
Hosts

Stats for each IP Host

Key Format

IPv4 hosts are keyed in the dotted hex format "C0.A8.01.04" to represent "192.168.1.4"
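The key format above is easy to get wrong by hand when querying the Hosts counter group, so here is an added helper (example code, not Trisul's own) that converts between dotted-quad addresses and dotted-hex keys in both directions, validates the key shape, and classifies a keyed peer as Homenet or External. The Home Network prefixes in HOMENET are constructed for the example; a real deployment uses its own list.

```python
import ipaddress

# Added example, not part of the Trisul documentation or code base.
# Converts between dotted-quad IPv4 addresses and the dotted-hex keys used by
# the Hosts counter group, and classifies a key against a home-network list.

def ip_to_host_key(ip: str) -> str:
    """'192.168.1.4' -> 'C0.A8.01.04' (each octet as two uppercase hex digits)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(f"{octet:02X}" for octet in addr.packed)

def host_key_to_ip(key: str) -> str:
    """'C0.A8.01.04' -> '192.168.1.4'; requires exactly four 2-hex-digit groups."""
    parts = key.split(".")
    if len(parts) != 4 or not all(len(p) == 2 for p in parts):
        raise ValueError(f"not a dotted-hex IPv4 host key: {key!r}")
    # int(p, 16) raises ValueError on non-hex characters
    return str(ipaddress.IPv4Address(bytes(int(p, 16) for p in parts)))

# Constructed home-network prefixes for this example only.
HOMENET = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
]

def classify_peer(key: str) -> str:
    """Return 'Homenet' if the keyed host lies inside HOMENET, else 'External'."""
    addr = ipaddress.IPv4Address(host_key_to_ip(key))
    return "Homenet" if any(addr in net for net in HOMENET) else "External"

if __name__ == "__main__":
    print(ip_to_host_key("192.168.1.4"))   # C0.A8.01.04
    print(host_key_to_ip("08.08.08.08"))   # 8.8.8.8
    print(classify_peer("C0.A8.01.04"))    # Homenet
```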

Counter group

| GUID | TYPE | Bucket Size (secs) | Topper Bucket (secs) |
|---|---|---|---|
| {4CD742B1-C1CA-4708-BE78-0FCA2EB01A86} | Native | 60 | 300 |

Meter list

Resolution

These meters are updated every Bucket Size milliseconds; by default this is 60,000 milliseconds, or 1 minute.

| ID | DESCRIPTION | TOP COUNT | BOTTOM COUNT | TYPE | UNITS |
|---|---|---|---|---|---|
| 0 | Total | 50 | 0 | VT_RATE_COUNTER | Bps |
| 1 | Received | 10 | 0 | VT_RATE_COUNTER | Bps |
| 2 | Transmit | 10 | 0 | VT_RATE_COUNTER | Bps |
| 3 | Total Packets | 0 | 0 | VT_RATE_COUNTER | pps |
| 4 | Active conns | 50 | 0 | VT_RUNNING_COUNTER | conns |
| 5 | Attacker alerts | 20 | 0 | VT_COUNTER | alerts |
| 6 | Homenet | 20 | 0 | VT_RATE_COUNTER | Bps |
| 7 | External | 20 | 0 | VT_RATE_COUNTER | Bps |
| 8 | TCP SYN sent | 10 | 0 | VT_COUNTER | packets |
| 9 | TCP SYN recv | 10 | 0 | VT_COUNTER | packets |
| 10 | TCP SYNACK sent | 10 | 0 | VT_COUNTER | packets |
| 11 | Blacklist alerts | 20 | 0 | VT_COUNTER | alerts |
| 12 | Victim alerts | 20 | 0 | VT_COUNTER | alerts |
| 13 | New conns | 20 | 0 | VT_COUNTER | conns |
| 14 | Into Interface | 20 | 0 | VT_RATE_COUNTER | Bps |
| 15 | Outof Interface | 20 | 0 | VT_RATE_COUNTER | Bps |
| 16 | Flow Records | 100 | 0 | VT_COUNTER | Frecs |

Total

Total bandwidth seen by the host in both transmit and receive direction.

Received

Receive bandwidth of the host, where the IP address of the host is the "Destination IP" of the packet.

Transmit

Transmit bandwidth of the host, where the IP address of the host is the "Source IP" of the packet.

Total Packets

Number of packets seen for this host as either the source IP or destination IP.

Active conns

Number of concurrently active IP flows involving this host at the end of the streaming window. Toppers for this metric generally feature hosts with long-running flows such as video, audio, conferencing, file transfers and so on.

Attacker alerts

Number of IDS and BadFellas alerts where this host was the source IP of the packet that triggered the alert.

Homenet

Traffic bandwidth where the other IP address is within the organization's Home Network.

External

Traffic bandwidth where the other IP address is outside the Home Network.

TCP SYN sent

How many TCP SYN packets were sent with this IP address as the source IP. The client side of a TCP service, if you will.

TCP SYN recv

How many TCP SYN packets were sent with this IP address as the destination IP. The server side of a TCP service, if you will.

TCP SYNACK sent

SYN+ACK is the response to a SYN as part of the TCP session-creation handshake. This counts how many SYN+ACK packets were sent with this IP address as the source, which represents server-side connection setup.

Blacklist alerts

How many alerts were generated involving this IP as a source or destination. This comes from the BadFellas Threat Intelligence plugin, trisul-badfellas.

Victim alerts

How many alerts were generated with this IP address as the destination address.

New conns

How many new connections were made involving this IP address. Toppers for this metric generally feature short, high-frequency connections such as DNS servers and clients, or other such traffic.

Into Interface

👉 This metric only appears in a Filtered Counter Group whose parent counter group is Hosts and whose Filter is a NetFlow interface.

When used with the NetFlow Interface Tracker, this metric is the bandwidth involving this IP address as source or destination that is ingressing the interface specified in the Interface Tracker.

Outof Interface

👉 This metric only appears in a Filtered Counter Group whose parent counter group is "Hosts" and whose "Filter" is a NetFlow interface.

When used with the NetFlow Interface Tracker, this metric is the bandwidth involving this IP address as source or destination that is egressing the interface specified in the Interface Tracker.

Flow Records

Number of NetFlow records with this IP address involved as source or destination.

Cardinality counters

See cardinality counters