Wednesday 30 October 2019

Filtering on traffic between subnets

When looking at sFlowTrend traffic graphs and reports, you will sometimes want to focus on specific traffic of interest, for example to understand traffic patterns between subnets. To do this you can use a filter in a network traffic Top N chart or report. The help includes a section on filtering which outlines how to build filters. The UI for both network traffic Top N charts and report query sections includes a filter builder, with a dropdown menu that lists the traffic database keys that can be used as filter terms. You can also use filter functions in a filter; these can be typed directly into the filter bar. One such filter function is the inSubnet function, which has two forms:

inSubnet(address, subnet, maskBits)

In this form, address is the database address key field that you would like to test (for example ipServer), and subnet and maskBits define the subnet to test against for inclusion. For example inSubnet(ipServer, "", 24) will return true for any IP server address that is in the subnet. Note the quotes "" around the subnet address.

This form of the filter function can also be used to test IPv6 addresses for subnet inclusion. For example, inSubnet(ipSource, "2001:db8:a::", 64) can be used to show traffic sourced by any address in the subnet 2001:db8:a::/64.

This example shows the top connections for server addresses in the subnet. It also uses a custom Top N chart with serverAddress, serverPort and clientAddress as key fields, so that connections are not broken out by ephemeral client port. See the help for more information on configuring custom Top N charts.

inSubnet(address, subnetName)

In this form, address is the database address key field that you would like to test (for example ipSource), and subnetName is a subnet that has previously been defined in the sFlowTrend configuration (see the help section on configuring subnets). For example inSubnet(ipSource, "East Bay") will return true for any IP source address that is in the predefined subnet named East Bay.
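To make the semantics of both inSubnet forms concrete, here is a small added example (not sFlowTrend code) that evaluates them over constructed flow records and then builds the custom Top N connection view keyed on server address, server port and client address. The named-subnet table, the record layout and the sample addresses are all assumptions for illustration.

```python
import ipaddress
from collections import Counter

# Hypothetical stand-in for subnets configured by name in sFlowTrend (constructed).
NAMED_SUBNETS = {"East Bay": "10.1.0.0/16"}

def in_subnet(record, address_key, subnet, mask_bits=None):
    """inSubnet(address, subnet, maskBits) when mask_bits is given,
    inSubnet(address, subnetName) otherwise. address_key is a record key
    such as 'ipServer' or 'ipSource'."""
    if mask_bits is None:
        network = ipaddress.ip_network(NAMED_SUBNETS[subnet], strict=False)
    else:
        # strict=False lets a host address stand in for the network address.
        network = ipaddress.ip_network(f"{subnet}/{mask_bits}", strict=False)
    addr = ipaddress.ip_address(record[address_key])
    # An IPv4 address never matches an IPv6 subnet, and vice versa.
    return addr.version == network.version and addr in network

def top_connections(records, filter_fn, n=3):
    """Top N connections by bytes, keyed on server address, server port and
    client address so that ephemeral client ports do not split the totals."""
    totals = Counter()
    for r in records:
        if filter_fn(r):
            totals[(r["ipServer"], r["serverPort"], r["ipClient"])] += r["bytes"]
    return totals.most_common(n)

# Constructed sample flow records, not real traffic.
RECORDS = [
    {"ipServer": "10.1.2.10", "serverPort": 443, "ipClient": "192.0.2.5", "clientPort": 51001, "bytes": 5000},
    {"ipServer": "10.1.2.10", "serverPort": 443, "ipClient": "192.0.2.5", "clientPort": 51002, "bytes": 3000},
    {"ipServer": "10.1.2.11", "serverPort": 22, "ipClient": "192.0.2.9", "clientPort": 40000, "bytes": 700},
    {"ipServer": "10.9.0.4", "serverPort": 80, "ipClient": "192.0.2.5", "clientPort": 51003, "bytes": 9000},
    {"ipServer": "2001:db8:a::10", "serverPort": 443, "ipClient": "2001:db8:b::1", "clientPort": 6000, "bytes": 1200},
]

if __name__ == "__main__":
    # inSubnet(ipServer, "10.1.2.0", 24): the two port-443 flows from the same
    # client merge into a single 8000-byte connection.
    print(top_connections(RECORDS, lambda r: in_subnet(r, "ipServer", "10.1.2.0", 24)))
    # inSubnet(ipServer, "East Bay") resolves the configured 10.1.0.0/16.
    print(top_connections(RECORDS, lambda r: in_subnet(r, "ipServer", "East Bay")))
```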