origin ASN Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report
of Report / Internet for details.
Except that the data listed in the Report Table is different, the other descriptions are all the same.
For Origin ASN reports, the Report Table displays the top N Origin ASNs.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.1.2.3
Peer ASN
The Peer ASN traffic analysis of the Internet breakdown report provides information about the
traffic between the Internet and Home Network through each Neighbor AS. Since the number of
Neighbor ASes will not exceed 100, at most the top 128 are displayed. Each row of the Report
Table shows the ingress, egress, and sum traffic for one Neighbor ASN. Click on the Peer ASN
sub menu of Breakdown Report under the Report / Internet menu to enter the Peer ASN Report
window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report
of Report / Internet for details.
Apart from the data listed in the Report Table, the descriptions are the same. For Peer ASN
reports, the Report Table displays the top N Peer ASNs.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.1.2.4
Peering Analysis
The Peering traffic analysis of the Internet breakdown report shows the peering traffic of the top
128 ASNs into and out of Home Network. The Neighbor ASes will usually appear in this list
because they are the major transit providers of Home Network. If a Neighbor AS (one defined in
the system) appears in the Neighbor column of the Report Table, the row describes traffic
between that Neighbor and Home Network; if the Neighbor column is empty, the row describes
traffic between an AS that is not a Neighbor AS and Home Network.
Each row of the Report Table shows ingress (Thru, From), egress (Thru, To), and sum traffic for
one AS. In the Into Home columns, Thru (Through) means the traffic reached Home through the
AS, and From means the traffic originated at the AS. Conversely, in the Out of Home columns,
Thru (Through) means the traffic left Home through the AS on its way to other ASes, and To
means the traffic was sent from Home to the AS.
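The following is an added example, not GenieATM code and not part of the original manual, showing how the Thru/From/To columns described above can be derived from flow records that carry the BGP AS path. The Neighbor AS list, the sample flows, and the direction labels "in"/"out" are assumptions of the example.

```python
"""Added example, not GenieATM code: how the Peering Analysis columns
can be derived from flow records.

Each constructed flow carries its direction relative to Home Network and
the BGP AS path as the Home border router learned it: the first ASN is
the AS the traffic crosses at the boundary, the last ASN is the far
endpoint (the origin of Into Home traffic, the destination of Out of Home
traffic). Every AS on the path is credited with the flow's bytes, either
as Thru (the AS forwarded it) or as From/To (the AS was the endpoint).
The Neighbor column is filled only for ASNs configured as Neighbor ASes,
which is an assumed configuration here.
"""
from collections import defaultdict

# Assumed: Neighbor ASes defined in the system.
NEIGHBOR_ASES = {64500, 64501}

# Constructed sample flows: (direction, as_path seen from Home, bytes).
FLOWS = [
    ("in",  [64500, 65010, 65020], 6_000),  # origin 65020, transits 65010 and 64500
    ("in",  [64500], 2_000),                # Neighbor 64500 is itself the origin
    ("out", [64501, 65030], 3_000),         # Home -> 65030 through Neighbor 64501
    ("in",  [65099, 65020], 1_000),         # first hop is not a configured Neighbor
]

def new_row():
    return {"neighbor": None,
            "in": {"Thru": 0, "From": 0},   # Into Home columns
            "out": {"Thru": 0, "To": 0}}    # Out of Home columns

def peering_analysis(flows, neighbor_ases):
    """Return {asn: row} with Thru/From/To bytes per AS, per direction."""
    table = defaultdict(new_row)
    for direction, path, nbytes in flows:
        if not path:
            continue                        # no BGP path: nothing to attribute
        endpoint = path[-1]
        for asn in set(path):               # set(): a prepended ASN is credited once
            row = table[asn]
            if asn in neighbor_ases:
                row["neighbor"] = asn       # Neighbor column: this AS is a defined Neighbor
            if direction == "in":
                row["in"]["From" if asn == endpoint else "Thru"] += nbytes
            else:
                row["out"]["To" if asn == endpoint else "Thru"] += nbytes
    return dict(table)

def row_sum(row):
    return sum(row["in"].values()) + sum(row["out"].values())

def top_n(table, n=25):
    """ASNs ordered by Sum (ingress + egress), largest first, like the Report Table."""
    return sorted(table, key=lambda asn: row_sum(table[asn]), reverse=True)[:n]

if __name__ == "__main__":
    table = peering_analysis(FLOWS, NEIGHBOR_ASES)
    for asn in top_n(table):
        r = table[asn]
        print(asn, r["neighbor"], r["in"], r["out"], row_sum(r))
```

Note that a transit Neighbor such as 64500 collects both Thru bytes (traffic it forwards for 65020) and From bytes (traffic it originates), which is why the Neighbor ASes tend to dominate this table.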
Click on the Peering Analysis sub menu of Breakdown Report under the Report / Internet
menu to enter the Peering Analysis Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report
of Report / Internet for details.
Apart from the data listed in the Report Table, and the fact that Bar and Pie Charts are not
supported, the descriptions are the same. For Peering Analysis reports, the Report Table displays
the top N peering analyses (each relative to a Neighbor AS or an Origin AS).
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.1.2.5
AS Path Length
The AS Path Length traffic analysis of the Internet breakdown report provides information about
the ingress/egress (Into Home/Out of Home) traffic from a specific AS, aggregated according to
the BGP AS path length. Path lengths longer than 30 are ignored. Each row of the Report Table
shows the ingress, egress, and sum traffic for one AS path length.
This report can help users understand the routing efficiency of their networks and review their
routing policies.
Click on the AS Path Length sub menu of Breakdown Report under the Report / Internet
menu to enter the AS Path Length Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Detail section of Summary Report of Report /
Internet for details.
Apart from the data listed in the Report Table, the descriptions are the same. For AS Path Length
reports, the Report Table displays the traffic aggregated by the length of the AS path the traffic
passed through in the Internet.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.1.3
Attribute Report
The attribute report provides analysis of some common traffic attributes. With these reports,
users can see how their network resources are actually being used. The attribute report of the
Internet traffic has five kinds: Application, Protocol, Protocol+Port, TOS, and Packet Size.
When users click on the unfolding mark of Attribute Report under the Report / Internet menu,
all its sub menus will be unfolded including Application, Protocol, Protocol+Port, TOS, and
Packet Size.
7.1.3.1
Application
The Application traffic analysis of the Internet attribute report provides information about the
ingress/egress (Into Home/Out of Home) traffic aggregated according to user-defined application
groups, matched on source and destination ports separately for each traffic direction. Up to the
top 128 applications are saved to the database. The top N (N: default = 25) applications are
displayed, one per row.
In this report, users obtain not only the traffic Into Home and Out of Home for each application
but also the split between the Request side and the Response side. For example, when a client
issues a request to a server, the traffic is Request traffic; when the server replies to the client,
the traffic is Response traffic. (The server is the Response side and the client is the Request
side.) A Service drop-down list lets users select the traffic direction. There are two selectable
items, Inside and Outside. Inside means the server is inside the entity (Home Network,
Sub-Network) and represents the Request data of Ingress traffic or the Response data of Egress
traffic. Outside means the server is outside the entity and represents the Response data of
Ingress traffic or the Request data of Egress traffic.
Click on the Application sub menu of Attribute Report under the Report / Internet menu to
enter the Application Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located on the top of the screen and contains condition options below:
Time Range: a flexible way to specify the time interval of the report. The system provides two
ways to specify the time interval: Time Range and Period (see below). With Time Range, specify
the start and end time of the report from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the other way to specify the report's
time interval: five fixed intervals are provided, ending at the time selected in the Until
drop-down list. With Period, the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time. This drop-down list sets the start of the report's time
interval. Users can specify the start date either from the year/month/date drop-down lists or from
the year-month-date calendar (time table). After clicking on Start Time, the time table is shown:
choose the year and month from its drop-down lists, click on the date (the selected date is
highlighted), and then click on the OK button, or click on the Cancel button to close the time
table. Then specify the time from the time drop-down list. If users choose Period, this drop-down
list is unavailable.
Until: year, month, date, and time. This drop-down list sets the end of the report's time interval;
operate it as described for Start Time above.
Unit: bps (bits per second) or pps (packets per second).
Output: users can view the report on the web or download it in CSV format by selecting Show on
Web or Download Graph CSV from the drop-down list.
Chart: three types of report chart are provided: Stacked Chart, Bar Chart, and Pie Chart. The
default is Stacked Chart. Both
Service: once Bar Chart or Pie Chart is selected, the Service drop-down list is shown for users to
select the service traffic direction. There are two traffic directions: Inside and Outside.
Submit: after setting the query conditions, click on this button to submit the query.
Report Chart
Stacked Chart. The X-axis represents time, scaled to the time interval selected by users; the
Y-axis represents traffic volume. The X-axis divides the data into two parts: the upper part is
traffic Into Home and the lower part is traffic Out of Home. Each stacked band represents one
kind of traffic, and bands are additive, so the outer edge of all stacked bands is the total traffic
of all bands. (The colored markers next to the check boxes indicate which application each band is.)
Bar Chart. Horizontal bars in three colors separately represent Ingress, Egress, and Sum traffic.
Pie Chart. Three pie charts separately represent Ingress, Egress, and Sum traffic.
Report Table
This table displays the top N applications. There are three tabs at the top right corner of the
table: Average, Current, and Maximum.
Average: the average values during the selected time interval.
Current: the values of the last sample in the selected time interval.
Maximum: the maximum values during the selected time interval.
Click a tab to view its data; the blue tab is the one currently displayed. Selecting the check box
at the front of a row draws that traffic in the Report Chart, so users can compare different types
of traffic clearly by clearing the ones they do not want and leaving those they do. An All check
box selects all check boxes at once. Click the Submit button (in the Query Bar) to refresh the
screen with your selection. In addition, the Download Excel-XML button downloads the table data
as an XML file that can be opened in Excel; the downloaded file puts the Average, Current, and
Maximum tables into three separate worksheets.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.1.3.2
Protocol
The Protocol traffic analysis of the Internet attribute report provides information about the
ingress/egress (Into Home/Out of Home) traffic aggregated according to the IP protocol (e.g.
TCP/6, UDP/17, ICMP/1, ...). In total, the top 128 protocols are stored in the database and the top
N (N: default = 25) are displayed in the report. Each row of the Report Table shows the Into
Home/Out of Home traffic for one protocol, and the value in the Sum column is the total of the
Into Home and Out of Home traffic.
Click on the Protocol sub menu of Attribute Report under the Report / Internet menu to enter
the Protocol Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report
of Report / Internet for details.
Apart from the data listed in the Report Table, the descriptions are the same. For Protocol
reports, the Report Table displays the top N protocols.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.1.3.3
Protocol+Port
The Protocol+Port traffic analysis of the Internet attribute report provides information about the
ingress/egress (Into Home/Out of Home) traffic aggregated according to protocol plus port
number (service) for TCP and UDP (for ICMP, the traffic is aggregated according to the ICMP type
and code). Each row of the Report Table shows the Into Home/Out of Home traffic for one
protocol+port (service), and the value in the Sum column is the total of the Into Home and Out of
Home traffic. The top 128 are stored in the database and the top N (N: default = 25) are
displayed in the report.
In this report, users obtain not only the traffic Into Home and Out of Home for each service
(protocol+port), but also the split between the Request side and the Response side. For
example, when a client issues a request to a server, the traffic is Request traffic; when the server
replies to the client, the traffic is Response traffic. (The server is the Response side and the
client is the Request side.) A Service drop-down list lets users select the traffic direction. There
are two selectable items, Inside and Outside. Inside means the server is inside the entity (Home
Network, Sub-Network) and represents the Request data of Ingress traffic or the Response data
of Egress traffic. Outside means the server is outside the entity and represents the Response
data of Ingress traffic or the Request data of Egress traffic.
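The following is an added example, not GenieATM code and not part of the original manual, that serves both this Protocol+Port report and the Application report above (section 7.1.3.1). It builds the protocol+port (or ICMP type/code) key, folds ports into application groups, and applies the Inside/Outside definition to each flow. The port-to-application mapping, the sample flows, and the rule used to decide which port is the server port are assumptions of the example.

```python
"""Added example, not GenieATM code: aggregation keys and the Service
(Inside/Outside) split used by the Protocol+Port and Application reports.

Constructed flow records carry the IP protocol, TCP/UDP ports or ICMP
type/code, the direction relative to the entity (Home Network or a
Sub-Network) and the byte count. Two assumptions are made that the text
does not state: which port is the server port (the port belonging to a
known service, else the lower-numbered port) and the port-to-application
mapping (APP_GROUPS). Inside/Outside follows the definition in the text:
Inside = Request of Ingress or Response of Egress (the server is inside
the entity); Outside = Response of Ingress or Request of Egress.
"""
from collections import defaultdict

# Assumed user-defined application groups: server port -> group name.
APP_GROUPS = {80: "Web", 443: "Web", 53: "DNS", 25: "Mail"}
KNOWN_SERVICE_PORTS = set(APP_GROUPS)

# Constructed flows. dir: "ingress" = Into the entity, "egress" = Out of it.
FLOWS = [
    {"proto": 6,  "sport": 51000, "dport": 443,   "dir": "ingress", "bytes": 1_000},  # outside client -> inside web server (Request)
    {"proto": 6,  "sport": 443,   "dport": 51000, "dir": "egress",  "bytes": 9_000},  # that server's reply (Response)
    {"proto": 17, "sport": 40000, "dport": 53,    "dir": "egress",  "bytes": 100},    # inside client -> outside DNS server (Request)
    {"proto": 17, "sport": 53,    "dport": 40000, "dir": "ingress", "bytes": 300},    # DNS server's reply (Response)
    {"proto": 1,  "type": 8,      "code": 0,      "dir": "ingress", "bytes": 84},     # ICMP echo request into the entity
]

def server_port(flow):
    """Assumed heuristic: the known-service port is the server side; otherwise the lower port."""
    s, d = flow["sport"], flow["dport"]
    if s in KNOWN_SERVICE_PORTS and d not in KNOWN_SERVICE_PORTS:
        return s
    if d in KNOWN_SERVICE_PORTS and s not in KNOWN_SERVICE_PORTS:
        return d
    return min(s, d)

def service_key(flow):
    """Protocol+Port key: proto/port for TCP and UDP, icmp/type.code for ICMP."""
    if flow["proto"] == 1:
        return f"icmp/{flow['type']}.{flow['code']}"
    name = {6: "tcp", 17: "udp"}.get(flow["proto"], str(flow["proto"]))
    return f"{name}/{server_port(flow)}"

def application_key(flow):
    """Application key: the group of the server port; None when no group matches."""
    if flow["proto"] == 1:
        return None                      # ICMP has no port to map to an application
    return APP_GROUPS.get(server_port(flow))

def service_side(flow):
    """Inside or Outside as the Service drop-down defines it; None for ICMP."""
    if flow["proto"] == 1:
        return None
    is_request = flow["dport"] == server_port(flow)   # packet travels toward the server
    if flow["dir"] == "ingress":
        return "Inside" if is_request else "Outside"  # request to inside server / response from outside server
    return "Outside" if is_request else "Inside"      # request to outside server / response from inside server

def aggregate(flows, key_fn):
    """Sum bytes per key, split by direction (Into/Out of the entity) and by Service side."""
    table = defaultdict(lambda: {"ingress": 0, "egress": 0, "Inside": 0, "Outside": 0})
    for flow in flows:
        key = key_fn(flow)
        if key is None:
            continue                     # flow does not belong to any row of this report
        row = table[key]
        row[flow["dir"]] += flow["bytes"]
        side = service_side(flow)
        if side is not None:
            row[side] += flow["bytes"]
    return dict(table)

if __name__ == "__main__":
    for name, key_fn in (("Protocol+Port", service_key), ("Application", application_key)):
        print(name)
        for key, row in sorted(aggregate(FLOWS, key_fn).items()):
            print(" ", key, row)
```

The web flows land entirely under Inside (the server is inside the entity, whichever direction the packets travel), while the DNS flows land entirely under Outside, which is what makes the Service selector useful for telling hosted services apart from services consumed by inside clients.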
Click on the Protocol+Port sub menu of Attribute Report under the Report / Internet menu to
enter the Protocol+Port Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Application section of Attribute Report of
Report / Internet for details.
Apart from the data listed in the Report Table, the descriptions are the same. For Protocol+Port
reports, the Report Table displays the top N protocol+port combinations (services).
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.1.3.4
TOS
The TOS traffic analysis of the Internet attribute report provides information about the
ingress/egress (Into Home/Out of Home) traffic aggregated according to the 256 possible TOS
values. Each row of the Report Table shows the Into Home/Out of Home traffic for one TOS value,
and the value in the Sum column is the total of the Into Home and Out of Home traffic. In total,
the top 128 TOS values are stored in the database and the top N (N: default = 25) are displayed
in the report.
Click on the TOS sub menu of Attribute Report under the Report / Internet menu to enter the
TOS Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report
of Report / Internet for details.
Apart from the data listed in the Report Table, the descriptions are the same. For TOS reports,
the Report Table displays the top N TOS values.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.1.3.5
Packet Size
The Packet Size traffic analysis of the Internet attribute report provides information about the
ingress/egress (Into Home/Out of Home) traffic aggregated according to packet size. The packet
size is calculated by dividing the byte count by the number of packets. The packet size segments
are: <32, 32-64, 64-96, 96-128, 128-160, 160-192, 192-224, 224-256, 256-320, 320-384,
384-448, 448-512, 512-768, 768-1024, 1024-1536, and >1536.
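The following is an added example, not GenieATM code and not part of the original manual, showing how flow records are assigned to the segments listed above. The boundary rule (lower bound inclusive), the sample flows, and the handling of records with zero packets are assumptions of the example.

```python
"""Added example, not GenieATM code: assigning flows to the Packet Size
report's segments.

Each constructed flow record carries direction, byte count and packet
count. The average packet size is bytes divided by packets, as the report
defines it, and is assigned to one of the sixteen segments listed in the
text. The boundary rule is an assumption, since the text does not state
one: a segment "a-b" covers a <= size < b, so an average of exactly 64
lands in 64-96, and 1536 and above land in ">1536". Records with zero
packets have no average and are counted as skipped instead of causing a
division by zero.
"""

# Segment boundaries from the report, in order.
BOUNDS = [32, 64, 96, 128, 160, 192, 224, 256, 320, 384, 448, 512, 768, 1024, 1536]

def segment_labels():
    """Build the sixteen labels: <32, 32-64, ..., 1024-1536, >1536."""
    labels = ["<32"]
    labels += [f"{lo}-{hi}" for lo, hi in zip(BOUNDS, BOUNDS[1:])]
    labels.append(">1536")
    return labels

SEGMENTS = segment_labels()

def segment_for(avg_size):
    """Map an average packet size in bytes to its segment label (lower bound inclusive)."""
    for i, upper in enumerate(BOUNDS):
        if avg_size < upper:
            return SEGMENTS[i]
    return SEGMENTS[-1]

def aggregate_packet_size(flows):
    """Return ({segment: {"in": bytes, "out": bytes}}, number of records skipped).

    flows: (direction, bytes, packets) with direction "in" (Into Home) or "out".
    """
    table = {seg: {"in": 0, "out": 0} for seg in SEGMENTS}
    skipped = 0
    for direction, nbytes, npackets in flows:
        if npackets <= 0:
            skipped += 1                  # no packets: no average size to bucket
            continue
        table[segment_for(nbytes / npackets)][direction] += nbytes
    return table, skipped

# Constructed flows: (direction, bytes, packets).
FLOWS = [
    ("in",  64_000,    1_000),   # 64 B average: small packets such as TCP SYNs
    ("in",  1_500_000, 1_000),   # 1500 B average: bulk transfer at Ethernet MTU
    ("out", 10_000,    400),     # 25 B average: <32
    ("out", 153_600,   100),     # exactly 1536: >1536 under the assumed rule
    ("in",  500,       0),       # zero packets: skipped
]

if __name__ == "__main__":
    table, skipped = aggregate_packet_size(FLOWS)
    for seg in SEGMENTS:
        if table[seg]["in"] or table[seg]["out"]:
            print(seg, table[seg])
    print("skipped records:", skipped)
```

A sudden shift of Into Home bytes toward the smallest segments is one of the signals this report makes visible, since floods of minimal-size packets look very different from bulk transfers at the MTU.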
Click on the Packet Size sub menu of Attribute Report under the Report / Internet menu to
enter the Packet Size Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report
of Report / Internet for details.
Apart from the data listed in the Report Table, the descriptions are the same. For Packet Size
reports, the Report Table displays all packet size segments.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.2
Neighbor
The Neighbor menu provides various built-in reports for traffic analysis between Neighbor ASes
and Home Network, provided that the Home Network area, the Internet boundary, and the Neighbor
ASes have been defined in advance. Since the border routers in the Home AS connect to Neighbor
ASes via their external interfaces, the Neighbor boundary is the same as the Internet boundary.
The GenieATM Collector receives flow data from the border routers, analyzes it, and reports the
results for the Neighbor AS list when the BGP module is enabled. There are three types of
analysis reports for Neighbor traffic: Summary Report, Breakdown Report, and Attribute Report.
The following sections describe how to query the various Neighbor traffic reports.
When users click on the unfolding mark of Report / Neighbor, all its sub menus are unfolded,
including Summary Report, Breakdown Report, and Attribute Report.
7.2.1
Summary Report
The summary report of the Neighbor traffic presents the traffic analysis between the Neighbor
ASes and Home Network in a macroscopic view. With the Neighbor summary report, users can
quickly see not only the total traffic of each Neighbor AS into/out of Home Network but also the
detailed traffic analysis for each Neighbor AS. When users click on the Summary Report sub
menu of Report / Neighbor, two sub menus are shown: Compare and Detail.
7.2.1.1
Compare
The Compare traffic analysis of the Neighbor summary report provides the ingress/egress (Into
Home/Out of Home) traffic of each Neighbor AS so that users can compare each Neighbor's share
against the total. The Top N Report Table displays all Neighbor ASes (N: maximum = 128).
Click on the Compare sub menu of Summary Report under the Report / Neighbor menu to
enter the Compare Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located on the top of the screen and contains condition options below:
Neighbor Group: All Neighbors (default) and the defined Neighbor groups (all Neighbor groups
defined in the Group menu of System Admin / Network / Preferences are shown here. If you
select one specific group, the Report Table only displays the traffic analyses for the Neighbor
ASes configured in that group; otherwise it displays all Neighbor ASes configured in the
system.)
Time Range: a flexible way to specify the time interval of the report. The system provides two
ways to specify the time interval: Time Range and Period (see below). With Time Range, specify
the start and end time of the report from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the other way to specify the report's
time interval: five fixed intervals are provided, ending at the time selected in the Until
drop-down list. With Period, the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time. This drop-down list sets the start of the report's time
interval. Users can specify the start date either from the year/month/date drop-down lists or from
the year-month-date calendar (time table). After clicking on Start Time, the time table is shown:
choose the year and month from its drop-down lists, click on the date (the selected date is
highlighted), and then click on the OK button, or click on the Cancel button to close the time
table. Then specify the time from the time drop-down list. If users choose Period, this drop-down
list is unavailable.
Until: year, month, date, and time. This drop-down list sets the end of the report's time interval;
operate it as described for Start Time above.
Unit: bps (bits per second) or pps (packets per second).
Output: users can view the report on the web or download it in CSV format by selecting Show on
Web or Download Graph CSV from the drop-down list.
Chart: three types of report chart are provided: Stacked Chart, Bar Chart, and Pie Chart. The
default is Stacked Chart.
Submit: after setting the query conditions, click on this button to submit the query.
Report Chart
Stacked Chart. The X-axis represents time, scaled to the time interval selected by users; the
Y-axis represents traffic volume. The X-axis divides the data into two parts: the upper part is
traffic Into Home and the lower part is traffic Out of Home. Each stacked band represents one
kind of traffic, and bands are additive, so the outer edge of all stacked bands is the total traffic
of all bands. (The colored markers next to the check boxes indicate which Neighbor each band is.)
Bar Chart. Horizontal bars in three colors separately represent Egress, Ingress, and Sum traffic.
Pie Chart. Three pie charts separately represent Egress, Ingress, and Sum traffic.
Report Table
This table displays the traffic statistics for all Neighbor ASes configured in the system, or only
for those in the group selected in the Neighbor Group drop-down list (in the Query Bar). There
are three tabs at the top right corner of the table: Average, Current, and Maximum.
Average: the average values during the selected time interval.
Current: the values of the last sample in the selected time interval.
Maximum: the maximum values during the selected time interval.
Click a tab to view its data; the blue tab is the one currently displayed. Selecting the check box
at the front of a row draws that traffic in the Report Chart, so users can compare different types
of traffic clearly by clearing the ones they do not want and leaving those they do. An All check
box selects all check boxes at once. Click the Submit button (in the Query Bar) to refresh the
screen with your selection. In addition, the Download Excel-XML button downloads the table data
as an XML file that can be opened in Excel; the downloaded file puts the Average, Current, and
Maximum tables into three separate worksheets.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.2.1.2
Detail
The Detail traffic analysis of Neighbor summary report provides the information about the
ingress/egress (Into Home/Out of Home) traffic aggregated according to different traffic types
(Neighbor Transit, Local Transit, Peering, Both Transit, and Unknown) for a specific Neighbor
AS.
Click on the Detail sub menu of Summary Report under the Report / Neighbor menu to enter
the Detail Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located on the top of the screen and contains condition options below:
Neighbor Group: All Neighbors (default) and the defined Neighbor groups (all Neighbor groups
defined in the Group menu of System Admin / Network / Preferences are shown here. If you
select one specific group, the Report Table only displays the traffic analyses for the Neighbor
ASes configured in that group; otherwise it displays all Neighbor ASes configured in the
system.)
Neighbor: every Neighbor AS configured in the selected Neighbor group (the list changes
according to the group selected in the Neighbor Group drop-down list).
Time Range: a flexible way to specify the time interval of the report. The system provides two
ways to specify the time interval: Time Range and Period (see below). With Time Range, specify
the start and end time of the report from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the other way to specify the report's
time interval: five fixed intervals are provided, ending at the time selected in the Until
drop-down list. With Period, the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time. This drop-down list sets the start of the report's time
interval. Users can specify the start date either from the year/month/date drop-down lists or from
the year-month-date calendar (time table). After clicking on Start Time, the time table is shown:
choose the year and month from its drop-down lists, click on the date (the selected date is
highlighted), and then click on the OK button, or click on the Cancel button to close the time
table. Then specify the time from the time drop-down list. If users choose Period, this drop-down
list is unavailable.
Until: year, month, date, and time. This drop-down list sets the end of the report's time interval;
operate it as described for Start Time above.
Unit: bps (bits per second) or pps (packets per second).
Output: users can view the report on the web or download it in CSV format by selecting Show on
Web or Download Graph CSV from the drop-down list.
Chart: three types of report chart are provided: Stacked Chart, Bar Chart, and Pie Chart. The
default is Stacked Chart.
Submit: after setting the query conditions, click on this button to submit the query.
Report Chart
Stacked Chart. The X-axis represents time, scaled to the time interval selected by users; the
Y-axis represents traffic volume. The X-axis divides the data into two parts: the upper part is
traffic Into Home and the lower part is traffic Out of Home. Each stacked band represents one
kind of traffic, and bands are additive, so the outer edge of all stacked bands is the total traffic
of all bands. (The colored markers next to the check boxes indicate which traffic type each band is.)
Bar Chart. Horizontal bars in three colors separately represent Egress, Ingress, and Sum traffic.
Pie Chart. Three pie charts separately represent Egress, Ingress, and Sum traffic.
Report Table
For the Detail traffic analysis of the Neighbor summary report, this table displays five types of
traffic statistics for the selected Neighbor AS.
Neighbor Transit: all traffic that is transited by (passes through) the Neighbor AS.
Local Transit: all traffic that originates from the Neighbor AS and is transited by Home Network
to another AS.
Peering: all traffic that originates from the Neighbor AS and is delivered to Home Network.
Both Transit: all traffic that is transited by both the Neighbor AS and Home Network.
Unknown: traffic that does not match any of the four types above.
2009 Genie Network Resource Management Inc. All Rights Reserved.
There are three tabs at the top right corner of the table: Average, Current, and Maximum.
Average: the average values during the selected time interval.
Current: the values of the last sample in the selected time interval.
Maximum: the maximum values during the selected time interval.
Click a tab to view its data; the blue tab is the one currently displayed. Selecting the check box
at the front of a row draws that traffic in the Report Chart, so users can compare different types
of traffic clearly by clearing the ones they do not want and leaving those they do. An All check
box selects all check boxes at once. Click the Submit button (in the Query Bar) to refresh the
screen with your selection. In addition, the Download Excel-XML button downloads the table data
as an XML file that can be opened in Excel; the downloaded file puts the Average, Current, and
Maximum tables into three separate worksheets.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
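The following is an added example, not GenieATM code and not part of the original manual, showing how the five traffic types of the Detail report (Neighbor Transit, Local Transit, Peering, Both Transit, Unknown) can be decided per flow from two facts: whether the Neighbor AS is the far endpoint of the traffic and whether Home Network is the near endpoint. The Home Network prefixes, the sample flows, and the symmetric treatment of egress traffic are assumptions of the example.

```python
"""Added example, not GenieATM code: classifying flows seen through one
Neighbor AS into the five Neighbor Detail traffic types.

A constructed flow is classified from two facts: whether the Neighbor is
the far endpoint (it originates ingress traffic or is the destination of
egress traffic, i.e. the BGP AS path beyond Home contains only the
Neighbor) and whether Home Network is the near endpoint (the inside
address belongs to Home's own prefixes rather than to a customer AS that
Home transits for). The manual states the types for ingress traffic;
applying them symmetrically to egress is an assumption of this example.
"""
import ipaddress

# Assumed Home Network prefixes; an inside address outside them belongs
# to a downstream AS that Home Network transits for.
HOME_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

TYPES = ["Neighbor Transit", "Local Transit", "Peering", "Both Transit", "Unknown"]

def home_is_endpoint(inside_addr):
    ip = ipaddress.ip_address(inside_addr)
    return any(ip in net for net in HOME_PREFIXES)

def classify(neighbor_asn, as_path, inside_addr):
    """as_path: ASNs beyond Home; the first one is the Neighbor the flow crosses.

    Returns one of TYPES.
    """
    if not as_path or as_path[0] != neighbor_asn:
        return "Unknown"            # no usable BGP path, or not via this Neighbor
    neighbor_is_endpoint = all(asn == neighbor_asn for asn in as_path)  # prepends allowed
    home_end = home_is_endpoint(inside_addr)
    if neighbor_is_endpoint and home_end:
        return "Peering"            # Neighbor <-> Home directly
    if not neighbor_is_endpoint and home_end:
        return "Neighbor Transit"   # Neighbor forwards another AS's traffic to/from Home
    if neighbor_is_endpoint and not home_end:
        return "Local Transit"      # Home forwards the Neighbor's traffic to/from a customer AS
    return "Both Transit"           # both sides are transit

def detail_report(neighbor_asn, flows):
    """Sum bytes per type and direction for one Neighbor.

    flows: (direction "in"/"out", as_path, inside address, bytes).
    """
    table = {t: {"in": 0, "out": 0} for t in TYPES}
    for direction, path, inside_ip, nbytes in flows:
        table[classify(neighbor_asn, path, inside_ip)][direction] += nbytes
    return table

# Constructed flows seen through Neighbor 64500.
FLOWS = [
    ("in",  [64500],        "203.0.113.10", 1_000),  # Peering
    ("in",  [64500, 65020], "203.0.113.10", 2_000),  # Neighbor Transit
    ("out", [64500],        "198.51.100.7", 3_000),  # Local Transit (customer -> Neighbor)
    ("out", [64500, 65030], "198.51.100.7", 4_000),  # Both Transit
    ("in",  [],             "203.0.113.10", 5_000),  # Unknown: no BGP path
]

if __name__ == "__main__":
    for traffic_type, row in detail_report(64500, FLOWS).items():
        print(f"{traffic_type:17s} {row}")
```

The Unknown bucket is worth watching in practice: a large Unknown share usually means the Collector is not receiving usable BGP path information for that Neighbor's traffic, not that the traffic is unusual.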
7.2.2
Breakdown Report
Unlike the macroscopic summary report, the breakdown report provides further analysis of a
specific kind of traffic. The breakdown report of the Neighbor traffic analyzes the traffic between
one network entity (a Neighbor AS) and another (another Neighbor AS or a Sub-Network) and has
five kinds of reports: Sub-Network, Neighbor, AS Path Length, BGP Message, and Origin ASN.
When users click on the unfolding mark of Breakdown Report under the Report / Neighbor
menu, all its sub menus will be unfolded including Sub-Network, Neighbor, AS Path Length,
BGP Message, and Origin ASN.
7.2.2.1
Sub-Network
The Sub-Network traffic analysis of the Neighbor breakdown report provides traffic information
between the selected Neighbor AS and each Sub-Network defined in the system. The traffic
analyzed in this report is the same as in the Neighbor ASN traffic analysis of the Sub-Network
breakdown report, viewed from a different statistical perspective. The Top N Report Table
displays all sub-networks (N: maximum = 300). Each row of the Report Table shows the ingress,
egress, and sum traffic for one Sub-Network. Click on the Sub-Network sub menu of Breakdown
Report under the Report / Neighbor menu to enter the Sub-Network Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Detail section of Summary Report of Report /
Neighbor for details.
Apart from the data listed in the Report Table, the descriptions are the same. For Sub-Network
reports, the Report Table displays the traffic between the selected Neighbor AS and each
Sub-Network defined in the system.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.2.2.2
Neighbor
The Neighbor traffic analysis of the Neighbor breakdown report provides information about the
traffic through the selected Neighbor AS to/from each other Neighbor AS defined in the system.
The Top N Report Table displays all Neighbor ASes (N: maximum = 128). Each row of the Report
Table shows the ingress, egress, and sum traffic for one Neighbor AS. Click on the Neighbor sub
menu of Breakdown Report under the Report / Neighbor menu to enter the Neighbor Report
window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Detail section of Summary Report of Report /
Neighbor for details.
Apart from the data listed in the Report Table, the descriptions are the same. For Neighbor
reports, the Report Table displays the traffic between the selected Neighbor AS and each other
Neighbor AS defined in the system.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.2.2.3
AS Path Length
The AS Path Length traffic analysis of the Neighbor breakdown report provides information
about the ingress/egress (Into Home/Out of Home) traffic from a specific Neighbor AS,
aggregated according to the BGP AS path length. Path lengths longer than 30 are ignored. Each
row of the Report Table shows the ingress, egress, and sum traffic for one AS path length.
This report helps users understand the routing efficiency of their networks and review their
routing policies.
Click on the AS Path Length sub menu of Breakdown Report under the Report / Neighbor
menu to enter the AS Path Length Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Detail section of Summary Report of Report /
Neighbor for details.
Apart from the data listed in the Report Table, the descriptions are the same. For AS Path
Length reports, the Report Table displays the traffic aggregated by the length of the AS path
through which the Neighbor AS is passed.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.2.2.4 BGP Message
The BGP Message traffic analysis of the Neighbor breakdown report provides update statistics
for the BGP messages received from a peer, for a single Neighbor at a time. For an individual router
associated with a specific Neighbor entity, several statistic types of BGP messages are counted.
Each row of the Report Table shows the message type, the number of messages, and the
percentage of the total.
Click on the BGP Message sub menu of Breakdown Report under the Report / Neighbor
menu to enter the BGP Message Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located at the top of the screen and contains the query condition options listed below:
Neighbor Group: All Neighbors (default) and the defined Neighbor groups (All Neighbor groups
defined in the Group menu of System Admin / Network / Preferences will be shown here.)
Neighbor: every Neighbor AS configured in the Neighbor group (The list changes according to
the group selected in the Neighbor Group drop-down list.)
Router Group: All routers (default) and the defined Router groups (All Router groups defined in
the Group menu of System Admin / Network / Preferences will be shown here.)
2009 Genie Network Resource Management Inc. All Rights Reserved.
Router: every router configured in the Router group (The list changes according to the group
selected in the Router Group drop-down list.)
Time Range: a flexible way to specify the time interval for displaying report. There are two ways
provided to specify the time interval in the system: one is Time Range and the other is Period
(Please see the description below for details). Once users choose this way, please specify the
start time and end time of analysis report from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the other way, distinct from Time
Range, to specify the report time interval. Five fixed time intervals are provided to present the
analysis report, with an end time specified from the Until drop-down list. Once users choose this
way, the Start Time drop-down list will be unavailable.
Start Time: year, month, date, and time. This drop-down list represents the start time of reports
time interval. Users can specify the start date of the analysis report from either the
year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time,
the year-month-date time table will be shown. Specify the year and month from the drop-down
lists in the time table, select the date by using your cursor to click on (the selected date will be
highlighted), and then click on the OK button. Or click on the Cancel button to close the
time table. Specify the time from the time drop-down list after finishing the selections of year,
month, and date. If users choose the Period way to specify the reports time interval, this
drop-down list will be unavailable.
Until: year, month, date, and time. This drop-down list represents the end time of the report time
interval. Please refer to the Start Time description above for operation.
Output: users can view the report on the web or download it in the CSV format by selecting
Show on Web or Download Graph CSV from the drop-down list.
Submit: after finishing the query conditions, click on this button to submit the query.
Report Chart
There are three line charts displayed here: Neighbor Traffic, Prefixes From Neighbor, and BGP
Messages.
The first one is the traffic chart for the selected Neighbor entity (Into Home/Out of Home). The
X-coordinate represents time and is scaled according to the time interval selected by users.
The Y-coordinate represents traffic flow. In the chart, the line represents the traffic of the selected
Neighbor into and out of Home. The colored legend entries below the chart identify each traffic
type.
The second one displays the number of routes (prefixes) announced through the selected
Neighbor entity. The X-coordinate represents time and will be converted according to the time
interval selected by users. The Y-coordinate represents number of prefixes.
The third one displays the variation of the different message types within the selected time interval.
The X-coordinate represents time and is scaled according to the time interval selected by
users. The Y-coordinate represents the number of messages (per 5 minutes). The colored legend
entries below the chart identify each message type.
Report Table
For the BGP message information of the Neighbor breakdown report, this table displays six statistic
types of BGP messages for a specific router with a specific Neighbor.
ANN -- Routes Announced by Peer.
AADIFF -- A route is withdrawn implicitly and replaced with a different route when the original
route becomes unreachable, or when a preferred alternative path becomes available. AADIFF is
classified as forwarding instability.
AADUP -- A route is withdrawn implicitly and replaced with a duplicate of the original route. A
duplicate route is defined as a subsequent route announcement that has the same nexthop or
AS-path attribute information. AADUP may reflect pathological behavior, because a router should
only send a BGP update for a change in topology or policy. AADUP may also reflect policy
fluctuation, as subsequent route announcements may differ in other attributes such as
MED and Aggregator.
TUP -- A previously unavailable route is announced as available. This represents a route repair.
TDOWN -- A previously available route is withdrawn. This represents a route failure.
UPDATES -- BGP updates (AADIFF + AADUP + TUP + TDOWN).
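The classification above is a state machine over the sequence of announcements and withdrawals a peer sends for each prefix: the label of an update depends on what the peer had announced for that prefix before. The following Python is added here as an illustration and is not code from the product or the manual. It replays a constructed sequence of BGP updates through a per-peer route table and labels each one with the categories listed above. The `Route`/`Update` types, the sample prefixes and ASNs, the strict reading of "duplicate" (next hop and AS path both unchanged) and the choice to express percentages relative to the UPDATES total are assumptions of the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


# Constructed route/update types for the example (assumption: a route is identified by
# next hop and AS path; other attributes such as MED may differ without changing the label).
@dataclass(frozen=True)
class Route:
    nexthop: str
    as_path: Tuple[int, ...]
    med: int = 0


@dataclass(frozen=True)
class Update:
    kind: str                 # "A" = announcement, "W" = withdrawal
    prefix: str
    route: Optional[Route] = None


class PeerTable:
    """Tracks the routes currently announced by one peer and counts message types."""

    STAT_TYPES = ("ANN", "AADIFF", "AADUP", "TUP", "TDOWN", "UPDATES")

    def __init__(self) -> None:
        self.routes: Dict[str, Route] = {}
        self.counts: Counter = Counter()

    def classify(self, update: Update) -> Optional[str]:
        current = self.routes.get(update.prefix)
        if update.kind == "W":
            if current is None:
                return None          # withdrawal of a route never announced: not counted
            del self.routes[update.prefix]
            label = "TDOWN"          # previously available route withdrawn (route failure)
        elif update.route is None:
            raise ValueError("announcement without route attributes")
        else:
            self.counts["ANN"] += 1  # every announcement from the peer counts as ANN
            if current is None:
                label = "TUP"        # previously unavailable route becomes available (repair)
            elif (current.nexthop, current.as_path) == (update.route.nexthop, update.route.as_path):
                label = "AADUP"      # implicit withdraw replaced by a duplicate route
            else:
                label = "AADIFF"     # implicit withdraw replaced by a different route
            self.routes[update.prefix] = update.route
        self.counts[label] += 1
        self.counts["UPDATES"] += 1  # UPDATES = AADIFF + AADUP + TUP + TDOWN
        return label

    def report(self) -> List[Tuple[str, int, float]]:
        """Rows of (message type, count, percentage of UPDATES), like the Report Table."""
        total = self.counts["UPDATES"]
        return [(name, self.counts[name],
                 round(100.0 * self.counts[name] / total, 1) if total else 0.0)
                for name in self.STAT_TYPES]


# Constructed sample: one peer, two prefixes, documentation-range addresses and private ASNs.
SAMPLE_UPDATES = [
    Update("A", "198.51.100.0/24", Route("192.0.2.1", (64496, 64500))),          # TUP
    Update("A", "198.51.100.0/24", Route("192.0.2.1", (64496, 64500), med=10)),  # AADUP (only MED differs)
    Update("A", "198.51.100.0/24", Route("192.0.2.1", (64496, 64501, 64500))),   # AADIFF (AS path changed)
    Update("W", "198.51.100.0/24"),                                              # TDOWN
    Update("W", "198.51.100.0/24"),                                              # repeated withdraw, ignored
    Update("A", "203.0.113.0/24", Route("192.0.2.2", (64496,))),                 # TUP
]


def classify_sequence(updates=SAMPLE_UPDATES):
    """Label every update in order and return (labels, report rows)."""
    table = PeerTable()
    labels = [table.classify(u) for u in updates]
    return labels, table.report()


if __name__ == "__main__":
    for row in classify_sequence()[1]:
        print("%-8s %4d %6.1f%%" % row)
```

A real collector would keep one `PeerTable` per (router, neighbor) pair, which is exactly the granularity the Report Table above uses; the counts here are per session, whereas the report bins them per 5 minutes.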
There are tabs at the right top corner of the table: Average, Current, and Maximum.
Average: the average values during the selected time interval.
Current: the values of the last data during the selected time interval.
Maximum: the maximum values during the selected time interval.
Users can click on the tabs to view the detailed data for each. The blue tab indicates the page
currently displayed. Selecting the check box in front of a row draws that traffic in the Report
Chart, so users can compare different types of BGP message clearly by unselecting the message
types they do not want and leaving those they want. An All check box lets users select all
check boxes at once. Click on the Submit button (in the Query Bar) to refresh the screen for
the new selection. In addition, users can use the Download Excel-XML button to download the
tabular data of the table as an XML file, which can be read by the Excel program. The downloaded
file separates the Average, Current, and Maximum tables into three different worksheets.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.2.2.5 Origin ASN
The Origin ASN traffic analysis of the Neighbor breakdown report provides information about the
traffic from/to the Home Network through a specific Neighbor AS to/from the Origin ASes. This
report lists the top N Origin ASNs passing through the specified Neighbor AS. Because the number
of Origin ASes may be quite large, only the top 128 ASNs are saved to the DB. The top N
(N: default = 25) ASNs are displayed, one per row. Each row of the Report Table shows the
ingress, egress and sum traffic for one Origin ASN. Click on the Origin ASN sub menu of
Breakdown Report under the Report / Neighbor menu to enter the Origin ASN Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Detail section of Summary Report of Report /
Neighbor for details.
Apart from the data listed in the Report Table, the descriptions are the same. For Origin
ASN reports, the Report Table displays the top N Origin ASNs.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.2.3 Attribute Report
The attribute report provides analysis information about some common attributes. With the
common attribute reports, users can understand how their network resources are actually being
used. The attribute report of the Internet traffic has five kinds: Application, Protocol,
Protocol+Port, TOS, and Packet Size.
When users click on the unfolding mark of Attribute Report under the Report / Neighbor menu,
all its sub menus will be unfolded including Application, Protocol, Protocol+Port, TOS, and
Packet Size.
7.2.3.1 Application
The Application traffic analysis of Neighbor attribute report provides the information about the
ingress/egress (Into Home/Out of Home) traffic from a specific Neighbor AS, which is
aggregated according to the user defined application groups on source and destination ports
separately for different traffic directions. Up to top 128 applications will be saved to DB. The top
N (N: default = 25) applications will be displayed and each in a row.
In this report, users can obtain not only the traffic Into Home and Out of Home for applications
but also the traffic between the Request side and the Response side. For example, when a client
issues a request to a server, the traffic belongs to Request traffic; when a server replies to a
client, the traffic belongs to Response traffic. (A server is the Response side and a client is the
Request side.) A Service drop-down list is provided for users to select the traffic direction. Two
items are selectable: Inside and Outside. Inside means the server is inside the entity (Home
Network, Sub-Network) and represents the Request data of Ingress traffic or the Response data
of Egress traffic. Outside means the server is outside the entity and represents the Response
data of Ingress traffic or the Request data of Egress traffic.
Click on the Application sub menu of Attribute Report under the Report / Neighbor menu to
enter the Application Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Detail section of Summary Report of Report /
Neighbor for details.
Apart from the data listed in the Report Table, the descriptions are the same. For
Application reports, the Report Table displays the top N Applications.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.2.3.2 Protocol
The Protocol traffic analysis of the Neighbor attribute report provides information about the
ingress/egress (Into Home/Out of Home) traffic from a specific Neighbor AS, aggregated
according to the protocol (e.g. TCP/6, UDP/17, ICMP/1...). In total, the top 128 protocols are
stored in the database and the top N (N: default = 25) are displayed in the report. Each row of the
Report Table shows the Into Home/Out of Home traffic for one protocol, and the value in the
Sum column is the total of the Into Home and Out of Home traffic.
Click on the Protocol sub menu of Attribute Report under the Report / Neighbor menu to
enter the Protocol Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Detail section of Summary Report of Report /
Neighbor for details.
Apart from the data listed in the Report Table, the descriptions are the same. For Protocol
reports, the Report Table displays the top N Protocols.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.2.3.3 Protocol+Port
The Protocol+Port traffic analysis of Neighbor attribute report provides the information about the
ingress/egress (Into Home/Out of Home) traffic from a specific Neighbor AS, which is
aggregated according to protocol plus port number (service) for TCP and UDP (if it is for ICMP,
the traffic will be aggregated according to the code and type of the ICMP). Each row of Report
Table will display the Into Home/Out of Home traffic for the protocol+port (service) and the value
in the Sum column is the total amount of the Into Home and Out of Home traffic. The top 128 will
be stored to database and top N (N: default = 25) will be displayed for report.
In this report, users can obtain not only the traffic Into Home and Out of Home for the service
(protocol+port), but also the traffic between the Request side and the Response side. For
example, when a client issues a request to a server, the traffic belongs to Request traffic; when a
server replies to a client, the traffic belongs to Response traffic. (A server is the Response side
and a client is the Request side.) A Service drop-down list is provided for users to select the
traffic direction. Two items are selectable: Inside and Outside. Inside means the server is
inside the entity (Home Network, Sub-Network) and represents the Request data of Ingress
traffic or the Response data of Egress traffic. Outside means the server is outside the entity
and represents the Response data of Ingress traffic or the Request data of Egress traffic.
Click on the Protocol+Port sub menu of Attribute Report under the Report / Neighbor menu
to enter the Protocol+Port Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Detail section of Summary Report of Report /
Neighbor for details.
Apart from the data listed in the Report Table, the descriptions are the same. For
Protocol+Port reports, the Report Table displays the top N Protocol+Port entries (services).
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.2.3.4 TOS
The TOS traffic analysis of the Neighbor attribute report provides information about the
ingress/egress (Into Home/Out of Home) traffic from a specific Neighbor AS, aggregated
according to the 256 TOS values. Each row of the Report Table shows the Into Home/Out of Home
traffic for one TOS value, and the value in the Sum column is the total of the Into Home and Out
of Home traffic. In total, the top 128 TOS values are stored in the database and the top N (N:
default = 25) are displayed in the report.
Click on the TOS sub menu of Attribute Report under the Report / Neighbor menu to enter the
TOS Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Detail section of Summary Report of Report /
Neighbor for details.
Apart from the data listed in the Report Table, the descriptions are the same. For TOS
reports, the Report Table displays the top N TOS values.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.2.3.5 Packet Size
The Packet Size traffic analysis of the Neighbor attribute report provides information about the
ingress/egress (Into Home/Out of Home) traffic from a specific Neighbor AS, aggregated
according to the packet size. The packet size is calculated by dividing the byte count by the
number of packets. The packet size segments are: <32, 32-64, 64-96, 96-128, 128-160, 160-192,
192-224, 224-256, 256-320, 320-384, 384-448, 448-512, 512-768, 768-1024, 1024-1536, and
>1536.
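The breakdown and attribute reports in this chapter (AS Path Length, Protocol, Protocol+Port, TOS and Packet Size) are all the same computation with a different aggregation key: sum the Into Home and Out of Home bytes per key, rank by the sum, store the top 128 and display the top 25. The following Python is added here as an illustration and is not code from the product or the manual. It implements that aggregation over constructed flow records with one key function per report, including the rules stated above (AS path lengths above 30 are dropped, ICMP is keyed by type and code, packet size is bytes divided by packets and then binned). The `Flow` record fields, the choice of the lower port number as the service port, and the half-open packet size boundaries (lower bound inclusive, upper exclusive, 1536 and above in ">1536") are assumptions of the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Limits stated in the manual: AS path lengths above 30 are ignored, the top 128 keys are
# stored in the database and the top 25 are displayed by default.
MAX_AS_PATH_LEN = 30
STORED_TOP_N = 128
DISPLAY_TOP_N = 25

# Packet size segment boundaries in bytes, as listed in the manual. Assumption of this example:
# segment "a-b" covers a <= average size < b, "<32" is below 32 and ">1536" is 1536 or more.
PACKET_SIZE_BOUNDS = (32, 64, 96, 128, 160, 192, 224, 256, 320, 384, 448, 512, 768, 1024, 1536)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


@dataclass(frozen=True)
class Flow:
    """Constructed flow record; the fields are assumptions of this example, not the product's schema."""
    direction: str            # "ingress" (Into Home) or "egress" (Out of Home)
    proto: int                # IP protocol number
    byte_count: int
    packet_count: int
    src_port: int = 0
    dst_port: int = 0
    icmp_type: int = 0
    icmp_code: int = 0
    tos: int = 0
    as_path: Tuple[int, ...] = ()


def packet_size_segment(byte_count: int, packet_count: int) -> str:
    """Average packet size (bytes / packets) mapped onto the manual's segments."""
    if packet_count <= 0:
        raise ValueError("packet_count must be positive")
    avg = byte_count / packet_count
    if avg < PACKET_SIZE_BOUNDS[0]:
        return f"<{PACKET_SIZE_BOUNDS[0]}"
    for lo, hi in zip(PACKET_SIZE_BOUNDS, PACKET_SIZE_BOUNDS[1:]):
        if lo <= avg < hi:
            return f"{lo}-{hi}"
    return f">{PACKET_SIZE_BOUNDS[-1]}"


# One key function per report type. Returning None drops the flow from that report.
def key_protocol(f: Flow) -> str:
    return f"{PROTO_NAMES.get(f.proto, 'IP')}/{f.proto}"


def key_protocol_port(f: Flow) -> str:
    if f.proto == 1:                      # ICMP: aggregate by type and code
        return f"ICMP type {f.icmp_type} code {f.icmp_code}"
    if f.proto in (6, 17):                # TCP/UDP; assumption: the lower port is the service port
        return f"{PROTO_NAMES[f.proto]}/{min(f.src_port, f.dst_port)}"
    return key_protocol(f)


def key_tos(f: Flow) -> str:
    return f"TOS {f.tos}"


def key_packet_size(f: Flow) -> str:
    return packet_size_segment(f.byte_count, f.packet_count)


def key_as_path_length(f: Flow) -> Optional[str]:
    length = len(f.as_path)
    return None if length > MAX_AS_PATH_LEN else f"len {length}"


def breakdown(flows, key_fn: Callable[[Flow], Optional[str]],
              top_n: int = DISPLAY_TOP_N) -> List[Tuple[str, Dict[str, int]]]:
    """Ingress/egress/sum bytes per key, ranked by sum, truncated to top_n (at most 128) rows."""
    table: Dict[str, Dict[str, int]] = defaultdict(lambda: {"ingress": 0, "egress": 0, "sum": 0})
    for f in flows:
        key = key_fn(f)
        if key is None:
            continue
        if f.direction not in ("ingress", "egress"):
            raise ValueError(f"unknown direction {f.direction!r}")
        table[key][f.direction] += f.byte_count
        table[key]["sum"] += f.byte_count
    ranked = sorted(table.items(), key=lambda kv: kv[1]["sum"], reverse=True)
    return ranked[:min(top_n, STORED_TOP_N)]


# Constructed sample flows (private ASNs; the 33-hop path exercises the >30 rule).
SAMPLE_FLOWS = [
    Flow("ingress", 6, 600_000, 500, 51234, 443, as_path=(64496, 64500)),
    Flow("egress", 6, 120_000, 400, 443, 51234, as_path=(64496, 64500)),
    Flow("ingress", 17, 8_000, 100, 40000, 53, as_path=(64496, 64501, 64502)),
    Flow("egress", 1, 6_400, 100, icmp_type=8, as_path=tuple(range(64512, 64545))),
    Flow("ingress", 6, 50_000, 50, 51235, 80, tos=184, as_path=(64496,)),
]

if __name__ == "__main__":
    for name, fn in [("Protocol", key_protocol), ("Protocol+Port", key_protocol_port),
                     ("TOS", key_tos), ("Packet Size", key_packet_size),
                     ("AS Path Length", key_as_path_length)]:
        print(name, breakdown(SAMPLE_FLOWS, fn))
```

The Packet Size report shows every segment rather than a top N, so for that key `top_n` would be set to the number of segments; the Application report is the same aggregation with a user-defined port-to-application mapping as the key function.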
Click on the Packet Size sub menu of Attribute Report under the Report / Neighbor menu to
enter the Packet Size Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Detail section of Summary Report of Report /
Neighbor for details.
Apart from the data listed in the Report Table, the descriptions are the same. For Packet
Size reports, the Report Table displays all Packet Size segments.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.3 Backbone
The Backbone menu provides various built-in reports for Backbone traffic analysis, provided that
the Home Network area and the Backbone boundary have been defined in advance. The traffic going
through the interfaces on the Backbone boundary is classified as Backbone traffic. From the
Backbone traffic reports, users can see the traffic delivered through their backbone network and
the traffic status of each core router. Backbone traffic reports include: Summary Report and Core
Router. The following sections introduce how to query the various Backbone traffic reports.
When users click on the unfolding mark of Report / Backbone, all its sub menus will be unfolded
including Summary Report, and Core Router.
7.3.1 Summary Report
The summary report of the Backbone traffic presents a macroscopic analysis of the traffic from the
Internet/Home Network through the Backbone to the Internet/Home Network. With the Backbone
summary report, users can get an overview of their Internet traffic. Click on the Summary Report
sub menu of the Report / Backbone menu to enter the Summary Report window. The system
displays the analysis reports for Backbone traffic according to the selected traffic unit, time
interval, and traffic type.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located at the top of the screen and contains the query condition options listed below:
Time Range: a flexible way to specify the time interval for displaying report. There are two ways
provided to specify the time interval in the system: one is Time Range and the other is Period
(Please see the description below for details). Once users choose this way, please specify the
start time and end time of analysis report from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the other way, distinct from Time
Range, to specify the report time interval. Five fixed time intervals are provided to present the
analysis report, with an end time specified from the Until drop-down list. Once users choose this
way, the Start Time drop-down list will be unavailable.
Start Time: year, month, date, and time. This drop-down list represents the start time of reports
time interval. Users can specify the start date of the analysis report from either the
year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time,
the year-month-date time table will be shown. Specify the year and month from the drop-down
lists in the time table, select the date by using your cursor to click on (the selected date will be
highlighted), and then click on the OK button. Or click on the Cancel button to close the
time table. Specify the time from the time drop-down list after finishing the selections of year,
month, and date. If users choose the Period way to specify the reports time interval, this
drop-down list will be unavailable.
Until: year, month, date, and time. This drop-down list represents the end time of the report time
interval. Please refer to the Start Time description above for operation.
Unit: bps (bit per second) and pps (packet per second).
Output: users can view the report on the web or download it in the CSV format by selecting
Show on Web or Download Graph CSV from the drop-down list.
Submit: after finishing the query conditions, click on this button to submit the query.
Report Chart
This report is presented as a line chart. The X-coordinate represents time and is scaled
according to the time interval selected by users. The Y-coordinate represents traffic flow. In the
chart, each line represents one kind of traffic and its data matches the data listed in the Report
Table. The data is divided into two parts by the X-axis. The upper part represents the traffic into
Home and the lower part represents the traffic out of Home. (The colored markers next to the check
boxes identify each traffic type.)
Report Table
For Backbone summary report, this table will display four kinds of traffic statistics:
Home to Home: If both the source and destination IP addresses of the Backbone traffic belong
to the Home Network IP space, the traffic is considered Home to Home Traffic.
Internet to Home: If the destination IP address of the Backbone traffic belongs to the Home
Network IP space but the source IP address does not belong to the Home Network, the traffic
is considered Internet to Home Traffic.
Home to Internet: If the source IP address of the Backbone traffic belongs to the Home
Network IP space but the destination IP address does not belong to the Home Network, the
traffic is considered Home to Internet Traffic.
Internet to Internet: If neither the source nor the destination IP address of the Backbone traffic
belongs to the Home Network IP space, the traffic is considered Internet to Internet
Traffic, also called Transit Traffic.
Average, current, and maximum values are displayed in the table. Selecting the check box in
front of a row draws that traffic in the Report Chart, so users can compare different types of
traffic clearly by unselecting the traffic they do not want and leaving those they want. An All check
box lets users select all check boxes at once. Click on the Submit button (in the Query Bar) to
refresh the screen for the new selection. In addition, users can use the Download Excel-XML
button to download the tabular data of the table as an XML file, which can be read by the Excel program.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.3.2 Core Router
The Core Router report of the Backbone traffic presents the traffic analysis of the backbone
network from the core routers' viewpoint. (A router with any backbone link is a core router.)
There are two kinds of reports about the core routers. One displays the traffic summary for
each core router; the other provides the detailed traffic information for a specific core router. When
users click on the Core Router sub menu of Report / Backbone, two sub menus are shown:
Compare and Detail.
7.3.2.1 Compare
The Compare report of Core Router of Backbone traffic analysis provides users the information
about the Into Backbone/Out of Backbone (Backbone Boundary to Backbone Links/Backbone
Links to Backbone Boundary) traffic for each Core Router to compare the differences with the
total amount. The Top N Report Table will display all core routers.
Click on the Compare sub menu of Core Router under the Report / Backbone menu to enter
the Compare Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located at the top of the screen and contains the query condition options listed below:
Time Range: a flexible way to specify the time interval for displaying report. There are two ways
provided to specify the time interval in the system: one is Time Range and the other is Period
(Please see the description below for details). Once users choose this way, please specify the
start time and end time of analysis report from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the other way, distinct from Time
Range, to specify the report time interval. Five fixed time intervals are provided to present the
analysis report, with an end time specified from the Until drop-down list. Once users choose this
way, the Start Time drop-down list will be unavailable.
Start Time: year, month, date, and time. This drop-down list represents the start time of reports
time interval. Users can specify the start date of the analysis report from either the
year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time,
the year-month-date time table will be shown. Specify the year and month from the drop-down
lists in the time table, select the date by using your cursor to click on (the selected date will be
highlighted), and then click on the OK button. Or click on the Cancel button to close the
time table. Specify the time from the time drop-down list after finishing the selections of year,
month, and date. If users choose the Period way to specify the reports time interval, this
drop-down list will be unavailable.
Until: year, month, date, and time. This drop-down list represents the end time of the report time
interval. Please refer to the Start Time description above for operation.
Unit: bps (bit per second) and pps (packet per second).
Output: users can view the report on the web or download it in the CSV format by selecting
Show on Web or Download Graph CSV from the drop-down list.
Chart: three types of output report chart are provided: Stacked Chart, Bar Chart, and Pie
Chart. The default setting is Stacked Chart.
Submit: after finishing the query conditions, click on this button to submit the query.
Report Chart
Stacked Chart. The X-coordinate represents time and is scaled according to the time
interval selected by users. The Y-coordinate represents traffic flow. The data is divided into two
parts by the X-axis. The upper part represents the traffic into the Backbone and the lower part
represents the traffic out of the Backbone. In the chart, each stacked band represents one kind of
traffic and the bands are additive, that is to say the outer edge of all stacked bands represents the
total traffic of all bands. (The colored markers next to the check boxes identify each router.)
Bar Chart. Bar Chart is presented with horizontal bars and three different colors of bars are used
to separately represent Egress, Ingress, and Sum traffic statistics.
Pie Chart. There are three pie charts presented to separately represent Egress, Ingress, and
Sum traffic statistics.
Report Table
This table will display the traffic analyses statistics for all core routers. There are three tabs at the
right top corner of the table: Average, Current, and Maximum.
Average: the average values during the selected time interval.
Current: the values of the last data during the selected time interval.
Maximum: the maximum values during the selected time interval.
Users can click on the tabs to view the detailed data for each. The blue tab indicates the page
currently displayed. Selecting the check box in front of a row draws that traffic in the Report
Chart, so users can compare different types of traffic clearly by unselecting the traffic they do
not want and leaving those they want. An All check box lets users select all check boxes at once.
Click on the Submit button (in the Query Bar) to refresh the screen for the new selection. In addition,
users can use the Download Excel-XML button to download the tabular data of the table as an XML
file, which can be read by the Excel program. The downloaded file separates the Average, Current,
and Maximum tables into three different worksheets.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.3.2.2 Detail
The Detail report of Core Router of Backbone traffic analysis provides the information about the
Into Backbone/Out of Backbone (Boundary to Backbone/Backbone to Boundary) traffic
aggregated according to different traffic types (Local to Local, Local to Backbone, Backbone to
Local, and Backbone to Backbone) for a specific Core Router.
Click on the Detail sub menu of Core Router under the Report / Backbone menu to enter the
Detail Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located at the top of the screen and contains the query condition options listed below:
Core Router: every core router (All routers with a backbone interface, also called a backbone link,
are core routers and are listed in this drop-down list. You can check this information in the
Router configuration view list of the System/Network/Router function.)
Time Range: a flexible way to specify the time interval for displaying report. There are two ways
provided to specify the time interval in the system: one is Time Range and the other is Period
(Please see the description below for details). Once users choose this way, please specify the
start time and end time of analysis report from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the other way, distinct from Time
Range, to specify the report time interval. Five fixed time intervals are provided to present the
analysis report, with an end time specified from the Until drop-down list. Once users choose this
way, the Start Time drop-down list will be unavailable.
Start Time: year, month, date, and time. This drop-down list represents the start time of reports
time interval. Users can specify the start date of the analysis report from either the
year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time,
the year-month-date time table will be shown. Specify the year and month from the drop-down
lists in the time table, select the date by using your cursor to click on (the selected date will be
highlighted), and then click on the OK button. Or click on the Cancel button to close the
time table. Specify the time from the time drop-down list after finishing the selections of year,
month, and date. If users choose the Period way to specify the reports time interval, this
drop-down list will be unavailable.
Until: year, month, date, and time. This drop-down list represents the end time of the report time
interval. Please refer to the Start Time description above for operation.
Unit: bps (bit per second) and pps (packet per second).
Output: users can view the report on the web or download it in the CSV format by selecting
Show on Web or Download Graph CSV from the drop-down list.
Submit: after finishing the query conditions, click on this button to submit the query.
Report Chart
This report is presented as a line chart. The X-coordinate represents time and is scaled
according to the time interval selected by users. The Y-coordinate represents traffic flow. In the
chart, each line represents one kind of traffic and its data matches the data listed in the Report
Table. (The colored markers next to the check boxes identify each traffic type.)
Report Table
For the Detail report of Core Router of Backbone traffic analysis, this table will display four types of
traffic analysis statistics for a specific Core Router.
Local to Backbone: counts all traffic whose output interface is a backbone link (interface) but
whose input interface is not.
Local to Local: counts all traffic whose input and output interfaces are both not backbone links
(interfaces).
Backbone to Local: counts all traffic whose input interface is a backbone link (interface) but
whose output interface is not.
Backbone to Backbone: counts all traffic whose input and output interfaces are both backbone
links (interfaces).
Average, current, and maximum values will be displayed in the table. Clicking on the check box in
the front of the row means to draw the traffic in Report Chart. So that users can compare different
types of traffic clearly by unselecting the traffic and leave those they want. An All check box for
users to conveniently select all check boxes at once. Please click on Submit button (in Query
Bar) to refresh the screen for your selection. In addition, users can use Download Excel-XML
button to download tabular data of the table with XML file, which can be read by the Excel program.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
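The four rows of this table are a pure function of which of a flow's two interfaces are backbone links. The following Python is an added example, not GenieATM code: it classifies constructed flow records by the same rule and converts the per-category byte and packet totals into the bps and pps units offered in the Query Bar. The interface indexes, the set of backbone interfaces, and the 300-second export interval are assumptions made for the example.

```python
"""Classify flow records into the four Core Router Detail rows by whether
their input/output interface is a backbone link, then express the totals
as bps and pps. Added example, not GenieATM code; all inputs constructed."""

# Constructed: SNMP ifIndex values of the core router's backbone links.
BACKBONE_IFS = {10, 11}

CATEGORIES = ("Local to Backbone", "Local to Local",
              "Backbone to Local", "Backbone to Backbone")


def classify(in_if, out_if, backbone_ifs=BACKBONE_IFS):
    """Return the report row a flow belongs to, from its in/out interfaces."""
    src = "Backbone" if in_if in backbone_ifs else "Local"
    dst = "Backbone" if out_if in backbone_ifs else "Local"
    return f"{src} to {dst}"


def aggregate(flows, interval_s, backbone_ifs=BACKBONE_IFS):
    """Sum bytes and packets per category and convert them to bps / pps
    over an export interval of interval_s seconds (the report's Unit choice)."""
    totals = {c: {"bytes": 0, "packets": 0} for c in CATEGORIES}
    for f in flows:
        cat = classify(f["in_if"], f["out_if"], backbone_ifs)
        totals[cat]["bytes"] += f["bytes"]
        totals[cat]["packets"] += f["packets"]
    return {
        c: {"bps": totals[c]["bytes"] * 8 / interval_s,
            "pps": totals[c]["packets"] / interval_s}
        for c in CATEGORIES
    }


# Constructed sample: flows from one 300 s export of the core router.
SAMPLE_FLOWS = [
    {"in_if": 3,  "out_if": 10, "bytes": 1_500_000, "packets": 1000},  # Local to Backbone
    {"in_if": 4,  "out_if": 10, "bytes": 3_000_000, "packets": 2000},  # Local to Backbone
    {"in_if": 10, "out_if": 3,  "bytes": 6_000_000, "packets": 4000},  # Backbone to Local
    {"in_if": 3,  "out_if": 4,  "bytes":   750_000, "packets":  500},  # Local to Local
    {"in_if": 10, "out_if": 11, "bytes": 1_200_000, "packets":  800},  # Backbone to Backbone
]

if __name__ == "__main__":
    for cat, v in aggregate(SAMPLE_FLOWS, 300).items():
        print(f"{cat:22s} {v['bps']:>12,.0f} bps {v['pps']:>8,.1f} pps")
```

Backbone to Backbone is the transit row: traffic that entered and left on backbone links never touched a local customer port, which is why separating it from the Local rows matters when the table is used to reason about where load on the core actually originates.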
7.4
Router
The Router menu provides various built-in reports for the traffic analysis of each router configured in the system. Users can obtain the total ingress/egress traffic, the CPU and memory utilization, the BGP messages (the BGP lookup function must be enabled), the BGP next hops, and the MPLS traffic of each router configured in the system. The following sections describe how to query the various Router traffic reports. For the traffic of each interface on a router, see the Report / Interface menu.
When users click the unfolding mark of Report / Router, all its sub menus are unfolded: Traffic, Performance, BGP Message, BGP Next Hop, and MPLS.
7.4.1
Traffic
The Traffic report of the router presents the traffic analysis for every single router, so users can see the ingress/egress traffic of each router. Click the Traffic sub menu of the Report / Router menu to enter the Traffic Report window. The system displays the analysis of router traffic according to the selected router group, traffic unit, and time interval. The Top N Report Table displays all routers.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located at the top of the screen and contains the condition options below:
Router Group: All routers (default) or one of the defined router groups. Every router group defined in the Group menu of System Admin / Network / Preferences is listed here. If a specific group is selected, Report Table shows only the traffic analyses of the routers configured in that group; otherwise it shows all routers configured in the system.
Time Range: a flexible way to specify the report's time interval. The system offers two ways to specify the interval, Time Range and Period (described below). With Time Range, set the start and end of the analysis interval from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, or yearly. This is the alternative to Time Range: one of five fixed interval lengths is applied, ending at the time set in the Until drop-down list. When Period is chosen, the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time; the start of the report interval. Set the start date either from the year/month/date drop-down lists or from the calendar table that opens when Start Time is clicked: choose the year and month from the drop-down lists in the table, click the date (the selected date is highlighted), and click OK, or click Cancel to close the table. After the year, month, and date are set, choose the time from the time drop-down list. When Period is chosen, this drop-down list is unavailable.
Until: year, month, date, and time; the end of the report interval. It is operated in the same way as Start Time.
Unit: bps (bits per second) or pps (packets per second).
Output: select Show on Web to view the report in the browser, or Download Graph CSV to download it as a CSV file.
Chart: only one chart type, Stacked Chart, is provided.
Submit: after setting the query conditions, click this button to run the query.
Report Chart
This report is presented as a stacked chart. The X-axis represents time, scaled to the time interval selected by the user; the Y-axis represents traffic volume. The data is divided into two parts by the X-axis: the upper part represents traffic into the router and the lower part traffic out of the router. Each stacked band represents the traffic of one router, and the bands are additive, so the outer edge of the stack represents the total traffic of all bands. The colored markers below the chart identify which router each band is.
Report Table
This table displays the traffic statistics for all routers. There are three tabs at the top right corner of the table: Average, Current, and Maximum.
Average: the average values over the selected time interval.
Current: the values of the last sample in the selected time interval.
Maximum: the maximum values over the selected time interval.
Click a tab to view its data; the blue tab is the one currently displayed. The check box at the front of each row controls whether that router's traffic is drawn in Report Chart, so users can compare the routers they are interested in by clearing the others; the All check box selects every row at once. Click the Submit button in Query Bar to refresh the screen after changing the selection. The Download Excel-XML button downloads the table as an XML file that Excel can open; the Average, Current, and Maximum tables are written to three separate worksheets.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
7.4.2
Performance
The Performance report of the router presents the CPU and memory utilization of every configured router. The data is collected by SNMP polling. With this report, users can take precautions against an overload before it happens. Click the Performance sub menu of the Report / Router menu to enter the Performance Report window. The system displays the utilization analysis according to the selected router group and time interval.
Report Descriptions
There are three parts in the Performance Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located at the top of the screen and contains the condition options below:
Router Group: All routers (default) or one of the defined router groups. Every router group defined in the Group menu of System Admin / Network / Preferences is listed here. If a specific group is selected, Report Table shows only the routers configured in that group; otherwise it shows all routers configured in the system.
Time Range: a flexible way to specify the report's time interval. The system offers two ways to specify the interval, Time Range and Period (described below). With Time Range, set the start and end of the analysis interval from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, or yearly. This is the alternative to Time Range: one of five fixed interval lengths is applied, ending at the time set in the Until drop-down list. When Period is chosen, the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time; the start of the report interval. Set the start date either from the year/month/date drop-down lists or from the calendar table that opens when Start Time is clicked: choose the year and month from the drop-down lists in the table, click the date (the selected date is highlighted), and click OK, or click Cancel to close the table. After the year, month, and date are set, choose the time from the time drop-down list. When Period is chosen, this drop-down list is unavailable.
Until: year, month, date, and time; the end of the report interval. It is operated in the same way as Start Time.
Output: select Show on Web to view the report in the browser, or Download Graph CSV to download it as a CSV file.
Submit: after setting the query conditions, click this button to run the query.
Report Chart
Two line charts are displayed here: CPU Usage and Memory Usage. The first is the CPU utilization chart and the second the memory utilization chart for the selected router group. The X-axis represents time, scaled to the time interval selected by the user; the Y-axis represents utilization as a percentage. Each line represents the utilization of one selected router; the colored markers below the chart identify which router each line is.
Report Table
This table displays the CPU and memory utilization percentages of every router in the selected router group. There are three tabs at the top right corner of the table: Average, Current, and Maximum.
Average: the average values over the selected time interval.
Current: the values of the last sample in the selected time interval.
Maximum: the maximum values over the selected time interval.
Click a tab to view its data; the blue tab is the one currently displayed. The check box at the front of each row controls whether that router's utilization is drawn in Report Chart, so users can compare the routers they are interested in by clearing the others; the All check box selects every row at once. Click the Submit button in Query Bar to refresh the screen after changing the selection. The Download Excel-XML button downloads the table as an XML file that Excel can open; the Average, Current, and Maximum tables are written to three separate worksheets.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
7.4.3
BGP Message
The BGP Message report of Router provides the BGP update message statistics of a single router at a time. It provides statistics similar to the Neighbor BGP Message report, except that the ANN message type is not shown, because ANN is tied to a specific neighbor. Each row of Report Table displays the message type, the number of messages, and the percentage of the total.
Click the BGP Message sub menu of the Report / Router menu to enter the BGP Message Report window.
Report Descriptions
There are three parts in the BGP Message Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located at the top of the screen and contains the condition options below:
Router Group: All routers (default) or one of the defined router groups. Every router group defined in the Group menu of System Admin / Network / Preferences is listed here.
Router: every router configured in the selected router group. The list changes according to the group selected in the Router Group drop-down list.
Time Range: a flexible way to specify the report's time interval. The system offers two ways to specify the interval, Time Range and Period (described below). With Time Range, set the start and end of the analysis interval from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, or yearly. This is the alternative to Time Range: one of five fixed interval lengths is applied, ending at the time set in the Until drop-down list. When Period is chosen, the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time; the start of the report interval. Set the start date either from the year/month/date drop-down lists or from the calendar table that opens when Start Time is clicked: choose the year and month from the drop-down lists in the table, click the date (the selected date is highlighted), and click OK, or click Cancel to close the table. After the year, month, and date are set, choose the time from the time drop-down list. When Period is chosen, this drop-down list is unavailable.
Until: year, month, date, and time; the end of the report interval. It is operated in the same way as Start Time.
Output: select Show on Web to view the report in the browser, or Download Graph CSV to download it as a CSV file.
Submit: after setting the query conditions, click this button to run the query.
Report Chart
Two line charts are displayed here: All Prefixes on Router and BGP Messages.
The first shows the total number of routes (prefixes) learned from the router within the selected time interval. The X-axis represents time, scaled to the time interval selected by the user; the Y-axis represents the number of prefixes.
The second shows how the count of each message type varies within the selected time interval. The X-axis represents time, scaled in the same way; the Y-axis represents the number of messages per 5 minutes. The colored markers below the chart identify which message type each line is.
Report Table
For the BGP message report of Router, this table displays five statistic types of BGP messages for the selected router.
AADIFF -- A route is implicitly withdrawn and replaced with a different route, either because the original route became unreachable or because a preferred alternative path became available. AADIFF is classified as forwarding instability.
AADUP -- A route is implicitly withdrawn and replaced with a duplicate of the original route. A duplicate route is a subsequent announcement with the same next hop and AS-path attributes. AADUP may reflect pathological behavior, because a router should only send a BGP update for a change in topology or policy; it may also reflect policy fluctuation, since the subsequent announcement may differ in other attributes such as MED and Aggregator.
TUP -- A previously unavailable route is announced as available. This represents a route repair.
TDOWN -- A previously available route is withdrawn. This represents a route failure.
UPDATES -- all BGP updates (AADIFF + AADUP + TUP + TDOWN).
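Which of the four types an update falls into depends on what the collector already knows about the prefix when the update arrives. The Python below is an added example, not GenieATM code: it applies the definitions above to a constructed, time-ordered stream of announcements and withdrawals, keeps the currently known route per prefix, counts the four types plus UPDATES per 5-minute bin as the BGP Messages chart does, and returns the prefix count that the All Prefixes on Router chart plots. The event format and the sample stream are assumptions; a duplicate is taken to be an announcement with the same next hop and the same AS path.

```python
"""Classify a per-router stream of BGP UPDATE events into TUP, TDOWN,
AADIFF and AADUP and bin them per 5 minutes. Added example, not GenieATM
code; the event format and the sample stream are constructed."""
from collections import Counter, defaultdict

BIN_SECONDS = 300  # the BGP Messages chart counts messages per 5 minutes


def classify_update(rib, event):
    """Update the collector's view of the router's routes and return the
    event's category (or None if it is not counted).

    rib   : dict prefix -> (next_hop, as_path) of the currently known route
    event : dict with 'prefix', 'type' ('A' announce / 'W' withdraw) and,
            for announcements, 'next_hop' and 'as_path'
    """
    prefix = event["prefix"]
    if event["type"] == "W":
        if prefix in rib:            # route failure
            del rib[prefix]
            return "TDOWN"
        return None                  # withdraw of an unknown route: not counted
    new = (event["next_hop"], tuple(event["as_path"]))
    old = rib.get(prefix)
    rib[prefix] = new
    if old is None:
        return "TUP"                 # route repair: previously unavailable
    # Implicit withdrawal: same prefix re-announced while still reachable.
    return "AADUP" if old == new else "AADIFF"


def bin_messages(events):
    """Return ({bin_start: Counter}, prefixes_known_after_last_event).
    Each Counter holds TUP/TDOWN/AADIFF/AADUP and UPDATES (their sum).
    Events must be ordered by time (seconds)."""
    rib, bins = {}, defaultdict(Counter)
    for ev in events:
        cat = classify_update(rib, ev)
        if cat is None:
            continue
        start = ev["time"] - ev["time"] % BIN_SECONDS
        bins[start][cat] += 1
        bins[start]["UPDATES"] += 1
    return dict(bins), len(rib)


def percentages(counter):
    """Share of UPDATES per message type, as shown in Report Table."""
    total = counter["UPDATES"] or 1
    return {k: 100.0 * v / total for k, v in counter.items() if k != "UPDATES"}


# Constructed sample: one flapping prefix, one stable prefix re-announced
# unchanged, and a withdraw for a prefix the collector never saw.
SAMPLE_EVENTS = [
    {"time": 1000, "type": "A", "prefix": "203.0.113.0/24",
     "next_hop": "192.0.2.1", "as_path": [64500, 64510]},
    {"time": 1010, "type": "A", "prefix": "198.51.100.0/24",
     "next_hop": "192.0.2.2", "as_path": [64500, 64520]},
    {"time": 1100, "type": "W", "prefix": "203.0.113.0/24"},
    {"time": 1190, "type": "A", "prefix": "203.0.113.0/24",
     "next_hop": "192.0.2.1", "as_path": [64500, 64510]},
    {"time": 1300, "type": "A", "prefix": "203.0.113.0/24",
     "next_hop": "192.0.2.3", "as_path": [64500, 64530]},
    {"time": 1320, "type": "A", "prefix": "198.51.100.0/24",
     "next_hop": "192.0.2.2", "as_path": [64500, 64520]},
    {"time": 1400, "type": "W", "prefix": "192.0.2.0/24"},
]

if __name__ == "__main__":
    bins, prefixes = bin_messages(SAMPLE_EVENTS)
    for start in sorted(bins):
        print(start, dict(bins[start]), percentages(bins[start]))
    print("prefixes on router:", prefixes)
```

The classifier only sees what the router exports, so a withdraw for a prefix the collector never learned is dropped rather than counted as TDOWN; a run of AADUP for the same prefix with nothing else changing is the pattern the text calls pathological and is worth alerting on separately from genuine TUP/TDOWN flaps.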
There are three tabs at the top right corner of the table: Average, Current, and Maximum.
Average: the average values over the selected time interval.
Current: the values of the last sample in the selected time interval.
Maximum: the maximum values over the selected time interval.
Click a tab to view its data; the blue tab is the one currently displayed. The check box at the front of each row controls whether that message type is drawn in Report Chart, so users can compare message types clearly by clearing the ones they do not need; the All check box selects every row at once. Click the Submit button in Query Bar to refresh the screen after changing the selection. The Download Excel-XML button downloads the table as an XML file that Excel can open; the Average, Current, and Maximum tables are written to three separate worksheets.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
7.4.4
BGP Next Hop
The BGP Next Hop report presents the traffic of a single router broken down by BGP next hop.
Report Descriptions
There are three parts in the BGP Next Hop Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located at the top of the screen and contains the condition options below:
Router Group: All routers (default) or one of the defined router groups. Every router group defined in the Group menu of System Admin / Network / Preferences is listed here.
Router: every router configured in the selected router group. The list changes according to the group selected in the Router Group drop-down list.
Time Range: a flexible way to specify the report's time interval. The system offers two ways to specify the interval, Time Range and Period (described below). With Time Range, set the start and end of the analysis interval from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, or yearly. This is the alternative to Time Range: one of five fixed interval lengths is applied, ending at the time set in the Until drop-down list. When Period is chosen, the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time; the start of the report interval. Set the start date either from the year/month/date drop-down lists or from the calendar table that opens when Start Time is clicked: choose the year and month from the drop-down lists in the table, click the date (the selected date is highlighted), and click OK, or click Cancel to close the table. After the year, month, and date are set, choose the time from the time drop-down list. When Period is chosen, this drop-down list is unavailable.
Until: year, month, date, and time; the end of the report interval. It is operated in the same way as Start Time.
Unit: bps (bits per second) or pps (packets per second).
Output: select Show on Web to view the report in the browser, or Download Graph CSV to download it as a CSV file.
Chart: only one chart type, Stacked Chart, is provided.
Submit: after setting the query conditions, click this button to run the query.
Report Chart
This report is presented as a stacked chart. The X-axis represents time, scaled to the time interval selected by the user; the Y-axis represents traffic volume. The chart (above the X-axis) represents the traffic out of the router. Each stacked band represents one kind of traffic, and the bands are additive, so the outer edge of the stack represents the total traffic of all bands. (The colored markers next to the check boxes identify which next hop each band is.)
Report Table
This table displays the traffic statistics of the selected router broken down by BGP next hop. There are three tabs at the top right corner of the table: Average, Current, and Maximum.
7.4.5
MPLS
The MPLS traffic analysis of Router provides both overall and detailed MPLS (Multi-protocol Label Switching) traffic analyses. GenieATM collects MPLS traffic by retrieving NetFlow V9 packets from each router (NetFlow V9 packets can carry MPLS traffic information). The reports are presented for every router, since the system has no way to know whether a router has NetFlow V9 and MPLS enabled, and are empty for routers that do not have both enabled. Three kinds of reports are supported for MPLS traffic: Summary, Class of Services, and Egress PE.
When users click the unfolding mark of MPLS under the Report / Router menu, all its sub menus are unfolded: Summary Report, Class of Services, and Egress PE.
7.4.5.1
Summary Report
The summary report of MPLS traffic presents, for each router, the ingress and egress traffic carried by MPLS packets, as well as the router's total MPLS and non-MPLS traffic. With the MPLS summary report, users can see how much MPLS traffic runs on each router. Up to the top 64 MPLS labels are saved to the database and the top N (default N = 25) are displayed, one per row. Each row displays the following information: MPLS label, into-router traffic, out-of-router traffic, sum traffic, and percentage of the total.
Click the Summary Report sub menu of MPLS under the Report / Router menu to enter the Summary Report window.
Report Descriptions
There are three parts in the Summary Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located at the top of the screen and contains the condition options below:
Router Group: All routers (default) or one of the defined router groups. Every router group defined in the Group menu of System Admin / Network / Preferences is listed here.
Router: every router configured in the selected router group. The list changes according to the group selected in the Router Group drop-down list.
Time Range: a flexible way to specify the report's time interval. The system offers two ways to specify the interval, Time Range and Period (described below). With Time Range, set the start and end of the analysis interval from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, or yearly. This is the alternative to Time Range: one of five fixed interval lengths is applied, ending at the time set in the Until drop-down list. When Period is chosen, the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time; the start of the report interval. Set the start date either from the year/month/date drop-down lists or from the calendar table that opens when Start Time is clicked: choose the year and month from the drop-down lists in the table, click the date (the selected date is highlighted), and click OK, or click Cancel to close the table. After the year, month, and date are set, choose the time from the time drop-down list. When Period is chosen, this drop-down list is unavailable.
Until: year, month, date, and time; the end of the report interval. It is operated in the same way as Start Time.
Unit: bps (bits per second) or pps (packets per second).
Output: select Show on Web to view the report in the browser, or Download Graph CSV to download it as a CSV file.
Chart: three chart types are provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is Stacked Chart. Both
Submit: after setting the query conditions, click this button to run the query.
Report Chart
By default this report is presented as a stacked chart. The X-axis represents time, scaled to the time interval selected by the user; the Y-axis represents traffic volume. The chart (above the X-axis) represents the traffic out of the router. Each stacked band represents one kind of traffic, and the bands are additive, so the outer edge of the stack represents the total traffic of all bands. (The colored markers next to the check boxes identify which MPLS label each band is.)
Report Table
This table displays the MPLS traffic statistics of the selected router broken down by MPLS label. There are three tabs at the top right corner of the table: Average, Current, and Maximum.
Average: the average values over the selected time interval.
Current: the values of the last sample in the selected time interval.
Maximum: the maximum values over the selected time interval.
Click a tab to view its data; the blue tab is the one currently displayed. The check box at the front of each row controls whether that label's traffic is drawn in Report Chart, so users can compare MPLS labels clearly by clearing the ones they do not need; the All check box selects every row at once. Click the Submit button in Query Bar to refresh the screen after changing the selection. The Download Excel-XML button downloads the table as an XML file that Excel can open; the Average, Current, and Maximum tables are written to three separate worksheets.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
7.4.5.2
Class of Services
Three classes of service are used with MPLS: CAR, WRED, and WFQ. CAR classifies packets by the TOS bits in the IP header and limits their input and output transmission rate. This report therefore aggregates the router's input traffic by SRC_TOS and its output traffic by DST_TOS, in both cases only for records in which MPLS_LABEL_1 exists. Up to the top 64 CoS values are saved to the database and the top N (default N = 25) are displayed, one per row. Each row displays the following information: CoS value, into-router traffic, out-of-router traffic, sum traffic, and percentage of the total.
Click the Class of Services sub menu of MPLS under the Report / Router menu to enter the Class of Services Report window.
Report Descriptions
There are three parts in the Class of Services Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Summary Report section of Report / Router / MPLS for details.
The descriptions are the same except for the data listed in Report Table: for Class of Services reports, Report Table displays the top N CoS values.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
7.4.5.3
Egress PE
When MPLS_TOP_LABEL_IP_ADDR is not zero and the label type is LDP, the traffic is aggregated by the value of MPLS_TOP_LABEL_IP_ADDR. Up to the top 64 IP addresses are saved to the database and the top N (default N = 25) are displayed, one per row. Each row displays the following information: IP address, egress traffic, and percentage of the total.
Click the Egress PE sub menu of MPLS under the Report / Router menu to enter the Egress PE Report window.
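The three MPLS reports (Summary, Class of Services, and Egress PE above) are aggregations over the same NetFlow V9 fields that differ only in the grouping key and the filter. The Python below is an added example, not GenieATM code: it builds all three from constructed, already decoded NetFlow V9 records, grouping the Summary by MPLS_LABEL_1, the Class of Services by SRC_TOS for input and DST_TOS for output when MPLS_LABEL_1 exists, and the Egress PE by MPLS_TOP_LABEL_IP_ADDR when it is non-zero and the top label type is LDP, with the top 64 kept and the top N displayed. The record layout, the direction field, and the sample values are assumptions; the label type value 5 for LDP follows the NetFlow V9 field definitions in RFC 3954.

```python
"""Build the Summary, Class of Services and Egress PE MPLS reports from
decoded NetFlow V9 records. Added example, not GenieATM code.

Each record is a dict keyed by NetFlow V9 field names. The 'direction' key
("in" = into router, "out" = out of router) and all sample values are
constructed for this example."""
from collections import defaultdict

LDP = 5        # MPLS_TOP_LABEL_TYPE value for LDP (RFC 3954 field 46)
DB_KEEP = 64   # up to the top 64 keys are saved to the database
TOP_N = 25     # top N keys (default 25) are displayed


def _new_row():
    return {"in": 0, "out": 0, "sum": 0}


def _add(rows, key, direction, nbytes):
    rows[key][direction] += nbytes
    rows[key]["sum"] += nbytes


def _rank(rows, n):
    """Keep the largest keys by 'sum' (never more than DB_KEEP) and add each
    key's share of the total. Rows: (key, in, out, sum, percent)."""
    total = sum(r["sum"] for r in rows.values()) or 1
    top = sorted(rows.items(), key=lambda kv: kv[1]["sum"], reverse=True)
    return [(k, v["in"], v["out"], v["sum"], 100.0 * v["sum"] / total)
            for k, v in top[:min(n, DB_KEEP)]]


def summary_report(records, n=TOP_N):
    """Per-label rows plus the router's total MPLS and non-MPLS bytes.
    A record carries MPLS traffic only if MPLS_LABEL_1 is present."""
    per_label = defaultdict(_new_row)
    mpls = non_mpls = 0
    for r in records:
        if r.get("MPLS_LABEL_1") is None:
            non_mpls += r["IN_BYTES"]
            continue
        mpls += r["IN_BYTES"]
        _add(per_label, r["MPLS_LABEL_1"], r["direction"], r["IN_BYTES"])
    return _rank(per_label, n), mpls, non_mpls


def cos_report(records, n=TOP_N):
    """Input traffic keyed by SRC_TOS, output traffic keyed by DST_TOS,
    both only for records in which MPLS_LABEL_1 exists."""
    per_cos = defaultdict(_new_row)
    for r in records:
        if r.get("MPLS_LABEL_1") is None:
            continue
        cos = r["SRC_TOS"] if r["direction"] == "in" else r["DST_TOS"]
        _add(per_cos, cos, r["direction"], r["IN_BYTES"])
    return _rank(per_cos, n)


def egress_pe_report(records, n=TOP_N):
    """Traffic keyed by MPLS_TOP_LABEL_IP_ADDR when it is non-zero and the
    top label is LDP-signalled; counted as egress toward that PE.
    Rows: (pe_ip, egress_bytes, percent)."""
    per_pe = defaultdict(_new_row)
    for r in records:
        pe = r.get("MPLS_TOP_LABEL_IP_ADDR", "0.0.0.0")
        if r.get("MPLS_TOP_LABEL_TYPE") != LDP or pe == "0.0.0.0":
            continue
        _add(per_pe, pe, "out", r["IN_BYTES"])
    return [(k, out, pct) for k, _i, out, _s, pct in _rank(per_pe, n)]


# Constructed sample: two LDP labels, one VPN label, one plain IP flow.
SAMPLE_RECORDS = [
    {"direction": "in",  "MPLS_LABEL_1": 16001, "SRC_TOS": 0xB8, "DST_TOS": 0x00,
     "MPLS_TOP_LABEL_TYPE": 5, "MPLS_TOP_LABEL_IP_ADDR": "10.0.0.1", "IN_BYTES": 4000},
    {"direction": "out", "MPLS_LABEL_1": 16001, "SRC_TOS": 0x00, "DST_TOS": 0xB8,
     "MPLS_TOP_LABEL_TYPE": 5, "MPLS_TOP_LABEL_IP_ADDR": "10.0.0.1", "IN_BYTES": 6000},
    {"direction": "in",  "MPLS_LABEL_1": 16002, "SRC_TOS": 0x00, "DST_TOS": 0x00,
     "MPLS_TOP_LABEL_TYPE": 5, "MPLS_TOP_LABEL_IP_ADDR": "10.0.0.2", "IN_BYTES": 2000},
    {"direction": "out", "MPLS_LABEL_1": 16003, "SRC_TOS": 0x00, "DST_TOS": 0x00,
     "MPLS_TOP_LABEL_TYPE": 3, "MPLS_TOP_LABEL_IP_ADDR": "10.0.0.3", "IN_BYTES": 3000},
    {"direction": "in",  "MPLS_LABEL_1": None,  "SRC_TOS": 0x00, "DST_TOS": 0x00,
     "MPLS_TOP_LABEL_TYPE": 0, "MPLS_TOP_LABEL_IP_ADDR": "0.0.0.0", "IN_BYTES": 5000},
]

if __name__ == "__main__":
    rows, mpls, non_mpls = summary_report(SAMPLE_RECORDS)
    print("MPLS bytes:", mpls, "non-MPLS bytes:", non_mpls)
    for row in rows:
        print("label", row)
    for row in cos_report(SAMPLE_RECORDS):
        print("cos", row)
    for row in egress_pe_report(SAMPLE_RECORDS):
        print("egress PE", row)
```

The VPN-labelled record is counted in the Summary and Class of Services reports but excluded from Egress PE, which is the behaviour the rule above implies: a non-LDP top label does not identify an egress PE, so an Egress PE table that looks suspiciously small on a router carrying mostly VPN or TE traffic is a consequence of the filter rather than a collection fault.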
Report Descriptions
There are three parts in the Egress PE Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Summary Report section of Report / Router / MPLS for details.
The descriptions are the same except for the data listed in Report Table: for Egress PE reports, Report Table displays the top N IP addresses.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
7.5
Interface
The Interface menu provides various built-in reports for the traffic analysis of each interface on the routers configured in the system. Users can not only compare the total traffic in/out of each interface of a specific router but also obtain the detailed traffic analysis of each interface of the router. In addition, the Interface menu provides common attribute analysis reports for each interface. The following sections describe how to query the various Interface traffic reports.
When users click the unfolding mark of Report / Interface, all its sub menus are unfolded: Compare, Detail, Top Talker, and Attribute Report.
7.5.1
Compare
The Compare report of Interface traffic analysis shows the Into Router / Out of Router traffic of every available interface on a router, so users can compare each interface against the total. The Top N Report Table displays all interfaces of the router.
Click the Compare sub menu of the Report / Interface menu to enter the Compare Report window.
Report Descriptions
There are three parts in the Compare Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located at the top of the screen and contains the condition options below:
Router Group: All routers (default) or one of the defined router groups. Every router group defined in the Group menu of System Admin / Network / Preferences is listed here.
Router: every router configured in the selected router group. The list changes according to the group selected in the Router Group drop-down list.
Time Range: a flexible way to specify the report's time interval. The system offers two ways to specify the interval, Time Range and Period (described below). With Time Range, set the start and end of the analysis interval from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, or yearly. This is the alternative to Time Range: one of five fixed interval lengths is applied, ending at the time set in the Until drop-down list. When Period is chosen, the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time; the start of the report interval. Set the start date either from the year/month/date drop-down lists or from the calendar table that opens when Start Time is clicked: choose the year and month from the drop-down lists in the table, click the date (the selected date is highlighted), and click OK, or click Cancel to close the table. After the year, month, and date are set, choose the time from the time drop-down list. When Period is chosen, this drop-down list is unavailable.
Until: year, month, date, and time; the end of the report interval. It is operated in the same way as Start Time.
Unit: bps (bits per second) or pps (packets per second).
Output: select Show on Web to view the report in the browser, or Download Graph CSV to download it as a CSV file.
Chart: only one chart type, Stacked Chart, is provided.
Submit: after setting the query conditions, click this button to run the query.
2009 Genie Network Resource Management Inc. All Rights Reserved.
Report Chart
This report is presented as a stacked chart. The X-coordinate represents time and is scaled according to the time interval selected by users. The Y-coordinate represents traffic flow. The data is divided into two parts by the X-axis: the upper part represents the traffic into the Router and the lower part represents the traffic out of the Router. In the chart, each stacked band represents one kind of traffic, and the bands are additive, that is, the outer edge of all stacked bands represents the total traffic of all bands. (The colored objects next to the check boxes indicate which interface each band is.)
Report Table
This table displays the traffic analysis statistics for all available interfaces on the selected router. There are three tabs at the top right corner of the table: Average, Current, and Maximum.
Average: the average values during the selected time interval.
Current: the values of the last data sample during the selected time interval.
Maximum: the maximum values during the selected time interval.
Users can click on the tabs to view the detailed data for each. The blue tab is the one currently displayed. Selecting the check box in front of a row draws that traffic in the Report Chart, so users can compare the traffic of different interfaces clearly by clearing the interfaces they do not want and leaving only those they do. An All check box lets users select all check boxes at once. Click on the Submit button (in the Query Bar) to refresh the screen with the new selection. (The top 5 interfaces are selected by default for the chart. Users can select more interfaces, up to 16, to add them to the Report Chart. The Total row is the ingress/egress traffic of the selected router.) In addition, users can use the Download Excel-XML button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file separates the Average, Current, and Maximum tables into three different worksheets.
In addition, users can inspect detailed information by clicking on the Snapshot button. A Snapshot window pops up with the analysis criteria. The snapshot scope of this page is locked to the queried criteria, and the checked entries in the list table are taken as the source parameters, so users can keep only the entries they want before performing the Snapshot. Since most operations are the same as in the Snapshot main menu, refer to the Snapshot menu (on the Main Menu tree) for more detailed function information.
Refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
7.5.2
Detail
The Detail report of the Interface traffic analysis provides information about the Into Router/Out of Router traffic aggregated according to different traffic types (NetFlow Traffic (bps), SNMP Traffic (bps), NetFlow Traffic (pps), SNMP Traffic (pps), SNMP Discard, SNMP CRC Error, and SNMP Multicast/Broadcast) for each available interface on the router. Note that the traffic data of this report is collected from both the NetFlow records and SNMP polling, so users must enable the SNMP Monitor when configuring the interface.
Click on the Detail sub menu of the Report / Interface menu to enter the Detail Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located at the top of the screen and contains the condition options below:
Router: every router configured in the system.
Interface: every available interface on the selected router (the list changes according to the router selected in the Router drop-down list).
Time Range: a flexible way to specify the time interval of the report. The system provides two ways to specify the time interval: Time Range and Period (see the description below). When this way is chosen, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the other way to specify the report time interval: five fixed intervals are provided, and the report ends at the time specified from the Until drop-down list. When this way is chosen, the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time. This drop-down list represents the start time of the report time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table is shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date is highlighted), and then click on the OK button, or click on the Cancel button to close the time table. After selecting the year, month, and date, specify the time from the time drop-down list. If users choose the Period way to specify the report time interval, this drop-down list is unavailable.
Until: year, month, date, and time. This drop-down list represents the end time of the report time interval. Refer to the Start Time description above for operation.
Output: users can view the report on the web or download it in CSV format by selecting Show on Web or Download Graph CSV from the drop-down list.
Submit: after setting the query conditions, click on this button to submit the query.
Report Chart
This report is presented as a line chart. The X-coordinate represents time and is scaled according to the time interval selected by users. The Y-coordinate represents traffic flow. The data is divided into two parts by the X-axis: the upper part represents the traffic into the Interface and the lower part represents the traffic out of the Interface. (The colored objects next to the check boxes indicate which traffic type each line is.)
Report Table
For the Detail report of the Interface traffic analysis of a router, this table displays seven types of statistics related to layer 2 and layer 4 traffic for a specific interface:
NetFlow Traffic (bps)
SNMP Traffic (bps)
NetFlow Traffic (pps)
SNMP Traffic (pps)
SNMP Discard
SNMP CRC Error
SNMP Multicast/Broadcast
Average, current, and maximum values are displayed in the table. Selecting the check box in front of a row draws that traffic in the Report Chart, so users can compare different types of traffic clearly by clearing the traffic types they do not want and leaving only those they do. An All check box lets users select all check boxes at once. Click on the Submit button (in the Query Bar) to refresh the screen with the new selection. (The traffic types drawn in the report chart by default are NetFlow Traffic and SNMP Traffic.) In addition, users can use the Download Excel-XML button to download the tabular data of the table as an XML file, which can be read by the Excel program.
Refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
7.5.3
Top Talker
The Top Talker traffic analysis of the Interface report provides the top N listing of the traffic of IP addresses within an interface. Because the number of IP addresses may be large, only the top 128 IP addresses are saved to the DB. The top N (N: default = 25) IP addresses are displayed, one per row. Each row of the Report Table shows the ingress, egress, and sum traffic for one IP address. Click on the Top Talker sub menu of the Report / Interface menu to enter the Top Talker Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located at the top of the screen and contains the condition options below:
Router: every router configured in the system.
Interface: every available interface on the selected router (the list changes according to the router selected in the Router drop-down list).
Time Range: a flexible way to specify the time interval of the report. The system provides two ways to specify the time interval: Time Range and Period (see the description below). When this way is chosen, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the other way to specify the report time interval: five fixed intervals are provided, and the report ends at the time specified from the Until drop-down list. When this way is chosen, the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time. This drop-down list represents the start time of the report time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table is shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date is highlighted), and then click on the OK button, or click on the Cancel button to close the time table. After selecting the year, month, and date, specify the time from the time drop-down list. If users choose the Period way to specify the report time interval, this drop-down list is unavailable.
Until: year, month, date, and time. This drop-down list represents the end time of the report time interval. Refer to the Start Time description above for operation.
Unit: bps (bits per second) and pps (packets per second).
Output: users can view the report on the web or download it in CSV format by selecting Show on Web or Download Graph CSV from the drop-down list.
Chart: three types of report chart are provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is the stacked chart.
Submit: after setting the query conditions, click on this button to submit the query.
Report Chart
Stacked Chart. The X-coordinate represents time and is scaled according to the time interval selected by users. The Y-coordinate represents traffic flow. The data is divided into two parts by the X-axis: the upper part represents the traffic into the Interface and the lower part represents the traffic out of the Interface. In the chart, each stacked band represents one kind of traffic, and the bands are additive, that is, the outer edge of all stacked bands represents the total traffic of all bands. (The colored objects next to the check boxes indicate which IP address each band is.)
Bar Chart. The Bar Chart is presented with horizontal bars; three different bar colors are used to represent the Ingress, Egress, and Sum traffic statistics separately.
Pie Chart. Three pie charts are presented to represent the Ingress, Egress, and Sum traffic statistics separately.
Report Table
This table displays the top N IP addresses within the selected interface. There are three tabs at the top right corner of the table: Average, Current, and Maximum.
Average: the average values during the selected time interval.
Current: the values of the last data sample during the selected time interval.
Maximum: the maximum values during the selected time interval.
Users can click on the tabs to view the detailed data for each. The blue tab is the one currently displayed. Selecting the check box in front of a row draws that traffic in the Report Chart, so users can compare the traffic of different IP addresses clearly by clearing the IP addresses they do not want and leaving only those they do. An All check box lets users select all check boxes at once. Click on the Submit button (in the Query Bar) to refresh the screen with the new selection. In addition, users can use the Download Excel-XML button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file separates the Average, Current, and Maximum tables into three different worksheets.
Refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
7.5.4
Attribute Report
The attribute report provides analysis information about some common attributes. With common attribute reports, users can understand how their network resources are actually being used. The attribute report of the Interface traffic has five kinds: Application, Protocol, Protocol+Port, TOS, and Packet Size.
When users click on the unfolding mark of Attribute Report under the Report / Interface menu, all its sub menus are unfolded, including Application, Protocol, Protocol+Port, TOS, and Packet Size.
7.5.4.1
Application
The Application traffic analysis of the Interface attribute report provides information about the ingress/egress (Into Interface/Out of Interface) traffic of a specific interface, aggregated according to the user-defined application groups on source and destination ports, separately for each traffic direction. Up to the top 128 applications are saved to the DB. The top N (N: default = 25) applications are displayed, one per row.
In this report, users can obtain not only the traffic Into Interface and Out of Interface for applications but also the traffic between the Request side and the Response side. For example, when a client issues a request to a server, the traffic belongs to Request traffic; when a server replies to a client, the traffic belongs to Response traffic. (A server is the Response side and a client is the Request side.) A Service drop-down list is provided for users to select the traffic direction. There are two items selectable: Inside and Outside. Inside means the server is inside the entity (Home Network, Sub-Network) and represents the Request data of Ingress traffic or the Response data of Egress traffic. Outside means the server is outside the entity and represents the Response data of Ingress traffic or the Request data of Egress traffic.
Click on the Application sub menu of Attribute Report under the Report / Interface menu to enter the Application Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Refer to the Report Descriptions part in the Top Talker section of Report / Interface for details.
Except that the data listed in the Report Table is different, the other descriptions are the same. For Application reports, the Report Table displays the top N applications.
Refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
7.5.4.2
Protocol
The Protocol traffic analysis of the Interface attribute report provides information about the ingress/egress (Into Interface/Out of Interface) traffic of a specific interface, aggregated according to the protocol (e.g. TCP/6, UDP/17, ICMP/1, ...). In total, the top 128 protocols are stored in the database and the top N (N: default = 25) are displayed in the report. Each row of the Report Table displays the Into Interface/Out of Interface traffic for the protocol, and the value in the Sum column is the total of the Into Interface and Out of Interface traffic.
Click on the Protocol sub menu of Attribute Report under the Report / Interface menu to enter the Protocol Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Refer to the Report Descriptions part in the Top Talker section of Report / Interface for details.
Except that the data listed in the Report Table is different, the other descriptions are the same. For Protocol reports, the Report Table displays the top N protocols.
Refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
7.5.4.3
Protocol+Port
The Protocol+Port traffic analysis of the Interface attribute report provides information about the ingress/egress (Into Interface/Out of Interface) traffic of a specific interface, aggregated according to protocol plus port number (service) for TCP and UDP (for ICMP, the traffic is aggregated according to the ICMP type and code). Each row of the Report Table displays the Into Interface/Out of Interface traffic for the protocol+port (service), and the value in the Sum column is the total of the Into Interface and Out of Interface traffic. The top 128 are stored in the database and the top N (N: default = 25) are displayed in the report.
In this report, users can obtain not only the traffic Into Interface and Out of Interface for the service (protocol+port), but also the traffic between the Request side and the Response side. For example, when a client issues a request to a server, the traffic belongs to Request traffic; when a server replies to a client, the traffic belongs to Response traffic. (A server is the Response side and a client is the Request side.) A Service drop-down list is provided for users to select the traffic direction. There are two items selectable: Inside and Outside. Inside means the server is inside the entity (Home Network, Sub-Network) and represents the Request data of Ingress traffic or the Response data of Egress traffic. Outside means the server is outside the entity and represents the Response data of Ingress traffic or the Request data of Egress traffic.
Click on the Protocol+Port sub menu of Attribute Report under the Report / Interface menu to enter the Protocol+Port Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Refer to the Report Descriptions part in the Top Talker section of Report / Interface for details.
Except that the data listed in the Report Table is different, the other descriptions are the same. For Protocol+Port reports, the Report Table displays the top N Protocol+Port entries (services).
Refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
7.5.4.4
TOS
The TOS traffic analysis of the Interface attribute report provides information about the ingress/egress (Into Interface/Out of Interface) traffic of a specific interface, aggregated according to the 256 TOS values. Each row of the Report Table displays the Into Interface/Out of Interface traffic for the TOS value, and the value in the Sum column is the total of the Into Interface and Out of Interface traffic. In total, the top 128 TOS values are stored in the database and the top N (N: default = 25) are displayed in the report.
Click on the TOS sub menu of Attribute Report under the Report / Interface menu to enter the TOS Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Refer to the Report Descriptions part in the Top Talker section of Report / Interface for details.
Except that the data listed in the Report Table is different, the other descriptions are the same. For TOS reports, the Report Table displays the top N TOS values.
Refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
7.5.4.5
Packet Size
The Packet Size traffic analysis of the Interface attribute report provides information about the ingress/egress (Into Interface/Out of Interface) traffic of a specific interface, aggregated according to packet size. The packet size is calculated by dividing the number of bytes by the number of packets. The packet size segments are: <32, 32-64, 64-96, 96-128, 128-160, 160-192, 192-224, 224-256, 256-320, 320-384, 384-448, 448-512, 512-768, 768-1024, 1024-1536, and >1536.
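The aggregation described above, as an added Python example that is not code from the manual or the product: constructed NetFlow-style records are placed into the packet size segments listed above by their bytes/packets average, per traffic direction. The record layout, the sample values, and the rule that a size exactly on a boundary (e.g. 64) goes to the upper segment are assumptions of this example.

```python
"""Added example, not code from the manual or the product: aggregate
NetFlow-style flow records into the Packet Size report segments.

Each record's average packet size is bytes / packets, as the manual
describes, and the record's bytes are added to the segment that size
falls into, per traffic direction.  The record layout, the sample
records and the boundary rule (a size exactly on a boundary, e.g. 64,
goes to the upper segment "64-96") are assumptions made for this example.
"""

# Upper bounds of the segments listed in the manual, in ascending order.
SEGMENT_BOUNDS = [32, 64, 96, 128, 160, 192, 224, 256, 320, 384, 448,
                  512, 768, 1024, 1536]

# Labels in the manual's order: "<32", "32-64", ..., "1024-1536", ">1536".
SEGMENT_LABELS = (["<32"]
                  + [f"{lo}-{hi}" for lo, hi in zip(SEGMENT_BOUNDS, SEGMENT_BOUNDS[1:])]
                  + [">1536"])


def packet_size_segment(num_bytes, num_packets):
    """Return the segment label for a flow record's average packet size."""
    if num_packets <= 0:
        raise ValueError("a flow record must carry at least one packet")
    avg_size = num_bytes / num_packets
    # SEGMENT_BOUNDS[i] is the upper bound of SEGMENT_LABELS[i]; the first
    # bound the average falls below selects the segment.
    for bound, label in zip(SEGMENT_BOUNDS, SEGMENT_LABELS):
        if avg_size < bound:
            return label
    return SEGMENT_LABELS[-1]  # 1536 bytes or more


def aggregate_by_packet_size(records):
    """Sum bytes per segment and direction, one Report Table row per segment.

    records: iterable of dicts with keys "direction" ("in" = Into Interface,
    "out" = Out of Interface), "bytes" and "packets".  Every segment is
    returned, in the manual's order, even when it received no traffic.
    """
    table = {label: {"in": 0, "out": 0, "sum": 0} for label in SEGMENT_LABELS}
    for rec in records:
        row = table[packet_size_segment(rec["bytes"], rec["packets"])]
        row[rec["direction"]] += rec["bytes"]
        row["sum"] += rec["bytes"]
    return table


# Constructed sample records (not captured data).
SAMPLE_RECORDS = [
    {"direction": "in",  "bytes": 640,  "packets": 10},  # avg 64   -> "64-96"
    {"direction": "out", "bytes": 630,  "packets": 10},  # avg 63   -> "32-64"
    {"direction": "out", "bytes": 40,   "packets": 2},   # avg 20   -> "<32"
    {"direction": "in",  "bytes": 1500, "packets": 1},   # avg 1500 -> "1024-1536"
    {"direction": "out", "bytes": 9000, "packets": 6},   # avg 1500 -> "1024-1536"
    {"direction": "in",  "bytes": 3000, "packets": 1},   # avg 3000 -> ">1536"
]

if __name__ == "__main__":
    # Print only the segments that received traffic, like a trimmed Report Table.
    for label, row in aggregate_by_packet_size(SAMPLE_RECORDS).items():
        if row["sum"]:
            print(f"{label:>10}  in={row['in']:>6}  out={row['out']:>6}  sum={row['sum']:>6}")
```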
Click on the Packet Size sub menu of Attribute Report under the Report / Interface menu to
enter the Packet Size Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Refer to the Report Descriptions part in the Top Talker section of Report / Interface for details.
Except that the data listed in the Report Table is different, the other descriptions are the same. For Packet Size reports, the Report Table displays all Packet Size segments.
Refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
7.6
Sub-Network
The Sub-Network menu provides various built-in reports for traffic analysis within a sub-network itself, between sub-networks, between a sub-network and other sub-networks, and between a sub-network and Neighbor ASes. The traffic data of the Sub-Network report is collected from the Sub-Network boundaries defined in the system. There are three types of analysis reports for Sub-Network traffic: Summary Report, Breakdown Report, and Attribute Report. The following sections introduce how to query the various Sub-Network traffic reports.
When users click on the unfolding mark of Report / Sub-Network, all its sub menus are unfolded, including Summary Report, Breakdown Report, and Attribute Report.
7.6.1
Summary Report
The summary report of the Sub-Network traffic presents the traffic analysis of sub-networks from two viewpoints: comparing the total traffic of each sub-network within a sub-network group, and analyzing the detailed traffic of one sub-network. With the Sub-Network summary report, users can quickly see not only the total traffic of each sub-network but also the detailed traffic analysis for each sub-network. When users click on the Summary Report sub menu of Report / Sub-Network, two sub menus are shown: Compare and Detail.
7.6.1.1
Compare
The Compare traffic analysis of the Sub-Network summary report provides users with information about the ingress/egress (Into Sub-Network/Out of Sub-Network) traffic of each sub-network, so that the differences against the total amount can be compared. The Into Sub-Network traffic includes the traffic from Home and the Internet to the sub-network; the Out of Sub-Network traffic includes the traffic from the sub-network to Home and the Internet. The Top N Report Table displays all sub-networks (N: maximum = 300).
Click on the Compare sub menu of Summary Report under the Report / Sub-Network menu to enter the Compare Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located at the top of the screen and contains the condition options below:
Sub-Network Group: All sub-networks (default) and the defined Sub-Network groups (all Sub-Network groups defined in the Group menu of System Admin / Network / Preferences are shown here).
Time Range: a flexible way to specify the time interval of the report. The system provides two ways to specify the time interval: Time Range and Period (see the description below). When this way is chosen, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the other way to specify the report time interval: five fixed intervals are provided, and the report ends at the time specified from the Until drop-down list. When this way is chosen, the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time. This drop-down list represents the start time of the report time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table is shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date is highlighted), and then click on the OK button, or click on the Cancel button to close the time table. After selecting the year, month, and date, specify the time from the time drop-down list. If users choose the Period way to specify the report time interval, this drop-down list is unavailable.
Until: year, month, date, and time. This drop-down list represents the end time of the report time interval. Refer to the Start Time description above for operation.
Unit: bps (bits per second) and pps (packets per second).
Output: users can view the report on the web or download it in CSV format by selecting Show on Web or Download Graph CSV from the drop-down list.
Chart: three types of report chart are provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is the stacked chart.
Submit: after setting the query conditions, click on this button to submit the query.
Report Chart
Stacked Chart. The X-coordinate represents time and is scaled according to the time interval selected by users. The Y-coordinate represents traffic flow. The data is divided into two parts by the X-axis: the upper part represents the traffic into the sub-network and the lower part represents the traffic out of the sub-network. In the chart, each stacked band represents one kind of traffic, and the bands are additive, that is, the outer edge of all stacked bands represents the total traffic of all bands. (The colored objects next to the check boxes indicate which sub-network's traffic each band is.)
Bar Chart. The Bar Chart is presented with horizontal bars; three different bar colors are used to represent the Egress, Ingress, and Sum traffic statistics separately.
Pie Chart. Three pie charts are presented to represent the Egress, Ingress, and Sum traffic statistics separately.
Report Table
This table displays the traffic analysis statistics for all sub-networks configured in the system, or only for some of them if a specific group is selected in the Sub-Network Group drop-down list (in the Query Bar). There are three tabs at the top right corner of the table: Average, Current, and Maximum.
Average: the average values during the selected time interval.
Current: the values of the last data sample during the selected time interval.
Maximum: the maximum values during the selected time interval.
Users can click on the tabs to view the detailed data for each. The blue tab is the one currently displayed. Selecting the check box in front of a row draws that traffic in the Report Chart, so users can compare the traffic of different sub-networks clearly by clearing the sub-networks they do not want and leaving only those they do. An All check box lets users select all check boxes at once. Click on the Submit button (in the Query Bar) to refresh the screen with the new selection. In addition, users can use the Download Excel-XML button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file separates the Average, Current, and Maximum tables into three different worksheets.
Refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
7.6.1.2
Detail
The Detail traffic analysis of Sub-Network summary report provides the information about the
average/current/maximum traffic aggregated according to different traffic types (Home to
Sub-Network, Sub-Network to Home, Internet to Sub-Network, and Sub-Network to Internet) for
a specific sub-network.
Click on the Detail sub menu of Summary Report under the Report / Sub-Network menu to
enter the Detail Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located at the top of the screen and contains the condition options below:
Sub-Network Group: All sub-networks (default) and the defined Sub-Network groups (all Sub-Network groups defined in the Group menu of System Admin / Network / Preferences are shown here).
Sub-Network: every sub-network configured in the selected Sub-Network group (the list changes according to the group selected in the Sub-Network Group drop-down list).
Time Range: a flexible way to specify the time interval of the report. The system provides two ways to specify the time interval: Time Range and Period (see the description below). When this way is chosen, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the other way to specify the report time interval: five fixed intervals are provided, and the report ends at the time specified from the Until drop-down list. When this way is chosen, the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time. This drop-down list represents the start time of the report time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table is shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date is highlighted), and then click on the OK button, or click on the Cancel button to close the time table. After selecting the year, month, and date, specify the time from the time drop-down list. If users choose the Period way to specify the report time interval, this drop-down list is unavailable.
Until: year, month, date, and time. This drop-down list represents the end time of the report time interval. Refer to the Start Time description above for operation.
Unit: bps (bits per second) and pps (packets per second).
Output: users can view the report on the web or download it in CSV format by selecting Show on Web or Download Graph CSV from the drop-down list.
Submit: after setting the query conditions, click on this button to submit the query.
Report Chart
This report is presented as a line chart. The X-coordinate represents time and is scaled according to the time interval selected by users. The Y-coordinate represents traffic flow. In the chart, each line represents one kind of traffic, and its data matches the data listed in the Report Table. (The colored objects next to the check boxes indicate which traffic each line is.)
Report Table
For the Detail traffic analysis of the Sub-Network summary report, this table displays four types of traffic analysis statistics for a specific sub-network.
Home to Sub-Network: counts all traffic whose source IP address belongs to the Home Network area and whose destination IP address belongs to any existing sub-network area.
Sub-Network to Home: counts all traffic whose destination IP address belongs to the Home Network area and whose source IP address belongs to any existing sub-network area.
Internet to Sub-Network: counts all traffic whose source IP address does not belong to the Home Network area and whose destination IP address belongs to any existing sub-network area.
Sub-Network to Internet: counts all traffic whose destination IP address does not belong to the Home Network area and whose source IP address belongs to any existing sub-network area.
Average, current, and maximum values will be displayed in the table. Clicking on the check box in
the front of the row means to draw the traffic in Report Chart. So that users can compare different
types of traffic clearly by unselecting the traffic and leave those they want. An All check box for
users to conveniently select all check boxes at once. Please click on Submit button (in Query
Bar) to refresh the screen for your selection. In addition, users can use Download Excel-XML
button to download tabular data of the table with XML file, which can be read by the Excel program.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
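The four classification rules above, applied to flow records as an added example. This is not code from the manual or from the product; the Home Network and sub-network prefixes, the flow records, and the interpretation that "the sub-network" is the one selected in the Query Bar are all constructed assumptions. It also shows an edge case the rules as written imply: traffic between two hosts of the same sub-network matches both Home to Sub-Network and Sub-Network to Home, because a sub-network lies inside the Home Network.

```python
# Added example (not from the manual): classify flow records into the four
# Sub-Network summary categories and total the bytes per category.
import ipaddress
from collections import defaultdict

# Constructed configuration (assumption: the Home Network contains the sub-networks).
HOME_NETWORK = [ipaddress.ip_network("10.0.0.0/8")]
SUB_NETWORKS = {
    "branch-a": [ipaddress.ip_network("10.1.0.0/16")],
    "branch-b": [ipaddress.ip_network("10.2.0.0/16")],
}

CATEGORIES = (
    "Home to Sub-Network",
    "Sub-Network to Home",
    "Internet to Sub-Network",
    "Sub-Network to Internet",
)


def in_prefixes(ip, prefixes):
    """True if the address falls inside any prefix in the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def categories(src_ip, dst_ip, subnet):
    """Return the set of summary categories a flow matches, applying the four
    rules literally. A flow may match more than one: traffic between two hosts
    of the same sub-network is both Home to Sub-Network and Sub-Network to Home."""
    src_home = in_prefixes(src_ip, HOME_NETWORK)
    dst_home = in_prefixes(dst_ip, HOME_NETWORK)
    src_sub = in_prefixes(src_ip, SUB_NETWORKS[subnet])
    dst_sub = in_prefixes(dst_ip, SUB_NETWORKS[subnet])
    matched = set()
    if src_home and dst_sub:
        matched.add("Home to Sub-Network")
    if dst_home and src_sub:
        matched.add("Sub-Network to Home")
    if not src_home and dst_sub:
        matched.add("Internet to Sub-Network")
    if not dst_home and src_sub:
        matched.add("Sub-Network to Internet")
    return matched


def summarize(flows, subnet):
    """Total bytes per category for one sub-network over a list of flow records."""
    totals = defaultdict(int)
    for flow in flows:
        for cat in categories(flow["src"], flow["dst"], subnet):
            totals[cat] += flow["bytes"]
    return {cat: totals[cat] for cat in CATEGORIES}


def to_bps(byte_count, seconds):
    """Convert a byte total over an interval to the report's bps unit."""
    return byte_count * 8 / seconds


# Constructed sample flows; 198.51.100.0/24 and 203.0.113.0/24 are
# documentation prefixes standing in for the Internet.
SAMPLE_FLOWS = [
    {"src": "10.0.5.1", "dst": "10.1.0.9", "bytes": 1000},      # home -> branch-a
    {"src": "10.1.0.9", "dst": "198.51.100.7", "bytes": 500},   # branch-a -> internet
    {"src": "203.0.113.4", "dst": "10.1.0.9", "bytes": 300},    # internet -> branch-a
    {"src": "10.1.0.9", "dst": "10.0.5.1", "bytes": 200},       # branch-a -> home
    {"src": "10.1.0.9", "dst": "10.1.0.10", "bytes": 50},       # inside branch-a, matches two rules
]

if __name__ == "__main__":
    for cat, total in summarize(SAMPLE_FLOWS, "branch-a").items():
        print(f"{cat:24s} {total:6d} bytes  {to_bps(total, 300):8.1f} bps over 5 min")
```

Because the rules overlap for intra-sub-network traffic, the four categories do not necessarily add up to the sub-network's total traffic; a practitioner comparing the table against interface counters should expect that.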
7.6.2 Breakdown Report
Unlike the macroscopic summary report, the breakdown report provides further analysis of one specific kind of traffic. The breakdown report of Sub-Network traffic provides the traffic analysis between a sub-network and other sub-networks, between a sub-network and Neighbor entities, between a sub-network and origin ASes, and for the top N IP addresses within sub-networks. There are four kinds of breakdown reports: Sub-Network, Neighbor ASN, Origin ASN, and Top Talker. Since the number of sub-networks, Neighbor entities, and IP addresses may be very large, the aggregated data is saved every 30 minutes.
When users click on the unfolding mark of Breakdown Report under the Report / Sub-Network menu, all its sub menus are unfolded, including Sub-Network, Neighbor ASN, Origin ASN, and Top Talker.
7.6.2.1 Sub-Network
The Sub-Network traffic analysis of the Sub-Network breakdown report provides the traffic information between a specific sub-network and every other sub-network within a specific sub-network group. Each row of the Report Table displays the ingress (Into Sub-Network), egress (Out of Sub-Network), and sum traffic for one sub-network; at most 300 sub-networks are listed in the Report Table. Click on the Sub-Network sub menu of Breakdown Report under the Report / Sub-Network menu to enter the Sub-Network Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located at the top of the screen and contains the condition options below:
Sub-Network Group: All sub-networks (default) and the defined Sub-Network groups (all Sub-Network groups defined in the Group menu of System Admin / Network / Preferences are shown here).
Sub-Network: every sub-network configured in the selected Sub-Network group (the list changes according to the group selected in the Sub-Network Group drop-down list).
Time Range: a flexible way to specify the time interval of the displayed report. The system provides two ways to specify the time interval: Time Range and Period (see the description below for details). Once users choose this way, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the alternative to Time Range for specifying the report time interval: five fixed time intervals are provided, and the analysis report is presented with an end time specified from the Until drop-down list. Once users choose this way, the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time. This drop-down list represents the start time of the report time interval. Users can specify the start date of the analysis report either from the year/month/date drop-down lists or from a year-month-date time table. After clicking on Start Time, the time table is shown: select the year and month from its drop-down lists, click on the date with your cursor (the selected date is highlighted), and then click on the OK button, or click on the Cancel button to close the time table. After selecting the year, month, and date, specify the time from the time drop-down list. If users choose the Period way to specify the report time interval, this drop-down list is unavailable.
Until: year, month, date, and time. This drop-down list represents the end time of the report time interval. Please refer to the Start Time description above for operation.
Unit: bps (bits per second) and pps (packets per second).
Output: users can view the report on the web or download it in CSV format by selecting Show on Web or Download Graph CSV from the drop-down list.
Chart: three types of output report charts are provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is Stacked Chart.
Submit: after finishing the query conditions, click on this button to submit the query.
Report Chart
Stacked Chart. The X-coordinate represents time and is scaled according to the time interval selected by users; the Y-coordinate represents traffic volume. The data is divided into two parts by the X-axis: the upper part represents the traffic into the selected sub-network and the lower part represents the traffic out of it. In the chart, each stacked band represents one kind of traffic and the bands are additive, that is to say, the outer edge of all stacked bands represents the total traffic of all bands. (The colored objects next to the check boxes indicate which sub-network each band is.)
Bar Chart. The bar chart is presented with horizontal bars, and three different colors of bars separately represent the Egress, Ingress, and Sum traffic statistics.
Pie Chart. Three pie charts are presented, separately representing the Egress, Ingress, and Sum traffic statistics.
Report Table
There are three tabs at the top right corner of the table: Average, Current, and Maximum.
Average: the average values during the selected time interval.
Current: the values of the last data sample in the selected time interval.
Maximum: the maximum values during the selected time interval.
Users can click on the tabs to view the detailed data for each; the blue tab marks the page currently shown. Selecting the check box in front of a row draws that traffic in the Report Chart, so users can compare the traffic of different sub-networks clearly by clearing the sub-networks they do not want and leaving the ones they do. An All check box lets users conveniently select all check boxes at once. Click on the Submit button (in the Query Bar) to refresh the screen for your selection. In addition, users can use the Download Excel-XML button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file separates the Average, Current, and Maximum tables into three different worksheets.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
7.6.2.2 Sub-Network Matrix
The Sub-Network Matrix analysis report provides the cross report of traffic between the sub-networks. Click on the Sub-Network Matrix sub menu of Breakdown Report under the Report / Sub-Network menu to enter the Sub-Network Matrix Report window.
Report Descriptions
There are two parts in the Traffic Report window: Query Bar, and Report Table.
Query Bar
This part is located at the top of the screen and contains the condition options below:
Sub-Network Group: All sub-networks (default) and the defined Sub-Network groups (all Sub-Network groups defined in the Group menu of System Admin / Network / Preferences are shown here).
Period: daily, weekly, and monthly. Three fixed time intervals are provided, and the analysis report is presented with an end time specified from the Until drop-down list.
Until: year, month, and date. It represents the end time of the report time interval.
Unit: bps (bits per second) and pps (packets per second).
Submit: after finishing the query conditions, click on this button to submit the query. In addition, users can use the Download Excel-XML button to download the tabular data of the table as an XML file, which can be read by the Excel program.
Report Table
The first column shows the sequence number that marks each sub-network and the second column shows the sub-network name. The top row shows the same sequence numbers as the first column to mark the sub-networks. The sub-network listed in the second column is the source sub-network and the sub-network identified in the top row is the destination sub-network, so users can easily see the traffic from one sub-network to every other sub-network.
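How such a matrix is built from flow records, as an added example that is not code from the manual or the product. The sub-network group, its prefixes, and the flow records are constructed; the assumption is that a flow whose source and destination both resolve to sub-networks of the group is counted once, in the cell of its source row and destination column, and flows with an end outside the group are left out because they belong to the Internet and Neighbor reports.

```python
# Added example (not from the manual): build the Sub-Network Matrix, i.e. the
# bytes sent from every sub-network (rows) to every sub-network (columns) of a group.
import ipaddress

# Constructed sub-network group, in the order the report numbers them.
SUB_NETWORK_GROUP = {
    "branch-a": [ipaddress.ip_network("10.1.0.0/16")],
    "branch-b": [ipaddress.ip_network("10.2.0.0/16")],
    "datacenter": [ipaddress.ip_network("10.10.0.0/16"),
                   ipaddress.ip_network("10.11.0.0/16")],
}


def lookup_subnet(ip, group=SUB_NETWORK_GROUP):
    """Name of the sub-network containing ip, or None if it is outside the group."""
    addr = ipaddress.ip_address(ip)
    for name, prefixes in group.items():
        if any(addr in net for net in prefixes):
            return name
    return None


def build_matrix(flows, group=SUB_NETWORK_GROUP):
    """matrix[source][destination] = bytes. Flows with either end outside the
    group are not part of the matrix."""
    names = list(group)
    matrix = {src: {dst: 0 for dst in names} for src in names}
    for flow in flows:
        src = lookup_subnet(flow["src"], group)
        dst = lookup_subnet(flow["dst"], group)
        if src is not None and dst is not None:
            matrix[src][dst] += flow["bytes"]
    return matrix


def render(matrix):
    """Rows in the report's layout: sequence number, sub-network name, then one
    column per destination sequence number."""
    names = list(matrix)
    header = ["#", "Sub-Network"] + [str(i + 1) for i in range(len(names))]
    rows = [header]
    for i, src in enumerate(names):
        rows.append([str(i + 1), src] + [str(matrix[src][dst]) for dst in names])
    return rows


# Constructed sample flows (src, dst, bytes).
SAMPLE_FLOWS = [
    {"src": "10.1.0.9", "dst": "10.2.0.3", "bytes": 400},
    {"src": "10.2.0.3", "dst": "10.1.0.9", "bytes": 100},
    {"src": "10.1.0.9", "dst": "10.11.0.5", "bytes": 250},
    {"src": "10.1.0.9", "dst": "198.51.100.7", "bytes": 900},  # leaves the group, ignored
]

if __name__ == "__main__":
    for row in render(build_matrix(SAMPLE_FLOWS)):
        print("\t".join(row))
```

Reading the rendered rows the way the manual describes (row = source, column number = destination) makes asymmetries visible at a glance: here branch-a sends 400 bytes to branch-b but receives only 100 back.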
7.6.2.3 Neighbor ASN
The Neighbor ASN traffic analysis of the Sub-Network breakdown report provides the information about the traffic through each Neighbor AS (defined in the system) to/from a specific sub-network; at most 128 Neighbor ASes are listed in the Report Table. Each row of the Report Table displays the ingress, egress, and sum traffic for one Neighbor AS. Click on the Neighbor ASN sub menu of Breakdown Report under the Report / Sub-Network menu to enter the Neighbor ASN Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report
of Report / Sub-Network for details.
Except that the data listed in the Report Table is different, all other descriptions are the same. For Neighbor ASN breakdown reports, the Report Table displays the traffic between a specific sub-network and the Neighbor entities. In addition, users can inspect the detailed information by clicking on the Snapshot button; a Snapshot window with the analysis criteria pops up. The snapshot scope of this page is locked to the queried criteria, and the checked entries in the list table are taken as the source parameters, so users can keep only the wanted entries before performing the Snapshot. Since most operations are the same as in the Snapshot main menu, please refer to the Snapshot menu (on the Main Menu tree) for more detailed function information.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.6.2.4 Neighbor Matrix
The Neighbor Matrix analysis report provides the cross report of traffic from the sub-networks in the specified sub-network group to all specified Neighbors in the Neighbor group. Click on the Neighbor Matrix sub menu of Breakdown Report under the Report / Sub-Network menu to enter the Neighbor Matrix Report window.
Report Descriptions
There are two parts in the Traffic Report window: Query Bar, and Report Table.
Query Bar
This part is located at the top of the screen and contains the condition options below:
Sub-Network Group: All sub-networks (default) and the defined Sub-Network groups (all Sub-Network groups defined in the Group menu of System Admin / Network / Preferences are shown here).
Neighbor Group: All Neighbors (default) and the defined Neighbor groups (all Neighbor groups defined in the Group menu of System Admin / Network / Preferences are shown here).
Period: daily, weekly, and monthly. Three fixed time intervals are provided, and the analysis report is presented with an end time specified from the Until drop-down list.
Until: year, month, and date. It represents the end time of the report time interval.
Unit: bps (bits per second) and pps (packets per second).
Submit: after finishing the query conditions, click on this button to submit the query. In addition, users can use the Download Excel-XML button to download the tabular data of the table as an XML file, which can be read by the Excel program.
Report Table
The first column shows the sequence number that marks each sub-network and the second column shows the sub-network name. The top row shows the Neighbor names. The traffic direction is from a sub-network to all the specified neighbors, so users can easily see the traffic from every sub-network in the specified sub-network group to every neighbor in the specified neighbor group.
7.6.2.5 Origin ASN
The Origin ASN traffic analysis of the Sub-Network breakdown report provides the top N listing of Origin AS traffic into/out of a specific sub-network. Because the number of Origin ASes may be large, only the top 128 ASNs are saved to the DB, and the top N (N: default = 25) ASNs are displayed, one per row. Each row of the Report Table displays the ingress, egress, and sum traffic for one Origin ASN. Click on the Origin ASN sub menu of Breakdown Report under the Report / Sub-Network menu to enter the Origin ASN Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report
of Report / Sub-Network for details.
Except that the data listed in the Report Table is different, all other descriptions are the same. For Origin ASN reports, the Report Table displays the top N Origin ASNs. In addition, users can inspect the detailed information by clicking on the Snapshot button; a Snapshot window with the analysis criteria pops up. The snapshot scope of this page is locked to the queried criteria, and the checked entries in the list table are taken as the source parameters, so users can keep only the wanted entries before performing the Snapshot. Since most operations are the same as in the Snapshot main menu, please refer to the Snapshot menu (on the Main Menu tree) for more detailed function information.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.6.2.6 Top Talker
The Top Talker traffic analysis of the Sub-Network breakdown report provides the Inside/Outside top N listing of traffic per IP address within/outside sub-networks. Because the number of IP addresses may be large, only the top 128 IP addresses are saved to the DB, and the top N (N: default = 25) IP addresses are displayed, one per row. Each row of the Report Table displays the ingress, egress, and sum traffic for one IP address. Click on the Top Talker sub menu of Breakdown Report under the Report / Sub-Network menu to enter the Top Talker Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report
of Report / Sub-Network for details.
Except that the data listed in the Report Table is different, all other descriptions are the same. Furthermore, the Usage tab is supported here. For Top Talker reports, the Report Table displays the inside top N IP addresses within the sub-network entities; IP addresses outside the sub-network can also be browsed when users set Talker to Outside to view the report. In addition, users can inspect the detailed information by clicking on the Snapshot button; a Snapshot window with the analysis criteria pops up. The snapshot scope of this page is locked to the queried criteria, and the checked entries in the list table are taken as the source parameters, so users can keep only the wanted entries before performing the Snapshot. Since most operations are the same as in the Snapshot main menu, please refer to the Snapshot menu (on the Main Menu tree) for more detailed function information.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.6.3 Attribute Report
The attribute report provides analysis information about some common attributes. With the common attribute reports, users can really understand how their network resources are actually being used. The attribute report of Sub-Network traffic has five kinds: Application, Protocol, Protocol+Port, TOS, and Packet Size.
When users click on the unfolding mark of Attribute Report under the Report / Sub-Network menu, all its sub menus are unfolded, including Application, Protocol, Protocol+Port, TOS, and Packet Size.
7.6.3.1 Application
The Application traffic analysis of the Sub-Network attribute report provides the information about the ingress/egress (Into Sub-Network/Out of Sub-Network) traffic for a specific sub-network, aggregated according to the user-defined application groups on the source and destination ports, separately for each traffic direction. Up to the top 128 applications are saved to the DB; the top N (N: default = 25) applications are displayed, one per row.
In this report, users can obtain not only the traffic Into Sub-Network and Out of Sub-Network per application but also the traffic between the Request side and the Response side. For example, when a client issues a request to a server, that traffic is Request traffic; when a server replies to a client, that traffic is Response traffic. (A server is the Response side and a client is the Request side.) A Service drop-down list lets users select the traffic direction, with three selectable items: Both, Inside, and Outside. Both represents the sum of Request and Response for Ingress or Egress traffic. Inside means the server is inside the entity (Home Network, Sub-Network) and represents the Request data of Ingress traffic or the Response data of Egress traffic. Outside means the server is outside the entity and represents the Response data of Ingress traffic or the Request data of Egress traffic.
Click on the Application sub menu of Attribute Report under the Report / Sub-Network menu to enter the Application Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report
of Report / Sub-Network for details.
Except that the data listed in the Report Table is different, all other descriptions are the same. For Application reports, the Report Table displays the top N applications. In addition, users can inspect the detailed information by clicking on the Snapshot button; a Snapshot window with the analysis criteria pops up. The snapshot scope of this page is locked to the queried criteria, and the checked entries in the list table are taken as the source parameters, so users can keep only the wanted entries before performing the Snapshot. Since most operations are the same as in the Snapshot main menu, please refer to the Snapshot menu (on the Main Menu tree) for more detailed function information.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.6.3.2 Protocol
The Protocol traffic analysis of the Sub-Network attribute report provides the information about the ingress/egress (Into Sub-Network/Out of Sub-Network) traffic for a specific sub-network, aggregated according to the IP protocol (e.g. TCP/6, UDP/17, ICMP/1, ...). In total, the top 128 protocols are stored in the database and the top N (N: default = 25) are displayed in the report. Each row of the Report Table displays the Into Sub-Network/Out of Sub-Network traffic for one protocol, and the value in the Sum column is the total of the Into Sub-Network and Out of Sub-Network traffic.
2009 Genie Network Resource Management Inc. All Rights Reserved.
Click on the Protocol sub menu of Attribute Report under the Report / Sub-Network menu to
enter the Protocol Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report
of Report / Sub-Network for details.
Except that the data listed in the Report Table is different, all other descriptions are the same. For Protocol reports, the Report Table displays the top N protocols. In addition, the snapshot function is also provided for users to inspect the detailed information; for details, please refer to the Application section of Report / Sub-Network / Attribute Report.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.6.3.3 Protocol+Port
The Protocol+Port traffic analysis of the Sub-Network attribute report provides the information about the ingress/egress (Into Sub-Network/Out of Sub-Network) traffic for a specific sub-network, aggregated according to protocol plus port number (service) for TCP and UDP (for ICMP, the traffic is aggregated according to the ICMP type and code). Each row of the Report Table displays the Into Sub-Network/Out of Sub-Network traffic for one protocol+port (service), and the value in the Sum column is the total of the Into Sub-Network and Out of Sub-Network traffic. The top 128 are stored in the database and the top N (N: default = 50) are displayed in the report.
In this report, users can obtain not only the traffic Into Sub-Network and Out of Sub-Network per service (protocol+port), but also the traffic between the Request side and the Response side. For example, when a client issues a request to a server, that traffic is Request traffic; when a server replies to a client, that traffic is Response traffic. (A server is the Response side and a client is the Request side.) A Service drop-down list lets users select the traffic direction, with two selectable items: Inside and Outside. Inside means the server is inside the entity (Home Network, Sub-Network) and represents the Request data of Ingress traffic or the Response data of Egress traffic. Outside means the server is outside the entity and represents the Response data of Ingress traffic or the Request data of Egress traffic.
Click on the Protocol+Port sub menu of Attribute Report under the Report/Sub-Network
menu to enter the Protocol+Port Report window.
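The Service (Both/Inside/Outside) rules, which are stated identically in the Application section above and in this Protocol+Port section, carried through on flow records as one added example serving both sections. This is not code from the manual or the product. The manual does not say how a record is decided to be Request or Response, so the example assumes a record is a Request when its destination port is a known service port and a Response when its source port is; it also assumes each record already carries its direction ("ingress" into the sub-network or "egress" out of it). The application groups and flows are constructed; the same aggregation is keyed either by application group (Application report) or by protocol+port (this report).

```python
# Added example (not from the manual): apply the Service rules so that each
# record's bytes land in the right Ingress/Egress/Sum cell, keyed by application
# group or by protocol+port, and keep only the top N rows.
from collections import defaultdict

# Constructed user-defined application groups: name -> set of (protocol, port).
APP_GROUPS = {
    "web": {("tcp", 80), ("tcp", 443)},
    "dns": {("udp", 53)},
}
SERVICE_PORTS = {pp: app for app, ports in APP_GROUPS.items() for pp in ports}


def request_or_response(flow):
    """Assumption: destination port is a service port -> Request; source port is -> Response.
    Returns (role, (proto, server_port)) or (None, None) for an unknown service."""
    proto = flow["proto"]
    if (proto, flow["dport"]) in SERVICE_PORTS:
        return "request", (proto, flow["dport"])
    if (proto, flow["sport"]) in SERVICE_PORTS:
        return "response", (proto, flow["sport"])
    return None, None


def service_side(direction, role):
    """Inside = the server is inside the entity: Request of Ingress or Response of
    Egress. Outside = Response of Ingress or Request of Egress."""
    if (direction, role) in {("ingress", "request"), ("egress", "response")}:
        return "Inside"
    return "Outside"


def by_application(service):
    return SERVICE_PORTS[service]


def by_protocol_port(service):
    return f"{service[0]}/{service[1]}"


def report(flows, key_fn, service="Both"):
    """Per-key Ingress/Egress/Sum bytes for the chosen Service filter."""
    table = defaultdict(lambda: {"ingress": 0, "egress": 0, "sum": 0})
    for flow in flows:
        role, svc = request_or_response(flow)
        if role is None:
            continue
        if service != "Both" and service_side(flow["direction"], role) != service:
            continue
        row = table[key_fn(svc)]
        row[flow["direction"]] += flow["bytes"]
        row["sum"] += flow["bytes"]
    return dict(table)


def top_n(table, n=25):
    """Keep the N busiest rows by Sum, the way the Report Table limits its listing."""
    return dict(sorted(table.items(), key=lambda kv: kv[1]["sum"], reverse=True)[:n])


# Constructed flows for a sub-network 10.1.0.0/16 with a web server at 10.1.0.10
# and inside clients talking to an outside web server and an outside DNS server.
SAMPLE_FLOWS = [
    {"src": "198.51.100.5", "sport": 51000, "dst": "10.1.0.10", "dport": 443, "proto": "tcp", "direction": "ingress", "bytes": 1200},
    {"src": "10.1.0.10", "sport": 443, "dst": "198.51.100.5", "dport": 51000, "proto": "tcp", "direction": "egress", "bytes": 8000},
    {"src": "10.1.0.20", "sport": 52000, "dst": "203.0.113.50", "dport": 443, "proto": "tcp", "direction": "egress", "bytes": 600},
    {"src": "203.0.113.50", "sport": 443, "dst": "10.1.0.20", "dport": 52000, "proto": "tcp", "direction": "ingress", "bytes": 5000},
    {"src": "10.1.0.20", "sport": 40000, "dst": "203.0.113.53", "dport": 53, "proto": "udp", "direction": "egress", "bytes": 100},
]

if __name__ == "__main__":
    for service in ("Both", "Inside", "Outside"):
        print(service, top_n(report(SAMPLE_FLOWS, by_application, service)))
```

With the Inside filter only the traffic of the sub-network's own web server remains (requests coming in, responses going out), which is the view to use when checking what outside parties are pulling from hosted services; the Outside filter isolates what inside clients fetch from elsewhere.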
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report
of Report / Sub-Network for details.
Except that the data listed in the Report Table is different, all other descriptions are the same. For Protocol+Port reports, the Report Table displays the top N Protocol+Port entries (services). In addition, the snapshot function is also provided for users to inspect the detailed information; for details, please refer to the Application section of Report / Sub-Network / Attribute Report.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.6.3.4 TOS
The TOS traffic analysis of the Sub-Network attribute report provides the information about the ingress/egress (Into Sub-Network/Out of Sub-Network) traffic for a specific sub-network, aggregated according to the 256 TOS values. Each row of the Report Table displays the Into Sub-Network/Out of Sub-Network traffic for one TOS value, and the value in the Sum column is the total of the Into Sub-Network and Out of Sub-Network traffic. In total, the top 128 TOS values are stored in the database and the top N (N: default = 25) are displayed in the report.
Click on the TOS sub menu of Attribute Report under the Report / Sub-Network menu to enter
the TOS Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report
of Report / Sub-Network for details.
Except that the data listed in the Report Table is different, all other descriptions are the same. For TOS reports, the Report Table displays the top N TOS values. In addition, the snapshot function is also provided for users to inspect the detailed information; for details, please refer to the Application section of Report / Sub-Network / Attribute Report.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.6.3.5 Packet Size
The Packet Size traffic analysis of the Sub-Network attribute report provides the information about the ingress/egress (Into Sub-Network/Out of Sub-Network) traffic for a specific sub-network, aggregated according to the packet size. The packet size is calculated by dividing the byte count by the packet count. The packet size segments are: <32, 32-64, 64-96, 96-128, 128-160, 160-192, 192-224, 224-256, 256-320, 320-384, 384-448, 448-512, 512-768, 768-1024, 1024-1536, and >1536.
Click on the Packet Size sub menu of Attribute Report under the Report / Sub-Network menu
to enter the Packet Size Report window.
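The segment assignment above, as an added example that is not code from the manual or the product. The manual lists the segments but does not say which segment owns a boundary value, so the example assumes each segment includes its lower edge and excludes its upper edge (64 falls into 64-96, 1536 into >1536); it also skips a record that reports zero packets, which would otherwise divide by zero. The flow records are constructed.

```python
# Added example (not from the manual): place each flow record into the Packet
# Size segments by its average packet size (bytes / packets).
import bisect

EDGES = [32, 64, 96, 128, 160, 192, 224, 256, 320, 384, 448, 512, 768, 1024, 1536]
LABELS = ["<32"] + [f"{lo}-{hi}" for lo, hi in zip(EDGES, EDGES[1:])] + [">1536"]


def average_packet_size(byte_count, packet_count):
    """Bytes per packet, or None for a record with no packets (avoids a division by zero)."""
    if packet_count <= 0:
        return None
    return byte_count / packet_count


def segment(avg_size):
    """Label of the segment containing avg_size (lower edge inclusive, assumption)."""
    return LABELS[bisect.bisect_right(EDGES, avg_size)]


def packet_size_report(flows):
    """Bytes per segment and direction, with every segment present because the
    Report Table displays all segments."""
    table = {label: {"ingress": 0, "egress": 0, "sum": 0} for label in LABELS}
    for flow in flows:
        avg = average_packet_size(flow["bytes"], flow["packets"])
        if avg is None:
            continue
        row = table[segment(avg)]
        row[flow["direction"]] += flow["bytes"]
        row["sum"] += flow["bytes"]
    return table


# Constructed sample flow records.
SAMPLE_FLOWS = [
    {"bytes": 60000, "packets": 40, "direction": "ingress"},  # 1500 B/pkt, bulk transfer
    {"bytes": 640, "packets": 10, "direction": "egress"},     # 64 B/pkt, small control packets
    {"bytes": 40, "packets": 1, "direction": "ingress"},      # 40 B, a lone TCP segment
    {"bytes": 3000, "packets": 2, "direction": "egress"},     # 1500 B/pkt
    {"bytes": 0, "packets": 0, "direction": "ingress"},       # empty record, skipped
]

if __name__ == "__main__":
    for label, row in packet_size_report(SAMPLE_FLOWS).items():
        if row["sum"]:
            print(f"{label:>10s}  in={row['ingress']:6d}  out={row['egress']:6d}  sum={row['sum']:6d}")
```

Note that the segment is chosen by the flow's average, so a flow mixing a few large data packets with many small acknowledgements lands in one middle segment rather than being split across two; the report describes flows, not individual packets.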
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report
of Report / Sub-Network for details.
Except that the data listed in the Report Table is different, all other descriptions are the same. For Packet Size reports, the Report Table displays all segments of Packet Size. In addition, the snapshot function is also provided for users to inspect the detailed information; for details, please refer to the Application section of Report / Sub-Network / Attribute Report.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.7 Server
The Server menu provides various built-in reports for traffic analysis within a server itself, between servers, between a server and other sub-networks, between a server and Neighbor ASes, and between a server and countries. The traffic data of the Server report is collected from the Server boundaries defined in the system. There are three types of analysis reports for Server traffic: Summary Report, Breakdown Report, Attribute Report and TopN Report. In the following sections, we introduce how to query the various Server traffic reports.
When users click on the unfolding mark of Report / Server, all its sub menus are unfolded, including Summary Report, Breakdown Report, and Attribute Report.
7.7.1 Summary Report
The summary report of Server traffic presents the traffic analysis of servers from two viewpoints: comparing the total traffic of each server-farm group, and analyzing the detailed traffic of the server hosts in a server-farm. With the Server summary report, users can briefly see not only the total traffic of each server but also the detailed traffic analysis per server. When users click on the Summary Report sub menu of Report / Server, two sub menus are shown: Compare and Detail.
7.7.1.1 Compare
The Compare traffic analysis of the Server summary report provides users with the information about the ingress/egress (Into Server/Out of Server) traffic for all server-farms, so that their differences and the total amount can be compared. The Top N Report Table displays all server-farms.
Click on the Compare sub menu of Summary Report under the Report / Server menu to enter the Compare Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located at the top of the screen and contains the condition options below:
Server-farm Group: All server-farms (default) and the defined server-farm groups (all server-farm groups defined in the Group menu of System Admin / Preferences are shown here).
Time Range: a flexible way to specify the time interval of the displayed report. The system provides two ways to specify the time interval: Time Range and Period (see the description below for details). Once users choose this way, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the alternative to Time Range for specifying the report time interval: five fixed time intervals are provided, and the analysis report is presented with an end time specified from the Until drop-down list. Once users choose this way, the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time. This drop-down list represents the start time of the report time interval. Users can specify the start date of the analysis report either from the year/month/date drop-down lists or from a year-month-date time table. After clicking on Start Time, the time table is shown: select the year and month from its drop-down lists, click on the date with your cursor (the selected date is highlighted), and then click on the OK button, or click on the Cancel button to close the time table. After selecting the year, month, and date, specify the time from the time drop-down list. If users choose the Period way to specify the report time interval, this drop-down list is unavailable.
Until: year, month, date, and time. This drop-down list represents the end time of the report time interval. Please refer to the Start Time description above for operation.
Unit: bps (bits per second), pps (packets per second) and conn (connections per 5 minutes).
Note
1. A connection is a connected client-server IP pair where the client builds the connection with the server.
2. Only legal TCP protocol is supported for connection counting. Therefore, when the flags of the received TCP flow equal SYN only or SYN+ACK only, the IP pair will not be treated as a legal connection.
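The connection-counting rule from the note, carried out on flow records as an added example that is not code from the manual or the product. Assumptions beyond what the note states: the record's tcp_flags field is the OR of all flags seen in the flow, a set SYN bit marks the client-to-server direction so the record's source is the client, and connections are counted as distinct client-server pairs per 5-minute window of the flow start time. The flow records are constructed.

```python
# Added example (not from the manual): count connections for the "conn" unit.
# One connection per client-server IP pair, TCP only; a flow whose cumulative
# TCP flags are exactly SYN or exactly SYN+ACK is not a legal connection.
from collections import defaultdict

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
WINDOW_SECONDS = 300


def is_legal_connection(flow):
    """True when the record represents an established client-to-server TCP connection."""
    if flow["proto"] != "tcp":
        return False
    flags = flow["tcp_flags"]
    if flags in (SYN, SYN | ACK):        # handshake never completed
        return False
    return bool(flags & SYN)             # SYN present: assumption, src is the client


def count_connections(flows):
    """Distinct (client, server) pairs per 5-minute window -> {window_index: count}."""
    pairs = defaultdict(set)
    for flow in flows:
        if is_legal_connection(flow):
            window = flow["start"] // WINDOW_SECONDS
            pairs[window].add((flow["src"], flow["dst"]))
    return {window: len(p) for window, p in sorted(pairs.items())}


# Constructed sample flow records (start = seconds since an arbitrary epoch).
SAMPLE_FLOWS = [
    {"src": "198.51.100.5", "dst": "10.1.0.10", "proto": "tcp", "tcp_flags": SYN | ACK | PSH | FIN, "start": 100},
    {"src": "10.1.0.10", "dst": "198.51.100.5", "proto": "tcp", "tcp_flags": SYN | ACK, "start": 100},   # server side, SYN+ACK only
    {"src": "203.0.113.9", "dst": "10.1.0.10", "proto": "tcp", "tcp_flags": SYN, "start": 120},          # unanswered SYN
    {"src": "198.51.100.5", "dst": "10.1.0.10", "proto": "tcp", "tcp_flags": SYN | ACK | PSH | FIN, "start": 200},  # same pair again
    {"src": "198.51.100.6", "dst": "10.1.0.10", "proto": "tcp", "tcp_flags": SYN | ACK | PSH, "start": 250},
    {"src": "198.51.100.7", "dst": "10.1.0.10", "proto": "udp", "tcp_flags": 0, "start": 260},           # not TCP
    {"src": "198.51.100.5", "dst": "10.1.0.10", "proto": "tcp", "tcp_flags": SYN | ACK | PSH | FIN, "start": 400},  # next window
]

if __name__ == "__main__":
    for window, n in count_connections(SAMPLE_FLOWS).items():
        print(f"window {window} ({window * WINDOW_SECONDS}s): {n} conn")
```

Because a SYN-only or SYN+ACK-only flow is discarded, a burst of half-open attempts does not inflate the conn value; the rule therefore measures completed sessions rather than attempts, which is worth keeping in mind when the count looks low during a period of failed connection attempts. In a real exporter feed the reverse-direction record of a completed connection also carries SYN and ACK with data flags, so the caller would still need to decide which end is the client (for instance by port) before feeding records to count_connections.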
Output: users can view the report on the web or download it in CSV format by selecting Show on Web or Download Graph CSV from the drop-down list.
Chart: three types of output report charts are provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is Stacked Chart.
Submit: after finishing the query conditions, click on this button to submit the query.
Report Chart
Stacked Chart. The X-coordinate represents time and is scaled according to the time interval selected by users; the Y-coordinate represents traffic volume. The data is divided into two parts by the X-axis: the upper part represents the traffic into the server-farm and the lower part represents the traffic out of the server-farm. In the chart, each stacked band represents one kind of traffic and the bands are additive, that is to say, the outer edge of all stacked bands represents the total traffic of all bands. (The colored objects next to the check boxes indicate which server-farm's traffic each band is.)
Bar Chart. The bar chart is presented with horizontal bars, and three different colors of bars separately represent the Egress, Ingress, and Sum traffic statistics.
Pie Chart. Three pie charts are presented, separately representing the Egress, Ingress, and Sum traffic statistics.
Report Table
This table displays the traffic analysis statistics for all server-farms configured in the system, or only for those you selected from the drop-down list (in the Query Bar).
There are three tabs at the top right corner of the table: Average, Current, and Maximum.
Average: the average values during the selected time interval.
Current: the values of the last data sample in the selected time interval.
Maximum: the maximum values during the selected time interval.
Users can click on the tabs to view the detailed data for each; the blue tab marks the page currently shown. Selecting the check box in front of a row draws that traffic in the Report Chart, so users can compare the traffic of different server-farms clearly by clearing the server-farms they do not want and leaving the ones they do. An All check box lets users conveniently select all check boxes at once. Click on the Submit button (in the Query Bar) to refresh the screen for your selection. In addition, users can use the Download Excel-XML button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file separates the Average, Current, and Maximum tables into three different worksheets.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
7.7.1.2 Detail
The Detail traffic analysis of the Server summary report provides information about the
average/current/maximum traffic of a specific Server-farm, aggregated per server IP (Into
Server-farm and Out of Server-farm).
Click on the Detail sub menu of Summary Report under the Report / Server menu to enter the
Detail Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located on the top of the screen and contains condition options below:
Server-farm Group: All server-farms (default) and the defined server-farm groups (all
server-farm groups defined in the Group menu of System Admin / Preferences are shown
here).
Server-farm: every server-farm configured in the selected server-farm group (the list changes
according to the group selected in the Server-farm Group drop-down list).
Time Range: a flexible way to specify the time interval of the report. The system provides two
ways to specify the time interval: Time Range and Period (see the description below). When
users choose Time Range, they specify the start time and end time of the analysis report from
the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the other way to specify the report
time interval: five fixed intervals are provided, ending at the time specified in the Until
drop-down list. When users choose Period, the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time. This drop-down list represents the start time of the
report interval. Users can specify the start date of the analysis report from either the
year/month/date drop-down lists or the year-month-date time table. After clicking on Start Time,
the year-month-date time table is shown. Select the year and month from the drop-down lists in
the time table, click the date (the selected date is highlighted), and then click the OK button; or
click the Cancel button to close the time table. After selecting the year, month, and date, specify
the time from the time drop-down list. If users choose Period to specify the report interval, this
drop-down list is unavailable.
Until: year, month, date, and time. This drop-down list represents the end time of the report
interval. Please refer to the Start Time description above for operation.
Unit: bps (bits per second), pps (packets per second), and conn (connections in 5 minutes).
Note
1. A connection is a connected client-server IP pair where the client builds the connection
with the server.
2. Only legal TCP connections are counted. Therefore, when the flags of a received TCP flow
equal SYN only or SYN+ACK only, the IP pair is not treated as a legal connection.
Output: users can view the report on the web or download it in the CSV format by selecting
Show on Web or Download Graph CSV from the drop-down list.
Submit: after setting the query conditions, click this button to submit the query.
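The conn unit counts distinct client-server IP pairs per 5-minute bucket and, as the Note above states, ignores TCP flows whose flags are SYN only or SYN+ACK only. The following is an added illustration of that rule, not code from the Genie NRM product; the flow records, their field names, and the convention that the flow's source IP is the client are assumptions made for the example. It also reports how many flows were excluded, which is a useful side signal for a defender watching for half-open connection floods.

```python
"""Connection counting for the 'conn' unit (added example, not product code).

Assumptions (not from the manual): flow records carry a cumulative TCP flags
byte as in NetFlow v5/v9, and a record's src_ip is the client side.
"""
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits as they appear in a NetFlow-style cumulative flags field.
TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_PSH = 0x08
TCP_ACK = 0x10

PROTO_TCP = 6
PROTO_UDP = 17

# Flag combinations the manual excludes: handshake never completed.
INCOMPLETE_HANDSHAKE = (TCP_SYN, TCP_SYN | TCP_ACK)


@dataclass(frozen=True)
class Flow:
    src_ip: str      # assumed to be the client (the side that builds the connection)
    dst_ip: str      # assumed to be the server
    proto: int
    tcp_flags: int   # cumulative OR of all flags seen on the flow (0 for non-TCP)
    ts: int          # flow end time, seconds since epoch (constructed values below)


def is_legal_connection(flow: Flow) -> bool:
    """True when the flow counts towards 'conn' per the manual's Note.

    Only TCP is counted, and a flow whose flags are exactly SYN or exactly
    SYN+ACK is not a legal connection.
    """
    if flow.proto != PROTO_TCP:
        return False
    return flow.tcp_flags not in INCOMPLETE_HANDSHAKE


def count_connections(flows, bucket_seconds: int = 300) -> dict:
    """Return {bucket_start_ts: number of distinct client-server IP pairs}.

    Several flows between the same pair inside one bucket count as one
    connection, matching the 'connected client-server IP pair' definition.
    """
    pairs_by_bucket = defaultdict(set)
    for flow in flows:
        if not is_legal_connection(flow):
            continue
        bucket = flow.ts - (flow.ts % bucket_seconds)
        pairs_by_bucket[bucket].add((flow.src_ip, flow.dst_ip))
    return {b: len(pairs) for b, pairs in sorted(pairs_by_bucket.items())}


def count_incomplete(flows) -> int:
    """Number of TCP flows excluded as SYN-only or SYN+ACK-only.

    A sharp rise of this figure against a flat conn count is the pattern a
    defender would expect from half-open connection attempts that never
    complete, so it is worth tracking alongside the report's conn value.
    """
    return sum(
        1 for f in flows
        if f.proto == PROTO_TCP and f.tcp_flags in INCOMPLETE_HANDSHAKE
    )


# Constructed sample flow records (documentation-range addresses).
SAMPLE_FLOWS = [
    # Full handshake plus data and teardown: a legal connection.
    Flow("10.0.0.5", "192.0.2.10", PROTO_TCP, TCP_SYN | TCP_ACK | TCP_PSH | TCP_FIN, 1000),
    # Second flow of the same pair in the same 5-minute bucket: still one connection.
    Flow("10.0.0.5", "192.0.2.10", PROTO_TCP, TCP_SYN | TCP_ACK | TCP_PSH | TCP_FIN, 1050),
    # SYN+ACK only: half-open, excluded.
    Flow("10.0.0.6", "192.0.2.10", PROTO_TCP, TCP_SYN | TCP_ACK, 1100),
    # SYN only: never answered, excluded.
    Flow("10.0.0.7", "192.0.2.10", PROTO_TCP, TCP_SYN, 1120),
    # UDP: never counted for conn.
    Flow("10.0.0.8", "192.0.2.10", PROTO_UDP, 0, 1130),
    # Mid-connection record without SYN (ACK|PSH): legal under the manual's rule.
    Flow("10.0.0.9", "192.0.2.11", PROTO_TCP, TCP_ACK | TCP_PSH, 1200),
    # Same pair as the first flow but in a later bucket: counted again there.
    Flow("10.0.0.5", "192.0.2.10", PROTO_TCP, TCP_SYN | TCP_ACK | TCP_FIN, 1500),
]

if __name__ == "__main__":
    print(count_connections(SAMPLE_FLOWS))   # {900: 1, 1200: 1, 1500: 1}
    print(count_incomplete(SAMPLE_FLOWS))    # 2
```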
Report Chart
It is a Stacked Chart. The X-axis represents time and is scaled according to the time interval
selected by users. The Y-axis represents traffic volume. The data is divided into two parts by the
X-axis: the upper part represents traffic into the Server-farm and the lower part represents traffic
out of the Server-farm. Each stacked band represents one kind of traffic, and the bands are
additive, so the outer edge of all stacked bands represents the total traffic of all bands. (The
colored markers next to the check boxes indicate which server's traffic each band is.)
Report Table
There are three tabs at the right top corner of the table: Average, Current, and Maximum.
Average: the average values during the selected time interval.
Current: the values of the last data during the selected time interval.
Maximum: the maximum values during the selected time interval.
Users can click on the tabs to view the detailed data for each. The blue tab is the page currently
displayed. Selecting the check box at the front of a row draws that traffic in the Report Chart, so
users can compare the traffic of different server hosts in the server-farm clearly. An All check
box is provided to select all check boxes at once. Click the Submit button (in Query Bar) to
refresh the screen with your selection. In addition, users can use the Download Excel-XML
button to download the tabular data of the table as an XML file that can be read by Excel. The
downloaded file separates the Average, Current, and Maximum tables into three different
worksheets.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.7.2 Breakdown Report
Unlike the macroscopic summary report, the breakdown report provides further analysis of a
specific kind of traffic. The breakdown report of Server traffic analyzes the traffic between a
server-farm and other network objects. There are four kinds of breakdown report: Sub-Network,
Neighbor ASN, Origin ASN, and Area. Since the number of sub-networks, Neighbor entities, and
IP addresses may be very large, the aggregated data is saved every 30 minutes.
When users click on the unfolding mark of Breakdown Report under the Report / Server menu,
all its sub menus will be unfolded including Sub-Network, Neighbor ASN, Origin ASN, and
Area.
7.7.2.1 Sub-Network
The Sub-Network traffic analysis of the Server-farm breakdown report provides traffic
information between a specific server-farm and sub-networks. Each row of the Report Table
displays the Into Server-farm, Out of Server-farm, and Sum traffic for one sub-network; at most
300 sub-networks are listed in the Report Table. Click on the Sub-network sub menu of
Breakdown Report under the Report / Server menu to enter the Sub-Network Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located on the top of the screen and contains condition options below:
Server-farm Group: All server-farms (default) and the defined server-farm groups (all
server-farm groups defined in the Group menu of System Admin / Preferences are shown
here).
Server-farm: every server-farm configured in the selected server-farm group (the list changes
according to the group selected in the Server-farm Group drop-down list).
Time Range: a flexible way to specify the time interval of the report. The system provides two
ways to specify the time interval: Time Range and Period (see the description below). When
users choose Time Range, they specify the start time and end time of the analysis report from
the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the other way to specify the report
time interval: five fixed intervals are provided, ending at the time specified in the Until
drop-down list. When users choose Period, the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time. This drop-down list represents the start time of the
report interval. Users can specify the start date of the analysis report from either the
year/month/date drop-down lists or the year-month-date time table. After clicking on Start Time,
the year-month-date time table is shown. Select the year and month from the drop-down lists in
the time table, click the date (the selected date is highlighted), and then click the OK button; or
click the Cancel button to close the time table. After selecting the year, month, and date, specify
the time from the time drop-down list. If users choose Period to specify the report interval, this
drop-down list is unavailable.
Until: year, month, date, and time. This drop-down list represents the end time of the report
interval. Please refer to the Start Time description above for operation.
Unit: bps (bits per second) and pps (packets per second).
Output: users can view the report on the web or download it in CSV format by selecting
Show on Web or Download Graph CSV from the drop-down list.
Chart: three types of output report chart are provided: Stacked Chart, Bar Chart, and Pie
Chart. The default is Stacked Chart.
Submit: after setting the query conditions, click this button to submit the query.
Report Chart
Stacked Chart. The X-axis represents time and is scaled according to the time interval selected
by users. The Y-axis represents traffic volume. The data is divided into two parts by the X-axis:
the upper part represents traffic into the server-farm and the lower part represents traffic out of
the server-farm, for each sub-network. Each stacked band represents one kind of traffic, and the
bands are additive, so the outer edge of all stacked bands represents the total traffic of all
bands. (The colored markers next to the check boxes indicate which sub-network each band is.)
Bar Chart. The Bar Chart is presented with horizontal bars; three bar colors are used to
represent Egress, Ingress, and Sum traffic statistics separately.
Pie Chart. Three pie charts are presented, representing Egress, Ingress, and Sum traffic
statistics separately.
Report Table
There are three tabs at the right top corner of the table: Average, Current, and Maximum.
Average: the average values during the selected time interval.
Current: the values of the last data during the selected time interval.
Maximum: the maximum values during the selected time interval.
Users can click on the tabs to view the detailed data for each. The blue tab is the page currently
displayed. Selecting the check box at the front of a row draws that traffic in the Report Chart, so
users can compare the traffic of different sub-networks into/out of the Server-farm clearly by
leaving only those they want selected. An All check box is provided to select all check boxes at
once. Click the Submit button (in Query Bar) to refresh the screen with your selection. In
addition, users can use the Download Excel-XML button to download the tabular data of the
table as an XML file that can be read by Excel. The downloaded file separates the Average,
Current, and Maximum tables into three different worksheets.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.7.2.2 Neighbor ASN
The Neighbor ASN traffic analysis of the Server breakdown report provides information about
the traffic passing through each Neighbor AS (defined in the system) to/from a specific
server-farm. At most 128 Neighbor ASes are listed in the Report Table. Each row of the Report
Table displays the ingress, egress, and sum traffic for one Neighbor AS. Click on the Neighbor
ASN sub menu of Breakdown Report under the Report / Server menu to enter the Neighbor ASN
Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report
of Report / Server for details.
Apart from the data listed in the Report Table, all other descriptions are the same. For Neighbor
ASN breakdown reports, the Report Table displays the traffic between a specific server-farm and
the Neighbor entities.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.7.2.3 Origin ASN
The Origin ASN traffic analysis of the Server breakdown report provides a top N listing of Origin
AS traffic into/out of a specific server-farm. Because the number of Origin ASes may be large,
only the top 128 ASNs are saved to the DB. The top N (N: default = 25) ASNs are displayed, one
per row. Each row of the Report Table displays the ingress, egress, and sum traffic for one Origin
ASN. Click on the Origin ASN sub menu of Breakdown Report under the Report / Server menu to
enter the Origin ASN Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report
of Report / Server for details.
Apart from the data listed in the Report Table, all other descriptions are the same. For Origin
ASN reports, the Report Table displays the top N Origin ASNs.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.7.2.4 Area
An Area (or Country) in the system is defined by a group of IP addresses. The Area traffic
analysis of the Server breakdown report provides a top N listing of the traffic of each Area
(specified in the System Admin / Preference / Name Mapping function) into/out of a specific
server-farm. At most 128 areas are listed in the Report Table. Each row of the Report Table
displays the ingress, egress, and sum traffic for one area. Click on the Area sub menu of
Breakdown Report under the Report / Server menu to enter the Area Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report
of Report / Server for details.
Apart from the data listed in the Report Table, all other descriptions are the same. For Area
reports, the Report Table displays the top N areas.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.7.3 Attribute Report
The attribute report provides analysis of some common traffic attributes. With attribute reports,
users can see how their network resources are actually being used. The attribute report of
Server traffic has five kinds: Application, Protocol, Protocol+Port, TOS, and Packet Size.
When users click on the unfolding mark of Attribute Report under the Report / Server menu, all
its sub menus will be unfolded including Application, Protocol, Protocol+Port, TOS, and
Packet Size.
7.7.3.1 Application
The Application traffic analysis of the Server attribute report provides information about the
ingress/egress (Into Server-farm/Out of Server-farm) traffic of a specific server-farm, aggregated
according to the user-defined application groups on source and destination ports, separately for
each traffic direction. Up to the top 128 applications are saved to the DB. The top N (N: default =
25) applications are displayed, one per row.
In this report, users can obtain not only the traffic Into Server-farm and Out of Server-farm per
application but also the traffic between the Request side and the Response side. For example,
when a client issues a request to a server, the traffic belongs to Request traffic; when a server
replies to a client, the traffic belongs to Response traffic. (A server is the Response side and a
client is the Request side.) A Service drop-down list lets users select the traffic direction. Two
items are selectable, Inside and Outside. Inside means the server is inside the entity (Home
Network, Sub-Network, Server-farm) and shows the Request data of Ingress traffic or the
Response data of Egress traffic. Outside means the server is outside the entity and shows the
Response data of Ingress traffic or the Request data of Egress traffic.
Click on the Application sub menu of Attribute Report under the Report / Server menu to enter
the Application Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report
of Report / Server for details.
Apart from the data listed in the Report Table, all other descriptions are the same. For
Application reports, the Report Table displays the top N Applications.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.7.3.2 Protocol
The Protocol traffic analysis of the Server attribute report provides information about the
ingress/egress (Into Server-farm/Out of Server-farm) traffic of a specific server-farm, aggregated
according to the IP protocol (e.g. TCP/6, UDP/17, ICMP/1, ...). In total, the top 128 protocols are
stored in the database and the top N (N: default = 25) are displayed in the report. Each row of the
Report Table displays the Into Server-farm/Out of Server-farm traffic for one protocol, and the
value in the Sum column is the total of the Into Server-farm and Out of Server-farm traffic.
Click on the Protocol sub menu of Attribute Report under the Report / Server menu to enter the
Protocol Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report
of Report / Server for details.
Apart from the data listed in the Report Table, all other descriptions are the same. For Protocol
reports, the Report Table displays the top N Protocols.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.7.3.3 Protocol/Port
The Protocol/Port traffic analysis of the Server attribute report provides information about the
ingress/egress (Into Server-farm/Out of Server-farm) traffic of a specific server-farm, aggregated
according to protocol plus port number (service) for TCP and UDP (for ICMP, the traffic is
aggregated according to the ICMP type and code). Each row of the Report Table displays the
Into Server-farm/Out of Server-farm traffic for one protocol/port (service), and the value in the
Sum column is the total of the Into Server-farm and Out of Server-farm traffic. The top 128 are
stored in the database and the top N (N: default = 50) are displayed in the report.
In this report, users can obtain not only the traffic Into Server-farm and Out of Server-farm per
service (protocol/port) but also the traffic between the Request side and the Response side. For
example, when a client issues a request to a server, the traffic belongs to Request traffic; when a
server replies to a client, the traffic belongs to Response traffic. (A server is the Response side and
a client is the Request side.) A Service drop-down list lets users select the traffic direction. Two
items are selectable, Inside and Outside. Inside means the server is inside the entity (Home
Network, Sub-Network, Server-farm) and shows the Request data of Ingress traffic or the
Response data of Egress traffic. Outside means the server is outside the entity and shows the
Response data of Ingress traffic or the Request data of Egress traffic.
Click on the Protocol/Port sub menu of Attribute Report under the Report / Server menu to
enter the Protocol/Port Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report
of Report / Server for details.
Apart from the data listed in the Report Table, all other descriptions are the same. For
Protocol+Port reports, the Report Table displays the top N Protocol+Port entries.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.7.3.4 TOS
The TOS traffic analysis of the Server attribute report provides information about the
ingress/egress (Into Server-farm/Out of Server-farm) traffic of a specific server-farm, aggregated
according to the 256 possible TOS values. Each row of the Report Table displays the Into
Server-farm/Out of Server-farm traffic for one TOS value, and the value in the Sum column is the
total of the Into Server-farm and Out of Server-farm traffic. In total, the top 128 TOS values are
stored in the database and the top N (N: default = 25) are displayed in the report.
Click on the TOS sub menu of Attribute Report under the Report / Server menu to enter the TOS
Report window.
2009 Genie Network Resource Management Inc. All Rights Reserved.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Sub-Network section of Breakdown Report
of Report / Server for details.
Apart from the data listed in the Report Table, all other descriptions are the same. For TOS
reports, the Report Table displays the top N TOS values.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.7.3.5 Packet Size
The Packet Size traffic analysis of the Server attribute report provides information about the
ingress/egress (Into Server-farm/Out of Server-farm) traffic of a specific server-farm, aggregated
according to packet size. The packet size is calculated by dividing the byte count by the number
of packets. The packet size segments are: <32, 32-64, 64-96, 96-128, 128-160, 160-192,
192-224, 224-256, 256-320, 320-384, 384-448, 448-512, 512-768, 768-1024, 1024-1536, and
>1536.
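The segmentation described above (average packet size = bytes / packets, binned into the sixteen segments) carried through on constructed flow records, as an added example that is not part of the product. The server-farm prefix, the flow tuple layout, and the rule that a boundary value (for example exactly 64) falls into the upper segment are assumptions; the manual does not state how boundaries are assigned.

```python
"""Packet Size attribute report aggregation (added example, not product code).

Assumptions (not from the manual): flows are (src_ip, dst_ip, bytes, packets)
tuples, the server-farm is one prefix, and a boundary value belongs to the
upper segment (64 -> "64-96", 1536 -> ">1536").
"""
import ipaddress

# Segment boundaries exactly as listed in the manual.
SEGMENT_EDGES = [32, 64, 96, 128, 160, 192, 224, 256,
                 320, 384, 448, 512, 768, 1024, 1536]


def segment_labels() -> list:
    """The sixteen segment labels, in the manual's order."""
    inner = [f"{lo}-{hi}" for lo, hi in zip(SEGMENT_EDGES, SEGMENT_EDGES[1:])]
    return ["<32"] + inner + [">1536"]


def packet_size_segment(total_bytes: int, packets: int) -> str:
    """Map a flow's average packet size (bytes / packets) to its segment label."""
    if packets <= 0:
        raise ValueError("a flow record must carry at least one packet")
    avg = total_bytes / packets
    if avg < SEGMENT_EDGES[0]:
        return "<32"
    for lo, hi in zip(SEGMENT_EDGES, SEGMENT_EDGES[1:]):
        if lo <= avg < hi:          # boundary value goes to the upper segment
            return f"{lo}-{hi}"
    return ">1536"


def packet_size_distribution(flows, server_farm: str) -> dict:
    """Return {segment: {"in": bytes, "out": bytes, "sum": bytes}} for one server-farm.

    Direction is decided the way the report describes it: traffic whose
    destination is in the server-farm is Into Server-farm ("in"), traffic
    whose source is in the server-farm is Out of Server-farm ("out").
    Flows touching neither side are not server-farm traffic and are skipped.
    """
    net = ipaddress.ip_network(server_farm)
    dist = {label: {"in": 0, "out": 0, "sum": 0} for label in segment_labels()}
    for src, dst, nbytes, npkts in flows:
        if ipaddress.ip_address(dst) in net:
            direction = "in"
        elif ipaddress.ip_address(src) in net:
            direction = "out"
        else:
            continue
        segment = packet_size_segment(nbytes, npkts)
        dist[segment][direction] += nbytes
        dist[segment]["sum"] += nbytes
    return dist


# Constructed sample flows: (src_ip, dst_ip, bytes, packets), documentation ranges.
SERVER_FARM = "192.0.2.0/24"
SAMPLE_FLOWS = [
    ("203.0.113.7", "192.0.2.10", 6000, 100),    # avg 60   -> "32-64",     in
    ("192.0.2.10", "203.0.113.7", 150000, 100),  # avg 1500 -> "1024-1536", out
    ("203.0.113.8", "192.0.2.10", 4000, 200),    # avg 20   -> "<32",       in
    ("203.0.113.9", "192.0.2.10", 3000, 1),      # avg 3000 -> ">1536",     in
    ("198.51.100.1", "198.51.100.2", 500, 5),    # not server-farm traffic, skipped
]

if __name__ == "__main__":
    # A server-farm that normally answers with large packets but suddenly
    # receives most of its bytes in the "<32" segment is the kind of shift
    # this report makes visible; here the small-packet flow is one of four.
    for label, counts in packet_size_distribution(SAMPLE_FLOWS, SERVER_FARM).items():
        if counts["sum"]:
            print(f"{label:>10}  in={counts['in']:>7}  out={counts['out']:>7}")
```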
Click on the Packet Size sub menu of Attribute Report under the Report / Server menu to enter
the Packet Size Report window.
Report Descriptions
There are three parts in the Report window: Query Bar, Report Chart, and Report Table. Please
refer to the Report Descriptions part in the Sub-Network section of Breakdown Report of
Report / Server for details.
Apart from the data listed in the Report Table, all other descriptions are the same. For Packet
Size reports, the Report Table displays the packet size distribution.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.7.4 TopN Report
The TopN traffic analysis of the Server report provides a top N listing of traffic according to the
TopN Report Template. Because the amount of data may be large, only the top 256 entries are
saved to the DB. The top N (N: default = 64) aggregation keys are displayed, one per row. Each
row of the Report Table displays the Into Server-farm, Out of Server-farm, and sum traffic for
one pair of entries.
Click on the TopN Report sub menu under the Report / Server menu to enter the TopN Report
window.
Report Descriptions
There are three parts in the TopN Report window: Query Bar, Report Chart and Report Table.
Query Bar
This part is located on the top of the screen and contains condition options below:
Server-farm Group: All server-farms (default) and the defined server-farm groups (all
server-farm groups defined in the Group menu of System Admin / Preferences are shown
here).
Server-farm: every server-farm configured in the selected server-farm group (the list changes
according to the group selected in the Server-farm Group drop-down list).
TopN Report: every TopN report configured for the server-farm (the TopN reports of a
server-farm are defined in the System Admin / Network / Server function).
Time Range: a flexible way to specify the time interval of the report. The system provides two
ways to specify the time interval: Time Range and Period (see the description below). When
users choose Time Range, they specify the start time and end time of the analysis report from
the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the other way to specify the report
time interval: five fixed intervals are provided, ending at the time specified in the Until
drop-down list. When users choose Period, the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time. This drop-down list represents the start time of the
report interval. Users can specify the start date of the analysis report from either the
year/month/date drop-down lists or the year-month-date time table. After clicking on Start Time,
the year-month-date time table is shown. Select the year and month from the drop-down lists in
the time table, click the date (the selected date is highlighted), and then click the OK button; or
click the Cancel button to close the time table. After selecting the year, month, and date, specify
the time from the time drop-down list. If users choose Period to specify the report interval, this
drop-down list is unavailable.
Until: year, month, date, and time. This drop-down list represents the end time of the report
interval. Please refer to the Start Time description above for operation.
Unit: bps (bits per second) and pps (packets per second).
Output: three output formats are available: Show on Web, Download Graph CSV, and
Download XML file.
Chart: three types of output report chart are provided: Stacked Chart, Bar Chart, and Pie
Chart. The default is Stacked Chart.
Submit: after setting the query conditions, click this button to submit the query.
Report Chart
Stacked Chart. The X-axis represents time and is scaled according to the time interval selected
by users. The Y-axis represents traffic volume. The data is divided into two parts by the X-axis:
the upper part represents traffic into the server-farm and the lower part represents traffic out of
the server-farm. Each stacked band represents one kind of traffic, and the bands are additive, so
the outer edge of all stacked bands represents the total traffic of all bands. (The colored markers
next to the check boxes indicate which TopN entry each band is.)
Bar Chart. The Bar Chart is presented with horizontal bars; three bar colors are used to
represent Egress, Ingress, and Sum traffic statistics separately.
Pie Chart. Three pie charts are presented, representing Egress, Ingress, and Sum traffic
statistics separately.
Report Table
There are four tabs at the right top corner of the table: Average, Current, Maximum, and Usage.
Average: the average values during the selected time interval.
Current: the values of the last data point in the selected time interval.
Maximum: the maximum values during the selected time interval.
Usage: the usage values during the selected time interval.
Users can click on the tabs to view the detailed data for each. The blue tab is the page currently
displayed. Selecting the check box at the front of a row draws that traffic in the Report Chart, so
users can compare the aggregated traffic of different entries into/out of the Server-farm clearly
by leaving only those they want selected. An All check box is provided to select all check boxes
at once. Click the Submit button (in Query Bar) to refresh the screen with your selection. In
addition, users can use the Download Excel-XML button to download the tabular data of the
table as an XML file that can be read by Excel. The downloaded file separates the Average,
Current, Maximum, and Usage tables into different worksheets.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.8 Rule-based Report
The Rule-based Report menu provides traffic analysis reports for the rule-based Filters that are
configured in the system according to user definitions. The system provides not only the
Compare report, which compares the Filters within one Filter group, but also the Detail report,
which presents detailed traffic information for one Filter. In addition, a TopN report analyzed on
the basis of Filter traffic flows is provided. There are two types of analysis report for Filter
traffic: Summary Report and TopN Report. The following sections introduce how to query the
various Rule-based traffic reports.
When users click on the unfolding mark of Report / Rule-based Report, all its sub menus are
unfolded, including Summary Report and TopN Report.
7.8.1 Summary Report
The summary report of Rule-based Filter traffic presents the traffic analysis of Filters from two
viewpoints: comparing the total traffic of each Filter within a Filter group, and analyzing the
detailed traffic of one Filter. With the Rule-based Summary report, users can quickly see both
the total traffic of each Filter and the detailed traffic analysis of each Filter. When users click on
the Summary Report sub menu of Report / Rule-based Report, two sub menus are shown:
Compare and Detail.
7.8.1.1 Compare
The Compare traffic analysis of the Rule-based Summary report provides information about the
original-direction/opposite-direction (Filter/Opposite) traffic of each Filter, so that users can
compare the Filters against the total amount. The Top N Report Table displays all Filters (N:
maximum = 1024).
Click on the Compare sub menu of Summary Report under the Report / Rule-based Report
menu to enter the Compare Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located on the top of the screen and contains condition options below:
Filter Group: the defined Filter groups (All Filter groups defined in the Group menu of System
Admin / Network / Preferences will be shown here, except the default All Filters group.)
Time Range: a flexible way to specify the time interval of the report. The system provides two ways
to specify the interval: Time Range and Period (see below). With Time Range, specify the start and
end of the report interval from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the alternative to Time Range: one of
five fixed intervals is reported, ending at the time specified in the Until drop-down list. With Period,
the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time. This drop-down list sets the start of the report interval.
Specify the start date either from the year/month/date drop-down lists or from the year-month-date
table that opens after clicking on Start Time: choose the year and month from the drop-down lists in
the table, click on the date (the selected date is highlighted), and click on the OK button, or click on
the Cancel button to close the table. Then specify the time from the time drop-down list. If Period is
chosen, this drop-down list is unavailable.
Until: year, month, date, and time. This drop-down list sets the end of the report interval. Operate it
as described for Start Time above.
Unit: bps (bits per second), pps (packets per second), and fps (flows per second).
Output: users can view the report on the web, or download it in CSV or XML format, by selecting
Show on Web, Download Graph CSV, or Download XML file from the drop-down list.
Chart: three types of report chart are provided: Stacked Chart, Bar Chart, and Pie Chart. The
default setting is Stacked Chart.
Submit: after finishing the query conditions, click on this button to submit the query.
Report Chart
Stacked Chart. The X-coordinate represents time and is scaled according to the time interval
selected by users. The Y-coordinate represents traffic. The data is divided into two parts by the
X-axis: the upper part represents the total traffic in the Filters' original direction and the lower part
the total traffic in the Filters' opposite direction. Each stacked band represents one kind of traffic
and the bands are additive, that is, the outer edge of all stacked bands represents the total traffic
of all bands. (The colored markers next to the check boxes indicate which Filter each band is.)
Bar Chart. Bar Chart is presented with horizontal bars and three different colors of bars are used
to separately represent Filter, Opposite, and Sum traffic statistics.
Pie Chart. There are three pie charts presented to separately represent Filter, Opposite, and
Sum traffic statistics.
Report Table
This table displays the traffic analysis statistics for all Filters configured in the group selected in
the Filter Group drop-down list (in the Query Bar). There are three tabs at the top right corner of
the table: Average, Current, and Maximum.
Average: the average values during the selected time interval.
Current: the values of the last data during the selected time interval.
Maximum: the maximum values during the selected time interval.
Users can click on the tabs to view the detail data of each. The blue tab is the one currently
displayed. Selecting the check box at the front of a row draws that traffic in the Report Chart, so
users can compare selected Filters clearly by unselecting the Filters they do not want. An All check
box conveniently selects all check boxes at once. Click on the Submit button (in the Query Bar) to
refresh the screen with your selection. In addition, users can use the Download Excel-XML button to
download the tabular data as an XML file that can be read by Excel. The downloaded file separates
the Average, Current, and Maximum tables into three worksheets.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.8.1.2
Detail
The Detail traffic analysis of the Rule-based Summary report presents the traffic of each Filter's
original and opposite directions for a specific time interval. With this report, users can know the
ingress/egress traffic of each Filter in bps, pps, and fps.
Click on the Detail sub menu of Summary Report under the Report / Rule-based Report menu
to enter the Detail Report window.
Report Descriptions
There are two parts in the Detail Report window: Query Bar, and Report Chart.
Query Bar
This part is located on the top of the screen and contains condition options below:
Filter Group: the defined Filter groups (all Filter groups defined in the Group menu of System
Admin / Network / Preferences are shown here).
Filter: every Filter configured in the selected Filter group (the list changes according to the group
selected in the Filter Group drop-down list).
Time Range: a flexible way to specify the time interval of the report. The system provides two ways
to specify the interval: Time Range and Period (see below). With Time Range, specify the start and
end of the report interval from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the alternative to Time Range: one of
five fixed intervals is reported, ending at the time specified in the Until drop-down list. With Period,
the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time. This drop-down list sets the start of the report interval.
Specify the start date either from the year/month/date drop-down lists or from the year-month-date
table that opens after clicking on Start Time: choose the year and month from the drop-down lists in
the table, click on the date (the selected date is highlighted), and click on the OK button, or click on
the Cancel button to close the table. Then specify the time from the time drop-down list. If Period is
chosen, this drop-down list is unavailable.
Until: year, month, date, and time. This drop-down list sets the end of the report interval. Operate it
as described for Start Time above.
Output: users can view the report on the web, or download it as a PDF file, in CSV format, or as an
XML file, by selecting Show on Web, Download PDF file, Download Graph CSV, or Download XML
file from the drop-down list.
Report Type: two report types are provided: Standard and Trend. The default setting is Standard.
Note that the Trend report is not available for the Daily report.
Submit: after finishing the query conditions, click on this button to submit the query.
Report Chart
Standard Report Chart. Three line charts are displayed: bps, pps, and fps. The X-coordinate
represents time and is scaled according to the time interval selected by users. The Y-coordinate
represents the traffic unit. The data is divided into two parts by the X-axis: the upper part
represents the total traffic in the Filter's original direction and the lower part the total traffic in the
Filter's opposite direction. The average, maximum, and current traffic values are indicated in the
chart. The colored markers below the chart indicate the traffic direction.
Trend Report Chart. This chart uses historical flow data to generate an average trend line for a
specific past time period. The trend line helps users estimate the likely traffic volume in the near
future.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
7.8.2
TopN Report
The Rule-based TopN Report presents TopN analyses and reports that use the defined Filters as
analysis criteria. Three types of aggregation key are provided (Source, Destination, and
Directionless) and over ten aggregation methods can be selected (IP, Protocol, Application,
Interface, etc.). Up to 256 top-N objects are stored in the DB and the top N (N: 16, 32, 64, 128, or
256) are displayed in the report. With this report, users can easily and quickly obtain the top-N
origins and targets of the analyzed traffic.
Click on the TopN Report sub menu of Report / Rule-based Report menu to enter the TopN
Report window. The system will display various analysis reports and statistics according to the
selected TopN Report defined, traffic unit, and time interval.
Report Descriptions
There are three parts in the TopN Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located on the top of the screen and contains condition options below:
Filter Group: the defined Filter groups (all Filter groups defined in the Group menu of System
Admin / Network / Preferences are shown here).
Filter: every Filter configured in the selected Filter group (the list changes according to the group
selected in the Filter Group drop-down list).
TopN Report: every enabled TopN report configured in the selected Filter.
Time Range: a flexible way to specify the time interval of the report. The system provides two ways
to specify the interval: Time Range and Period (see below). With Time Range, specify the start and
end of the report interval from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the alternative to Time Range: one of
five fixed intervals is reported, ending at the time specified in the Until drop-down list. With Period,
the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time. This drop-down list sets the start of the report interval.
Specify the start date either from the year/month/date drop-down lists or from the year-month-date
table that opens after clicking on Start Time: choose the year and month from the drop-down lists in
the table, click on the date (the selected date is highlighted), and click on the OK button, or click on
the Cancel button to close the table. Then specify the time from the time drop-down list. If Period is
chosen, this drop-down list is unavailable.
Until: year, month, date, and time. This drop-down list sets the end of the report interval. Operate it
as described for Start Time above.
Unit: bps (bits per second) and pps (packets per second).
Output: users can view the report on the web, or download it in CSV or XML format, by selecting
Show on Web, Download Graph CSV, or Download XML file from the drop-down list.
Chart: three types of report chart are provided: Stacked Chart, Bar Chart, and Pie Chart. The
default setting is Stacked Chart.
Submit: after finishing the query conditions, click on this button to submit the query.
2009 Genie Network Resource Management Inc. All Rights Reserved.
Report Chart
Stacked Chart. The X-coordinate represents time and is scaled according to the time interval
selected by users. The Y-coordinate represents traffic. The data is divided into two parts by the
X-axis: the upper part represents the original-direction total traffic of the sorted top-N objects and
the lower part their opposite-direction total traffic. Each stacked band represents one kind of traffic
and the bands are additive, that is, the outer edge of all stacked bands represents the total traffic
of all bands. (The colored markers next to the check boxes indicate which sorted top-N object each
band is.)
Bar Chart. Bar Chart is presented with horizontal bars and three different colors of bars are used
to separately represent Filter, Opposite, and Sum traffic statistics.
Pie Chart. There are three pie charts presented to separately represent Filter, Opposite, and
Sum traffic statistics.
Report Table
This table displays the traffic analysis statistics for all TopN reports configured in the Filter
selected in the Filter drop-down list (in the Query Bar). There are four tabs at the top right corner
of the table: Average, Current, Maximum, and Usage.
Average: the average values during the selected time interval.
Current: the values of the last data during the selected time interval.
Maximum: the maximum values during the selected time interval.
Usage: the percentage of usage during the selected time interval.
Users can click on the tabs to view the detail data of each. The blue tab is the one currently
displayed. Selecting the check box at the front of a row draws that traffic in the Report Chart, so
users can compare the sorted top-N objects clearly by unselecting the objects they do not want. An
All check box conveniently selects all check boxes at once. Click on the Submit button (in the Query
Bar) to refresh the screen with your selection. In addition, users can use the Download Excel-XML
button to download the tabular data as an XML file that can be read by Excel. The downloaded file
separates the Average, Current, and Maximum tables into three worksheets.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
MSP Customer
The MSP Customer menu includes the sub functions Anomaly Console and Report; users can click on
the unfolding mark of MSP Customer to show them. This menu is shown only when the system supports
the MSP module (a value-added function). Please refer to the following sections for detailed descriptions.
8.1
Anomaly Console
The Anomaly Console function of MSP Customer provides various reports of anomaly events.
Anomaly Console lets users list the anomaly events detected via several search filters, provides
summary and detailed traffic characteristics for each detected anomaly event, generates suggested
ACL (Access Control List) commands for network operators, and takes snapshots for advanced traffic
inspection.
After clicking the Anomaly Console sub menu of MSP Customer, users enter the Anomaly Console
window (see figure 8.1-1). The following sections introduce how to use the Anomaly Console function
to query anomaly events and read the related reports.
Duration: the time period for which an anomaly event lasts. The display format is
00 hours / 00 mins / 00 secs (e.g. 27 hours / 37 mins / 42 secs).
Direction: the traffic direction of the anomaly event.
Type: a category plus an anomaly type with the monitored traffic statistic object (e.g. Traffic
Anomaly by bps / Protocol-Misuse with TCP SYN Flooding by pps / Application with Code Red
by pps).
Resource: the detection scope of the detected anomaly event and its related information. For
Traffic anomalies, this column shows only the resource type and resource name of the detection
scope. For Protocol-Misuse and Application anomalies, it shows the anomaly type, resource name,
and the IP address of the host that triggered the event.
1. Page-control buttons |<, <<, >>, >| and the Page drop-down list: use the drop-down list to
go to a specific page. The numerator represents the page you are going to list and the
denominator represents the total number of pages.
2. An Anomaly ID search function is provided. It is located next to the Page-control buttons
and above the view list. Users can enter the ID of an anomaly in the Anomaly ID field and press
the View button to quickly find a specific anomaly among the listed anomalies. The Summary
Anomaly report of that anomaly pops up. Please refer to the following step, Descriptions of
Summary Anomaly Report, for details.
3. A Rows per Page drop-down list controls the number of entries displayed per page of the
Anomaly Console view list. There are five options: 10, 15, 20, 25, and 30. The number 10
marked with an asterisk is the default value.
Figure 5.1-2 MSP Customer/Anomaly Console -- the Summary Anomaly Report of the
Anomaly Event
Traffic Characteristics
The system provides views for users to understand the evolution of the selected anomaly
event in terms of its traffic characteristics at different time points (sorted per minute).
In addition, the Detail report of the Summary Anomaly Report window provides two functions: linking
to Snapshot with the selected anomaly traffic characteristics, and viewing the ACL commands
generated by the system. They are invoked with the Snapshot and Generate ACL buttons. Please
follow the steps below:
1. Snapshot: decide on one or more analyzed traffic characteristics as the snapshot analysis
criteria, click on the Lock check boxes (at the end of the rows) of those characteristics, and
click on the Snapshot button.
2. Generate ACL: decide on one or more traffic characteristics as the target you want to lock,
click on the Lock check boxes (at the end of the rows) of those characteristics, and click on
the Generate ACL button.
3. Click on the Update button in the ACL Generate Tool window to generate ACL commands.
After you press the button, the system generates appropriate ACL commands according to
the traffic characteristics you selected and shows the commands in the Result text box. A
Router Type drop-down list is provided to produce ACL commands for different router brands
(Cisco / Juniper / Foundry); the generated commands differ according to the router type
selected. Note that TCP Flag is only available for the Cisco router type.
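The generation step above, as an added Python example that is not the product's ACL Generate Tool: it takes the locked traffic characteristics (fields assumed here: protocol, source, destination, destination port, TCP flags) and emits either a Cisco extended ACL or a Junos firewall filter, following the manual's rule that the TCP flag is only used for the Cisco router type. The Foundry router type is not covered, the sample characteristics are constructed, and the exact IOS/Junos syntax is this example's assumption to be verified against the vendor documentation before anything is deployed.

```python
"""Suggested ACL commands from locked anomaly traffic characteristics.

Added example: this is not the product's ACL Generate Tool. The characteristic
fields, the deny/permit layout and the router syntax below are this example's
assumptions; check them against the router vendor's documentation before use.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Characteristic:
    """One locked row of the anomaly's traffic characteristics (assumed fields)."""
    protocol: str                    # "tcp", "udp" or "icmp"
    src: str                         # IP address, CIDR prefix, or "any"
    dst: str
    dst_port: Optional[int] = None   # only used for tcp/udp
    tcp_flags: Optional[str] = None  # e.g. "syn"; only emitted for the Cisco type


def _cisco_addr(addr: str) -> str:
    """Cisco extended-ACL address form: any / host A.B.C.D / network wildcard."""
    if addr == "any":
        return "any"
    net = ipaddress.ip_network(addr, strict=False)
    if net.num_addresses == 1:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"  # hostmask is the wildcard mask


def cisco_acl(name: str, chars: List[Characteristic]) -> str:
    lines = [f"ip access-list extended {name}"]
    for c in chars:
        ace = f" deny {c.protocol} {_cisco_addr(c.src)} {_cisco_addr(c.dst)}"
        if c.dst_port is not None and c.protocol in ("tcp", "udp"):
            ace += f" eq {c.dst_port}"
        if c.tcp_flags and c.protocol == "tcp":
            ace += f" match-all +{c.tcp_flags}"  # IOS TCP-flag match (assumed available)
        lines.append(ace)
    lines.append(" permit ip any any")  # explicit permit so the implicit deny does not black-hole the link
    return "\n".join(lines)


def junos_filter(name: str, chars: List[Characteristic]) -> str:
    """Junos firewall filter. TCP flags are deliberately not emitted: the manual
    states TCP Flag is only available for the Cisco router type."""
    out = ["firewall {", "    family inet {", f"        filter {name} {{"]
    for i, c in enumerate(chars, 1):
        out += [f"            term block-{i} {{", "                from {"]
        for key, addr in (("source-address", c.src), ("destination-address", c.dst)):
            if addr != "any":
                prefix = ipaddress.ip_network(addr, strict=False)
                out.append(f"                    {key} {{ {prefix}; }}")
        out.append(f"                    protocol {c.protocol};")
        if c.dst_port is not None and c.protocol in ("tcp", "udp"):
            out.append(f"                    destination-port {c.dst_port};")
        out += ["                }", "                then discard;", "            }"]
    out += ["            term accept-rest { then accept; }", "        }", "    }", "}"]
    return "\n".join(out)


GENERATORS = {"Cisco": cisco_acl, "Juniper": junos_filter}


def generate(router_type: str, name: str, chars: List[Characteristic]) -> str:
    """Dispatch on the Router Type drop-down value (Foundry is omitted here)."""
    return GENERATORS[router_type](name, chars)


# Constructed sample: a SYN flood to a web server plus a UDP/53 stream to a resolver.
SAMPLE = [
    Characteristic("tcp", "any", "203.0.113.10", 80, "syn"),
    Characteristic("udp", "198.51.100.0/24", "203.0.113.20", 53),
]

if __name__ == "__main__":
    for rt in GENERATORS:
        print(generate(rt, "ANOMALY-SUGGESTED", SAMPLE))
```

The trailing permit (Cisco) and accept term (Junos) matter operationally: a filter built only from deny entries would drop all other traffic on the interface because of the implicit deny, which turns a mitigation into an outage.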
8.2
Report
All pre-defined (built-in) and rule-based reports of MSP Customer entities are aggregated into the
Report sub menu of MSP Customer for convenience. The Traffic, Boundary Traffic, Top Talker,
Attribute Report, and TopN Report sub menus are displayed when users click on the unfolding mark
of Report under the MSP Customer main menu.
8.2.1
Traffic
The Traffic report of MSP Customer presents the traffic analysis for every MSP Customer entity
configured in the system. With this report, users can know the ingress/egress traffic of each MSP
Customer entity in bps and pps. Click on the Traffic sub menu of MSP Customer/Report to enter the
Traffic Report window. The system displays the analysis reports for MSP Customer traffic according
to the selected MSP Customer entity and time interval.
Report Descriptions
There are two parts in the Traffic Report window: Query Bar, and Report Chart.
Query Bar
This part is located on the top of the screen and contains condition options below:
MSP Customer: lists all MSP Customer entities configured in the system.
Note: a Browse button is available to browse all listed entries.
Time Range: a flexible way to specify the time interval of the report. The system provides two ways
to specify the interval: Time Range and Period (see below). With Time Range, specify the start and
end of the report interval from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the alternative to Time Range: one of
five fixed intervals is reported, ending at the time specified in the Until drop-down list. With Period,
the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time. This drop-down list sets the start of the report interval.
Specify the start date either from the year/month/date drop-down lists or from the year-month-date
table that opens after clicking on Start Time: choose the year and month from the drop-down lists in
the table, click on the date (the selected date is highlighted), and click on the OK button, or click on
the Cancel button to close the table. Then specify the time from the time drop-down list. If Period is
chosen, this drop-down list is unavailable.
Until: year, month, date, and time. This drop-down list sets the end of the report interval. Operate it
as described for Start Time above.
Output: users can view the report on the web or download it in PDF format by selecting
Show on Web or Download PDF File from the drop-down list.
Report Type: only the Standard report is provided.
Submit: after finishing the query conditions, click on this button to submit the query.
Report Chart
Standard Report Chart. Two line charts are displayed: bps and pps. The X-coordinate represents
time and is scaled according to the time interval selected by users. The Y-coordinate represents
the traffic unit. The upper part represents the traffic into the selected MSP Customer entity and
the lower part the traffic out of it. The average and maximum traffic values are indicated in the
chart. The colored markers below the chart indicate the traffic direction.
Operation Procedure to Query Reports
1. Select an MSP Customer entity from the MSP Customer drop-down list or through the Browse
button.
2. Select Time Range or Period to specify the report time interval.
3. Specify the start/end date and time from the Start Time/Until drop-down lists.
4. Choose Show on Web or Download PDF File from the Output drop-down list.
5. Click on the Submit button to refresh the screen and generate your report.
8.2.2
Boundary Traffic
The Boundary Traffic analysis report provides information about the average/current/maximum
traffic aggregated according to the defined elements (the routers bound to the MSP Customer) for a
specific MSP Customer.
Click on Boundary Traffic under the MSP Customer/Report menu to enter the Boundary Traffic
Report window.
Report Descriptions
There are three parts in the Boundary Traffic Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located on the top of the screen and contains condition options below:
MSP Customer: list every MSP customer configured in the MSP Customer menu of System
Admin/Network function.
Time Range: a flexible way to specify the time interval of the report. The system provides two ways
to specify the interval: Time Range and Period (see below). With Time Range, specify the start and
end of the report interval from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the alternative to Time Range: one of
five fixed intervals is reported, ending at the time specified in the Until drop-down list. With Period,
the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time. This drop-down list sets the start of the report interval.
Specify the start date either from the year/month/date drop-down lists or from the year-month-date
table that opens after clicking on Start Time: choose the year and month from the drop-down lists in
the table, click on the date (the selected date is highlighted), and click on the OK button, or click on
the Cancel button to close the table. Then specify the time from the time drop-down list. If Period is
chosen, this drop-down list is unavailable.
Until: year, month, date, and time. This drop-down list sets the end of the report interval. Operate it
as described for Start Time above.
Unit: bps (bits per second) and pps (packets per second).
Output: users can view the report on the web or download it in CSV format by selecting
Show on Web or Download Graph CSV from the drop-down list.
Submit: after finishing the query conditions, click on this button to submit the query.
Report Chart
This report is presented as a line chart. The X-coordinate represents time and is scaled according
to the time interval selected by users. The Y-coordinate represents traffic. Each line represents one
kind of traffic and its data matches the data listed in the Report Table. (The colored markers next to
the check boxes indicate which traffic each line is.)
Report Table
This table displays the traffic analysis statistics for all routers bound to the MSP Customer
selected in the drop-down list (in the Query Bar). There are three tabs at the top right corner of
the table: Average, Current, and Maximum.
Average: the average values during the selected time interval.
Current: the values of the last data during the selected time interval.
Maximum: the maximum values during the selected time interval.
Users can click on the tabs to view the detail data of each. The blue tab is the one currently
displayed. Selecting the check box at the front of a row draws that traffic in the Report Chart, so
users can compare the traffic of different bound routers clearly. An All check box conveniently
selects all check boxes at once. Click on the Submit button (in the Query Bar) to refresh the screen
with your selection. In addition, users can use the Download Excel-XML button to download the
tabular data as an XML file that can be read by Excel. The downloaded file separates the Average,
Current, and Maximum tables into three worksheets.
Please refer to the Operation Procedure to Query Reports part in the Traffic section of MSP
Customer/Report for details.
8.2.3
Top Talker
The Top Talker traffic analysis of the MSP Customer breakdown report provides the top N listing of
traffic by IP address from/to the MSP Customer. Because the number of IP addresses may be large,
only the top 128 IP addresses are saved to the DB. The top N (N: default = 25) IP addresses are
displayed, one per row. Each row of the Report Table shows the ingress, egress, and sum traffic for
the IP address. Click on the Top Talker sub menu under MSP Customer/Report to enter the Top
Talker Report window.
Report Descriptions
There are three parts in the Top Talker Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located on the top of the screen and contains condition options below:
MSP Customer: list all MSP Customer entities configured in the system.
Time Range: a flexible way to specify the time interval of the report. The system provides two ways
to specify the interval: Time Range and Period (see below). With Time Range, specify the start and
end of the report interval from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the alternative to Time Range: one of
five fixed intervals is reported, ending at the time specified in the Until drop-down list. With Period,
the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time. This drop-down list sets the start of the report interval.
Specify the start date either from the year/month/date drop-down lists or from the year-month-date
table that opens after clicking on Start Time: choose the year and month from the drop-down lists in
the table, click on the date (the selected date is highlighted), and click on the OK button, or click on
the Cancel button to close the table. Then specify the time from the time drop-down list. If Period is
chosen, this drop-down list is unavailable.
Until: year, month, date, and time. This drop-down list sets the end of the report interval. Operate it
as described for Start Time above.
Unit: bps (bits per second) and pps (packets per second).
Output: users can view the report on the web or download it in CSV format by selecting
Show on Web or Download Graph CSV from the drop-down list.
Chart: three types of report chart are provided: Stacked Chart, Bar Chart, and Pie Chart. The
default setting is Stacked Chart.
Talker: two Talker views are provided: Inside and Outside. Inside lists the top N hosts within the
MSP Customer network (Top Talker). Outside lists the top N outside hosts most visited by the MSP
Customer network (Top Listener).
Submit: after finishing the query conditions, click on this button to submit the query.
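How the Inside/Outside Talker views and the ingress/egress/sum columns of the Report Table can be computed from raw flow records, as an added example in Python that is not the product's own code: the customer prefix, the flow records and the 300-second collection interval are constructed for illustration, and the Usage share follows the percentage meaning of the Usage tab.

```python
"""Top Talker (Inside) / Top Listener (Outside) aggregation over flow records.

Added example, not the product's own code. The customer prefix, the flow
records and the collection interval are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed: the MSP Customer entity owns this prefix.
CUSTOMER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed flow records for one collection interval: (src_ip, dst_ip, bytes, packets).
FLOWS = [
    ("198.51.100.7", "203.0.113.10", 900_000, 800),
    ("203.0.113.10", "198.51.100.7", 4_500_000, 3_200),
    ("203.0.113.22", "192.0.2.5", 300_000, 250),
    ("192.0.2.5", "203.0.113.22", 50_000, 60),
    ("203.0.113.10", "192.0.2.9", 100_000, 90),
    ("10.9.9.9", "10.8.8.8", 999_999, 999),   # neither end is the customer: not boundary traffic
]


def is_inside(ip):
    return any(ipaddress.ip_address(ip) in net for net in CUSTOMER_PREFIXES)


def top_talkers(flows, talker="Inside", n=25, interval_s=300, unit="bps"):
    """Return [(ip, ingress, egress, sum)] sorted by sum, descending, limited to n.

    talker="Inside": rows are keyed on the customer-side host (Top Talker).
    talker="Outside": rows are keyed on the remote host (Top Listener).
    Ingress is traffic into the customer network, egress is traffic out of it;
    flows with both ends inside (or both outside) are ignored.
    """
    acc = defaultdict(lambda: [0.0, 0.0])   # ip -> [ingress, egress]
    for src, dst, nbytes, pkts in flows:
        src_in, dst_in = is_inside(src), is_inside(dst)
        if src_in == dst_in:
            continue
        amount = (nbytes * 8 if unit == "bps" else pkts) / interval_s
        if dst_in:                                   # ingress flow
            key = dst if talker == "Inside" else src
            acc[key][0] += amount
        else:                                        # egress flow
            key = src if talker == "Inside" else dst
            acc[key][1] += amount
    rows = [(ip, i, e, i + e) for ip, (i, e) in acc.items()]
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows[:n]


def usage(rows):
    """Usage share: each row's sum as a percentage of the total over all rows."""
    total = sum(r[3] for r in rows) or 1.0
    return {ip: 100.0 * s / total for ip, _, _, s in rows}


if __name__ == "__main__":
    for view in ("Inside", "Outside"):
        rows = top_talkers(FLOWS, talker=view)
        print(view, rows, usage(rows))
```

The same aggregation with `n=128` is what a collector would persist, matching the "top 128 IP addresses saved to DB" limit, and the display default of 25 is the default `n` here.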
Report Chart
Stacked Chart. The X-coordinate represents time and is scaled according to the time interval
selected by users. The Y-coordinate represents traffic. The data is divided into two parts by the
X-axis: the upper part represents the traffic into the MSP Customer entity and the lower part the
traffic out of it. Each stacked band represents one kind of traffic and the bands are additive, that
is, the outer edge of all stacked bands represents the total traffic of all bands. (The colored
markers next to the check boxes indicate which Talker each band is.)
Bar Chart. The Bar Chart is presented with horizontal bars; three colors of bars separately
represent the Ingress, Egress, and Sum traffic statistics.
Pie Chart. Three pie charts separately represent the Ingress, Egress, and Sum traffic statistics.
Report Table
There are four tabs at the top right corner of the table: Average, Current, Maximum, and Usage.
Average: the average values during the selected time interval.
Current: the values of the last data during the selected time interval.
Maximum: the maximum values during the selected time interval.
Usage: the usage share (percentage) during the selected time interval.
Users can click on the tabs to view the detail data of each. The blue tab is the one currently
displayed. Selecting the check box at the front of a row draws that traffic in the Report Chart, so
users can compare the traffic clearly. An All check box selects all check boxes at once. Click on the
Submit button (in the Query Bar) to refresh the screen with your selection. In addition, users can
use the Download Excel-XML button to download the tabular data as an XML file that can be read
by Excel. The downloaded file separates the Average, Current, Maximum, and Usage tables into
different worksheets.
Please refer to the Operation Procedure to Query Reports part in the Traffic section of MSP
Customer/Report for details.
8.2.4
Attribute Report
The attribute report of MSP Customers provides analysis information about common traffic
attributes. With these reports, users can understand how their network resources are actually being
used. There are five kinds of attribute report for MSP Customer traffic: Application, Protocol,
Protocol/Port, TOS, and Packet Size.
When users click on the unfolding mark of Attribute Report under the MSP Customer/Report main
menu, all its sub menus are unfolded: Application, Protocol, Protocol/Port, TOS, and Packet Size.
8.2.4.1
Application
The Application traffic analysis of the MSP Customer attribute report provides information about the ingress/egress (Into MSP/Out of MSP) traffic of a specific MSP Customer entity, aggregated according to the user-defined application groups on source and destination ports, separately for each traffic direction. Up to the top 128 applications are saved to the DB. The top N (N: default = 25) applications are displayed, one per row.
In this report, users can obtain not only the traffic Into MSP Customer and Out of MSP Customer per application but also the traffic between the Request side and the Response side. For example, when a client issues a request to a server, that traffic belongs to Request traffic; when the server replies to the client, that traffic belongs to Response traffic. (The server is the Response side and the client is the Request side.) A Service drop-down list is provided for users to select the traffic direction. Two items are selectable, Inside and Outside. Inside means the server is inside the MSP Customer entity and represents the Request data of Ingress traffic or the Response data of Egress traffic. Outside means the server is outside the MSP Customer entity and represents the Response data of Ingress traffic or the Request data of Egress traffic.
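As an added illustration (not part of this manual or the product's own code), the following Python snippet derives the per-application rows for the Inside and Outside selections from flow records, applying the Request/Response and Ingress/Egress rules described above. The application groups, the port-based request/response rule and the flow records are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical application groups keyed by server port (an assumption; the
# product lets users define their own groups on source and destination ports).
APP_GROUPS = {80: "web", 443: "web", 25: "mail", 53: "dns"}

# Which (direction, side) combinations each Service selection represents,
# as the manual describes them:
#   Inside  = server inside the MSP Customer  -> Request of Ingress, Response of Egress
#   Outside = server outside the MSP Customer -> Response of Ingress, Request of Egress
SERVICE_SELECTION = {
    "Inside": {("ingress", "request"), ("egress", "response")},
    "Outside": {("ingress", "response"), ("egress", "request")},
}


@dataclass(frozen=True)
class Flow:
    direction: str   # "ingress" (Into MSP Customer) or "egress" (Out of MSP Customer)
    src_port: int
    dst_port: int
    byte_count: int


def classify(flow):
    """Return (application, side) for a flow, or None if no group matches.

    Assumption: a flow whose destination port belongs to an application group is
    a client -> server Request; a flow whose source port belongs to a group is the
    server -> client Response. The destination port is checked first, so a flow
    between two well-known ports is treated as a Request.
    """
    if flow.dst_port in APP_GROUPS:
        return APP_GROUPS[flow.dst_port], "request"
    if flow.src_port in APP_GROUPS:
        return APP_GROUPS[flow.src_port], "response"
    return None


def application_rows(flows, service, top_n=25):
    """Build Report Table rows (application, into, out_of, sum) in bytes for one
    Service selection, sorted by Sum descending and cut to the top N."""
    if service not in SERVICE_SELECTION:
        raise ValueError(f"unknown Service selection: {service!r}")
    totals = defaultdict(lambda: {"ingress": 0, "egress": 0})
    for flow in flows:
        classified = classify(flow)
        if classified is None:
            continue                      # not covered by any application group
        app, side = classified
        if (flow.direction, side) not in SERVICE_SELECTION[service]:
            continue                      # belongs to the other Service selection
        totals[app][flow.direction] += flow.byte_count
    rows = [(app, t["ingress"], t["egress"], t["ingress"] + t["egress"])
            for app, t in totals.items()]
    rows.sort(key=lambda row: (-row[3], row[0]))
    return rows[:top_n]


# Constructed sample flows for one MSP Customer (not captured data).
SAMPLE_FLOWS = [
    Flow("ingress", 51000, 443, 1000),   # external client -> internal web server  (Inside, Request)
    Flow("egress", 443, 51000, 9000),    # internal web server reply               (Inside, Response)
    Flow("ingress", 40000, 25, 500),     # external client -> internal mail server (Inside, Request)
    Flow("egress", 52000, 53, 200),      # internal client -> external DNS server  (Outside, Request)
    Flow("ingress", 53, 52000, 600),     # external DNS server reply               (Outside, Response)
    Flow("egress", 40001, 40002, 100),   # no matching application group: ignored
]

if __name__ == "__main__":
    for service in ("Inside", "Outside"):
        print(service, application_rows(SAMPLE_FLOWS, service))
```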
Click on the Application sub menu of Attribute Report under the MSP Customer/Report main menu
to enter the Application Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located at the top of the screen and contains the condition options below:
MSP Customer: lists all MSP Customer entities configured in the system.
Time Range: a flexible way to specify the time interval of the report. There are two ways to specify the time interval in the system: one is Time Range and the other is Period (see the description below for details). When this way is chosen, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the other way to specify the report's time interval. In this way, five fixed time intervals are provided, with the end time of the analysis report specified from the Until drop-down list. When this way is chosen, the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time. This drop-down list represents the start time of the report's time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table is shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date is highlighted), and then click on the OK button; or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose the Period way to specify the report's time interval, this drop-down list is unavailable.
Until: year, month, date, and time. This drop-down list represents the end time of the report's time interval. Please refer to the Start Time description above for operation.
Unit: bps (bits per second) and pps (packets per second).
Output: users can view the report on the web or download it in CSV format by selecting Show on Web or Download Graph CSV from the drop-down list.
Chart: three types of output report chart are provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is Stacked Chart.
Service: the traffic direction to query, Inside or Outside.
Submit: after setting the query conditions, click on this button to submit the query.
Report Chart
Stacked Chart. The X-coordinate represents time and is scaled according to the time interval selected by users. The Y-coordinate represents traffic volume. The data is divided into two parts by the X-axis: the upper part represents the traffic into the MSP Customer entity and the lower part represents the traffic out of the MSP Customer entity. In the chart, each stacked band represents one kind of traffic and the bands are additive, that is to say the outer edge of all stacked bands represents the total traffic of all bands. (The colored objects next to the check boxes indicate which application each band is.)
Bar Chart. The Bar Chart is presented with horizontal bars; three colors of bars separately represent the Ingress, Egress, and Sum traffic statistics.
Pie Chart. Three pie charts separately represent the Ingress, Egress, and Sum traffic statistics.
Report Table
There are tabs at the top right corner of the table: Average, Current, and Maximum.
Average: the average values during the selected time interval.
Current: the values of the last data sample in the selected time interval.
Maximum: the maximum values during the selected time interval.
Users can click on a tab to view the detail data for it. The blue tab is the page currently being viewed. Selecting the check box at the front of a row draws that traffic in the Report Chart, so users can compare the traffic of different applications clearly by unselecting applications and leaving only those they want. An All check box lets users conveniently select all check boxes at once. Click on the Submit button (in the Query Bar) to refresh the screen for your selection. In addition, users can use the Download Excel-XML button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file separates the Average, Current, and Maximum tables into three different worksheets.
Please refer to the Operation Procedure to Query Reports part in the Traffic section of MSP Customer/Report for details.
8.2.4.2
Protocol
The Protocol traffic analysis of the MSP Customer attribute report provides information about the ingress/egress (Into MSP/Out of MSP) traffic of a specific MSP Customer entity, aggregated according to protocol (e.g. TCP/6, UDP/17, ICMP/1...). In total, the top 50 protocols are stored in the database and the top N (N: default = 25) are displayed in the report. Each row of the Report Table displays the Into Customer/Out of Customer traffic for the protocol, and the value in the Sum column is the total of the Into Customer and Out of Customer traffic.
Click on the Protocol sub menu of Attribute Report under the MSP Customer to enter the Protocol Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Application section of Attribute Report under the MSP Customer/Report main menu for details.
Apart from the data listed in the Report Table, the descriptions are the same. For Protocol reports, the Report Table displays the top N protocols.
Please refer to the Operation Procedure to Query Reports part in the Traffic section of the MSP Customer/Report function for details.
8.2.4.3
Protocol/Port
The Protocol/Port traffic analysis of the MSP Customer attribute report provides information about the ingress/egress (Into MSP/Out of MSP) traffic of a specific MSP Customer entity, aggregated according to protocol plus port number (service). Each row of the Report Table displays the Into Customer/Out of Customer traffic for the Protocol/Port (service), and the value in the Sum column is the total of the Into Customer and Out of Customer traffic. The top 128 are stored in the database and the top N (N: default = 25) are displayed in the report.
In this report, users can obtain not only the traffic Into MSP Customer and Out of MSP Customer for the service (Protocol/Port), but also the traffic between the Request side and the Response side. For example, when a client issues a request to a server, that traffic belongs to Request traffic; when the server replies to the client, that traffic belongs to Response traffic. (The server is the Response side and the client is the Request side.) A Service drop-down list is provided for users to select the traffic direction. Two items are selectable, Inside and Outside. Inside means the server is inside the MSP Customer entity and represents the Request data of Ingress traffic or the Response data of Egress traffic. Outside means the server is outside the MSP Customer entity and represents the Response data of Ingress traffic or the Request data of Egress traffic.
Click on the Protocol/Port sub menu of Attribute Report under the MSP Customer/Report main menu to enter the Protocol/Port Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Application section of Attribute Report of MSP Customer/Report for details.
Apart from the data listed in the Report Table, the descriptions are the same. For Protocol/Port reports, the Report Table displays the top N Protocol/Port (services).
Please refer to the Operation Procedure to Query Reports part in the Traffic section of MSP Customer/Report for details.
8.2.4.4
TOS
The TOS traffic analysis of the MSP Customer attribute report provides information about the ingress/egress (Into MSP/Out of MSP) traffic of a specific MSP Customer entity, aggregated according to the 256 TOS values. Each row of the Report Table displays the Into MSP Customer/Out of MSP Customer traffic for the TOS value, and the value in the Sum column is the total of the Into MSP Customer/Out of MSP Customer traffic. In total, the top 50 TOS values are stored in the database and the top N (N: default = 25) are displayed in the report.
Click on the TOS sub menu of Attribute Report under the MSP Customer/Report main menu to enter the TOS Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Application section of Attribute Report under the MSP Customer/Report menu for details.
Apart from the data listed in the Report Table, the descriptions are the same. For TOS reports, the Report Table displays the top N TOS values.
Please refer to the Operation Procedure to Query Reports part in the Traffic section of MSP Customer/Report for details.
8.2.4.5
Packet Size
The Packet Size traffic analysis of the MSP Customer attribute report provides information about the ingress/egress (Into MSP/Out of MSP) traffic of a specific MSP Customer entity, aggregated according to packet size. The packet size is calculated by dividing the byte count by the number of packets. The packet size segments are: <32, 32-64, 64-96, 96-128, 128-160, 160-192, 192-224, 224-256, 256-320, 320-384, 384-448, 448-512, 512-768, 768-1024, 1024-1536, and >1536.
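As an added example (not part of this manual or the product's code), the Python below computes the average packet size of a flow record, places it in one of the segments listed above, and aggregates the Into/Out of MSP Customer and Sum columns per segment. The manual does not say which end of a segment is inclusive, so the lower-inclusive, upper-exclusive rule and the sample records are assumptions.

```python
from collections import defaultdict

# Segment upper bounds taken from the manual's list; the first segment is "<32"
# and the last is ">1536". Assumption (the manual does not say which end of a
# segment is inclusive): a segment covers [lower, upper) bytes.
SEGMENT_BOUNDS = [32, 64, 96, 128, 160, 192, 224, 256, 320, 384, 448, 512, 768, 1024, 1536]


def packet_size_segment(byte_count, packet_count):
    """Return the segment label for the average packet size bytes / packets,
    or None when there are no packets (the average is undefined)."""
    if packet_count <= 0:
        return None
    average = byte_count / packet_count
    lower = 0
    for upper in SEGMENT_BOUNDS:
        if average < upper:
            return "<32" if lower == 0 else f"{lower}-{upper}"
        lower = upper
    return ">1536"        # an average of exactly 1536 lands here under the [lower, upper) rule


def segment_labels():
    """All 16 segment labels in report order, so empty segments can still be listed."""
    labels, lower = [], 0
    for upper in SEGMENT_BOUNDS:
        labels.append("<32" if lower == 0 else f"{lower}-{upper}")
        lower = upper
    labels.append(">1536")
    return labels


def packet_size_report(flows):
    """Aggregate (direction, bytes, packets) records per segment. Returns
    {segment: {"in": bytes, "out": bytes, "sum": bytes}} for the segments that
    recorded traffic, in report order, mirroring the Into/Out of MSP Customer
    columns and the Sum column of the Report Table."""
    table = defaultdict(lambda: {"in": 0, "out": 0, "sum": 0})
    for direction, byte_count, packet_count in flows:
        segment = packet_size_segment(byte_count, packet_count)
        if segment is None:
            continue                      # record without packets: nothing to place
        table[segment][direction] += byte_count
        table[segment]["sum"] += byte_count
    return {label: table[label] for label in segment_labels() if label in table}


# Constructed sample records (direction, bytes, packets); not captured data.
SAMPLE_FLOWS = [
    ("in", 1500, 1),       # 1500-byte packet        -> 1024-1536
    ("out", 64, 2),        # average 32 bytes        -> 32-64 (lower bound inclusive)
    ("in", 40, 4),         # average 10 bytes        -> <32
    ("out", 3000, 1),      # 3000-byte packet        -> >1536
    ("in", 4500, 3),       # 1500-byte packets       -> 1024-1536
    ("out", 0, 0),         # no packets: skipped
]

if __name__ == "__main__":
    for segment, columns in packet_size_report(SAMPLE_FLOWS).items():
        print(f"{segment:>10} {columns}")
```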
Click on the Packet Size sub menu of Attribute Report under MSP Customer/Report to enter the Packet Size Report window.
Report Descriptions
There are three parts in the Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Application section of Attribute Report under MSP Customer/Report.
Apart from the data listed in the Report Table, the descriptions are the same. For Packet Size reports, the Report Table displays the packet size segments for which traffic data was recorded.
Please refer to the Operation Procedure to Query Reports part in the Traffic section of the MSP Customer/Report function for details.
8.2.5
TopN Report
The TopN Report of MSP Customer presents the TopN analyses and reports. Up to the top 256 top-N objects are stored in the DB and the top N (N: 16, 32, 64, 128, or 256) are displayed in the report. With this report, users can quickly and easily obtain the top-N origins and targets of the traffic analysis. Click on the TopN Report sub menu under the MSP Customer/Report menu to enter the TopN Report window. The system displays various analysis reports and statistics according to the selected defined TopN Report, traffic unit, and time interval.
Note
Only the MSP administrator, who is defined in the System Admin/Network/MSP Customer/MSP Customer function, can configure the aggregation rule of a TopN report on the MSP Collector device. In addition, only the defined TopN Reports of the MSP Customers are displayed here.
Click on the unfolding mark of the TopN Report sub menu of MSP Customer/Report to enter the TopN Report window.
Report Descriptions
There are three parts in the Detail Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located at the top of the screen and contains the condition options below:
MSP Customer: select the MSP customer.
TopN Report: the defined TopN reports configured for the selected MSP customer.
Time Range: a flexible way to specify the time interval of the report. There are two ways to specify the time interval in the system: one is Time Range and the other is Period (see the description below for details). When this way is chosen, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the other way to specify the report's time interval. In this way, five fixed time intervals are provided, with the end time of the analysis report specified from the Until drop-down list. When this way is chosen, the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time. This drop-down list represents the start time of the report's time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table is shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date is highlighted), and then click on the OK button; or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose the Period way to specify the report's time interval, this drop-down list is unavailable.
Until: year, month, date, and time. This drop-down list represents the end time of the report's time interval. Please refer to the Start Time description above for operation.
Unit: bps and pps are available in the drop-down list.
Output: users can view the report on the web, or download it as a CSV, PDF or XML file, by selecting Show on Web, Download Graph CSV, Download PDF file, or Download XML file from the drop-down list.
Chart: three kinds of output report type are provided: Stacked Chart, Bar Chart and Pie Chart. The default setting is Stacked Chart.
Submit: after setting the query conditions, click on this button to submit the query.
Report Chart
Stacked Chart. The X-coordinate represents time and is scaled according to the time interval selected by users. The Y-coordinate represents traffic volume. The data is divided into two parts by the X-axis: the upper part represents the traffic matching the defined filter entity and the lower part represents the opposite direction. In the chart, each stacked band represents one kind of traffic and the bands are additive, that is to say the outer edge of all stacked bands represents the total traffic of all bands. (The colored objects next to the check boxes indicate which TopN object each band is.)
Bar Chart. The Bar Chart is presented with horizontal bars; three colors of bars separately represent the Ingress, Egress, and Sum traffic statistics.
Pie Chart. Three pie charts separately represent the Ingress (Filter), Egress (Opposite), and Sum traffic statistics.
Report Table
This table displays the traffic analysis statistics for all TopN reports configured in the specific filter selected in the Filter drop-down list (in the Query Bar). There are four tabs at the top right corner of the table: Average, Current, Maximum and Usage.
Users can click on a tab to view the detail data for it. The blue tab is the page currently being viewed. Selecting the check box at the front of a row draws that traffic in the Report Chart, so that users can compare the traffic of different sorted top-N objects clearly. An All check box lets users select all check boxes at once. Click on the Submit button (in the Query Bar) to refresh the screen for your selection. In addition, users can use the Download Excel-XML button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file separates the Average, Current, Maximum and Usage tables into different worksheets.
Please refer to the Operation Procedure to Query Reports part in the Traffic section of MSP Customer/Report for details.
9
Anomaly Activities
The Anomaly Activities menu provides overall anomaly traffic reports. It differs from the Report menu, which focuses on the defined network detection scopes (Internet, Neighbor, Backbone, Router, Interface, Sub-Network, Rule-based Report) to present all their related traffic reports, and from the Anomaly Console menu, which presents the anomaly traffic report of every single anomaly event. There are two kinds of anomaly activity reports provided in the system: one is about Dark IP activity; the other is about abnormal Application activity. When users click on the unfolding mark of Anomaly Activities, all its sub menus are unfolded, including Dark IP and Worm.
9.1
Dark IP
The Dark IP menu provides various built-in dark IP traffic analysis reports. The system compiles various traffic statistics from all detected dark IP traffic, such as the overall dark IP traffic, the traffic of each infected host, the traffic of each victim host, the traffic into/out of each interface, and the traffic into/out of each Sub-Network entity. There are two types of analysis reports for Dark IP traffic: Summary Report and Breakdown Report. The following sections introduce how to query the various Dark IP traffic reports.
When users click on the unfolding mark of Anomaly Activities / Dark IP, all its sub menus are unfolded, including Summary Report and Breakdown Report.
9.1.1
Summary Report
The summary report of Dark IP traffic presents the overall dark IP traffic analysis for the user's entire network. With the Dark IP summary report, users can see briefly how much traffic went from/to dark IP space, how much dark IP traffic was dropped by the routers, and the number of infected hosts. Click on the Summary Report sub menu of the Anomaly Activities / Dark IP menu to enter the Summary Report window. The system displays various analysis reports for dark IP traffic according to the selected traffic unit, time interval, and traffic type.
Report Descriptions
There are two parts in the Traffic Report window: Query Bar and Report Chart.
Query Bar
This part is located at the top of the screen and contains the condition options below:
Time Range: a flexible way to specify the time interval of the report. There are two ways to specify the time interval in the system: one is Time Range and the other is Period (see the description below for details). When this way is chosen, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the other way to specify the report's time interval. In this way, five fixed time intervals are provided, with the end time of the analysis report specified from the Until drop-down list. When this way is chosen, the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time. This drop-down list represents the start time of the report's time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table is shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date is highlighted), and then click on the OK button; or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose the Period way to specify the report's time interval, this drop-down list is unavailable.
Until: year, month, date, and time. This drop-down list represents the end time of the report's time interval. Please refer to the Start Time description above for operation.
Output: users can view the report on the web or download it in CSV format by selecting Show on Web or Download Graph CSV from the drop-down list.
IP version: only Both is available in the drop-down list.
Submit: after setting the query conditions, click on this button to submit the query.
Report Chart
Three line charts are displayed here: infected hosts, bps, and pps. The X-coordinate represents time and is scaled according to the time interval selected by users. The Y-coordinate represents the unit in which the traffic is measured. In each chart, the average, maximum and current traffic values are indicated. The infected hosts chart shows the number of infected hosts over the time period; the maximum number supported by each Collector is 2000. In the bps and pps charts, the In traffic is the traffic into Dark IP space (the destination is a dark IP), the Out traffic is the traffic out of dark IP space (the source is a dark IP), and the Drop traffic is the traffic dropped by the routers.
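As an added example (not part of this manual or the product's code), the Python below applies the In/Out/Drop definitions above to flow records over one reporting interval and counts the infected hosts that would feed the infected hosts chart. The dark IP space, the sample flows, the rule that an infected host is the source of traffic sent into dark IP space, and the handling of dropped flows are all assumptions made for the example.

```python
import ipaddress

# Constructed dark IP space for the example: address blocks that are allocated
# but unused, so legitimate traffic should never be sent to or from them.
DARK_IP_SPACE = [ipaddress.ip_network("10.99.0.0/16"), ipaddress.ip_network("192.0.2.0/24")]


def is_dark(address):
    """True when the address falls inside the configured dark IP space."""
    ip = ipaddress.ip_address(address)
    return any(ip in network for network in DARK_IP_SPACE)


def dark_ip_summary(flows, interval_seconds):
    """Classify flow records as the manual's In, Out and Drop traffic and
    count infected hosts.

    flows: records with "src", "dst", "bytes", "packets" and "dropped" keys.
    Assumptions: an infected host is the source address of traffic sent into
    dark IP space; a flow flagged as dropped by a router is counted under Drop
    instead of In/Out.
    """
    if interval_seconds <= 0:
        raise ValueError("interval_seconds must be positive")
    totals = {key: {"bytes": 0, "packets": 0} for key in ("In", "Out", "Drop")}
    infected = set()
    for flow in flows:
        if is_dark(flow["dst"]):
            key = "In"                    # destination is a dark IP
            infected.add(flow["src"])     # the sender is probing unused space
        elif is_dark(flow["src"]):
            key = "Out"                   # source is a dark IP
        else:
            continue                      # ordinary traffic, not part of this report
        if flow["dropped"]:
            key = "Drop"
        totals[key]["bytes"] += flow["bytes"]
        totals[key]["packets"] += flow["packets"]
    return {
        "bps": {key: t["bytes"] * 8 / interval_seconds for key, t in totals.items()},
        "pps": {key: t["packets"] / interval_seconds for key, t in totals.items()},
        "infected_hosts": len(infected),
        "infected_host_list": sorted(infected),
    }


# Constructed sample flows for a 10-second interval (not captured data).
SAMPLE_FLOWS = [
    {"src": "172.16.1.10", "dst": "10.99.5.5", "bytes": 1200, "packets": 10, "dropped": False},
    {"src": "172.16.1.11", "dst": "10.99.7.7", "bytes": 600, "packets": 5, "dropped": True},
    {"src": "10.99.3.3", "dst": "172.16.2.20", "bytes": 300, "packets": 3, "dropped": False},
    {"src": "172.16.1.10", "dst": "192.0.2.9", "bytes": 800, "packets": 8, "dropped": False},
    {"src": "172.16.1.30", "dst": "172.16.2.40", "bytes": 5000, "packets": 50, "dropped": False},
]

if __name__ == "__main__":
    print(dark_ip_summary(SAMPLE_FLOWS, interval_seconds=10))
```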
Please refer to the Operation Procedure to Query Reports part in the Summary Report section
of Report / Internet for details.
9.1.2
Breakdown Report
Unlike the macroscopic summary report, the breakdown report provides further analysis of specific kinds of traffic. The breakdown report of Dark IP traffic includes five types of reports: Infected Hosts, Victim Hosts, Home Prefix, Interface, and Sub-Network.
When users click on the unfolding mark of Breakdown Report under the Anomaly Activities / Dark IP menu, all its sub menus are unfolded, including Infected Hosts, Victim Hosts, Interface, and Sub-Network.
9.1.2.1
Infected Hosts
The Infected Hosts traffic analysis of the Dark IP breakdown report provides information about the traffic amount of each infected host in a (Top N) Report Table. In total, the top 64 infected hosts are stored in the database and the top N (N: default = 25) are displayed in the report. Each row of the Report Table displays the infected host IP, traffic amount, and percentage of the total. Click on the Infected Hosts sub menu of Breakdown Report under the Anomaly Activities / Dark IP menu to enter the Infected Hosts Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located at the top of the screen and contains the condition options below:
Time Range: a flexible way to specify the time interval of the report. There are two ways to specify the time interval in the system: one is Time Range and the other is Period (see the description below for details). When this way is chosen, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
2009 Genie Network Resource Management Inc. All Rights Reserved.
Period: daily, weekly, monthly, quarterly, and yearly. This is the other way to specify the report's time interval. In this way, five fixed time intervals are provided, with the end time of the analysis report specified from the Until drop-down list. When this way is chosen, the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time. This drop-down list represents the start time of the report's time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table is shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date is highlighted), and then click on the OK button; or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose the Period way to specify the report's time interval, this drop-down list is unavailable.
Until: year, month, date, and time. This drop-down list represents the end time of the report's time interval. Please refer to the Start Time description above for operation.
Unit: bps (bits per second) and pps (packets per second).
Output: users can view the report on the web or download it in CSV format by selecting Show on Web or Download Graph CSV from the drop-down list.
Chart: three types of output report chart are provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is Stacked Chart.
IP version: only Both is available in the drop-down list.
Submit: after setting the query conditions, click on this button to submit the query.
Report Chart
Stacked Chart. The X-coordinate represents time and is scaled according to the time interval selected by users. The Y-coordinate represents the infected host number. In the chart, each stacked band represents one kind of traffic and the bands are additive, that is to say the outer edge of all stacked bands represents the total traffic of all bands. (The colored objects next to the check boxes indicate which infected host each band is.)
Bar Chart. The Bar Chart is presented with horizontal bars and displays the Egress traffic statistics of each infected host and the total traffic statistics of all of them.
Pie Chart. One pie chart represents the Egress traffic statistics.
Report Table
This table displays all kinds of traffic analysis statistics for the detected infected hosts. There are three tabs at the top right corner of the table: Average, Current, and Maximum.
Average: the average values during the selected time interval.
Current: the values of the last data sample in the selected time interval.
Maximum: the maximum values during the selected time interval.
Users can click on a tab to view the detail data for it. The blue tab is the page currently being viewed. Selecting the check box at the front of a row draws that traffic in the Report Chart, so users can compare the traffic of different infected hosts clearly by unselecting hosts and leaving only those they want. An All check box lets users conveniently select all check boxes at once. Click on the Submit button (in the Query Bar) to refresh the screen for your selection. In addition, users can use the Download Excel-XML button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file separates the Average, Current, and Maximum tables into three different worksheets.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
9.1.2.2
Victim Hosts
The Victim Hosts traffic analysis of the Dark IP breakdown report provides information about the traffic amount of each victim host in a (Top N) Report Table. In total, the top 64 victim hosts are stored in the database and the top N (N: default = 25) are displayed in the report. Each row of the Report Table displays the victim host IP, traffic amount, and percentage of the total. Click on the Victim Hosts sub menu of Breakdown Report under the Anomaly Activities / Dark IP menu to enter the Victim Hosts Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located at the top of the screen and contains the condition options below:
Time Range: a flexible way to specify the time interval of the report. There are two ways to specify the time interval in the system: one is Time Range and the other is Period (see the description below for details). When this way is chosen, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the other way to specify the report's time interval. In this way, five fixed time intervals are provided, with the end time of the analysis report specified from the Until drop-down list. When this way is chosen, the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time. This drop-down list represents the start time of the report's time interval. Users can specify the start date of the analysis report from either the year/month/date drop-down lists or a year-month-date time table. After clicking on Start Time, the year-month-date time table is shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date is highlighted), and then click on the OK button; or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose the Period way to specify the report's time interval, this drop-down list is unavailable.
Until: year, month, date, and time. This drop-down list represents the end time of the report's time interval. Please refer to the Start Time description above for operation.
Unit: bps (bits per second) and pps (packets per second).
Output: users can view the report on the web or download it in CSV format by selecting Show on Web or Download Graph CSV from the drop-down list.
Chart: three types of output report chart are provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is Stacked Chart.
IP version: only Both is available in the drop-down list.
Submit: after setting the query conditions, click on this button to submit the query.
Report Chart
Stacked Chart. The X-coordinate represents time and is scaled according to the time interval selected by users. The Y-coordinate represents the victim host number. In the chart, each stacked band represents one kind of traffic and the bands are additive, that is to say the outer edge of all stacked bands represents the total traffic of all bands. (The colored objects next to the check boxes indicate which victim host each band is.)
Bar Chart. The Bar Chart is presented with horizontal bars and displays the Ingress traffic statistics of each infected host and the total traffic statistics of all of them.
Pie Chart. One pie chart represents the Ingress traffic statistics.
Report Table
This table displays all kinds of traffic analysis statistics for the detected victim hosts. There are three tabs at the top right corner of the table: Average, Current, and Maximum.
9.1.2.3
Interface
The Interface traffic analysis of Dark IP breakdown report provides the information about the
dark IP traffic of each interface (the traffic sent to the interface from Dark IP space and the traffic
sent to Dark IP space from the interface). The system will display Top N (N: maximum = 64;
default = 25) interfaces in a (Top N) Report Table. Each row of Report Table will display router
name, interface name, into interface traffic, out of interface traffic, and sum traffic for each
interface. Click on the Interface sub menu of Breakdown Report under the Anomaly Activities
/ Dark IP menu to enter the Interface Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table. Please refer to the Report Descriptions part in the Infected Hosts section of Breakdown Report of Anomaly Activities / Dark IP for details.
Apart from the data listed in the Report Table, all other descriptions are the same. For Interface reports, the Report Table displays the top N interfaces, and no total percentage statistics are provided.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
9.1.2.4
Sub-Network
The Sub-Network traffic analysis of the Dark IP breakdown report provides information about the dark IP traffic of the Sub-Network entities defined in the system (the traffic sent to the Sub-Network entity from Dark IP space and the traffic sent to Dark IP space from the Sub-Network entity). The system displays the Top N (N: maximum = 64; default = 25) entities in a (Top N) Report Table. Each row of the Report Table displays the Sub-Network name, into-Sub-Network traffic, out-of-Sub-Network traffic, sum traffic, and total percentage for each Sub-Network. Click on the Sub-Network sub menu of Breakdown Report under the Anomaly Activities / Dark IP menu to enter the Interface Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located at the top of the screen and contains the condition options below:
Time Range: a flexible way to specify the time interval of the displayed report. Two ways of specifying the time interval are provided in the system: Time Range and Period (see the description below for details). When users choose Time Range, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the other way of specifying the report time interval. Five fixed time intervals are provided to present the analysis report, with the end time specified from the Until drop-down list. When users choose Period, the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time. This drop-down list represents the start time of the report time interval. Users can specify the start date of the analysis report either from the year/month/date drop-down lists or from a year-month-date time table. After clicking on Start Time, the year-month-date time table is shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date is highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose Period to specify the report time interval, this drop-down list is unavailable.
Until: year, month, date, and time. This drop-down list represents the end time of the report time interval. Please refer to the Start Time description above for operation.
Unit: bps (bits per second) and pps (packets per second).
Output: users can view the report on the web or download it in CSV format by selecting Show on Web or Download Graph CSV from the drop-down list.
Chart: three types of output report charts are provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is Stacked Chart.
IP version: only Both is shown in the drop-down list.
Submit: after finishing the query conditions, click on this button to submit the query.
Report Chart
Stacked Chart. The X-coordinate represents time and is scaled according to the time interval selected by users. The Y-coordinate represents traffic flow. The data is divided into two parts by the X-axis: the upper part represents the dark IP traffic into the Sub-Network and the lower part represents the traffic out of the Sub-Network. In the chart, each stacked band represents one kind of traffic and the bands are additive, that is to say the outer edge of all stacked bands represents the total traffic of all bands.
Bar Chart. The Bar Chart is presented with horizontal bars; three different bar colors separately represent the Into-SubNetwork, Out-of-SubNetwork, and Sum traffic statistics.
Pie Chart. Three pie charts are presented to separately represent the Into-SubNetwork, Out-of-SubNetwork, and Sum traffic statistics.
Report Table
There are three tabs at the top right corner of the table: Average, Current, and Maximum.
Average: the average values during the selected time interval.
Current: the values of the last data point in the selected time interval.
Maximum: the maximum values during the selected time interval.
Users can click on the tabs to view the detailed data for each. The blue tab marks the page currently displayed. Selecting the check box at the front of a row draws that entry's traffic in the Report Chart, so that users can compare the traffic of the selected entries clearly. An All check box selects all check boxes at once. Click on the Submit button (in the Query Bar) to refresh the screen for your selection. In addition, users can use the Download Excel-XML button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file separates the Average, Current, and Maximum tables into three different worksheets.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
9.2
Worm
The Worm menu provides various built-in application anomaly traffic analysis reports. The system compiles various traffic statistics from all detected abnormal application traffic, such as the overall application anomaly traffic, the traffic of each infected host, the traffic into/out of each interface, and the traffic into/out of each Sub-Network entity. There are two types of analysis reports for Application Anomaly traffic: Summary Report and Breakdown Report. In the following sections, we introduce how to query the various Application Anomaly traffic reports.
When users click on the unfolding mark of Anomaly Activities / Worm, all its sub menus are unfolded, including Summary Report and Breakdown Report.
9.2.1
Summary Report
The summary report of the Worm traffic presents the overall abnormal application traffic analysis. With the Application Anomaly summary report, users can see at a glance how much abnormal application traffic flows into and out of the Home network. Click on the Summary Report sub menu of the Anomaly Activities / Worm menu to enter the Summary Report window. The system displays various analysis reports for worm traffic according to the selected traffic unit, time interval, and traffic type.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located at the top of the screen and contains the condition options below:
Time Range: a flexible way to specify the time interval of the displayed report. Two ways of specifying the time interval are provided in the system: Time Range and Period (see the description below for details). When users choose Time Range, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the other way of specifying the report time interval. Five fixed time intervals are provided to present the analysis report, with the end time specified from the Until drop-down list. When users choose Period, the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time. This drop-down list represents the start time of the report time interval. Users can specify the start date of the analysis report either from the year/month/date drop-down lists or from a year-month-date time table. After clicking on Start Time, the year-month-date time table is shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date is highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose Period to specify the report time interval, this drop-down list is unavailable.
Until: year, month, date, and time. This drop-down list represents the end time of the report time interval. Please refer to the Start Time description above for operation.
Output: users can view the report on the web or download it in CSV format by selecting Show on Web or Download Graph CSV from the drop-down list.
Chart: three types of output report charts are provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is Stacked Chart.
IP Version: only Both is shown in the drop-down list.
Submit: after finishing the query conditions, click on this button to submit the query.
Report Chart
Stacked Chart. The X-coordinate represents time and is scaled according to the time interval selected by users. The Y-coordinate represents traffic flow. The data is divided into two parts by the X-axis: the upper part represents the traffic into Home and the lower part represents the traffic out of Home. In the chart, each stacked band represents one kind of traffic and the bands are additive, that is to say the outer edge of all stacked bands represents the total traffic of all bands.
Bar Chart. The Bar Chart is presented with horizontal bars; three different bar colors separately represent the Into-Home, Out-of-Home, and Sum traffic statistics.
Pie Chart. Three pie charts are presented to separately represent the Into-Home, Out-of-Home, and Sum traffic statistics.
Report Table
There are three tabs at the top right corner of the table: Average, Current, and Maximum.
Average: the average values during the selected time interval.
Current: the values of the last data point in the selected time interval.
Maximum: the maximum values during the selected time interval.
Users can click on the tabs to view the detailed data for each. The blue tab marks the page currently displayed. Selecting the check box at the front of a row draws that entry's traffic in the Report Chart, so that users can compare the traffic of the selected entries clearly. An All check box selects all check boxes at once. Click on the Submit button (in the Query Bar) to refresh the screen for your selection. In addition, users can use the Download Excel-XML button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file separates the Average, Current, and Maximum tables into three different worksheets.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
9.2.2
Breakdown Report
Unlike the macroscopic summary report, the breakdown report provides further analysis of specific kinds of traffic. The breakdown report of the Worm traffic includes three types of reports: Infected Hosts, Interface, and Sub-Network.
When users click on the unfolding mark of Breakdown Report under the Anomaly Activities / Worm menu, all its sub menus are unfolded, including Infected Hosts, Interface, and Sub-Network.
9.2.2.1
Infected Hosts
The Infected Hosts traffic analysis of the Worm breakdown report provides information about the traffic amount of each infected host in a (Top N) Report Table. In total, the top 64 infected hosts are stored in the database, and the top N (N: default = 25) are displayed in the report. Each row of the Report Table displays the infected host IP, traffic amount, and total percentage. Click on the Infected Hosts sub menu of Breakdown Report under the Anomaly Activities / Worm menu to enter the Infected Hosts Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Query Bar
This part is located at the top of the screen and contains the condition options below:
Worm: select a worm type from the drop-down list.
Note
All listed worm types are defined and enabled in the Application Anomaly of the System Admin/Network/Anomaly function.
Time Range: a flexible way to specify the time interval of the displayed report. Two ways of specifying the time interval are provided in the system: Time Range and Period (see the description below for details). When users choose Time Range, specify the start time and end time of the analysis report from the Start Time and Until drop-down lists.
Period: daily, weekly, monthly, quarterly, and yearly. This is the other way of specifying the report time interval. Five fixed time intervals are provided to present the analysis report, with the end time specified from the Until drop-down list. When users choose Period, the Start Time drop-down list is unavailable.
Start Time: year, month, date, and time. This drop-down list represents the start time of the report time interval. Users can specify the start date of the analysis report either from the year/month/date drop-down lists or from a year-month-date time table. After clicking on Start Time, the year-month-date time table is shown. Specify the year and month from the drop-down lists in the time table, click on the date to select it (the selected date is highlighted), and then click on the OK button, or click on the Cancel button to close the time table. Specify the time from the time drop-down list after selecting the year, month, and date. If users choose Period to specify the report time interval, this drop-down list is unavailable.
Until: year, month, date, and time. This drop-down list represents the end time of the report time interval. Please refer to the Start Time description above for operation.
Unit: bps (bits per second) and pps (packets per second).
Output: users can view the report on the web or download it in CSV format by selecting Show on Web or Download Graph CSV from the drop-down list.
Chart: three types of output report charts are provided: Stacked Chart, Bar Chart, and Pie Chart. The default setting is Stacked Chart.
IP version: only Both is shown in the drop-down list.
Submit: after finishing the query conditions, click on this button to submit the query.
Report Chart
Stacked Chart. The X-coordinate represents time and is scaled according to the time interval selected by users. The Y-coordinate represents the infected host number. In the chart, each stacked band represents one kind of traffic and the bands are additive, that is to say the outer edge of all stacked bands represents the total traffic of all bands. (The colored markers next to the check boxes indicate which infected host each band represents.)
Bar Chart. The Bar Chart is presented with horizontal bars and displays the Egress traffic statistics for each infected host and the total traffic statistics for all.
Pie Chart. One pie chart is presented to represent the Egress traffic statistics.
Report Table
This table displays all traffic analysis statistics of the detected infected hosts. There are three tabs at the top right corner of the table: Average, Current, and Maximum.
Average: the average values during the selected time interval.
Current: the values of the last data point in the selected time interval.
Maximum: the maximum values during the selected time interval.
Users can click on the tabs to view the detailed data for each. The blue tab marks the page currently displayed. Selecting the check box at the front of a row draws that host's traffic in the Report Chart, so that users can compare the traffic of different infected hosts clearly by unselecting the hosts they do not want and leaving those they do. An All check box lets users select all check boxes at once. Click on the Submit button (in the Query Bar) to refresh the screen for your selection. In addition, users can use the Download Excel-XML button to download the tabular data of the table as an XML file, which can be read by the Excel program. The downloaded file separates the Average, Current, and Maximum tables into three different worksheets.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
9.2.2.2
Interface
The Interface traffic analysis of the Worm breakdown report provides information about the traffic of each interface. The system displays the Top N (N: maximum = 64; default = 25) interfaces in a (Top N) Report Table. Each row of the Report Table displays the router name, interface name, into-interface traffic, out-of-interface traffic, and sum traffic for each interface. Click on the Interface sub menu of Breakdown Report under the Anomaly Activities / Worm menu to enter the Interface Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Infected Hosts section of Breakdown Report of Anomaly Activities / Worm for details.
Apart from the data listed in the Report Table, all other descriptions are the same. For Interface reports, the Report Table displays the top N interfaces, and no total percentage statistics are provided.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
9.2.2.3
Sub-Network
The Sub-Network traffic analysis of the Worm breakdown report provides information about the worm traffic of the Sub-Network entities defined in the system. The system displays the Top N (N: maximum = 64; default = 25) entities in a (Top N) Report Table. Each row of the Report Table displays the Sub-Network name, into-Sub-Network traffic, out-of-Sub-Network traffic, sum traffic, and total percentage for each Sub-Network. Click on the Sub-Network sub menu of Breakdown Report under the Anomaly Activities / Worm menu to enter the Interface Report window.
Report Descriptions
There are three parts in the Traffic Report window: Query Bar, Report Chart, and Report Table.
Please refer to the Report Descriptions part in the Infected Hosts section of Breakdown Report of Anomaly Activities / Worm for details.
Apart from the data listed in the Report Table, all other descriptions are the same. For Sub-Network reports, the Report Table displays the top N Sub-Network entities.
Please refer to the Operation Procedure to Query Reports part in the Summary Report section of Report / Internet for details.
3. You have to apply for the SSL server certificates through Certificate Authorities such as Verisign and other independent third parties.
Note
The certificate authorities may issue the SSL server certificates via email, as a downloadable file, or by displaying the contents directly in a pop-up window. Save the content of the SSL server certificate as a file, getcacert.cer, for GenieATM to download.
4. Download the SSL server certificate issued by the Certificate Authority to GenieATM.
ATM # copy ftp certificate
Address of remote host?
192.168.12.100
Source file name? (absolute path, file name with path)
/getcacert.cer
[Waiting for FTP transmission ...]
FTP file from: /getcacert.cer
[FTP_STATUS] FTP_SUCCESS, 593 Bytes received
[copy ftp certificate ... OK]
ATM #
5. Back up the SSL files (CRT, CSR, and Key files) to the FTP server.
ATM # copy ssl-files ftp
Address of remote host?
192.168.1.1
Destination file path? (The path to store SSL files)
/backup
[Waiting for FTP transmission ...]
FTP file to: /backup/mykey.key
[FTP_STATUS] FTP_SUCCESS, 887 Bytes transferred
FTP file to: /backup/mysite.csr
[FTP_STATUS] FTP_SUCCESS, 700 Bytes transferred
FTP file to: /backup/mysite.crt
[FTP_STATUS] FTP_SUCCESS, 1098 Bytes transferred
[copy ssl-files ftp ... OK]
ATM #
Note
It is strongly suggested to back up the CRT, CSR and private Key files in case of unexpected situations.
(The original table also carries four columns headed RQ, AR, ST and SP with entries 1, 0-1 or -; their row assignment is not reproduced here.)

Attribute                 Vendor  ID  Type of Value  Value
User-Name                 2865    1   String         User input
User-Password             2865    2   String         User input
NAS-IP-Address            2865    4   Ipaddr         ATM IP
NAS-Port                  2865    5   Integer        Request port
Service-Type              2865    6   Integer        Login (1)
Login-IP-Host             2865    14  Ipaddr         User IP
Reply-Message             2865    18  String         From RADIUS
Class                     2865    25  String         From RADIUS
Session-Timeout           2865    27  Integer        From RADIUS
Idle-Timeout              2865    28  Integer        X
Calling-Station-Id        2865    31  String         User IP (add 0)
NAS-Identifier            2865    32  String         ATM IP
Acct-Status-Type          2866    40  Integer        1: START, 2: STOP
Acct-Delay-Time           2866    41  Integer        0-4
Acct-Session-Id           2866    44  String         ATM
Acct-Session-Time         2866    46  Integer        ATM
Acct-Terminate-Cause      2866    49  Integer        1: User Request, 2: Lost Carrier, 4: Idle Timeout, 5: Session Timeout, 6: Admin Reset, 7: Admin Reboot
Event-Timestamp           2869    55  Integer        ATM
NAS-Port-Type             2865    61  Integer        Ethernet (15)
NAS-Port-ID               2869    87  Integer        0: eth0, 1: eth1
GENIE-USER-ROLE           9926    60  Integer        101: ADMINISTRATOR, 102: SUPERUSER, 103: VIEWING-ONLY, 104: Sub-Network-USER
GENIE-USER-GROUP-ID       9926    61  Integer
GENIE-USER-SubNetwork-ID  9926    62  Integer
GENIE-USER-LANGUAGE       9926    63  Integer        0: WESTERN, 1: TRADITIONAL-CHINESE, 2: SIMPLIFIED-CHINESE, 3: SHIFT-JIS
GENIE-USER-STATUS         9926    64  Integer        1: ACTIVE, 0: INACTIVE
GENIE-CLI-Privilege       9926    80  Integer        1: Normal-Mode, 2: Enable-Mode, 3: Configure-Mode
GENIE-CLI-Command         9926    81  String
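As an added example (not part of this manual and not GenieATM's own code), the following shows how the Genie attributes from the table above would be carried in a RADIUS Access-Accept and how a strict consumer would decode them. It assumes they travel as standard RFC 2865 Vendor-Specific attributes (type 26) under vendor ID 9926 with 4-octet big-endian Integers; the sample attribute list is constructed, and vendor ID 99999 is a placeholder for some other vendor.

```python
import struct

# Vendor ID and sub-attribute IDs exactly as listed in the manual's attribute table.
VENDOR_GENIE = 9926
ATTR_VSA = 26            # RFC 2865 Vendor-Specific attribute type
ATTR_REPLY_MESSAGE = 18  # standard attribute, used only to show it is passed over
GENIE_ATTRS = {
    60: "GENIE-USER-ROLE", 61: "GENIE-USER-GROUP-ID", 62: "GENIE-USER-SubNetwork-ID",
    63: "GENIE-USER-LANGUAGE", 64: "GENIE-USER-STATUS",
    80: "GENIE-CLI-Privilege", 81: "GENIE-CLI-Command",
}
STRING_ATTRS = {81}      # every other Genie attribute is an Integer (4 octets) per the table
ROLES = {101: "ADMINISTRATOR", 102: "SUPERUSER", 103: "VIEWING-ONLY", 104: "Sub-Network-USER"}


def encode_vsa(vendor_type, value):
    """Wrap one Genie sub-attribute in a Vendor-Specific attribute (RFC 2865 layout, assumed)."""
    payload = value.encode() if vendor_type in STRING_ATTRS else struct.pack("!I", value)
    sub = struct.pack("!BB", vendor_type, 2 + len(payload)) + payload
    body = struct.pack("!I", VENDOR_GENIE) + sub
    return struct.pack("!BB", ATTR_VSA, 2 + len(body)) + body


def decode_attributes(data):
    """Walk a RADIUS attribute list and return {name: value} for the Genie attributes found.
    Malformed lengths raise ValueError rather than being skipped, so a reply that does not
    parse cleanly can never feed an authorization decision."""
    found, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("attribute length out of range")
        body = data[pos + 2:pos + alen]
        pos += alen
        if atype != ATTR_VSA or len(body) < 6:
            continue                                   # standard attribute, or too short for a VSA
        if struct.unpack("!I", body[:4])[0] != VENDOR_GENIE:
            continue                                   # another vendor's VSA: ignore, do not fail
        vtype, vlen = body[4], body[5]
        if vlen < 2 or 4 + vlen > len(body):
            raise ValueError("vendor sub-attribute length out of range")
        name, vval = GENIE_ATTRS.get(vtype), body[6:4 + vlen]
        if name is None:
            continue                                   # Genie sub-attribute not in the table
        if vtype in STRING_ATTRS:
            found[name] = vval.decode("utf-8", "replace")
        elif len(vval) == 4:
            found[name] = struct.unpack("!I", vval)[0]
        else:
            raise ValueError(f"{name}: Integer value must be 4 octets")
    return found


def authorize(attrs):
    """Map a decoded Access-Accept to a role name; values outside the table's lists are refused."""
    if attrs.get("GENIE-USER-STATUS") != 1:            # 1: ACTIVE, 0: INACTIVE
        return None
    return ROLES.get(attrs.get("GENIE-USER-ROLE"))


# Constructed sample Access-Accept attribute list (not a real capture): a Reply-Message,
# a VSA from a placeholder vendor ID, then role ADMINISTRATOR, status ACTIVE, CLI Enable-Mode.
SAMPLE_ACCEPT = (
    struct.pack("!BB", ATTR_REPLY_MESSAGE, 9) + b"Welcome"
    + struct.pack("!BBIBB", ATTR_VSA, 8, 99999, 1, 2)
    + encode_vsa(60, 101) + encode_vsa(64, 1) + encode_vsa(80, 2)
)
```

`decode_attributes(SAMPLE_ACCEPT)` yields the three Genie values and `authorize` maps them to ADMINISTRATOR; an INACTIVE status or a role code not in the table yields no role at all.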