MAC module: Difference between revisions
Latest revision as of 12:50, 9 May 2022
The MAC module operates on layer 2 of the network stack. It stores information about all MAC addresses. For every address it accounts the corresponding network traffic, the protocols used and their individual traffic. The MAC peers each address communicates with are stored as well, together with the traffic between each pair of MAC addresses.
The button row allows for enabling and disabling specific columns so that only the relevant information fits onto the display. By clicking on Counters (combined) the table toggles between showing sent and received bytes and packets in one combined column or in separate columns, which is useful for sorting. The list contains all MAC addresses seen by the system. For each address, the table contains the following information:
- MAC
  - The MAC address with additional information such as the NIC vendor or detected OS.
  - The address can be clicked to reach the detailed page with additional information for that specific MAC address.
- NIC vendor
  - The NIC vendor name as specified in the IEEE OUI assignment (http://standards-oui.ieee.org/oui.txt).
  - Be aware that some MAC addresses are defined globally and do not belong to any vendor, such as broadcast or multicast addresses.
- Detected OS
  - A list of all detected operating systems mapped behind this MAC address. The OS is detected by host-specific layer 7 patterns. This information can be used to search for or identify specific systems. Be aware that routing and NAT allow more than one OS behind one MAC address.
- DHCP host name
  - The DHCP host name is passively extracted from the DHCP request. It can be used to identify specific systems, such as printers, by their DHCP name.
- First (recent) activity
  - This column shows the time when this MAC showed activity for the first time, or for the first time after a long period of inactivity.
- Last activity
  - The last activity is the last time a packet has been received or sent by the MAC address.
- Packets and Bytes
  - The number of packets and bytes received by the MAC address (red arrow down) and sent by it (green arrow up).
- Packets/s and Bit/s
  - These two numbers describe the current throughput of this MAC address for down- and up-link.
- MAC peer count
  - The number of MAC addresses which have sent packets to or received packets from this MAC address. The counter is increased at the first packet between two MAC addresses and decreased when there has been no activity between the two MACs for the global timeout.
- Active IP count
  - The number of IP addresses mapped behind this MAC address. The counter is increased at the first packet for a MAC/IP pair and decreased when there has been no activity for that MAC/IP pair for the global timeout.
  - This number can be very high for routers, NAT gateways or similar devices, as they can map millions of IPs to one MAC address.
- Open connections
  - The numbers show the number of currently open connections and the maximum number of connections that were open simultaneously.
- L7 protocol
  - This column lists all L7 protocols seen for that particular MAC address. The top 10 protocols are shown by default; the view can be toggled to show all of them by clicking on it.
- Graph
  - The column shows the history graph of the traffic for each MAC address, with the timestamp on the x-axis and the bytes on the y-axis. The resolution can be changed by using the control buttons at the top of the web page. The graph icon allows for selecting different graph types such as load (bps or packets/s) or connections.
- Capture traffic
  - It is possible to download the traffic of a MAC address by clicking on the capture button.
  - The captured packets are not stored on the system but are sent directly over the HTTP connection to the user's computer. To stop the capture, click the capture button again or go to the Capture module page in the generic section and stop the corresponding download.
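The counter semantics described above for First (recent) activity, MAC peer count and Active IP count, modelled in an added example that is not code from the product or from this wiki; the `MacTable` class and its single global `timeout` value (applied to both peer pairs and MAC/IP pairs) are assumptions made for illustration.

```python
class MacTable:
    """Per-MAC bookkeeping with one global inactivity timeout (assumed).

    Tracks first (recent) activity, last activity, peer MAC pairs and
    MAC/IP pairs the way the MAC module's table columns are described.
    """

    def __init__(self, timeout):
        self.timeout = timeout    # seconds of inactivity before a pair is dropped
        self.first = {}           # mac -> first (recent) activity timestamp
        self.last = {}            # mac -> last activity timestamp
        self.peer_last = {}       # sorted (mac_a, mac_b) -> last packet time
        self.ip_last = {}         # (mac, ip) -> last packet time

    def _touch(self, mac, ts):
        # "First (recent) activity" restarts after a gap longer than the timeout.
        if mac not in self.last or ts - self.last[mac] > self.timeout:
            self.first[mac] = ts
        self.last[mac] = ts

    def observe(self, ts, src_mac, dst_mac, src_ip=None, dst_ip=None):
        """Account one frame seen at time ts (seconds)."""
        self._touch(src_mac, ts)
        self._touch(dst_mac, ts)
        # The peer pair is created at the first packet between the two MACs;
        # later packets only refresh its last-seen time.
        self.peer_last[tuple(sorted((src_mac, dst_mac)))] = ts
        if src_ip is not None:
            self.ip_last[(src_mac, src_ip)] = ts
        if dst_ip is not None:
            self.ip_last[(dst_mac, dst_ip)] = ts

    def expire(self, now):
        """Drop peer pairs and MAC/IP pairs idle for longer than the timeout."""
        self.peer_last = {k: t for k, t in self.peer_last.items()
                          if now - t <= self.timeout}
        self.ip_last = {k: t for k, t in self.ip_last.items()
                        if now - t <= self.timeout}

    def peer_count(self, mac):
        """MAC peer count column: peers with a non-expired pair entry."""
        return sum(1 for pair in self.peer_last if mac in pair)

    def active_ip_count(self, mac):
        """Active IP count column: non-expired MAC/IP pairs for this MAC."""
        return sum(1 for m, _ in self.ip_last if m == mac)

    def row(self, mac):
        """The modelled table columns for one MAC address."""
        return {"first": self.first.get(mac), "last": self.last.get(mac),
                "peers": self.peer_count(mac),
                "active_ips": self.active_ip_count(mac)}
```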
When multiple pages are available, there will be a control field for switching pages. The MAC search bar allows entering MAC addresses or names to show only those elements for which the entered string is part of the IP address, NIC vendor name, operating system or DHCP host name. Complex filter expressions are also possible if the string starts with an open parenthesis (. See Live filtering of tables for a detailed description of how to use this feature.
The columns can also be sorted, for example to easily spot the MAC addresses with the most bytes or the highest current throughput.
Detailed MAC Statistics
For each MAC address, a more detailed view can be opened by clicking on the corresponding MAC address in the list of all MAC addresses. The header line contains buttons to return to the main MAC view, to download traffic for this specific MAC address, to access this documentation, and to delete the statistics for only this MAC address.
Overview
The overview tab contains graphs for both packets and bytes of the MAC address. The tables below show raw data for the current throughput and the total packets/bytes processed, also split for IPv4, IPv6, and non-IP packets. The next rows contain additional statistics about the MAC. The number of IP addresses seen behind that MAC address leads to the Active IPs tab, while the MAC peers number leads to the MAC peers tab.
The open connection row contains a graph showing the history of the number of open connections. As for any graph in the web interface, the resolution can be changed with the time buttons at the top of the page.
Layer 3 Protocols
The Layer 3 protocols tab lists all layer 3 protocols seen for this MAC address with parameters such as bytes and packets. The First packet time is the time of the very first packet that has been identified as the corresponding protocol for this MAC address. Analogously, the Last packet time is the time when the last packet has been seen for the protocol. The graph shows the complete history of that protocol for the MAC address. The capture button allows for capturing traffic for the MAC and protocol combination.
Layer 7 Protocols
The Layer 7 protocols tab lists all DPI protocols seen for this MAC address with parameters such as bytes and packets. The First packet time is the time of the very first packet that has been identified as the corresponding DPI protocol for this MAC address. Analogously, the Last packet time is the time when the last packet has been seen for the protocol. The graph shows the complete history of that protocol for the MAC address. The capture button allows for capturing traffic for the MAC and protocol combination. The protocol name in the first column can be clicked to reach the L7 module for that protocol.
Active IPs
The Active IPs tab lists all IP addresses that have been seen behind the MAC address. For routers the list usually contains a lot of IP addresses (such as all external IP addresses), while for internal MAC addresses of client computers the list usually contains only one or a few IP addresses. Multiple addresses may occur if IPs are dynamically assigned to client computers. The table contains all known alternative names from different sources such as DHCP or DNS resolving. The first and last packet times describe when the IP appeared first for this MAC address and when it was used last. These values allow for identifying which IP address might be in use at the moment. The capture button allows for downloading traffic for the MAC and IP address combination.
MAC peers
The table contains all MAC addresses the current MAC address has sent packets to or received packets from. The vendor and DHCP name are shown (if available), helping to identify the system behind that MAC address. The usual traffic statistics are shown including a history graph. The capture button allows for capturing traffic between those two MAC addresses only.
Peer countries
Similar to the MAC peers, the countries tab lists all countries to which the current MAC address has sent packets or from which it has received packets. The country is identified based on the IP addresses seen for the MAC peers. The capture button allows for capturing traffic between the current MAC address and any peer in the selected country.
Outer VLANs
The Outer VLANs tab lists all outer VLAN tags seen for the MAC address, also showing the amount of traffic for which no VLAN tag has been used. The tab contains the usual traffic statistics including a history graph. The capture button allows for capturing traffic for the MAC and outer VLAN combination.
Outer MPLS
The Outer MPLS tab lists all outer MPLS labels seen for the MAC address, also showing the amount of traffic for which no MPLS label has been used. The tab contains the usual traffic statistics including a history graph. The capture button allows for capturing traffic for the MAC and outer MPLS combination.
Resetting statistics
The stored data about each MAC can be removed by clicking on the trashcan button on the top right of the MAC statistics web page.
Web interface
Global MAC statistics
The tab 'Global MAC statistics' shows the following counters and graphs:
- Total traffic: the total L2 traffic.
- Unicast traffic: the amount of traffic directed to unicast MAC addresses.
- Broadcast traffic: the amount of traffic directed to broadcast MAC addresses.
- Multicast traffic: the amount of traffic directed to multicast MAC addresses.
For each traffic type there is a PCAP button which allows capturing the respective traffic.
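The NIC vendor lookup from the IEEE OUI registry described for the MAC table, together with the unicast/broadcast/multicast split of the Global MAC statistics tab, as an added example that is not code from the product or from this wiki. The registry excerpt, OUIs and vendor names are constructed for the example in the layout of oui.txt; the function names are assumptions.

```python
import re

# Constructed sample in the layout of the IEEE oui.txt registry
# (http://standards-oui.ieee.org/oui.txt); the OUIs and names below are
# made up for this example, not copied from the real registry.
SAMPLE_OUI_TXT = """\
OUI/MA-L                                                    Organization
company_id                                                  Organization
                                                            Address

00-1A-2B   (hex)\t\tExample Vendor A
001A2B     (base 16)\t\tExample Vendor A
\t\t\t\t1 Example Street
\t\t\t\tUS

00-3C-4D   (hex)\t\tExample Vendor B
003C4D     (base 16)\t\tExample Vendor B
"""

# Only the "(hex)" line of each registry entry carries the OUI we need.
_HEX_LINE = re.compile(
    r"^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$")

BROADCAST = bytes([0xFF] * 6)

def parse_oui_txt(text):
    """Return {3-byte OUI: organisation name} from oui.txt content."""
    table = {}
    for line in text.splitlines():
        m = _HEX_LINE.match(line)
        if m:
            table[bytes.fromhex("".join(m.group(1, 2, 3)))] = m.group(4)
    return table

def parse_mac(text):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % text)
    return bytes.fromhex(digits)

def classify(mac):
    """Traffic class as counted by the Global MAC statistics tab."""
    if mac == BROADCAST:
        return "broadcast"
    if mac[0] & 0x01:          # I/G bit set: group (multicast) address
        return "multicast"
    return "unicast"

def vendor(mac, table):
    """NIC vendor for the address, or None where no vendor can exist."""
    if classify(mac) != "unicast":
        return None            # broadcast/multicast belong to no vendor
    if mac[0] & 0x02:          # U/L bit set: locally administered address
        return None            # (e.g. randomised MACs) has no OUI owner
    return table.get(mac[:3])

def traffic_by_class(frames):
    """Byte counters of the Global MAC statistics tab, computed from
    constructed (destination MAC, frame length) pairs."""
    counters = {"total": 0, "unicast": 0, "broadcast": 0, "multicast": 0}
    for dst, length in frames:
        counters["total"] += length
        counters[classify(parse_mac(dst))] += length
    return counters
```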
