One of the great features of Scrutinizer is the My View page, which provides a customized interface on a per-user basis. It lets you choose from many existing gadgets, or, with a little HTML know-how, customers can build their own.
Plixer's Flow Analytics module comes with several gadgets built in that give the administrator even more visibility into network traffic. One is called the Top Flows gadget, a chart that displays how many flows and conversations are attributed to the top 10 communicating hosts, across all routers set to be monitored. In order to understand the chart below, it's important to know what we mean by Flows and Conversations.
A conversation between two people involves a series of exchanged statements, right? A conversation between hosts in Scrutinizer and Flow Analytics works the same way. In this gadget, a host's conversation count is the number of unique hosts that the source or destination host is communicating with.
Consider a Flow to be one unique entry for a host in the database for the time frame selected; a host's flow count is how many of those entries it has. Clear as mud?
Let’s take a look at the chart:
We have two main columns, "Top Src Flows and Conv" and "Top Dst Flows and Conv", with hosts listed in order of the greatest number of Flows.
“Ok great… So as a network administrator why is this important to me?”
I’m glad you asked…
First, this is an informative chart, not an alarm gadget. Entries are yellow when there are outstanding alarms for the host displayed. Mouse over the '!' sign to see how many, and click it to drill in and view them.
Second, it's not all about the ratio of Flows to Conversations. For example, let's say you're walking down the street and this guy says…
“Hey buddy… Come here. I got a great deal for you today. Come here!!!”
If you ignore the person and don't say anything back, this is considered a scan. It could involve one or hundreds of packets in one direction. Because he was trying to get you to respond, he would be using TCP. However, because you didn't respond, flows are only created in one direction. One conversation occurred, using one or more flows.
Some may reply, "No thank you sir… Please don't kill me", and walk away. In this case, a conversation occurred on one or more unique ports with completed TCP handshakes, so flows are created in both directions. Two conversations occurred with two or more flows, depending on the number of applications involved. Routers and switches create a new, unique flow whenever the source and destination ports, among other fields of the tuple, don't match an existing one.
The million dollar question…
Do flows in one direction mean that something is wrong? NO! For example, say that on that same corner someone started singing a song to you and you decided to stand there and listen without so much as a "thank you". This would be like UDP, with each lyric causing a unique flow in one direction (e.g. syslog messages or SNMP traps). UDP doesn't require the handshakes that TCP does, so nothing ever flows back. The above results in one conversation and, generally, hundreds of flows.
And that's the way it works. A high ratio of flows to conversations is not necessarily good, and a low ratio is not necessarily bad. What does look suspicious is a host with a large number of flows where the flow count and the conversation count are the exact same number: every flow went to a different host and none of them turned into a two-way exchange, which is the footprint of a sweep. Maybe I'll digress on this later.
…Anyway, that’s why the Top Flows gadget is important to you.