IP module: Difference between revisions
Revision as of 08:13, 23 April 2020
The IP module operates on layer 3 of the network stack. It stores information about all IPv4 and IPv6 addresses. For every address, the corresponding network traffic is accounted, together with the protocols used and the traffic of each protocol. The communication peers are stored as well as the traffic between both IP addresses. Every connection, its amount of traffic and its protocol can be accessed too.
Web interface
IP addresses tab
The IP addresses tab shows the complete list of all IP addresses seen by the system. The button row allows selecting which information is shown or hidden so that only the relevant information fits on the screen. By clicking on “Counters (combined)” the table toggles between showing sent and received bytes and packets in one column or in separate columns for sorting purposes. For each address, the table contains the following information:
- Alternative names
The names are gathered from different data sources. If known, the DNS name is shown first. Secondly, there can be the DHCP name as announced by the system itself. Thirdly, the name of the vendor of the network card of the system using the IP address is shown as well. These three names make it easy to identify the system behind an IP address. The name information is also used when filtering the table for an entered string.
- First (recent) activity
This column shows the time of first activity of an IP address after a long inactivity period. This column can be sorted to see the IP addresses that became active in the recent past.
- Last activity
The last activity of an IP is the time of the last packet for that IP.
- Packets and Bytes
This is the number of packets and bytes, sent by the IP address as a blue arrow up, and the received packets and bytes as a yellow arrow down.
- Packets/s and Bits/s
Both numbers describe the current throughput of this IP address.
- TCP packets and UDP packets
This is the number of TCP and UDP packets that have been seen for this IP.
- TCP payload and retransmissions
These two columns show the number of bytes transmitted as TCP payload and how many bytes have been retransmitted, indicating a bad connection quality.
- Graph
The graph column shows the history graph of the traffic for each IP address. It shows the timestamp on the x-axis and the bytes on the y-axis. The resolution can be changed by using the control buttons on the top of the web page.
- PCAP
It is possible to download the traffic of an IP address by clicking on the download button. The captured packets are not stored on the system but are sent directly over the HTTP connection to your computer. To stop the capture, click on the same button again (which has turned into a STOP symbol), or go to the capture traffic page in the generic section and stop the corresponding download.
When multiple pages are available, there will be a control field for switching pages.
The IP search bar allows entering IP addresses or names to show only those elements for which the entered string is part of the IP address or name.
Also, complex filter expressions are possible if the string starts with an open parenthesis “(”. See Live filtering of tables for a detailed description of how to use this feature.
The columns can be sorted also, for example to easily spot the IP addresses with the most bytes, or the highest current throughput.
Below the table a CSV download button provides the ability to download the whole table contents in CSV format. Sorting and filtering are applied as selected for the table but all IPs in the table are exported, not only the currently visible page.
IP groups tab
The IP statistics can also be summarized for a group of IP addresses. This is useful for getting an overview of the traffic of a specific part of the network, for instance all servers or client PCs. Any IP subnet can be configured to be used as a group and the statistics will then show the amount of traffic for all IP addresses within the subnet, its peer addresses and so on. Multiple IP groups can overlap so that an IP address is part of multiple IP groups. When Virtual Link Groups are defined, the IP group is accounted separately for each Virtual Link Group.
The name of a matching IP group is shown in all places where IP names are shown to make it easy to identify the IP address details. For example, if IP groups are defined for multiple data center locations (each having a different IP subnet), the name of the data center is visible for each IP address in its subnet. Filtering for those names is also possible in the IP list to be able to find IP addresses.
Configuration
To open the configuration dialog, click on the “Configure groups” button. The dialog allows adding new groups by clicking on the plus button in the first column. Existing groups can be removed by clicking the corresponding minus button. For each group, a name can be entered. Then the subnets for this group must be configured by clicking on the “Add subnet” button on the right side of the dialog. The subnet must be entered as an IP address and the mask prefix.
Examples are 10.1.2.3/8 for a class A subnet, or 192.168.1.0/24 for a class C subnet. Multiple subnets per group are possible.
To apply the configuration press the “Save” button. The changes take effect immediately. The number of possible IP groups is limited by a global configuration setting in the IP module configuration section (see below for detailed information about these settings). By default, up to 32 IP groups can be configured. The maximum number of IP groups can be increased to 65535. Increasing the maximum number of IP groups reduces the available memory for measurement data, so it should only be set to the value necessary for the actual use case to avoid wasting memory for unused IP groups.
IP groups may overlap which means that an IP address is allowed to be part of multiple groups. The traffic counters for that IP will be accounted for all matching groups so the total sum of the traffic of those groups will be higher than the sum of the individual IPs.
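The overlap rule above, carried through in code. This is an added example, not code from the page or from the product: the group names, the subnets and the flow records are constructed, and the accounting model (a group counter is the sum of the per-IP counters of its member addresses) is an assumption drawn from the text.

```python
import ipaddress
from collections import defaultdict

# Constructed group definitions: name -> subnets in prefix notation.
# "10.1.2.3/8" deliberately has host bits set, as in the page's example.
IP_GROUPS = {
    "all-private-10": ["10.1.2.3/8"],
    "datacenter-a": ["10.1.0.0/16"],   # overlaps with all-private-10
    "clients": ["192.168.1.0/24"],
}


def parse_groups(groups):
    """Return {name: [ip_network, ...]}. strict=False masks off host bits,
    so "10.1.2.3/8" is stored as the subnet 10.0.0.0/8."""
    return {
        name: [ipaddress.ip_network(s, strict=False) for s in subnets]
        for name, subnets in groups.items()
    }


def groups_for_ip(ip, parsed):
    """All group names whose subnets contain ip (possibly more than one)."""
    addr = ipaddress.ip_address(ip)
    return sorted(
        name for name, nets in parsed.items() if any(addr in net for net in nets)
    )


def account(flows, parsed):
    """flows: iterable of (src_ip, dst_ip, byte_count).
    Returns (per_ip, per_group) byte totals, sent plus received.
    Assumed model: every IP's bytes are added to each group it belongs to,
    so overlapping groups count the same bytes more than once."""
    per_ip = defaultdict(int)
    per_group = defaultdict(int)
    for src, dst, nbytes in flows:
        for ip in (src, dst):
            per_ip[ip] += nbytes
            for group in groups_for_ip(ip, parsed):
                per_group[group] += nbytes
    return dict(per_ip), dict(per_group)


# Constructed flow records: (source, destination, bytes).
SAMPLE_FLOWS = [
    ("10.1.5.7", "192.168.1.20", 1000),
    ("10.200.0.1", "10.1.5.7", 500),
]

if __name__ == "__main__":
    parsed = parse_groups(IP_GROUPS)
    per_ip, per_group = account(SAMPLE_FLOWS, parsed)
    print("per IP:   ", per_ip)
    print("per group:", per_group)
    # The group sum (4500) exceeds the per-IP sum (3000) because 10.1.5.7
    # sits in two groups and the second flow stays inside all-private-10.
    print("sum IPs:", sum(per_ip.values()), "sum groups:", sum(per_group.values()))
```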
Available statistics
The statistics available for each group are almost identical to those for individual IP addresses. The “IP groups” tab lists the groups and their traffic just like the “IP addresses” tab lists the IP addresses and their traffic. Clicking on a group name leads to the group detail view, which is similar to the IP detail view. For a group, you can see the amount of traffic, the protocols used, the peer IP addresses, open TCP ports, and TCP statistics. For details, see the section “Per IP statistics” below. In addition to the IP details view, there is also a tab “List of IPs” which shows the traffic statistics for the IP addresses of this group. Capturing traffic for a group will capture the network traffic of all IP addresses within this group.
Global IP statistics tab
The global IP statistics tab shows global sums of the processed IPv4 and IPv6 traffic and of often used layer 4 protocols. Non-IP packets such as ARP packets are indicated as other traffic and are not covered by this module. The available information is:
- Layer 3 protocols (IPv4, IPv6 and non-IP traffic, its distribution over time and a history graph)
- Layer 4 protocols (TCP, UDP and traffic for other often used layer 4 protocols, its distribution over time and a history graph)
- Number of IPv4 fragmented packets (distribution over time and a history graph)
For layer 3 and layer 4 protocols, traffic can be downloaded by clicking on the PCAP download button. The captured packets are not stored on the system but are sent directly over the HTTP connection to your computer. To stop the capture, click on the same button again (which has turned into a STOP symbol), or go to the capture traffic page in the generic section and stop the corresponding download.
Per IP statistics
It is possible to select an IP from the list of IP addresses and get a more detailed view of the information stored about that IP. The headline of the page includes three buttons. The first button (left arrow) navigates back to the complete IP overview. The second button (download) allows downloading the traffic for the current IP address. The third button opens this manual section. Below the buttons there are two graphs for the packets and bytes sent and received by the IP address. The third section contains six tabs for various information about the selected IP.
Overview tab
This tab summarizes all the standard information from the main IP view, such as
- the alternative names,
- the packet and bytes counters, and
- the current throughput.
Additionally, the top DPI protocols are printed both in the table and as a pie chart at the bottom of the page. The last line in the table shows the MAC addresses seen for this IP address. There can be multiple MAC addresses for the same IP, for example if DHCP reuses the IP address after some time. The last new connection time is the start time of the last connection seen for this IP. There is also a download button to capture the traffic for the specific IP and MAC address pair. The final two rows show all VLAN tags that have been seen for the given IP. An IP address might be visible in multiple VLANs. If the Multimeter is installed at a mirror port of a switch which also modifies the VLAN tag, it might happen that an IP address is seen both without a VLAN tag (none) and with a specific VLAN tag. This setup will decrease the quality of the results because the VLAN information is also used to distinguish connections. The measurement results can be improved if the mirror port is reconfigured to only see traffic with VLAN tags or completely without VLAN tags. The last row shows the device's interfaces at which the IP has been seen. The displayed interface always considers the sender side of an IP connection. This information helps especially in bridge mode to determine at which side of a link the IP address is visible as the sender of packets.
Layer 3 QoS tab
This tab lists all seen IP DSCP values for the current IP. Several traffic counters are displayed and a history graph of the traffic over time. A PCAP button allows for capturing the specific QoS tagged traffic for that IP. By clicking on the shown DSCP class name you will be redirected to the ‘Connection’ tab with a filter active that only shows connections for that specific DSCP value.
Layer 2 QoS tab
This tab lists all seen MPLS traffic classes and VLAN priority code points for the current IP. Several traffic counters are displayed and a history graph of the traffic over time. A PCAP button allows for capturing the specific QoS tagged traffic for that IP. By clicking on the shown QoS class name you will be redirected to the Connection tab with a filter active that only shows connections for that specific QoS.
Protocols tab
This tab lists the DPI protocols for the current IP. The download button allows capturing the traffic for the IP and protocol pair.
Peers tab
The Peers tab shows all communication peers the current IP address has talked to. The table contains the IP address, which can be clicked to see the statistics for that IP. The alternative names are shown, depending on which data is available (DNS name, DHCP name, NIC vendor name). The packets and bytes columns show the total amount of data transferred between those two IP addresses. The list of peers can be filtered by entering a string into the text area. Also, complex filter expressions are possible if the string starts with an open parenthesis “(”. See Live filtering of tables for details.
Connections tab
The Connections tab lists all connections that involve the current IP. The button rows allow selecting which kind of information should be shown. The table lists the client and server side and shows the IP address, port, and corresponding country of that IP. The layer 4 protocol column shows the layer 4 protocol used (TCP, UDP, or others). The start time is the time of the first packet for that connection, while the last activity column shows the time of the last packet seen so far for the connection. It is possible to sort by both fields to see the most recently active connections. The number of packets and bytes as well as the current throughput is shown too. The DPI protocol column shows the detected layer 7 protocol. The Response time column contains response times for TCP, the maximum HTTP response time for HTTP connections, or the SSL response times for SSL connections. The column also contains a score for this connection and this IP, based on the average response times of the server. See HTTP module and SSL module for additional information. When sorting the column and more than one time value is shown in a field, the maximum of all time values of that field is taken into account. The TCP retransmissions columns show the number of bytes that have been retransmitted on the TCP layer because of packet loss. A high percentage indicates connection problems for this communication pair. The TCP max window size columns show the size of the biggest TCP receive window announced for each direction of a connection. The TCP window size limit columns show the maximum possible value that could be used for the TCP receive window size. This is calculated from the announced TCP window scale option for each direction of a connection. The raw window scale (ws) shift count value is displayed in parentheses next to the byte value. The TCP window size limit usage columns show the ratio of the TCP max window size values to the TCP window size limit values in percent.
The Client announced and negotiated TLS version and cipher suites columns show the TLS versions and all supported cipher suites announced by the client during an SSL client hello. In the negotiated columns the currently used TLS version and cipher suite are shown as indicated by the SSL server hello. As the client announced cipher suite list can be quite long, it is possible to expand or collapse the list by clicking on it. The column Meta data may contain additional information that could be retrieved depending on the protocol. For instance, for HTTP traffic this column shows the request URL and response code for the last transaction seen in the corresponding connection. The columns VLANs and Interfaces show which VLAN tags have been seen for a specific connection and at which interface the connection has been established. This is especially helpful in bridge mode to determine at which side of a link the connection has been established. The column MPLS shows all seen MPLS labels for every direction of the connection. The full label stack is shown. A no label indication is given if no MPLS labels have been used. If an MPLS label changes at any time while the connection is active, a ‘changed’ indication is given. In this case the most recent MPLS labels are displayed. The column QoS shows all seen QoS service classes for every direction of the connection. IP DSCP, outermost MPLS traffic classes and outermost VLAN priority code points may be detected and displayed. If a QoS class changes at any time while the connection is active, a ‘changed’ indication is given. In this case the most recent QoS service classes are displayed. The column Graph shows the historical throughput for each connection. A PCAP button allows capturing the specific connection. The list of connections can be filtered by entering a string into the text area. Also, complex filter expressions are possible if the string starts with an open parenthesis “(”. See Live filtering of tables for details.
Open TCP server ports
This tab shows the list of ports on which the IP address has accepted incoming connections. It shows which service is (usually) behind the port. Additionally, the first and last connection time is shown as well. Also, there is a button to capture traffic for the current IP and the corresponding port.
TCP statistics
This web page shows statistics about the response time of the TCP connection handshake for all TCP connections of the current IP address. Also, the amount of data retransmitted due to packet loss is shown on the right side of the page. The graphs below show the historical data for each TCP handshake. The data point is the average handshake time and the vertical line shows the min and max handshake time for that specific time window (depending on the zoom level). Up to two graphs might be visible, one for data when the IP connected to other IPs as a client, and another graph for data when the IP has been connected to from other IPs as a server. The connection table below shows a subset of the main connection table containing only the TCP connections for this IP. When sorting the handshake and response time columns and more than one time value is shown in a field, the maximum of all time values of that field is taken into account.
HTTP server statistics
This tab shows statistics (if available) of all HTTP requests handled by the current IP address. The statistics contain:
- HTTP server names: All host names are shown that have been used to contact the HTTP server on this IP.
- Sent HTTP responses: This is the total number of requests/responses that have been seen on the network.
- Average response time: This is the average response time in milliseconds for all servers.
- Standard deviation: This value shows the variation of the response times (https://en.wikipedia.org/wiki/Standard_deviation)
- Minimum response time: This is the smallest response time seen on the network.
- Maximum response time: This is the largest response time seen on the network.
The graph shows the historical data for all responses. Below the graph, the number of response codes for each main code family is shown together with the last URL requested.
SSL server statistics
This tab shows statistics (if available) of all SSL requests handled by the current IP address. The statistics contain:
- SSL server names: All host names are shown that have been used to contact the SSL server on this IP.
- Response time for SSL handshake
– Number of handshake: This is the total number of SSL requests/responses that have been seen for this IP.
– Average response time: This is the average response time in milliseconds.
– Standard deviation: This value shows the variation of the response times (https://en.wikipedia.org/wiki/Standard_deviation)
– Minimum response time: This is the smallest response time.
– Maximum response time: This is the largest response time.
- Response time for SSL data
– Number of first data responses: This is the total number of initial SSL data requests/responses that have been seen for this IP.
– Average response time: This is the average response time in milliseconds.
– Standard deviation: This value shows the variation of the response times (https://en.wikipedia.org/wiki/Standard_deviation)
– Minimum response time: This is the smallest response time.
– Maximum response time: This is the largest response time.
The graphs show the historical data for all handshakes and SSL first data responses.
SSL/TLS infos
This tab shows statistics (if available) of all negotiated SSL/TLS versions and cipher suites used by the current IP address either as server or client.
SIP statistics
This tab shows statistics (if available) of all SIP request methods, all SIP response types as well as all SIP request/response pairs sent or received by the current IP address.
RTP statistics
This tab shows statistics (if available) of all RTP connections which involve the current IP address as either client or server. A list shows all connections with client and server IP addresses and ports. The RTP payload type is shown as well as timing information and counters, jitter and MOS values and the SSRC (synchronization source) of both client and server. The min and max audio levels (decibel relative to full scale, dBFS) per direction are shown if G.711 A-Law or μ-Law is used. For the calculation, raw A-Law or μ-Law values are converted to 16 bit PCM values. Those values are then converted to dBFS:
value_dBFS = 20 * log10(abs(pcm_value) / 32768)
Values range from 0 dBFS (loudest) to -96 dBFS (absolute silence). Graphs per connection show packets and packet loss, jitter, MOS and the max audio level of client and server over time. A PCAP button allows PCAP capturing. If a supported codec is used, audio capture buttons for both directions are available, allowing downloads in MP3 format. The following codecs are supported for audio extraction:
- G.711 A-Law and μ-Law
- G.722
- G.729
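The audio level calculation described above, carried through for G.711 as an added example (not code from the page or the product). The μ-law and A-law decoders follow the ITU-T G.711 expansion rules, the -96 dBFS value for a zero sample is taken from the text above, and the payload bytes and the codec labels PCMU/PCMA are constructed for this example; G.722 and G.729 are not covered here.

```python
import math


def ulaw_to_pcm16(byte):
    """Expand one G.711 mu-law byte to a signed 16-bit PCM sample."""
    byte = ~byte & 0xFF                 # mu-law bytes are stored inverted
    sign = byte & 0x80
    exponent = (byte >> 4) & 0x07
    mantissa = byte & 0x0F
    sample = (((mantissa << 3) + 0x84) << exponent) - 0x84
    return -sample if sign else sample  # largest magnitude is 32124


def alaw_to_pcm16(byte):
    """Expand one G.711 A-law byte to a signed 16-bit PCM sample."""
    byte ^= 0x55                        # undo the even-bit inversion
    sign = byte & 0x80                  # in A-law a set sign bit means positive
    exponent = (byte >> 4) & 0x07
    mantissa = byte & 0x0F
    if exponent == 0:
        sample = (mantissa << 4) + 8
    else:
        sample = ((mantissa << 4) + 0x108) << (exponent - 1)
    return sample if sign else -sample  # largest magnitude is 32256


def pcm_to_dbfs(pcm):
    """value_dBFS = 20 * log10(abs(pcm) / 32768), as stated on the page.
    A zero sample has no logarithm; it is reported as -96 dBFS (silence),
    the floor the page gives. Every non-zero sample lies above that floor."""
    if pcm == 0:
        return -96.0
    return 20 * math.log10(abs(pcm) / 32768)


def audio_levels(payload, codec):
    """Min and max level in dBFS over one direction's raw G.711 payload bytes.
    codec is "PCMU" (mu-law) or "PCMA" (A-law); constructed labels."""
    decode = {"PCMU": ulaw_to_pcm16, "PCMA": alaw_to_pcm16}[codec]
    levels = [pcm_to_dbfs(decode(b)) for b in payload]
    return min(levels), max(levels)


if __name__ == "__main__":
    # Constructed payload: mu-law silence (0xFF), loudest negative (0x00),
    # loudest positive (0x80).
    lo, hi = audio_levels(bytes([0xFF, 0x00, 0x80]), "PCMU")
    print(f"PCMU min {lo:.2f} dBFS, max {hi:.2f} dBFS")
    # Constructed A-law payload: quietest positive (0xD5) and loudest (0xAA).
    lo, hi = audio_levels(bytes([0xD5, 0xAA]), "PCMA")
    print(f"PCMA min {lo:.2f} dBFS, max {hi:.2f} dBFS")
```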
Configuration settings
By clicking on the gear button on the top left of the IP statistics web page, you can access the configuration section.
- Store connection information for every IP
This option is enabled by default. When enabled, the IP measurement module stores every connection for each IP. This includes historical packet counters, so you can see for an individual connection at which time it transferred which amount of data. Connection data will be stored as long as possible with regard to the total memory usage. Disabling this option will increase the minimum storage time significantly.
- Store layer 7 protocol information for every IP
The network protocols and their historical traffic data are stored for each IP if this option is enabled. Disabling this option will increase the minimum storage time slightly.
- Track number of new connections for every IP
When this option is enabled, TCP connections per IP are tracked. Connections are divided into valid and invalid connections for server and client direction and the amount is shown. Disabling this option will increase the minimum storage time slightly.
- Store traffic history graph for IP peers
This option allows enabling or disabling the traffic history graph that is shown per peer in the “Peers” tab for an IP. Disabling this option will increase the minimum storage time slightly.
- Enable RTP measurement
This option allows enabling or disabling of RTP related statistics that are shown in the “RTP statistics” tab for an IP. Jitter and MOS calculation in the SIP module also depends on this switch. Disabling this option will increase the minimum storage time slightly.
- Store QoS information for every IP
This option enables or disables the storage of Quality of Service information per IP. This information requires additional memory, so if it is not necessary, memory can be saved to increase the global data storage time.
- Store SSL/TLS information for every connection
This option enables or disables the storage of SSL/TLS information per IP. This includes used and announced encryption ciphers, which can take additional memory per IP connection. If this information is not necessary, memory can be saved to increase the global data storage time.
- Maximum number of IP groups
This option configures how many IP groups can be defined. The minimum (and default) value is 32 IP groups. The maximum value is 65535 IP groups. A new configuration value only takes effect after restarting the packet processing in the Administration menu.
