Events 1

Events
Last Log Interval
Overview
The Last Log Interval is used to view the log time for all elements in the Database.
The following information is presented in the Last Log Interval report:
• Cluster - the cluster the element belongs to
• Element - the name of the element
• Last Log Time - the last time the element wrote a record to the database

Interpreting the report


• Use this information to identify if any elements are having trouble communicating with the database or have gone offline.

Log Browser
Overview
The Log Browser is used to view the available log files on the target Network Demographics server located under /var/log. By default, the
Log Browser is configured to display the Network Demographics log file which is located at /var/log/svreports.

The following information is presented in the Log Browser report for the Network Demographics log file:
• Date - timestamp that the message was recorded
• Level - severity of the log message. Valid options include: DEBUG, INFO, WARNING, ERROR, FATAL
• Message - the actual log message
Other log files may have different headings than those listed above.

Configuring the report


To examine other message logs, select the Data Source tab on the configuration screen. In the "Data Source" dropdown, select the log
file you wish to view, and press the "Submit" button. Once the "Data Source" is selected, click "Run Report" to see the log.

For information on specific log messages refer to the appropriate Operations Guide.

Interpreting the report


• Use this information to identify if any errors or unusual messages have been generated by a module, or if you suspect that
there may be a problem.
• Report shows which users have logged into the reports server and when. This provides security access information without
having to log into the element directly and check logs.
• Sort the report by date in descending order to see the most current messages.
• Sort the report by message to determine whether the same message is recurring and how frequently it recurs.

NDS Audit Log Browser


Overview
The Network Demographics Server Audit Log Browser is used to view the Audit Log for the users of the Network Demographics Server. By
default, the Log Browser is configured to display the Network Demographics Server audit log file, which is located at
/var/log/svreports-audit.

The following information is presented in the Network Demographics Server Audit Log Browser report for the Network Demographics
Server audit log file:
• Date - timestamp that the message was recorded
• Level - severity of the log message. Valid options include: DEBUG, INFO, WARNING, ERROR
• User - the user that the message corresponds to
• Message - the actual log message
Other log files may have different headings than those listed above.

Configuring the report


To examine other message logs, select the Data Source tab on the configuration screen. In the "Data Source" dropdown, select the log
file you wish to view, and press the "Submit" button. Once the "Data Source" is selected, click "Run Report" to see the log.
For information on specific log messages refer to the appropriate Operations Guide.

Interpreting the report


• Use this information to identify if any errors or unusual messages have been generated by a module, or if you suspect that
there may be a problem.
• Report shows which users have logged into the reports server and when. This provides security access information without
having to log into the element directly and check logs.
• Sort the report by date in descending order to see the most current messages.
• Sort the report by message to determine whether the same message is recurring and how frequently it recurs.

SED Audit Log Browser


Overview
The Subscriber Experience Dashboard Audit Log Browser is used to view the Audit Log for the users of the Subscriber Experience
Dashboard. By default, the Log Browser is configured to display the Subscriber Experience Dashboard audit log file which is located at
/var/log/svreports-audit.

The following information is presented in the Subscriber Experience Dashboard Audit Log Browser report for the Subscriber Experience
Dashboard audit log file:
• Date - timestamp that the message was recorded
• Level - severity of the log message. Valid options include: DEBUG, INFO, WARNING, ERROR
• User - the user that the message corresponds to
• Message - the actual log message
Other log files may have different headings than those listed above.

Configuring the report


To examine other message logs, select the Data Source tab on the configuration screen. In the "Data Source" dropdown, select the log
file you wish to view, and press the "Submit" button. Once the "Data Source" is selected, click "Run Report" to see the log.

For information on specific log messages refer to the appropriate Operations Guide.

Interpreting the report


• Use this information to identify if any errors or unusual messages have been generated by a module, or if you suspect that
there may be a problem.
• Report shows which users have logged into the reports server and when. This provides security access information without
having to log into the element directly and check logs.
• Sort the report by date in descending order to see the most current messages.
• Sort the report by message to determine whether the same message is recurring and how frequently it recurs.
Software
Installed Software
Overview
The Installed Software report displays the list of software packages that are installed on the current Network Demographics server.

The following information is presented in the Installed Software report:


• Package - name of the software package
• Version - version of the installed software package
• Description - description of the software package
Configuring the report
There is no configuration necessary for this report.

Interpreting the report


Use this information to ensure that the correct version of software required for the desired operation is installed.
To examine the packages that are installed on a different element in the cluster, log on to the report server on the specific element.
System Utilization
CPU Utilization
Overview
The CPU Utilization report shows the processing power being consumed by the element(s) for the selected time period.

Configuring the report


Select a time period and the elements you wish to monitor for CPU utilization.
Note that if you select multiple elements, an individual chart is generated for each element.

Interpreting the report


Use this report to track potential processing bottlenecks and to ensure smooth operation. High CPU usage can result in slower
performance. Although an element will run successfully at 100% load, some data may be lost and subscriber experience may be affected.

Memory Utilization
Overview
The Memory Utilization report shows the amount of memory being consumed by the element(s) for the selected time period.

Configuring the report


Select a time period and the elements you wish to monitor for memory utilization.
Note that if you select multiple elements, an individual chart is generated for each element.

Interpreting the report


Normal operation should not reach 100%. If this is observed, the device is most likely being over-utilized. Although an element will run at
100% utilization, some data may be lost and subscriber experience may be affected.

Server Processes
Overview
The Current Processes report details the processes that are currently running on the Network Demographics server to which you are
connected. To examine the CPU processes on a different element, log on to the report server on the specific element.

The following information is presented in the Server Processes report:


• User - User ID (UID) indicates the owner of the process
• PID - process identification number
• CPU - percentage CPU usage
• Memory - percentage memory usage
• RSS - resident set size (real memory size of the process in 1024 byte units)
• State - symbolic process state
• Started - time process started
• Time - accumulated CPU time (user + system)
• Command - command and arguments
Configuring the report
There is no configuration necessary for this report.

Interpreting the report


Use this information to identify processes that are consuming scarce resources.
• Sort by the CPU field to identify which processes are consuming the most resources.
• Sort by the Started field to identify which processes on the element have been restarted and when.
• Sort by the User field to identify which users are running processes on the server.
by Connections
Connections by Protocol
Overview
Use the Connections by Protocol report to identify the number of connection attempts per protocol and network. The report contains the
following three charts:
• Connections - Stacked bar chart showing the total number of active connections during the reporting interval.
• New connections - Stacked bar chart showing the total number of new connections created during the reporting interval.
• Peak connections - Stacked bar chart showing the peak number of concurrent active connections over the reporting interval.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols for which you wish to monitor connections. Selecting a large number of protocols may reduce the
visibility of these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.

Interpreting the report


Connections
• This report shows the total number of active connections in each reporting interval.
• If a connection starts in one interval and remains connected through the next few intervals, it will be counted in every one of
these intervals.
New connections
• This report shows the total number of new connections initiated in each reporting interval.
• For example, if in a single 15-minute interval Connection A starts and stops and Connection B starts and stops, the number of
new connections in that interval is 2.
• If a connection starts in one interval and remains connected through the next few intervals, it will be counted as only 1
new connection overall, in the interval in which it started.
Peak connections
• This report shows the peak number of concurrent active connections over the reporting interval.
• If a connection starts in one interval and remains connected through the next few intervals, it will be counted in every one of
those intervals.
• For example, if Connection A starts and stops, and then Connection B starts and stops, peak connections is 1. If Connection A
starts, then Connection B starts, then Connection A ends, then Connection B ends, peak connections is 2.

Connections per Host


Overview
The Average Connections per Hosts by Protocol report identifies the average number of connections being made over the specified
protocols by each host. The report contains the following two charts:
• Average Connections per Host - Stacked bar chart showing the average number of active connections per active host for
the specified protocols for each reporting interval.
• Average New Connections per Host - Stacked bar chart showing the average number of new connections per new host for
the specified protocols for each reporting interval.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols for which you wish to monitor connections. Selecting a large number of protocols may reduce the
visibility of these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.

Interpreting the report


Average Connections per Host
• The average connections per host value is calculated by taking the total number of active connections in each reporting
interval and dividing it by the total number of active hosts in each reporting interval.
Average New Connections per Host
• The average new connections per host value is calculated by taking the total number of new connections in each reporting
interval and dividing it by the total number of new hosts in each reporting interval.
by Hosts
Hosts
Overview
Use the Hosts report to identify the number of hosts discovered on the network. The Hosts report, by default, contains a single chart
showing the maximum number of unique hosts seen in a single PTS logging interval. This report has two optional components.
• Hosts - Stacked bar chart showing the maximum number of unique hosts that had active connections in a single PTS logging
interval.
• Peak Hosts (optional) - Stacked bar chart used for legacy purposes.
• New Hosts (optional) - Stacked bar chart showing the total number of hosts that started a connection in each reporting
interval.
Configuring the report
Select a time period and the elements you wish to monitor for host stats. You can build virtual clusters of Sandvine elements using the
Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Interpreting the report
Hosts
• This report shows the maximum number of unique hosts that had active connections in a single PTS logging interval (by
default 15 minutes)
• If a host starts and stops multiple times during the same reporting interval, it will only be counted once.
• If a host starts a connection in Interval 1 and remains connected through Intervals 2 and 3, it will be counted in
all three reporting intervals.
• When the reporting interval spans multiple logging intervals, the peak value of the intervals will be used.
Peak Hosts
• This report is inactive by default.
• When activated, it can be used to show any historic peak hosts count collected with PTS 5.4. After upgrading to PTS 5.5,
however, this report will show a zero count from the date of the upgrade.
New Hosts
• This report is inactive by default.
• When activated, it will show the total number of hosts that started one or more connections in each reporting interval.
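The counting rules given for the Connections by Protocol, Connections per Host and Hosts reports (active, new and peak connections per interval, hosts counted once per interval, per-host averages, protocol adoption, and the peak-of-logging-intervals rule) worked through on constructed connection records. This is an added example, not code from the page or from the Sandvine product; the record layout and the 15-minute interval are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

INTERVAL_MIN = 15  # default PTS logging interval length quoted in the report text


@dataclass(frozen=True)
class Connection:
    host: str      # host that opened the connection
    protocol: str
    start: int     # minutes since the start of the reporting period
    end: int       # minutes; end > start


# Constructed sample records (not from the page). Logging intervals:
# 0 = [0,15), 1 = [15,30), 2 = [30,45).
SAMPLE = [
    Connection("10.0.0.1", "HTTP", 2, 5),          # starts and stops inside interval 0
    Connection("10.0.0.1", "HTTP", 6, 9),          # same host again inside interval 0
    Connection("10.0.0.2", "HTTP", 10, 40),        # spans intervals 0, 1 and 2
    Connection("10.0.0.3", "BitTorrent", 20, 25),
    Connection("10.0.0.3", "BitTorrent", 26, 44),
    Connection("10.0.0.4", "HTTP", 32, 33),
]


def overlaps(conn, lo, hi):
    """True if the connection is open at any point inside [lo, hi)."""
    return conn.start < hi and conn.end > lo


def peak_concurrent(conns, lo, hi):
    """Peak connections: sweep start/end events clipped to [lo, hi) and keep
    the highest number open at once. An end and a start at the same minute
    are ordered end-first, so "A stops, then B starts" gives a peak of 1."""
    events = []
    for c in conns:
        if overlaps(c, lo, hi):
            events.append((max(c.start, lo), +1))
            events.append((min(c.end, hi), -1))
    events.sort()                      # (time, -1) sorts before (time, +1)
    open_now = peak = 0
    for _, delta in events:
        open_now += delta
        peak = max(peak, open_now)
    return peak


def interval_metrics(conns, n_intervals, interval=INTERVAL_MIN):
    """Per logging interval: Connections, New connections, Peak connections,
    Hosts, New Hosts, the two per-host averages and Protocol Adoption."""
    rows = []
    for i in range(n_intervals):
        lo, hi = i * interval, (i + 1) * interval
        active = [c for c in conns if overlaps(c, lo, hi)]   # counted in every interval spanned
        new = [c for c in active if lo <= c.start < hi]       # counted once, where it started
        hosts = {c.host for c in active}                       # a host is counted once per interval
        new_hosts = {c.host for c in new}
        hosts_by_proto = defaultdict(set)
        for c in active:
            hosts_by_proto[c.protocol].add(c.host)
        rows.append({
            "interval": i,
            "connections": len(active),
            "new_connections": len(new),
            "peak_connections": peak_concurrent(active, lo, hi),
            "hosts": len(hosts),
            "new_hosts": len(new_hosts),
            "avg_connections_per_host": len(active) / len(hosts) if hosts else 0.0,
            "avg_new_connections_per_host": len(new) / len(new_hosts) if new_hosts else 0.0,
            # Protocol Adoption: hosts active on the protocol / all active hosts
            "protocol_adoption": {p: len(h) / len(hosts) for p, h in hosts_by_proto.items()},
        })
    return rows


def hosts_over_reporting_interval(rows):
    """Hosts report rule: a reporting interval spanning several logging
    intervals shows the peak of the per-interval host counts, not the number
    of distinct hosts seen across all of them (4 in SAMPLE, but 3 is charted)."""
    return max(r["hosts"] for r in rows)


if __name__ == "__main__":
    rows = interval_metrics(SAMPLE, 3)
    for row in rows:
        print(row)
    print("hosts charted for the whole period:", hosts_over_reporting_interval(rows))
```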

Hosts by Protocol
Overview
Use the Hosts by Protocol report to identify the number of hosts using the specified protocols. The Hosts by Protocol report, by default,
contains a single chart showing the maximum number of unique hosts seen in a single PTS logging interval per protocol and network. This
report has two optional components.
• Hosts - Stacked bar chart showing the maximum number of unique hosts that had active connections in a single PTS logging
interval for the specified protocols.
• Peak Hosts (optional) - Stacked bar chart used for legacy purposes.
• New Hosts (optional) - Stacked bar chart showing the total number of hosts that started a connection in each reporting
interval for the specified protocols.

Configuring the report
Select a time period and the elements you wish to monitor for host stats. You can build virtual clusters of Sandvine elements using the
Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols for which you wish to monitor the number of hosts. Selecting a large number of protocols may reduce the
visibility of these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.

Interpreting the report


Hosts
• This report shows the maximum number of unique hosts that had active connections in a single PTS logging interval (by
default 15 minutes) for the specified protocols.
• If a host starts and stops multiple times during the same reporting interval, it will only be counted once.
• If a host starts a connection in Interval 1 and remains connected through Intervals 2 and 3, it will be counted in
all three reporting intervals.
• When the reporting interval spans multiple logging intervals, the peak value of the intervals will be used.
Peak hosts
• This report is inactive by default.
• When activated, it can be used to show any historic peak hosts count collected with PTS 5.4. After upgrading to PTS 5.5,
however, this report will show a zero count from the date of the upgrade.
New hosts
• This report is inactive by default.
• When activated, it will show the total number of hosts that started one or more connections in each reporting interval.

Hosts by Protocol w/Active


Overview
Use the Hosts by Protocol with Total Active Hosts report to compare the number of hosts associated with specified protocols to the total
number of active hosts on the network. The report contains the following chart:
• Hosts by Protocol with Total Hosts - Overlaid area chart showing the total number of hosts with active connections for
each specified protocol and the total number of active hosts in each reporting interval.
Configuring the report
Select a time period and the elements you wish to monitor for host stats. You can build virtual clusters of Sandvine elements using the
Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols for which you wish to monitor the number of hosts. Selecting a large number of protocols may reduce the
visibility of these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.

Interpreting the report


• A host is counted when it has an active connection over the reporting interval.
• If a host starts and stops multiple times during the same reporting interval, it will only be counted once.
• If a host starts a connection in Interval 1 and remains connected through Intervals 2 and 3, it will be counted in all three
reporting intervals.
• Use this report to gauge the popularity of specific protocols within the selected networks.

Note: a single host may be using multiple protocols simultaneously. This means that you cannot
implicitly add hosts across protocols to determine the total number of hosts. To identify the number of
total unique hosts, see the Hosts report.

Protocol Adoption
Overview
Use the Protocol Adoption report to identify what percentage of active hosts are using specific protocols during the reporting period. Use
this report to gauge the popularity of different protocols.
The report contains the following chart:
• Protocol Adoption - Overlaid area chart showing the percentage of active hosts using each specified protocol across each
reporting interval.
Configuring the report
Select a time period and the elements you wish to monitor for host stats. You can build virtual clusters of Sandvine elements using the
Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols for which you wish to monitor the number of hosts. Selecting a large number of protocols may reduce the
visibility of these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.

Interpreting the report


• Use this report to gauge the popularity of specific protocols within the selected networks.
• The percentage of active hosts is calculated by dividing the number of hosts with active connections for a specified protocol
by the total number of active hosts in each reporting interval.
• A host is counted when it has an active connection over the reporting interval.
• If a host starts and stops multiple times during the same reporting interval, it will only be counted once.
• If a host starts a connection in Interval 1 and remains connected through Intervals 2 and 3, it will be counted in all three
reporting intervals.
by Network
Bandwidth by Hour
Overview
Use the Bandwidth by Hour report to identify the amount of bandwidth being consumed for each hour across a date range. Use this
information to see the trend effect of bandwidth in daily cycles.
The report contains the following chart:
• Bandwidth by Hour - Stacked bar chart showing the amount of bandwidth consumed by each selected hour. This is
measured as the average bitrate (bits per second) over time.
Configuring the report
Select a time period and the elements you wish to monitor for protocol bandwidth. Please select a reporting range within 1 month from
now. You can build virtual clusters of Sandvine elements using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols and protocol categories that you wish to monitor.
Finally, select the hours of the day which you wish to monitor. It is recommended that you analyze 5-10 hours at a time.

Interpreting the report


Bandwidth by Hour
• highlights the most popular hours in the day that are consuming network bandwidth

Hosts by Hour
Overview
The Hosts by Hour report identifies the number of hosts with active connections in the selected protocols for each hour across a date
range. The report contains the following chart:
• Hosts by Hour - Stacked bar chart showing the number of hosts for each selected hour.
Configuring the report
Select a time period and the elements you wish to monitor for protocol bandwidth. Please select a reporting range within 1 month from
now. You can build virtual clusters of Sandvine elements using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. Select the protocols and protocol categories that you wish to monitor.
Finally, select the hours of the day which you wish to monitor. It is recommended that you analyze 5-10 hours at a time.

Interpreting the report


• Use the Hosts by Hour report to see the trend effect of hosts in daily cycles.
• This report highlights the most popular hours in the day when hosts with active connections for specified protocols are active.
• The number of hosts is the total number of hosts that had active connections across the hour.
• If a host starts and stops multiple times during the same reporting interval, it will only be counted once.
• If a host starts a connection in Interval 1 and remains connected through Intervals 2 and 3, it will be counted in all three
reporting intervals.

Network Flow Differential


Overview
The Network Flow Differential report shows the egress of traffic between different networks. This report clearly shows when uploads
exceed downloads per protocol and vice versa.

Configuring the report


Select a time period and the elements you wish to monitor for traffic flow. You can build virtual clusters of Sandvine elements using the
Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Finally, select the protocols for which you wish to monitor the traffic flow. Selecting a large number of protocols may reduce the visibility of
these items in the corresponding chart. It is recommended that you analyze 1 protocol at a time to avoid confusion and overlap.

Note: selecting the same networks in both Source Network and Destination Network will result in a chart
that has no data due to the same data being subtracted from itself.

Interpreting the report


• Positive traffic implies that there is more bandwidth leaving your network.
• Negative traffic implies that there is more bandwidth coming into your network.
• Use this report to identify time-of-day trends between networks.

Network Flow Matrix


Overview
The Network Flow Matrix is a pivot table that allows you to summarize the volume of traffic between networks.
Two tables are provided:
• Total Byte Flow - identifies the actual number of bytes that are being transferred between peer networks.
• Percentage Byte Flow - identifies the number of bytes as a percentage that are being transferred between peer networks.
Configuring the report
Select a time period and the elements you wish to monitor for traffic flow. You can build virtual clusters of Sandvine elements using the
Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select all of the available networks for both Source Network and Destination
Network.
Finally, select the protocols for which you wish to monitor the traffic flow. It is recommended that you analyze all of the protocols together
in order to identify the total traffic flow, as the results of all protocols will be aggregated together.

Interpreting the report


Use the information from this report to understand the amount of traffic that is flowing between your configured networks. Follow the
intersection between columns and rows to understand exactly how much traffic is flowing between your networks. The egress of traffic is
represented as starting from the network identified in the row and flowing to the network identified in the appropriate column. No value in
a cell indicates no traffic was present.
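The Network Flow Matrix pivot (Total Byte Flow and Percentage Byte Flow, empty cells for no traffic) and the Network Flow Differential (source-to-destination bytes minus the reverse direction, which collapses to zero when both sides name the same network) computed from constructed flow records. This is an added example, not code from the page or the Sandvine product; the record layout and the network names are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    interval: int     # reporting interval index
    src: str          # configured virtual network the bytes originate from
    dst: str          # configured virtual network the bytes flow to
    protocol: str
    byte_count: int


# Constructed sample records (not from the page): two intervals, three networks.
FLOWS = [
    Flow(0, "internal", "external", "HTTP", 100),
    Flow(0, "external", "internal", "HTTP", 900),
    Flow(0, "internal", "peer", "BitTorrent", 600),
    Flow(0, "peer", "internal", "BitTorrent", 400),
    Flow(1, "internal", "external", "HTTP", 200),
    Flow(1, "external", "internal", "HTTP", 300),
    Flow(1, "internal", "peer", "BitTorrent", 500),
    Flow(1, "peer", "internal", "BitTorrent", 500),
]


def flow_matrix(flows, networks, protocols=None):
    """Total Byte Flow pivot: matrix[row][col] = bytes from the row network to
    the column network, summed over the selected protocols (None = all) and
    over time. A cell with no traffic stays None, as the report leaves it empty."""
    totals = defaultdict(int)
    for f in flows:
        if (protocols is None or f.protocol in protocols) and f.src in networks and f.dst in networks:
            totals[(f.src, f.dst)] += f.byte_count
    return {s: {d: totals.get((s, d)) for d in networks} for s in networks}


def percentage_matrix(matrix):
    """Percentage Byte Flow: each cell as a percentage of all bytes in the pivot."""
    grand = sum(v for row in matrix.values() for v in row.values() if v)
    if grand == 0:
        return {s: {d: None for d in row} for s, row in matrix.items()}
    return {s: {d: (None if v is None else round(100.0 * v / grand, 2)) for d, v in row.items()}
            for s, row in matrix.items()}


def flow_differential(flows, src, dst, protocol):
    """Network Flow Differential per interval: bytes src->dst minus bytes dst->src.
    Positive means more bandwidth leaving src, negative more coming in.
    With src == dst the same data is subtracted from itself, so every bin is 0."""
    diff = {i: 0 for i in sorted({f.interval for f in flows})}
    for f in flows:
        if f.protocol != protocol:
            continue
        if f.src == src and f.dst == dst:
            diff[f.interval] += f.byte_count
        if f.src == dst and f.dst == src:
            diff[f.interval] -= f.byte_count
    return diff


if __name__ == "__main__":
    nets = ["internal", "external", "peer"]
    m = flow_matrix(FLOWS, nets)
    for s in nets:
        print(s, [m[s][d] for d in nets])   # rows = source, columns = destination
    print(percentage_matrix(m))
    print(flow_differential(FLOWS, "internal", "external", "HTTP"))
```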

Upstream / Downstream Bandwidth


Overview
Use the Upstream / Downstream Bandwidth by Protocol report to identify the amount of upload and download bandwidth being consumed
for selected protocols in the overall system. This report requires only external networks to be selected; selecting internal networks will
lead to misleading results.
The report contains the following charts:
• Network Flow: Data to - Stacked area chart showing the amount of bandwidth flowing to the selected networks, as
consumed by each selected protocol. This is measured as the average bitrate (bits per second) over time.
• Network Flow: Data from - Stacked area chart showing the amount of bandwidth originating from the selected networks, as
consumed by each selected protocol. This is measured as the average bitrate (bits per second) over time.
Configuring the report
Select a time period and the elements you wish to monitor for protocol bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area. It is recommended that you report on a single element at a time.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. Please select only external networks in the Network selection.
Finally, select the protocols and protocol categories that you wish to monitor. It is recommended that you analyze 5-10 protocols at a
time.

Interpreting the report


Bandwidth by Protocol
• Network Flow: Data to - highlights the most popular protocols that are consuming network upstream bandwidth
• Network Flow: Data from - highlights the most popular protocols that are consuming network downstream bandwidth

Note: due to the manner in which this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. If you are looking for finer-grained
accuracy, it is generally recommended that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one-week period of time, that reporting interval may be broken up into one-hour
segments within the chart. Let's assume that four consecutive plotted points within the chart gave the
series (4, 5, 17, 5). These values would represent the average rate of events for each particular hour. If
we re-ran the report with a two-week time period, we would find that in this particular time range we
would have fewer bins with lower values. In this example, we would expect to see the following series
of values for the same time points: (4.5, 11). This is caused by the fact that the two-week report must
collapse time bins, which dilutes peak values through averaging.
by Network Element
Published Expression
Overview
Use the Published Expressions report to see generic policy-based measurement statistics. Multiple measurements can be viewed in a
single chart on the same x and y axis, regardless of units.
• Published Expression - Overlay line chart showing the values of the selected policy-based measurements across time. When
consolidating values across multiple time intervals, the selected "Aggregate Method" will be used.
Configuring the report
• Select a time period and the elements you wish to monitor.
• Select the aggregation method to use.
    • This is the aggregation method applied to the measurement value when consolidating across multiple time
      intervals and network elements.
• Select the policy measurements to chart.
    • Selections can be made directly in the "Policy Expression Selections" box.
    • Searching can be done by typing the search string into the "Enter Filter" textbox.
    • Wildcard queries can be used by adding filter strings to the "Published Expressions" box.
• Apply unit conversion (optional).
    • In the Presentation tab, in the "Data Manipulation" section, changes can be made to the "Display byte-based units
      as" and "Display packet-based units as" dropdown boxes.
    • All selected measurements with units matching "bytes" or "packets" will be converted according to the setting of
      those two dropdown boxes.
    • For example, if byte-based units is set to "bits/sec", any bytes measurements will be charted in bps.
Interpreting the report
The information presented on this report should be interpreted in light of the type of data collected (gauge vs. interval) and the
corresponding policy that triggers the stat collection.
by Network Element Interface


Bandwidth by Interface
Overview
Use the Bandwidth by Interface report to identify the amount of bandwidth being consumed on the specified physical network interface.
The report contains the following chart:
• Bandwidth by Interface - Area chart showing the amount of bandwidth consumed on the specified physical network
interface. This is measured as the average bitrate (bits per second) over time.
Configuring the report
Select a time period and the elements you wish to monitor for bandwidth consumption. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area. It is recommended that you report on a single element at a time.
The Network Interface Selection area allows you to select the physical wiring ports of the Sandvine element, similar to MRTG-style charts.

Interpreting the report


Bandwidth by Interface
• highlights the amount of network traffic on the specified physical network interface
• provides a comparison with MRTG-style reports based on total bandwidth

Note: because the data is presented as a running average, peak values may appear to shrink
depending on the time interval configured for the report. If you need finer-grained accuracy,
run the report over a shorter interval of time. The scaling effect results from peak values
being diluted over the interval of the report. For example, if you report on a one-week period,
that interval may be broken up into one-hour bins within the chart. Suppose four consecutive
plotted points in the chart were the series (4, 5, 17, 5), each value being the average rate for
its hour. If you re-ran the report over a two-week period, the same time range would be covered
by fewer bins with lower values: in this example, the series (4.5, 11) at the corresponding
points. This is because the two-week report must collapse adjacent time bins, which dilutes
peak values through averaging.
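The bin-collapsing arithmetic in the note above, together with the aggregation method and byte-unit conversion settings described for the policy chart earlier in this chapter, as an added Python example. This is not code from the Network Demographics product; the function names, the unit table and the sample series are constructed for illustration.

```python
"""Collapsing chart bins: why averaging dilutes peaks, and what the
aggregation method and unit conversion settings change.

Added example, not code from the Network Demographics product. It reproduces
the (4, 5, 17, 5) -> (4.5, 11) case from the note above, shows that a
maximum aggregation keeps the peak that averaging hides, and applies the
byte-to-bit display conversion described under the Presentation tab. The
function names, the unit table and the sample series are constructed for
illustration; the product's internal consolidation code is not on this page.
"""
from statistics import mean
from typing import Callable, Sequence

# Aggregation methods a report may apply when consolidating across time intervals.
AGGREGATORS: dict[str, Callable[[Sequence[float]], float]] = {
    "average": mean,
    "max": max,
    "sum": sum,
}

# Display units for byte-based measurements (assumed table): a rate in
# bytes/sec is multiplied by the factor to obtain the chosen unit.
BYTE_UNIT_FACTORS = {
    "bytes/sec": 1.0,
    "bits/sec": 8.0,
    "kbits/sec": 8.0 / 1_000,
    "Mbits/sec": 8.0 / 1_000_000,
}


def rebin(values: Sequence[float], factor: int, method: str = "average") -> list[float]:
    """Collapse every `factor` consecutive bins into one bin using `method`.

    Doubling the report period with a fixed number of chart bins is the same
    as rebinning with factor 2. A trailing partial group is aggregated on its
    own so no samples are silently dropped.
    """
    if factor < 1:
        raise ValueError("factor must be at least 1")
    aggregate = AGGREGATORS[method]
    return [aggregate(values[i:i + factor]) for i in range(0, len(values), factor)]


def peak_retained(values: Sequence[float], factor: int, method: str) -> bool:
    """True if the largest sample is still visible after rebinning with `method`."""
    return max(rebin(values, factor, method)) == max(values)


def convert_byte_rate(rate_bytes_per_sec: float, unit: str) -> float:
    """Convert an average rate in bytes/sec to the selected display unit."""
    return rate_bytes_per_sec * BYTE_UNIT_FACTORS[unit]


def chart_series(values_bytes_per_sec, factor, method="average", unit="bits/sec"):
    """Rebin a bytes/sec series and convert it to the display unit, as the chart would."""
    return [convert_byte_rate(v, unit) for v in rebin(values_bytes_per_sec, factor, method)]


if __name__ == "__main__":
    hourly = [4.0, 5.0, 17.0, 5.0]
    print("average:", rebin(hourly, 2))      # the diluted series from the note
    print("max:", rebin(hourly, 2, "max"))   # the peak survives
```

With "average", the 17 in the one-hour series becomes an 11 in the two-hour series; with "max" it survives. When you are hunting for a short burst over a long report period, a maximum aggregation (or a shorter period, as the note recommends) is what keeps it visible.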

Bandwidth by Protocol
Overview
Use the Bandwidth by Protocol report to identify the amount of bandwidth being consumed for selected protocols. Use this information to
see the net effect of protocol traffic over the specified physical network interface.
The report contains the following chart:
• Bandwidth by Protocol - Stacked area chart showing the amount of bandwidth consumed by each selected protocol. This is
measured as the average bitrate (bits per second) over time.
Configuring the report
Select a time period and the elements you wish to monitor for protocol bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area. It is recommended that you report on a single element at a time.
The Network Interface Selection area allows you to select the physical wiring ports of the Sandvine element, similar to MRTG-style charts.
Finally, select the protocols and protocol categories that you wish to monitor. It is recommended that you analyze 5-10 protocols at a
time.

Interpreting the report


Bandwidth by Protocol
• highlights the most popular protocols that are consuming network bandwidth

Note: because the data is presented as a running average, peak values may appear to shrink
depending on the time interval configured for the report. If you need finer-grained accuracy,
run the report over a shorter interval of time. The scaling effect results from peak values
being diluted over the interval of the report. For example, if you report on a one-week period,
that interval may be broken up into one-hour bins within the chart. Suppose four consecutive
plotted points in the chart were the series (4, 5, 17, 5), each value being the average rate for
its hour. If you re-ran the report over a two-week period, the same time range would be covered
by fewer bins with lower values: in this example, the series (4.5, 11) at the corresponding
points. This is because the two-week report must collapse adjacent time bins, which dilutes
peak values through averaging.

Packets by Interface
Overview
Use the Packets by Interface report to identify the number of packets carried on the specified physical network interface.
The report contains the following chart:
• Packets by Interface - Area chart showing the number of packets carried on the specified physical network interface.
This is measured as the average packet rate (packets per second) over time.
Configuring the report
Select a time period and the elements you wish to monitor for packet volume. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area. It is recommended that you report on a single element at a time.
The Network Interface Selection area allows you to select the physical wiring ports of the Sandvine element, similar to MRTG-style charts.

Interpreting the report


Packets by Interface
• highlights the amount of network traffic on the specified physical network interface
• provides a comparison with MRTG-style reports based on total packets

Note: because the data is presented as a running average, peak values may appear to shrink
depending on the time interval configured for the report. If you need finer-grained accuracy,
run the report over a shorter interval of time. The scaling effect results from peak values
being diluted over the interval of the report. For example, if you report on a one-week period,
that interval may be broken up into one-hour bins within the chart. Suppose four consecutive
plotted points in the chart were the series (4, 5, 17, 5), each value being the average rate for
its hour. If you re-ran the report over a two-week period, the same time range would be covered
by fewer bins with lower values: in this example, the series (4.5, 11) at the corresponding
points. This is because the two-week report must collapse adjacent time bins, which dilutes
peak values through averaging.

Packets by Protocol
Overview
Use the Packets by Protocol report to identify the number of packets carried for the selected protocols. Use this information to see
the net effect of protocol traffic over the specified physical network interface.
The report contains the following chart:
• Packets by Protocol - Stacked area chart showing the number of packets carried by each selected protocol. This is
measured as the average packet rate (packets per second) over time.
Configuring the report
Select a time period and the elements you wish to monitor for protocol packet volume. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area. It is recommended that you report on a single element at a time.
The Network Interface Selection area allows you to select the physical wiring ports of the Sandvine element, similar to MRTG-style charts.
Finally, select the protocols and protocol categories that you wish to monitor. It is recommended that you analyze 5-10 protocols at a
time.

Interpreting the report


Packets by Protocol
• highlights the most popular protocols in terms of the number of packets they generate

Note: because the data is presented as a running average, peak values may appear to shrink
depending on the time interval configured for the report. If you need finer-grained accuracy,
run the report over a shorter interval of time. The scaling effect results from peak values
being diluted over the interval of the report. For example, if you report on a one-week period,
that interval may be broken up into one-hour bins within the chart. Suppose four consecutive
plotted points in the chart were the series (4, 5, 17, 5), each value being the average rate for
its hour. If you re-ran the report over a two-week period, the same time range would be covered
by fewer bins with lower values: in this example, the series (4.5, 11) at the corresponding
points. This is because the two-week report must collapse adjacent time bins, which dilutes
peak values through averaging.

Top Protocol Histogram


Overview
Use the Top Ten Protocol Histogram report to identify the top protocols that are consuming bandwidth across the specified physical
network interfaces.
The report contains the following chart:
• Top Ten Protocol Histogram - Pareto (or histogram) chart showing the percentage of bandwidth consumed by each
selected protocol.
Configuring the report
Select a time period and the elements you wish to monitor for protocol bandwidth consumption. You can build virtual clusters of Sandvine
elements using the Element Selection configuration area.
The Network Interface Selection area allows you to select the physical wiring ports of the Sandvine element, similar to MRTG-style charts.
Finally, select the protocols and protocol categories for which you wish to monitor network bandwidth.

Interpreting the report


Top Ten Protocol Histogram
• highlights the most popular protocols

by Protocol
Bandwidth by Protocol
Overview
Use the Bandwidth by Protocol report to identify the amount of bandwidth being consumed for selected protocols. Use this information to
see the net effect of protocol traffic over the specified networks.
The report contains the following chart:
• Bandwidth by Protocol - Stacked area chart showing the amount of bandwidth consumed by each selected protocol. This is
measured as the average bitrate (bits per second) over time.
Configuring the report
Select a time period and the elements you wish to monitor for protocol bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Finally, select the protocols and protocol categories that you wish to monitor. It is recommended that you analyze 5-10 protocols at a
time.

Interpreting the report


Bandwidth by Protocol
• highlights the most popular protocols that are consuming network bandwidth

Note: because the data is presented as a running average, peak values may appear to shrink
depending on the time interval configured for the report. If you need finer-grained accuracy,
run the report over a shorter interval of time. The scaling effect results from peak values
being diluted over the interval of the report. For example, if you report on a one-week period,
that interval may be broken up into one-hour bins within the chart. Suppose four consecutive
plotted points in the chart were the series (4, 5, 17, 5), each value being the average rate for
its hour. If you re-ran the report over a two-week period, the same time range would be covered
by fewer bins with lower values: in this example, the series (4.5, 11) at the corresponding
points. This is because the two-week report must collapse adjacent time bins, which dilutes
peak values through averaging.

Bandwidth Intensity
Overview
The Bandwidth Intensity report shows which protocols are "bandwidth hungry", that is, which protocols consume a lot of bandwidth relative
to the number of hosts using them. The report also indicates which protocols have a large user base.
This report contains the following two charts:
• Bandwidth Intensity (Receive) - Overlaid line chart showing, for each protocol, the percentage of received bytes minus the
percentage of hosts using that protocol.
• Bandwidth Intensity (Transmit) - Overlaid line chart showing, for each protocol, the percentage of transmitted bytes minus the
percentage of hosts using that protocol.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols and protocol categories in which you wish to monitor.

Interpreting the report


• negative values mean the protocol's share of hosts exceeds its share of bytes: many hosts use it, each consuming relatively little.
• exceptionally high values mean the protocol consumes a large volume of bandwidth per host.
• values that hover around zero mean the protocol's bandwidth share is in line with its host share; it is not exceptional.

Bandwidth per Host


Overview
The Bandwidth per Host report shows the average protocol bandwidth consumption rate divided by the number of hosts in each reporting
interval. This report contains the following two charts:
• Average Bandwidth per Host (Receive) - Stacked bar chart showing the average bitrate (measured in bits per second)
divided by the number of hosts using each protocol.
• Average Bandwidth per Host (Transmit) - Stacked bar chart showing the average bitrate (measured in bits per second)
divided by the number of hosts using each protocol.
Configuring the report
Select a time period and the elements you wish to monitor for protocol bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols and protocol categories that you wish to monitor. It is recommended that you analyze 1-5 protocols at a
time.

Interpreting the report


The Bandwidth per Host value is calculated by dividing the average bandwidth consumption rate of the selected protocol by the number of
hosts with active connections of that protocol in each reporting interval.

Use this report to identify which protocols are consuming the highest rate of bandwidth per host. For example, a protocol with one user
consuming 80 Mbps (80 Mbps per host) will appear higher in the chart than a protocol with forty users consuming 800 Mbps (20 Mbps per
host). This is useful for identifying emerging "problem protocols".

Protocol Adoption
Overview
Use the Protocol Adoption report to identify what percentage of active hosts are using specific protocols during the reporting period. Use
this report to gauge the popularity of different protocols.
The report contains the following chart:
• Protocol Adoption - Overlaid area chart showing the percentage of active hosts using each specified protocol across each
reporting interval.
Configuring the report
Select a time period and the elements you wish to monitor for host stats. You can build virtual clusters of Sandvine elements using the
Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols for which you wish to monitor the number of hosts. Selecting a large number of protocols may reduce the
visibility of individual protocols in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.

Interpreting the report


• Use this report to gauge the popularity of specific protocols within the selected networks.
• The percentage of active hosts is calculated by dividing the number of hosts with active connections for a specified protocol
by the total number of active hosts in each reporting interval.
• A host is counted when it has an active connection during the reporting interval.
• If a host starts and stops connections multiple times during the same reporting interval, it is counted only once.
• If a host starts a connection in Interval 1 and remains connected through Intervals 2 and 3, it is counted in all three
reporting intervals.

Protocol Summary
Overview
Use the Protocol Summary report to view summary information for the selected protocols, including the amount of traffic carried and the
number of hosts using each protocol. Use this information to see an overview of protocol traffic over the specified networks.

The following information is presented in the Protocol Summary report:
• Protocol - The name of the protocol
• Receive - The volume of traffic received via this protocol, measured in bytes
• Transmit - The volume of traffic transmitted via this protocol, measured in bytes
• Hosts - The number of hosts that used this protocol

Configuring the report


Select a time period and the cluster and elements you wish to monitor for protocol bandwidth and hosts information. You can build virtual
clusters of Sandvine elements using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols and protocol categories that you wish to monitor. It is recommended that you analyze 5-10 protocols at a
time.

Interpreting the report


Protocol Summary
• Highlights the most popular protocols that are consuming network bandwidth and the number of hosts using them
• The number of hosts is interpreted as the maximum number of hosts in a single reporting interval between the start and end
dates
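The host-counting rules from the Protocol Adoption report and the calculations behind Bandwidth per Host, Bandwidth Intensity and the Protocol Summary host count, as one added Python example. This is not code from the Network Demographics product; the connection records, the 300-second interval length, the constant per-connection rates and all function names are constructed for illustration.

```python
"""Per-interval protocol metrics: Protocol Adoption, Bandwidth per Host,
Bandwidth Intensity and the Protocol Summary host count.

Added example, not code from the Network Demographics product. It applies the
host-counting rules stated under Protocol Adoption (a host counts once per
reporting interval in which it has an active connection, and a connection
spanning several intervals counts in each of them) and derives the other
three reports' values from the same per-interval data. The connection
records, the 300-second interval length, the constant per-connection rates
and all function names are constructed for this example; the product's own
data model is not shown on this page.
"""
from dataclasses import dataclass

INTERVAL_SECONDS = 300  # assumed reporting interval length


@dataclass(frozen=True)
class Connection:
    host: str
    protocol: str
    start: int              # seconds since report start, inclusive
    end: int                # seconds since report start, exclusive
    rx_bytes_per_sec: float
    tx_bytes_per_sec: float


# Constructed sample: three hosts, two protocols, three reporting intervals (0-900 s).
SAMPLE = [
    Connection("10.0.0.1", "http", 0, 120, 1000.0, 200.0),
    Connection("10.0.0.1", "http", 200, 260, 1000.0, 200.0),  # same host, same interval: counted once
    Connection("10.0.0.2", "http", 100, 400, 500.0, 100.0),   # spans intervals 0 and 1
    Connection("10.0.0.3", "p2p", 0, 900, 4000.0, 4000.0),    # spans all three intervals
    Connection("10.0.0.2", "p2p", 600, 900, 2000.0, 2000.0),
]


def overlap_seconds(conn: Connection, idx: int) -> int:
    """Seconds of `conn` that fall inside reporting interval `idx`."""
    lo = idx * INTERVAL_SECONDS
    hi = lo + INTERVAL_SECONDS
    return max(0, min(conn.end, hi) - max(conn.start, lo))


def interval_stats(conns, idx):
    """Return ({protocol: (hosts, rx_bytes, tx_bytes)}, all_active_hosts) for one interval."""
    per_proto = {}
    all_hosts = set()
    for c in conns:
        secs = overlap_seconds(c, idx)
        if secs == 0:
            continue                       # not active in this interval
        hosts, rx, tx = per_proto.get(c.protocol, (set(), 0.0, 0.0))
        per_proto[c.protocol] = (hosts | {c.host},
                                 rx + c.rx_bytes_per_sec * secs,
                                 tx + c.tx_bytes_per_sec * secs)
        all_hosts.add(c.host)              # a set, so a host is counted once per interval
    return per_proto, all_hosts


def adoption_pct(conns, idx):
    """Protocol Adoption: hosts using each protocol as a percentage of all active hosts."""
    per_proto, all_hosts = interval_stats(conns, idx)
    if not all_hosts:
        return {}
    return {p: 100.0 * len(h) / len(all_hosts) for p, (h, _, _) in per_proto.items()}


def bandwidth_per_host_bps(conns, idx, direction="rx"):
    """Bandwidth per Host: the protocol's average bitrate divided by its host count."""
    per_proto, _ = interval_stats(conns, idx)
    out = {}
    for p, (hosts, rx, tx) in per_proto.items():
        total_bytes = rx if direction == "rx" else tx
        out[p] = (total_bytes * 8 / INTERVAL_SECONDS) / len(hosts)
    return out


def intensity(conns, idx, direction="rx"):
    """Bandwidth Intensity: percentage of bytes minus percentage of hosts, per protocol."""
    per_proto, all_hosts = interval_stats(conns, idx)
    total = sum(rx if direction == "rx" else tx for _, rx, tx in per_proto.values())
    if not all_hosts or total == 0:
        return {}
    out = {}
    for p, (hosts, rx, tx) in per_proto.items():
        b = rx if direction == "rx" else tx
        out[p] = 100.0 * b / total - 100.0 * len(hosts) / len(all_hosts)
    return out


def protocol_summary(conns, n_intervals):
    """Protocol Summary rows (rx_bytes, tx_bytes, hosts); hosts is the maximum
    host count seen in any single reporting interval, as the report states."""
    rows = {}
    for idx in range(n_intervals):
        per_proto, _ = interval_stats(conns, idx)
        for p, (hosts, rx, tx) in per_proto.items():
            r, t, h = rows.get(p, (0.0, 0.0, 0))
            rows[p] = (r + rx, t + tx, max(h, len(hosts)))
    return rows
```

In the constructed sample, host 10.0.0.1 opens two HTTP connections inside interval 0 and is counted once; host 10.0.0.3 keeps one P2P connection open for all three intervals and is counted in each. The intensity values for a single interval sum to zero when every active host uses exactly one protocol, which is why "around zero" is the uninteresting case.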

Top Protocol Histogram


Overview
Use the Top Ten Protocol Histogram report to identify the top protocols that are consuming bandwidth across the specified networks.
The report contains the following chart:
• Top Ten Protocol Histogram - Pareto (or histogram) chart showing the percentage of bandwidth consumed by each
selected protocol.
Configuring the report
Select a time period and the elements you wish to monitor for protocol bandwidth consumption. You can build virtual clusters of Sandvine
elements using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Finally, select the protocols and protocol categories for which you wish to monitor network bandwidth.

Interpreting the report


Top Ten Protocol Histogram
• highlights the most popular protocols

by Domain
Top Domains
Overview
The Top DNS Domains report indicates the total number of requests associated with the top N domains for the reporting period.
The report contains the following table:
• Domain Name - The domain name.
• Total Requests - Total number of requests during the reporting period.
• Rate (requests/second) - The total number of requests divided by the number of seconds in the report period.

Note: domains are determined by the three most significant segments of the domain name. For
example, www.google.co.uk and maps.google.co.uk both are mapped to the domain name google.co.uk.

Configuring the report


Select a time period and the clusters you wish to monitor.

Interpreting the report


• report is limited by the value set for top n. This value defaults to 20.
• use this report to ascertain the impact of a specific domain on the network; for example, whether 25% of all requests on the
network are directed at one domain.

Top Domains Histogram


Overview
The Top DNS Domains Histogram report indicates the most requested domain names for the reporting period.
The report contains the following chart:
• Top DNS Domains - Histogram chart showing the total requests for the most popular domain names.
Configuring the report
Select a time period and the clusters you wish to monitor.

Interpreting the report


• report is limited by the value set for top n. This value defaults to 20.
• use this report to ascertain the impact of a specific domain on the network; for example, whether 25% of all requests on the
network are directed at one domain.

by Server
Efficiency
Overview
The DNS Efficiency report provides a general overview of the DNS system's ability to service requests at any point in time. The
report measures the total number of responses over a period of time against the total number of requests during the same period.
The report contains the following chart:
• DNS Efficiency - area chart outlining the percentage of all requests that receive a response.
Configuring the report
Select a time period and the elements you wish to monitor for DNS requests and responses. You can build virtual clusters of Sandvine
elements using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select the networks that contain the DNS servers you wish to report against in the
Destination Network.
The DNS Server Selection area allows you to select individual DNS servers to report against.
Finally, select the DNS request and response types you wish to monitor.

Interpreting the report


• use the report to assess the reliability of the DNS server's response rate.
• use in combination with the "Warning" and "Fail" thresholds to identify periods where the server efficiency falls below these
thresholds.

Mean Time to Respond


Overview
The DNS Mean Time to Respond report measures how quickly requests are being fulfilled, and can be used to pinpoint
degradation and trigger a response to it.
The report contains the following chart:
• Mean Time to Respond - line chart outlining the average time for DNS requests from subscribers or other hosts to the
corresponding domain name server response.
Configuring the report
Select a time period and the elements you wish to monitor for DNS requests and responses. You can build virtual clusters of Sandvine
elements using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select the networks that contain the DNS servers you wish to report against in the
Destination Network.
The DNS Server Selection area allows you to select individual DNS servers to report against.
Finally, select the DNS request and response types you wish to monitor.

Interpreting the report


• use in combination with the "Warning" and "Fail" thresholds to identify periods where the server MTTR is not meeting these
targets.

MTTR Histogram
Overview
The Mean Time to Respond Histogram report displays a frequency distribution of the mean time to respond to requests.
The report contains the following chart:
• Mean Time to Respond Histogram - histogram chart outlining the total number of responses that occurred in an elapsed
time bin measured in milliseconds.
Configuring the report
Select a time period and the elements you wish to monitor for DNS requests and responses. You can build virtual clusters of Sandvine
elements using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select the networks that contain the DNS servers you wish to report against in the
Destination Network.
The DNS Server Selection area allows you to select individual DNS servers to report against.

Interpreting the report


• goal is to have the highest volume of requests in the lowest response time bin.
• if the histogram is skewed with the highest volume being in the higher response time bins, a problem exists.

Server Performance Summary


Overview
The DNS Server Performance Analysis report displays a number of summary reports for the selected DNS server. The report contains the
following items:
• Dashboard Over Time - table displaying the Mean Time to Respond and Efficiency for the previous hour, day, week, and
month.
• DNS Requests - stacked area chart displaying the number of requests per second during the reporting period.
• DNS Responses - stacked area chart displaying the number of responses per second during the reporting period.
• DNS Efficiency - area chart outlining the percentage of all requests that receive a response.
• Mean Time to Respond - line chart outlining the average time of DNS requests from subscribers or other hosts to the
corresponding domain name server response.
• Mean Time to Respond Histogram - histogram chart outlining the total number of responses that occurred in an elapsed
time bin measured in milliseconds.
Interpreting the report
• use this report to evaluate performance for the reporting period.
• compare the DNS Requests and DNS Responses charts to determine whether the number of responses is significantly less than the
number of requests. If it is, further investigation is warranted.
• examine the Mean Time to Respond Histogram to ensure that the highest volume of responses is in the lowest time bin. If the
histogram is skewed toward higher response times, further investigation is warranted.

Volume
Overview
Use the DNS Volume report to identify the number of DNS requests and responses directed to each configured DNS server.
The report contains the following two charts iterated for each detected DNS server:
• DNS Requests - Stacked area chart showing the number of DNS requests for each selected type from the originating network
to the DNS server or network.
• DNS Responses - Stacked area chart showing the number of DNS responses for each selected type from the DNS server to
the originating network.
Configuring the report
Select a time period and the elements you wish to monitor for DNS requests and responses. You can build virtual clusters of Sandvine
elements using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select the networks that contain the DNS servers you wish to report against in the
Destination Network.
Finally, select the DNS request and response types you wish to monitor.

Interpreting the report


• use the report to identify the distribution of DNS request and response types.
• use the report to identify what is considered to be 'normal' DNS traffic for your network.
• compare the rate of requests. An unusually high volume over a short period of time may indicate malicious intent.

by Subscriber
Top Talkers
Overview
The Top DNS Talkers report lists the top N subscribers that have issued DNS requests of a specific type over a specified period of time.
The report contains the following table:
• Subscriber - The name or IP address of the subscriber.
• Requests - Total number of requests made by the subscriber during the reporting period for the selected request types.
• Rate (requests/second) - The total number of requests divided by the number of seconds in the report period.

Configuring the report


Select a time period and the clusters you wish to monitor.
Select the DNS request type to categorize the top talkers against. The results from all selected request types will be aggregated together
to determine the eventual top talkers.

Interpreting the report


• use this report to identify which subscribers are generating the most requests.
• report displays the top N talkers (default is 10).
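The domain rule from the Top Domains report (a domain is the three most significant labels of the queried name) and the per-domain and per-subscriber ranking and rate calculations of the Top Domains and Top Talkers reports, as one added Python example. This is not the Network Demographics product's own code; the request records, the report period and names such as `report_domain` are constructed for illustration.

```python
"""Top DNS Domains and Top DNS Talkers from a list of DNS requests.

Added example, not the Network Demographics product's own code. It applies
the domain rule stated under Top Domains (a domain is the three most
significant labels of the queried name, so www.google.co.uk and
maps.google.co.uk both count toward google.co.uk), ranks domains and
subscribers by request count, and derives the requests/second rate from the
report period. The request records, request types and report period are
constructed; the function names are this example's, not the product's.
"""
from collections import Counter

# Constructed sample: (seconds since report start, subscriber, queried name, request type)
REQUESTS = [
    (0, "10.1.1.10", "www.google.co.uk", "A"),
    (5, "10.1.1.10", "maps.google.co.uk", "A"),
    (9, "10.1.1.11", "mail.google.co.uk.", "AAAA"),   # trailing root dot, different type
    (12, "10.1.1.12", "WWW.Example.COM", "A"),       # mixed case
    (20, "10.1.1.10", "api.example.com", "A"),
    (25, "10.1.1.11", "localhost", "A"),             # single label
    (40, "10.1.1.12", "cdn.example.com", "MX"),
]
PERIOD_SECONDS = 60  # constructed report period


def report_domain(qname: str) -> str:
    """Map a queried name to the report's domain: its three most significant labels.

    The name is lower-cased and a trailing root dot is dropped before
    splitting. A name with three or fewer labels maps to itself, so under
    this rule www.example.com and api.example.com are distinct domains.
    """
    labels = [label for label in qname.lower().rstrip(".").split(".") if label]
    return ".".join(labels[-3:])


def _selected(requests, request_types):
    """Keep only requests of the selected types (None means all types)."""
    return [r for r in requests if request_types is None or r[3] in request_types]


def top_domains(requests, top_n=20, request_types=None):
    """Top Domains rows: [(domain, total_requests, rate_per_second)] for the top N domains."""
    counts = Counter(report_domain(qname) for _, _, qname, _ in _selected(requests, request_types))
    return [(d, n, n / PERIOD_SECONDS) for d, n in counts.most_common(top_n)]


def top_talkers(requests, top_n=10, request_types=None):
    """Top Talkers rows: [(subscriber, total_requests, rate_per_second)], aggregated over the selected types."""
    counts = Counter(sub for _, sub, _, _ in _selected(requests, request_types))
    return [(s, n, n / PERIOD_SECONDS) for s, n in counts.most_common(top_n)]


def share_of_requests(requests, domain):
    """Fraction of all requests in the period directed at `domain` (the '25% of all requests' question)."""
    if not requests:
        return 0.0
    hits = sum(1 for _, _, qname, _ in requests if report_domain(qname) == domain)
    return hits / len(requests)
```

Because the rule keeps only the last three labels, every name under a two-label zone such as `google.co.uk` collapses into that zone, whereas names under a single-label-plus-TLD zone such as `example.com` stay separate per hostname. Keep that in mind when reading a Top Domains row for a `.com` domain: it is one hostname, not the whole zone.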

Top Talkers Histogram


Overview
The Top DNS Talkers Histogram report indicates the subscribers that sent the most DNS requests for the reporting period.
The report contains the following chart:
• Top DNS Talkers - Histogram chart showing the total requests sent by each subscriber.
Configuring the report
Select a time period and the clusters you wish to monitor.

Interpreting the report


• report is limited by the value set for top n. This value defaults to 20.
• use this report to identify which subscribers are generating the most requests.

DNS
Network Summary
Overview
The DNS Network Dashboard report provides an overview of the most recent performance of the DNS servers across the entire network.
This report provides the MTTR and DNS efficiency metric for the collection of DNS servers across the entire network.
The report contains the following table:
• Status - Indicates the status of the MTTR and DNS efficiency metrics. Values include:
Fail - highlighted in red; the network has missed the MTTR threshold or the DNS efficiency threshold.
Pass - both the MTTR and DNS efficiency targets have been met.
Warning - either the MTTR metric or the DNS efficiency metric is approaching its Fail threshold.
• Network - The network name.
• Server Health - The ratio of the number of DNS servers with a Pass status to the total number of DNS servers. For example, 9/10
indicates that for a group of 10 servers, 9 have Pass status.
• Efficiency - The aggregate efficiency of the DNS servers in the network: the percentage of requests that received a response.
• Mean Time to Respond - Mean time to respond to a request, measured in milliseconds per response.

Configuring the report


Select a time period and the elements you wish to monitor for DNS requests and responses. You can build virtual clusters of Sandvine
elements using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select the networks that contain the DNS servers you wish to report against in the
Destination Network.

Drilldowns
DNS Server Dashboard
To examine details on specific DNS servers within a network, click the network to drill down to the DNS Server Dashboard.

Interpreting the report


• use this report to identify networks which are not meeting the targets and require further investigation or remediation.
• a status of "Fail" is critical and should be investigated immediately.
• a status of "Warning" indicates that at least one of the metrics is approaching its Fail threshold.

Server Summary
Overview
The DNS Server Dashboard report provides an overview of the most recent performance of the DNS servers across the entire cluster. This
report provides the MTTR and DNS efficiency metric for each DNS server aggregated across the entire cluster.
The report contains the following table:
• Status - Indicates the status of the MTTR and DNS efficiency metrics. Values include:
Fail - highlighted in red; the server has missed the MTTR threshold or the DNS efficiency threshold.
Pass - both the MTTR and DNS efficiency targets have been met.
Warning - either the MTTR metric or the DNS efficiency metric is approaching its Fail threshold.
• DNS Server - IP address of the DNS server.
• Efficiency - The efficiency of this DNS server: the percentage of requests that received a response.
• Mean Time to Respond - Mean time to respond to a request, measured in milliseconds per response.

Configuring the report


Select a time period and the elements you wish to monitor for DNS requests and responses. You can build virtual clusters of Sandvine
elements using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select the networks that contain the DNS servers you wish to report against in the
Destination Network.

Drilldowns
DNS Server Performance Analysis
To examine details on a specific DNS server within a network, click the DNS Server IP address.

Interpreting the report


• use this report to identify individual servers which are not meeting the targets and require further investigation or
remediation.
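The calculations behind the DNS Efficiency, Mean Time to Respond and MTTR Histogram reports and the Pass/Warning/Fail status and Server Health ratio shown on the Network Summary and Server Summary dashboards, as one added Python example. This is not the Network Demographics product's own code; the events, the (transaction id, client, server) pairing key, the threshold values and all function names are constructed for illustration, and the product's actual thresholds are operator-configured and not given on this page.

```python
"""DNS Efficiency, Mean Time to Respond, MTTR histogram and Pass/Warning/Fail status.

Added example, not the Network Demographics product's own code. It pairs DNS
responses with their requests, computes the percentage of requests that
received a response (Efficiency), the average request-to-response time
(MTTR), the per-bin response counts of the MTTR Histogram, and the status
and Server Health values of the summary dashboards. Events, pairing key,
thresholds and function names are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t_ms: float       # capture time in milliseconds since the report start
    kind: str         # "req" or "resp"
    txid: int         # DNS transaction id
    client: str
    server: str


# Constructed sample: five requests to 10.0.0.53 (four answered, one lost, one
# slow) plus one healthy exchange with 10.0.0.54 and one stray response.
EVENTS = [
    Event(0, "req", 1, "10.1.1.10", "10.0.0.53"),
    Event(12, "resp", 1, "10.1.1.10", "10.0.0.53"),
    Event(100, "req", 2, "10.1.1.11", "10.0.0.53"),
    Event(130, "resp", 2, "10.1.1.11", "10.0.0.53"),
    Event(200, "req", 3, "10.1.1.10", "10.0.0.53"),    # never answered
    Event(300, "req", 4, "10.1.1.12", "10.0.0.53"),
    Event(345, "resp", 4, "10.1.1.12", "10.0.0.53"),
    Event(400, "req", 5, "10.1.1.11", "10.0.0.53"),
    Event(1200, "resp", 5, "10.1.1.11", "10.0.0.53"),  # slow answer
    Event(500, "resp", 9, "10.1.1.13", "10.0.0.53"),   # no matching request: ignored
    Event(600, "req", 7, "10.1.1.10", "10.0.0.54"),
    Event(610, "resp", 7, "10.1.1.10", "10.0.0.54"),
]

# Constructed thresholds (operator-configured in the product; values here are illustrative).
THRESHOLDS = {
    "efficiency_warn": 90.0, "efficiency_fail": 75.0,   # percent of requests answered
    "mttr_warn": 150.0, "mttr_fail": 300.0,             # milliseconds
}


def response_times(events, server):
    """Return (request_count, [response_time_ms, ...]) for one server.

    A response is matched to the earliest outstanding request with the same
    transaction id and client; responses with no outstanding request are ignored.
    """
    pending, times, requests = {}, [], 0
    for e in sorted(events, key=lambda ev: ev.t_ms):
        if e.server != server:
            continue
        key = (e.txid, e.client)
        if e.kind == "req":
            requests += 1
            pending.setdefault(key, []).append(e.t_ms)
        elif pending.get(key):
            times.append(e.t_ms - pending[key].pop(0))
    return requests, times


def efficiency_pct(events, server):
    """DNS Efficiency: percentage of requests that received a response."""
    requests, times = response_times(events, server)
    return 100.0 * len(times) / requests if requests else 0.0


def mttr_ms(events, server):
    """Mean Time to Respond in milliseconds, or None when nothing was answered."""
    _, times = response_times(events, server)
    return sum(times) / len(times) if times else None


def mttr_histogram(events, server, bin_ms=50, bins=6):
    """MTTR Histogram: responses per elapsed-time bin; the last bin collects everything slower."""
    _, times = response_times(events, server)
    counts = [0] * bins
    for t in times:
        counts[min(int(t // bin_ms), bins - 1)] += 1
    return counts


def status(events, server, th=THRESHOLDS):
    """Pass/Warning/Fail: efficiency fails by dropping below a threshold, MTTR by rising above one."""
    eff, mttr = efficiency_pct(events, server), mttr_ms(events, server)
    if mttr is None or eff < th["efficiency_fail"] or mttr > th["mttr_fail"]:
        return "Fail"
    if eff < th["efficiency_warn"] or mttr > th["mttr_warn"]:
        return "Warning"
    return "Pass"


def server_health(events, servers):
    """Network Summary 'Server Health': (servers with Pass status, total servers), e.g. (9, 10)."""
    passing = sum(1 for s in servers if status(events, s) == "Pass")
    return passing, len(servers)
```

In the sample, 10.0.0.53 answers four of five requests (80% efficiency) with a mean of 221.75 ms, which is above the Warning line for both metrics but not yet at Fail; the histogram shows three fast answers in the first bin and the 800 ms outlier in the overflow bin, exactly the skew the MTTR Histogram section tells you to look for.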

Total Request Volume
Overview
Use the DNS Volume report to identify the number of DNS requests and responses directed to each configured DNS server.
The report contains the following two charts iterated for each detected DNS server:
• DNS Requests - Stacked area chart showing the number of DNS requests for each selected type from the originating network
to the DNS server or network.
• DNS Responses - Stacked area chart showing the number of DNS responses for each selected type from the DNS server to
the originating network.
Configuring the report
Select a time period and the elements you wish to monitor for DNS requests|responses. You can build virtual clusters of Sandvine
elements using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select the networks that contain the DNS servers you wish to report against in the
Destination Network.
Finally, select the DNS request and response types you wish to monitor.

Interpreting the report


• use the report to identify distribution between DNS request|response types.
• use the report to identify what is considered to be 'normal' DNS traffic for your network.
• compare the rate of requests. An unusually high volume over a short period of time may indicate malicious intent.

by Protocol
Bandwidth by Protocol
Overview
Use the Bandwidth by Protocol report to identify the amount of bandwidth being consumed for selected protocols. Use this information to
see the net effect of protocol traffic over the specified networks.
The report contains the following chart:
• Bandwidth by Protocol - Stacked area chart showing the amount of bandwidth consumed by each selected protocol. This is
measured as the average bitrate (bits per second) over time.
Configuring the report
Select a time period and the elements you wish to monitor for protocol bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Finally, select the protocols and protocol categories that you wish to monitor. It is recommended that you analyze 5-10 protocols at a
time.

Interpreting the report


Bandwidth by Protocol
• highlights the most popular protocols that are consuming network bandwidth

Note: due to the manner in which this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. If you are looking for finer-grained
accuracy, it is generally recommended that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one-week period of time, that reporting interval may be broken up into one-hour
segments within the chart. Let's assume that four consecutive plotted points within the chart formed the
series (4, 5, 17, 5). These values would represent the average rate of events for each particular hour. If
we re-ran the report with a two-week time period, we would find that in this particular time range we
would have fewer bins with lower values. In this example, we would expect to see the following series
of values for the same time points: (4.5, 11). This is caused by the fact that the two-week report must
collapse time bins, which dilutes peak values through averaging.

Connections by Protocol
Overview
Use the Connections by Protocol report to identify the number of connection attempts per protocol and network. The report contains the
following three charts:
• Connections - Stacked bar chart showing the total number of active connections during the reporting interval.
• New connections - Stacked bar chart showing the total number of new connections created during the reporting interval.
• Peak connections - Stacked bar chart showing the peak number of concurrent active connections over the reporting interval.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols for which you wish to monitor connections. Selecting a large number of protocols may reduce the
visibility of these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.

Interpreting the report


Connections
• This report shows the total number of active connections in each reporting interval.
• If a connection starts in one interval and remains connected through the next few intervals, it will be counted in every one of
these intervals.
New connections
• This report shows the total number of new connections initiated in each reporting interval.
• For example, in a single 15-minute interval, Connection A starts and stops and Connection B starts and stops. The number of
new connections in that interval is 2.
• If a connection starts in one interval and remains connected through the next few intervals, it is counted as only one new
connection overall, in the interval in which it started.
Peak connections
• This report shows the peak number of concurrent active connections over the reporting interval.
• If a connection starts in one interval and remains connected through the next few intervals, it will be counted in every one of
those intervals.
• For example, if Connection A starts and stops, and then Connection B starts and stops, peak connections is 1. If Connection A
starts, then Connection B starts, then Connection A ends, then Connection B ends, peak connections is 2.

Hosts by Protocol
Overview
Use the Hosts by Protocol report to identify the number of hosts using the specified protocols. By default, the Hosts by Protocol report
contains a single chart showing the maximum number of unique hosts seen in a single PTS logging interval per protocol and network.
This report has two optional components.
• Hosts - Stacked bar chart showing the maximum number of unique hosts that had active connections in a single PTS logging
interval for the specified protocols.
• Peak Hosts (optional) - Stacked bar chart used for legacy purposes.
• New Hosts (optional) - Stacked bar chart showing the total number of hosts that started a connection in each reporting
interval for the specified protocols.

Configuring the report
Select a time period and the elements you wish to monitor for host stats. You can build virtual clusters of Sandvine elements using the
Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols for which you wish to monitor the number of hosts. Selecting a large number of protocols may reduce the
visibility of these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.

Interpreting the report


Hosts
• This report shows the maximum number of unique hosts that had active connections in a single PTS logging interval (by
default 15 minutes) for the specified protocols.
• If a host starts and stops multiple times during the same reporting interval, it will only be counted once.
• If a host starts a connection in Interval 1 and remains connected through Intervals 2 and 3, it will be counted in
all three reporting intervals.
• When the reporting interval spans multiple logging intervals, the peak value of the intervals will be used.
Peak hosts
• This report is inactive by default.
• When activated, it can be used to show any historic peak hosts count collected with PTS 5.4. After upgrading to PTS 5.5,
however, this report will show a zero count from the date of the upgrade.
New hosts
• This report is inactive by default.
• When activated, it will show the total number of hosts that started one or more connections in each reporting interval.
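The interval-counting rules given above for Connections, New connections, Peak connections, Hosts and New hosts can be checked against a small constructed set of connections. The following Python example is added here and is not code from this guide or from Sandvine: the connection records, host addresses and the 15-minute logging interval are constructed, and the `Conn`, `interval_stats`, `peak_concurrent` and `hosts_chart` names are the example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Conn:
    """One connection for one protocol, open during [start, end) minutes from the report window start."""
    host: str
    start: int
    end: int


def peak_concurrent(conns: Sequence[Conn], lo: int, hi: int) -> int:
    """Sweep-line count of the most connections open at once inside [lo, hi).
    An end and a start at the same minute are ordered end-first, so a connection that
    starts exactly when another ends does not overlap it (the page's A-then-B example gives 1)."""
    events = []
    for c in conns:
        events.append((max(c.start, lo), +1))
        events.append((min(c.end, hi), -1))
    events.sort()  # (t, -1) sorts before (t, +1)
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def interval_stats(conns: Sequence[Conn], interval_min: int, n_intervals: int) -> List[Dict[str, int]]:
    """For each interval, the counts behind the Connections and Hosts by Protocol charts."""
    out = []
    for i in range(n_intervals):
        lo, hi = i * interval_min, (i + 1) * interval_min
        active = [c for c in conns if c.start < hi and c.end > lo]  # open at any point in the interval
        new = [c for c in active if lo <= c.start < hi]             # started in this interval
        out.append({
            "active": len(active),                          # counted in every interval it spans
            "new": len(new),                                # counted once, where it started
            "peak": peak_concurrent(active, lo, hi),
            "hosts": len({c.host for c in active}),         # a host is counted once per interval
            "new_hosts": len({c.host for c in new}),
        })
    return out


def hosts_chart(conns: Sequence[Conn], logging_min: int, reporting_min: int, n_reporting: int) -> List[int]:
    """The Hosts chart value per reporting interval: the peak of the per-logging-interval
    unique-host counts, not the number of unique hosts over the whole reporting interval."""
    per_report = reporting_min // logging_min
    logged = interval_stats(conns, logging_min, n_reporting * per_report)
    return [max(s["hosts"] for s in logged[i * per_report:(i + 1) * per_report])
            for i in range(n_reporting)]


# Constructed sample: minute offsets inside a 60-minute report window (assumed addresses).
SAMPLE = [
    Conn("10.0.0.1", 0, 5),    # A starts and stops ...
    Conn("10.0.0.2", 5, 10),   # ... then B starts and stops: they never overlap
    Conn("10.0.0.1", 8, 12),   # same host again in the first interval: one host, two connections
    Conn("10.0.0.3", 20, 50),  # spans logging intervals 2, 3 and 4: active in all, new only in 2
]

if __name__ == "__main__":
    for i, s in enumerate(interval_stats(SAMPLE, 15, 4), start=1):
        print(f"15-minute interval {i}: {s}")
    print("Hosts chart, 60-minute reporting interval:", hosts_chart(SAMPLE, 15, 60, 1))
```

`hosts_chart` makes the last Hosts rule concrete: for a 60-minute reporting interval built from four 15-minute logging intervals the sample yields 2 (the busiest logging interval), whereas counting unique hosts directly over the whole hour would give 3.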

Audit Log
Audit Log
Overview
Use the Audit Log report to identify the actions taken by the WDTM for malicious traffic based on the selected networks for the report
period. Each record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to
confirm what actions were taken for a host and when the action was taken.

The following information is presented in the Audit Log report:
Field Description
Host - The IP address of the host under attack.
Audit Time - The time stamp (date and time, in the time zone of the current database) when the action was applied.
Action Taken - The action taken is a malicious traffic mitigation action such as limit-flows-in, limit-flows-out, limit-pattern, reroute,
nullroute, email-alert, shell command and so forth.
State - There are four possible states for a mitigation action:
• Action Begin - action has started for this detection.
• Action End - action has been removed for this detection.
• Reaffirm - action is already in place and has been reaffirmed.
• Negate - multiple malicious detections are being simultaneously mitigated by this action, and one of these
detections has ended. The action remains in place until all of the detections being mitigated have ended. This
only applies to complex rules where the same host has multiple detections.
Detection Confirmation - The time a new host was observed to be exhibiting malicious behaviour, based on the number of events
per unit of time during the period.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.

Interpreting the report


Audit Log
• report is sorted on Audit Time to provide a chronological list of mitigation events.
• sort on the Host field to see if the same host is under multiple attacks.
• examine the Action Taken to identify the mitigation action that was taken.
Drilldowns
Audit Log by Host
To examine all of the audit log entries for a specific host for the reporting period, drilldown uses the host IP address.

Audit Log by Host


Overview
Use the Audit Log by Host report to identify all of the actions taken by the WDTM for a specific host during the reporting period. Each
record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to confirm what
actions were taken for a host and when the action was taken.

The following information is presented in the Audit Log by Host report:
Field Description
Host - The IP address of the host under attack.
Audit Time - The time stamp (date and time, in the time zone of the current database) when the action was applied.
Action Taken - The action taken is a malicious traffic mitigation action such as limit-flows-in, limit-flows-out, limit-pattern, reroute,
nullroute, email-alert, shell command and so forth.
State - There are four possible states for a mitigation action:
• Action Begin - action has started for this detection.
• Action End - action has been removed for this detection.
• Reaffirm - action is already in place and has been reaffirmed.
• Negate - multiple malicious detections are being simultaneously mitigated by this action, and one of these
detections has ended. The action remains in place until all of the detections being mitigated have ended. This
only applies to complex rules where the same host has multiple detections.
Detection Confirmation - The time a new host was observed to be exhibiting malicious behaviour, based on the number of events
per unit of time during the period.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
Specify the list of IP addresses that you wish to view audit logs for.

Interpreting the report


Audit Log
• report is sorted on Audit Time to provide a chronological list of mitigation events.
• examine the Action Taken to identify the mitigation action that was taken.
• examine the Audit Time and State fields to identify when the action was taken and when it was ended.

by Spammer
Bandwidth
Overview
Use the Spam Bandwidth by Spammer report to identify the bandwidth that is being consumed by specific spammers.
The report contains the following two charts:
• Malicious Bandwidth - Stacked area chart identifying the detected malicious bandwidth, measured in bits per second (bps).
• Malicious Packet Rate - Stacked area chart identifying the detected malicious packets, measured in packets per second (pps).
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the spammer host addresses that you wish to analyze.

Interpreting the report


• look for spikes which indicate an increase in the bandwidth being used by a spammer.
• over time, check to see if patterns emerge.

Note: due to the manner in which this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. If you are looking for finer-grained
accuracy, it is generally recommended that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one-week period of time, that reporting interval may be broken up into one-hour
segments within the chart. Let's assume that four consecutive plotted points within the chart formed the
series (4, 5, 17, 5). These values would represent the average rate of events for each particular hour. If
we re-ran the report with a two-week time period, we would find that in this particular time range we
would have fewer bins with lower values. In this example, we would expect to see the following series
of values for the same time points: (4.5, 11). This is caused by the fact that the two-week report must
collapse time bins, which dilutes peak values through averaging.

Message Details
Overview
Use the Spam Message Details by Spammer report to get an overview of spam activity for specific spammers.
The report contains the following three charts:
• Attempted Messages - Stacked bar chart identifying the total number of messages that the spammer attempted to send.
• Recipients - Stacked bar chart identifying the total number of recipients that the spam emails were addressed to.
• Senders - Stacked bar chart identifying the number of unique sender email addresses from which the spammer was sending
spam.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the spammer host addresses that you wish to analyze.

Interpreting the report


• over time, look for patterns. For example, is spam sent at a regular interval (between 9 AM and 5 PM daily, every hour, and
so forth)?
• a large increase in the number of recipients will have the greatest negative impact on the network.

SMTP State
Overview
Use the Spam SMTP State Analysis by Spammer report to find details on the state (or flow) of the session.
The report contains the following three charts:
• SMTP Sessions - Stacked bar chart identifying the total number of sessions initiated.
• SMTP Errors - Stacked bar chart identifying the total number of SMTP errors received from all SMTP servers within all
sessions.
• SMTP Resets - Stacked bar chart identifying the total number of RSET commands issued from the spammer for all sessions.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the spammer host addresses that you wish to analyze.

Interpreting the report


• Sessions and Resets are related. A low number of sessions and a high number of resets indicates a large volume of email being
sent through one connection.
• a high number of errors indicates that invalid email addresses are being used (either the sender or the receiver may be invalid),
which is indicative of a spammer.

Spam Detections
Overview
Use the Spam Attacks by Spammer report to provide detailed information on specific Spam parameters. The parameters that appear on
this report relate directly to spam detection metrics.
Use this report to examine the specific values for a spam attack.
The report contains the following table:
Field Description
Spammer - The IP address of the subscriber.
Network - The network associated with the host IP address.
Active Time - The cumulative time malicious traffic was actually detected during the report period.
Total Recipients - The cumulative total of recipients a subscriber has attempted to send an email to.
Attempted Messages - The cumulative total of email messages a subscriber has attempted to send.
Sessions - The cumulative total of SMTP sessions a subscriber has initiated with all SMTP servers.
Errors - The cumulative total of errors a subscriber has received from all SMTP servers.
Resets - The cumulative total of RSET commands a subscriber has issued during all SMTP sessions.
Unique Recipients - The number of unique recipients discovered per hour that a subscriber has attempted to send email to.
Unique Recipient Domains - The number of unique recipient domains discovered per hour that a subscriber has attempted to send
email to.
Unique Senders - The number of unique sender email addresses discovered per hour that a subscriber has attempted to send email
from.
Unique Sender Domains - The number of unique sender domains discovered per hour that a subscriber has attempted to send email
from.
Unique Servers - The number of unique SMTP servers discovered per hour that a subscriber has connected to.
Unique EHLO Names - The number of unique connection names or IP addresses discovered per hour that a subscriber used when
connecting to an SMTP server.
Bytes - The total number of bytes sent.
Last Detected - The date and time, in the current time zone, that the attack was last detected.
View Audit - If a check mark is present, an action has been applied and there is an audit log with the details. If the check mark is
not present, WDTM is monitoring traffic for this host, but no mitigation actions have been applied. This will happen if a host has
not crossed the rule's high thresholds. In this case, WDTM has identified that this is a real attack, but WDTM has only been
configured to mitigate above specific thresholds.
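The per-subscriber counters in this table can be derived from per-session SMTP records, which is a useful way to understand what each column measures. The following Python example is added here and is not code from this guide or from Sandvine: the session records, subscriber addresses, server addresses and domains are constructed, and the way the "Unique ..." columns are rolled up (the busiest hour's distinct count) is an assumption, since the table only states that they are discovered per hour. The `spam_metrics` and `top_by` names are the example's own; `top_by` also reproduces the ordering used by the Top Spammers by Bytes report.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed SMTP session records (documentation addresses and domains, not real traffic).
# One record per SMTP session a subscriber opened; "messages" lists the (sender, [recipients])
# pairs attempted inside that session.
SESSIONS = [
    {"subscriber": "10.2.0.7", "time": "2024-01-01 09:05:00", "server": "203.0.113.25",
     "ehlo": "mx.example",
     "messages": [("a@x.example", ["u1@y.example", "u2@z.example"]), ("b@x.example", ["u3@y.example"])],
     "errors": 2, "resets": 3, "bytes": 4096},
    {"subscriber": "10.2.0.7", "time": "2024-01-01 10:40:00", "server": "203.0.113.26",
     "ehlo": "relay.example",
     "messages": [("a@x.example", ["u4@y.example"])],
     "errors": 0, "resets": 0, "bytes": 1024},
    {"subscriber": "10.2.0.8", "time": "2024-01-01 09:10:00", "server": "203.0.113.25",
     "ehlo": "pc.example",
     "messages": [("c@w.example", ["u1@y.example"])],
     "errors": 1, "resets": 0, "bytes": 512},
]

UNIQUE_FIELDS = ("Unique Recipients", "Unique Recipient Domains", "Unique Senders",
                 "Unique Sender Domains", "Unique Servers", "Unique EHLO Names")


def domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def spam_metrics(sessions: List[dict]) -> Dict[str, dict]:
    """Cumulative counters per subscriber, plus each 'Unique ...' column as the busiest
    hour's distinct count (an assumption about how 'discovered per hour' is rolled up)."""
    totals: Dict[str, dict] = {}
    hourly: Dict[tuple, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for s in sessions:
        t = totals.setdefault(s["subscriber"], {
            "Sessions": 0, "Errors": 0, "Resets": 0, "Attempted Messages": 0,
            "Total Recipients": 0, "Bytes": 0, "Last Detected": None,
            **{f: 0 for f in UNIQUE_FIELDS}})
        t["Sessions"] += 1
        t["Errors"] += s["errors"]
        t["Resets"] += s["resets"]
        t["Bytes"] += s["bytes"]
        t["Attempted Messages"] += len(s["messages"])                      # one per message, not per recipient
        t["Total Recipients"] += sum(len(rcpts) for _, rcpts in s["messages"])
        when = parse_time(s["time"])
        if t["Last Detected"] is None or when > t["Last Detected"]:
            t["Last Detected"] = when
        h = hourly[(s["subscriber"], when.replace(minute=0, second=0))]  # distinct values per hour
        h["Unique Servers"].add(s["server"])
        h["Unique EHLO Names"].add(s["ehlo"])
        for sender, rcpts in s["messages"]:
            h["Unique Senders"].add(sender.lower())
            h["Unique Sender Domains"].add(domain(sender))
            h["Unique Recipients"].update(r.lower() for r in rcpts)
            h["Unique Recipient Domains"].update(domain(r) for r in rcpts)
    for (sub, _), sets in hourly.items():
        for f in UNIQUE_FIELDS:
            totals[sub][f] = max(totals[sub][f], len(sets[f]))
    return totals


def top_by(metrics: Dict[str, dict], field: str, limit: int = 100) -> List[str]:
    """Subscribers ordered by one column, descending, capped like the Top Spammers reports."""
    return sorted(metrics, key=lambda sub: metrics[sub][field], reverse=True)[:limit]


if __name__ == "__main__":
    m = spam_metrics(SESSIONS)
    for sub in top_by(m, "Total Recipients"):  # the report's default sort order
        print(sub, m[sub])
```

Sorting by Total Recipients, as the report does by default, puts the subscriber addressing the most mailboxes first; sorting the same dictionary by Bytes gives the Top Spammers by Bytes ordering.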

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols and protocol categories that you wish to monitor.

Interpreting the report


• examine total recipients (the default sort order) to see the impact on the network.
• examine the values to determine the severity of the spam infection.
• each entry in the table is one spam detection. One entry may represent a long-lived detection.
• sort by Last Detected to see the most current detection.
Drilldowns
Spam Attacks by Spammer
To view additional information about spam attacks for a specific spammer, drilldown uses the source IP address.
Malicious Bandwidth by Source
To examine the address scan malicious bandwidth for a specific host for the reporting period, drilldown uses the source IP address.
Bandwidth by Subscriber
To examine the bandwidth for a specific subscriber for the reporting period, drilldown uses the source subscriber and is only available if
the source subscriber is known.
Message Details by Spammer
To examine recipient details for the spam attack, drilldown uses the source IP address. This report indicates the number of attempted
messages and recipients.
SMTP State by Spammer
To examine the SMTP state for the spammer, drilldown uses the source IP address.
Malicious Bandwidth by Source
To examine the malicious bandwidth for a specific host for the reporting period, drilldown uses the source IP address.
Audit Log by Detection
To examine the audit log for a specific attack, drilldown uses the attack identification and is only available if the View Audit column is
checked. If the check mark is not present, no actions have been applied and no drilldown is available.

Top Spammers
by Bytes
Use this report to identify the top hosts who are generating the most spam by bytes. By default, the top 100 subscribers are displayed.
This is configurable on the Presentation page.
This report contains the following table:
Field Description
Source IP Address - The IP address of the host that is generating spam.
Network - The network associated with the host.
Bytes - The number of bytes transmitted by the host during the reporting period.

Configuring the report


Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.

Interpreting the report


• hosts generating the highest amount of spam should be investigated.
Drilldowns
Spam Bandwidth by Source IP Address
To examine the malicious bandwidth for a specific host for the reporting period, drill down on the source IP address.

by Bytes Histogram
Use this report to identify the top hosts who are generating the most spam by bytes. By default, the top 100 subscribers are displayed.
This is configurable on the Presentation page.
This report contains the following table:
Field Description
Source IP Address - The IP address of the host that is generating spam.
Network - The network associated with the host.
Bytes - The number of bytes transmitted by the host during the reporting period.

Configuring the report


Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.

Interpreting the report


• hosts generating the highest amount of spam should be investigated.
Drilldowns
Spam Bandwidth by Source IP Address
To examine the malicious bandwidth for a specific host for the reporting period, drill down on the source IP address.

by Detections
Use this report to identify the hosts which are generating the most spam. By default, the top 100 subscribers are displayed. This is
configurable on the Presentation page.
This report contains the following table:
Field Description
Source IP Address - The IP address of the host that is sending spam.
Network - The network associated with the host.
Detections - The number of spam sessions detected during the reporting period.

Configuring the report


Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.

Interpreting the report


• hosts sending the highest amount of spam should be investigated further.
Drilldowns
Spam Bandwidth by Source IP Address
To examine the malicious bandwidth for a specific host for the reporting period, drill down on the source IP address.

by Detections Histogram
Use this report to identify the hosts which are generating the most spam. By default, the top 100 subscribers are displayed. This is
configurable on the Presentation page.
This report contains the following table:
Field Description
Source IP Address - The IP address of the host that is sending spam.
Network - The network associated with the host.
Detections - The number of spam sessions detected during the reporting period.

Configuring the report


Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.

Interpreting the report


• hosts sending the highest amount of spam should be investigated further.
Drilldowns
Spam Bandwidth by Source IP Address
To examine the malicious bandwidth for a specific host for the reporting period, drill down on the source IP address.

Spam
Audit Log
Overview
Use the Audit Log report to identify the actions taken by the WDTM for malicious traffic based on the selected networks for the report
period. Each record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to
confirm what actions were taken for a host and when the action was taken.

The following information is presented in the Audit Log report:
Field Description
Host - The IP address of the host under attack.
Audit Time - The time stamp (date and time, in the time zone of the current database) when the action was applied.
Action Taken - The action taken is a malicious traffic mitigation action such as limit-flows-in, limit-flows-out, limit-pattern, reroute,
nullroute, email-alert, shell command and so forth.
State - There are four possible states for a mitigation action:
• Action Begin - action has started for this detection.
• Action End - action has been removed for this detection.
• Reaffirm - action is already in place and has been reaffirmed.
• Negate - multiple malicious detections are being simultaneously mitigated by this action, and one of these
detections has ended. The action remains in place until all of the detections being mitigated have ended. This
only applies to complex rules where the same host has multiple detections.
Detection Confirmation - The time a new host was observed to be exhibiting malicious behaviour, based on the number of events
per unit of time during the period.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.

Interpreting the report


Audit Log
• report is sorted on Audit Time to provide a chronological list of mitigation events.
• sort on the Host field to see if the same host is under multiple attacks.
• examine the Action Taken to identify the mitigation action that was taken.
Drilldowns
Audit Log by Host
To examine all of the audit log entries for a specific host for the reporting period, drilldown uses the host IP address.

Audit Log by Host


Overview
Use the Audit Log by Host report to identify all of the actions taken by the WDTM for a specific host during the reporting period. Each
record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to confirm what
actions were taken for a host and when the action was taken.

The following information is presented in the Audit Log by Host report:
Field Description
Host - The IP address of the host under attack.
Audit Time - The time stamp (date and time, in the time zone of the current database) when the action was applied.
Action Taken - The action taken is a malicious traffic mitigation action such as limit-flows-in, limit-flows-out, limit-pattern, reroute,
nullroute, email-alert, shell command and so forth.
State - There are four possible states for a mitigation action:
• Action Begin - action has started for this detection.
• Action End - action has been removed for this detection.
• Reaffirm - action is already in place and has been reaffirmed.
• Negate - multiple malicious detections are being simultaneously mitigated by this action, and one of these
detections has ended. The action remains in place until all of the detections being mitigated have ended. This
only applies to complex rules where the same host has multiple detections.
Detection Confirmation - The time a new host was observed to be exhibiting malicious behaviour, based on the number of events
per unit of time during the period.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
Specify the list of IP addresses that you wish to view audit logs for.

Interpreting the report


Audit Log
• report is sorted on Audit Time to provide a chronological list of mitigation events.
• examine the Action Taken to identify the mitigation action that was taken.
• examine the Audit Time and State fields to identify when the action was taken and when it was ended.
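The State transitions described in the Audit Log and Audit Log by Host tables (Action Begin, Reaffirm, Negate, Action End) can be replayed from the rows to recover which actions are still in place for a host, how long an action was applied, and which rows do not fit the expected sequence, which is what the "when the action was taken and when it was ended" check above amounts to. The following Python example is added here and is not code from this guide or from Sandvine: the audit rows, host addresses and times are constructed, and the detection counter (each Action Begin adds one detection covered by the action, Negate removes one, the action stays active while any remain) is an assumption about how the Negate state works for complex rules. The `replay`, `active_actions` and `mitigation_minutes` names are the example's own.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed Audit Log rows in the report's column order: Host, Audit Time, Action Taken, State.
AUDIT_LOG = [
    ("10.1.1.5", "2024-01-01 10:00:00", "limit-flows-out", "Action Begin"),
    ("10.1.1.5", "2024-01-01 10:15:00", "limit-flows-out", "Reaffirm"),
    ("10.1.1.5", "2024-01-01 10:20:00", "limit-flows-out", "Action Begin"),  # second detection, same host (complex rule)
    ("10.1.1.5", "2024-01-01 10:45:00", "limit-flows-out", "Negate"),        # one detection ended, action stays
    ("10.1.1.5", "2024-01-01 11:00:00", "limit-flows-out", "Action End"),
    ("10.1.1.9", "2024-01-01 10:05:00", "nullroute", "Action Begin"),        # still in place at the end of the log
    ("10.1.1.7", "2024-01-01 10:30:00", "email-alert", "Action End"),        # no matching Begin: a data gap
]

Key = Tuple[str, str]  # (host, action)


@dataclass
class ActionState:
    # Assumption: "Action Begin" adds one detection covered by the action, "Negate"
    # removes one, and the action is active while any detection remains.
    detections: int = 0
    begin: Optional[datetime] = None
    reaffirms: int = 0
    windows: List[Tuple[datetime, datetime]] = field(default_factory=list)  # closed (begin, end) periods

    @property
    def active(self) -> bool:
        return self.detections > 0


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def replay(records) -> Tuple[Dict[Key, ActionState], List[str]]:
    """Walk the rows in Audit Time order and rebuild each (host, action) state.
    Returns the states and the rows that break the Begin/Reaffirm/Negate/End contract."""
    states: Dict[Key, ActionState] = defaultdict(ActionState)
    anomalies: List[str] = []
    for host, ts, action, state in sorted(records, key=lambda r: parse_time(r[1])):
        t, st = parse_time(ts), states[(host, action)]
        where = f"{ts} {host} {action}"
        if state == "Action Begin":
            if not st.active:
                st.begin = t
            st.detections += 1
        elif state == "Reaffirm":
            if not st.active:
                anomalies.append(f"{where}: Reaffirm with no active action")
            st.reaffirms += 1
        elif state == "Negate":
            if st.detections > 1:
                st.detections -= 1
            else:
                anomalies.append(f"{where}: Negate on an action covering at most one detection")
        elif state == "Action End":
            if st.active:
                st.windows.append((st.begin, t))
                st.detections = 0
            else:
                anomalies.append(f"{where}: Action End with no active action")
        else:
            anomalies.append(f"{where}: unknown state {state!r}")
    return dict(states), anomalies


def active_actions(records) -> List[str]:
    """Host/action pairs still mitigated at the end of the log."""
    states, _ = replay(records)
    return sorted(f"{h} {a}" for (h, a), st in states.items() if st.active)


def mitigation_minutes(records, host: str, action: str) -> float:
    """Total minutes the action was in place for the host, summed over its closed windows."""
    states, _ = replay(records)
    st = states.get((host, action))
    return 0.0 if st is None else sum((e - b).total_seconds() / 60 for b, e in st.windows)


if __name__ == "__main__":
    _, anomalies = replay(AUDIT_LOG)
    print("still active:", active_actions(AUDIT_LOG))
    print("10.1.1.5 limit-flows-out minutes:", mitigation_minutes(AUDIT_LOG, "10.1.1.5", "limit-flows-out"))
    for a in anomalies:
        print("anomaly:", a)
```

On the constructed rows the 10.1.1.5 action runs from the first Action Begin to the Action End (60 minutes) even though a second detection began and was negated in between, the nullroute on 10.1.1.9 is reported as still active, and the Action End for 10.1.1.7 with no preceding Begin is flagged rather than silently counted.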

Bandwidth
Overview
Use the Spam Bandwidth by Spammer report to identify the bandwidth that is being consumed by specific spammers.
The report contains the following two charts:
• Malicious Bandwidth - Stacked area chart identifying the detected malicious bandwidth, measured in bits per second (bps).
• Malicious Packet Rate - Stacked area chart identifying the detected malicious packets, measured in packets per second (pps).
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the spammer host addresses that you wish to analyze.

Interpreting the report


• look for spikes which indicate an increase in the bandwidth being used by a spammer.
• over time, check to see if patterns emerge.

Note: due to the manner in which this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. If you are looking for finer-grained
accuracy, it is generally recommended that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one-week period of time, that reporting interval may be broken up into one-hour
segments within the chart. Let's assume that four consecutive plotted points within the chart formed the
series (4, 5, 17, 5). These values would represent the average rate of events for each particular hour. If
we re-ran the report with a two-week time period, we would find that in this particular time range we
would have fewer bins with lower values. In this example, we would expect to see the following series
of values for the same time points: (4.5, 11). This is caused by the fact that the two-week report must
collapse time bins, which dilutes peak values through averaging.
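The bin collapse described in this note, and in the identical notes in the Bandwidth by Protocol and Spam Bandwidth by Spammer sections earlier on this page, can be reproduced directly so that the effect on a short spike is visible before a report interval is chosen. The following Python example is added here and is not code from this guide or from Sandvine: the hourly series (4, 5, 17, 5) is the note's own, the 24-hour spike series is constructed, and the `rebin` and `peak_dilution` names are the example's own. It also shows a max-based collapse for comparison, which is not what the report does.

```python
from typing import List, Sequence

# The note's four one-hour bins from a one-week report.
HOURLY = [4, 5, 17, 5]

# Constructed: one quiet day with a single one-hour burst of 100 events/hour in the last hour.
DAY_WITH_SPIKE = [0] * 23 + [100]


def rebin(series: Sequence[float], factor: int, how: str = "mean") -> List[float]:
    """Collapse each run of `factor` consecutive bins into one.

    how="mean" is what the note describes: the wider report averages the bins it
    merges, so a one-hour peak is diluted.  how="max" is a peak-preserving
    alternative included only for comparison.  A trailing partial run is
    averaged over the points it actually has.
    """
    if factor < 1:
        raise ValueError("factor must be >= 1")
    out: List[float] = []
    for i in range(0, len(series), factor):
        group = series[i:i + factor]
        out.append(sum(group) / len(group) if how == "mean" else max(group))
    return out


def peak_dilution(series: Sequence[float], factor: int) -> float:
    """Fraction of the true peak still visible after mean-rebinning (1.0 = nothing lost)."""
    return max(rebin(series, factor)) / max(series)


if __name__ == "__main__":
    print("one-week report, 1 h bins :", HOURLY)
    print("two-week report, 2 h bins :", rebin(HOURLY, 2))           # [4.5, 11.0]
    print("same bins, max instead    :", rebin(HOURLY, 2, "max"))    # [5, 17]
    for factor in (1, 2, 4, 8):
        print(f"{factor} h bins keep {peak_dilution(DAY_WITH_SPIKE, factor):.0%} of the spike")
```

Doubling the report span halves the visible height of a one-hour spike, quadrupling it leaves a quarter, which is the reason the note recommends a shorter interval when looking for short-lived peaks.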

Malicious Bandwidth
Overview
Use the Malicious Bandwidth report to identify the malicious bandwidth detected across the selected networks for the report period. Use
this report to examine the total malicious bandwidth for selected protocols and to see how much of this bandwidth was mitigated by the
WDTM.
The report contains the following four charts:
• Malicious Bandwidth - Stacked area chart showing the detected malicious bandwidth, broken down by traffic type.
• Mitigated Bandwidth - Stacked area chart showing the detected malicious bandwidth that was mitigated by the WDTM, broken
down by traffic type. Malicious bandwidth that is detected and managed by actions that do not drop packets is not shown on this
chart.
• Malicious Packet Rate - Stacked area chart showing the detected malicious packet rate, broken down by traffic type.
• Mitigated Packet Rate - Stacked area chart showing the detected malicious packets that were mitigated by the WDTM, broken
down by traffic type. Malicious traffic that is detected and managed by actions that do not drop packets is not shown on this
chart.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
for the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.

Interpreting the report


Malicious Bandwidth
• look for consistently high bandwidth. This may indicate ongoing background activity on the network.
• look for spikes as this may indicate a new occurrence that requires mitigation.
• use this chart to see the history of malicious traffic and to determine what is "steady state", and what is a change that
requires further investigation.
Mitigated Bandwidth
• use this chart to verify existing WDTM thresholds with respect to the overall mitigation strategy.
Malicious Packet Rate
• look for spikes which may indicate that multiple new users are infected.
• use this chart to see the history of malicious traffic and to determine what is "steady state", and what is a change that
requires further investigation.
Mitigated Packet Rate
• use this chart to verify existing WDTM thresholds with respect to the overall mitigation strategy.

Note: because this data is presented as a running average, peak values may appear to scale depending on the configured
time interval for the report. If you are looking for higher-grain accuracy, run the report for a shorter interval of time. The
scaling issue results from peak values being diluted over the interval of the report. For example, if you chose to report on
data for a one-week period, that reporting interval may be broken up into one-hour segments within the chart. Let's assume
that four consecutive plotted points within the chart had the series (4, 5, 17, 5). These values would represent the average
rate of events for each hour. If we re-ran the report with a two-week time period, we would find that the same time range
has fewer bins with lower values: in this example, we would expect to see the series (4.5, 11) for the same time points. This
is because the two-week report must collapse time bins, which dilutes peak values through averaging.

Malicious Hosts
Overview
Use the Malicious Hosts report to identify the malicious hosts detected across the selected networks for the report period. Use this report
to examine the total malicious hosts for selected protocols and to see how many of the hosts were mitigated by the WDTM.
The report contains the following two charts:
• Malicious Hosts - Stacked area chart showing the detected malicious hosts, broken down by traffic type.
• Mitigated Hosts - Stacked area chart showing the detected malicious hosts that were mitigated by the WDTM, broken down by
traffic type. Malicious hosts that are detected and managed by actions that do not drop packets are not shown on this chart.
Configuring the report
Select a time period and the elements you wish to monitor for malicious hosts. You can build virtual clusters of Sandvine elements using
the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.

Interpreting the report


Malicious Hosts
• look for spikes which may show that multiple new users are infected.
• use this report to see the history of malicious hosts to determine what is "steady state" and what is a change that requires
further investigation.
Mitigated Hosts
• use this chart to verify existing WDTM thresholds with respect to the overall mitigation strategy.

Note: these charts display raw count totals. As a result, the reports can appear to show different peak values, which is caused
by the scaling of these values over different time intervals. For example, if you chose to report on data for a one-week
period, that reporting interval may be broken up into one-hour segments within the chart. Let's assume that four consecutive
plotted points within the chart had the series (4, 7, 13, 17). These values would represent the total number of events for
each hour. If we re-ran the report with a two-week time period, we would find that the same time range has fewer bins but
with higher values: in this example, we would expect to see the series (11, 30) for the same time points. This is because the
two-week report must collapse time bins, which in turn stacks (sums) the resulting bin values.
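As an added illustration (not part of the Sandvine guide) of the notes on averaged rate charts and on raw-count charts, the following Python re-bins a series both ways using the series quoted in the notes; the function names and the peak-visibility measure are this example's own.

```python
from statistics import mean


def rebin(series, factor, kind):
    """Collapse every `factor` consecutive bins of `series` into one bin.

    kind="rate"  -> a collapsed bin is the mean of its members, which is how
                    a bps/pps (running-average) chart behaves and why peaks
                    are diluted on a longer report period.
    kind="count" -> a collapsed bin is the sum of its members, which is how a
                    raw-count chart (hosts, detections) behaves and why
                    values appear higher on a longer report period.
    A trailing partial group is collapsed the same way, so a rate series
    never invents traffic and a count series never loses events.
    """
    if factor < 1:
        raise ValueError("factor must be >= 1")
    if kind not in ("rate", "count"):
        raise ValueError("kind must be 'rate' or 'count'")
    combine = mean if kind == "rate" else sum
    return [combine(series[i:i + factor]) for i in range(0, len(series), factor)]


def peak_visibility(series, factor):
    """Fraction of the original peak rate still visible after collapsing bins.

    1.0 means the peak survives intact; 11/17 for the guide's example means
    the two-week chart shows only about 65% of the one-week peak.
    """
    original = max(series)
    if original == 0:
        return 1.0
    return max(rebin(series, factor, "rate")) / original


def widest_interval_keeping_peak(series, min_visibility, max_factor=24):
    """Largest collapse factor whose peak_visibility is still >= min_visibility.

    This turns the guide's advice ("run a shorter interval for higher-grain
    accuracy") into a number: how far bins can be merged before the spike
    you are looking for is averaged away.
    """
    best = 1
    for factor in range(1, max_factor + 1):
        if peak_visibility(series, factor) >= min_visibility:
            best = factor
    return best


# Series quoted in the notes (hourly bins of a one-week report).
RATE_SERIES = [4, 5, 17, 5]     # Malicious Bandwidth / Packet Rate (averages)
COUNT_SERIES = [4, 7, 13, 17]   # Malicious Hosts (raw counts)

if __name__ == "__main__":
    print("rate  1-week:", RATE_SERIES, "-> 2-week:", rebin(RATE_SERIES, 2, "rate"))
    print("count 1-week:", COUNT_SERIES, "-> 2-week:", rebin(COUNT_SERIES, 2, "count"))
    print("peak visible at 2x:", round(peak_visibility(RATE_SERIES, 2), 2))
```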

Message Details
Overview
Use the Spam Message Details by Spammer report to get an overview of spam activity for specific spammers.
The report contains the following three charts:
• Attempted Messages - Stacked bar chart identifying the total number of messages that the spammer attempted to send.
• Recipients - Stacked bar chart identifying the total number of recipients that the spam emails were addressed to.
• Senders - Stacked bar chart identifying the number of unique sender email addresses from which the spammer was sending
spam.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the spammer host addresses that you wish to analyze.

Interpreting the report


• over time, look for patterns. For example, is spam sent at a regular interval (such as between 9 AM and 5 PM daily), or every hour,
and so forth.
• a large increase in the number of recipients will have the greatest negative impact on the network.

SMTP State
Overview
Use the Spam SMTP State Analysis by Spammer report to find details on the state (or flow) of the session.
The report contains the following three charts:
• SMTP Sessions - Stacked bar chart identifying the total number of sessions initiated.
• SMTP Errors - Stacked bar chart identifying the total number of SMTP errors received from all SMTP servers within all
sessions.
• SMTP Resets - Stacked bar chart identifying the total number of RSET commands issued from the spammer for all sessions.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the spammer host addresses that you wish to analyze.

Interpreting the report


• Sessions and Resets are related. A low number of sessions and a high number of resets indicates a large volume of email being sent
through one connection.
• a high number of errors indicates that invalid email addresses are being used (either the sender or the receiver may be invalid),
which is indicative of a spammer.

Spam Detection Details
Overview
Use the Spam Attack Details report to get comprehensive details on the metrics collected for attacks by the selected spammer. Note
that this report consists of two tables: Spam Attack Thresholds and Spam Attack Details. The Thresholds table indicates the threshold set
for each metric. The Attack Details table displays the value of each metric. Any value shown in red exceeds its threshold.
The report contains the following fields:
• Spammer - The IP address of the subscriber.
• Network - The network associated with the host IP address.
• Logtime - Date and time, in the current time zone, when the data was entered.

The following fields are accumulated totals. Note that these values cannot be compared with the threshold values, which are rates per
hour, so red values should never appear in these columns.
• Bytes - The bandwidth used by the attack.
• Packets - The number of packets used by the attack.
• Total Recipients - The number of recipient email addresses a subscriber has attempted to send email to.
• Attempted Messages - The number of messages a subscriber has attempted to send.
• Sessions - Total number of SMTP sessions a subscriber has initiated with all SMTP servers.
• Errors - Total number of errors a subscriber has received from all SMTP servers.
• Resets - Total number of RSET commands a subscriber has issued during all SMTP sessions.

The following values are rates per hour and should be compared with the thresholds.
• Unique Recipients - Total number of unique recipients a subscriber has attempted to send email to.
• Unique Recipient Domains - Total number of unique recipient domains a subscriber has attempted to send email to.
• Unique Senders - Total number of unique sender email addresses a subscriber has attempted to send email from.
• Unique Sender Domains - Total number of unique sender email domains a subscriber has attempted to send email from.
• Unique EHLO Names - Total number of unique connection names or IP addresses used by a subscriber when connecting to an SMTP
server.

The following values are rates per period and should be compared with the thresholds. A period is 5 minutes in duration.
• Recipients per Sample Period - Total number of unique recipients a subscriber has attempted to send email to per sample period.
• Attempted Messages per Sample Period - Total number of email messages a subscriber has attempted to send per sample period.
• Sessions per Sample Period - Total number of SMTP sessions a subscriber has initiated with all SMTP servers per sample period.
• Server per Sample Period - Total number of unique servers a subscriber has connected to per sample period.

The following values are comparisons of like metrics and can be compared with the thresholds.
• Total Recipients per Unique Recipient - Total number of recipient email addresses a subscriber has attempted to send email to for
every unique recipient email address.
• Total Senders per Unique Sender - Total number of sender email addresses a subscriber has attempted to send from for every unique
sender email address.
• Attempted Messages per Successful - Total number of email messages a subscriber has attempted to send for every successfully sent
email.

Configuring the report


You must first run the Spam Attacks by Spammer report in order to drill down to this report for a particular attack by a spammer.

Interpreting the report


• an understanding of the thresholds that are in place is critical to interpreting this report.
• use this report to identify exactly what thresholds a subscriber has exceeded to be deemed a spammer.
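The grouping of fields described above can be checked mechanically. The following Python, added here and not part of the Sandvine product, encodes which metrics of the Spam Attack Details table are compared against the Spam Attack Thresholds table and flags the ones that would be shown in red; the threshold and detail values are constructed sample data.

```python
# Field groups as laid out in the report description.
TOTALS = {
    "Bytes", "Packets", "Total Recipients", "Attempted Messages",
    "Sessions", "Errors", "Resets",
}
PER_HOUR = {
    "Unique Recipients", "Unique Recipient Domains", "Unique Senders",
    "Unique Sender Domains", "Unique EHLO Names",
}
PER_PERIOD = {
    "Recipients per Sample Period", "Attempted Messages per Sample Period",
    "Sessions per Sample Period", "Server per Sample Period",
}
RATIOS = {
    "Total Recipients per Unique Recipient", "Total Senders per Unique Sender",
    "Attempted Messages per Successful",
}
IDENTITY = {"Spammer", "Network", "Logtime"}
COMPARABLE = PER_HOUR | PER_PERIOD | RATIOS


def classify(metric):
    """Name the group a field belongs to, or 'unknown' for a field not in the report."""
    for name, group in (("identity", IDENTITY), ("total", TOTALS), ("per-hour", PER_HOUR),
                        ("per-period", PER_PERIOD), ("ratio", RATIOS)):
        if metric in group:
            return name
    return "unknown"


def exceeded_thresholds(details, thresholds):
    """Return {metric: (value, threshold)} for every comparable metric over its threshold.

    `details` is one row of the Spam Attack Details table and `thresholds` the
    Spam Attack Thresholds table, both as dicts keyed by field name. Totals are
    never compared, even if a threshold is (wrongly) supplied for them, so they
    can never come back "red"; a comparable metric without a configured
    threshold is skipped as well.
    """
    red = {}
    for metric, value in details.items():
        if metric not in COMPARABLE or metric not in thresholds:
            continue
        limit = thresholds[metric]
        if value > limit:
            red[metric] = (value, limit)
    return red


def explain(details, thresholds):
    """One line per metric: group, value, threshold (if any) and whether it is red."""
    red = exceeded_thresholds(details, thresholds)
    lines = []
    for metric, value in details.items():
        group = classify(metric)
        if group in ("identity", "unknown"):
            continue
        limit = "not compared" if group == "total" else thresholds.get(metric, "-")
        flag = "RED" if metric in red else "ok"
        lines.append(f"{metric:40} {group:10} {value!s:>10} {limit!s:>14} {flag}")
    return lines


# Constructed sample data (not from a real deployment); 192.0.2.0/24 is a
# documentation address range.
SAMPLE_THRESHOLDS = {
    "Unique Recipients": 500, "Unique Recipient Domains": 100, "Unique Senders": 20,
    "Sessions per Sample Period": 50, "Attempted Messages per Successful": 10,
    "Bytes": 1,  # a threshold on an accumulated total is ignored by design
}
SAMPLE_DETAILS = {
    "Spammer": "192.0.2.23", "Network": "internal", "Logtime": "2024-03-04 09:15:00",
    "Bytes": 4_200_000, "Packets": 31_000, "Total Recipients": 12_400,
    "Attempted Messages": 9_800, "Sessions": 320, "Errors": 140, "Resets": 60,
    "Unique Recipients": 1_150, "Unique Recipient Domains": 85, "Unique Senders": 42,
    "Unique Sender Domains": 3, "Unique EHLO Names": 1,
    "Recipients per Sample Period": 96, "Attempted Messages per Sample Period": 80,
    "Sessions per Sample Period": 12, "Server per Sample Period": 4,
    "Total Recipients per Unique Recipient": 10.8, "Total Senders per Unique Sender": 1.0,
    "Attempted Messages per Successful": 14.2,
}

if __name__ == "__main__":
    print("\n".join(explain(SAMPLE_DETAILS, SAMPLE_THRESHOLDS)))
```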

Spam Detections
Overview
Use the Spam Attacks by Spammer report to get detailed information on specific spam parameters. The parameters that appear on this
report relate directly to the spam detection metrics.
Use this report to examine the specific values for a spam attack.
The report contains the following table:
• Spammer - The IP address of the subscriber.
• Network - The network associated with the host IP address.
• Active Time - The cumulative time malicious traffic was actually detected during the report period.
• Total Recipients - The cumulative total of recipients a subscriber has attempted to send an email to.
• Attempted Messages - The cumulative total email messages a subscriber has attempted to send.
• Sessions - The cumulative total SMTP sessions a subscriber has initiated with all SMTP servers.
• Errors - The cumulative total errors a subscriber has received from all SMTP servers.
• Resets - The cumulative total RSET commands a subscriber has issued during all SMTP sessions.
• Unique Recipients - The number of unique recipients discovered per hour that a subscriber has attempted to send email to.
• Unique Recipient Domains - The number of unique recipient domains discovered per hour that a subscriber has attempted to send
email to.
• Unique Senders - The number of unique sender email addresses discovered per hour that a subscriber has attempted to send email
from.
• Unique Sender Domains - The number of unique sender domains discovered per hour that a subscriber has attempted to send email
from.
• Unique Servers - The number of unique SMTP servers discovered per hour that a subscriber has connected to.
• Unique EHLO Names - The number of unique connection names or IP addresses discovered per hour that a subscriber used when
connecting to an SMTP server.
• Bytes - The total number of bytes sent.
• Last Detected - The date and time in the current time zone that the attack was last detected.
• View Audit - If a check mark is present, an action has been applied and there is an audit log on the details. If the check mark is
not present, WDTM is monitoring traffic for this host, but no mitigation actions have been applied. This will happen if a host has
not crossed the rule's high thresholds. In this case, WDTM has identified that this is a real attack, but WDTM has only been
configured to mitigate above specific thresholds.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols and protocol categories that you wish to monitor.

Interpreting the report


• examine Total Recipients (the default sort order) to see the impact on the network.
• examine the values to determine the severity of the spam infection.
• each entry in the table is one spam detection. One entry may represent a long-lived detection.
• sort by Last Detected to see the most current detection.
Drilldowns
Spam Attacks by Spammer
To view additional information about spam attacks for a specific spammer, drilldown uses the source IP address.
Malicious Bandwidth by Source
To examine the address scan malicious bandwidth for a specific host for the reporting period, drilldown uses the source IP address.
Bandwidth by Subscriber
To examine the bandwidth for a specific subscriber for the reporting period, drilldown uses the source subscriber and is only available if
the source subscriber is known.
Message Details by Spammer
To examine recipient details for the spam attack, drilldown uses the source IP address. This report indicates the number of attempted
messages and recipients.
SMTP State by Spammer
To examine the SMTP state for the spammer, drilldown uses the source IP address.
Malicious Bandwidth by Source
To examine the user bandwidth malicious bandwidth for a specific host for the reporting period, drilldown uses the source IP address.
Audit Log by Detection
To examine the audit log for a specific attack, drilldown uses the attack identification and is only available if the View Audit column is
checked. If the check mark is not present, no actions have been applied and no drilldown is available.

Spammer Contribution
Overview
Use the Spammer Contribution report to compare the total email traffic with that which was detected as being spam for the reporting
period. Use this report to see how much of the email traffic on the network is actually spam.
The report contains the following chart:
• Spammer Contribution - Overlaid area chart identifying the detected email and spam-based traffic.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.

Interpreting the report


• look for large spikes which may indicate a new attack that warrants further investigation.
• use this report to ascertain what is spam background traffic on the network.

Top Spammers
Overview
Use the Top Spammers report to identify the top N subscribers who are sending spam (default is top 100).
The report contains the following table:
• Spammer - The IP address of the subscriber.
• Network - The network subnet associated with the host IP address.
• Active Time - Cumulative time malicious traffic was actually detected during the report period.
• Total Recipients - Total number of recipients a subscriber has attempted to send email to.
• Attempted Messages - Total number of email messages a subscriber has attempted to send.
• Sessions - The total number of SMTP sessions a subscriber has initiated with all SMTP servers.
• Bytes - The number of bytes sent.
• Last Detected - The date and time in the current time zone that the attack was last detected.
• View Audit - If a check mark is present, an action has been applied and there is an audit log on the details. If the check mark is
not present, WDTM is monitoring traffic for this host, but no mitigation actions have been applied. This will happen if a host has
not crossed the rule's high thresholds. In this case, WDTM has identified that this is a real attack, but WDTM has only been
configured to mitigate above specific thresholds.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols and protocol categories that you wish to monitor.

Interpreting the report


• each spammer will appear on this report once.
• table is sorted by default on the Recipients field. The number of recipients can have the greatest impact on the network.
• sort on Bytes to see which spammer is using the most bandwidth.
• examine the View Audit column to see which attacks have not been mitigated and may require mitigation.
Drilldowns
Spam Attacks by Spammer
To view additional information about spam attacks for a specific spammer, drilldown uses the source IP address.
Malicious Bandwidth by Source
To examine the address scan malicious bandwidth for a specific host for the reporting period, drilldown uses the source IP address.
Bandwidth by Subscriber
To examine the bandwidth for a specific subscriber for the reporting period, drilldown uses the source subscriber and is only available if
the source subscriber is known.
Message Details by Spammer
To examine recipient details for the spam attack, drilldown uses the source IP address. This report indicates the number of attempted
messages and recipients.
SMTP State by Spammer
To examine the SMTP state for the spammer, drilldown uses the source IP address.
Malicious Bandwidth by Source
To examine the user bandwidth malicious bandwidth for a specific host for the reporting period, drilldown uses the source IP address.
Audit Log by Detection
To examine the audit log for a specific attack, drilldown uses the attack identification and is only available if the View Audit column is
checked. If the check mark is not present, no actions have been applied and no drilldown is available.

Audit Log
Audit Log
Overview
Use the Audit Log report to identify the actions taken by the WDTM for malicious traffic based on the selected networks for the report
period. Each record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to
confirm what actions were taken for a host and when the action was taken.

The following information is presented in the Audit Log report:


• Host - The IP address of the host under attack.
• Audit Time - The time stamp (date and time in the time zone of the current database) when the action was applied.
• Action Taken - The action taken will be a malicious traffic mitigation action such as limit-flows-in, limit-flows-out, limit-pattern,
reroute, nullroute, email-alert, shell command and so forth.
• State - There are four possible states for a mitigation action:
  • Begin - action has started for this detection.
  • End - action has been removed for this detection.
  • Reaffirm - action is already in place and reaffirmed.
  • Negate - multiple malicious detections are being simultaneously mitigated by this action, and one of these detections has
  ended. The action remains in place until all of the detections being mitigated have ended. This only applies to complex rules
  where the same host has multiple detections.
• Attack Confirmation - The time a new host was observed to be exhibiting malicious behaviour, based on the number of events per
unit of time during the period.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.

Interpreting the report


Audit Log
• report is sorted on Audit Time to provide a chronological list of mitigation events.
• sort on the Host field to see if the same host is under multiple attacks.
• examine the Action Taken to identify the mitigation action that was taken.
Drilldowns
Audit Log by Host
To examine all of the audit log entries for a specific host for the reporting period, drilldown uses the host IP address.

Audit Log by Host


Overview
Use the Audit Log by Host report to identify all of the actions taken by the WDTM for a specific host during the reporting period. Each
record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to confirm what
actions were taken for a host and when the action was taken.

The following information is presented in the Audit Log by Host report:


• Host - The IP address of the host under attack.
• Audit Time - The time stamp (date and time in the time zone of the current database) when the action was applied.
• Action Taken - The action taken will be a malicious traffic mitigation action such as limit-flows-in, limit-flows-out, limit-pattern,
reroute, nullroute, email-alert, shell command and so forth.
• State - There are four possible states for a mitigation action:
  • Action Begin - action has started for this detection.
  • Action End - action has been removed for this detection.
  • Reaffirm - action is already in place and reaffirmed.
  • Negate - multiple malicious detections are being simultaneously mitigated by this action, and one of these detections has
  ended. The action remains in place until all of the detections being mitigated have ended. This only applies to complex rules
  where the same host has multiple detections.
• Attack Confirmation - The time a new host was observed to be exhibiting malicious behaviour, based on the number of events per
unit of time during the period.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
Specify the list of IP addresses that you wish to view audit logs for.

Interpreting the report


Audit Log
• report is sorted on Audit Time to provide a chronological list of mitigation events.
• examine the Action Taken to identify the mitigation action that was taken.
• examine the Audit Time and State fields to identify when the action was taken and when it was ended.
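To make the four State values concrete, the following Python (an added example, not Sandvine's code) replays a constructed set of audit records for two hosts and works out, per host and action, when mitigation started, when it ended, and whether a Negate left it in place; the tab-separated record format and the treatment of a second Begin as a second detection under the same action are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# The by-Host report labels the first two states "Action Begin"/"Action End";
# treat them as the same states as "Begin"/"End".
STATE_ALIASES = {"Action Begin": "Begin", "Action End": "End"}


@dataclass
class ActionStatus:
    host: str
    action: str
    started: datetime
    ended: Optional[datetime] = None
    active_detections: int = 1   # detections this action is currently mitigating
    reaffirmed: int = 0

    @property
    def in_place(self):
        return self.ended is None


def parse_records(lines):
    """Parse constructed tab-separated lines: audit_time, host, action_taken, state."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        audit_time, host, action, state = line.split("\t")
        records.append((datetime.strptime(audit_time, "%Y-%m-%d %H:%M:%S"), host, action, state))
    return sorted(records, key=lambda r: r[0])   # same order as the report's default sort


def replay(records):
    """Apply the State transitions to each (host, action) pair and return the result.

    Begin    -> the action starts; a further Begin while it is in place is taken
                here (an assumption, not stated by the guide) to be a second
                detection mitigated by the same action under a complex rule.
    Reaffirm -> the action is already in place; count it and keep going.
    Negate   -> one of several detections ended; the action stays in place.
    End      -> the action is removed; record the end time.
    Transitions that make no sense (Reaffirm, Negate or End with nothing in
    place) raise, because they indicate a gap in the log, not a valid state.
    """
    status = {}
    for audit_time, host, action, state in records:
        state = STATE_ALIASES.get(state, state)
        key = (host, action)
        cur = status.get(key)
        live = cur is not None and cur.in_place
        if state == "Begin":
            if live:
                cur.active_detections += 1
            else:
                status[key] = ActionStatus(host, action, audit_time)
        elif state in ("Reaffirm", "Negate", "End"):
            if not live:
                raise ValueError(f"{state} for {key} at {audit_time} with no action in place")
            if state == "Reaffirm":
                cur.reaffirmed += 1
            elif state == "Negate":
                cur.active_detections -= 1
            else:
                cur.ended = audit_time
                cur.active_detections = 0
        else:
            raise ValueError(f"unknown State {state!r} for {key} at {audit_time}")
    return status


def still_in_place(status):
    """(host, action) pairs whose mitigation has not been ended."""
    return sorted(key for key, s in status.items() if s.in_place)


def hosts_with_multiple_actions(status):
    """Hosts that appear with more than one distinct action (the sort-by-Host check)."""
    per_host = {}
    for host, action in status:
        per_host.setdefault(host, set()).add(action)
    return sorted(h for h, actions in per_host.items() if len(actions) > 1)


# Constructed sample records; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    "2024-03-04 09:00:00\t192.0.2.10\tlimit-flows-out\tBegin",
    "2024-03-04 09:05:00\t192.0.2.10\tlimit-flows-out\tReaffirm",
    "2024-03-04 09:10:00\t192.0.2.10\tlimit-flows-out\tBegin",        # second detection
    "2024-03-04 09:15:00\t192.0.2.10\temail-alert\tAction Begin",
    "2024-03-04 09:20:00\t192.0.2.10\tlimit-flows-out\tNegate",       # first detection ended
    "2024-03-04 09:30:00\t192.0.2.10\temail-alert\tAction End",
    "2024-03-04 09:40:00\t192.0.2.10\tlimit-flows-out\tEnd",
    "2024-03-04 09:45:00\t198.51.100.7\tnullroute\tBegin",
]

if __name__ == "__main__":
    result = replay(parse_records(SAMPLE_LOG))
    for key, s in result.items():
        print(key, "started", s.started, "ended", s.ended, "reaffirmed", s.reaffirmed)
    print("still in place:", still_in_place(result))
```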

Top Talkers
by Bytes
Use this report to identify the hosts that have received the most SYN flood data by bytes. By default, the top 100 subscribers are
displayed. This is configurable on the Presentation page.
This report contains the following table:
• Destination IP Address - The IP address of the host that is under attack.
• Network - The network associated with the host.
• Bytes - The number of bytes received by the host during the reporting period.

Configuring the report


Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.

Interpreting the report


• hosts receiving the highest number of bytes should be investigated further.
• sort the report by Network to determine if a specific network is under attack.
Drilldowns
Malicious Bandwidth by Destination
To examine the SYN flood malicious bandwidth for a specific host for the reporting period, drilldown uses the destination IP address.

by Bytes Histogram
Use this report to identify the hosts that have received the most SYN flood data by bytes. By default, the top 10 subscribers are
displayed. This is configurable on the Presentation page.
This report contains the following chart:
• SYN Flood Top Talkers by Bytes Histogram - histogram chart identifying the top hosts that are receiving SYN flood
malicious bandwidth.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.

Interpreting the report


• hosts receiving the highest number of bytes should be investigated further.
• sort the report by Network to determine if a specific network is under attack.

by Detections
Use this report to identify the hosts that have received the most SYN flood attacks. By default, the top 100 subscribers are displayed.
This is configurable on the Presentation page.
This report contains the following table:
• Destination IP Address - The IP address of the host that is under attack.
• Network - The network associated with the host.
• Detections - The number of SYN flood detections during the reporting period.

Configuring the report


Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.

Interpreting the report


• hosts receiving the highest number of detections should be investigated further.
• sort the report by Network to determine if a specific network is under attack.

Drilldowns
Malicious Bandwidth by Destination
To examine the SYN flood malicious bandwidth for a specific host for the reporting period, drilldown uses the destination IP address.

by Detections Histogram
Use this report to identify the hosts which have received the most SYN flood attacks. By default, the top 10 subscribers are displayed. This
is configurable on the Presentation page.
This report contains the following chart:
• SYN Flood Top Talkers by Detections Histogram - histogram chart identifying the top hosts that are receiving SYN flood
attacks.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.

Interpreting the report


• hosts receiving the highest number of detections should be investigated further.
• sort the report by Network to determine if a specific network is under attack.

SYN Flood Detections


Audit Log
Overview
Use the Audit Log report to identify the actions taken by the WDTM for malicious traffic based on the selected networks for the report
period. Each record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to
confirm what actions were taken for a host and when the action was taken.

The following information is presented in the Audit Log report:


• Host - The IP address of the host under attack.
• Audit Time - The time stamp (date and time in the time zone of the current database) when the action was applied.
• Action Taken - The action taken will be a malicious traffic mitigation action such as limit-flows-in, limit-flows-out, limit-pattern,
reroute, nullroute, email-alert, shell command and so forth.
• State - There are four possible states for a mitigation action:
  • Begin - action has started for this detection.
  • End - action has been removed for this detection.
  • Reaffirm - action is already in place and reaffirmed.
  • Negate - multiple malicious detections are being simultaneously mitigated by this action, and one of these detections has
  ended. The action remains in place until all of the detections being mitigated have ended. This only applies to complex rules
  where the same host has multiple detections.
• Attack Confirmation - The time a new host was observed to be exhibiting malicious behaviour, based on the number of events per
unit of time during the period.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.

Interpreting the report


Audit Log
• report is sorted on Audit Time to provide a chronological list of mitigation events.
• sort on the Host field to see if the same host is under multiple attacks.
• examine the Action Taken to identify the mitigation action that was taken.
Drilldowns
Audit Log by Host
To examine all of the audit log entries for a specific host for the reporting period, drilldown uses the host IP address.

Audit Log by Host


Overview
Use the Audit Log by Host report to identify all of the actions taken by the WDTM for a specific host during the reporting period. Each
record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to confirm what
actions were taken for a host and when the action was taken.

The following information is presented in the Audit Log by Host report:


• Host - The IP address of the host under attack.
• Audit Time - The time stamp (date and time in the time zone of the current database) when the action was applied.
• Action Taken - The action taken will be a malicious traffic mitigation action such as limit-flows-in, limit-flows-out, limit-pattern,
reroute, nullroute, email-alert, shell command and so forth.
• State - There are four possible states for a mitigation action:
  • Action Begin - action has started for this detection.
  • Action End - action has been removed for this detection.
  • Reaffirm - action is already in place and reaffirmed.
  • Negate - multiple malicious detections are being simultaneously mitigated by this action, and one of these detections has
  ended. The action remains in place until all of the detections being mitigated have ended. This only applies to complex rules
  where the same host has multiple detections.
• Attack Confirmation - The time a new host was observed to be exhibiting malicious behaviour, based on the number of events per
unit of time during the period.
SYN Flood Detections 46

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
Specify the list of IP addresses that you wish to view audit logs for.

Interpreting the report


Audit Log
• report is sorted on Audit Time to provide a chronological list of mitigation events.
• examine the Action Taken to identify the mitigation action that was taken.
• examine the Audit Time and State fields to identify when the action was taken and when it was ended.

Bandwidth by Destination
Overview
Use the Malicious Bandwidth by Destination IP Address report to identify the malicious bandwidth detected across the selected networks
for a specific host. Use this report to identify hosts under a SYN flood attack.
The report contains the following two charts:
• Malicious Bandwidth - Stacked area chart of the detected malicious bandwidth, measured in bits per second (bps).
• Malicious Packet Rate - Stacked area chart of the detected malicious packet rate, measured in packets per second (pps).
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the destination host that you wish to analyze.

Interpreting the report


• look for spikes which indicate an increase in the bandwidth being targeted at the host.
• look for a single host associated with a significant amount of the traffic - this host is under a more severe attack.
• over time, check to see if patterns emerge.

Note: a value of 0 only indicates that the bandwidth dropped below the detection threshold for the
period; not that the activity stopped.

Note: only SYN packets are counted. If the host is being sent non-SYN packets, they will not be counted
in this report.

Note: due to the manner in which this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. If you are looking for finer-grained
accuracy, it is generally recommended that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one week period of time, that reporting interval may be broken up into one hour
segments within the chart. Let's assume that four consecutive plotted points within the chart had the
series (4, 5, 17, 5). These values would represent the average rate of events for each particular hour.
If we re-ran the report with a two week time period, we would find that this particular time range has
fewer bins with lower values. In this example, we would expect to see the following series of values for
the same time points: (4.5, 11). This is caused by the fact that the two-week report must collapse time
bins, which dilutes peak values through averaging.

Detected Hosts
Overview
Use the Attacked Hosts report to identify the attacked hosts detected across the selected networks for the report period. Use this report to
examine the total attacked hosts for selected protocols and to see how many of the hosts were mitigated by the WDTM.
The report contains the following two charts:
• Attacked Hosts - Stacked area chart identifying the detected hosts that are being attacked by traffic type.
• Mitigated Hosts - Stacked area chart identifying the attacked hosts that were mitigated by the WDTM by traffic type.
Attacked hosts that are detected and managed by actions that do not drop packets are not shown on this chart.

Configuring the report


Select a time period and the elements you wish to monitor for attacked hosts. You can build virtual clusters of Sandvine elements using
the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.

Interpreting the report


Attacked Hosts
• look for spikes, which may show that multiple new users are infected.
• use this report to see the history of attacked hosts to determine what is "steady state" and what is a change that requires
further investigation.
Mitigated Hosts
• use this chart to verify existing WDTM thresholds with respect to the overall mitigation strategy.

Note: these charts display raw count totals. This can affect the reports by appearing to provide different
peak results, which is caused by the scaling of these values over different time intervals. For example, if
you chose to report on data for a one week period of time, that reporting interval may be broken up into
one hour segments within the chart. Let's assume that four consecutive plotted points within the chart
had the series (4, 7, 13, 17). These values would represent the total number of events for each
particular hour. If we re-ran the report with a two week time period, we would find that this particular
time range has fewer bins but with higher values. In this example, we would expect to see the following
series of values for the same time points: (11, 30). This is caused by the fact that the two-week report
must collapse time bins, which in turn stacks the resulting bin values.

Malicious Bandwidth
Overview
Use the Malicious Bandwidth report to identify the malicious bandwidth detected across the selected networks for the report period. Use
this report to examine the total malicious bandwidth for selected protocols and to see how much of this bandwidth was mitigated by the
WDTM.
The report contains the following four charts:
• Malicious Bandwidth - Stacked area chart of the detected malicious bandwidth, broken down by traffic type.
• Mitigated Bandwidth - Stacked area chart of the detected malicious bandwidth that was mitigated by the WDTM, broken down by
traffic type. Malicious bandwidth that is detected and managed by actions that do not drop packets is not shown on this chart.
• Malicious Packet Rate - Stacked area chart of the detected malicious packet rate, broken down by traffic type.
• Mitigated Packet Rate - Stacked area chart of the detected malicious packet rate that was mitigated by the WDTM, broken down by
traffic type. Malicious bandwidth that is detected and managed by actions that do not drop packets is not shown on this chart.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.

Interpreting the report


Malicious Bandwidth
• look for consistently high bandwidth. This may indicate ongoing background activity on the network.
• look for spikes as this may indicate a new occurrence that requires mitigation.
• use this chart to see the history of malicious traffic and to determine what is "steady state", and what is a change that
requires further investigation.
Mitigated Bandwidth
• use this chart to verify existing WDTM thresholds with respect to the overall mitigation strategy.
Malicious Packet Rate
• look for spikes which may indicate that multiple new users are infected.
• use this chart to see the history of malicious traffic and to determine what is "steady state", and what is a change that
requires further investigation.
Mitigated Packet Rate
• use this chart to verify existing WDTM thresholds with respect to the overall mitigation strategy.

Note: for a given detection type it is possible for the dropped bandwidth to be less than the malicious
bandwidth. To understand why, it is necessary to understand how the WDTM Detection Engine and
WDTM Detection Aggregator work. When an attack starts, it is analyzed by the WDTM Detection
Engine. During this time, the attack is not confirmed, but its bytes and packets are counted. When the
Detection Engine determines that thresholds were crossed (as specified by detection-config rules), the
event is reported to the WDTM Detection Aggregator, which is responsible for aggregating detection
events in an attempt to reduce false positives. When the Detection Aggregator confirms that the
event(s) constitute an attack because timed-host-percent thresholds were crossed (as specified by
aggregator-config rules), it applies mitigation actions (as specified by wmd-rules). At this point, the
bytes/packets counted before the attack was confirmed are logged as malicious bytes/packets and show
up in the Malicious Bandwidth/Malicious Packet Rate graphs. This counted malicious traffic is impossible
to mitigate, since doing so would require knowing that the traffic was malicious before it looked malicious,
and so the traffic will not be counted as mitigated. Since new malicious traffic is always being detected
for the first time, this means that overall, malicious traffic will typically be greater than mitigated traffic.
For some detections, this contrast between malicious and mitigated is much larger. Spam especially
exhibits this large contrast. This is because the mitigated traffic is predominantly SYN packets that are
dropped before the TCP flow is established. As a result, the minutes required to confirm a spam attack
could result in many bytes and packets of unmitigated malicious traffic. When the attack is confirmed,
although many bytes and packets are in theory mitigated by dropping the flow, we can only honestly
report the very small fraction of that traffic that was actually mitigated on the wire, specifically the SYN
packets.
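The accounting in the note above can be made concrete with a toy model of the two-stage pipeline it describes: the Detection Engine counts during the unconfirmed window, the Aggregator confirms, and only then does an action drop anything. This is an added example, not code from the Sandvine product or its documentation. The per-minute traffic figures, the three-minute confirmation delay and the SYN packet size are constructed, and treating "dropped before the TCP flow is established" as only one SYN packet per flow reaching the wire after confirmation is my own simplification of the spam explanation in the note.

```python
"""Toy accounting of malicious versus mitigated traffic across attack confirmation.

Added example, not code from the Sandvine documentation. The traffic figures
and the confirmation delay are constructed; the SYN-only rule after
confirmation is a simplification of the spam explanation in the note.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Minute:
    """Traffic one attacking host generates in one minute (constructed)."""
    flows: int             # new TCP flows started in this minute
    packets_per_flow: int  # packets each flow would carry if it were established
    bytes_per_packet: int


@dataclass
class Counters:
    packets: int = 0
    byte_count: int = 0

    def add(self, packets, byte_count):
        self.packets += packets
        self.byte_count += byte_count


def account(timeline, confirm_after, syn_only=False, syn_bytes=60):
    """Return (malicious, mitigated) Counters for the whole timeline.

    Minutes before index `confirm_after` are the unconfirmed window: the
    Detection Engine counts them, and once the Aggregator confirms the attack
    they are logged as malicious, but nothing was dropped, so they never count
    as mitigated. From confirmation onward the action drops traffic and the
    same packets are counted as both malicious and mitigated. With
    `syn_only=True` only the SYN of each flow reaches the wire after
    confirmation (the flow is never established), so both counters grow by
    one small packet per flow, which is the spam case in the note.
    """
    malicious, mitigated = Counters(), Counters()
    for i, minute in enumerate(timeline):
        confirmed = i >= confirm_after
        if confirmed and syn_only:
            pkts, byts = minute.flows, minute.flows * syn_bytes
        else:
            pkts = minute.flows * minute.packets_per_flow
            byts = pkts * minute.bytes_per_packet
        malicious.add(pkts, byts)
        if confirmed:
            mitigated.add(pkts, byts)
    return malicious, mitigated


def mitigated_fraction(malicious, mitigated):
    """Share of malicious bytes the report can honestly show as mitigated."""
    return mitigated.byte_count / malicious.byte_count if malicious.byte_count else 0.0


# Constructed: ten minutes of a steady attack, confirmed after three minutes.
SAMPLE_TIMELINE = [Minute(flows=100, packets_per_flow=20, bytes_per_packet=500)] * 10
CONFIRM_AFTER = 3


if __name__ == "__main__":
    for label, syn_only in (("flow dropped", False), ("spam: SYN-only", True)):
        mal, mit = account(SAMPLE_TIMELINE, CONFIRM_AFTER, syn_only=syn_only)
        print(f"{label:16} malicious={mal.byte_count:>10} B  mitigated={mit.byte_count:>10} B  "
              f"fraction={mitigated_fraction(mal, mit):.3f}")
```

With the constructed figures, a detection whose action drops whole flows reports 70% of its malicious bytes as mitigated (the three unconfirmed minutes are the gap), while the SYN-only case reports under 2%, because the unconfirmed minutes carried full flows and everything afterwards is a single SYN per flow.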

Note: due to the manner in which this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. If you are looking for finer-grained
accuracy, it is generally recommended that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one week period of time, that reporting interval may be broken up into one hour
segments within the chart. Let's assume that four consecutive plotted points within the chart had the
series (4, 5, 17, 5). These values would represent the average rate of events for each particular hour.
If we re-ran the report with a two week time period, we would find that this particular time range has
fewer bins with lower values. In this example, we would expect to see the following series of values for
the same time points: (4.5, 11). This is caused by the fact that the two-week report must collapse time
bins, which dilutes peak values through averaging.

SYN Flood Detections


Overview
Use the SYN Flood Attacks report to detect a host that is being maliciously attacked.
SYN floods are attacks that attempt to overload a target by requesting a large number of sessions which causes the target to maintain a
state or resource for each connection. The attacker is therefore attempting to force the target to consume all of its available resources so
that it can no longer function. This type of attack is a directed attack, usually with malicious intent. Note that SYN floods only apply to
TCP.
The report contains the following table:
• Destination IP Address - The IP address of the host that is under attack.
• Subscriber - The name of the subscriber associated with the IP address. If the IP address is not associated with an internal
subscriber, this column will appear empty.
• Network - The network associated with the destination IP address.
• Protocol - Layer 4 protocol of the OSI stack.
• Destination Port - Port to which the attack is being directed.
• Application - Typical service found on the destination port.
• Active Time - The amount of time the attack has been on the network using bandwidth which exceeds the set threshold.
• Bandwidth - The average bit rate calculated over the active time, measured in bits per second.
• Packet Rate - The average packet rate calculated over the active time, measured in packets per second.
• Last Detected - The date and time in the current time zone that the attack was last detected.
• View Audit - If a check mark is present, an action has been applied and there is an audit log with the details. If the check mark is
not present, WDTM is monitoring traffic for this host, but no mitigation actions have been applied. This will happen if a host has not
crossed the rule's high thresholds. In this case, WDTM has identified that this is a real attack, but WDTM has only been configured to
mitigate above specific thresholds.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
The Flow Selection area allows you to select the egress, or direction, of the traffic from the selected networks.

Interpreting the report


• sort on the Active Time column in descending order to determine if a significant attack is in progress (who are the worst
offenders).
• sort the data by Destination IP Address to see the destination addresses. Check to see if the addresses being attacked are
related addresses. If so, this may indicate a directed DoS attack.
• also examine the Destination Port field to identify specific ports that are being targeted.
• sort by Network to see where the attack is originating - inside or outside the network.
Drilldowns
Malicious Bandwidth by Destination
To examine the SYN flood malicious bandwidth for a specific host for the reporting period, drilldown uses the destination IP address.
Bandwidth by Destination Subscriber
To examine the bandwidth for a specific subscriber for the reporting period, drilldown uses the destination subscriber and is only available
if the destination subscriber is known.
Application/Malware by Port
To examine the typical applications and exploits for a specific port, drilldown uses the destination port.
Audit Log by Detection
To examine the audit log for a specific attack, drilldown uses the attack identification and is only available if the View Audit column is
checked. If the check mark is not present, no actions have been applied and no drilldown is available.

Audit Log
Audit Log
Overview
Use the Audit Log report to identify the actions taken by the WDTM for malicious traffic based on the selected networks for the report
period. Each record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to
confirm what actions were taken for a host and when the action was taken.

The following information is presented in the Audit Log report:


• Host - The IP address of the host under attack.
• Audit Time - The time stamp (date and time in the time zone of the current database) when the action was applied.
• Action Taken - The action taken will be a malicious traffic mitigation action such as limit-flows-in, limit-flows-out, limit-pattern,
reroute, nullroute, email-alert, shell command and so forth.
• State - There are four possible states for a mitigation action:
  • Action Begin - action has started for this detection.
  • Action End - action has been removed for this detection.
  • Reaffirm - action is already in place and reaffirmed.
  • Negate - multiple malicious detections are being simultaneously mitigated by this action, and one of these detections has
  ended. The action remains in place until all of the detections being mitigated have ended. This only applies to complex rules
  where the same host has multiple detections.
• Attack Confirmation - The time a new host was observed to be exhibiting malicious behaviour based on the number of events/time during
the period.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.

Interpreting the report


Audit Log
• report is sorted on Audit Time to provide a chronological list of mitigation events.
• sort on the Host field to see if the same host is under multiple attacks.
• examine the Action Taken to identify the mitigation action that was taken.
Drilldowns
Audit Log by Host
To examine all of the audit log entries for a specific host for the reporting period, drilldown uses the host IP address.

Audit Log by Host


Overview
Use the Audit Log by Host report to identify all of the actions taken by the WDTM for a specific host during the reporting period. Each
record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to confirm what
actions were taken for a host and when the action was taken.

The following information is presented in the Audit Log by Host report:


• Host - The IP address of the host under attack.
• Audit Time - The time stamp (date and time in the time zone of the current database) when the action was applied.
• Action Taken - The action taken will be a malicious traffic mitigation action such as limit-flows-in, limit-flows-out, limit-pattern,
reroute, nullroute, email-alert, shell command and so forth.
• State - There are four possible states for a mitigation action:
  • Action Begin - action has started for this detection.
  • Action End - action has been removed for this detection.
  • Reaffirm - action is already in place and reaffirmed.
  • Negate - multiple malicious detections are being simultaneously mitigated by this action, and one of these detections has
  ended. The action remains in place until all of the detections being mitigated have ended. This only applies to complex rules
  where the same host has multiple detections.
• Attack Confirmation - The time a new host was observed to be exhibiting malicious behaviour based on the number of events/time during
the period.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
Specify the list of IP addresses that you wish to view audit logs for.

Interpreting the report


Audit Log
• report is sorted on Audit Time to provide a chronological list of mitigation events.
• examine the Action Taken to identify the mitigation action that was taken.
• examine the Audit Time and State fields to identify when the action was taken and when it was ended.

Top Talkers
by Bytes
Use this report to identify the hosts which have received the most bandwidth, ranked by bytes. By default, the top 100 subscribers are
displayed. This is configurable on the Presentation page.
This report contains the following table:
• Destination IP Address - The IP address of the host that is under attack.
• Network - The network associated with the host.
• Bytes - The number of bytes received by the host during the reporting period.

Configuring the report


Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.

Interpreting the report


• hosts receiving the highest number of bytes should be investigated further.
• sort the report by Network to determine if a specific network is under attack.
Drilldowns
User Bandwidth Malicious Bandwidth by Destination IP Address
To examine the user bandwidth for a specific host for the reporting period, drill down on the destination IP address.

by Bytes Histogram
Use this report to identify the hosts which have received the most SYN flood data, ranked by bytes. By default, the top 10 subscribers are
displayed. This is configurable on the Presentation page.
This report contains the following chart:
• User Bandwidth Top Talkers by Bytes Histogram - histogram chart identifying the top hosts that are receiving a large
amount of bandwidth.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.

Interpreting the report


• hosts receiving the highest number of bytes should be investigated further.

by Detections
Use this report to identify the hosts which have received the most bandwidth, ranked by number of detections. By default, the top 100
subscribers are displayed. This is configurable on the Presentation page.
This report contains the following table:
• Destination IP Address - The IP address of the host that is under attack.
• Network - The network associated with the host.
• Detections - The number of detections during the reporting period.

Configuring the report


Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.

Interpreting the report


• hosts receiving the highest number of detections should be investigated further.
• sort the report by Network to determine if a specific network is under attack.

Drilldowns
User Bandwidth Malicious Bandwidth by Destination IP Address
To examine the bandwidth for a specific host for the reporting period, drill down on the destination IP address.

by Detections Histogram
Use this report to identify the hosts which have been detected as receiving excessive bandwidth. By default, the top 10 subscribers are
displayed. This is configurable on the Presentation page.
This report contains the following chart:
• User Bandwidth Top Talkers by Detections Histogram - histogram chart identifying the top hosts that are receiving
excessive bandwidth.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.

Interpreting the report


• hosts receiving the highest number of detections should be investigated further.

User Bandwidth Detections


Audit Log
Overview
Use the Audit Log report to identify the actions taken by the WDTM for malicious traffic based on the selected networks for the report
period. Each record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to
confirm what actions were taken for a host and when the action was taken.

The following information is presented in the Audit Log report:


• Host - The IP address of the host under attack.
• Audit Time - The time stamp (date and time in the time zone of the current database) when the action was applied.
• Action Taken - The action taken will be a malicious traffic mitigation action such as limit-flows-in, limit-flows-out, limit-pattern,
reroute, nullroute, email-alert, shell command and so forth.
• State - There are four possible states for a mitigation action:
  • Action Begin - action has started for this detection.
  • Action End - action has been removed for this detection.
  • Reaffirm - action is already in place and reaffirmed.
  • Negate - multiple malicious detections are being simultaneously mitigated by this action, and one of these detections has
  ended. The action remains in place until all of the detections being mitigated have ended. This only applies to complex rules
  where the same host has multiple detections.
• Attack Confirmation - The time a new host was observed to be exhibiting malicious behaviour based on the number of events/time during
the period.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.

Interpreting the report


Audit Log
• report is sorted on Audit Time to provide a chronological list of mitigation events.
• sort on the Host field to see if the same host is under multiple attacks.
• examine the Action Taken to identify the mitigation action that was taken.
Drilldowns
Audit Log by Host
To examine all of the audit log entries for a specific host for the reporting period, drilldown uses the host IP address.

Audit Log by Host


Overview
Use the Audit Log by Host report to identify all of the actions taken by the WDTM for a specific host during the reporting period. Each
record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to confirm what
actions were taken for a host and when the action was taken.

The following information is presented in the Audit Log by Host report:


• Host - The IP address of the host under attack.
• Audit Time - The time stamp (date and time in the time zone of the current database) when the action was applied.
• Action Taken - The action taken will be a malicious traffic mitigation action such as limit-flows-in, limit-flows-out, limit-pattern,
reroute, nullroute, email-alert, shell command and so forth.
• State - There are four possible states for a mitigation action:
  • Action Begin - action has started for this detection.
  • Action End - action has been removed for this detection.
  • Reaffirm - action is already in place and reaffirmed.
  • Negate - multiple malicious detections are being simultaneously mitigated by this action, and one of these detections has
  ended. The action remains in place until all of the detections being mitigated have ended. This only applies to complex rules
  where the same host has multiple detections.
• Attack Confirmation - The time a new host was observed to be exhibiting malicious behaviour based on the number of events/time during
the period.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
Specify the list of IP addresses that you wish to view audit logs for.

Interpreting the report


Audit Log
• report is sorted on Audit Time to provide a chronological list of mitigation events.
• examine the Action Taken to identify the mitigation action that was taken.
• examine the Audit Time and State fields to identify when the action was taken and when it was ended.
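The interpretation steps for the Audit Log and Audit Log by Host reports (reading records in Audit Time order, checking whether the same host is under multiple attacks, and pairing Audit Time with State to see when an action began and ended) can be automated over an exported log. The following is an added example, not code from Sandvine or its documentation. The CSV export layout, the hosts and the timestamps are constructed, and the rule that a second Action Begin for the same host and action means a second detection has joined an action already in place (the situation that later produces a Negate record) is my own reading of the State descriptions above.

```python
"""Reconstruct mitigation intervals per host from Audit Log records.

Added example; not code from the Sandvine product or its documentation.
The four State values follow the field descriptions in this chapter. The
CSV layout, addresses and timestamps are constructed, and the treatment of a
repeated "Action Begin" as another detection joining the same action is an
assumption made for the example.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample export: Host, Audit Time, Action Taken, State
SAMPLE_AUDIT_LOG = """\
Host,Audit Time,Action Taken,State
10.0.0.5,2024-03-01 10:00:00,limit-flows-in,Action Begin
10.0.0.9,2024-03-01 10:02:00,nullroute,Action Begin
10.0.0.5,2024-03-01 10:05:00,limit-flows-in,Reaffirm
10.0.0.5,2024-03-01 10:07:00,limit-flows-in,Action Begin
10.0.0.9,2024-03-01 10:12:00,nullroute,Action End
10.0.0.5,2024-03-01 10:20:00,limit-flows-in,Negate
10.0.0.5,2024-03-01 10:30:00,limit-flows-in,Action End
10.0.0.5,2024-03-01 11:00:00,email-alert,Action Begin
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_audit_log(text):
    """Parse the export and return rows sorted on Audit Time, as the report is."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["Audit Time"] = datetime.strptime(row["Audit Time"], TIME_FORMAT)
    return sorted(rows, key=lambda r: r["Audit Time"])


def mitigation_intervals(rows):
    """Map each host to a list of (action, begin, end, peak_detections).

    `end` is None when the action was still in place at the end of the
    reporting period. `peak_detections` is the most detections the action
    covered at once; a value above 1 is what makes Negate records appear.
    """
    open_actions = {}            # (host, action) -> {"begin", "active", "peak"}
    intervals = defaultdict(list)
    for row in rows:
        key = (row["Host"], row["Action Taken"])
        when, state = row["Audit Time"], row["State"]
        cur = open_actions.get(key)
        if state == "Action Begin":
            if cur is None:
                open_actions[key] = {"begin": when, "active": 1, "peak": 1}
            else:  # assumption: a further detection now covered by the same action
                cur["active"] += 1
                cur["peak"] = max(cur["peak"], cur["active"])
        elif state == "Reaffirm":
            if cur is None:  # action predates the report period; open it here
                open_actions[key] = {"begin": when, "active": 1, "peak": 1}
        elif state == "Negate":
            if cur is None:
                raise ValueError(f"Negate without an active action: {row}")
            cur["active"] = max(0, cur["active"] - 1)  # action itself stays in place
        elif state == "Action End":
            if cur is None:
                raise ValueError(f"Action End without an active action: {row}")
            intervals[row["Host"]].append((key[1], cur["begin"], when, cur["peak"]))
            del open_actions[key]
        else:
            raise ValueError(f"unknown State {state!r}")
    for (host, action), cur in open_actions.items():
        intervals[host].append((action, cur["begin"], None, cur["peak"]))
    return {h: sorted(v, key=lambda t: t[1]) for h, v in intervals.items()}


def hosts_under_multiple_attacks(intervals):
    """Hosts with more than one action, or an action that covered >1 detection."""
    return sorted(h for h, v in intervals.items()
                  if len(v) > 1 or any(t[3] > 1 for t in v))


if __name__ == "__main__":
    iv = mitigation_intervals(parse_audit_log(SAMPLE_AUDIT_LOG))
    for host, spans in iv.items():
        for action, begin, end, peak in spans:
            print(host, action, begin, end or "still in place", f"detections={peak}")
    print("multiple attacks:", hosts_under_multiple_attacks(iv))
```

Run directly, it prints one line per host and action; an interval whose end is "still in place" had no Action End record before the reporting period closed, which is the case to look at first when verifying that a mitigation was actually removed.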

Bandwidth by Destination
Overview
Use the Malicious Bandwidth by Destination IP Address report to identify the malicious bandwidth detected across the selected networks
for a specific host. Use this report to identify hosts under a user bandwidth attack.
The report contains the following two charts:
• Malicious Bandwidth - Stacked area chart of the detected malicious bandwidth, measured in bits per second (bps). If the policy
changes during the date range, the minimum threshold value is used.
• Malicious Packet Rate - Stacked area chart of the detected malicious packet rate, measured in packets per second (pps).
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the destination host that you wish to analyze.

Interpreting the report


• look for spikes which indicate an increase in the bandwidth being targeted at the host.
• look for a single host associated with a significant amount of the traffic - this host is under a more severe attack.
• over time, check to see if patterns emerge.

Note: a value of 0 only indicates that the bandwidth dropped below the detection threshold for the
period; not that the activity stopped.

Note: due to the manner in which this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. If you are looking for finer-grained
accuracy, it is generally recommended that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one week period of time, that reporting interval may be broken up into one hour
segments within the chart. Let's assume that four consecutive plotted points within the chart had the
series (4, 5, 17, 5). These values would represent the average rate of events for each particular hour.
If we re-ran the report with a two week time period, we would find that this particular time range has
fewer bins with lower values. In this example, we would expect to see the following series of values for
the same time points: (4.5, 11). This is caused by the fact that the two-week report must collapse time
bins, which dilutes peak values through averaging.

Bandwidth by Source
Overview
Use the Malicious Bandwidth by Source IP Address report to identify the malicious bandwidth detected across the selected networks for a
specific host. Use this report to identify hosts under a user bandwidth attack.
The report contains the following two charts:
• Malicious Bandwidth - Stacked area chart of the detected malicious bandwidth, measured in bits per second (bps). If the policy
changes during the date range, the minimum threshold value is used.
• Malicious Packet Rate - Stacked area chart of the detected malicious packet rate, measured in packets per second (pps).
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.

The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the source host that you wish to analyze.

Interpreting the report


• look for spikes which indicate an increase in the bandwidth being targeted at the host.
• look for a single host associated with a significant amount of the traffic - this host is under a more severe attack.
• over time, check to see if patterns emerge.

Note: a value of 0 only indicates that the bandwidth dropped below the detection threshold for the
period, not that the activity stopped.

Note: due to the manner in which this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. If you are looking for finer-grained
accuracy, it is generally recommended that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one week period of time, that reporting interval may be broken up into one hour
segments within the chart. Let's assume that if we took four consecutive plotted points within the chart
we had the series (4, 5, 17, 5). These values would represent the average rate of events for that
particular hour. If we re-ran the report with a two week time period, we would find that in this particular
time range, we would have fewer bins with lower values. In this example, we would expect to see the
following series of values for the same appropriate time points (4.5, 11). This is caused by the fact that
the two-week report must collapse time bins, which dilutes peak values through averaging.

Detected Hosts
Overview
Use the Attacked Hosts report to identify the attacked hosts detected across the selected networks for the report period. Use this report to
examine the total attacked hosts for selected protocols and to see how many of the hosts were mitigated by the WDTM.
The report contains the following two charts:
• Attacked Hosts - Stacked area chart identifying the detected hosts that are being attacked by traffic type.
• Mitigated Hosts - Stacked area chart identifying the attacked hosts that were mitigated by the WDTM by traffic type.
Attacked hosts that are detected and managed by actions that do not drop packets are not shown on this chart.
Configuring the report
Select a time period and the elements you wish to monitor for attacked hosts. You can build virtual clusters of Sandvine elements using
the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.

Interpreting the report


Attacked Hosts
• look for spikes, which may show that multiple new users are infected.
• use this report to see the history of attacked hosts to determine what is "steady state" and what is a change that requires
further investigation.
Mitigated Hosts
• use this chart to verify existing WDTM thresholds with respect to the overall mitigation strategy.

Note: these charts display raw count totals. This can affect the reports by appearing to provide different
peak results, which is caused by the scaling of these values over different time intervals. For example, if
you chose to report on data for a one week period of time, that reporting interval may be broken up into
one hour segments within the chart. Let's assume that if we took four consecutive plotted points within
the chart we had the series (4, 7, 13, 17). These values would represent the total number of events for
that particular hour. If we re-ran the report but with a two week time period, we would find that in this
particular time range, we would have fewer bins, each with higher values. In this example, we would expect
to see the following series of values for the same appropriate time points (11, 30). This is caused by the
fact that the two-week report must collapse time bins, which in turn stacks the resulting bin values.
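The two kinds of bin collapsing described in the notes above (rate charts are averaged over the wider bin, so peaks are diluted; count charts are summed, so bins stack) can be reproduced with a small rebinning routine. This is an added example, not part of the Sandvine documentation; the input series are the ones quoted in the notes, and the collapse factor of 2 (a two-week report merging pairs of one-week hourly bins) is an assumption for illustration.

```python
"""Collapse chart bins the way the scaling notes describe.

Added example, not from the Sandvine documentation. The input series are the
ones quoted in the notes above; the collapse factor of 2 (a two-week report
merging pairs of one-week hourly bins) is an assumption for illustration.
"""
from typing import Callable, List, Sequence


def collapse_bins(series: Sequence[float], factor: int,
                  combine: Callable[[Sequence[float]], float]) -> List[float]:
    """Merge every `factor` consecutive bins into one bin using `combine`.

    A trailing partial group (fewer than `factor` bins) is combined as-is so
    no data is dropped when the series does not divide evenly.
    """
    if factor < 1:
        raise ValueError("factor must be at least 1")
    return [combine(series[i:i + factor]) for i in range(0, len(series), factor)]


def collapse_rate_bins(series: Sequence[float], factor: int) -> List[float]:
    """Rate charts (bps, pps, events/s) are averages, so peaks are diluted."""
    return collapse_bins(series, factor, lambda group: sum(group) / len(group))


def collapse_count_bins(series: Sequence[float], factor: int) -> List[float]:
    """Count charts (attacked/mitigated hosts) are totals, so bins stack up."""
    return collapse_bins(series, factor, sum)


def peak_ratio(series: Sequence[float], collapsed: Sequence[float]) -> float:
    """How the chart's visible peak changes after collapsing (1.0 = unchanged)."""
    return max(collapsed) / max(series)


if __name__ == "__main__":
    hourly_rate = [4, 5, 17, 5]     # average events/s per one-hour bin (from the note)
    hourly_count = [4, 7, 13, 17]   # total events per one-hour bin (from the note)
    wide_rate = collapse_rate_bins(hourly_rate, 2)
    wide_count = collapse_count_bins(hourly_count, 2)
    print("rate  :", hourly_rate, "->", wide_rate,
          f"(peak x{peak_ratio(hourly_rate, wide_rate):.2f})")
    print("count :", hourly_count, "->", wide_count,
          f"(peak x{peak_ratio(hourly_count, wide_count):.2f})")
```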

Malicious Bandwidth
Overview
Use the Malicious Bandwidth report to identify the malicious bandwidth detected across the selected networks for the report period. Use
this report to examine the total malicious bandwidth for selected protocols and to see how much of this bandwidth was mitigated by the
WDTM.
The report contains the following four charts:
• Malicious Bandwidth - Stacked area chart showing the detected malicious bandwidth by traffic type.
• Mitigated Bandwidth - Stacked area chart showing the detected malicious bandwidth that was mitigated by the WDTM by
traffic type. Malicious bandwidth that is detected and managed by actions that do not drop packets is not shown on this
chart.
• Malicious Packet Rate - Stacked area chart showing the detected malicious packets by traffic type.
• Mitigated Packet Rate - Stacked area chart showing the detected malicious packets that were mitigated by the WDTM by
traffic type. Malicious bandwidth that is detected and managed by actions that do not drop packets is not shown on this
chart.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.

Interpreting the report


Malicious Bandwidth
• look for consistently high bandwidth. This may indicate ongoing background activity on the network.
• look for spikes as this may indicate a new occurrence that requires mitigation.
• use this chart to see the history of malicious traffic and to determine what is "steady state", and what is a change that
requires further investigation.
Mitigated Bandwidth
• use this chart to verify existing WDTM thresholds with respect to the overall mitigation strategy.
Malicious Packet Rate
• look for spikes which may indicate that multiple new users are infected.
• use this chart to see the history of malicious traffic and to determine what is "steady state", and what is a change that
requires further investigation.
Mitigated Packet Rate
• use this chart to verify existing WDTM thresholds with respect to the overall mitigation strategy.

Note: for a given detection type it is possible for the dropped bandwidth to be less than the malicious
bandwidth. To understand why, it is necessary to understand how the WDTM Detection Engine and WDTM
Detection Aggregator work. When an attack starts, it is analyzed by the WDTM Detection Engine. During
this time the attack is not yet confirmed, but its bytes and packets are counted. When the Detection
Engine determines that thresholds were crossed (as specified by detection-config rules), the event is
reported to the WDTM Detection Aggregator, which aggregates detection events in an attempt to reduce
false positives. When the Detection Aggregator confirms that the event(s) constitute an attack because
timed-host-percent thresholds were crossed (as specified by aggregator-config rules), it applies mitigation
actions (as specified by wmd-rules). At this point, the bytes/packets counted before the attack was
confirmed are logged as malicious bytes/packets and show up in the Malicious Bandwidth/Malicious Packet
Rate graphs. This counted malicious traffic is impossible to mitigate, since doing so would require knowing
that the traffic was malicious before it looked malicious, so it is not counted as mitigated. Since new
malicious traffic is always being detected for the first time, overall malicious traffic will typically be
greater than mitigated traffic.
For some detections this contrast between malicious and mitigated is much larger. Spam especially
exhibits this large contrast, because the mitigated traffic is predominantly SYN packets that are dropped
before the TCP flow is established. As a result, the minutes required to confirm a spam attack can produce
many bytes and packets of unmitigated malicious traffic. When the attack is confirmed, although many
bytes and packets are in theory mitigated by dropping the flow, only the small fraction of that traffic
actually mitigated on the wire, specifically the SYN packets, can honestly be reported.
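The accounting this note describes can be simulated to see the gap between malicious and mitigated traffic appear. This is an added example, not Sandvine's code: the bytes-per-second threshold, the confirmation window, the percentage standing in for timed-host-percent, and the per-second traffic samples are all constructed, and a confirmed attack is assumed to stay confirmed for the rest of the samples.

```python
"""Simulate why malicious traffic exceeds mitigated traffic for a detection.

Added example, not from Sandvine. The threshold, window, percentage and
traffic samples below are constructed; they stand in for the detection-config,
aggregator-config (timed-host-percent) and wmd-rules settings the note names.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Sample:
    """Traffic seen for one host in one second."""
    bytes: int
    packets: int
    syn_packets: int = 0   # SYN packets: the part a flow drop actually removes from the wire
    syn_bytes: int = 0


@dataclass
class Tally:
    malicious_bytes: int = 0
    malicious_packets: int = 0
    mitigated_bytes: int = 0
    mitigated_packets: int = 0
    confirmed_at: Optional[int] = None  # index of the sample that confirmed the attack


def account(samples: List[Sample], bytes_threshold: int, window: int,
            host_percent: int, syn_only: bool = False) -> Tally:
    """Replay samples through a detection engine and aggregator model.

    Detection Engine: a second whose bytes exceed `bytes_threshold` raises a
    detection event; its bytes/packets are counted as malicious immediately.
    Aggregator: the attack is confirmed once detection events cover at least
    `host_percent` percent of the last `window` seconds (assumed semantics for
    timed-host-percent). Only traffic from the confirming second onward can be
    counted as mitigated; for spam-like detections (`syn_only`) only the SYN
    packets dropped before the TCP flow is established count as mitigated.
    """
    if window < 1:
        raise ValueError("window must be at least 1 second")
    tally = Tally()
    recent: List[bool] = []      # detection flags for the last `window` seconds
    confirmed = False
    for t, s in enumerate(samples):
        detected = s.bytes > bytes_threshold
        recent = (recent + [detected])[-window:]
        if not detected:
            continue
        tally.malicious_bytes += s.bytes
        tally.malicious_packets += s.packets
        if (not confirmed and len(recent) == window
                and 100 * sum(recent) >= host_percent * window):
            confirmed = True
            tally.confirmed_at = t
        if confirmed:
            tally.mitigated_bytes += s.syn_bytes if syn_only else s.bytes
            tally.mitigated_packets += s.syn_packets if syn_only else s.packets
    return tally


def build_samples() -> List[Sample]:
    """Constructed: two quiet seconds, then eight seconds of a 2 MB/s flood."""
    quiet = Sample(bytes=500_000, packets=500, syn_packets=20, syn_bytes=1_200)
    flood = Sample(bytes=2_000_000, packets=2_000, syn_packets=200, syn_bytes=12_000)
    return [quiet] * 2 + [flood] * 8


if __name__ == "__main__":
    for label, syn_only in (("bandwidth flood", False), ("spam-like", True)):
        t = account(build_samples(), bytes_threshold=1_000_000, window=4,
                    host_percent=75, syn_only=syn_only)
        print(f"{label:16s} confirmed at t={t.confirmed_at}s  "
              f"malicious={t.malicious_bytes:,} B  mitigated={t.mitigated_bytes:,} B")
```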

Note: due to the manner in which this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. If you are looking for finer-grained
accuracy, it is generally recommended that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one week period of time, that reporting interval may be broken up into one hour
segments within the chart. Let's assume that if we took four consecutive plotted points within the chart
we had the series (4, 5, 17, 5). These values would represent the average rate of events for that
particular hour. If we re-ran the report with a two week time period, we would find that in this particular
time range, we would have fewer bins with lower values. In this example, we would expect to see the
following series of values for the same appropriate time points (4.5, 11). This is caused by the fact that
the two-week report must collapse time bins, which dilutes peak values through averaging.

User Bandwidth Detections


Overview
Use the User Bandwidth Attacks report to detect a host that is being maliciously attacked.
User bandwidth attacks attempt to disable a host by overloading it with data. When the target is under attack, usually the inbound
download pipe is saturated and no legitimate traffic can be accommodated. The victim is helpless against the attack.
Bandwidth attacks are usually distributed (multiple attackers involved) and can be devastating to both the target and the network. This
type of attack can be very difficult to mitigate, especially if the attacker is able to "spoof" their source address.
Bandwidth attacks are detected by measuring the amount of traffic destined to a host and comparing that against a threshold. The
threshold, which is determined in the WDTM policy files, must be set above the maximum download rate to avoid false positives.
Depending on the network configuration and the location of core servers (e-mail, nntp, http and so forth) the WDTM may falsely identify
hosts as being attacked. If this is the case it is possible to add the specific hosts to an "angel list".
The report contains the following table:
• Destination IP Address - The IP address of the host that is under attack.
• Subscriber - The name of the subscriber associated with the IP address. If the IP address is not associated with an internal
subscriber, this column will appear empty.
• Network - The network associated with the destination IP address.
• Active Time - The amount of time the attack has been on the network using bandwidth which exceeds the set threshold.
• Bandwidth - The average bit rate calculated over the active time, measured in bits-per-second.
• Packet Rate - The average packet rate calculated over the active time, measured in packets-per-second.
• Last Detected - The date and time, in the current time zone, that the attack was last detected.
• View Audit - If a check mark is present, an action has been applied and there is an audit log with the details. If the check
mark is not present, WDTM is monitoring traffic for this host, but no mitigation actions have been applied. This will happen
if a host has not crossed the rule's high thresholds. In this case, WDTM has identified that this is a real attack, but WDTM
has only been configured to mitigate above specific thresholds.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
The Flow Selection area allows you to select the egress, or direction, of the traffic from the selected networks.

Interpreting the report


• look for spikes, which may show that multiple new users are infected.
• use this report to see the history of user bandwidth attacks to determine what is baseline traffic and what is a change that
requires further investigation.

Drilldowns
User Bandwidth Flood Malicious Bandwidth by Destination IP Address
To examine the user bandwidth malicious bandwidth for a specific host for the reporting period, drilldown on the destination IP address.
1. In the Destination IP Address column, click the IP address.
The User Bandwidth Malicious Bandwidth by Destination IP Address report for the selected IP address appears.

Subscriber Bandwidth by Protocol


To examine the bandwidth for a specific subscriber for the reporting period, drilldown on the subscriber column.
1. In the Subscriber column, click the subscriber name.
The Subscriber Bandwidth by Protocol report for the selected subscriber appears.

Audit Log
To examine the audit log for a specific IP address, drill down on the check mark icon.
If a check mark is present, an action has been applied and there is an audit log with the details of the action.
If the check mark is not present, no actions have been applied.
1. In the View Audit column, click the check mark.
The User Bandwidth Audit Log report appears.

Audit Log
Audit Log
Overview
Use the Audit Log report to identify the actions taken by the WDTM for malicious traffic based on the selected networks for the report
period. Each record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to
confirm what actions were taken for a host and when the action was taken.

The following information is presented in the Audit Log report:


• Host - The IP address of the host under attack.
• Audit Time - The time stamp (date and time, in the time zone of the current database) when the action was applied.
• Action Taken - The action taken will be a malicious traffic mitigation action such as limit-flows-in, limit-flows-out,
limit-pattern, reroute, nullroute, email-alert, shell command and so forth.
• State - There are four possible states for a mitigation action:
  • Action Begin - action has started for this detection.
  • Action End - action has been removed for this detection.
  • Reaffirm - action is already in place and has been reaffirmed.
  • Negate - multiple malicious detections are being simultaneously mitigated by this action, and one of these
  detections has ended. The action remains in place until all of the detections being mitigated have ended. This
  only applies to complex rules where the same host has multiple detections.
• Detection Confirmation - The time a new host was observed to be exhibiting malicious behaviour, based on the number of
events per unit time during the period.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.

Interpreting the report


Audit Log
• report is sorted on Audit Time to provide a chronological list of mitigation events.
• sort on the Host field to see if the same host is under multiple attacks.
• examine the Action Taken to identify the mitigation action that was taken.
Drilldowns
Audit Log by Host
To examine all of the audit log entries for a specific host for the reporting period, the drilldown uses the host IP address.

Audit Log by Host


Overview
Use the Audit Log by Host report to identify all of the actions taken by the WDTM for a specific host during the reporting period. Each
record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to confirm what
actions were taken for a host and when the action was taken.

The following information is presented in the Audit Log by Host report:


• Host - The IP address of the host under attack.
• Audit Time - The time stamp (date and time, in the time zone of the current database) when the action was applied.
• Action Taken - The action taken will be a malicious traffic mitigation action such as limit-flows-in, limit-flows-out,
limit-pattern, reroute, nullroute, email-alert, shell command and so forth.
• State - There are four possible states for a mitigation action:
  • Action Begin - action has started for this detection.
  • Action End - action has been removed for this detection.
  • Reaffirm - action is already in place and has been reaffirmed.
  • Negate - multiple malicious detections are being simultaneously mitigated by this action, and one of these
  detections has ended. The action remains in place until all of the detections being mitigated have ended. This
  only applies to complex rules where the same host has multiple detections.
• Detection Confirmation - The time a new host was observed to be exhibiting malicious behaviour, based on the number of
events per unit time during the period.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
Specify the list of IP addresses that you wish to view audit logs for.

Interpreting the report


Audit Log
• report is sorted on Audit Time to provide a chronological list of mitigation events.
• examine the Action Taken to identify the mitigation action that was taken.
• examine the Audit Time and State fields to identify when the action was taken and when it was ended.

Top Talkers
by Bytes
Use this report to identify the top hosts conducting address scans, ranked by bytes. By default, the top 100 subscribers are
displayed. This is configurable on the Presentation page.
This report contains the following table:
• Source IP Address - The IP address of the host that is address scanning.
• Network - The network associated with the host.
• Bytes - The number of bytes transmitted by the host during the reporting period.

Configuring the report


Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.

Interpreting the report


• hosts generating the highest number of bytes should be investigated.
Drilldowns
Address Scan Malicious Bandwidth by Source IP Address
To examine the address scan malicious bandwidth for a specific host for the reporting period, drill down on the source IP address.

by Bytes Histogram
Use this report to identify the top hosts which are transmitting address scan traffic by bytes. By default, the top 10 subscribers are
displayed. This is configurable on the Presentation page.
This report contains the following chart:
• Address Scan Top Talkers by Bytes Histogram - histogram chart identifying the top hosts that are transmitting address
scans.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.

Interpreting the report


• hosts transmitting the highest number of bytes should be investigated further.

by Detections
Use this report to identify the hosts which are transmitting the most address scans. By default, the top 100 subscribers are displayed. This
is configurable on the Presentation page.
This report contains the following table:
• Source IP Address - The IP address of the host that is sending address scans.
• Network - The network associated with the host.
• Detections - The number of address scans detected during the reporting period.

Configuring the report


Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.

Interpreting the report


• hosts transmitting the highest number of scans should be investigated further.
Drilldowns
Address Scan Malicious Bandwidth by Source IP Address
To examine the malicious bandwidth for a specific host for the reporting period, drill down on the source IP address.

by Detections Histogram
Use this report to identify the hosts which are transmitting the most address scans. By default, the top 10 subscribers are displayed. This
is configurable on the Presentation page.
This report contains the following chart:
• Address Scan Top Talkers by Detections Histogram - histogram chart identifying the top hosts that are transmitting
address scans.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.

Interpreting the report


• hosts transmitting the highest number of detections should be investigated further.

Address Scans
Address Scans
Overview
Use the Address Scans report to identify infected hosts that are address scanning and have been mitigated for the report period.
Address scans are defined as a single host initiating many new TCP/IP flows to many destination hosts on a specific port. Address scans
are the primary method used by worms to find vulnerable hosts. Use this report to identify potential attackers.
The address scan detector is configurable. Thresholds can be set that define the number of flows per second over a time period. For
example, you might want to identify hosts that are initially sending more than 15 flows per second for 15 seconds. A host that is found to
be scanning at this rate will attempt to contact over 225 hosts in a 15 second period.
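A detector applying this kind of threshold (more than N new flows per second from one source to one protocol/port, sustained for D seconds) can be written as follows, run here over constructed flow records. This is an added example, not Sandvine's address scan detector; the addresses are constructed, each record is assumed to be the first packet of a new flow, and requiring the rate to be exceeded in consecutive seconds is an illustrative choice.

```python
"""Flag hosts whose new-flow rate to one port exceeds a threshold for a sustained period.

Added example, not Sandvine's address scan detector. The flow records are
constructed; each record is assumed to be the first packet of a new flow, and
the threshold must be exceeded in consecutive seconds to count as sustained.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class NewFlow:
    second: int      # timestamp, whole seconds
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class ScanDetection:
    src: str
    proto: str
    dport: int
    sustained_seconds: int    # longest run of consecutive seconds above the rate
    distinct_destinations: int


FlowKey = Tuple[str, str, int]   # (source IP, protocol, destination port)


def detect_address_scans(flows: List[NewFlow], rate: int, duration: int) -> List[ScanDetection]:
    """Report (source, proto, port) tuples exceeding `rate` flows/s for `duration` consecutive seconds."""
    per_second: Dict[FlowKey, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    destinations: Dict[FlowKey, Set[str]] = defaultdict(set)
    for f in flows:
        key = (f.src, f.proto, f.dport)
        per_second[key][f.second] += 1
        destinations[key].add(f.dst)

    detections: List[ScanDetection] = []
    for key, counts in per_second.items():
        run = longest = 0
        for sec in range(min(counts), max(counts) + 1):   # seconds with no flows count as zero
            run = run + 1 if counts.get(sec, 0) > rate else 0
            longest = max(longest, run)
        if longest >= duration:
            detections.append(ScanDetection(*key, longest, len(destinations[key])))
    return detections


def build_sample_flows() -> List[NewFlow]:
    """Constructed traffic: one scanning host and one busy but legitimate host."""
    flows: List[NewFlow] = []
    for sec in range(15):
        # scanner: 16 new TCP flows per second to port 445, each to a fresh destination
        for n in range(16):
            flows.append(NewFlow(sec, "10.0.0.5", f"192.0.2.{sec * 16 + n + 1}", "tcp", 445))
        # legitimate host: 3 new HTTPS flows per second to the same few servers
        for n in range(3):
            flows.append(NewFlow(sec, "10.0.0.9", f"198.51.100.{n + 1}", "tcp", 443))
    return flows


if __name__ == "__main__":
    for d in detect_address_scans(build_sample_flows(), rate=15, duration=15):
        print(f"{d.src} -> {d.proto}/{d.dport}: >15 flows/s for {d.sustained_seconds}s, "
              f"{d.distinct_destinations} distinct destinations")
```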
The report contains the following table:
• Source IP Address - The IP address of the host that is doing the address scanning.
• Subscriber - The name of the subscriber associated with the IP address. If the IP address is not associated with an internal
subscriber, this column will appear empty.
• Network - The network associated with the source IP address.
• Protocol - Layer 4 protocol of the OSI stack.
• Destination Port - Port to which the attack is being directed. If this is an ICMP attack, the port refers to the ICMP type.
• Application - Typical service found on the destination port.
• Malware - Typical malware (worm, trojan, virus, etc.) that exploits the application or port.
• Active Time - The amount of time the attack has been on the network using bandwidth which exceeds the set threshold.
• Bandwidth - The average bit rate calculated over the active time, measured in bits-per-second.
• Packet Rate - The average packet rate calculated over the active time, measured in packets-per-second.
• Last Detected - The date and time, in the current time zone, that the attack was last detected.
• View Audit - If a check mark is present, an action has been applied and there is an audit log with the details. If the check
mark is not present, WDTM is monitoring traffic for this host, but no mitigation actions have been applied. This will happen
if a host has not crossed the rule's high thresholds. In this case, WDTM has identified that this is a real attack, but WDTM
has only been configured to mitigate above specific thresholds.

Generate the report for internal subscribers to determine who is performing address scans. For each host that is found scanning there are
three possible causes:
• the traffic is legitimate.
• the traffic is malicious as a result of specific user actions.
• the traffic is malicious and generated by a worm or virus, perhaps without the knowledge of the user.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
The Flow Selection area allows you to select the egress, or direction, of the traffic from the selected networks.

Interpreting the report


• sort on the Active Time field in descending order to determine how long the attack has been in progress (default sort order).
• sort by Destination Port. If a number of IP addresses are scanning on the same port, this usually indicates an attack. This will
also show the most active ports.
• sort by Source IP Address to determine who is infected multiple times. Use this report to generate a list of infected IP
addresses.
• a host may appear in the list multiple times as several actions may be taken for a detection. For example, the limit packets
action and a captive portal action may be applied to a detection.
Drilldowns
Malicious Bandwidth by Source
To examine the address scan malicious bandwidth for a specific host for the reporting period, the drilldown uses the source IP address.
Bandwidth by Subscriber
To examine the bandwidth for a specific subscriber for the reporting period, the drilldown uses the source subscriber and is only
available if the source subscriber is known.
Application/Malware by Port
To examine the typical applications and exploits for a specific port, the drilldown uses the destination port.
Audit Log by Detection
To examine the audit log for a specific attack, the drilldown uses the attack identification and is only available if the View Audit
column is checked. If the check mark is not present, no actions have been applied and no drilldown is available.

Address Scans by Port


Overview
The Address Scans by Port report shows the ports on which address scanning is occurring.
Use this report to identify if address scans are occurring on new ports and to determine if new worms/trojans are becoming prolific.
The report contains the following table:
• Protocol - Layer 4 protocol of the OSI stack.
• Destination Port - Port to which the address scan is being directed.
• Application - Typical service found on the destination port.
• Malware - Typical malware (worm, trojan, virus, etc.) that exploits the application or port.
• Packet - The total packets on the port for the report period.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
The Flow Selection area allows you to select the egress, or direction, of the traffic from the selected networks.

Interpreting the report


• examine the Malware column. Any "Unknown" should be investigated further to determine if this is a new virus.
• if there is a significant number of packets of an "unknown" nature contact Sandvine Customer Support to have the occurrence
further investigated.
Drilldowns
Application/Malware by Port
To examine the typical applications and exploits for a specific port, the drilldown uses the destination port.

Audit Log
Overview
Use the Audit Log report to identify the actions taken by the WDTM for malicious traffic based on the selected networks for the report
period. Each record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to
confirm what actions were taken for a host and when the action was taken.

The following information is presented in the Audit Log report:


• Host - The IP address of the host under attack.
• Audit Time - The time stamp (date and time, in the time zone of the current database) when the action was applied.
• Action Taken - The action taken will be a malicious traffic mitigation action such as limit-flows-in, limit-flows-out,
limit-pattern, reroute, nullroute, email-alert, shell command and so forth.
• State - There are four possible states for a mitigation action:
  • Action Begin - action has started for this detection.
  • Action End - action has been removed for this detection.
  • Reaffirm - action is already in place and has been reaffirmed.
  • Negate - multiple malicious detections are being simultaneously mitigated by this action, and one of these
  detections has ended. The action remains in place until all of the detections being mitigated have ended. This
  only applies to complex rules where the same host has multiple detections.
• Detection Confirmation - The time a new host was observed to be exhibiting malicious behaviour, based on the number of
events per unit time during the period.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.

Interpreting the report


Audit Log
• report is sorted on Audit Time to provide a chronological list of mitigation events.
• sort on the Host field to see if the same host is under multiple attacks.
• examine the Action Taken to identify the mitigation action that was taken.
Drilldowns
Audit Log by Host
To examine all of the audit log entries for a specific host for the reporting period, the drilldown uses the host IP address.

Audit Log by Host


Overview
Use the Audit Log by Host report to identify all of the actions taken by the WDTM for a specific host during the reporting period. Each
record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to confirm what
actions were taken for a host and when the action was taken.

The following information is presented in the Audit Log by Host report:


• Host - The IP address of the host under attack.
• Audit Time - The time stamp (date and time, in the time zone of the current database) when the action was applied.
• Action Taken - The action taken will be a malicious traffic mitigation action such as limit-flows-in, limit-flows-out,
limit-pattern, reroute, nullroute, email-alert, shell command and so forth.
• State - There are four possible states for a mitigation action:
  • Action Begin - action has started for this detection.
  • Action End - action has been removed for this detection.
  • Reaffirm - action is already in place and has been reaffirmed.
  • Negate - multiple malicious detections are being simultaneously mitigated by this action, and one of these
  detections has ended. The action remains in place until all of the detections being mitigated have ended. This
  only applies to complex rules where the same host has multiple detections.
• Detection Confirmation - The time a new host was observed to be exhibiting malicious behaviour, based on the number of
events per unit time during the period.
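The four State values listed in the Audit Log and Audit Log by Host tables can be read as the output of a per-host, per-action reference count: the action stays in place while any detection that triggered it is still active, and an End on one of several detections produces Negate rather than Action End. The following is an added example, not the WDTM implementation; the event sequence and timestamps are constructed, and treating a detection reported while the action is already in place as Reaffirm is an assumption about the behaviour described.

```python
"""Derive Audit Log State values from detection start/end events.

Added example, not the WDTM implementation. The events are constructed; the
reading of Reaffirm (a detection reported while the action is already in
place) and the refcount model are assumptions about the behaviour described.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AuditRecord:
    audit_time: str
    host: str
    action_taken: str
    state: str          # Action Begin | Reaffirm | Negate | Action End
    detection_id: str


class ActionAuditor:
    """Track which detections currently hold each (host, action) in place."""

    def __init__(self) -> None:
        self._active: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
        self.records: List[AuditRecord] = []

    def detection_reported(self, when: str, host: str, action: str, detection_id: str) -> AuditRecord:
        holders = self._active[(host, action)]
        # the first detection needing this action starts it; any later report reaffirms it
        state = "Action Begin" if not holders else "Reaffirm"
        holders.add(detection_id)
        return self._log(when, host, action, state, detection_id)

    def detection_ended(self, when: str, host: str, action: str, detection_id: str) -> AuditRecord:
        holders = self._active[(host, action)]
        holders.discard(detection_id)
        # other detections still need the action: Negate; none left: Action End
        state = "Negate" if holders else "Action End"
        return self._log(when, host, action, state, detection_id)

    def is_active(self, host: str, action: str) -> bool:
        return bool(self._active[(host, action)])

    def _log(self, when: str, host: str, action: str, state: str, detection_id: str) -> AuditRecord:
        rec = AuditRecord(when, host, action, state, detection_id)
        self.records.append(rec)
        return rec


def replay_example() -> List[str]:
    """Constructed: two detections on one host share a limit-flows-out action."""
    a = ActionAuditor()
    host, action = "10.0.0.5", "limit-flows-out"
    a.detection_reported("2009-01-01 10:00:00", host, action, "det-1")  # Action Begin
    a.detection_reported("2009-01-01 10:02:00", host, action, "det-2")  # Reaffirm
    a.detection_reported("2009-01-01 10:05:00", host, action, "det-1")  # Reaffirm
    a.detection_ended("2009-01-01 10:20:00", host, action, "det-1")     # Negate
    a.detection_ended("2009-01-01 10:30:00", host, action, "det-2")     # Action End
    return [r.state for r in a.records]


if __name__ == "__main__":
    for state in replay_example():
        print(state)
```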

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
Specify the list of IP addresses that you wish to view audit logs for.

Interpreting the report


Audit Log
• report is sorted on Audit Time to provide a chronological list of mitigation events.
• examine the Action Taken to identify the mitigation action that was taken.
• examine the Audit Time and State fields to identify when the action was taken and when it was ended.

Bandwidth by Source
Overview
Use the Malicious Bandwidth by Source IP Address report to identify the outgoing malicious bandwidth generated by a source host. Use
this report to identify hosts performing user-bandwidth attacks.
The report contains the following two charts:
• Malicious Bandwidth - Stacked area chart showing the detected malicious bandwidth, measured in bits-per-second (bps).
• Malicious Packet Rate - Stacked area chart showing the detected malicious packets, measured in packets-per-second (pps). If
the policy changes during the date range, the minimum threshold value is used.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the destination host that you wish to analyze.

Interpreting the report


• look for constant activity over a period of time: a low amount of data sustained for a long period indicates a more covert attack in
progress.
• over time, check to see if patterns emerge.

Note: a value of 0 only indicates that the bandwidth dropped below the detection threshold for the
period, not that the activity stopped.

Note: because this data is presented as a running average, peak values may appear to scale with the time
interval configured for the report. If you need finer-grained accuracy, run the report for a shorter interval.
The scaling results from peak values being diluted over the interval of the report. For example, if you report
on a one-week period, that interval may be broken up into one-hour segments within the chart. Suppose four
consecutive plotted points in the chart had the series (4, 5, 17, 5); each value is the average rate of events
for that hour. If the report were re-run with a two-week period, the same time range would have fewer bins
with lower values: in this example, the series for the same time points would be (4.5, 11). This is because
the two-week report must collapse time bins, which dilutes peak values through averaging.

Frequency Histogram
Overview
The Frequency Histogram shows the total number of packets for specific exploits per port for the report period. The histogram is ordered
from highest number of packets to lowest number of packets.
Use this report to see which ports have the highest address scan traffic.
If all protocols are selected, only the top ten ports will appear on the chart.
The report contains the following chart:
• Address Scans Frequency Histogram - histogram bar chart identifying the number of malicious packets identified on each
port.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
The Flow Selection area allows you to select the egress, or direction, of the traffic from the selected networks.

Interpreting the report


• use this report to identify TCP ports to mitigate.
• any "unknown" protocol with a significant amount of traffic should be investigated further to determine if this is a new exploit.

Malicious Bandwidth
Overview
Use the Malicious Bandwidth report to identify the malicious bandwidth detected across the selected networks for the report period. Use
this report to examine the total malicious bandwidth for selected protocols and to see how much of this bandwidth was mitigated by the
WDTM.
The report contains the following four charts:
• Malicious Bandwidth - Stacked area chart showing the detected malicious bandwidth, broken down by traffic type.
• Mitigated Bandwidth - Stacked area chart showing the detected malicious bandwidth that was mitigated by the WDTM, broken down
by traffic type. Malicious bandwidth that is detected and managed by actions that do not drop packets is not shown on this
chart.
• Malicious Packet Rate - Stacked area chart showing the detected malicious packets, broken down by traffic type.
• Mitigated Packet Rate - Stacked area chart showing the detected malicious packets that were mitigated by the WDTM, broken down
by traffic type. Malicious traffic that is detected and managed by actions that do not drop packets is not shown on this
chart.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.

Interpreting the report


Malicious Bandwidth
• look for consistently high bandwidth. This may indicate ongoing background activity on the network.
• look for spikes as this may indicate a new occurrence that requires mitigation.
• use this chart to see the history of malicious traffic and to determine what is "steady state", and what is a change that
requires further investigation.
Mitigated Bandwidth
• use this chart to verify existing WDTM thresholds with respect to the overall mitigation strategy.
Malicious Packet Rate
• look for spikes which may indicate that multiple new users are infected.
• use this chart to see the history of malicious traffic and to determine what is "steady state", and what is a change that
requires further investigation.
Mitigated Packet Rate
• use this chart to verify existing WDTM thresholds with respect to the overall mitigation strategy.

Note: for a given detection type it is possible for the dropped bandwidth to be less than the malicious
bandwidth. To understand why, it helps to know how the WDTM Detection Engine and WDTM Detection
Aggregator work. When an attack starts, it is analyzed by the WDTM Detection Engine. During this time the
attack is not yet confirmed, but its bytes and packets are counted. When the Detection Engine determines
that thresholds were crossed (as specified by detection-config rules), the event is reported to the WDTM
Detection Aggregator, which aggregates detection events in an attempt to reduce false positives. When the
Detection Aggregator confirms that the event(s) constitute an attack because timed-host-percent thresholds
were crossed (as specified by aggregator-config rules), it applies mitigation actions (as specified by
wmd-rules). At this point, the bytes/packets counted before the attack was confirmed are logged as malicious
bytes/packets and show up in the Malicious Bandwidth/Malicious Packet Rate graphs. This counted malicious
traffic is impossible to mitigate, since doing so would require knowing the traffic was malicious before it
looked malicious, so it is not counted as mitigated. Since new malicious traffic is always being detected for
the first time, overall malicious traffic will typically be greater than mitigated traffic.
For some detections this contrast between malicious and mitigated is much larger; spam especially exhibits
it. This is because the mitigated traffic is predominantly SYN packets that are dropped before the TCP flow
is established. As a result, the minutes required to confirm a spam attack can produce many bytes and
packets of unmitigated malicious traffic. When the attack is confirmed, although many bytes and packets are
in theory mitigated by dropping the flow, only the small fraction of that traffic actually mitigated on the
wire, specifically the SYN packets, can honestly be reported.

Note: because this data is presented as a running average, peak values may appear to scale with the time
interval configured for the report. If you need finer-grained accuracy, run the report for a shorter interval.
The scaling results from peak values being diluted over the interval of the report. For example, if you report
on a one-week period, that interval may be broken up into one-hour segments within the chart. Suppose four
consecutive plotted points in the chart had the series (4, 5, 17, 5); each value is the average rate of events
for that hour. If the report were re-run with a two-week period, the same time range would have fewer bins
with lower values: in this example, the series for the same time points would be (4.5, 11). This is because
the two-week report must collapse time bins, which dilutes peak values through averaging.

Malicious Hosts
Overview
Use the Malicious Hosts report to identify the malicious hosts detected across the selected networks for the report period. Use this report
to examine the total malicious hosts for selected protocols and to see how many of the hosts were mitigated by the WDTM.
The report contains the following two charts:
• Malicious Hosts - Stacked area chart identifying the detected malicious hosts identified by traffic type.
• Mitigated Hosts - Stacked area chart identifying the detected malicious hosts that were mitigated by the WDTM by traffic
type. Malicious hosts that are detected and managed by actions that do not drop packets are not shown on this chart.
Configuring the report
Select a time period and the elements you wish to monitor for malicious hosts. You can build virtual clusters of Sandvine elements using
the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.

Interpreting the report


Malicious Hosts
• look for spikes, which may show that multiple new users are infected.
• use this report to see the history of malicious hosts to determine what is "steady state" and what is a change that requires
further investigation.
Mitigated Hosts
• use this chart to verify existing WDTM thresholds with respect to the overall mitigation strategy.

Note: these charts display raw count totals, so the peak values shown can differ depending on the time
interval over which the values are scaled. For example, if you report on a one-week period, that interval
may be broken up into one-hour segments within the chart. Suppose four consecutive plotted points in the
chart had the series (4, 7, 13, 17); each value is the total number of events for that hour. If the report
were re-run with a two-week period, the same time range would have fewer bins but with higher values: in
this example, the series for the same time points would be (11, 30). This is because the two-week report
must collapse time bins, which in turn stacks (sums) the resulting bin values.
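To make the two bin-collapsing notes concrete (the running-average note on the Malicious Bandwidth report above and the raw-count note here), the following Python is an added illustration, not code from the reports product. It collapses a fine-grained series into coarser bins the way a longer report period does: rate bins are averaged (diluting peaks), count bins are summed (stacking them).

```python
"""Collapse fine-grained chart bins into coarser ones, the way the rate charts
(Malicious Bandwidth, Malicious Packet Rate) and the count charts (Malicious
Hosts) behave when the report period grows. Added illustration only."""
from typing import List, Sequence, Tuple


def collapse_bins(values: Sequence[float], factor: int, kind: str) -> List[float]:
    """Merge every `factor` consecutive bins into one.

    kind="rate":  each bin holds an average rate, so the merged bin is the mean
                  of its members and a single tall peak gets diluted.
    kind="count": each bin holds a raw total, so the merged bin is the sum of
                  its members and values stack up.
    A trailing partial bin (fewer than `factor` members) is averaged or summed
    over the members it actually has, so it is not mistaken for a drop.
    """
    if factor < 1:
        raise ValueError("factor must be >= 1")
    if kind not in ("rate", "count"):
        raise ValueError("kind must be 'rate' or 'count'")
    out: List[float] = []
    for start in range(0, len(values), factor):
        chunk = values[start:start + factor]
        total = float(sum(chunk))
        out.append(total / len(chunk) if kind == "rate" else total)
    return out


def peak_dilution(values: Sequence[float], factor: int) -> Tuple[float, float, float]:
    """For a rate series, return (fine_peak, coarse_peak, coarse/fine): how much
    of the real peak survives once bins are collapsed by `factor`."""
    fine = max(values)
    coarse = max(collapse_bins(values, factor, "rate"))
    return fine, coarse, coarse / fine


# Constructed hourly series taken from the notes on this page.
RATE_SERIES = [4, 5, 17, 5]      # average events per hour, one-week report
COUNT_SERIES = [4, 7, 13, 17]    # total events per hour, one-week report

if __name__ == "__main__":
    print(collapse_bins(RATE_SERIES, 2, "rate"))    # [4.5, 11.0]
    print(collapse_bins(COUNT_SERIES, 2, "count"))  # [11.0, 30.0]
    print(peak_dilution(RATE_SERIES, 2))            # (17, 11.0, 0.647...)
```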
Audit Log
Audit Log
Overview
Use the Audit Log report to identify the actions taken by the WDTM for malicious traffic based on the selected networks for the report
period. Each record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to
confirm what actions were taken for a host and when the action was taken.

The following information is presented in the Audit Log report:


Field Description
Host: The IP address of the host under attack.
Audit Time: The time stamp (date and time in the time zone of the current database) when the action was applied.
Action Taken: The action taken will be a malicious traffic mitigation action such as limit-flows-in, limit-flows-out, limit-pattern, reroute,
nullroute, email-alert, shell command and so forth.
State: There are four possible states for a mitigation action:
• Action Begin - the action has started for this detection.
• Action End - the action has been removed for this detection.
• Reaffirm - the action is already in place and has been reaffirmed.
• Negate - multiple malicious detections are being simultaneously mitigated by this action, and one of these
detections has ended. The action remains in place until all of the detections being mitigated have ended. This
only applies to complex rules where the same host has multiple detections.
Attack Confirmation: The time a new host was observed to be exhibiting malicious behaviour, based on the number of events over
time during the period.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.

Interpreting the report


Audit Log
• report is sorted on Audit Time to provide a chronological list of mitigation events.
• sort on the Host field to see if the same host is under multiple attacks.
• examine the Action Taken to identify the mitigation action that was taken.
Drilldowns
Audit Log by Host
To examine all of the audit log entries for a specific host for the reporting period, drilldown uses the host IP address.

Audit Log by Host


Overview
Use the Audit Log by Host report to identify all of the actions taken by the WDTM for a specific host during the reporting period. Each
record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to confirm what
actions were taken for a host and when the action was taken.

The following information is presented in the Audit Log by Host report:


Field Description
Host: The IP address of the host under attack.
Audit Time: The time stamp (date and time in the time zone of the current database) when the action was applied.
Action Taken: The action taken will be a malicious traffic mitigation action such as limit-flows-in, limit-flows-out, limit-pattern, reroute,
nullroute, email-alert, shell command and so forth.
State: There are four possible states for a mitigation action:
• Action Begin - the action has started for this detection.
• Action End - the action has been removed for this detection.
• Reaffirm - the action is already in place and has been reaffirmed.
• Negate - multiple malicious detections are being simultaneously mitigated by this action, and one of these
detections has ended. The action remains in place until all of the detections being mitigated have ended. This
only applies to complex rules where the same host has multiple detections.
Attack Confirmation: The time a new host was observed to be exhibiting malicious behaviour, based on the number of events over
time during the period.
Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
Specify the list of IP addresses that you wish to view audit logs for.

Interpreting the report


Audit Log
• report is sorted on Audit Time to provide a chronological list of mitigation events.
• examine the Action Taken to identify the mitigation action that was taken.
• examine the Audit Time and State fields to identify when the action was taken and when it was ended.
Flow Flood Detections


Audit Log
Overview
Use the Audit Log report to identify the actions taken by the WDTM for malicious traffic based on the selected networks for the report
period. Each record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to
confirm what actions were taken for a host and when the action was taken.

The following information is presented in the Audit Log report:


Field Description
Host: The IP address of the host under attack.
Audit Time: The time stamp (date and time in the time zone of the current database) when the action was applied.
Action Taken: The action taken will be a malicious traffic mitigation action such as limit-flows-in, limit-flows-out, limit-pattern, reroute,
nullroute, email-alert, shell command and so forth.
State: There are four possible states for a mitigation action:
• Action Begin - the action has started for this detection.
• Action End - the action has been removed for this detection.
• Reaffirm - the action is already in place and has been reaffirmed.
• Negate - multiple malicious detections are being simultaneously mitigated by this action, and one of these
detections has ended. The action remains in place until all of the detections being mitigated have ended. This
only applies to complex rules where the same host has multiple detections.
Attack Confirmation: The time a new host was observed to be exhibiting malicious behaviour, based on the number of events over
time during the period.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.

Interpreting the report


Audit Log
• report is sorted on Audit Time to provide a chronological list of mitigation events.
• sort on the Host field to see if the same host is under multiple attacks.
• examine the Action Taken to identify the mitigation action that was taken.
Drilldowns
Audit Log by Host
To examine all of the audit log entries for a specific host for the reporting period, drilldown uses the host IP address.

Audit Log by Host


Overview
Use the Audit Log by Host report to identify all of the actions taken by the WDTM for a specific host during the reporting period. Each
record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to confirm what
actions were taken for a host and when the action was taken.

The following information is presented in the Audit Log by Host report:


Field Description
Host: The IP address of the host under attack.
Audit Time: The time stamp (date and time in the time zone of the current database) when the action was applied.
Action Taken: The action taken will be a malicious traffic mitigation action such as limit-flows-in, limit-flows-out, limit-pattern, reroute,
nullroute, email-alert, shell command and so forth.
State: There are four possible states for a mitigation action:
• Action Begin - the action has started for this detection.
• Action End - the action has been removed for this detection.
• Reaffirm - the action is already in place and has been reaffirmed.
• Negate - multiple malicious detections are being simultaneously mitigated by this action, and one of these
detections has ended. The action remains in place until all of the detections being mitigated have ended. This
only applies to complex rules where the same host has multiple detections.
Attack Confirmation: The time a new host was observed to be exhibiting malicious behaviour, based on the number of events over
time during the period.
Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
Specify the list of IP addresses that you wish to view audit logs for.

Interpreting the report


Audit Log
• report is sorted on Audit Time to provide a chronological list of mitigation events.
• examine the Action Taken to identify the mitigation action that was taken.
• examine the Audit Time and State fields to identify when the action was taken and when it was ended.
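As an added illustration (not code from the product; the row layout, addresses and timestamps are constructed assumptions), the following Python walks Audit Log rows through the four states described in the Audit Log and Audit Log by Host tables above. For each host and action it reports when mitigation began, how long it stayed in force, how many Reaffirm and Negate rows kept it in place, and how long after Attack Confirmation it was applied; it also lists hosts that appear with more than one detection.

```python
"""Summarise WDTM-style Audit Log rows per (host, action). Added illustration;
the row format (Host, Audit Time, Action Taken, State, Attack Confirmation)
is an assumption about the report's columns, not an export format."""
from collections import defaultdict
from datetime import datetime

# Constructed sample rows, already in the order the report lists them (Audit Time).
SAMPLE_AUDIT_LOG = [
    ("198.51.100.7", "2024-03-01 10:00:05", "limit-flows-out", "Action Begin", "2024-03-01 09:58:00"),
    ("198.51.100.7", "2024-03-01 10:05:05", "limit-flows-out", "Reaffirm",     "2024-03-01 09:58:00"),
    # A second detection on the same host ended while the action was still
    # needed for the first one, so the action stays in place (Negate).
    ("198.51.100.7", "2024-03-01 10:07:00", "limit-flows-out", "Negate",       "2024-03-01 10:03:00"),
    ("198.51.100.7", "2024-03-01 10:15:05", "limit-flows-out", "Action End",   "2024-03-01 09:58:00"),
    ("203.0.113.9",  "2024-03-01 10:02:00", "email-alert",     "Action Begin", "2024-03-01 10:01:30"),
]

STATES = ("Action Begin", "Action End", "Reaffirm", "Negate")


def parse_ts(text):
    """Audit Time and Attack Confirmation are assumed to be 'YYYY-MM-DD HH:MM:SS'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def _new_entry():
    return {"begin": None, "end": None, "in_force_s": None, "time_to_mitigate_s": None,
            "reaffirms": 0, "negates": 0, "open": False}


def summarise_actions(rows):
    """Walk the rows in Audit Time order and return {(host, action): summary}.

    Only 'Action End' closes an action; 'Reaffirm' and 'Negate' leave it in
    force, which is why the Negate row in the sample does not shorten in_force_s.
    """
    summary = {}
    for host, audit_time, action, state, confirmation in sorted(rows, key=lambda r: r[1]):
        if state not in STATES:
            raise ValueError(f"unknown State {state!r}")
        entry = summary.setdefault((host, action), _new_entry())
        ts = parse_ts(audit_time)
        if state == "Action Begin":
            entry["begin"], entry["open"] = ts, True
            # delay between the attack being confirmed and the action being applied
            entry["time_to_mitigate_s"] = (ts - parse_ts(confirmation)).total_seconds()
        elif state == "Reaffirm":
            entry["reaffirms"] += 1
        elif state == "Negate":
            entry["negates"] += 1
        else:  # Action End
            entry["end"], entry["open"] = ts, False
            if entry["begin"] is not None:
                entry["in_force_s"] = (ts - entry["begin"]).total_seconds()
    return summary


def hosts_under_multiple_attacks(rows):
    """Hosts with more than one distinct Attack Confirmation time: what sorting
    the report on the Host field is meant to reveal."""
    confirmations = defaultdict(set)
    for host, _, _, _, confirmation in rows:
        confirmations[host].add(confirmation)
    return sorted(h for h, c in confirmations.items() if len(c) > 1)


if __name__ == "__main__":
    for key, entry in summarise_actions(SAMPLE_AUDIT_LOG).items():
        print(key, entry)
    print(hosts_under_multiple_attacks(SAMPLE_AUDIT_LOG))  # ['198.51.100.7']
```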

Bandwidth by Destination
Overview
Use the Malicious Bandwidth by Destination IP Address report to identify the flow flood activity directed to a specific IP address. Use this
report to identify the victim of a flow flood attack and the severity of those attacks.
The report contains the following two charts:
• Malicious Bandwidth - Stacked area chart showing the detected malicious bandwidth, measured in bits per second (bps).
• Malicious Packet Rate - Stacked area chart showing the detected malicious packets, measured in packets per second (pps). If the
policy changes during the date range the minimum threshold value is used.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the destination host that you wish to analyze.

Interpreting the report


• look for patterns, such as time of day attacks.

Note: a value of 0 only indicates that the bandwidth dropped below the detection threshold for the
period, not that the activity stopped.

Note: because this data is presented as a running average, peak values may appear to scale with the time
interval configured for the report. If you need finer-grained accuracy, run the report for a shorter interval.
The scaling results from peak values being diluted over the interval of the report. For example, if you report
on a one-week period, that interval may be broken up into one-hour segments within the chart. Suppose four
consecutive plotted points in the chart had the series (4, 5, 17, 5); each value is the average rate of events
for that hour. If the report were re-run with a two-week period, the same time range would have fewer bins
with lower values: in this example, the series for the same time points would be (4.5, 11). This is because
the two-week report must collapse time bins, which dilutes peak values through averaging.

Bandwidth by Source
Overview
Use the Malicious Bandwidth by Source IP Address report to identify all flow flood activity for a host during the reporting period. This may
encompass one or more detections. Use this report to identify hosts that are initiating flow flood attacks and the severity of those attacks.
The report contains the following two charts:
• Malicious Bandwidth - Stacked area chart showing the detected malicious bandwidth, measured in bits per second (bps).
• Malicious Packet Rate - Stacked area chart showing the detected malicious packets, measured in packets per second (pps). If the
policy changes during the date range the minimum threshold value is used.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the destination host that you wish to analyze.

Interpreting the report


• look for patterns, such as time of day attacks.

Note: a value of 0 only indicates that the bandwidth dropped below the detection threshold for the
period, not that the activity stopped.

Note: because this data is presented as a running average, peak values may appear to scale with the time
interval configured for the report. If you need finer-grained accuracy, run the report for a shorter interval.
The scaling results from peak values being diluted over the interval of the report. For example, if you report
on a one-week period, that interval may be broken up into one-hour segments within the chart. Suppose four
consecutive plotted points in the chart had the series (4, 5, 17, 5); each value is the average rate of events
for that hour. If the report were re-run with a two-week period, the same time range would have fewer bins
with lower values: in this example, the series for the same time points would be (4.5, 11). This is because
the two-week report must collapse time bins, which dilutes peak values through averaging.

Flow Flood Detections


Overview
Use the Flow Flood Attacks report to identify infected hosts and intended victims of the attack.
Flow flood attacks are attacks where one host is attempting to connect to another host many times. Use this report to identify both the
host initiating an attack and the intended victim.
An attacker is identified if it is sending more than a defined number of flows per second for more than a specific number of seconds,
as determined by the rule that is implemented. For example, an attacker may be identified if it is sending more than 15 flows per
second for more than 15 seconds to the same destination host. In this example, this means that the attacker is trying to create more
than 255 flows with another host. DoS flow flood attacks may be caused either by a worm or by a deliberate attacker. This may apply to
UDP, TCP, and ICMP.
The report contains the following table:
Field Description
Source IP Address: The IP address of the host that is initiating the attack. Note that if the IP address is indicated as 0.0.0.0 they may
be using a spoofed IP address.
Subscriber: The name of the subscriber associated with the source IP address. If the IP address is not associated with an internal
subscriber, this column will appear empty.
Destination IP Address: The IP address of the host that is under attack.
Subscriber: The name of the subscriber associated with the destination IP address. If the IP address is not associated with an internal
subscriber, this column will appear empty.
Network: The network associated with the source IP address.
Protocol: Layer 4 protocol of the OSI stack.
Destination Port: Port to which the attack is being directed.
Application: Typical service found on the destination port.
Active Time: The amount of time the attack has been on the network using bandwidth which exceeds the set threshold.
Bandwidth: The average bit rate calculated over the active time, measured in bits per second.
Flow Rate: The average flows per second calculated over the active time, measured in flows per second.
Last Detected: The date and time in the current time zone that the attack was last detected.
View Audit: If a check mark is present, an action has been applied and there is an audit log with the details. If the check mark is not
present, WDTM is monitoring traffic for this host but no mitigation actions have been applied. This will happen if a host has not
crossed the rule's high thresholds: WDTM has identified that this is a real attack, but has only been configured to mitigate above
specific thresholds.
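The detection rule from the overview above, as an added Python illustration that is not WDTM's code: a source is flagged when it opens more than a threshold number of flows per second to the same destination for more than a threshold number of consecutive seconds. The flow-start events are constructed, the 15 flows/s and 15 s thresholds are the page's example values, and the output carries the Active Time, Flow Rate and Last Detected columns of the table above.

```python
"""Toy flow flood detector for the rule described on this page. Added
illustration only; input is a constructed list of flow-start events of the
form (unix second, source IP, destination IP, protocol, destination port)."""
from collections import defaultdict

RATE_THRESHOLD = 15       # flows per second; flagged when strictly more than this
DURATION_THRESHOLD = 15   # seconds; flagged when the run lasts strictly more than this


def per_second_counts(flows):
    """Group flow-start events into {(src, dst, proto, dport): {second: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for second, src, dst, proto, dport in flows:
        counts[(src, dst, proto, dport)][second] += 1
    return counts


def _runs(by_sec, rate_threshold):
    """Yield (start, end, total_flows) for each maximal run of consecutive
    seconds whose flow count exceeds rate_threshold. Seconds with no flows are
    absent from by_sec, so a missing second breaks the run."""
    start = end = None
    total = 0
    for sec in sorted(by_sec):
        n = by_sec[sec]
        if n > rate_threshold and end is not None and sec == end + 1:
            end, total = sec, total + n        # extend the current run
            continue
        if start is not None:
            yield start, end, total            # close the previous run
        if n > rate_threshold:
            start, end, total = sec, sec, n    # open a new run
        else:
            start = end = None
            total = 0
    if start is not None:
        yield start, end, total


def detect_flow_floods(flows, rate_threshold=RATE_THRESHOLD,
                       duration_threshold=DURATION_THRESHOLD):
    """One detection per run that satisfies both halves of the rule, with the
    Active Time, average Flow Rate and Last Detected columns of the Flow Flood
    Detections table, sorted on Active Time descending."""
    detections = []
    for (src, dst, proto, dport), by_sec in per_second_counts(flows).items():
        for start, end, total in _runs(by_sec, rate_threshold):
            active = end - start + 1
            if active > duration_threshold:
                detections.append({
                    "source": src, "destination": dst, "protocol": proto,
                    "dest_port": dport, "active_time_s": active,
                    "flow_rate": total / active, "flows": total,
                    "last_detected": end,
                })
    detections.sort(key=lambda d: d["active_time_s"], reverse=True)
    return detections


def _burst(src, dst, start, seconds, per_sec, proto="TCP", dport=80):
    """Constructed flow-start events: per_sec new flows in each of `seconds` seconds."""
    return [(start + s, src, dst, proto, dport)
            for s in range(seconds) for _ in range(per_sec)]


T0 = 1_700_000_000
# Constructed sample: only the first source meets both halves of the rule.
SAMPLE_FLOWS = (
    _burst("198.51.100.7", "203.0.113.20", T0, 21, 20)          # 20 flows/s for 21 s: flood
    + _burst("198.51.100.8", "203.0.113.20", T0, 10, 20)        # 20 flows/s but only 10 s
    + _burst("198.51.100.9", "203.0.113.21", T0, 30, 10)        # 30 s but only 10 flows/s
    + _burst("198.51.100.10", "203.0.113.22", T0, 10, 20)       # two 10 s bursts ...
    + _burst("198.51.100.10", "203.0.113.22", T0 + 20, 10, 20)  # ... separated by a gap
)

if __name__ == "__main__":
    for d in detect_flow_floods(SAMPLE_FLOWS):
        print(d)
```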

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
The Flow Selection area allows you to select the egress, or direction, of the traffic from the selected networks.

Interpreting the report


• sort on Active Time to determine if a significant attack is in progress.
• sort by the Source IP Address field to see who is doing the attacking and if they are attacking multiple destinations.
• sort by the Destination IP Address to see if the addresses being attacked are related. If so, this may indicate a directed DoS
attack.
• examine the Destination Port field to identify if a specific port is being targeted.
Drilldowns
Malicious Bandwidth by Source
To examine the flow flood malicious bandwidth from a specific host for the reporting period, drilldown uses the source IP address.
Malicious Bandwidth by Destination
To examine the flow flood malicious bandwidth directed towards a specific host for the reporting period, drilldown uses the destination IP
address.
Bandwidth by Subscriber
To examine the bandwidth for a specific subscriber for the reporting period, drilldown uses the source subscriber and is only available if
the source subscriber is known.
Bandwidth by Destination Subscriber
To examine the bandwidth for a specific subscriber for the reporting period, drilldown uses the destination subscriber and is only available
if the destination subscriber is known.
Application/Malware by Port
To examine the typical applications and exploits for a specific port, drilldown uses the destination port.
Audit Log by Detection
To examine the audit log for a specific attack, drilldown uses the attack identification and is only available if the View Audit column is
checked. If the check mark is not present, no actions have been applied and no drilldown is available.

Malicious Bandwidth
Overview
Use the Malicious Bandwidth report to identify the malicious bandwidth detected across the selected networks for the report period. Use
this report to examine the total malicious bandwidth for selected protocols and to see how much of this bandwidth was mitigated by the
WDTM.
The report contains the following four charts:
• Malicious Bandwidth - Stacked area chart showing the detected malicious bandwidth, broken down by traffic type.
• Mitigated Bandwidth - Stacked area chart showing the detected malicious bandwidth that was mitigated by the WDTM, broken down
by traffic type. Malicious bandwidth that is detected and managed by actions that do not drop packets is not shown on this
chart.
• Malicious Packet Rate - Stacked area chart showing the detected malicious packets, broken down by traffic type.
• Mitigated Packet Rate - Stacked area chart showing the detected malicious packets that were mitigated by the WDTM, broken down
by traffic type. Malicious traffic that is detected and managed by actions that do not drop packets is not shown on this
chart.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.

Interpreting the report


Malicious Bandwidth
• look for consistently high bandwidth. This may indicate ongoing background activity on the network.
• look for spikes as this may indicate a new occurrence that requires mitigation.
• use this chart to see the history of malicious traffic and to determine what is "steady state", and what is a change that
requires further investigation.
Mitigated Bandwidth
• use this chart to verify existing WDTM thresholds with respect to the overall mitigation strategy.
Malicious Packet Rate
• look for spikes which may indicate that multiple new users are infected.
• use this chart to see the history of malicious traffic and to determine what is "steady state", and what is a change that
requires further investigation.
Mitigated Packet Rate
• use this chart to verify existing WDTM thresholds with respect to the overall mitigation strategy.

Note: for a given detection type it is possible for the dropped bandwidth to be less than the malicious
bandwidth. To understand why, it is necessary to understand how the WDTM Detection Engine
and WDTM Detection Aggregator work. When an attack starts, it is analyzed by the WDTM Detection
Engine. During this time, the attack is not confirmed, but its bytes and packets are counted. When the
Detection Engine determines that thresholds were crossed (as specified by detection-config rules), the
event is reported to the WDTM Detection Aggregator, which is responsible for aggregating detection
events in an attempt to reduce false positives. When the Detection Aggregator confirms that the
event(s) constitute an attack because timed-host-percent thresholds were crossed (as specified by
aggregator-config rules), it applies mitigation actions (as specified by wmd-rules). At this point, the
bytes/packets counted before the attack was confirmed are logged as malicious bytes/packets and show
up in the Malicious Bandwidth/Malicious Packet Rate graphs. This counted malicious traffic is impossible
to mitigate, since that would require knowing the traffic was malicious before it looked malicious, and
so the traffic will not be counted as mitigated. Since new malicious traffic is always being detected for
the first time, overall malicious traffic will typically be greater than mitigated traffic.
For some detections, this contrast between malicious and mitigated is much larger. Spam especially
exhibits this large contrast. This is because the mitigated traffic is predominantly SYN packets that are
dropped before the TCP flow is established. As a result, the minutes required to confirm a spam attack
can result in many bytes and packets of unmitigated malicious traffic. When the attack is confirmed,
although many bytes and packets are in theory mitigated by dropping the flow, we can only honestly
report the very small fraction of that traffic that was actually mitigated on the wire, specifically the SYN
packets.

Note: because this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. If you
are looking for finer-grained accuracy, it is generally recommended that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one week period of time, that reporting interval may be broken up into one hour
segments within the chart. Let's assume that four consecutive plotted points within the chart
had the series (4, 5, 17, 5). These values would represent the average rate of events for each
particular hour. If we re-ran the report with a two week time period, we would find that in this particular
time range we would have fewer bins with lower values. In this example, we would expect to see the
following series of values for the same time points: (4.5, 11). This is caused by the fact that
the two-week report must collapse time bins, which dilutes peak values through averaging.

Malicious Hosts
Overview
Use the Malicious Hosts report to identify the malicious hosts detected across the selected networks for the report period. Use this report
to examine the total malicious hosts for selected protocols and to see how many of the hosts were mitigated by the WDTM.
The report contains the following two charts:
• Malicious Hosts - Stacked area chart showing the detected malicious hosts by traffic type.
• Mitigated Hosts - Stacked area chart showing the detected malicious hosts that were mitigated by the WDTM, by traffic
type. Malicious hosts that are detected and managed by actions that do not drop packets are not shown on this chart.
Configuring the report
Select a time period and the elements you wish to monitor for malicious hosts. You can build virtual clusters of Sandvine elements using
the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.

Interpreting the report


Malicious Hosts
• look for spikes, which may show that multiple new users are infected.
• use this report to see the history of malicious hosts to determine what is "steady state" and what is a change that requires
further investigation.
Mitigated Hosts
• use this chart to verify existing WDTM thresholds with respect to the overall mitigation strategy.

Note: these charts display raw count totals. This can make the reports appear to show different
peak results, which is caused by the scaling of these values over different time intervals. For example, if
you chose to report on data for a one week period of time, that reporting interval may be broken up into
one hour segments within the chart. Let's assume that four consecutive plotted points within
the chart had the series (4, 7, 13, 17). These values would represent the total number of events for
each particular hour. If we re-ran the report with a two week time period, we would find that in this
particular time range we would have fewer bins but with higher values. In this example, we would expect
to see the following series of values for the same time points: (11, 30). This is caused by the
fact that the two-week report must collapse time bins, which in turn sums the resulting bin values.

Audit Log
Audit Log
Overview
Use the Audit Log report to identify the actions taken by the WDTM for malicious traffic based on the selected networks for the report
period. Each record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to
confirm what actions were taken for a host and when the action was taken.

The following information is presented in the Audit Log report:


• Host - The IP address of the host under attack.
• Audit Time - The time stamp (date and time in the time zone of the current database) when the action was applied.
• Action Taken - The action taken will be a malicious traffic mitigation action such as limit-flows-in, limit-flows-out, limit-pattern, reroute,
nullroute, email-alert, shell command and so forth.
• State - There are four possible states for a mitigation action:
  • Action Begin - action has started for this detection.
  • Action End - action has been removed for this detection.
  • Reaffirm - action is already in place and reaffirmed.
  • Negate - multiple malicious detections are being simultaneously mitigated by this action, and one of these
  detections has ended. The action remains in place until all of the detections being mitigated have ended. This
  only applies to complex rules where the same host has multiple detections.
• Attack Confirmation - The time a new host was observed to be exhibiting malicious behaviour, based on the number of events/time during the
period.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.

Interpreting the report


Audit Log
• report is sorted on Audit Time to provide a chronological list of mitigation events.
• sort on the Host field to see if the same host is under multiple attacks.
• examine the Action Taken to identify the mitigation action that was taken.
Drilldowns
Audit Log by Host
To examine all of the audit log entries for a specific host for the reporting period, drilldown uses the host IP address.

Audit Log by Host


Overview
Use the Audit Log by Host report to identify all of the actions taken by the WDTM for a specific host during the reporting period. Each
record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to confirm what
actions were taken for a host and when the action was taken.

The following information is presented in the Audit Log by Host report:


• Host - The IP address of the host under attack.
• Audit Time - The time stamp (date and time in the time zone of the current database) when the action was applied.
• Action Taken - The action taken will be a malicious traffic mitigation action such as limit-flows-in, limit-flows-out, limit-pattern, reroute,
nullroute, email-alert, shell command and so forth.
• State - There are four possible states for a mitigation action:
  • Action Begin - action has started for this detection.
  • Action End - action has been removed for this detection.
  • Reaffirm - action is already in place and reaffirmed.
  • Negate - multiple malicious detections are being simultaneously mitigated by this action, and one of these
  detections has ended. The action remains in place until all of the detections being mitigated have ended. This
  only applies to complex rules where the same host has multiple detections.
• Attack Confirmation - The time a new host was observed to be exhibiting malicious behaviour, based on the number of events/time during the
period.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
Specify the list of IP addresses that you wish to view audit logs for.

Interpreting the report


Audit Log
• report is sorted on Audit Time to provide a chronological list of mitigation events.
• examine the Action Taken to identify the mitigation action that was taken.
• examine the Audit Time and State fields to identify when the action was taken and when it was ended.

Top Talkers
by Bytes
Use this report to identify the top hosts who are generating malicious bandwidth by bytes. By default, the top 100 subscribers are
displayed. This is configurable on the Presentation page.
This report contains the following table:
• Source IP Address - The IP address of the host that is generating malicious bandwidth.
• Network - The network associated with the host.
• Bytes - The number of bytes transmitted by the host during the reporting period.

Configuring the report


Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.

Interpreting the report


• hosts generating the highest number of bytes should be investigated.
Drilldowns
Packet Signature Malicious Bandwidth by Source IP Address
To examine the malicious bandwidth for a specific host for the reporting period, drill down on the source IP address.

by Bytes Histogram
Use this report to identify the top hosts which are generating malicious bandwidth by bytes. By default, the top 10 subscribers are
displayed. This is configurable on the Presentation page.
This report contains the following chart:
• Packet Signature Top Talkers by Bytes Histogram - histogram chart identifying the top hosts that are generating
malicious bandwidth.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.

Interpreting the report


• hosts generating the highest number of bytes should be investigated further.

by Detections
Use this report to identify the hosts which are generating malicious bandwidth that matches a packet signature. By default, the top 100
subscribers are displayed. This is configurable on the Presentation page.
This report contains the following table:
• Source IP Address - The IP address of the host that is sending malicious bandwidth.
• Network - The network associated with the host.
• Detections - The number of packet signature detections during the reporting period.

Configuring the report


Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.

Interpreting the report


• hosts generating the highest number of detections should be investigated further.
Drilldowns
Packet Signature Malicious Bandwidth by Source IP Address
To examine the malicious bandwidth for a specific host for the reporting period, drill down on the source IP address.

by Detections Histogram
Use this report to identify the hosts which are generating the most malicious bandwidth. By default, the top 10 subscribers are displayed.
This is configurable on the Presentation page.
This report contains the following chart:
• Packet Signature Top Talkers by Detections Histogram - histogram chart identifying the top hosts that are generating
malicious bandwidth.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.

Interpreting the report


• hosts generating the highest number of detections should be investigated further.

Static Signature Detections


Audit Log
Overview
Use the Audit Log report to identify the actions taken by the WDTM for malicious traffic based on the selected networks for the report
period. Each record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to
confirm what actions were taken for a host and when the action was taken.

The following information is presented in the Audit Log report:


• Host - The IP address of the host under attack.
• Audit Time - The time stamp (date and time in the time zone of the current database) when the action was applied.
• Action Taken - The action taken will be a malicious traffic mitigation action such as limit-flows-in, limit-flows-out, limit-pattern, reroute,
nullroute, email-alert, shell command and so forth.
• State - There are four possible states for a mitigation action:
  • Action Begin - action has started for this detection.
  • Action End - action has been removed for this detection.
  • Reaffirm - action is already in place and reaffirmed.
  • Negate - multiple malicious detections are being simultaneously mitigated by this action, and one of these
  detections has ended. The action remains in place until all of the detections being mitigated have ended. This
  only applies to complex rules where the same host has multiple detections.
• Attack Confirmation - The time a new host was observed to be exhibiting malicious behaviour, based on the number of events/time during the
period.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.

Interpreting the report


Audit Log
• report is sorted on Audit Time to provide a chronological list of mitigation events.
• sort on the Host field to see if the same host is under multiple attacks.
• examine the Action Taken to identify the mitigation action that was taken.
Drilldowns
Audit Log by Host
To examine all of the audit log entries for a specific host for the reporting period, drilldown uses the host IP address.

Audit Log by Host


Overview
Use the Audit Log by Host report to identify all of the actions taken by the WDTM for a specific host during the reporting period. Each
record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to confirm what
actions were taken for a host and when the action was taken.

The following information is presented in the Audit Log by Host report:


• Host - The IP address of the host under attack.
• Audit Time - The time stamp (date and time in the time zone of the current database) when the action was applied.
• Action Taken - The action taken will be a malicious traffic mitigation action such as limit-flows-in, limit-flows-out, limit-pattern, reroute,
nullroute, email-alert, shell command and so forth.
• State - There are four possible states for a mitigation action:
  • Action Begin - action has started for this detection.
  • Action End - action has been removed for this detection.
  • Reaffirm - action is already in place and reaffirmed.
  • Negate - multiple malicious detections are being simultaneously mitigated by this action, and one of these
  detections has ended. The action remains in place until all of the detections being mitigated have ended. This
  only applies to complex rules where the same host has multiple detections.
• Attack Confirmation - The time a new host was observed to be exhibiting malicious behaviour, based on the number of events/time during the
period.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
Specify the list of IP addresses that you wish to view audit logs for.

Interpreting the report


Audit Log
• report is sorted on Audit Time to provide a chronological list of mitigation events.
• examine the Action Taken to identify the mitigation action that was taken.
• examine the Audit Time and State fields to identify when the action was taken and when it was ended.
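The checks in the interpretation bullets above (when an action was applied and ended, and whether one host is under several actions at once) can be answered by replaying the four State values in Audit Time order. The following is an added example, not code from the guide or from the WDTM; the CSV layout, timestamps and addresses of the records are constructed, since the report's export format is not described here.

```python
"""Reconstruct mitigation windows from Audit Log records.

Replays State transitions (Action Begin, Reaffirm, Negate, Action End) per
host and action, so the chronological list becomes a set of windows with a
start, an end (or still active) and the number of reaffirm/negate events.
The records below are constructed sample data in an assumed CSV layout.
"""
import csv
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from io import StringIO
from typing import Optional

# Constructed records; columns mirror the Host, Audit Time, Action Taken and State fields.
SAMPLE_AUDIT_LOG = """\
host,audit_time,action_taken,state
10.1.1.20,2023-03-01 09:00:00,limit-flows-out,Action Begin
10.1.1.20,2023-03-01 09:05:00,limit-flows-out,Reaffirm
10.1.1.21,2023-03-01 09:07:00,nullroute,Action Begin
10.1.1.20,2023-03-01 09:10:00,nullroute,Action Begin
10.1.1.20,2023-03-01 09:12:00,limit-flows-out,Negate
10.1.1.20,2023-03-01 09:20:00,limit-flows-out,Action End
10.1.1.21,2023-03-01 09:30:00,nullroute,Action End
"""

STATES = {"Action Begin", "Action End", "Reaffirm", "Negate"}


@dataclass
class ActionWindow:
    host: str
    action: str
    begin: Optional[datetime]   # None: action began before the reporting period
    end: Optional[datetime] = None
    reaffirms: int = 0
    negates: int = 0

    @property
    def active(self) -> bool:
        return self.end is None


def parse_records(text: str) -> list:
    """Parse the CSV and sort on Audit Time, as the report itself is sorted."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        if r["state"] not in STATES:
            raise ValueError(f"unknown State value: {r['state']!r}")
        r["audit_time"] = datetime.strptime(r["audit_time"], "%Y-%m-%d %H:%M:%S")
    rows.sort(key=lambda r: r["audit_time"])
    return rows


def action_windows(rows: list) -> list:
    """Replay states per (host, action) and return the resulting windows."""
    open_windows = {}
    windows = []
    for r in rows:
        key = (r["host"], r["action_taken"])
        state = r["state"]
        if state == "Action Begin":
            w = ActionWindow(r["host"], r["action_taken"], r["audit_time"])
            open_windows[key] = w
            windows.append(w)
            continue
        w = open_windows.get(key)
        if w is None:
            # Reaffirm/Negate/End with no Begin in the period: action predates the report window.
            w = ActionWindow(r["host"], r["action_taken"], None)
            open_windows[key] = w
            windows.append(w)
        if state == "Reaffirm":
            w.reaffirms += 1
        elif state == "Negate":
            w.negates += 1          # one detection ended; the action itself stays in place
        else:                       # Action End
            w.end = r["audit_time"]
            del open_windows[key]
    return windows


def _overlaps(a: ActionWindow, b: ActionWindow) -> bool:
    a_begin, b_begin = a.begin or datetime.min, b.begin or datetime.min
    a_end, b_end = a.end or datetime.max, b.end or datetime.max
    return a_begin < b_end and b_begin < a_end


def hosts_under_multiple_actions(windows: list) -> list:
    """Hosts whose mitigation windows overlap in time (the "same host, multiple attacks" check)."""
    by_host = defaultdict(list)
    for w in windows:
        by_host[w.host].append(w)
    hits = set()
    for host, ws in by_host.items():
        for i, a in enumerate(ws):
            if any(_overlaps(a, b) for b in ws[i + 1:]):
                hits.add(host)
    return sorted(hits)


if __name__ == "__main__":
    ws = action_windows(parse_records(SAMPLE_AUDIT_LOG))
    for w in ws:
        print(w.host, w.action, w.begin, w.end or "active", w.reaffirms, w.negates)
    print("overlapping actions:", hosts_under_multiple_actions(ws))
```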

Bandwidth by Source
Overview
Use the Packet Signature Bandwidth Detected by Source IP Address report to identify the outgoing malicious bandwidth generated by a
source host. Use this report to identify hosts that are performing user-bandwidth attacks.
The report contains the following two charts:
• Malicious Bandwidth - Stacked area chart showing the detected malicious bandwidth, measured in bits per second (bps).
• Malicious Packet Rate - Stacked area chart showing the detected malicious packet rate, measured in packets per second (pps).
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the destination host that you wish to analyze.

Interpreting the report


• look for spikes - these may indicate new malicious activity.
• look for constant activity over a period of time - a low amount of data sustained for a long period of time indicates a more
covert attack is in progress.

Note: a value of 0 only indicates that the bandwidth dropped below the detection threshold for the
period; not that the activity stopped.

Note: because this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. If you
are looking for finer-grained accuracy, it is generally recommended that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one week period of time, that reporting interval may be broken up into one hour
segments within the chart. Let's assume that four consecutive plotted points within the chart
had the series (4, 5, 17, 5). These values would represent the average rate of events for each
particular hour. If we re-ran the report with a two week time period, we would find that in this particular
time range we would have fewer bins with lower values. In this example, we would expect to see the
following series of values for the same time points: (4.5, 11). This is caused by the fact that
the two-week report must collapse time bins, which dilutes peak values through averaging.

Frequency Histogram
Overview
The Frequency Histogram shows the total number of packets for the top ten packet signatures detected for the report period. The data is
sorted from highest to lowest.
Use this report to identify the most active packet signatures on the selected networks for the report period.
The report contains the following chart:
• Packet Signature Frequency Histogram - histogram bar chart identifying the number of malicious packets identified for
each packet signature.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.


The Packet Signature Selection area allows you to select the supported packet signatures to report on.

Interpreting the report


• use the data presented on this report to assist with mitigation decisions.

Malicious Bandwidth
Overview
Use the Malicious Bandwidth report to identify the malicious bandwidth detected across the selected networks for the report period. Use
this report to examine the total malicious bandwidth for selected protocols and to see how much of this bandwidth was mitigated by the
WDTM.
The report contains the following four charts:
• Malicious Bandwidth - Stacked area chart showing the detected malicious bandwidth by traffic type.
• Mitigated Bandwidth - Stacked area chart showing the detected malicious bandwidth that was mitigated by the WDTM, by
traffic type. Malicious bandwidth that is detected and managed by actions that do not drop packets is not shown on this
chart.
• Malicious Packet Rate - Stacked area chart showing the detected malicious packet rate by traffic type.
• Mitigated Packet Rate - Stacked area chart showing the detected malicious packets that were mitigated by the WDTM, by
traffic type. Malicious traffic that is detected and managed by actions that do not drop packets is not shown on this
chart.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.

Interpreting the report


Malicious Bandwidth
• look for consistently high bandwidth. This may indicate ongoing background activity on the network.
• look for spikes as this may indicate a new occurrence that requires mitigation.
• use this chart to see the history of malicious traffic and to determine what is "steady state", and what is a change that
requires further investigation.
Mitigated Bandwidth
• use this chart to verify existing WDTM thresholds with respect to the overall mitigation strategy.
Malicious Packet Rate
• look for spikes which may indicate that multiple new users are infected.
• use this chart to see the history of malicious traffic and to determine what is "steady state", and what is a change that
requires further investigation.
Mitigated Packet Rate
• use this chart to verify existing WDTM thresholds with respect to the overall mitigation strategy.

Note: for a given detection type it is possible for the dropped bandwidth to be less than the malicious
bandwidth. To understand why, it is necessary to understand how the WDTM Detection Engine
and WDTM Detection Aggregator work. When an attack starts, it is analyzed by the WDTM Detection
Engine. During this time, the attack is not confirmed, but its bytes and packets are counted. When the
Detection Engine determines that thresholds were crossed (as specified by detection-config rules), the
event is reported to the WDTM Detection Aggregator, which is responsible for aggregating detection
events in an attempt to reduce false positives. When the Detection Aggregator confirms that the
event(s) constitute an attack because timed-host-percent thresholds were crossed (as specified by
aggregator-config rules), it applies mitigation actions (as specified by wmd-rules). At this point, the
bytes/packets counted before the attack was confirmed are logged as malicious bytes/packets and show
up in the Malicious Bandwidth/Malicious Packet Rate graphs. This counted malicious traffic is impossible
to mitigate, since that would require knowing the traffic was malicious before it looked malicious, and
so the traffic will not be counted as mitigated. Since new malicious traffic is always being detected for
the first time, overall malicious traffic will typically be greater than mitigated traffic.
For some detections, this contrast between malicious and mitigated is much larger. Spam especially
exhibits this large contrast. This is because the mitigated traffic is predominantly SYN packets that are
dropped before the TCP flow is established. As a result, the minutes required to confirm a spam attack
can result in many bytes and packets of unmitigated malicious traffic. When the attack is confirmed,
although many bytes and packets are in theory mitigated by dropping the flow, we can only honestly
report the very small fraction of that traffic that was actually mitigated on the wire, specifically the SYN
packets.
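The accounting the note describes (pre-confirmation traffic counted as malicious only, post-confirmation traffic counted as mitigated only to the extent it was actually dropped on the wire) can be reproduced with a small model. This is an added example, not code from the guide or from the WDTM; the flow timings, packet sizes and the two drop modes are constructed assumptions chosen to show the ordinary case beside the spam case.

```python
"""Why Malicious Bandwidth exceeds Mitigated Bandwidth for one detection type.

Toy accounting model of the Detection Engine -> Detection Aggregator -> wmd-rules
pipeline. Every flow that starts while the attack is still being confirmed is
counted as malicious and never as mitigated. After confirmation, "drop-flow"
drops every packet that reaches the element, while "drop-syn" (the spam case)
kills the flow at the SYN, so only SYN bytes are honestly reported as mitigated.
All sizes and timings are assumptions for illustration.
"""
from dataclasses import dataclass

SYN_BYTES = 60            # assumed wire size of a TCP SYN
DATA_PACKETS = 20         # assumed data packets per established flow
DATA_PACKET_BYTES = 1000  # assumed size of each data packet

FULL_FLOW_BYTES = SYN_BYTES + DATA_PACKETS * DATA_PACKET_BYTES
FULL_FLOW_PACKETS = 1 + DATA_PACKETS


@dataclass(frozen=True)
class Counters:
    """The four numbers behind the Malicious/Mitigated Bandwidth and Packet Rate charts."""
    malicious_bytes: int = 0
    malicious_packets: int = 0
    mitigated_bytes: int = 0
    mitigated_packets: int = 0

    def add(self, mal_b: int, mal_p: int, mit_b: int = 0, mit_p: int = 0) -> "Counters":
        return Counters(self.malicious_bytes + mal_b, self.malicious_packets + mal_p,
                        self.mitigated_bytes + mit_b, self.mitigated_packets + mit_p)


def account(flow_starts, confirm_at: float, mode: str) -> Counters:
    """Tally one detection.

    flow_starts: seconds since the attack began at which each malicious flow starts
                 (assumed short enough to fall wholly before or after confirmation).
    confirm_at:  seconds until the Aggregator confirmed the attack and the action applied.
    mode:        "drop-flow" or "drop-syn" (see module docstring).
    """
    if mode not in ("drop-flow", "drop-syn"):
        raise ValueError(f"unknown mode {mode!r}")
    c = Counters()
    for start in flow_starts:
        if start < confirm_at:
            # Still under analysis: logged as malicious once confirmed, but impossible to mitigate.
            c = c.add(FULL_FLOW_BYTES, FULL_FLOW_PACKETS)
        elif mode == "drop-flow":
            # Every packet of the flow hits the element and is dropped there.
            c = c.add(FULL_FLOW_BYTES, FULL_FLOW_PACKETS, FULL_FLOW_BYTES, FULL_FLOW_PACKETS)
        else:
            # Only the SYN was ever on the wire; the data packets never existed.
            c = c.add(SYN_BYTES, 1, SYN_BYTES, 1)
    return c


def unmitigated_fraction(c: Counters) -> float:
    """Share of malicious bytes the report cannot show as mitigated."""
    return 1.0 - c.mitigated_bytes / c.malicious_bytes


if __name__ == "__main__":
    starts = range(0, 300, 30)      # ten flows, one every 30 s; confirmation after 120 s
    for mode in ("drop-flow", "drop-syn"):
        c = account(starts, 120, mode)
        print(mode, c, f"unmitigated={unmitigated_fraction(c):.1%}")
```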

Note: because this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. If you
are looking for finer-grained accuracy, it is generally recommended that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one week period of time, that reporting interval may be broken up into one hour
segments within the chart. Let's assume that four consecutive plotted points within the chart
had the series (4, 5, 17, 5). These values would represent the average rate of events for each
particular hour. If we re-ran the report with a two week time period, we would find that in this particular
time range we would have fewer bins with lower values. In this example, we would expect to see the
following series of values for the same time points: (4.5, 11). This is caused by the fact that
the two-week report must collapse time bins, which dilutes peak values through averaging.

Malicious Hosts
Overview
Use the Malicious Hosts report to identify the malicious hosts detected across the selected networks for the report period. Use this report
to examine the total malicious hosts for selected protocols and to see how many of the hosts were mitigated by the WDTM.
The report contains the following two charts:
• Malicious Hosts - Stacked area chart showing the detected malicious hosts by traffic type.
• Mitigated Hosts - Stacked area chart showing the detected malicious hosts that were mitigated by the WDTM, by traffic
type. Malicious hosts that are detected and managed by actions that do not drop packets are not shown on this chart.
Configuring the report
Select a time period and the elements you wish to monitor for malicious hosts. You can build virtual clusters of Sandvine elements using
the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.

Interpreting the report


Malicious Hosts
• look for spikes, which may show that multiple new users are infected.
• use this report to see the history of malicious hosts to determine what is "steady state" and what is a change that requires
further investigation.
Mitigated Hosts
• use this chart to verify existing WDTM thresholds with respect to the overall mitigation strategy.

Note: these charts display raw count totals. This can make the reports appear to show different
peak results, which is caused by the scaling of these values over different time intervals. For example, if
you chose to report on data for a one week period of time, that reporting interval may be broken up into
one hour segments within the chart. Let's assume that four consecutive plotted points within
the chart had the series (4, 7, 13, 17). These values would represent the total number of events for
each particular hour. If we re-ran the report with a two week time period, we would find that in this
particular time range we would have fewer bins but with higher values. In this example, we would expect
to see the following series of values for the same time points: (11, 30). This is caused by the
fact that the two-week report must collapse time bins, which in turn sums the resulting bin values.
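The two bin-collapsing notes (averaged rates in the Malicious Bandwidth report, summed counts in the Malicious Hosts report) describe one operation with two combining rules. The following added example, not code from the guide or the reporting server, reproduces both with the guide's own series; the collapse factor of two (one-week bins into two-week bins) is an assumption about how the chart re-bins.

```python
"""Re-bin a plotted series the way a longer report interval does.

Rate charts (bps, pps) hold a per-bin average, so merging bins averages them
and dilutes peaks. Count charts (hosts, events) hold a per-bin total, so
merging bins sums them and stacks values. The factor is an assumption; the
series are the guide's illustrative numbers.
"""
from statistics import mean
from typing import Callable, Sequence


def collapse(series: Sequence[float], factor: int,
             combine: Callable[[Sequence[float]], float]) -> list:
    """Merge every `factor` consecutive bins into one using `combine`."""
    if factor < 1:
        raise ValueError("factor must be >= 1")
    if len(series) % factor:
        raise ValueError("series length must be a multiple of factor")
    return [combine(series[i:i + factor]) for i in range(0, len(series), factor)]


def collapse_rate_bins(series: Sequence[float], factor: int) -> list:
    """Running-average charts: wider bins average, so peaks are diluted."""
    return collapse(series, factor, mean)


def collapse_count_bins(series: Sequence[float], factor: int) -> list:
    """Raw count charts: wider bins sum, so values stack."""
    return collapse(series, factor, sum)


def peak_dilution(series: Sequence[float], factor: int) -> float:
    """Fraction of the fine-grained peak that survives averaging into wider bins."""
    return max(collapse_rate_bins(series, factor)) / max(series)


if __name__ == "__main__":
    hourly_rate = [4, 5, 17, 5]        # one-week report, one-hour bins
    hourly_count = [4, 7, 13, 17]
    print("rate, two-week bins :", collapse_rate_bins(hourly_rate, 2))
    print("count, two-week bins:", collapse_count_bins(hourly_count, 2))
    print("peak kept after averaging:", f"{peak_dilution(hourly_rate, 2):.0%}")
```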

Static Signature Detections


Overview
Use the Packet Signature Detections report to identify hosts that are transmitting traffic that matches a packet signature during the report
period.
Use this report to see the hosts that are generating packet signature traffic.
The report contains the following table:
• Source IP Address - The IP address of the host initiating the packet signature attack.
• Subscriber - The name of the subscriber associated with the IP address. If the IP address is not associated with an internal subscriber, this
column will appear empty.
• Source Network - The network associated with the source IP address.
• Protocol - Layer 4 protocol of the OSI stack.
• Packet Signature - Typical packet signature found on the destination port.
• Active Time - The amount of time the attack has been on the network using bandwidth which exceeds the set threshold.
• Bytes - The total number of bytes discovered during the reporting period.
• Packets - The total number of packets discovered during the reporting period.
• Last Detected - The date and time in the current time zone that the attack was last detected.
• View Audit - If a check mark is present, an action has been applied and there is an audit log on the details.
If the check mark is not present, WDTM is monitoring traffic for this host, but no mitigation actions have been applied. This
will happen if a host has not crossed the rule's high thresholds. In this case, WDTM has identified that this is a real attack, but
WDTM has only been configured to mitigate above specific thresholds.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your virtual networks. These can be configured to analyze data for internal, external, and
peer subnets.
The Flow Selection area allows you to select the egress, or direction, of the traffic from the selected networks.
Finally, select the protocols and protocol categories that you wish to monitor.

Interpreting the report


• look for hosts infected by specific worms/trojans/backdoors etc.
• examine the Active Time to determine the severity of the attack.
Drilldowns
Malicious Bandwidth by Source
To examine the malicious bandwidth for a specific host for the reporting period, drilldown uses the source IP address.
Bandwidth by Subscriber
To examine the bandwidth for a specific subscriber for the reporting period, drilldown uses the source subscriber and is only available if
the source subscriber is known.
Audit Log by Detection
To examine the audit log for a specific attack, drilldown uses the attack identification and is only available if the View Audit column is
checked. If the check mark is not present, no actions have been applied and no drilldown is available.

Audit Log
Audit Log
Overview
Use the Audit Log report to identify the actions taken by the WDTM for malicious traffic based on the selected networks for the report
period. Each record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to
confirm what actions were taken for a host and when the action was taken.

The following information is presented in the Audit Log report:


• Host - The IP address of the host under attack.
• Audit Time - The time stamp (date and time in the time zone of the current database) when the action was applied.
• Action Taken - The action taken will be a malicious traffic mitigation action such as limit-flows-in, limit-flows-out, limit-pattern, reroute, nullroute, email-alert, shell command and so forth.
• State - There are four possible states for a mitigation action:
  • Action Begin - action has started for this detection.
  • Action End - action has been removed for this detection.
  • Reaffirm - action is already in place and reaffirmed.
  • Negate - multiple malicious detections are being simultaneously mitigated by this action, and one of these detections has ended. The action remains in place until all of the detections being mitigated have ended. This only applies to complex rules where the same host has multiple detections.
• Detection Confirmation - The time a new host was observed to be exhibiting malicious behaviour based on the number of events/time during the period.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.

Interpreting the report


Audit Log
• report is sorted on Audit Time to provide a chronological list of mitigation events.
• sort on the Host field to see if the same host is under multiple attacks.
• examine the Action Taken to identify the mitigation action that was taken.
Drilldowns
Audit Log by Host
To examine all of the audit log entries for a specific host for the reporting period, drilldown uses the host IP address.

Audit Log by Host


Overview
Use the Audit Log by Host report to identify all of the actions taken by the WDTM for a specific host during the reporting period. Each
record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to confirm what
actions were taken for a host and when the action was taken.

The following information is presented in the Audit Log by Host report:


• Host - The IP address of the host under attack.
• Audit Time - The time stamp (date and time in the time zone of the current database) when the action was applied.
• Action Taken - The action taken will be a malicious traffic mitigation action such as limit-flows-in, limit-flows-out, limit-pattern, reroute, nullroute, email-alert, shell command and so forth.
• State - There are four possible states for a mitigation action:
  • Action Begin - action has started for this detection.
  • Action End - action has been removed for this detection.
  • Reaffirm - action is already in place and reaffirmed.
  • Negate - multiple malicious detections are being simultaneously mitigated by this action, and one of these detections has ended. The action remains in place until all of the detections being mitigated have ended. This only applies to complex rules where the same host has multiple detections.
• Detection Confirmation - The time a new host was observed to be exhibiting malicious behaviour based on the number of events/time during the period.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
Specify the list of IP addresses that you wish to view audit logs for.

Interpreting the report


Audit Log
• report is sorted on Audit Time to provide a chronological list of mitigation events.
• examine the Action Taken to identify the mitigation action that was taken.
• examine the Audit Time and State fields to identify when the action was taken and when it was ended.

by Spammer
Bandwidth
Overview
Use the Spam Bandwidth by Spammer report to identify the bandwidth that is being consumed by specific spammers.
The report contains the following two charts:
• Malicious Bandwidth - Stacked area chart showing the detected malicious bandwidth, measured in bits per second (bps).
• Malicious Packet Rate - Stacked area chart showing the detected malicious packet rate, measured in packets per second (pps).
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the spammer host addresses that you wish to analyze.

Interpreting the report


• look for spikes which indicate an increase in the bandwidth being used by a spammer.
• over time, check to see if patterns emerge.

Note: because this data is presented as a running average, peak values may appear to scale depending on the
configured time interval for the report. If you need finer-grained accuracy, run the report for a shorter interval
of time. The scaling issue results from peak values being diluted over the interval of the report. For example, if
you chose to report on data for a one-week period, that reporting interval may be broken up into one-hour segments
within the chart. Let's assume that four consecutive plotted points within the chart had the series (4, 5, 17, 5).
These values would represent the average rate of events for each particular hour. If we re-ran the report with a
two-week time period, we would find that in this particular time range we would have fewer bins with lower values.
In this example, we would expect to see the following series of values for the same time points: (4.5, 11). This is
caused by the fact that the two-week report must collapse time bins, which dilutes peak values through averaging.

Message Details
Overview
Use the Spam Message Details by Spammer report to get an overview of spam activity for specific spammers.
The report contains the following three charts:
• Attempted Messages - Stacked bar chart identifying the total number of messages that the spammer attempted to send.
• Recipients - Stacked bar chart identifying the total number of recipients that the spam emails were addressed to.
• Senders - Stacked bar chart identifying the number of unique sender email addresses from which the spammer was sending
spam.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the spammer host addresses that you wish to analyze.

Interpreting the report


• over time, look for patterns. For example, is spam sent at a regular interval (between 9 AM and 5 PM daily, every hour, and so forth)?
• a large increase in the number of recipients will have the greatest negative impact on the network.

SMTP State
Overview
Use the Spam SMTP State Analysis by Spammer report to find details on the state (or flow) of the session.
The report contains the following three charts:
• SMTP Sessions - Stacked bar chart identifying the total number of sessions initiated.
• SMTP Errors - Stacked bar chart identifying the total number of SMTP errors received from all SMTP servers within all
sessions.
• SMTP Resets - Stacked bar chart identifying the total number of RSET commands issued from the spammer for all sessions.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the spammer host addresses that you wish to analyze.

Interpreting the report


• Sessions and Resets are related. A low number of sessions with a high number of resets indicates a large volume of email being sent through one connection.
• a high number of errors indicates that invalid email addresses are being used (either the sender or the receiver may be invalid), which is indicative of a spammer.

Spam Detections
Overview
Use the Spam Attacks by Spammer report to provide detailed information on specific Spam parameters. The parameters that appear on
this report relate directly to spam detection metrics.
Use this report to examine the specific values for a spam attack.
The report contains the following fields:
• Spammer - The IP address of the subscriber.
• Network - The network associated with the host IP address.
• Active Time - The cumulative time malicious traffic was actually detected during the report period.
• Total Recipients - The cumulative total of recipients a subscriber has attempted to send an email to.
• Attempted Messages - The cumulative total email messages a subscriber has attempted to send.
• Sessions - The cumulative total SMTP sessions a subscriber has initiated with all SMTP servers.
• Errors - The cumulative total errors a subscriber has received from all SMTP servers.
• Resets - The cumulative total RSET commands a subscriber has issued during all SMTP sessions.
• Unique Recipients - The number of unique recipients discovered per hour that a subscriber has attempted to send email to.
• Unique Recipient Domains - The number of unique recipient domains discovered per hour that a subscriber has attempted to send email to.
• Unique Senders - The number of unique sender email addresses discovered per hour that a subscriber has attempted to send email from.
• Unique Sender Domains - The number of unique sender domains discovered per hour that a subscriber has attempted to send email from.
• Unique Servers - The number of unique SMTP servers discovered per hour that a subscriber has connected to.
• Unique EHLO Names - The number of unique connection names or IP addresses discovered per hour that a subscriber used when connecting to an SMTP server.
• Bytes - The total number of bytes sent.
• Last Detected - The date and time in the current time zone that the attack was last detected.
• View Audit - If a check mark is present, an action has been applied and there is an audit log on the details. If the check mark is not present, WDTM is monitoring traffic for this host, but no mitigation actions have been applied. This will happen if a host has not crossed the rule's high thresholds. In this case, WDTM has identified that this is a real attack, but WDTM has only been configured to mitigate above specific thresholds.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols and protocol categories that you wish to monitor.

Interpreting the report


• examine total recipients (default sort order) to see the impact on the network.
• examine the values to determine the severity of the spam infection.
• each entry in the table is one spam detection. One entry may represent a long-lived detection.
• sort by Last Detected to see the most current detection.
Drilldowns
Spam Attacks by Spammer
To view additional information about spam attacks for a specific spammer, drilldown uses the source IP address.
Malicious Bandwidth by Source
To examine the malicious bandwidth for a specific host for the reporting period, drilldown uses the source IP address.
Bandwidth by Subscriber
To examine the bandwidth for a specific subscriber for the reporting period, drilldown uses the source subscriber and is only available if
the source subscriber is known.
Message Details by Spammer
To examine recipient details for the spam attack, drilldown uses the source IP address. This report indicates the number of attempted
messages and recipients.
SMTP State by Spammer
To examine the SMTP state for the spammer, drilldown uses the source IP address.
Malicious Bandwidth by Source
To examine the malicious bandwidth for a specific host for the reporting period, drilldown uses the source IP address.
Audit Log by Detection
To examine the audit log for a specific attack, drilldown uses the attack identification and is only available if the View Audit column is
checked. If the check mark is not present, no actions have been applied and no drilldown is available.

Top Spammers
by Bytes
Use this report to identify the top hosts who are generating the most spam by bytes. By default, the top 100 subscribers are displayed.
This is configurable on the Presentation page.
This report contains the following fields:
• Source IP Address - The IP address of the host that is generating spam.
• Network - The network associated with the host.
• Bytes - The number of bytes transmitted by the host during the reporting period.

Configuring the report


Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.

Interpreting the report


• hosts generating the highest amount of spam should be investigated.
Drilldowns
Spam Bandwidth by Source IP Address
To examine the malicious bandwidth for a specific host for the reporting period, drill down on the source IP address.

by Bytes Histogram
Use this report to identify the top hosts who are generating the most spam by bytes. By default, the top 100 subscribers are displayed.
This is configurable on the Presentation page.
This report contains the following fields:
• Source IP Address - The IP address of the host that is generating spam.
• Network - The network associated with the host.
• Bytes - The number of bytes transmitted by the host during the reporting period.

Configuring the report


Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.

Interpreting the report


• hosts generating the highest amount of spam should be investigated.
Drilldowns
Spam Bandwidth by Source IP Address
To examine the malicious bandwidth for a specific host for the reporting period, drill down on the source IP address.

by Detections
Use this report to identify the hosts which are generating the most spam. By default, the top 100 subscribers are displayed. This is
configurable on the Presentation page.
This report contains the following fields:
• Source IP Address - The IP address of the host that is sending spam.
• Network - The network associated with the host.
• Detections - The number of spam sessions detected during the reporting period.

Configuring the report


Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.

Interpreting the report


• hosts sending the highest amount of spam should be investigated further.
Drilldowns
Spam Bandwidth by Source IP Address
To examine the malicious bandwidth for a specific host for the reporting period, drill down on the source IP address.

by Detections Histogram
Use this report to identify the hosts which are generating the most spam. By default, the top 100 subscribers are displayed. This is
configurable on the Presentation page.
This report contains the following fields:
• Source IP Address - The IP address of the host that is sending spam.
• Network - The network associated with the host.
• Detections - The number of spam sessions detected during the reporting period.

Configuring the report


Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.

Interpreting the report


• hosts sending the highest amount of spam should be investigated further.
Drilldowns
Spam Bandwidth by Source IP Address
To examine the malicious bandwidth for a specific host for the reporting period, drill down on the source IP address.

Spam
Audit Log
Overview
Use the Audit Log report to identify the actions taken by the WDTM for malicious traffic based on the selected networks for the report
period. Each record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to
confirm what actions were taken for a host and when the action was taken.

The following information is presented in the Audit Log report:


• Host - The IP address of the host under attack.
• Audit Time - The time stamp (date and time in the time zone of the current database) when the action was applied.
• Action Taken - The action taken will be a malicious traffic mitigation action such as limit-flows-in, limit-flows-out, limit-pattern, reroute, nullroute, email-alert, shell command and so forth.
• State - There are four possible states for a mitigation action:
  • Action Begin - action has started for this detection.
  • Action End - action has been removed for this detection.
  • Reaffirm - action is already in place and reaffirmed.
  • Negate - multiple malicious detections are being simultaneously mitigated by this action, and one of these detections has ended. The action remains in place until all of the detections being mitigated have ended. This only applies to complex rules where the same host has multiple detections.
• Detection Confirmation - The time a new host was observed to be exhibiting malicious behaviour based on the number of events/time during the period.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.

Interpreting the report


Audit Log
• report is sorted on Audit Time to provide a chronological list of mitigation events.
• sort on the Host field to see if the same host is under multiple attacks.
• examine the Action Taken to identify the mitigation action that was taken.
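As an added example (not the product's own code), the following Python replays Audit Log records with the four State values described above to show which mitigation actions are still in place for each host and when each action began and ended. The records, timestamps and the detection_id field are constructed assumptions; detection_id stands in for the attack identification that the Audit Log by Detection drilldown uses.

```python
"""Replay Audit Log records (Host, Audit Time, Action Taken, State) to see
which mitigation actions are still in place per host and when each action
began and ended. Added example on constructed records; not the product's code."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional


@dataclass
class AuditRecord:
    host: str
    audit_time: datetime
    action: str         # e.g. limit-flows-out, nullroute
    state: str          # Action Begin | Action End | Reaffirm | Negate
    detection_id: str   # assumed field: the attack identification of the detection


@dataclass
class ActiveAction:
    begun: datetime
    detections: set = field(default_factory=set)   # detections still mitigated by it
    last_seen: Optional[datetime] = None


def _t(hhmm):
    """Constructed timestamps, all on one day."""
    return datetime.fromisoformat(f"2024-01-01T{hhmm}:00")


# Constructed log: a complex rule mitigating two detections on 10.0.0.5, and a
# single detection on 10.0.0.9 that has already ended. Deliberately unsorted.
SAMPLE = [
    AuditRecord("10.0.0.5", _t("09:00"), "limit-flows-out", "Action Begin", "det-1"),
    AuditRecord("10.0.0.9", _t("09:10"), "nullroute", "Action Begin", "det-3"),
    AuditRecord("10.0.0.5", _t("09:05"), "limit-flows-out", "Reaffirm", "det-2"),
    AuditRecord("10.0.0.5", _t("09:20"), "limit-flows-out", "Negate", "det-1"),
    AuditRecord("10.0.0.9", _t("09:30"), "nullroute", "Action End", "det-3"),
]


def replay(records):
    """Return {(host, action): ActiveAction} for actions still in place at the
    end of the log. A Negate drops only the detection that ended; the action
    itself stays until its Action End record, as the State field describes."""
    active = {}
    for r in sorted(records, key=lambda x: x.audit_time):   # Audit Time order
        key = (r.host, r.action)
        if r.state == "Action Begin":
            active.setdefault(key, ActiveAction(begun=r.audit_time))
            active[key].detections.add(r.detection_id)
        elif r.state == "Reaffirm" and key in active:
            active[key].detections.add(r.detection_id)
        elif r.state == "Negate" and key in active:
            active[key].detections.discard(r.detection_id)
        elif r.state == "Action End":
            active.pop(key, None)
            continue
        elif r.state not in ("Reaffirm", "Negate"):
            raise ValueError(f"unknown state {r.state!r}")
        if key in active:
            active[key].last_seen = r.audit_time
    return active


def action_spans(records):
    """Pair each Action Begin with its Action End per (host, action) and return
    [(host, action, begin_iso, end_iso_or_None)]; still-open spans come last."""
    open_, spans = {}, []
    for r in sorted(records, key=lambda x: x.audit_time):
        key = (r.host, r.action)
        if r.state == "Action Begin" and key not in open_:
            open_[key] = r.audit_time
        elif r.state == "Action End" and key in open_:
            spans.append((r.host, r.action, open_.pop(key).isoformat(), r.audit_time.isoformat()))
    spans.extend((h, a, b.isoformat(), None) for (h, a), b in open_.items())
    return spans


if __name__ == "__main__":
    for (host, action), st in replay(SAMPLE).items():
        print(f"{host} {action}: still active, detections={sorted(st.detections)}")
    for span in action_spans(SAMPLE):
        print(span)
```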
Drilldowns
Audit Log by Host
To examine all of the audit log entries for a specific host for the reporting period, drilldown uses the host IP address.

Audit Log by Host


Overview
Use the Audit Log by Host report to identify all of the actions taken by the WDTM for a specific host during the reporting period. Each
record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to confirm what
actions were taken for a host and when the action was taken.

The following information is presented in the Audit Log by Host report:


• Host - The IP address of the host under attack.
• Audit Time - The time stamp (date and time in the time zone of the current database) when the action was applied.
• Action Taken - The action taken will be a malicious traffic mitigation action such as limit-flows-in, limit-flows-out, limit-pattern, reroute, nullroute, email-alert, shell command and so forth.
• State - There are four possible states for a mitigation action:
  • Action Begin - action has started for this detection.
  • Action End - action has been removed for this detection.
  • Reaffirm - action is already in place and reaffirmed.
  • Negate - multiple malicious detections are being simultaneously mitigated by this action, and one of these detections has ended. The action remains in place until all of the detections being mitigated have ended. This only applies to complex rules where the same host has multiple detections.
• Detection Confirmation - The time a new host was observed to be exhibiting malicious behaviour based on the number of events/time during the period.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
Specify the list of IP addresses that you wish to view audit logs for.

Interpreting the report


Audit Log
• report is sorted on Audit Time to provide a chronological list of mitigation events.
• examine the Action Taken to identify the mitigation action that was taken.
• examine the Audit Time and State fields to identify when the action was taken and when it was ended.

Bandwidth
Overview
Use the Spam Bandwidth by Spammer report to identify the bandwidth that is being consumed by specific spammers.
The report contains the following two charts:
• Malicious Bandwidth - Stacked area chart showing the detected malicious bandwidth, measured in bits per second (bps).
• Malicious Packet Rate - Stacked area chart showing the detected malicious packet rate, measured in packets per second (pps).
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the spammer host addresses that you wish to analyze.

Interpreting the report


• look for spikes which indicate an increase in the bandwidth being used by a spammer.
• over time, check to see if patterns emerge.

Note: because this data is presented as a running average, peak values may appear to scale depending on the
configured time interval for the report. If you need finer-grained accuracy, run the report for a shorter interval
of time. The scaling issue results from peak values being diluted over the interval of the report. For example, if
you chose to report on data for a one-week period, that reporting interval may be broken up into one-hour segments
within the chart. Let's assume that four consecutive plotted points within the chart had the series (4, 5, 17, 5).
These values would represent the average rate of events for each particular hour. If we re-ran the report with a
two-week time period, we would find that in this particular time range we would have fewer bins with lower values.
In this example, we would expect to see the following series of values for the same time points: (4.5, 11). This is
caused by the fact that the two-week report must collapse time bins, which dilutes peak values through averaging.

Malicious Bandwidth
Overview
Use the Malicious Bandwidth report to identify the malicious bandwidth detected across the selected networks for the report period. Use
this report to examine the total malicious bandwidth for selected protocols and to see how much of this bandwidth was mitigated by the
WDTM.
The report contains the following four charts:
• Malicious Bandwidth - Stacked area chart showing the detected malicious bandwidth by traffic type.
• Mitigated Bandwidth - Stacked area chart showing the detected malicious bandwidth that was mitigated by the WDTM, by traffic type. Malicious bandwidth that is detected and managed by actions that do not drop packets is not shown on this chart.
• Malicious Packet Rate - Stacked area chart showing the detected malicious packet rate by traffic type.
• Mitigated Packet Rate - Stacked area chart showing the detected malicious packets that were mitigated by the WDTM, by traffic type. Malicious bandwidth that is detected and managed by actions that do not drop packets is not shown on this chart.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.

Interpreting the report


Malicious Bandwidth
• look for consistently high bandwidth. This may indicate ongoing background activity on the network.
• look for spikes as this may indicate a new occurrence that requires mitigation.
• use this chart to see the history of malicious traffic and to determine what is "steady state", and what is a change that
requires further investigation.
Mitigated Bandwidth
• use this chart to verify existing WDTM thresholds with respect to the overall mitigation strategy.
Malicious Packet Rate
• look for spikes which may indicate that multiple new users are infected.
• use this chart to see the history of malicious traffic and to determine what is "steady state", and what is a change that
requires further investigation.
Mitigated Packet Rate
• use this chart to verify existing WDTM thresholds with respect to the overall mitigation strategy.

Note: because this data is presented as a running average, peak values may appear to scale depending on the
configured time interval for the report. If you need finer-grained accuracy, run the report for a shorter interval
of time. The scaling issue results from peak values being diluted over the interval of the report. For example, if
you chose to report on data for a one-week period, that reporting interval may be broken up into one-hour segments
within the chart. Let's assume that four consecutive plotted points within the chart had the series (4, 5, 17, 5).
These values would represent the average rate of events for each particular hour. If we re-ran the report with a
two-week time period, we would find that in this particular time range we would have fewer bins with lower values.
In this example, we would expect to see the following series of values for the same time points: (4.5, 11). This is
caused by the fact that the two-week report must collapse time bins, which dilutes peak values through averaging.

Malicious Hosts
Overview
Use the Malicious Hosts report to identify the malicious hosts detected across the selected networks for the report period. Use this report
to examine the total malicious hosts for selected protocols and to see how many of the hosts were mitigated by the WDTM.
The report contains the following two charts:
• Malicious Hosts - Stacked area chart showing the detected malicious hosts by traffic type.
• Mitigated Hosts - Stacked area chart showing the detected malicious hosts that were mitigated by the WDTM, by traffic type. Malicious hosts that are detected and managed by actions that do not drop packets are not shown on this chart.
Configuring the report
Select a time period and the elements you wish to monitor for malicious hosts. You can build virtual clusters of Sandvine elements using
the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.

Interpreting the report


Malicious Hosts
• look for spikes, which may show that multiple new users are infected.
• use this report to see the history of malicious hosts to determine what is "steady state" and what is a change that requires
further investigation.
Mitigated Hosts
• use this chart to verify existing WDTM thresholds with respect to the overall mitigation strategy.

Note: these charts display raw count totals. This can make the reports appear to provide different peak results,
which is caused by the scaling of these values over different time intervals. For example, if you chose to report
on data for a one-week period, that reporting interval may be broken up into one-hour segments within the chart.
Let's assume that four consecutive plotted points within the chart had the series (4, 7, 13, 17). These values
would represent the total number of events for each particular hour. If we re-ran the report with a two-week time
period, we would find that in this particular time range we would have fewer bins but with higher values. In this
example, we would expect to see the following series of values for the same time points: (11, 30). This is caused
by the fact that the two-week report must collapse time bins, which in turn stacks the resulting bin values.
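The notes on the averaged rate charts and on the raw count charts describe the same bin-collapse step with opposite effects. This added Python example, which is not from the original guide, reproduces both series from the constructed hourly values so the dilution and the stacking can be checked, and generalizes the step to any collapse factor.

```python
"""Collapse chart bins the way a longer report period does. Added example
with constructed values; not the reporting product's own code."""
from statistics import mean


def collapse_bins(values, factor, how):
    """Merge every `factor` consecutive bins into one.

    how="average" models the rate charts (bps, pps): each wide bin is the
    mean of the narrow bins it absorbs, so a single-bin peak is diluted.
    how="total" models the raw-count charts: each wide bin is the sum, so
    values stack and grow. A trailing partial group is kept and aggregated
    over the bins it actually has.
    """
    if factor < 1 or not values:
        raise ValueError("need at least one bin and a factor >= 1")
    if how == "average":
        agg = mean
    elif how == "total":
        agg = sum
    else:
        raise ValueError(f"unknown aggregation {how!r}")
    return [agg(values[i:i + factor]) for i in range(0, len(values), factor)]


def peak_retention(values, factor, how="average"):
    """Fraction of the original peak that survives collapsing. For averaged
    charts this is <= 1 (dilution); for totals it is >= 1 (stacking)."""
    return max(collapse_bins(values, factor, how)) / max(values)


if __name__ == "__main__":
    # One-week report with hourly bins -> two-week report with two-hour bins.
    print(collapse_bins([4, 5, 17, 5], 2, "average"))   # [4.5, 11]
    print(collapse_bins([4, 7, 13, 17], 2, "total"))    # [11, 30]
    print(peak_retention([4, 5, 17, 5], 2))            # 11/17, the diluted peak
```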

Message Details
Overview
Use the Spam Message Details by Spammer report to get an overview of spam activity for specific spammers.
The report contains the following three charts:
• Attempted Messages - Stacked bar chart identifying the total number of messages that the spammer attempted to send.
• Recipients - Stacked bar chart identifying the total number of recipients that the spam emails were addressed to.
• Senders - Stacked bar chart identifying the number of unique sender email addresses from which the spammer was sending
spam.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the spammer host addresses that you wish to analyze.

Interpreting the report


• over time, look for patterns. For example, is spam sent at a regular interval (between 9 AM and 5 PM daily), every hour, and so forth?
• a large increase in the number of recipients will have the greatest negative impact on the network.

SMTP State
Overview
Use the Spam SMTP State Analysis by Spammer report to find details on the state (or flow) of the session.
The report contains the following three charts:
• SMTP Sessions - Stacked bar chart identifying the total number of sessions initiated.
• SMTP Errors - Stacked bar chart identifying the total number of SMTP errors received from all SMTP servers within all
sessions.
• SMTP Resets - Stacked bar chart identifying the total number of RSET commands issued from the spammer for all sessions.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the spammer host addresses that you wish to analyze.

Interpreting the report


• sessions and resets are related. A low number of sessions and a high number of resets indicates a large volume of email being sent through one connection.
• a high number of errors indicates that invalid email addresses are being used (either the sender or the receiver may be invalid), which is indicative of a spammer.

Spam Detection Details


Overview
Use the Spam Attack Details report to provide comprehensive details on the metrics collected on attacks for the selected spammer. Note
that this report consists of two tables - Spam Attack Thresholds and Spam Attack Details. The Thresholds table indicates the threshold set
for the metric. The Attack Details table displays the value for each of the metrics. Any value indicated in red exceeds the threshold.
• Spammer - The IP address of the subscriber.
• Network - The network associated with the host IP address.
• Logtime - Date and time, in the current time zone, when that data was entered.

The following data represents accumulated totals. Note that these values can't be compared with the threshold values, which are in rate/hour (you should never see red values in these columns).
• Bytes - The bandwidth used by the attack.
• Packets - The number of packets used by the attack.
• Total Recipients - The number of recipient email addresses a subscriber has attempted to send email to.
• Attempted Messages - The number of messages a subscriber has attempted to send.
• Sessions - Total number of SMTP sessions a subscriber has initiated with all SMTP servers.
• Errors - Total number of errors a subscriber has received from all SMTP servers.
• Resets - Total number of RSET commands a subscriber has issued during all SMTP sessions.

The following values represent rate/hour and should be compared with the thresholds.
• Unique Recipients - Total number of unique recipients a subscriber has attempted to send email to.
• Unique Recipient Domains - Total number of unique recipient domains a subscriber has attempted to send email to.
• Unique Senders - Total number of unique sender email addresses a subscriber has attempted to send email from.
• Unique Sender Domains - Total number of unique sender email domains a subscriber has attempted to send email from.
• Unique EHLO Names - Total number of unique connection names or IP addresses used by a subscriber when connecting to an SMTP server.

The following values represent rate/period and should be compared with the thresholds. A period is 5 minutes in duration.
• Recipients per Sample Period - Total number of unique recipients a subscriber has attempted to send email to per sample period.
• Attempted Messages per Sample Period - Total number of attempted email messages a subscriber has attempted to send per sample period.
• Sessions per Sample Period - Total number of SMTP sessions a subscriber has initiated with all SMTP servers per sample period.
• Server per Sample Period - Total number of unique servers a subscriber has connected to per sample period.

The following values are comparisons of like metrics and can be compared with the thresholds.
• Total Recipients per Unique Recipient - Total number of recipient email addresses a subscriber has attempted to send email to for every unique recipient email address.
• Total Senders per Unique Sender - Total number of sender email addresses a subscriber has attempted to send from for every unique sender email address.
• Attempted Messages per Successful - Total number of email messages a subscriber has attempted to send for every successfully sent email.

Configuring the report


You must first run the Spam Attacks by Spammer report in order to drill down to this report for a particular attack by a spammer.

Interpreting the report


• an understanding of the thresholds that are in place is critical to interpreting this report.
• use this report to identify exactly what thresholds a subscriber has exceeded to be deemed a spammer.
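The metric groups in the Spam Attack Details table (accumulated totals, rate/hour uniques, and like-for-like ratios), together with the counts behind the Message Details and SMTP State charts, can all be derived from per-session SMTP records. The following is an added example, not code from the Sandvine product or this guide; the session record layout, the threshold values, and the helper names are assumptions for illustration. Accumulated totals are computed but never compared, matching the note that they are not in rate/hour; everything else is compared with its threshold and flagged the way the red cells in the report are.

```python
# Constructed sample: SMTP sessions observed from one subscriber during a
# one-hour window. Field names are assumptions for this example only.
SESSIONS = [
    {"server": "198.51.100.10", "ehlo": "pc-1.example",
     "senders": ["alice@home.example"],
     "recipients": ["u1@dom1.example", "u2@dom1.example", "u3@dom2.example"],
     "attempted": 3, "delivered": 1, "errors": 2, "resets": 2},
    {"server": "198.51.100.10", "ehlo": "pc-1.example",
     "senders": ["alice@home.example", "promo@shop.example"],
     "recipients": ["u1@dom1.example", "u4@dom3.example"],
     "attempted": 2, "delivered": 2, "errors": 0, "resets": 1},
    {"server": "198.51.100.20", "ehlo": "host-77.example",
     "senders": ["promo@shop.example"],
     "recipients": ["u5@dom1.example"],
     "attempted": 1, "delivered": 0, "errors": 1, "resets": 0},
]

# Hypothetical thresholds (rate/hour for the "Unique" group, plain ratios for
# the comparison group). Real values come from the WDTM rule configuration.
THRESHOLDS = {
    "Unique Recipients": 4, "Unique Recipient Domains": 10,
    "Unique Senders": 1, "Unique Sender Domains": 5, "Unique EHLO Names": 3,
    "Total Recipients per Unique Recipient": 3.0,
    "Total Senders per Unique Sender": 1.5,
    "Attempted Messages per Successful": 5.0,
}


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def uniq(items):
    return len(set(items))


def accumulated_totals(sessions):
    """Running totals (Sessions, Errors, Resets, ...): never compared with thresholds."""
    return {
        "Sessions": len(sessions),
        "Errors": sum(s["errors"] for s in sessions),
        "Resets": sum(s["resets"] for s in sessions),
        "Total Recipients": sum(len(s["recipients"]) for s in sessions),
        "Attempted Messages": sum(s["attempted"] for s in sessions),
    }


def threshold_metrics(sessions, window_hours=1.0):
    """Rate/hour and ratio metrics that the report does compare with thresholds."""
    recips = [r for s in sessions for r in s["recipients"]]
    senders = [x for s in sessions for x in s["senders"]]
    delivered = sum(s["delivered"] for s in sessions)
    return {
        # Rate/hour group: distinct values seen, scaled to the window length.
        "Unique Recipients": uniq(recips) / window_hours,
        "Unique Recipient Domains": uniq(map(domain, recips)) / window_hours,
        "Unique Senders": uniq(senders) / window_hours,
        "Unique Sender Domains": uniq(map(domain, senders)) / window_hours,
        "Unique EHLO Names": uniq(s["ehlo"] for s in sessions) / window_hours,
        # Comparison group: like-for-like ratios, independent of window length.
        "Total Recipients per Unique Recipient": len(recips) / max(uniq(recips), 1),
        "Total Senders per Unique Sender": len(senders) / max(uniq(senders), 1),
        "Attempted Messages per Successful":
            sum(s["attempted"] for s in sessions) / max(delivered, 1),
    }


def evaluate(sessions, thresholds, window_hours=1.0):
    """Return {metric: (value, threshold, exceeded)}; 'exceeded' is the red cell."""
    out = {}
    for name, value in threshold_metrics(sessions, window_hours).items():
        limit = thresholds[name]
        out[name] = (value, limit, value > limit)
    return out


def exceeded(sessions, thresholds, window_hours=1.0):
    """Names of the metrics that would be shown in red, sorted for stable output."""
    return sorted(name for name, (_, _, red)
                  in evaluate(sessions, thresholds, window_hours).items() if red)


if __name__ == "__main__":
    for name, total in accumulated_totals(SESSIONS).items():
        print(f"{name:40s} {total:6}  (accumulated, not compared)")
    for name, (value, limit, red) in evaluate(SESSIONS, THRESHOLDS).items():
        print(f"{name:40s} {value:6.2f}  threshold {limit:5}  {'RED' if red else ''}")
```

Running the sample flags Unique Recipients, Unique Senders and Total Senders per Unique Sender, which is the kind of combination the Interpreting notes describe: a host rotating sender addresses across many recipients rather than one user sending a few messages.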

Spam Detections
Overview
Use the Spam Attacks by Spammer report to provide detailed information on specific Spam parameters. The parameters that appear on
this report relate directly to spam detection metrics.
Use this report to examine the specific values for a spam attack.
The report contains the following table:
• Spammer - The IP address of the subscriber.
• Network - The network associated with the host IP address.
• Active Time - The cumulative time malicious traffic was actually detected during the report period.
• Total Recipients - The cumulative total of recipients a subscriber has attempted to send an email to.
• Attempted Messages - The cumulative total email messages a subscriber has attempted to send.
• Sessions - The cumulative total SMTP sessions a subscriber has initiated with all SMTP servers.
• Errors - The cumulative total errors a subscriber has received from all SMTP servers.
• Resets - The cumulative total RSET commands a subscriber has issued during all SMTP sessions.
• Unique Recipients - The number of unique recipients discovered per hour that a subscriber has attempted to send email to.
• Unique Recipient Domains - The number of unique recipient domains discovered per hour that a subscriber has attempted to send email to.
• Unique Senders - The number of unique sender email addresses discovered per hour that a subscriber has attempted to send email from.
• Unique Sender Domains - The number of unique sender domains discovered per hour that a subscriber has attempted to send email from.
• Unique Servers - The number of unique SMTP servers discovered per hour that a subscriber has connected to.
• Unique EHLO Names - The number of unique connection names or IP addresses discovered per hour that a subscriber used when connecting to an SMTP server.
• Bytes - The total number of bytes sent.
• Last Detected - The date and time in the current time zone that the attack was last detected.
• View Audit - If a check mark is present, an action has been applied and there is an audit log on the details. If the check mark is not present, WDTM is monitoring traffic for this host, but no mitigation actions have been applied. This will happen if a host has not crossed the rule's high thresholds. In this case, WDTM has identified that this is a real attack, but WDTM has only been configured to mitigate above specific thresholds.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols and protocol categories that you wish to monitor.

Interpreting the report


• examine total recipients (default sort order) to see the impact on the network.
• examine the values to determine the severity of the spam infection.
• each entry in the table is one spam detection. One entry may represent a long-lived detection.
• sort by Last Detected to see the most current detection.
Drilldowns
Spam Attacks by Spammer
To view additional information about spam attacks for a specific spammer, drilldown uses the source IP address.
Malicious Bandwidth by Source
To examine the address scan malicious bandwidth for a specific host for the reporting period, drilldown uses the source IP address.
Bandwidth by Subscriber
To examine the bandwidth for a specific subscriber for the reporting period, drilldown uses the source subscriber and is only available if
the source subscriber is known.
Message Details by Spammer
To examine recipient details for the spam attack, drilldown uses the source IP address. This report indicates the number of attempted
messages and recipients.
SMTP State by Spammer
To examine the SMTP state for the spammer, drilldown uses the source IP address.
Malicious Bandwidth by Source
To examine the user bandwidth malicious bandwidth for a specific host for the reporting period, drilldown uses the source IP address.
Audit Log by Detection
To examine the audit log for a specific attack, drilldown uses the attack identification and is only available if the View Audit column is
checked. If the check mark is not present, no actions have been applied and no drilldown is available.

Spammer Contribution
Overview
Use the Spammer Contribution report to compare the total email traffic with that which was detected as being spam for the reporting
period. Use this report to see how much of the email traffic on the network is actually spam.
The report contains the following chart:
• Spammer Contribution - Overlaid area chart identifying the detected email and spam-based traffic.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.

Interpreting the report


• look for large spikes which may indicate a new attack that warrants further investigation.
• use this report to ascertain what is spam background traffic on the network.

Top Spammers
Overview
Use the Top Spammers report to identify the top N subscribers who are sending spam (default is top 100).
The report contains the following table:
• Spammer - The IP address of the subscriber.
• Network - The network subnet associated with the host IP address.
• Active Time - Cumulative time malicious traffic was actually detected during the report period.
• Total Recipients - Total number of recipients a subscriber has attempted to send email to.
• Attempted Messages - Total number of email messages a subscriber has attempted to send.
• Sessions - The total number of SMTP sessions a subscriber has initiated with all SMTP servers.
• Bytes - The number of bytes sent.
• Last Detected - The date and time in the current time zone that the attack was last detected.
• View Audit - If a check mark is present, an action has been applied and there is an audit log on the details. If the check mark is not present, WDTM is monitoring traffic for this host, but no mitigation actions have been applied. This will happen if a host has not crossed the rule's high thresholds. In this case, WDTM has identified that this is a real attack, but WDTM has only been configured to mitigate above specific thresholds.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols and protocol categories that you wish to monitor.

Interpreting the report


• each spammer will appear on this report once.
• table is sorted by default on the Recipients field. The number of recipients can have the greatest impact on the network.
• sort on Bytes to see which spammer is using the most bandwidth.
• examine the View Audit column to see which attacks have not been mitigated and may require mitigation.
Drilldowns
Spam Attacks by Spammer
To view additional information about spam attacks for a specific spammer, drilldown uses the source IP address.
Malicious Bandwidth by Source
To examine the address scan malicious bandwidth for a specific host for the reporting period, drilldown uses the source IP address.
Bandwidth by Subscriber
To examine the bandwidth for a specific subscriber for the reporting period, drilldown uses the source subscriber and is only available if
the source subscriber is known.
Message Details by Spammer
To examine recipient details for the spam attack, drilldown uses the source IP address. This report indicates the number of attempted
messages and recipients.
SMTP State by Spammer
To examine the SMTP state for the spammer, drilldown uses the source IP address.
Malicious Bandwidth by Source
To examine the user bandwidth malicious bandwidth for a specific host for the reporting period, drilldown uses the source IP address.
Audit Log by Detection
To examine the audit log for a specific attack, drilldown uses the attack identification and is only available if the View Audit column is
checked. If the check mark is not present, no actions have been applied and no drilldown is available.

Malicious Bandwidth
Applications/Malware by Port
Overview
Use the Application/Malware by Port report to identify the typical applications and malware encountered on specific ports. This report is
provided for informational purposes only.
The report contains the following two tables:
• Typical Applications by Port - table identifying all of the known applications that typically run on the specified ports.
• Typical Malware by Port - table identifying all of the known malware that typically runs on the specified ports.
Configuring the report
Select the TCP/UDP ports that you wish to view applications and malware for.

Interpreting the report


Typical Applications by Port
• highlights the applications that are standardized for a specific port. For a complete list, please visit IANA.
Typical Malware by Port
• highlights the malware that is known to target a specific port.

Audit Log
Overview
Use the Audit Log report to identify the actions taken by the WDTM for malicious traffic based on the selected networks for the report
period. Each record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to
confirm what actions were taken for a host and when the action was taken.

The following information is presented in the Audit Log report:


• Host - The IP address of the host under attack.
• Audit Time - The time stamp (date and time in the time zone of the current database) when the action was applied.
• Action Taken - The action taken will be a malicious traffic mitigation action such as limit-flows-in, limit-flows-out, limit-pattern, reroute, nullroute, email-alert, shell command and so forth.
• State - There are four possible states for a mitigation action:
  • Action Begin - action has started for this detection.
  • Action End - action has been removed for this detection.
  • Reaffirm - action is already in place and reaffirmed.
  • Negate - multiple malicious detections are being simultaneously mitigated by this action, and one of these detections has ended. The action remains in place until all of the detections being mitigated have ended. This only applies to complex rules where the same host has multiple detections.
• Attack Confirmation - The time a new host was observed to be exhibiting malicious behaviour based on the number of events/time during the period.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.

Interpreting the report


Audit Log
• report is sorted on Audit Time to provide a chronological list of mitigation events.
• sort on the Host field to see if the same host is under multiple attacks.
• examine the Action Taken to identify the mitigation action that was taken.

Audit Log by Host


Overview
Use the Audit Log report to identify the actions taken by the WDTM for malicious traffic based on the selected networks for the report
period. Each record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to
confirm what actions were taken for a host and when the action was taken.

The following information is presented in the Audit Log report:


• Host - The IP address of the host under attack.
• Audit Time - The time stamp (date and time in the time zone of the current database) when the action was applied.
• Action Taken - The action taken will be a malicious traffic mitigation action such as limit-flows-in, limit-flows-out, limit-pattern, reroute, nullroute, email-alert, shell command and so forth.
• State - There are four possible states for a mitigation action:
  • Action Begin - action has started for this detection.
  • Action End - action has been removed for this detection.
  • Reaffirm - action is already in place and reaffirmed.
  • Negate - multiple malicious detections are being simultaneously mitigated by this action, and one of these detections has ended. The action remains in place until all of the detections being mitigated have ended. This only applies to complex rules where the same host has multiple detections.
• Attack Confirmation - The time a new host was observed to be exhibiting malicious behaviour based on the number of events/time during the period.

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.

Interpreting the report


Audit Log
• report is sorted on Audit Time to provide a chronological list of mitigation events.
• sort on the Host field to see if the same host is under multiple attacks.
• examine the Action Taken to identify the mitigation action that was taken.
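The four audit states described in the Audit Log and Audit Log by Host tables (Action Begin, Action End, Reaffirm, Negate) are easiest to reason about as a per-host, per-action set of detections that the action is currently covering. The following is an added example, not code from the Sandvine product or this guide; it models that bookkeeping for a constructed timeline. The record layout mirrors the report's columns, and the extra detection_id field is an assumption standing in for the attack identification the Audit Log by Detection drilldown uses.

```python
from dataclasses import dataclass


@dataclass
class AuditRecord:
    host: str
    audit_time: int           # seconds in this example; the report shows a full timestamp
    action_taken: str         # e.g. "nullroute", "limit-flows-out"
    state: str                # Action Begin | Action End | Reaffirm | Negate
    attack_confirmation: int  # when this detection was first confirmed
    detection_id: str         # assumed field: the attack identification used by the drilldown


class MitigationLedger:
    """Keeps, per (host, action), the detections that action is covering, and
    writes one audit record per state change, as the Audit Log report lists them."""

    def __init__(self):
        self._covering = {}   # (host, action) -> {detection_id: confirmation_time}
        self.log = []

    def detection_confirmed(self, t, host, detection_id, action):
        key = (host, action)
        dets = self._covering.setdefault(key, {})
        # Action Begin only when nothing was holding the action for this host;
        # otherwise the action is already in place and is reaffirmed.
        state = "Reaffirm" if dets else "Action Begin"
        confirmed_at = dets.setdefault(detection_id, t)
        self.log.append(AuditRecord(host, t, action, state, confirmed_at, detection_id))

    def detection_ended(self, t, host, detection_id, action):
        key = (host, action)
        dets = self._covering.get(key, {})
        confirmed_at = dets.pop(detection_id, t)
        if dets:
            # Complex rule: other detections still need the action, so it stays.
            state = "Negate"
        else:
            state = "Action End"
            self._covering.pop(key, None)
        self.log.append(AuditRecord(host, t, action, state, confirmed_at, detection_id))

    def active_actions(self):
        """Snapshot of which actions are still applied and for which detections."""
        return {key: set(dets) for key, dets in self._covering.items()}


def chronological(log):
    """The report's default view: sorted on Audit Time."""
    return sorted(log, key=lambda r: r.audit_time)


def hosts_with_multiple_detections(log):
    """The 'sort on the Host field' check: hosts whose trail names more than one detection."""
    seen = {}
    for r in log:
        seen.setdefault(r.host, set()).add(r.detection_id)
    return sorted(host for host, ids in seen.items() if len(ids) > 1)


def run_scenario():
    """Constructed timeline: one host under a complex rule with two detections,
    then a second host with a single detection."""
    ledger = MitigationLedger()
    ledger.detection_confirmed(0,  "192.0.2.10", "det-1", "nullroute")
    ledger.detection_confirmed(5,  "192.0.2.10", "det-2", "nullroute")
    ledger.detection_confirmed(10, "192.0.2.10", "det-1", "nullroute")
    ledger.detection_ended(15,     "192.0.2.10", "det-1", "nullroute")
    ledger.detection_ended(20,     "192.0.2.10", "det-2", "nullroute")
    ledger.detection_confirmed(30, "192.0.2.11", "det-3", "limit-flows-out")
    return ledger


if __name__ == "__main__":
    ledger = run_scenario()
    for r in chronological(ledger.log):
        print(f"{r.audit_time:3d}s {r.host:12s} {r.action_taken:16s} {r.state:13s} {r.detection_id}")
    print("still applied:", ledger.active_actions())
```

The sequence produced for 192.0.2.10 is Action Begin, Reaffirm, Reaffirm, Negate, Action End: the first ending detection only negates because det-2 still holds the nullroute, and the action is removed only when the last detection ends.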

Malicious Bandwidth
Overview
Use the Malicious Bandwidth report to identify the malicious bandwidth detected across the selected networks for the report period. Use
this report to examine the total malicious bandwidth for selected protocols and to see how much of this bandwidth was mitigated by the
WDTM.
The report contains the following two charts:
• Malicious Bandwidth - Stacked area chart identifying the detected malicious bandwidth identified by traffic type.
• Mitigated Bandwidth - Stacked area chart identifying the detected malicious bandwidth that was mitigated by the WDTM by traffic type. Malicious bandwidth that is detected and managed by actions that do not drop packets is not shown on this chart.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal, external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks for the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.

Interpreting the report


Malicious Bandwidth
• look for consistently high bandwidth. This may indicate ongoing background activity on the network.
• look for spikes as this may indicate a new occurrence that requires mitigation.
• use this chart to see the history of malicious traffic and to determine what is "steady state", and what is a change that
requires further investigation.
Mitigated Bandwidth
• use this chart to verify existing WDTM thresholds with respect to the overall mitigation strategy.

Note: for a given detection type it is possible for the dropped bandwidth to be less than the malicious bandwidth. To understand why, it is necessary to understand how the WDTM Detection Engine and WDTM Detection Aggregator work. When an attack starts, it is analyzed by the WDTM Detection Engine. During this time, the attack is not confirmed, but its bytes and packets are counted. When the Detection Engine determines that thresholds were crossed (as specified by detection-config rules) the event is reported to the WDTM Detection Aggregator, which is responsible for aggregating detection events in an attempt to reduce false positives. When the Detection Aggregator confirms that the event(s) constitute an attack because timed-host-percent thresholds were crossed (as specified by aggregator-config rules), it applies mitigation actions (as specified by wmd-rules). At this point, the bytes/packets counted before the attack was confirmed are logged as malicious bytes/packets and show up in the Malicious Bandwidth/Malicious Packet Rate graphs. This counted malicious traffic is impossible to mitigate, since that would require knowing the traffic was malicious before it looked malicious, so it is not counted as mitigated. Since new malicious traffic is always being detected for the first time, this means that overall, malicious traffic will typically be greater than mitigated traffic.
For some detections, this contrast between malicious and mitigated is much larger. Spam especially exhibits this large contrast. This is because the mitigated traffic is predominantly SYN packets that are dropped before the TCP flow is established. As a result, the minutes required to confirm a spam attack can produce many bytes and packets of unmitigated malicious traffic. When the attack is confirmed, although many bytes and packets are in theory mitigated by dropping the flow, we can only honestly report the very small fraction of that traffic that was actually mitigated on the wire, specifically the SYN packets.
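The accounting described in the note above (everything seen during a detection counts as malicious, but only packets actually dropped after confirmation count as mitigated) can be shown on a constructed packet trace. The following is an added example, not code from the Sandvine product or this guide; the trace, the confirmation delay and the two drop policies are assumptions chosen to reproduce the spam case, where only SYN packets remain on the wire once the flow-dropping action is in place.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "t bytes syn")   # time (s), size (bytes), TCP SYN flag


def spam_trace(confirm_at):
    """Constructed trace for one spamming host (not captured data).
    Before confirmation: three complete SMTP flows, each a SYN plus ten data packets.
    After confirmation: only SYN attempts, because a dropped SYN never establishes
    a flow, so no data packets from those flows ever reach the wire."""
    trace = []
    for start in (0, 60, 120):
        trace.append(Pkt(start, 60, True))
        trace += [Pkt(start + i, 1500, False) for i in range(1, 11)]
    for t in range(confirm_at, confirm_at + 300, 30):
        trace.append(Pkt(t, 60, True))
    return trace


def account(trace, confirm_at, drops_packet):
    """Split a detection's traffic the way the Malicious and Mitigated charts do.
    Every packet of the detection counts as malicious, including those seen while
    the Detection Engine and Aggregator were still deciding. Only packets the
    action actually dropped after confirmation count as mitigated."""
    totals = {"malicious_bytes": 0, "malicious_packets": 0,
              "mitigated_bytes": 0, "mitigated_packets": 0}
    for p in trace:
        totals["malicious_bytes"] += p.bytes
        totals["malicious_packets"] += 1
        if p.t >= confirm_at and drops_packet(p):
            totals["mitigated_bytes"] += p.bytes
            totals["mitigated_packets"] += 1
    return totals


def drop_syn(p):
    """A flow-dropping action: after confirmation only SYNs are on the wire to drop."""
    return p.syn


def drop_nothing(p):
    """An action such as email-alert that manages the detection without dropping packets;
    such detections do not appear on the Mitigated chart at all."""
    return False


def mitigated_fraction(totals):
    return totals["mitigated_bytes"] / totals["malicious_bytes"]


if __name__ == "__main__":
    confirm_at = 180   # assumed: aggregator confirms three minutes after the first flow
    trace = spam_trace(confirm_at)
    for name, policy in (("drop flows", drop_syn), ("email-alert", drop_nothing)):
        totals = account(trace, confirm_at, policy)
        print(name, totals, f"mitigated {100 * mitigated_fraction(totals):.1f}% of bytes")
```

With the flow-dropping policy the malicious series carries the full pre-confirmation flows plus the SYN retries, while the mitigated series carries only the dropped SYNs, a little over one percent of the bytes. That gap is the expected picture for a spam detection, not a sign that mitigation failed.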

Note: because this data is presented as a running average, peak values may appear to scale depending on the configured time interval for the report. If you are looking for finer-grained accuracy, it is generally recommended that you run the report for a shorter interval of time. The scaling issue results from peak values being diluted over the interval of the report. For example, if you chose to report on data for a one-week period of time, that reporting interval may be broken up into one-hour segments within the chart. Let's assume that if we took four consecutive plotted points within the chart we had the series (4, 5, 17, 5). These values would represent the average rate of events for each particular hour. If we re-ran the report with a two-week time period, we would find that in this particular time range we would have fewer bins with lower values. In this example, we would expect to see the following series of values for the same time points: (4.5, 11). This is caused by the fact that the two-week report must collapse time bins, which dilutes peak values through averaging.

Malicious Hosts
Overview
Use the Malicious Hosts report to identify the malicious hosts detected across the selected networks for the report period. Use this report
to examine the total malicious hosts for selected protocols and to see how many of the hosts were mitigated by the WDTM.
The report contains the following two charts:
• Malicious Hosts - Stacked area chart identifying the detected malicious hosts identified by traffic type.
• Mitigated Hosts - Stacked area chart identifying the detected malicious hosts that were mitigated by the WDTM by traffic
type. Malicious hosts that are detected and managed by actions that do not drop packets are not shown on this chart.
Configuring the report
Select a time period and the elements you wish to monitor for malicious hosts. You can build virtual clusters of Sandvine elements using
the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.

Interpreting the report


Malicious Hosts
• look for spikes, which may show that multiple new users are infected.
• use this report to see the history of malicious hosts to determine what is "steady state" and what is a change that requires
further investigation.
Mitigated Hosts
• use this chart to verify existing WDTM thresholds with respect to the overall mitigation strategy.

Note: these charts display raw count totals. This can make the reports appear to give different peak results, because the values are re-scaled over different time intervals. For example, if you chose to report on data for a one-week period of time, that reporting interval may be broken up into one-hour segments within the chart. Let's assume that if we took four consecutive plotted points within the chart we had the series (4, 7, 13, 17). These values would represent the total number of events for each particular hour. If we re-ran the report with a two-week time period, we would find that in this particular time range we would have fewer bins but with higher values. In this example, we would expect to see the following series of values for the same time points: (11, 30). This is caused by the fact that the two-week report must collapse time bins, which in turn stacks the resulting bin values.

Malicious Packet Rate


Overview
Use the Malicious Packet Rate report to identify the malicious packets detected across the selected networks for the report period. Use this
report to examine the total malicious packets for selected protocols and to see how much of this bandwidth was mitigated by the WDTM.
The report contains the following two charts:
• Malicious Packet Rate - Stacked area chart identifying the detected malicious packets identified by traffic type.
• Mitigated Packet Rate - Stacked area chart identifying the detected malicious packets that were mitigated by the WDTM by
traffic type. Malicious packets that are detected and managed by actions that do not drop packets are not shown on this chart.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network lists.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.

Interpreting the report


Malicious Packet Rate
• look for spikes which may indicate that multiple new users are infected.
• use this chart to see the history of malicious traffic and to determine what is "steady state", and what is a change that
requires further investigation.
Mitigated Packet Rate
• use this chart to verify existing WDTM thresholds with respect to the overall mitigation strategy.

Note: because this data is presented as a running average, peak values may appear to scale depending on the configured time interval for the report. If you are looking for finer-grained accuracy, it is generally recommended that you run the report for a shorter interval of time. The scaling issue results from peak values being diluted over the interval of the report. For example, if you chose to report on data for a one-week period of time, that reporting interval may be broken up into one-hour segments within the chart. Let's assume that if we took four consecutive plotted points within the chart we had the series (4, 5, 17, 5). These values would represent the average rate of events for each particular hour. If we re-ran the report with a two-week time period, we would find that in this particular time range we would have fewer bins with lower values. In this example, we would expect to see the following series of values for the same time points: (4.5, 11). This is caused by the fact that the two-week report must collapse time bins, which dilutes peak values through averaging.
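The two kinds of note repeated across the Spam, Malicious Hosts, Malicious Bandwidth and Malicious Packet Rate reports describe the same operation with two different aggregations: collapsing fine time bins into coarse ones by summing (raw count charts, where peaks stack) or by averaging (running-average rate charts, where peaks dilute). The following is an added example, not code from the Sandvine product or this guide; it reproduces both worked series from the notes and generalises to any collapse factor, including a trailing partial chunk.

```python
def rebin(values, factor, how):
    """Collapse each run of `factor` consecutive bins into one.

    how="sum"  : raw count totals (Malicious Hosts / Mitigated Hosts charts);
                 values stack, so peaks grow.
    how="mean" : running-average rates (Malicious Bandwidth / Packet Rate);
                 values are averaged, so peaks are diluted.
    A trailing partial chunk is kept and handled the same way.
    """
    if factor < 1:
        raise ValueError("factor must be >= 1")
    if how not in ("sum", "mean"):
        raise ValueError("how must be 'sum' or 'mean'")
    out = []
    for i in range(0, len(values), factor):
        chunk = values[i:i + factor]
        out.append(sum(chunk) if how == "sum" else sum(chunk) / len(chunk))
    return out


def peak_shift(values, factor, how):
    """Return (peak in the fine bins, peak after collapsing) to show the effect."""
    return max(values), max(rebin(values, factor, how))


if __name__ == "__main__":
    counts = [4, 7, 13, 17]   # one-hour bins from the count note
    rates = [4, 5, 17, 5]     # one-hour bins from the rate note
    print("counts, two-week view:", rebin(counts, 2, "sum"))
    print("rates,  two-week view:", rebin(rates, 2, "mean"))
    print("count peak (fine, coarse):", peak_shift(counts, 2, "sum"))
    print("rate peak  (fine, coarse):", peak_shift(rates, 2, "mean"))
```

Comparing peak_shift for the two cases is the practical takeaway: the same hour-17 peak becomes 30 on a count chart and 11 on a rate chart once bins are doubled, so a threshold judged against a two-week view is not the threshold the detector actually applies on the hour.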

by Server
Efficiency
Overview
The DNS Efficiency report provides a general overview of the capability of the DNS system to service requests at any point in time. This report measures the total number of responses over a period of time against the total number of requests during the same period.
The report contains the following chart:
• DNS Efficiency - area chart outlining the percentage of all requests that receive a response.
Configuring the report
Select a time period and the elements you wish to monitor for DNS requests and responses. You can build virtual clusters of Sandvine elements using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select the networks that contain the DNS servers you wish to report against in the
Destination Network.
The DNS Server Selection area allows you to select individual DNS servers to report against.
Finally, select the DNS request and response types you wish to monitor.

Interpreting the report


• use the report to identify reliability of DNS server response rate.
• use in combination with the "Warning" and "Fail" thresholds to identify periods where the server efficiency falls below these
thresholds.

Mean Time to Respond


Overview
The DNS Mean Time to Respond report provides a specific measurement of requests being fulfilled or not and can be used to pinpoint
degradation and trigger potential responses to such degradation.
The report contains the following chart:
• Mean Time to Respond - line chart outlining the average time for DNS requests from subscribers or other hosts to the
corresponding domain name server response.
Configuring the report
Select a time period and the elements you wish to monitor for DNS requests and responses. You can build virtual clusters of Sandvine elements using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select the networks that contain the DNS servers you wish to report against in the
Destination Network.
The DNS Server Selection area allows you to select individual DNS servers to report against.
Finally, select the DNS request and response types you wish to monitor.

Interpreting the report


• use in combination with the "Warning" and "Fail" thresholds to identify periods where the server MTTR is not meeting these
targets.

MTTR Histogram
Overview
The Mean Time to Respond Histogram report displays a frequency distribution of the mean time to respond to requests.
The report contains the following chart:
• Mean Time to Respond Histogram - histogram chart outlining the total number of responses that occurred in an elapsed
time bin measured in milliseconds.
Configuring the report
Select a time period and the elements you wish to monitor for DNS requests|responses. You can build virtual clusters of Sandvine
elements using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select the networks that contain the DNS servers you wish to report against in the
Destination Network.
The DNS Server Selection area allows you to select individual DNS servers to report against.

Interpreting the report


• the goal is to have the highest volume of requests in the lowest response time bin.
• if the histogram is skewed with the highest volume being in the higher response time bins, a problem exists.

Server Performance Summary


Overview
The DNS Server Performance Analysis report displays a number of summary reports for the selected DNS server. The report contains the
following items:
• Dashboard Over Time - table displaying the Mean Time to Respond and Efficiency for the previous hour, day, week, and
month.
• DNS Requests - stacked area chart displaying the number of requests per second during the reporting period.
• DNS Responses - stacked area chart displaying the number of responses per second during the reporting period.
• DNS Efficiency - area chart outlining the percentage of all requests that receive a response.
• Mean Time to Respond - line chart outlining the average time of DNS requests from subscribers or other hosts to the
corresponding domain name server response.
• Mean Time to Respond Histogram - histogram chart outlining the total number of responses that occurred in an elapsed
time bin measured in milliseconds.
Interpreting the report
• use this report to evaluate performance for the reporting period.
• compare the DNS Requests and DNS Responses charts to determine if the number of responses is significantly less than the
number of requests. If this occurs, further investigation is warranted.
• examine the Mean Time to Respond Histogram to ensure that the highest volume of responses is in the lowest time frame
bin. If the report is skewed toward a higher response time, further investigation is warranted.

Volume
Overview
Use the DNS Volume report to identify the number of DNS requests and responses directed to each configured DNS server.
The report contains the following two charts iterated for each detected DNS server:
• DNS Requests - Stacked area chart showing the number of DNS requests for each selected type from the originating network
to the DNS server or network.
• DNS Responses - Stacked area chart showing the number of DNS responses for each selected type from the DNS server to
the originating network.
Configuring the report
Select a time period and the elements you wish to monitor for DNS requests|responses. You can build virtual clusters of Sandvine
elements using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select the networks that contain the DNS servers you wish to report against in the
Destination Network.
Finally, select the DNS request and response types you wish to monitor.

Interpreting the report


• use the report to identify the distribution of DNS request|response types.
• use the report to identify what is considered to be 'normal' DNS traffic for your network.
• compare the rate of requests. An unusually high volume over a short period of time may indicate malicious intent.

DNS Service Quality Assurance


Network Summary
Overview
The DNS Network Dashboard report provides an overview of the most recent performance of the DNS servers across the entire network.
This report provides the MTTR and DNS efficiency metric for the collection of DNS servers across the entire network.
The report contains the following table:
• Status - Indicates the status of the MTTR and DNS efficiency metrics. Values include:
Fail - highlighted in red; indicates that the network has dropped below an MTTR or DNS threshold.
Pass - indicates that the network has met or exceeded the MTTR and DNS thresholds.
Warning - indicates that either the MTTR or the DNS metric is approaching a fail threshold.
• Network - The network name.
• Server Health - The ratio of the number of DNS servers with a Pass status to the total number of DNS servers. For example, 9/10
indicates that for a group of 10 servers, 9 have Pass status.
• Efficiency - The aggregate ratio of successful requests to failed requests for each DNS server.
• Mean Time to Respond - Mean time to respond to a request, measured in milliseconds/response.

Configuring the report


Select a time period and the elements you wish to monitor for DNS requests|responses. You can build virtual clusters of Sandvine
elements using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select the networks that contain the DNS servers you wish to report against in the
Destination Network.

Drilldowns
DNS Server Dashboard
To examine details on specific DNS servers within a network, click the network to drill down to the DNS Server Dashboard.

Interpreting the report


• use this report to identify networks which are not meeting the targets and require further investigation or remediation.
• a status of "Fail" is critical and should be immediately investigated.
• a status of "Warning" indicates that for at least one of the metrics, the Fail threshold is being approached.

Server Summary
Overview
The DNS Server Dashboard report provides an overview of the most recent performance of the DNS servers across the entire cluster. This
report provides the MTTR and DNS efficiency metric for each DNS server aggregated across the entire cluster.
The report contains the following table:
• Status - Indicates the status of the MTTR and DNS efficiency metrics. Values include:
Fail - highlighted in red; indicates that the server has dropped below an MTTR or DNS threshold.
Pass - indicates that the server has met or exceeded the MTTR and DNS thresholds.
Warning - indicates that either the MTTR or the DNS metric is approaching a fail threshold.
• DNS Server - IP address of the DNS server.
• Efficiency - The aggregate ratio of successful requests to failed requests for each DNS server.
• Mean Time to Respond - Mean time to respond to a request, measured in milliseconds/response.

Configuring the report


Select a time period and the elements you wish to monitor for DNS requests|responses. You can build virtual clusters of Sandvine
elements using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select the networks that contain the DNS servers you wish to report against in the
Destination Network.

Drilldowns
DNS Server Performance Analysis
To examine details on a specific DNS server within a network, click the DNS Server IP address.

Interpreting the report


• use this report to identify individual servers which are not meeting the targets and require further investigation or
remediation.

by Protocol
Bandwidth by Protocol
Overview
Use the Bandwidth by Protocol report to identify the amount of bandwidth being consumed for selected protocols. Use this information to
see the net effect of protocol traffic over the specified networks.
The report contains the following chart:
• Bandwidth by Protocol - Stacked area chart showing the amount of bandwidth consumed by each selected protocol. This is
measured as the average bitrate (bits per second) over time.
Configuring the report
Select a time period and the elements you wish to monitor for protocol bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Finally, select the protocols and protocol categories that you wish to monitor. It is recommended that you analyze 5-10 protocols at a
time.

Interpreting the report


Bandwidth by Protocol
• highlights the most popular protocols that are consuming network bandwidth

Note: because this data is presented as a running average, peak values may appear to scale with the
configured time interval of the report. If you are looking for higher-grain accuracy, it is generally
recommended that you run the report for a shorter interval of time. The scaling issue results from peak
values being diluted over the interval of the report. For example, if you chose to report on data for a
one-week period of time, that reporting interval may be broken up into one-hour segments within the
chart. Let's assume that four consecutive plotted points within the chart had the series (4, 5, 17, 5).
These values would represent the average rate of events for each particular hour. If we re-ran the
report with a two-week time period, we would find that the same time range has fewer bins with lower
values: in this example, we would expect to see the series (4.5, 11) for the same time points. This is
caused by the fact that the two-week report must collapse time bins, which dilutes peak values through
averaging.

Connections by Protocol
Overview
Use the Connections by Protocol report to identify the number of connection attempts per protocol and network. The report contains the
following three charts:
• Connections - Stacked bar chart showing the total number of active connections during the reporting interval.
• New connections - Stacked bar chart showing the total number of new connections created during the reporting interval.
• Peak connections - Stacked bar chart showing the peak number of concurrent active connections over the reporting interval.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols for which you wish to monitor connections. Selecting a large number of protocols may reduce the
visibility of these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.

Interpreting the report


Connections
• This report shows the total number of active connections in each reporting interval.
• If a connection starts in one interval and remains connected through the next few intervals, it will be counted in every one of
these intervals.
New connections
• This report shows the total number of new connections initiated in each reporting interval.
• For example, in a single 15-minute interval, Connection A starts and stops and Connection B starts and stops. The number of
new connections in that interval is 2.
• If a connection starts in one interval and remains connected through the next few intervals, it will be counted as only 1
new connection overall, in the interval in which it started.
Peak connections
• This report shows the peak number of concurrent active connections over the reporting interval.
• If a connection starts in one interval and remains connected through the next few intervals, it will be counted in every one of
those intervals.
• For example, if Connection A starts and stops, and then Connection B starts and stops, peak connections is 1. If Connection A
starts, then Connection B starts, then Connection A ends, then Connection B ends, peak connections is 2.

Hosts by Protocol
Overview
Use the Hosts by Protocol report to identify the number of hosts using the specified protocols. The Hosts by Protocol, by default, contains
a single chart showing the maximum number of unique hosts seen in a single PTS logging interval per protocol and network. This report
has two optional components.
• Hosts - Stacked bar chart showing the maximum number of unique hosts that had active connections in a single PTS logging
interval for the specified protocols.
• Peak Hosts (optional) - Stacked bar chart used for legacy purposes.
• New Hosts (optional) - Stacked bar chart showing the total number of hosts that started a connection in each reporting
interval for the specified protocols.

Configuring the report
Select a time period and the elements you wish to monitor for host stats. You can build virtual clusters of Sandvine elements using the
Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols for which you wish to monitor the number of hosts. Selecting a large number of protocols may reduce the
visibility of these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.

Interpreting the report


Hosts
• This report shows the maximum number of unique hosts that had active connections in a single PTS logging interval (by
default 15 minutes) for the specified protocols.
• If a host starts and stops multiple times during the same reporting interval, it will only be counted once.
• If a host starts a connection in Interval 1 and remains connected through Intervals 2 and 3, it will be counted in
all three reporting intervals.
• When the reporting interval spans multiple logging intervals, the peak value of the intervals will be used.
Peak hosts
• This report is inactive by default.
• When activated, it can be used to show any historic peak hosts count collected with PTS 5.4. After upgrading to PTS 5.5,
however, this report will show a zero count from the date of the upgrade.
New hosts
• This report is inactive by default.
• When activated, it will show the total number of hosts that started one or more connections in each reporting interval.

by Network
Redirected Network Flow Differential
Overview
The Network Flow Differential report shows the egress of traffic between different networks. This report clearly shows when uploads
exceed downloads per protocol and vice versa.

Configuring the report


Select a time period and the elements you wish to monitor for traffic flow. You can build virtual clusters of Sandvine elements using the
Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Finally, select the protocols for which you wish to monitor the traffic flow. Selecting a large number of protocols may reduce the visibility of
these items in the corresponding chart. It is recommended that you analyze 1 protocol at a time to avoid confusion and overlap.

Note: selecting the same networks in both Source Network and Destination Network will result in a chart
that has no data due to the same data being subtracted from itself.

Interpreting the report


• positive traffic implies that there is more bandwidth leaving your network.
• negative traffic implies that there is more bandwidth coming into your network.
• use this report to identify time-of-day trends between networks.

Redirected Network Flow Matrix


Overview
The Network Flow Matrix is a pivot table that allows you to summarize the volume of traffic between networks.
Two tables are provided:
• Total Byte Flow - identifies the actual number of bytes that are being transferred between peer networks.
• Percentage Byte Flow - identifies the number of bytes as a percentage that are being transferred between peer networks.
Configuring the report
Select a time period and the elements you wish to monitor for traffic flow. You can build virtual clusters of Sandvine elements using the
Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select all of the available networks for both Source Network and Destination
Network.
Finally, select the protocols for which you wish to monitor the traffic flow. It is recommended that you analyze all of the protocols together
in order to identify the total traffic flow, as the results of all protocols will be aggregated together.

Interpreting the report


Use the information from this report to understand the amount of traffic that is flowing between your configured networks. Follow the
intersection between columns and rows to understand exactly how much traffic is flowing between your networks. The egress of traffic is
represented as starting from the networks identified in the row and flowing to the network identified in the appropriate column. No value
in a cell indicates no traffic was present.
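The Network Flow Matrix and Network Flow Differential described above, as an added example that is not part of the guide or the product. It builds both pivot tables from constructed byte-count records and computes the differential for a chosen source/destination pair, including the same-networks case from the note above; the record layout is assumed, and the percentage table uses all bytes in the report as its denominator (also an assumption).

```python
from typing import Dict, Iterable, List, Tuple

# Constructed byte-count records (not from the page): (source_network, destination_network, bytes).
FLOWS: List[Tuple[str, str, int]] = [
    ("internal", "external", 600),
    ("internal", "external", 50),
    ("internal", "peer", 200),
    ("external", "internal", 1000),
    ("peer", "internal", 150),
]


def networks(flows) -> List[str]:
    """Every network that appears as a source or a destination."""
    return sorted({n for src, dst, _b in flows for n in (src, dst)})


def total_byte_flow(flows) -> Dict[str, Dict[str, int]]:
    """Total Byte Flow pivot: row = network the traffic leaves (egress), column = network it enters.
    A zero cell corresponds to the empty cell the report shows when no traffic was present."""
    nets = networks(flows)
    matrix = {src: {dst: 0 for dst in nets} for src in nets}
    for src, dst, nbytes in flows:
        matrix[src][dst] += nbytes
    return matrix


def percentage_byte_flow(flows) -> Dict[str, Dict[str, float]]:
    """Percentage Byte Flow: each cell as a percentage of all bytes in the report."""
    total = sum(b for _s, _d, b in flows)
    return {src: {dst: (100.0 * v / total if total else 0.0) for dst, v in row.items()}
            for src, row in total_byte_flow(flows).items()}


def flow_differential(flows, sources: Iterable[str], destinations: Iterable[str]) -> int:
    """Network Flow Differential: bytes egressing from the source networks to the destination
    networks minus bytes coming back. Positive = more traffic leaving your network,
    negative = more traffic coming in. Selecting the same networks on both sides subtracts
    the same data from itself and yields 0, which is why such a chart has no data."""
    m = total_byte_flow(flows)
    src, dst = set(sources), set(destinations)
    outbound = sum(m[s][d] for s in src for d in dst if s in m and d in m[s])
    inbound = sum(m[d][s] for s in src for d in dst if d in m and s in m[d])
    return outbound - inbound


if __name__ == "__main__":
    for row, cells in total_byte_flow(FLOWS).items():
        print(row, cells)
    print("internal -> external differential:", flow_differential(FLOWS, ["internal"], ["external"]))
```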

by Protocol
Bandwidth by Protocol
Overview
Use the Bandwidth by Protocol report to identify the amount of bandwidth being consumed for selected protocols. Use this information to
see the net effect of protocol traffic over the specified networks.
The report contains the following chart:
• Bandwidth by Protocol - Stacked area chart showing the amount of bandwidth consumed by each selected protocol. This is
measured as the average bitrate (bits per second) over time.
Configuring the report
Select a time period and the elements you wish to monitor for protocol bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Finally, select the protocols and protocol categories that you wish to monitor. It is recommended that you analyze 5-10 protocols at a
time.

Interpreting the report


Bandwidth by Protocol
• highlights the most popular protocols that are consuming network bandwidth

Note: because this data is presented as a running average, peak values may appear to scale with the
configured time interval of the report. If you are looking for higher-grain accuracy, it is generally
recommended that you run the report for a shorter interval of time. The scaling issue results from peak
values being diluted over the interval of the report. For example, if you chose to report on data for a
one-week period of time, that reporting interval may be broken up into one-hour segments within the
chart. Let's assume that four consecutive plotted points within the chart had the series (4, 5, 17, 5).
These values would represent the average rate of events for each particular hour. If we re-ran the
report with a two-week time period, we would find that the same time range has fewer bins with lower
values: in this example, we would expect to see the series (4.5, 11) for the same time points. This is
caused by the fact that the two-week report must collapse time bins, which dilutes peak values through
averaging.

Connections by Protocol
Overview
Use the Connections by Protocol report to identify the number of connection attempts per protocol and network. The report contains the
following three charts:
• Connections - Stacked bar chart showing the total number of active connections during the reporting interval.
• New connections - Stacked bar chart showing the total number of new connections created during the reporting interval.
• Peak connections - Stacked bar chart showing the peak number of concurrent active connections over the reporting interval.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols for which you wish to monitor connections. Selecting a large number of protocols may reduce the
visibility of these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.

Interpreting the report


Connections
• This report shows the total number of active connections in each reporting interval.
• If a connection starts in one interval and remains connected through the next few intervals, it will be counted in every one of
these intervals.
New connections
• This report shows the total number of new connections initiated in each reporting interval.
• For example, in a single 15-minute interval, Connection A starts and stops and Connection B starts and stops. The number of
new connections in that interval is 2.
• If a connection starts in one interval and remains connected through the next few intervals, it will be counted as only 1
new connection overall, in the interval in which it started.
Peak connections
• This report shows the peak number of concurrent active connections over the reporting interval.
• If a connection starts in one interval and remains connected through the next few intervals, it will be counted in every one of
those intervals.
• For example, if Connection A starts and stops, and then Connection B starts and stops, peak connections is 1. If Connection A
starts, then Connection B starts, then Connection A ends, then Connection B ends, peak connections is 2.

Hosts by Protocol
Overview
Use the Hosts by Protocol report to identify the number of hosts using the specified protocols. The Hosts by Protocol, by default, contains
a single chart showing the maximum number of unique hosts seen in a single PTS logging interval per protocol and network. This report
has two optional components.
• Hosts - Stacked bar chart showing the maximum number of unique hosts that had active connections in a single PTS logging
interval for the specified protocols.
• Peak Hosts (optional) - Stacked bar chart used for legacy purposes.
• New Hosts (optional) - Stacked bar chart showing the total number of hosts that started a connection in each reporting
interval for the specified protocols.

Configuring the report
Select a time period and the elements you wish to monitor for host stats. You can build virtual clusters of Sandvine elements using the
Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols for which you wish to monitor the number of hosts. Selecting a large number of protocols may reduce the
visibility of these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.

Interpreting the report


Hosts
• This report shows the maximum number of unique hosts that had active connections in a single PTS logging interval (by
default 15 minutes) for the specified protocols.
• If a host starts and stops multiple times during the same reporting interval, it will only be counted once.
• If a host starts a connection in Interval 1 and remains connected through Intervals 2 and 3, it will be counted in
all three reporting intervals.
• When the reporting interval spans multiple logging intervals, the peak value of the intervals will be used.
Peak hosts
• This report is inactive by default.
• When activated, it can be used to show any historic peak hosts count collected with PTS 5.4. After upgrading to PTS 5.5,
however, this report will show a zero count from the date of the upgrade.
New hosts
• This report is inactive by default.
• When activated, it will show the total number of hosts that started one or more connections in each reporting interval.
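The interval semantics spelled out under Connections by Protocol (Connections, New connections, Peak connections) and Hosts by Protocol (Hosts, New hosts), as an added example that is not part of the guide or the product. It computes each series from constructed connection records with the 15-minute logging interval the guide names; the record layout, the half-open treatment of start/end times, and the rule that a connection starting exactly when another ends is not concurrent are assumptions.

```python
from typing import Dict, List, Tuple

# Default PTS logging interval named by the guide: 15 minutes, expressed in seconds.
INTERVAL_S = 15 * 60

# Constructed connection records (not from the page): (host, start_s, end_s),
# seconds from the start of the report, half-open [start, end).
CONNECTIONS: List[Tuple[str, int, int]] = [
    ("h1", 10, 100),      # starts and stops inside interval 0
    ("h2", 200, 300),     # starts after the previous one ended: not concurrent with it
    ("h1", 500, 2000),    # spans intervals 0, 1 and 2
    ("h3", 700, 800),     # overlaps the long connection: two concurrent
    ("h3", 1000, 1100),   # host h3 again, in interval 1
    ("h3", 1200, 1300),   # same host, same interval: counted once in Hosts
    ("h2", 2500, 2600),   # interval 2, does not overlap the long connection
]


def _overlaps(start: int, end: int, lo: int, hi: int) -> bool:
    """True when [start, end) intersects the interval [lo, hi)."""
    return start < hi and end > lo


def _peak_concurrent(active, lo: int, hi: int) -> int:
    """Sweep line over the connections clipped to [lo, hi). At equal timestamps an end (-1)
    sorts before a start (+1), so Connection A stopping exactly when Connection B starts
    gives a peak of 1, as the guide's example expects."""
    events = []
    for _host, start, end in active:
        events.append((max(start, lo), +1))
        events.append((min(end, hi), -1))
    events.sort()
    peak = current = 0
    for _t, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def interval_metrics(connections, interval_s: int = INTERVAL_S) -> Dict[str, List[int]]:
    """Per-interval series behind the Connections by Protocol and Hosts by Protocol charts."""
    n = (max(end for _h, _s, end in connections) - 1) // interval_s + 1
    keys = ("connections", "new_connections", "peak_connections", "hosts", "new_hosts")
    out: Dict[str, List[int]] = {k: [0] * n for k in keys}
    for i in range(n):
        lo, hi = i * interval_s, (i + 1) * interval_s
        active = [c for c in connections if _overlaps(c[1], c[2], lo, hi)]
        started = [c for c in active if lo <= c[1] < hi]
        out["connections"][i] = len(active)          # counted in every interval it spans
        out["new_connections"][i] = len(started)     # counted only in the interval it started in
        out["peak_connections"][i] = _peak_concurrent(active, lo, hi)
        out["hosts"][i] = len({c[0] for c in active})     # unique hosts, once per interval
        out["new_hosts"][i] = len({c[0] for c in started})
    return out


def hosts_for_reporting_interval(metrics: Dict[str, List[int]], first: int, last: int) -> int:
    """Hosts chart: a reporting interval spanning several logging intervals shows their peak."""
    return max(metrics["hosts"][first:last + 1])


if __name__ == "__main__":
    m = interval_metrics(CONNECTIONS)
    for name, series in m.items():
        print(name, series)
    print("hosts over intervals 0-2:", hosts_for_reporting_interval(m, 0, 2))
```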

Redirected Bandwidth by Protocol


Overview
Use the Bandwidth by Protocol report to identify the amount of bandwidth being consumed for selected protocols. Use this information to
see the net effect of protocol traffic over the specified networks.
The report contains the following chart:
• Bandwidth by Protocol - Stacked area chart showing the amount of bandwidth consumed by each selected protocol. This is
measured as the average bitrate (bits per second) over time.
Configuring the report
Select a time period and the elements you wish to monitor for protocol bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Finally, select the protocols and protocol categories that you wish to monitor. It is recommended that you analyze 5-10 protocols at a
time.

Interpreting the report


Bandwidth by Protocol
• highlights the most popular protocols that are consuming network bandwidth

Note: because this data is presented as a running average, peak values may appear to scale with the
configured time interval of the report. If you are looking for higher-grain accuracy, it is generally
recommended that you run the report for a shorter interval of time. The scaling issue results from peak
values being diluted over the interval of the report. For example, if you chose to report on data for a
one-week period of time, that reporting interval may be broken up into one-hour segments within the
chart. Let's assume that four consecutive plotted points within the chart had the series (4, 5, 17, 5).
These values would represent the average rate of events for each particular hour. If we re-ran the
report with a two-week time period, we would find that the same time range has fewer bins with lower
values: in this example, we would expect to see the series (4.5, 11) for the same time points. This is
caused by the fact that the two-week report must collapse time bins, which dilutes peak values through
averaging.

Redirected Connections by Protocol


Overview
Use the Connections by Protocol report to identify the number of connections being made and which protocols are being used.
The report contains the following three charts that provide information on the number of connection attempts per protocol and network.
• Peak connections - Stacked area chart showing the maximum number of connections established by active hosts. This is the
peak number of simultaneous connections for any given period during the reporting interval. For example, if during the
reporting interval a user opens two connections, closes one of them and then opens another connection, the peak
simultaneous connections for this user is two.
• New connections - Stacked bar chart showing the total number of new connections created during the reporting interval.
From the previous example where a user opens two connections, closes one of them and then opens another connection, the
new connections count for this user would be three.
• Failed connections - Stacked bar chart showing the total number of rejected connections during the reporting interval.
Configuring the report
Select a time period and the elements you wish to monitor for protocol bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols for which you wish to monitor connections. Selecting a large number of protocols may reduce the
visibility of these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.

Interpreting the report


The information presented on this report should be interpreted in light of whether the connections being examined are internal or external.
Use this report to examine the effectiveness of session management strategies.

Peak connections
• the number of internal connections should not vary significantly.
• when session management is implemented, the peak number of external connections should decrease.
New connections
• if session management is implemented, the number of new connections should drop and should reflect the value implemented
by session limiting.
Failed connections
• external failed connections will increase when session management is applied to control uploads.

Note: internal connections should seldom have any failed connections.

Note: both the New and Failed Connections charts display raw count totals. This can make the reports
appear to provide different peak results, which is caused by the scaling of these values over different
time intervals. For example, if you chose to report on data for a one-week period of time, that reporting
interval may be broken up into one-hour segments within the chart. Let's assume that four consecutive
plotted points within the chart had the series (4, 7, 13, 17). These values would represent the total
number of events for each particular hour. If we re-ran the report with a two-week time period, we
would find that the same time range has fewer bins but with higher values: in this example, we would
expect to see the series (11, 30) for the same time points. This is caused by the fact that the two-week
report must collapse time bins, which in turn stacks the resulting bin values.

Redirected Hosts by Protocol


Overview
Use the Hosts by Protocol report to identify the number of hosts discovered by protocol. The Hosts by Protocol report contains two charts
that provide information on the number of connection attempts per protocol and network.
• Peak Hosts - Stacked area chart showing the maximum number of simultaneous hosts during the reporting interval. For
example, if during the reporting interval two different hosts are discovered, one of them closes their connection and then
another host is discovered, the peak simultaneous host count is two.
• New Hosts - Stacked bar chart showing the total number of new hosts discovered during the reporting interval. If a host
connects, disconnects and then reconnects during the same reporting interval, they will be discovered (counted) twice.
Configuring the report
Select a time period and the elements you wish to monitor for host stats. You can build virtual clusters of Sandvine elements using the
Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols for which you wish to monitor the number of hosts. Selecting a large number of protocols may reduce the
visibility of these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.

Note: a single host may be using multiple protocols simultaneously. This means that you cannot
simply add hosts across protocols to determine the total number of hosts. To identify the number of
total unique hosts, see the Hosts report.

Interpreting the report


Peak hosts
• use this report to identify the number of simultaneous hosts (users) per protocol.
• use this information to measure the popularity of protocols on the network.
New hosts
• use this report to identify the number of new hosts discovered by protocol for the reporting period.

Note: the New Hosts chart displays raw count totals. This can make the reports appear to give
different peak results, which is caused by the scaling of these values over different time intervals. For
example, if you choose to report on data for a one-week period, that reporting interval may be
broken up into one-hour segments within the chart. Let's assume that four consecutive plotted
points within the chart form the series (4, 7, 13, 17). These values represent the total number
of events for each of those hours. If we re-ran the report with a two-week time period, we would find
that over the same time range we would have fewer bins but with higher values; in this example, we
would expect to see the series (11, 30) for the same time points. This is because the two-week report
must collapse time bins, which in turn stacks (sums) the resulting bin values.

Redirected Top Protocol Histogram


Overview
Use the Top Ten Protocol Histogram report to identify the top protocols that are consuming bandwidth across the specified networks.
The report contains the following chart:
• Top Ten Protocol Histogram - Pareto (or histogram) chart showing the percentage of bandwidth consumed by each
selected protocol.
Configuring the report
Select a time period and the elements you wish to monitor for protocol bandwidth consumption. You can build virtual clusters of Sandvine
elements using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Finally, select the protocols and protocol categories for which you wish to monitor network bandwidth.

Interpreting the report


Top Ten Protocol Histogram
• highlights the most popular protocols

Redirection
Redirection Efficiency
Overview
Use the Peer-to-Peer Redirection Efficiency report to estimate how successful the Sandvine PPE element is at redirecting peer-to-peer
traffic within your indexed peer networks.
The report contains the following chart:
• Redirection Efficiency - Layered area chart showing the percentage of redirected bandwidth by each selected protocol.
Configuring the report
Select a time period and the elements you wish to monitor for protocol bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. It is imperative that these are configured precisely so
that all of your internal networks are selected in the Destination Network listbox, and all of your internal networks PLUS your indexed
peering points are selected in the Source Network listbox. It is important that you do not select any external networks in either listbox.
Finally, select the protocols and protocol categories that you wish to monitor. It is recommended that you analyze 5-10 protocols at a
time.

Interpreting the report


Redirection Efficiency
• highlights the efficiency of redirecting peer-to-peer protocols within your indexed peer networks

Routing Table Entries


Overview
Use the Routing Table report to see the number of files that have been routed on a single network. Use this information to verify that traffic
is being routed.
The report contains the following two charts:
• Peak Entries - Stacked area chart showing the peak number of indexed files that have been routed for the reporting period.
• New Entries - Stacked bar chart showing the total number of new indexed files that have been routed for the reporting
period.
Configuring the report
Select a time period and the elements you wish to monitor for protocol bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols and protocol categories that you wish to monitor. It is recommended that you analyze 5-10 protocols at a
time.

Interpreting the report


Peak Entries
• highlights the threshold of simultaneous peak indexed files
New Entries
• highlights the total of new indexed files discovered

Note: the New Entries chart displays raw count totals. This can make the reports appear to
give different peak results, which is caused by the scaling of these values over different time
intervals. For example, if you choose to report on data for a one-week period, that reporting
interval may be broken up into one-hour segments within the chart. Let's assume that four
consecutive plotted points within the chart form the series (4, 7, 13, 17). These values
represent the total number of events for each of those hours. If we re-ran the report with a two-week
time period, we would find that over the same time range we would have fewer bins but with higher
values; in this example, we would expect to see the series (11, 30) for the same time points.
This is because the two-week report must collapse time bins, which in turn stacks (sums) the
resulting bin values.

by Protocol
Average Calls per User
Overview
Use the Average Calls per User report to determine the average number of calls per user for the reporting period.
The report contains the following two charts:
• Average Calls per User (Receive) - Stacked bar chart showing the number of calls divided by the number of users per
period.
• Average Calls per User (Transmit) - Stacked bar chart showing the number of calls divided by the number of users per
period.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols and protocol categories that you wish to monitor.
Finally, select the providers that you are interested in.

Interpreting the report


Average Calls per User
• highlights the average number of VoIP calls per user on the network

Bandwidth by Protocol
Overview
Use the Bandwidth by Protocol report to identify the amount of bandwidth being consumed for selected protocols. Use this information to
see the net effect of protocol traffic over the specified networks.
The report contains the following chart:
• Bandwidth by Protocol - Stacked area chart showing the amount of bandwidth consumed by each selected protocol. This is
measured as the average bitrate (bits per second) over time.
Configuring the report
Select a time period and the elements you wish to monitor for protocol bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Finally, select the protocols and protocol categories that you wish to monitor. It is recommended that you analyze 5-10 protocols at a
time.

Interpreting the report


Bandwidth by Protocol
• highlights the most popular protocols that are consuming network bandwidth

Note: because this data is presented as a running average, peak values may appear to scale
depending on the configured time interval for the report. If you are looking for finer-grained
accuracy, it is generally recommended that you run the report for a shorter interval of time. The
scaling issue results from peak values being diluted over the interval of the report. For example, if
you choose to report on data for a one-week period, that reporting interval may be broken up into
one-hour segments within the chart. Let's assume that four consecutive plotted points within the chart
form the series (4, 5, 17, 5). These values represent the average rate of events for each of those
hours. If we re-ran the report with a two-week time period, we would find that over the same time
range we would have fewer bins with lower values; in this example, we would expect to see the series
(4.5, 11) for the same time points. This is because the two-week report must collapse time bins,
which dilutes peak values through averaging.
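The two kinds of bin collapse described in these notes, the raw-count stacking of (4, 7, 13, 17) into (11, 30) and the running-average dilution of (4, 5, 17, 5) into (4.5, 11), as an added Python example that is not part of the Network Demographics documentation. It also generalizes to the peak series, which the Connections by Protocol report says are aggregated with the maximum; the function names, the `collapse_bins` helper and the factor-of-two (one-week to two-week) collapse are assumptions made for the example.

```python
"""Re-binning report series: raw counts stack, running averages dilute, peaks keep the max.

Added example, not product code. The series (4, 7, 13, 17) and (4, 5, 17, 5)
are the ones used in the report notes; the collapse factor of 2 models the
one-week report being re-run over two weeks, so two hourly bins merge into one.
"""
from statistics import mean
from typing import Callable, Sequence


def collapse_bins(series: Sequence[float], factor: int,
                  reducer: Callable[[Sequence[float]], float]) -> list:
    """Merge every `factor` consecutive bins into one bin using `reducer`.

    A trailing partial group (when len(series) is not a multiple of factor)
    is reduced on its own, which is what happens at the edge of a chart.
    """
    if factor < 1:
        raise ValueError("factor must be >= 1")
    return [reducer(series[i:i + factor]) for i in range(0, len(series), factor)]


def collapse_counts(series: Sequence[float], factor: int) -> list:
    """Raw count totals (New Connections, New Hosts, Calls, Minutes): bins are summed."""
    return collapse_bins(series, factor, sum)


def collapse_rates(series: Sequence[float], factor: int) -> list:
    """Running averages (Bandwidth by Protocol): bins are averaged, so peaks dilute."""
    return collapse_bins(series, factor, mean)


def collapse_peaks(series: Sequence[float], factor: int) -> list:
    """Peak series (Peak Connections, Peak Hosts): max of the merged bins, so peaks survive."""
    return collapse_bins(series, factor, max)


def apparent_peak_shift(series: Sequence[float], factor: int,
                        reducer: Callable[[Sequence[float]], float]) -> tuple:
    """Return (peak at fine resolution, peak at coarse resolution).

    This is the 'different peak results' the notes warn about: the same data
    shows a higher peak after summing and a lower peak after averaging.
    """
    return max(series), max(collapse_bins(series, factor, reducer))


if __name__ == "__main__":
    # Constructed input: four hourly bins from the report notes.
    counts = [4, 7, 13, 17]
    rates = [4, 5, 17, 5]
    print("counts one-week vs two-week:", counts, "->", collapse_counts(counts, 2))
    print("rates  one-week vs two-week:", rates, "->", collapse_rates(rates, 2))
    print("peaks  one-week vs two-week:", counts, "->", collapse_peaks(counts, 2))
    print("apparent peak (sum):", apparent_peak_shift(counts, 2, sum))
    print("apparent peak (mean):", apparent_peak_shift(rates, 2, mean))
```

Run the script to reproduce the notes' numbers; to read a true hourly peak from a long report, shorten the reporting interval rather than reading it off a collapsed chart.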

Calls by Protocol
Overview
The Calls by Protocol report shows the number of calls and blocked calls by protocol per reporting period for the selected VoIP providers.
The report contains the following two charts:
• Calls by Protocol - Stacked bar chart showing the number of calls per period.
• Blocked Calls by Protocol - Stacked bar chart showing the number of blocked calls per period.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols and protocol categories that you wish to monitor.
Finally, select the providers that you are interested in.

Interpreting the report


Calls and Blocked Calls
• highlights the total number of VoIP calls or blocked calls per period, respectively
• identify the VoIP protocols that are being used
• see time-of-day trends for VoIP usage
• determine popularity of accepted VoIP protocols

Note: the Calls chart displays raw count totals. This can make the reports appear to give
different peak results, which is caused by the scaling of these values over different time intervals. For
example, if you choose to report on data for a one-week period, that reporting interval may be
broken up into one-hour segments within the chart. Let's assume that four consecutive plotted
points within the chart form the series (4, 7, 13, 17). These values represent the total number
of events for each of those hours. If we re-ran the report with a two-week time period, we would find
that over the same time range we would have fewer bins but with higher values; in this example, we
would expect to see the series (11, 30) for the same time points. This is because the two-week report
must collapse time bins, which in turn stacks (sums) the resulting bin values.

Note: the Blocked Calls chart will only have data if the feature is enabled.

Connections by Protocol
Overview
Use the Connections by Protocol report to identify the number of connection attempts per protocol and network. The report contains the
following three charts:
• Connections - Stacked bar chart showing the total number of active connections during the reporting interval.
• New connections - Stacked bar chart showing the total number of new connections created during the reporting interval
• Peak connections - Stacked area chart showing the peak number of concurrent active connections over the reporting
interval.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols for which you wish to monitor connections. Selecting a large number of protocols may reduce the
visibility of these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.

Interpreting the report


Connections
• This report shows the total number of active connections in each reporting interval.
• If a connection starts in one interval and remains connected through the next few intervals, it will be counted in every one of
these intervals.
• Peak is used when aggregating over multiple logging intervals; i.e. the number of connections is the maximum value among the
logging intervals.
New connections
• This report shows the total number of new connections initiated in each reporting interval.
• For example, in a single 15-minute interval, Connection A starts and stops and Connection B starts and stops. The number of
new connections in that interval is 2.

• If a connection starts in one interval and remains connected through the next few intervals, it is counted only once, as one
new connection, in the interval in which it started.
• Sum is used when aggregating over multiple logging intervals; i.e. the number of new connections is the sum of new
connections in each logging interval.
Peak connections
• This report shows the peak number of concurrent active connections over the reporting interval.
• If a connection starts in one interval and remains connected through the next few intervals, it will be counted in every one of
those intervals.
• For example, if Connection A starts and stops, and then Connection B starts and stops, peak connections is 1. If Connection A
starts, then Connection B starts, then Connection A ends, then Connection B ends, peak connections is 2.
• Peak is used when aggregating over multiple logging intervals; i.e. the number of peak connections is the maximum value among
the logging intervals.
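The three counting rules above (Connections, New connections, Peak connections) and their aggregation across 15-minute logging intervals, as an added Python example that is not Sandvine's code. The `Connection` record type, the function names and the constructed start/end times (minutes from the start of the reporting window) are assumptions made for the example.

```python
"""Connection counting rules from the Connections by Protocol report.

Added example, not product code. A Connection is a constructed (start, end)
pair in minutes; the logging interval is 15 minutes as in the report's example.
"""
from dataclasses import dataclass
from typing import Callable, List, Sequence

LOGGING_INTERVAL_MIN = 15


@dataclass(frozen=True)
class Connection:
    start: float  # minutes from the beginning of the reporting window
    end: float    # must be > start


def _overlaps(conn: Connection, lo: float, hi: float) -> bool:
    """True if the connection is open at any point within [lo, hi)."""
    return conn.start < hi and conn.end > lo


def active_connections(conns: Sequence[Connection], lo: float, hi: float) -> int:
    """Connections chart: every connection open at any point in the interval counts,
    so a long-lived connection is counted again in each interval it spans."""
    return sum(1 for c in conns if _overlaps(c, lo, hi))


def new_connections(conns: Sequence[Connection], lo: float, hi: float) -> int:
    """New Connections chart: a connection counts only in the interval it started in."""
    return sum(1 for c in conns if lo <= c.start < hi)


def peak_concurrent(conns: Sequence[Connection], lo: float, hi: float) -> int:
    """Peak Connections chart: maximum number simultaneously open within [lo, hi).

    Sweep line: +1 at each start, -1 at each end, clipped to the interval.
    Ends sort before starts at the same instant, so a connection that closes
    exactly as another opens is not counted as concurrent with it.
    """
    events = []
    for c in conns:
        if not _overlaps(c, lo, hi):
            continue
        events.append((max(c.start, lo), +1))
        events.append((min(c.end, hi), -1))
    events.sort()  # tuples sort by time, then by delta (-1 before +1)
    peak = current = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def per_logging_interval(conns: Sequence[Connection], window_end: int,
                         rule: Callable[[Sequence[Connection], float, float], int],
                         interval: int = LOGGING_INTERVAL_MIN) -> List[int]:
    """Apply one counting rule to each logging interval in [0, window_end)."""
    return [rule(conns, lo, lo + interval) for lo in range(0, window_end, interval)]


def aggregate(series: Sequence[int], chart: str) -> int:
    """Roll logging-interval values up into one reporting interval.

    'new' uses the sum; 'connections' and 'peak' use the maximum, as the
    report describes for its three charts.
    """
    if chart == "new":
        return sum(series)
    if chart in ("connections", "peak"):
        return max(series)
    raise ValueError(f"unknown chart {chart!r}")


if __name__ == "__main__":
    # Constructed data: A then B back to back, then an overlapping pair, then a
    # long connection spanning three 15-minute logging intervals.
    sequential = [Connection(1, 5), Connection(6, 10)]
    overlapping = [Connection(1, 8), Connection(3, 12)]
    long_lived = [Connection(5, 40)]
    print("sequential: new", new_connections(sequential, 0, 15),
          "peak", peak_concurrent(sequential, 0, 15))
    print("overlapping: peak", peak_concurrent(overlapping, 0, 15))
    active = per_logging_interval(long_lived, 45, active_connections)
    new = per_logging_interval(long_lived, 45, new_connections)
    print("long-lived per interval: active", active, "new", new)
    print("aggregated: connections", aggregate(active, "connections"),
          "new", aggregate(new, "new"))
```

The long-lived case is the one that matters when reading the charts: it shows 1 in the Connections chart of every interval it spans but contributes only 1 new connection overall, so summing the Connections chart over intervals overstates the number of distinct flows.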

Minutes by Protocol
Overview
The Minutes report shows the number of minutes by protocol per reporting period for the selected VoIP providers.
The report contains the following two charts:
• Minutes - Stacked bar chart showing the number of minutes per period.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols and protocol categories that you wish to monitor.
Finally, select the providers that you are interested in.

Interpreting the report


Minutes
• highlights the total number of VoIP minutes per period
• identify the VoIP protocols that are being used
• see time-of-day trends for VoIP usage
• determine popularity of accepted VoIP protocols

Note: the Minutes chart displays raw count totals. This can make the reports appear to give
different peak results, which is caused by the scaling of these values over different time intervals. For
example, if you choose to report on data for a one-week period, that reporting interval may be
broken up into one-hour segments within the chart. Let's assume that four consecutive plotted
points within the chart form the series (4, 7, 13, 17). These values represent the total number
of events for each of those hours. If we re-ran the report with a two-week time period, we would find
that over the same time range we would have fewer bins but with higher values; in this example, we
would expect to see the series (11, 30) for the same time points. This is because the two-week report
must collapse time bins, which in turn stacks (sums) the resulting bin values.

Subscriber Count
Overview
Use the Subscriber Count by Protocol report to determine the number of subscribers associated with a VoIP protocol for the reporting
period.
The report contains the following table:
• Subscriber Count by Protocol - Displays the number of subscribers for a particular VoIP protocol.

Field              Description
Protocol           The name of the VoIP protocol.
Subscriber Count   The number of subscribers who used this protocol.

From the Subscriber Count table, you can drilldown to the following reports:
• Calls by Protocol - chart of the number of calls and blocked calls by protocol
• Minutes by Protocol - chart of the number of minutes of calls by protocol

Configuring the report


Select the clusters you wish to query.
Select the VoIP protocols and protocol categories that you wish to monitor.
Select the VoIP Providers of interest.
Finally, select a time period to monitor.

Interpreting the report


Subscriber Count by Protocol
• highlights the number of subscribers associated with a particular VoIP protocol.

Users by Protocol
Overview
Use the Users by Protocol report to identify the number of users discovered by protocol. The Users by Protocol report contains two charts
that provide information on the number of connection attempts per protocol and network.
• Peak Users - Stacked area chart showing the maximum number of simultaneous users during the reporting interval. For
example, if during the reporting interval two different users are discovered, one of them closes their connection and then
another user is discovered, the peak simultaneous user count is two.
• New Users - Stacked bar chart showing the total number of new users discovered during the reporting interval. If a user
connects, disconnects and then reconnects during the same reporting interval, they will be discovered (counted) twice.
Configuring the report
Select a time period and the elements you wish to monitor for user stats. You can build virtual clusters of Sandvine elements using the
Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols for which you wish to monitor the number of users. Selecting a large number of protocols may reduce the
visibility of these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.

Note: a single user may be using multiple protocols simultaneously. This means that you cannot
simply add users across protocols to determine the total number of users. To identify the number of
total unique users, see the Hosts report.

Interpreting the report


Peak Users
• use this report to identify the number of simultaneous users per protocol.
• use this information to measure the popularity of protocols on the network.
New Users
• use this report to identify the number of new users discovered by protocol for the reporting period.

Note: the New Users chart displays raw count totals. This can make the reports appear to give
different peak results, which is caused by the scaling of these values over different time intervals. For
example, if you choose to report on data for a one-week period, that reporting interval may be
broken up into one-hour segments within the chart. Let's assume that four consecutive plotted
points within the chart form the series (4, 7, 13, 17). These values represent the total number
of events for each of those hours. If we re-ran the report with a two-week time period, we would find
that over the same time range we would have fewer bins but with higher values; in this example, we
would expect to see the series (11, 30) for the same time points. This is because the two-week report
must collapse time bins, which in turn stacks (sums) the resulting bin values.

by Provider
Average Call Duration
Overview
Use the Average Call Duration report to determine the average length of each call per protocol for the reporting period.
The report contains the following chart:
• Average Call Duration - Stacked bar chart showing the number of minutes divided by the number of calls per period.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols and protocol categories that you wish to monitor.
Finally, select the providers that you are interested in.

Interpreting the report


Average Call Duration
• highlights the average length of VoIP calls on the selected networks

Calls by Provider
Overview
The Calls by Provider report shows the number of calls and blocked calls by provider per reporting period for the selected VoIP providers.
The report contains the following two charts:
• Calls by Provider - Stacked bar chart showing the number of calls per period.
• Blocked Calls by Provider - Stacked bar chart showing the number of blocked calls per period.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols and protocol categories that you wish to monitor.
Finally, select the providers that you are interested in.

Interpreting the report


Calls and Blocked Calls
• highlights the total number of VoIP calls or blocked calls per period, respectively
• identify the VoIP providers that are being used
• see time-of-day trends for VoIP usage
• determine popularity of specific VoIP providers

Note: the Calls chart displays raw count totals. This can make the reports appear to give
different peak results, which is caused by the scaling of these values over different time intervals. For
example, if you choose to report on data for a one-week period, that reporting interval may be
broken up into one-hour segments within the chart. Let's assume that four consecutive plotted
points within the chart form the series (4, 7, 13, 17). These values represent the total number
of events for each of those hours. If we re-ran the report with a two-week time period, we would find
that over the same time range we would have fewer bins but with higher values; in this example, we
would expect to see the series (11, 30) for the same time points. This is because the two-week report
must collapse time bins, which in turn stacks (sums) the resulting bin values.

Note: the Blocked Calls chart will only have data if the feature is enabled.

Minutes by Provider
Overview
The Minutes report shows the number of minutes by provider per reporting period for the selected VoIP providers.
The report contains the following two charts:
• Minutes - Stacked bar chart showing the number of minutes per period.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols and protocol categories that you wish to monitor.
Finally, select the providers that you are interested in.

Interpreting the report


Minutes
• highlights the total number of VoIP minutes per period
• identify the VoIP providers that are being used
• see time-of-day trends for VoIP usage
• determine popularity of accepted VoIP providers

Note: the Minutes chart displays raw count totals. This can make the reports appear to give
different peak results, which is caused by the scaling of these values over different time intervals. For
example, if you choose to report on data for a one-week period, that reporting interval may be
broken up into one-hour segments within the chart. Let's assume that four consecutive plotted
points within the chart form the series (4, 7, 13, 17). These values represent the total number
of events for each of those hours. If we re-ran the report with a two-week time period, we would find
that over the same time range we would have fewer bins but with higher values; in this example, we
would expect to see the series (11, 30) for the same time points. This is because the two-week report
must collapse time bins, which in turn stacks (sums) the resulting bin values.

Subscriber Count
Overview
Use the Subscriber Count by Provider report to determine the number of subscribers associated with a VoIP provider for the reporting
period.
The report contains the following table:
• Subscriber Count by Provider - Displays the number of subscribers for a particular VoIP provider.

Field              Description
Provider           The name of the VoIP provider.
Subscriber Count   The number of subscribers who used this provider.

From the Subscriber Count table, you can drilldown to the following reports:
• VoIP Subscriber Summary - table of quality measures of calls made by subscribers associated with the VoIP provider
• Calls by Provider - chart of the number of calls and blocked calls by provider
• Minutes by Provider - chart of the number of minutes of calls by provider
Configuring the report
Select the clusters you wish to query.
Select the VoIP Providers of interest.
Finally, select a time period to monitor.

Interpreting the report


Subscriber Count by Provider
• highlights the number of subscribers associated with a particular VoIP provider.

Subscribers by Provider
Overview
The Subscribers by Provider report shows the number of subscribers associated with each provider per reporting period for the selected
VoIP providers.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Finally, select the providers that you are interested in.

Interpreting the report


Subscribers by Provider
• highlights the total number of subscribers per period
• identify the VoIP providers that are being used
• see time-of-day trends for VoIP usage
• determine popularity of accepted VoIP providers

by Network
InterNetwork Call Quality Distribution
Overview
Use the InterNetwork Metric Histogram report to display the distribution of VoIP quality measures of calls across specified physical
network interfaces.
The report contains the following chart:
• InterNetwork Metric Histogram - Histogram chart showing the number of calls in each range of quality metric scores. The
configured failure threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the
histogram bar colours

Configuring the report


Select the clusters you wish to query.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the quality metric to display.
If you wish to set the failure thresholds to values different from the default settings, select the Presentation tab and locate the VoIP
Quality Settings section. Set the quality threshold parameters as desired.
Finally, select a time period to monitor.

Interpreting the report


InterNetwork Metric Histogram
• Shows the distribution of quality scores for the selected metric

InterNetwork Call Quality Distribution


Overview
This report is accessible through a VoIP summary table drilldown only. Use the Jitter Score report to display the distribution of VoIP quality
measures of calls corresponding to the original drilldown table row.
The report contains the following chart:
• Jitter Score - Histogram chart showing the number of calls in each range of quality metric scores. The configured failure
threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the histogram bar
colours

Configuring the report


There is no configuration necessary for this report.

Interpreting the report


Jitter Score
• Shows the distribution of the Jitter score of VoIP calls

InterNetwork Call Quality Distribution


Overview
This report is accessible through a VoIP summary table drilldown only. Use the Latency Score report to display the distribution of VoIP
quality measures of calls corresponding to the original drilldown table row.
The report contains the following chart:
• Latency Score - Histogram chart showing the number of calls in each range of quality metric scores. The configured failure
threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the histogram bar
colours

Configuring the report


There is no configuration necessary for this report.

Interpreting the report


Latency Score
• Shows the distribution of the Latency score of VoIP calls

InterNetwork Call Quality Distribution


Overview
This report is accessible through a VoIP summary table drilldown only. Use the MOS-CQ Score report to display the distribution of VoIP
quality measures of calls corresponding to the original drilldown table row.
The report contains the following chart:
• MOS-CQ Score - Histogram chart showing the number of calls in each range of quality metric scores. The configured failure
threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the histogram bar
colours

Configuring the report


There is no configuration necessary for this report.

Interpreting the report


MOS-CQ Score
• Shows the distribution of the MOS-CQ score of VoIP calls

InterNetwork Call Quality Distribution


Overview
This report is accessible through a VoIP summary table drilldown only. Use the MOS-EP Score report to display the distribution of VoIP
quality measures for the calls corresponding to the original drilldown table row.
The report contains the following chart:
• MOS-EP Score - Histogram chart showing the number of calls in each range of quality metric scores. The configured failure
threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the histogram bar
colours

Configuring the report


There is no configuration necessary for this report.

Interpreting the report


MOS-EP Score
• Shows the distribution of the MOS-EP score of VoIP calls

InterNetwork Call Quality Distribution


Overview
This report is accessible through a VoIP summary table drilldown only. Use the MOS-G.107 Score report to display the distribution of VoIP
quality measures for the calls corresponding to the original drilldown table row.
The report contains the following chart:
• MOS-G.107 Score - Histogram chart showing the number of calls in each range of quality metric scores. The configured
failure threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the histogram
bar colours

Configuring the report


There is no configuration necessary for this report.

Interpreting the report


MOS-G.107 Score
• Shows the distribution of the MOS-G.107 score of VoIP calls

InterNetwork Call Quality Distribution


Overview
This report is accessible through a VoIP summary table drilldown only. Use the MOS-LQ Score report to display the distribution of VoIP
quality measures for the calls corresponding to the original drilldown table row.
The report contains the following chart:
• MOS-LQ Score - Histogram chart showing the number of calls in each range of quality metric scores. The configured failure
threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the histogram bar
colours

Configuring the report


There is no configuration necessary for this report.

Interpreting the report


MOS-LQ Score
• Shows the distribution of the MOS-LQ score of VoIP calls

InterNetwork Call Quality Distribution


Overview
This report is accessible through a VoIP summary table drilldown only. Use the Packet Loss Score report to display the distribution of VoIP
quality measures for the calls corresponding to the original drilldown table row.
The report contains the following chart:
• Packet Loss Score - Histogram chart showing the number of calls in each range of quality metric scores. The configured
failure threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the histogram
bar colours

Configuring the report


There is no configuration necessary for this report.

Interpreting the report


Packet Loss Score
• Shows the distribution of the Packet Loss score of VoIP calls

InterNetwork Summary
Overview
Use the VoIP Quality of Experience by InterNetwork Summary report to examine the VoIP quality of calls for different networks.
The report contains the following table:

InterNetwork VoIP Call Quality Summary - Displays the number of calls measured by the system and their quality scores in each flow
direction, summarized to the network level

Field                  Description
Cluster                The name of the cluster of Sandvine elements.
Source Network         The source network.
Destination Network    The destination network.
Network Participation  The direction of the flow between the source and destination networks.
Total Calls            The total number of calls measured in the specified date range.
Poor Calls             The number of calls that are determined to be below the configured quality metric threshold (for example, a
                       MOS-CQ score below 3.6).
% Poor Calls           The percentage of poor calls over total calls. The value is colour-coded to identify quality concerns: green
                       represents an acceptable number of poor calls, yellow represents a marginally acceptable number of poor calls,
                       and red shows an unacceptable number of poor calls.
[x.x - y.y]            The number of calls that fall within the quality range.

From the InterNetwork Summary table, you can drilldown to the following reports:
• VoIP Quality of Experience by Provider Summary - QoE Summary of VoIP calls by VoIP providers
• InterNetwork "Metric" Score - Histogram charts of measured calls according to the chosen MOS metric
Configuring the report
Select the clusters you wish to query.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
for the Destination Network.
If you wish to set the failure thresholds to values different from the default settings, select the Presentation tab and locate the VoIP
Quality Settings section. Set the quality threshold parameters as desired.
Finally, select a time period to monitor.

Note: It is recommended that only the date portion of the start and end date is specified; do not set a
time. This is because the summary-level VoIP QoE data are consolidated on a per day (24 hours) basis.

Interpreting the report


InterNetwork Summary
• The % Poor Calls column identifies the percentage of poor calls associated with a particular network pair
• The percentages are colour-coded to identify quality issues: green represents an acceptable number of poor calls, yellow
represents a marginally acceptable number of poor calls, and red shows an unacceptable number of poor calls

Network Call Quality Distribution


Overview
Use the Network Metric Histogram report to display the distribution of VoIP quality measures of calls across specified physical network
interfaces.
The report contains the following chart:
• Network Metric Histogram - Histogram chart showing the number of calls in each range of quality metric scores. The
configured failure threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the
histogram bar colours

Configuring the report


Select the clusters and networks you wish to query.
Select the quality metric to display.
If you wish to set the failure thresholds to values different from the default settings, select the Presentation tab and locate the VoIP
Quality Settings section. Set the quality threshold parameters as desired.
Finally, select a time period to monitor.

Interpreting the report


Network Metric Histogram
• Shows the distribution of quality scores for the selected metric

Network Call Quality Distribution


Overview
This report is accessible through a VoIP summary table drilldown only. Use the Jitter Score report to display the distribution of VoIP
quality measures for the calls corresponding to the original drilldown table row.
The report contains the following chart:
• Jitter Score - Histogram chart showing the number of calls in each range of quality metric scores. The configured failure
threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the histogram bar
colours

Configuring the report


There is no configuration necessary for this report.

Interpreting the report


Jitter Score
• Shows the distribution of the Jitter score of VoIP calls

Network Call Quality Distribution


Overview
This report is accessible through a VoIP summary table drilldown only. Use the Latency Score report to display the distribution of VoIP
quality measures for the calls corresponding to the original drilldown table row.
The report contains the following chart:
• Latency Score - Histogram chart showing the number of calls in each range of quality metric scores. The configured failure
threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the histogram bar
colours

Configuring the report


There is no configuration necessary for this report.

Interpreting the report


Latency Score
• Shows the distribution of the Latency score of VoIP calls

Network Call Quality Distribution


Overview
This report is accessible through a VoIP summary table drilldown only. Use the MOS-CQ Score report to display the distribution of VoIP
quality measures for the calls corresponding to the original drilldown table row.
The report contains the following chart:
• MOS-CQ Score - Histogram chart showing the number of calls in each range of quality metric scores. The configured failure
threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the histogram bar
colours

Configuring the report


There is no configuration necessary for this report.

Interpreting the report


MOS-CQ Score
• Shows the distribution of the MOS-CQ score of VoIP calls

Network Call Quality Distribution


Overview
This report is accessible through a VoIP summary table drilldown only. Use the MOS-EP Score report to display the distribution of VoIP
quality measures for the calls corresponding to the original drilldown table row.
The report contains the following chart:
• MOS-EP Score - Histogram chart showing the number of calls in each range of quality metric scores. The configured failure
threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the histogram bar
colours

Configuring the report


There is no configuration necessary for this report.

Interpreting the report


MOS-EP Score
• Shows the distribution of the MOS-EP score of VoIP calls

Network Call Quality Distribution


Overview
This report is accessible through a VoIP summary table drilldown only. Use the MOS-G.107 Score report to display the distribution of VoIP
quality measures for the calls corresponding to the original drilldown table row.
The report contains the following chart:
• MOS-G.107 Score - Histogram chart showing the number of calls in each range of quality metric scores. The configured
failure threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the histogram
bar colours

Configuring the report


There is no configuration necessary for this report.

Interpreting the report


MOS-G.107 Score
• Shows the distribution of the MOS-G.107 score of VoIP calls

Network Call Quality Distribution


Overview
This report is accessible through a VoIP summary table drilldown only. Use the MOS-LQ Score report to display the distribution of VoIP
quality measures for the calls corresponding to the original drilldown table row.
The report contains the following chart:
• MOS-LQ Score - Histogram chart showing the number of calls in each range of quality metric scores. The configured failure
threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the histogram bar
colours

Configuring the report


There is no configuration necessary for this report.

Interpreting the report


MOS-LQ Score
• Shows the distribution of the MOS-LQ score of VoIP calls

Network Call Quality Distribution


Overview
This report is accessible through a VoIP summary table drilldown only. Use the Packet Loss Score report to display the distribution of VoIP
quality measures for the calls corresponding to the original drilldown table row.
The report contains the following chart:
• Packet Loss Score - Histogram chart showing the number of calls in each range of quality metric scores. The configured
failure threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the histogram
bar colours

Configuring the report


There is no configuration necessary for this report.

Interpreting the report


Packet Loss Score
• Shows the distribution of the Packet Loss score of VoIP calls

Network Summary
Overview
Use the VoIP Quality of Experience by Network Summary report to examine the VoIP quality of calls for different networks.
The report contains the following table:

Network VoIP Call Quality Summary - Displays the number of calls measured by the system and their quality scores in each flow
direction

Field                  Description
Cluster                The name of the cluster of Sandvine elements.
Network                The source network.
Network Participation  The direction of the flow from the point of view of the network.
Total Calls            The total number of calls measured in the specified date range.
Poor Calls             The number of calls that are determined to be below the configured quality metric threshold (for example, a
                       MOS-CQ score below 3.6).
% Poor Calls           The percentage of poor calls over total calls. The value is colour-coded to identify quality concerns: green
                       represents an acceptable number of poor calls, yellow represents a marginally acceptable number of poor calls,
                       and red shows an unacceptable number of poor calls.
[x.x - y.y]            The number of calls that fall within the quality range.

From the Network Summary table, you can drilldown to the following reports:
• VoIP Quality of Experience by InterNetwork Summary - QoE Summary of VoIP calls between source and destination
networks
• Network "Metric" Score - Histogram charts of measured calls according to the chosen MOS metric
Configuring the report
Select the clusters you wish to query.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
for the Destination Network.
If you wish to set the failure thresholds to values different from the default settings, select the Presentation tab and locate the VoIP
Quality Settings section. Set the quality threshold parameters as desired.
Finally, select a time period to monitor.

Note: It is recommended that only the date portion of the start and end date is specified; do not set a
time. This is because the summary-level VoIP QoE data are consolidated on a per day (24 hours) basis.

Interpreting the report


Network Summary
• The % Poor Calls column identifies the percentage of poor calls associated with a particular network
• The percentages are colour-coded to identify quality issues: green represents an acceptable number of poor calls, yellow
represents a marginally acceptable number of poor calls, and red shows an unacceptable number of poor calls

by Provider
Provider by Network Summary
Overview
Use the VoIP Quality of Experience for Providers by Network Summary report to examine the VoIP quality of calls for different providers.
The report contains the following table:

Provider by Network VoIP Call Quality Summary - Displays the number of measured calls and their quality scores in each flow
direction, summarized to the network and provider level

Field                  Description
Cluster                The name of the cluster of Sandvine elements.
Source Network         The source network.
Destination Network    The destination network.
VoIP Provider          The name of the VoIP provider.
Network Participation  The direction of the flow between the source and destination networks.
Total Calls            The total number of calls associated with the provider during the selected date range.
Poor Calls             The number of calls that are determined to be below the configured quality metric threshold (for example, a
                       MOS-CQ score below 3.6).
% Poor Calls           The percentage of poor calls over total calls. The value is colour-coded to identify quality concerns: green
                       represents an acceptable number of poor calls, yellow represents a marginally acceptable number of poor calls,
                       and red shows an unacceptable number of poor calls.
[x.x - y.y]            The number of calls that fall within the quality range.

From the Provider by Network Summary table, you can drilldown to the following reports:
• VoIP Quality of Experience by Provider Summary - QoE Summary of VoIP calls by VoIP providers
• Provider "Metric" Score - Histogram charts of measured calls according to the chosen MOS metric
Configuring the report
Select the clusters you wish to query.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
for the Destination Network.
Select the VoIP Providers of interest.
If you wish to set the failure thresholds to values different from the default settings, select the Presentation tab and locate the VoIP
Quality Settings section. Set the quality threshold parameters as desired.
Finally, select a time period to monitor.

Note: It is recommended that only the date portion of the start and end date is specified; do not set a
time. This is because the summary-level VoIP QoE data are consolidated on a per day (24 hours) basis.

Interpreting the report


Provider by Network Summary
• The % Poor Calls column identifies the percentage of poor calls associated with a particular VoIP provider
• The percentages are colour-coded to identify quality issues: green represents an acceptable number of poor calls, yellow
represents a marginally acceptable number of poor calls, and red shows an unacceptable number of poor calls

Provider Call Quality Distribution


Overview
Use the Provider Metric Histogram report to display the distribution of VoIP quality measures of calls across specified VoIP providers.
The report contains the following chart:
• Provider Metric Histogram - Histogram chart showing the number of calls in each range of quality metric scores. The
configured failure threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the
histogram bar colours

Configuring the report


Select the clusters and networks you wish to query.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
for the Destination Network.
Select the VoIP Providers of interest.
Select the quality metric to display.
If you wish to set the failure thresholds to values different from the default settings, select the Presentation tab and locate the VoIP
Quality Settings section. Set the quality threshold parameters as desired.
Finally, select a time period to monitor.

Interpreting the report


Provider Metric Histogram
• Shows the distribution of quality scores for the selected metric

Provider Call Quality Distribution


Overview
This report is accessible through a VoIP summary table drilldown only. Use the Jitter Score report to display the distribution of VoIP
quality measures for the calls corresponding to the original drilldown table row.
The report contains the following chart:
• Jitter Score - Histogram chart showing the number of calls in each range of quality metric scores. The configured failure
threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the histogram bar
colours

Configuring the report


There is no configuration necessary for this report.

Interpreting the report


Jitter Score
• Shows the distribution of the Jitter score of VoIP calls

Provider Call Quality Distribution


Overview
This report is accessible through a VoIP summary table drilldown only. Use the Latency Score report to display the distribution of VoIP
quality measures for the calls corresponding to the original drilldown table row.
The report contains the following chart:
• Latency Score - Histogram chart showing the number of calls in each range of quality metric scores. The configured failure
threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the histogram bar
colours

Configuring the report


There is no configuration necessary for this report.

Interpreting the report


Latency Score
• Shows the distribution of the Latency score of VoIP calls

Provider Call Quality Distribution


Overview
This report is accessible through a VoIP summary table drilldown only. Use the MOS-CQ Score report to display the distribution of VoIP
quality measures for the calls corresponding to the original drilldown table row.
The report contains the following chart:
• MOS-CQ Score - Histogram chart showing the number of calls in each range of quality metric scores. The configured failure
threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the histogram bar
colours

Configuring the report


There is no configuration necessary for this report.

Interpreting the report


MOS-CQ Score
• Shows the distribution of the MOS-CQ score of VoIP calls

Provider Call Quality Distribution


Overview
This report is accessible through a VoIP summary table drilldown only. Use the MOS-EP Score report to display the distribution of VoIP
quality measures for the calls corresponding to the original drilldown table row.
The report contains the following chart:
• MOS-EP Score - Histogram chart showing the number of calls in each range of quality metric scores. The configured failure
threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the histogram bar
colours

Configuring the report


There is no configuration necessary for this report.

Interpreting the report


MOS-EP Score
• Shows the distribution of the MOS-EP score of VoIP calls

Provider Call Quality Distribution


Overview
This report is accessible through a VoIP summary table drilldown only. Use the MOS-G.107 Score report to display the distribution of VoIP
quality measures for the calls corresponding to the original drilldown table row.
The report contains the following chart:
• MOS-G.107 Score - Histogram chart showing the number of calls in each range of quality metric scores. The configured
failure threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the histogram
bar colours

Configuring the report


There is no configuration necessary for this report.

Interpreting the report


MOS-G.107 Score
• Shows the distribution of the MOS-G.107 score of VoIP calls

Provider Call Quality Distribution


Overview
This report is accessible through a VoIP summary table drilldown only. Use the MOS-LQ Score report to display the distribution of VoIP
quality measures for the calls corresponding to the original drilldown table row.
The report contains the following chart:
• MOS-LQ Score - Histogram chart showing the number of calls in each range of quality metric scores. The configured failure
threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the histogram bar
colours

Configuring the report


There is no configuration necessary for this report.

Interpreting the report


MOS-LQ Score
• Shows the distribution of the MOS-LQ score of VoIP calls

Provider Call Quality Distribution


Overview
This report is accessible through a VoIP summary table drilldown only. Use the Packet Loss Score report to display the distribution of VoIP
quality measures for the calls corresponding to the original drilldown table row.
The report contains the following chart:
• Packet Loss Score - Histogram chart showing the number of calls in each range of quality metric scores. The configured
failure threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the histogram
bar colours

Configuring the report


There is no configuration necessary for this report.

Interpreting the report


Packet Loss Score
• Shows the distribution of the Packet Loss score of VoIP calls

Provider Summary
Overview
Use the VoIP Quality of Experience by Provider Summary report to examine the VoIP quality of calls for different providers. This report is
different from the Provider by Network Quality of Experience report in that it does not sort on source and destination networks.
The report contains the following table:

Provider VoIP Call Quality Summary - Displays the number of measured calls and their quality scores in each flow direction,
summarized to the provider level

Field                  Description
Cluster                The name of the cluster of Sandvine elements.
VoIP Provider          The name of the VoIP provider.
Network Participation  The direction of the flow.
Total Calls            The total number of calls associated with the provider during the selected date range.
Poor Calls             The number of calls that are determined to be below the configured quality metric threshold (for example, a
                       MOS-CQ score below 3.6).
% Poor Calls           The percentage of poor calls over total calls. The value is colour-coded to identify quality concerns: green
                       represents an acceptable number of poor calls, yellow represents a marginally acceptable number of poor calls,
                       and red shows an unacceptable number of poor calls.
[x.x - y.y]            The number of calls that fall within the quality range.

From the Provider Summary table, you can drilldown to the following reports:
• VoIP Quality of Experience by Subscriber Summary - QoE Summary of VoIP calls on a subscriber level
• Provider "Metric" Score - Histogram charts of measured calls according to the chosen MOS metric
Configuring the report
Select the clusters you wish to query.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
for the Destination Network.
Select the VoIP Providers of interest.
If you wish to set the failure thresholds to values different from the default settings, select the Presentation tab and locate the VoIP
Quality Settings section. Set the quality threshold parameters as desired.
Finally, select a time period to monitor.

Note: It is recommended that only the date portion of the start and end date is specified; do not set a
time. This is because the summary-level VoIP QoE data are consolidated on a per day (24 hours) basis.

Interpreting the report


Provider Summary
• The % Poor Calls column identifies the percentage of poor calls associated with a particular VoIP provider
• The percentages are colour-coded to identify quality issues: green represents an acceptable number of poor calls, yellow
represents a marginally acceptable number of poor calls, and red shows an unacceptable number of poor calls
• Drill down to the Subscriber Summary report to identify subscribers who may be affected by poor provider quality

by Subscriber
Subscriber Call Log
Overview
Use the Subscriber Call Details report to view the complete call details of a specific subscriber. The report consists of a single table
that shows the details of all recent calls in the selected time range.

Recent Call Details - Displays all calls associated with a subscriber that are currently available.

Field                  Description
Subscriber             The name of the subscriber or subscriber IP address.
Peer                   IP or phone number of the peer, if available.
VoIP Provider          The VoIP provider for the VoIP calls.
Subscriber Network     The network associated with the subscriber.
Peer Network           The network associated with the peer.
Element                The Sandvine element that detected the call.
Start Time             The start time of the call.
Call Time              The duration of the call.
MOS-CQ Rx              The MOS-CQ score of the receiving side of the call.
MOS-CQ Tx              The MOS-CQ score of the transmitting side of the call.
Jitter Rx              The jitter (in milliseconds) of the receiving side of the call.
Jitter Tx              The jitter (in milliseconds) of the transmitting side of the call.
Packet Loss Rx         The packet loss (as a percentage) of the receiving side of the call.
Packet Loss Tx         The packet loss (as a percentage) of the transmitting side of the call.

Configuring the report


Select the clusters you wish to query.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
for the Destination Network.
Select the VoIP Providers of interest.
Enter the Subscriber to query.
If you wish to set the failure thresholds to values different from the default settings, select the Presentation tab and locate the VoIP
Quality Settings section. Set the quality threshold parameters as desired.
Finally, select a time period to monitor.

Interpreting the report


Recent Call Details
• This table shows the detailed call logs of recent calls associated with the subscriber
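The following Python is an added example, not Sandvine's code, showing how the Network VoIP Call Quality Summary fields described earlier (Total Calls, Poor Calls, % Poor Calls with its colour, and the [x.x - y.y] range columns, one row per flow direction) can be derived from per-call records shaped like the Recent Call Details table above. The 3.6 MOS-CQ failure threshold is the manual's own example; the range edges, the green/yellow/red percentage boundaries and the sample calls are assumed or constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CallRecord:
    """One row of the Recent Call Details table (constructed; only the fields
    needed for a MOS-CQ summary are modelled)."""
    subscriber: str
    subscriber_network: str
    peer_network: str
    mos_cq_rx: float  # MOS-CQ score, receiving side of the call
    mos_cq_tx: float  # MOS-CQ score, transmitting side of the call


# Failure threshold from the manual's own example: a MOS-CQ below 3.6 is a poor call.
POOR_THRESHOLD = 3.6

# Assumed [x.x - y.y] histogram ranges. The manual does not give the edges;
# 3.6 is kept as an edge so that no range straddles the good/poor boundary.
MOS_CQ_RANGES = [(1.0, 2.0), (2.0, 3.0), (3.0, 3.6), (3.6, 4.0), (4.0, 5.0)]

# Assumed colour boundaries for % Poor Calls (the manual names the colours only).
YELLOW_PCT = 5.0   # at or above this: marginally acceptable
RED_PCT = 20.0     # at or above this: unacceptable


def range_label(score, ranges=MOS_CQ_RANGES):
    """Return the '[x.x - y.y]' column a score falls in. Ranges are closed at
    the lower edge and open at the upper edge, except that the final range
    also accepts its upper edge so a perfect 5.0 is not dropped."""
    for i, (lo, hi) in enumerate(ranges):
        is_last = i == len(ranges) - 1
        if lo <= score < hi or (is_last and score == hi):
            return f"[{lo:.1f} - {hi:.1f}]"
    raise ValueError(f"MOS-CQ score {score} lies outside every range")


def colour_for(pct_poor, yellow=YELLOW_PCT, red=RED_PCT):
    """Map a % Poor Calls value onto the report's green/yellow/red coding."""
    if pct_poor >= red:
        return "red"
    if pct_poor >= yellow:
        return "yellow"
    return "green"


def summarize_by_network(records, threshold=POOR_THRESHOLD):
    """Build Network VoIP Call Quality Summary rows from per-call records.
    Each call contributes one observation per flow direction, so a row is
    keyed by (network, peer network, participation), participation being
    'Rx' or 'Tx'."""
    scores_by_row = defaultdict(list)
    for rec in records:
        base = (rec.subscriber_network, rec.peer_network)
        scores_by_row[base + ("Rx",)].append(rec.mos_cq_rx)
        scores_by_row[base + ("Tx",)].append(rec.mos_cq_tx)

    rows = {}
    for key, scores in scores_by_row.items():
        total = len(scores)
        poor = sum(1 for s in scores if s < threshold)
        pct_poor = 100.0 * poor / total
        rows[key] = {
            "total_calls": total,
            "poor_calls": poor,
            "pct_poor": pct_poor,
            "colour": colour_for(pct_poor),
            "histogram": Counter(range_label(s) for s in scores),
        }
    return rows


# Constructed sample: ten calls from the internal network to peer-A, four to peer-B.
SAMPLE_CALLS = [
    CallRecord("10.0.0.11", "internal", "peer-A", 4.1, 4.2),
    CallRecord("10.0.0.12", "internal", "peer-A", 3.9, 3.2),
    CallRecord("10.0.0.13", "internal", "peer-A", 4.3, 4.0),
    CallRecord("10.0.0.14", "internal", "peer-A", 3.5, 4.1),
    CallRecord("10.0.0.15", "internal", "peer-A", 4.0, 4.3),
    CallRecord("10.0.0.16", "internal", "peer-A", 4.2, 3.9),
    CallRecord("10.0.0.17", "internal", "peer-A", 3.8, 4.1),
    CallRecord("10.0.0.18", "internal", "peer-A", 4.4, 4.2),
    CallRecord("10.0.0.19", "internal", "peer-A", 4.1, 3.7),
    CallRecord("10.0.0.20", "internal", "peer-A", 2.9, 4.0),
    CallRecord("10.0.0.21", "internal", "peer-B", 4.2, 4.1),
    CallRecord("10.0.0.22", "internal", "peer-B", 4.0, 4.3),
    CallRecord("10.0.0.23", "internal", "peer-B", 4.4, 4.2),
    CallRecord("10.0.0.24", "internal", "peer-B", 3.7, 3.9),
]


if __name__ == "__main__":
    for (net, peer, direction), row in sorted(summarize_by_network(SAMPLE_CALLS).items()):
        print(f"{net} -> {peer} [{direction}] total={row['total_calls']} "
              f"poor={row['poor_calls']} %poor={row['pct_poor']:.1f} "
              f"({row['colour']}) {dict(row['histogram'])}")
```

With the sample data the internal to peer-A Rx row has 2 poor calls out of 10 (20%, red) while its Tx row has 1 (10%, yellow), which is the kind of one-sided degradation the per-direction rows are meant to expose.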

Subscriber Call Quality Distribution


Overview
Use the Subscriber Metric Histogram report to display the distribution of VoIP quality measures of calls across the specified subscriber and
VoIP provider.
The report contains the following chart:
• Subscriber Metric Histogram - Histogram chart showing the number of calls in each range of quality metric scores. The
configured failure threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the
histogram bar colours

Configuring the report


Select the clusters you wish to query.
Select the VoIP Providers of interest.
Enter the Subscriber to query.
Select the quality metric to display.
If you wish to set the failure thresholds to values different from the default settings, select the Presentation tab and locate the VoIP
Quality Settings section. Set the quality threshold parameters as desired.
Finally, select a time period to monitor.

Interpreting the report


Subscriber Metric Histogram
• Shows the distribution of quality scores for the selected metric

Subscriber Call Quality Distribution


Overview
This report is accessible through a VoIP summary table drilldown only. Use the Jitter Score report to display the distribution of VoIP
quality measures for the calls corresponding to the original drilldown table row.
The report contains the following chart:
• Jitter Score - Histogram chart showing the number of calls in each range of quality metric scores. The configured failure
threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the histogram bar
colours

Configuring the report


There is no configuration necessary for this report.

Interpreting the report


Jitter Score
• Shows the distribution of the Jitter score of VoIP calls

Subscriber Call Quality Distribution


Overview
This report is accessible through a VoIP summary table drilldown only. Use the Latency Score report to display the distribution of VoIP
quality measures for the calls corresponding to the original drilldown table row.
The report contains the following chart:
• Latency Score - Histogram chart showing the number of calls in each range of quality metric scores. The configured failure
threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the histogram bar
colours

Configuring the report


There is no configuration necessary for this report.

Interpreting the report


Latency Score
• Shows the distribution of the Latency score of VoIP calls

Subscriber Call Quality Distribution


Overview
This report is accessible through a VoIP summary table drilldown only. Use the MOS-CQ Score report to display the distribution of VoIP
quality measures for the calls corresponding to the original drilldown table row.
The report contains the following chart:
• MOS-CQ Score - Histogram chart showing the number of calls in each range of quality metric scores. The configured failure
threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the histogram bar
colours

Configuring the report


There is no configuration necessary for this report.

Interpreting the report


MOS-CQ Score
• Shows the distribution of the MOS-CQ score of VoIP calls

Subscriber Call Quality Distribution


Overview
This report is accessible through a VoIP summary table drilldown only. Use the MOS-EP Score report to display the distribution of the
MOS-EP quality score for the calls corresponding to the original drilldown table row.
The report contains the following chart:
• MOS-EP Score - Histogram chart showing the number of calls in each range of quality metric scores. The configured failure
threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the histogram bar
colours

Configuring the report


There is no configuration necessary for this report.

Interpreting the report


MOS-EP Score
• Shows the distribution of the MOS-EP score of VoIP calls

Subscriber Call Quality Distribution


Overview
This report is accessible through a VoIP summary table drilldown only. Use the MOS-G.107 Score report to display the distribution of the
MOS-G.107 quality score for the calls corresponding to the original drilldown table row.
The report contains the following chart:
• MOS-G.107 Score - Histogram chart showing the number of calls in each range of quality metric scores. The configured
failure threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the histogram
bar colours

Configuring the report


There is no configuration necessary for this report.

Interpreting the report


MOS-G.107 Score
• Shows the distribution of the MOS-G.107 score of VoIP calls

Subscriber Call Quality Distribution


Overview
This report is accessible through a VoIP summary table drilldown only. Use the MOS-LQ Score report to display the distribution of the
MOS-LQ quality score for the calls corresponding to the original drilldown table row.
The report contains the following chart:
• MOS-LQ Score - Histogram chart showing the number of calls in each range of quality metric scores. The configured failure
threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the histogram bar
colours

Configuring the report


There is no configuration necessary for this report.

Interpreting the report


MOS-LQ Score
• Shows the distribution of the MOS-LQ score of VoIP calls

Subscriber Call Quality Distribution


Overview
This report is accessible through a VoIP summary table drilldown only. Use the Packet Loss Score report to display the distribution of the
packet loss quality score for the calls corresponding to the original drilldown table row.
The report contains the following chart:
• Packet Loss Score - Histogram chart showing the number of calls in each range of quality metric scores. The configured
failure threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the histogram
bar colours

Configuring the report


There is no configuration necessary for this report.

Interpreting the report


Packet Loss Score
• Shows the distribution of the Packet Loss score of VoIP calls
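All seven Subscriber Call Quality Distribution reports above bucket calls by one metric and colour each bar by the configured failure threshold. The following is an added example, not code from Network Demographics, showing that bucketing and the one detail the histograms hide: the threshold is applied in opposite directions for MOS scores (a call fails when the score is below the threshold) and for jitter, latency and packet loss (a call fails when the value is above it). The call records and the threshold values are constructed for illustration; the report's real defaults are not stated on this page.

```python
import math
from collections import Counter

# Constructed per-call scores for illustration; not data from any Sandvine element.
CALLS = [
    {"mos_cq": 4.3, "jitter_ms": 8.0,   "packet_loss_pct": 0.1},
    {"mos_cq": 3.9, "jitter_ms": 22.0,  "packet_loss_pct": 0.4},
    {"mos_cq": 3.1, "jitter_ms": 61.0,  "packet_loss_pct": 2.5},
    {"mos_cq": 2.4, "jitter_ms": 140.0, "packet_loss_pct": 7.0},
    {"mos_cq": 4.1, "jitter_ms": 15.0,  "packet_loss_pct": 0.0},
]

# Assumed failure thresholds (illustrative values, not the report's defaults).
# The direction is what matters: MOS is higher-is-better, the others are
# lower-is-better.
THRESHOLDS = {
    "mos_cq":          (3.6,  "higher_is_better"),
    "jitter_ms":       (50.0, "lower_is_better"),
    "packet_loss_pct": (2.0,  "lower_is_better"),
}


def is_poor(metric, value):
    """Apply the failure threshold in the direction appropriate to the metric."""
    threshold, direction = THRESHOLDS[metric]
    if direction == "higher_is_better":
        return value < threshold
    return value > threshold


def histogram(calls, metric, bin_width):
    """Bucket calls by metric value; each bucket is split into good and poor
    exactly as the report colours its histogram bars.
    Returns {(bin_lower_edge, "good" | "poor"): count}."""
    counts = Counter()
    for call in calls:
        value = call[metric]
        lower = math.floor(value / bin_width) * bin_width
        counts[(lower, "poor" if is_poor(metric, value) else "good")] += 1
    return counts


def poor_call_ratio(calls, metric):
    """Share of calls the configured threshold marks as poor for one metric."""
    return sum(is_poor(metric, c[metric]) for c in calls) / len(calls)
```

With a bin width of 0.5 the MOS-CQ histogram puts two calls in the 4.0 bucket, one in 3.5, and the two failing calls in the 3.0 and 2.0 buckets; the same five calls give a different poor-call ratio for each metric, which is why the guide offers one distribution report per metric.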

Subscriber Poor Call History


Overview
Use the Subscriber Poor Call History report to view the historic call details of poor calls associated with a specific subscriber. The report
consists of a single table with the same structure as the Subscriber Call Log report, except that only poor calls from the selected time
range are displayed. In general, the detailed records of older good quality calls are not kept for any significant period of time; only poor
quality calls are archived.

History of Poor Calls - Displays the details of older poor quality calls only.
Field               Description
Subscriber          The name of the subscriber or subscriber IP address.
Peer                IP or phone number of the peer, if available.
VoIP Provider       The VoIP provider for the VoIP calls.
Subscriber Network  The network associated with the subscriber.
Peer Network        The network associated with the peer.
Element             The Sandvine element that detected the call.
Start Time          The start time of the call.
Call Time           The duration of the call.
MOS-CQ Rx           The MOS-CQ score of the receiving side of the call.
MOS-CQ Tx           The MOS-CQ score of the transmitting side of the call.
Jitter Rx           The jitter (in milliseconds) of the receiving side of the call.
Jitter Tx           The jitter (in milliseconds) of the transmitting side of the call.
Packet Loss Rx      The packet loss (as a percentage) of the receiving side of the call.
Packet Loss Tx      The packet loss (as a percentage) of the transmitting side of the call.

Configuring the report


Select the clusters you wish to query.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
for the Destination Network.
Select the VoIP Providers of interest.
Enter the Subscriber to query.
If you wish to set the failure thresholds to values different from the default settings, select the Presentation tab and locate the VoIP
Quality Settings section. Set the quality threshold parameters as desired.
Finally, select a time period to monitor.

Interpreting the report


History of Poor Calls
• This table shows an archive of historic poor calls associated with a subscriber
• Examining a user's history of poor calls can help determine whether quality issues occur when the subscriber is always dialing
the call, for example, or when the call is between a specific pair of networks, or when a specific VoIP provider is used.

Note: What the History of Poor Calls database considers a poor call is independent of the failure
threshold settings in Network Demographics. The metric thresholds are configurable by the user and
are meant to be flexible; the rules for saving poor call details, however, are fixed.

Subscriber Summary
Overview
Use the VoIP Quality of Experience by Subscriber Summary report to see a summary of calls made by a specific subscriber.
The report contains the following table:

Subscriber VoIP Call Quality Summary - Displays the number of measured calls and the total duration based on the VoIP Provider and
protocol
Field          Description
Cluster        The name of the cluster of Sandvine elements.
VoIP Provider  The name of the VoIP provider.
Subscriber     The name of the subscriber or subscriber IP address.
Protocol       The VoIP protocol used for the calls.
Total Calls    The total number of calls associated with the subscriber during the selected date range.
Call Duration  The total duration of all the calls.

From the Subscriber Summary table, you can drilldown to the following reports:
• Subscriber Call Log - Detailed log of individual calls for the subscriber for all VoIP providers.
• Subscriber Call Log by Provider - Detailed log of individual calls for the subscriber for the VoIP provider shown in the table
row.
• Subscriber Bandwidth by Protocol - Bandwidth by Protocol report for that subscriber.
Configuring the report
Select the clusters you wish to query.
Select the VoIP Protocols of interest.
Select the VoIP Providers of interest.
Enter the Subscriber to query.
Finally, select a time period to monitor.

Note: It is recommended that only the date portion of the start and end date is specified; do not set a
time. This is because the summary-level VoIP QoE data are consolidated on a per day (24 hours) basis.

Top Talkers
by Poor Calls
This report shows the top talkers with the highest number of poor quality calls, as determined by VoIP quality metrics.
Over larger periods of time, this value can increase quite dramatically.

Configuring the report


1. Select the clusters. By varying the cluster selection, you can differentiate the list of top talkers for different segments of your network
(for example, by region) based on how you have configured your clusters.
2. Select a quality metric to display.
3. Select a start and end date for the reporting interval. This allows you to determine who the Top Talkers were during a particular time.

Interpreting the report


Use this report to identify the most active subscribers on the network with the largest number of poor quality calls for the reporting
period.

Top Talkers
by Calls
This report shows the top talkers by total VoIP call volume.
Over larger periods of time, this value can increase quite dramatically.

Configuring the report


1. Select the clusters. By varying the cluster selection, you can differentiate the list of top talkers for different segments of your network
(for example, by region) based on how you have configured your clusters.
2. Select a start and end date for the reporting interval. This allows you to determine who the Top Talkers were during a particular time.

Interpreting the report


Use this report to identify the most active subscribers on the network for the reporting period.

Drilling down on a specific user


You can view additional information for a selected subscriber by clicking the table row containing the subscriber, which brings up the
drilldown menu.

The following drilldowns are available:


• Subscriber Bandwidth by Protocol
• Subscriber Bandwidth by Protocol Summary

by Duration
This report shows the top talkers by total VoIP call duration.
Over larger periods of time, this value can increase quite dramatically.

Configuring the report


1. Select the clusters. By varying the cluster selection, you can differentiate the list of top talkers for different segments of your network
(for example, by region) based on how you have configured your clusters.
2. Select a start and end date for the reporting interval. This allows you to determine who the Top Talkers were during a particular time.

Interpreting the report


Use this report to identify the most active subscribers on the network for the reporting period.

Drilling down on a specific user


You can view additional information for a selected subscriber by clicking the table row containing the subscriber, which brings up the
drilldown menu.

The following drilldowns are available:


• Subscriber Bandwidth by Protocol
• VoIP Subscriber Call Logs

Viewing Top Talkers by Provider by Duration


This report can also be configured to display call duration consolidated by VoIP provider. To create this report:
• In the "Presentation" tab, add VoIP Provider to the existing selection for both Consolidate Data By and Display Columns.

by Protocol
Bandwidth by Protocol
Overview
Use the Bandwidth by Protocol report to identify the amount of bandwidth being consumed for selected protocols. Use this information to
see the net effect of protocol traffic over the specified networks.
The report contains the following chart:
• Bandwidth by Protocol - Stacked area chart showing the amount of bandwidth consumed by each selected protocol. This is
measured as the average bitrate (bits per second) over time.
Configuring the report
Select a time period and the elements you wish to monitor for protocol bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
for the Destination Network.
Finally, select the protocols and protocol categories that you wish to monitor. It is recommended that you analyze 5-10 protocols at a
time.

Interpreting the report


Bandwidth by Protocol
• highlights the most popular protocols that are consuming network bandwidth

Note: because this data is presented as a running average, peak values may appear to scale with the
configured time interval for the report. If you are looking for higher-grain accuracy, run the report for a
shorter interval of time. The scaling results from peak values being diluted over the interval of the
report. For example, if you report on data for a one-week period, that reporting interval may be broken
up into one-hour segments within the chart. Assume that four consecutive plotted points within the
chart form the series (4, 5, 17, 5); each value is the average rate for that particular hour. If you re-run
the report with a two-week time period, the same time range has fewer bins with lower values: the
same points are now plotted as the series (4.5, 11). This happens because the two-week report must
collapse time bins, which dilutes peak values through averaging.
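The dilution described in the note is simply averaging over wider bins. The following added example (not code from Network Demographics) reproduces the note's numbers and contrasts averaging with a max-preserving rebin, so you can see how much of a short burst survives each time the chart doubles its bin width. The series values are the guide's own example; the functions and their names are assumptions made for this illustration.

```python
def rebin_average(series, factor):
    """Collapse each run of `factor` consecutive bins into one bin by averaging.
    This is what happens to the same underlying data when a report is run over
    a longer time range and the chart has to use wider time bins."""
    if factor < 1 or len(series) % factor:
        raise ValueError("series length must be a whole multiple of factor")
    return [sum(series[i:i + factor]) / factor
            for i in range(0, len(series), factor)]


def rebin_peak(series, factor):
    """Same grouping, but keep each group's maximum so short peaks survive.
    Not what the chart does; shown for contrast."""
    if factor < 1 or len(series) % factor:
        raise ValueError("series length must be a whole multiple of factor")
    return [max(series[i:i + factor]) for i in range(0, len(series), factor)]


def visible_peak_fraction(series, factor):
    """Fraction of the true peak that is still visible after averaging into
    bins `factor` times wider."""
    return max(rebin_average(series, factor)) / max(series)


# The guide's example: four consecutive one-hour averages from a one-week report.
ONE_HOUR_BINS = [4, 5, 17, 5]
```

Collapsing pairs of bins turns the 17 into 11 (about 65% of the real peak); collapsing all four leaves 7.75. A burst that is only one logging interval long can therefore disappear entirely from a long-range chart, which is the practical reason to re-run over a shorter interval before concluding that a spike did not happen.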

Connections by Protocol
Overview
Use the Connections by Protocol report to identify the number of connection attempts per protocol and network. The report contains the
following three charts:
• Connections - Stacked bar chart showing the total number of active connections during the reporting interval.
• New connections - Stacked bar chart showing the total number of new connections created during the reporting interval
• Peak connections - Stacked bar chart showing the peak number of concurrent active connections over the reporting interval.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols whose connections you wish to monitor. Selecting a large number of protocols may reduce the visibility of
these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.

Interpreting the report


Connections
• This report shows the total number of active connections in each reporting interval.
• If a connection starts in one interval and remains connected through the next few intervals, it will be counted in every one of
these intervals.
New connections
• This report shows the total number of new connections initiated in each reporting interval.
• For example, if in a single 15-minute interval Connection A starts and stops and then Connection B starts and stops, the number of
new connections in that interval is 2.

• If a connection starts in one interval and remains connected through the next few intervals, it is counted as only 1 new
connection overall, in the interval it started in.
Peak connections
• This report shows the peak number of concurrent active connections over the reporting interval.
• If a connection starts in one interval and remains connected through the next few intervals, it will be counted in every one of
those intervals.
• For example, if Connection A starts and stops, and then Connection B starts and stops, peak connections is 1. If Connection A
starts, then Connection B starts, then Connection A ends, then Connection B ends, peak connections is 2.

Hosts by Protocol
Overview
Use the Hosts by Protocol report to identify the number of hosts using the specified protocols. By default, the Hosts by Protocol report
contains a single chart showing the maximum number of unique hosts seen in a single PTS logging interval per protocol and network. The
report has two optional components.
• Hosts - Stacked bar chart showing the maximum number of unique hosts that had active connections in a single PTS logging
interval for the specified protocols.
• Peak Hosts (optional) - Stacked bar chart used for legacy purposes.
• New Hosts (optional) - Stacked bar chart showing the total number of hosts that started a connection in each reporting
interval for the specified protocols.

Configuring the report
Select a time period and the elements you wish to monitor for host stats. You can build virtual clusters of Sandvine elements using the
Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols whose host counts you wish to monitor. Selecting a large number of protocols may reduce the visibility of
these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.

Interpreting the report


Hosts
• This report shows the maximum number of unique hosts that had active connections in a single PTS logging interval (by
default 15 minutes) for the specified protocols.
• If a host starts and stops multiple times during the same reporting interval, it will only be counted once.
• If a host starts a connection in Interval 1 and remains connected through Intervals 2 and 3, it is counted in all three
reporting intervals.
• When the reporting interval spans multiple logging intervals, the peak value of the intervals will be used.
Peak hosts
• This report is inactive by default.
• When activated, it can be used to show any historic peak hosts count collected with PTS 5.4. After upgrading to PTS 5.5,
however, this report will show a zero count from the date of the upgrade.
New hosts
• This report is inactive by default.
• When activated, it will show the total number of hosts that started one or more connections in each reporting interval.
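The counting rules spelled out for Connections by Protocol (active, new and peak connections) and Hosts by Protocol (unique and new hosts) share one mechanism: each connection is placed into every logging interval it overlaps, and only into the one it started in when counting "new". The following added example (not code from the PTS or Network Demographics) implements those rules over constructed connection records; the 15-minute interval is the default the guide names, while the record format and function names are assumptions for this illustration.

```python
from dataclasses import dataclass

INTERVAL_MINUTES = 15   # the default PTS logging interval named in the guide


@dataclass(frozen=True)
class Connection:
    host: str
    start: int   # minutes from the start of the reporting window
    end: int     # half-open: the connection is active for start <= t < end


# Constructed connection records spanning three 15-minute logging intervals.
CONNECTIONS = [
    Connection("h1", 0, 10),
    Connection("h2", 5, 8),
    Connection("h1", 12, 40),   # starts in interval 0, survives into 1 and 2
    Connection("h3", 20, 25),
    Connection("h3", 26, 28),   # same host again inside interval 1: one host, two connections
    Connection("h2", 31, 44),
]


def overlaps(conn, lo, hi):
    return conn.start < hi and conn.end > lo


def interval_metrics(conns, lo, hi):
    """The five counters behind the Connections and Hosts by Protocol charts
    for one logging interval [lo, hi)."""
    active = [c for c in conns if overlaps(c, lo, hi)]
    new = [c for c in active if lo <= c.start < hi]
    # Peak concurrency: begin with connections already open at `lo`, then
    # sweep the start/end events inside the interval. Sorting (time, delta)
    # puts an end (-1) before a start (+1) at the same minute, so connection B
    # starting exactly when A ends yields a peak of 1, not 2.
    current = sum(1 for c in active if c.start < lo)
    peak = current
    events = sorted([(c.start, +1) for c in new]
                    + [(c.end, -1) for c in active if c.end <= hi])
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return {
        "connections": len(active),
        "new_connections": len(new),
        "peak_connections": peak,
        "hosts": len({c.host for c in active}),
        "new_hosts": len({c.host for c in new}),
    }


def report(conns, n_intervals, length=INTERVAL_MINUTES):
    """Per-interval rows plus the Hosts chart's high-water mark, which takes the
    maximum unique-host count across the logging intervals it spans."""
    rows = [interval_metrics(conns, i * length, (i + 1) * length)
            for i in range(n_intervals)]
    return rows, max(r["hosts"] for r in rows)
```

Run over the sample, the long-lived h1 connection is counted as active in all three intervals but as new only in the first, the two back-to-back h3 connections count as two new connections but one host, and the Hosts high-water mark is 2 even though the window saw three distinct hosts, because no single interval contained all three.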

Web Browsing
Top URLs
Overview
The Top URL report indicates the total number of requests associated with the top N URLs for the reporting period.
The report contains the following table:
Field Description
URL The URL
Hits Total number of hits seen against the URL during the reporting period.

Configuring the report


Select a time period and the clusters you wish to monitor.

Note: You can roll up the URLs to show just the primary domains. For example:
channel1.facebook.com, channel2.facebook.com, channel3.facebook.com can all be consolidated into
*.facebook.com. This setting is located in the "Presentation" tab, under the "Data Manipulation" section.
Open the advanced configuration section to find the "Roll up HTTP domains" checkbox. Check this box to
enable URL roll up.

Interpreting the report


• The report shows the Top N URLs accessed by users on the selected networks, based on hits. The default value of N is 100.
• The report has drilldown options. Click on a row and the drilldown menu will offer a link to the DNS WHOIS lookup for that
domain.
• Use this report to ascertain the impact of a specific URL on the network; for example, whether 25% of all requests on the
network are directed at one URL.


Top URLs Histogram


Overview
The Top URL Histogram report indicates the most requested URL names for the reporting period.
The report contains the following chart:
• Top URL - Histogram chart showing the total hits for the most popular URL names.
Configuring the report
Select a time period and the clusters you wish to monitor.

Note: You can roll up the URLs to show just the primary domains. For example:
channel1.facebook.com, channel2.facebook.com, channel3.facebook.com can all be consolidated into
*.facebook.com. This setting is located in the "Presentation" tab, under the "Data Manipulation" section.
Open the advanced configuration section to find the "Roll up HTTP domains" checkbox. Check this box to
enable URL roll up.

Interpreting the report


• The report shows the Top N URLs accessed by users on the selected networks, based on hits. The default value of N is 10.
• Use this report to ascertain the impact of a specific URL on the network; for example, whether 25% of all requests on the
network are directed at one URL.
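The "Roll up HTTP domains" option used by both the Top URLs and Top URLs Histogram reports collapses hostnames to their primary domain before counting hits. The following added example (not Network Demographics code; the guide does not say how its roll-up decides where a domain ends) implements that roll-up and the top-N and share-of-requests questions the reports answer. It uses a deliberately tiny public-suffix table, marked as an assumption, to show the one caveat that matters when you rely on rolled-up figures: a naive "last two labels" rule would merge every co.uk site into one row.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Illustrative public-suffix entries (assumption). A real roll-up needs the
# full Public Suffix List (publicsuffix.org); keeping just the last two labels
# would file news.bbc.co.uk under *.co.uk together with every other UK site.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "ac.uk", "com.au"}


def registrable_domain(host):
    """Longest matching public suffix plus one label, or None if the host is
    itself a public suffix or uses a suffix we do not know."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def roll_up(url):
    """Map a URL or bare hostname to the '*.<domain>' form the report shows."""
    host = urlsplit(url if "//" in url else "//" + url).hostname
    if host is None:
        return url
    try:
        ipaddress.ip_address(host)
        return host                      # IP literals have no domain to roll up
    except ValueError:
        pass
    domain = registrable_domain(host)
    return f"*.{domain}" if domain else host


def top_urls(hits, n=100, rolled=False):
    """Top-N (entry, hits) pairs, with or without domain roll-up."""
    counts = Counter(roll_up(u) if rolled else u for u in hits)
    return counts.most_common(n)


def top_share(hits, rolled=False):
    """The single most requested entry and its fraction of all requests: the
    '25% of all requests' question the guide suggests asking."""
    counts = Counter(roll_up(u) if rolled else u for u in hits)
    entry, count = counts.most_common(1)[0]
    return entry, count / sum(counts.values())


# Constructed request log of nine hits; not from any real network.
SAMPLE_HITS = (
    ["http://channel1.facebook.com/a"] * 3
    + ["http://channel2.facebook.com/b"] * 2
    + ["http://channel3.facebook.com/c"]
    + ["http://news.bbc.co.uk/"] * 2
    + ["http://192.0.2.10/update"]
)
```

Without roll-up the top entry is channel1.facebook.com with a third of the requests; with roll-up the three channels merge into *.facebook.com at two thirds, which is the kind of concentration the "impact of a specific URL" question is meant to surface.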


Subscriber Lookup
Lookup Attribute History by Name
Overview
Use the Attribute Assignment Histogram by Name report to examine the attribute assignment history of specified users.
The report contains the following table:
Field            Description
Subscriber       The name of the subscriber.
Attribute Type   The name of the subscriber attribute definition.
Attribute Value  The value of the subscriber attribute.
Audit Event      The audit event that occurred.
Audit Time       The time the event occurred.

Configuring the report


1. Enter the names of the subscribers.
2. Select the attribute of interest.
3. Select the date range.

Interpreting the report


This report can be used to determine when different attribute values are assigned to subscribers.

Lookup Attributes by Name


Overview
Use the Subscriber Attribute Lookup by Name report to identify the attributes assigned to a specific subscriber and when the attributes
were set.
The report contains the following table:
Field            Description
Subscriber       The name of the subscriber.
Attribute Type   The attribute that was set.
Attribute Value  The value assigned to the attribute.
Effective Time   Date and time when the attribute value becomes effective.

Configuring the report


Enter the subscribers of interest.

Interpreting the report


• This report is sorted by subscriber.
• Use this report to see how many attributes, and which types of attributes, have been set for a specific subscriber.

Lookup by Attribute
Overview
Use the Subscriber Lookup by Attribute report to identify which subscribers are assigned to specific attributes.
The report contains the following table:
Field           Description
Subscriber      The name of the subscriber.
Effective Time  The time the selected attribute was assigned to the subscriber.

Configuring the report


Select the attribute of interest.

Interpreting the report


This report can be used to determine which internal subscribers have been assigned the selected attribute.

Lookup by IP
Overview
Use the Subscriber Lookup by IP report to identify which subscribers were assigned to specific IP addresses during the reporting period.
The report has two components:
• Current Subscriber IPs - shows the subscriber currently assigned the specified IP.
• Subscriber IP History - shows the list of all subscribers that were associated with the IP in the past, for the specified date
range.
The reports consist of the following table:
Field       Description
Subscriber  The name of the subscriber.
IP Address  The IP address associated with the subscriber.
Login Time  The time the subscriber logged in using the indicated IP address.

Configuring the report


Enter IP addresses of interest and select a date range for the report.

Interpreting the report


This report can be used to determine which IP addresses are mapped to internal subscribers for a given period of time.

Lookup IP by Name
Overview
Use the Subscriber IP Lookup report to identify which IP addresses were assigned to specific subscribers during the reporting period.
The report has two components:
• Current Subscriber IPs - shows the list of IP addresses currently assigned to the specified subscriber.
• Subscriber IP History - shows the list of all IP addresses that were assigned to the specified subscriber in the past, for the
specified date range.
The reports contain the following table:
Field       Description
Subscriber  The name of the subscriber.
IP Address  The IP address associated with the subscriber.
Login Time  The time the subscriber logged in using the indicated IP address.

Configuring the report


Enter subscribers of interest and select a date range for the report.

Interpreting the report


This report can be used to determine which IP addresses are mapped to internal subscribers for a given period of time.

NAT Mappings
Lookup by Private IP
Overview
Use the Lookup by Private NAT IP report to map private NAT IPs to public subscriber IPs.
The report has two components:
• Current NAT Mappings - shows the current assigned private IP addresses.
• NAT Mapping History - shows the list of all private IP addresses that were associated with the public IP in the past, for the
specified date range.
The reports consist of the following table:
Field              Description
Public IP          The public NAT IP address.
Low Port           The low port in the port range.
High Port          The high port in the port range.
Private IP         The private NAT IP address.
Session Qualifier  The session qualifier value for the private IP address, if applicable.
Login Time         The time the IP addresses were logged.

Configuring the report


1. Enter the Private IP addresses
2. Select a date range

Interpreting the report


This report can be used to determine which private NAT IP addresses are mapped to public IP addresses for a given period of time.

Drilldowns
Subscriber Lookup by IP
To view the subscribers associated with the internal NAT IP address.

Lookup by Public IP
Overview
Use the Lookup by Public NAT IP report to map public NAT IPs to private subscriber IPs.
The report has two components:
• Current NAT Mappings - shows the current assigned private IP addresses.
• NAT Mapping History - shows the list of all private IP addresses that were associated with the public IP in the past, for the
specified date range.
The reports consist of the following table:
Field              Description
Public IP          The public NAT IP address.
Low Port           The low port in the port range.
High Port          The high port in the port range.
Private IP         The private NAT IP address.
Session Qualifier  The session qualifier value for the private IP address, if applicable.
Login Time         The time the IP addresses were logged.

Configuring the report


1. Enter the Public IP address
2. Enter the Low Port value (optional)
3. Enter the High Port value (optional; if a high port is provided, a low port must also be provided)
4. Use the Add button to add another IP address; Use the Remove icon beside each row to remove an IP address
5. Select a date range

Interpreting the report


This report can be used to determine which public NAT IP addresses are mapped to internal subscriber IP addresses for a given period of
time.

Drilldowns
Subscriber Lookup by IP
To view the subscribers associated with the internal NAT IP address.

Lookup IP by Name
Overview
Use the NAT IP Lookup by Name report to show the public and private NAT IP addresses of a subscriber.
The report has two components:
• Current NAT Mappings - shows the currently assigned NAT IP addresses.
• NAT Mapping History - shows the list of all NAT IP addresses that were associated with the subscriber in the past.
The reports consist of the following table:
Field              Description
Subscriber         The name of the subscriber.
Public IP          The public NAT IP address.
Low Port           The low port in the port range.
High Port          The high port in the port range.
Private IP         The private NAT IP address.
Session Qualifier  The session qualifier value for the private IP address, if applicable.
Login Time         The time the IP addresses were logged.

Configuring the report


1. Enter the Subscriber name
2. Select a date range

Interpreting the report


This report can be used to determine which NAT IP addresses are mapped to subscribers for a given period of time.
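The NAT Mappings lookups above and the Subscriber Lookup by IP report are normally run in sequence when an external complaint or log line has to be attributed to a subscriber: public IP and port at a given instant give the private IP, and the private IP at that instant gives the subscriber. The following added example (not Network Demographics code) implements that chain over constructed records. The logout_time field, the half-open validity rule and the record layout are assumptions; the guide only shows a Login Time column. The candidates function shows why a report that carries only a public IP and a date cannot be resolved to one subscriber under port-block NAT.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class NatMapping:
    public_ip: str
    low_port: int
    high_port: int
    private_ip: str
    login_time: datetime
    logout_time: Optional[datetime]   # assumed field: None while the mapping is current


@dataclass(frozen=True)
class IpAssignment:
    subscriber: str
    ip: str
    login_time: datetime
    logout_time: Optional[datetime]   # assumed field, as above


T0 = datetime(2024, 1, 1, 0, 0)
H = timedelta(hours=1)

# Constructed records. One public address is shared by several private
# addresses through disjoint port blocks, and a block is handed to a new
# private address after the first one releases it.
NAT_MAPPINGS = [
    NatMapping("203.0.113.5", 1024, 2047, "10.1.0.7",  T0,         T0 + 3 * H),
    NatMapping("203.0.113.5", 2048, 3071, "10.1.0.9",  T0,         None),
    NatMapping("203.0.113.5", 1024, 2047, "10.1.0.12", T0 + 3 * H, None),
]
IP_HISTORY = [
    IpAssignment("alice", "10.1.0.7",  T0 - 2 * H, T0 + 3 * H),
    IpAssignment("carol", "10.1.0.9",  T0,         None),
    IpAssignment("bob",   "10.1.0.12", T0 + 3 * H, None),
]


def _active(login, logout, at):
    # Half-open: a record owns the instant it was logged, not the instant it ended,
    # so a block reassigned at T owns T for the new holder only.
    return login <= at and (logout is None or at < logout)


def private_ip_for(public_ip, port, at, mappings=NAT_MAPPINGS):
    """Lookup by Public IP: public IP + port + instant -> private IP, or None."""
    hits = [m.private_ip for m in mappings
            if m.public_ip == public_ip and m.low_port <= port <= m.high_port
            and _active(m.login_time, m.logout_time, at)]
    if len(hits) > 1:
        raise ValueError(f"overlapping NAT mappings for {public_ip}:{port} at {at}")
    return hits[0] if hits else None


def subscriber_for(ip, at, history=IP_HISTORY):
    """Subscriber Lookup by IP: private IP + instant -> subscriber name, or None."""
    hits = [a.subscriber for a in history
            if a.ip == ip and _active(a.login_time, a.logout_time, at)]
    if len(hits) > 1:
        raise ValueError(f"overlapping IP assignments for {ip} at {at}")
    return hits[0] if hits else None


def attribute(public_ip, port, at):
    """The drilldown chain: NAT lookup first, then Subscriber Lookup by IP."""
    private_ip = private_ip_for(public_ip, port, at)
    return None if private_ip is None else subscriber_for(private_ip, at)


def candidates(public_ip, at, mappings=NAT_MAPPINGS, history=IP_HISTORY):
    """What a report without a source port can resolve to: every subscriber
    behind the public address at that instant."""
    subs = set()
    for m in mappings:
        if m.public_ip == public_ip and _active(m.login_time, m.logout_time, at):
            sub = subscriber_for(m.private_ip, at, history)
            if sub:
                subs.add(sub)
    return subs
```

Two practical points follow from the sample: the same public IP and port resolve to alice at T0+1h and to bob at T0+4h, so the timestamp must be converted to the same clock and time zone the Login Time column uses before the lookup; and without the port the answer at T0+1h is the set {alice, carol}, not a name.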

Subscriber Licensing
Active Subscribers
Overview
The Active Subscribers report is used to support Sandvine's commercial per-Active Subscriber software licensing model. The report
contains the following chart:
• Active Subscribers - Bar chart displaying a rolling 30-day value of the peak or high water mark number of active subscribers
in any one hour interval for the last 30 days
Configuring the report
1. Select a start date and end date for the reporting interval.
The dates will be rounded to 00:00.
The time zone for this report is not configurable.

Interpreting the report


• A subscriber is considered active when their upload and download data volume exceeds 1000 bytes within one hour.
• The "# of subscribers" measurement displayed in this report represents the peak number of unique active subscribers in a
single one hour interval for the past 30 days.
• The numeric value for each day ("d") is a rolling 30-day value of peak active subscribers for the date range from "d" to "d - 30
days".

Provisioned Subscribers
Overview
The Provisioned Subscribers report is used to support Sandvine's commercial per-Provisioned Subscriber software licensing model. The
report contains the following chart:
• Provisioned Subscribers - Bar chart displaying a rolling 30 day count of the number of unique subscribers that were active
in any one hour interval for the past 30 days
Configuring the report
1. Select a start date and end date for the reporting interval.
The dates will be rounded to 00:00.
The time zone for this report is not configurable.

Interpreting the report


• A subscriber is considered active when their upload and download data volume exceeds 1000 bytes within one hour.
• The "# of subscribers" measurement displayed in this report represents a count of the number of unique active subscribers for
the last 30 days.
• The numeric value for each day ("d") is a rolling 30 day count of unique active subscribers for the date range from "d" to "d -
30 days".
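The Active Subscribers and Provisioned Subscribers charts start from the same hourly activity test (more than 1000 bytes in an hour) but aggregate it differently over the rolling 30-day window: one takes the peak hourly count, the other the number of distinct names. The following added example (not Sandvine code) computes both from constructed hourly usage so the difference is visible. The exact window boundary (the 30 days ending at the end of day d) and the record layout are assumptions; the guide states the window only as "d" to "d - 30 days".

```python
from collections import defaultdict

ACTIVE_BYTES = 1000        # active in an hour when the volume exceeds this
HOURS_PER_DAY = 24
WINDOW_DAYS = 30


def build_sample():
    """Constructed hourly usage for 45 days: {hour_index: {subscriber: bytes}}."""
    usage = defaultdict(dict)
    for hour in range(45 * HOURS_PER_DAY):
        for sub in ("s1", "s2", "s3"):
            usage[hour][sub] = 5000          # three always-on subscribers
        usage[hour]["s10"] = 800             # chatty but never over the 1000-byte bar
    # Five extra subscribers appear on day 2, spread across three hours, so the
    # hourly peak that day is 5 while the day contributes 8 distinct names.
    for hour, subs in {10: ("s4", "s5"), 11: ("s6", "s7"), 12: ("s8",)}.items():
        for sub in subs:
            usage[2 * HOURS_PER_DAY + hour][sub] = 20000
    usage[40 * HOURS_PER_DAY + 3]["s9"] = 1500   # a single hour of use on day 40
    return usage


def active_in_hour(usage, hour):
    """Subscribers whose volume in this hour exceeds ACTIVE_BYTES."""
    return {sub for sub, nbytes in usage.get(hour, {}).items() if nbytes > ACTIVE_BYTES}


def window_hours(day, window_days=WINDOW_DAYS):
    """Hour indices in the rolling window ending with `day` (assumed boundary:
    the window closes at the end of that day)."""
    end = (day + 1) * HOURS_PER_DAY
    return range(max(0, end - window_days * HOURS_PER_DAY), end)


def active_subscribers(usage, day):
    """Active Subscribers chart: high-water mark of the hourly active counts
    over the window."""
    return max(len(active_in_hour(usage, hour)) for hour in window_hours(day))


def provisioned_subscribers(usage, day):
    """Provisioned Subscribers chart: distinct subscribers active in any hour
    of the window."""
    seen = set()
    for hour in window_hours(day):
        seen |= active_in_hour(usage, hour)
    return len(seen)
```

On day 31 the window still contains day 2, so the Active value is 5 (the busiest hour) while the Provisioned value is 8 (every name seen); a day later both drop to 3 as day 2 leaves the window. The s10 subscriber never counts toward either figure because its hourly volume never exceeds the 1000-byte bar, which is the check to make when a licensing figure looks lower than the subscriber base.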

Subscriber Attribute
Bandwidth by Attribute
Use the Subscriber Bandwidth report to examine and drill-down on the activity for specific subscribers. This report provides information on
the number of connections, downloads (bytes), uploads (bytes) and total bandwidth.

Note: to generate this report you must manually add subscribers to the Subscribers list.

Note: the 'No Protocol Detail' protocol identifies the network bandwidth consumed by a subscriber that is
not identified on a per-protocol basis, enabling the report to present the total bandwidth consumed by
the subscriber. There are two situations that can cause the 'No Protocol Detail' protocol to appear:
- not all of the protocols were selected on the configuration page.
- the Sandvine element was not configured to identify network bandwidth on a per-protocol basis for the
subscriber. For example, if the element is configured to only collect protocol-level data for top talkers,
and the user falls in and out of the top talker threshold, they may have periods of time where no
protocol detail is collected. Similarly, the element could be configured to only collect detailed data for a
subset of protocols per user, which results in the remainder of the protocols being consolidated into the
'No Protocol Detail' protocol.

Drilling down on a specific user


You can view additional information about a selected subscriber.

To view more detail about a specific subscriber:


1. Click the subscriber.
The Subscriber Bandwidth by Protocol report configuration page appears.
2. Select the desired options and run the report.

Bandwidth by Attribute
Use this report to examine the bandwidth consumption activity for groups of subscribers as a whole, grouped by subscriber attributes. This
report provides information on the number of connections, received bandwidth, and transmitted bandwidth.
This report contains the following histogram charts:
• Connections - Bar chart showing connection counts over time.
• Received Bandwidth - Area chart showing received bandwidth over time.
• Transmitted Bandwidth - Area chart showing transmitted bandwidth over time.
Configuring the report
1. Select the clusters that you wish to see bandwidth usage from. By varying the clusters selected, you can query for usage from
different portions of your network (for example, by region).
2. Select the subscriber attributes you wish to filter subscribers with. Only one attribute definition can be selected at a time, but all
values under the definition can be selected.
3. Select a start date and end date for the reporting interval.

Bandwidth by Protocol
Use this report to examine detailed bandwidth consumption activity by protocol for groups of subscribers that have specific subscriber
attributes. Use this report to identify usage trends for groups of subscribers.
This report contains the following charts:
• Connections - Bar chart showing connection counts over time.
• Received Bandwidth - Area chart showing received bandwidth over time.
• Transmitted Bandwidth - Area chart showing transmitted bandwidth over time.
Configuring the report
1. Select the clusters that you wish to see bandwidth usage from. By varying the clusters selected, you can query for usage from
different portions of your network (for example, by region).
2. Select protocols and protocol categories.
3. Select the subscriber attributes you wish to filter subscribers with. Only one attribute definition can be selected at a time, but all
values under the definition can be selected.
4. Select a start date and end date for the reporting interval.

Note: the 'No Protocol Detail' protocol identifies the network bandwidth consumed by a subscriber that is
not identified on a per-protocol basis, enabling the report to present the total bandwidth consumed by
the subscriber. There are two situations that can cause the 'No Protocol Detail' protocol to appear:
- not all of the protocols were selected on the configuration page.
- the Sandvine element was not configured to identify network bandwidth on a per-protocol basis for the
subscriber. For example, if the element is configured to only collect protocol-level data for top talkers,
and the user falls in and out of the top talker threshold, they may have periods of time where no
protocol detail is collected. Similarly, the element could be configured to only collect detailed data for a
subset of protocols per user, which results in the remainder of the protocols being consolidated into the
'No Protocol Detail' protocol.

Subscriber Count
Overview
Use the Subscriber Count by Attribute report to identify the number of subscribers with the specified attribute.
The report contains the following table:
• Attribute Value - the attribute value.
• Subscriber Count - the number of subscribers with the specified attribute value set.

Configuring the report


Select the attribute of interest.

Interpreting the report


This report can be used to determine how many subscribers currently have a particular attribute.

Subscriber Bandwidth Usage


Bandwidth
Use the Subscriber Bandwidth report to examine and drill-down on the activity for specific subscribers. This report provides information on
the number of connections, downloads (bytes), uploads (bytes) and total bandwidth.

Note: to generate this report you must manually add subscribers to the Subscribers list.

Note: the 'No Protocol Detail' protocol identifies the network bandwidth consumed by a subscriber that is
not identified on a per-protocol basis, enabling the report to present the total bandwidth consumed by
the subscriber. There are two situations that can cause the 'No Protocol Detail' protocol to appear:
- not all of the protocols were selected on the configuration page.
- the Sandvine element was not configured to identify network bandwidth on a per-protocol basis for the
subscriber. For example, if the element is configured to only collect protocol-level data for top talkers,
and the user falls in and out of the top talker threshold, they may have periods of time where no
protocol detail is collected. Similarly, the element could be configured to only collect detailed data for a
subset of protocols per user, which results in the remainder of the protocols being consolidated into the
'No Protocol Detail' protocol.

Drilling down on a specific user


You can view additional information about a selected subscriber.

To view more detail about a specific subscriber:


1. Click the subscriber.
The Subscriber Bandwidth by Protocol report configuration page appears.
2. Select the desired options and run the report.

Bandwidth by Protocol
Use this report to examine detailed network activity for specific users by protocol. This report contains three charts (Connections,
Transmitted Bandwidth and Received Bandwidth), each broken out by individual protocol and time of day. Use this report to identify usage
trends for individual subscribers.

Note: to generate this report you must manually add subscribers to the Subscribers list.

Note: the 'No Protocol Detail' protocol identifies the network bandwidth consumed by a subscriber that is
not identified on a per-protocol basis, enabling the report to present the total bandwidth consumed by
the subscriber. There are two situations that can cause the 'No Protocol Detail' protocol to appear:
- not all of the protocols were selected on the configuration page.
- the Sandvine element was not configured to identify network bandwidth on a per-protocol basis for the
subscriber. For example, if the element is configured to only collect protocol-level data for top talkers,
and the user falls in and out of the top talker threshold, they may have periods of time where no
protocol detail is collected. Similarly, the element could be configured to only collect detailed data for a
subset of protocols per user, which results in the remainder of the protocols being consolidated into the
'No Protocol Detail' protocol.

Bandwidth by Protocol Matrix


The Subscriber Bandwidth Matrix is a pivot table that allows you to summarize activity for specific users by protocol.
No value in a cell indicates no traffic was present.

Note: the 'No Protocol Detail' protocol identifies the network bandwidth consumed by a subscriber that is
not identified on a per-protocol basis, enabling the report to present the total bandwidth consumed by
the subscriber. There are two situations that can cause the 'No Protocol Detail' protocol to appear:
- not all of the protocols were selected on the configuration page.
- the Sandvine element was not configured to identify network bandwidth on a per-protocol basis for the
subscriber. For example, if the element is configured to only collect protocol-level data for top talkers,
and the user falls in and out of the top talker threshold, they may have periods of time where no
protocol detail is collected. Similarly, the element could be configured to only collect detailed data for a
subset of protocols per user, which results in the remainder of the protocols being consolidated into the
'No Protocol Detail' protocol.

Bandwidth by Protocol Summary


The Subscriber Bandwidth Summary is a tabular report that allows you to summarize all types of activity for specific users by protocol.
No value in a cell indicates no traffic was present.

Note: the 'No Protocol Detail' protocol identifies the network bandwidth consumed by a subscriber that is
not identified on a per-protocol basis, enabling the report to present the total bandwidth consumed by
the subscriber. There are two situations that can cause the 'No Protocol Detail' protocol to appear:
- not all of the protocols were selected on the configuration page.
- the Sandvine element was not configured to identify network bandwidth on a per-protocol basis for the
subscriber. For example, if the element is configured to only collect protocol-level data for top talkers,
and the user falls in and out of the top talker threshold, they may have periods of time where no
protocol detail is collected. Similarly, the element could be configured to only collect detailed data for a
subset of protocols per user, which results in the remainder of the protocols being consolidated into the
'No Protocol Detail' protocol.

Bandwidth Summary
Use the Subscriber Bandwidth Summary report to examine the activity for specific subscribers. This report provides information on the
number of connections, downloads (bytes), and uploads (bytes).

Note: to generate this report you must manually add subscribers to the Subscribers list.

Merged Bandwidth by Protocol


Use this report to examine detailed network activity for specific users by protocol. This report contains three charts (Connections,
Transmitted Bandwidth and Received Bandwidth), each broken out by individual protocol and time of day. Use this report to identify usage
trends for individual subscribers.

Note: to generate this report you must manually add subscribers to the Subscribers list.

Note: the 'No Protocol Detail' protocol identifies the network bandwidth consumed by a subscriber that is
not identified on a per-protocol basis, enabling the report to present the total bandwidth consumed by
the subscriber. There are two situations that can cause the 'No Protocol Detail' protocol to appear:
- not all of the protocols were selected on the configuration page.
- the Sandvine element was not configured to identify network bandwidth on a per-protocol basis for the
subscriber. For example, if the element is configured to only collect protocol-level data for top talkers,
and the user falls in and out of the top talker threshold, they may have periods of time where no
protocol detail is collected. Similarly, the element could be configured to only collect detailed data for a
subset of protocols per user, which results in the remainder of the protocols being consolidated into the
'No Protocol Detail' protocol.

User Bandwidth Upstream


Overview
Use the User Upstream Bandwidth Attacks report to detect a host that is maliciously attacking another.
User bandwidth attacks attempt to disable a host by overloading it with data. When the target is under attack, its inbound download pipe is
usually saturated and no legitimate traffic can be accommodated; the victim is helpless against the attack.
Bandwidth attacks are usually distributed (multiple attackers involved) and can be devastating to both the target and the network. This
type of attack can be very difficult to mitigate, especially if the attacker is able to "spoof" their source address.
Upstream bandwidth attacks are detected by measuring the amount of traffic coming from a host and comparing it against a threshold.
The threshold, which is defined in the WDTM policy files, must be set above the maximum upload rate to avoid false positives.
Depending on the network configuration and the location of core servers (e-mail, NNTP, HTTP and so forth), the WDTM may falsely identify
hosts as carrying out attacks. If this is the case, the specific hosts can be added to an "angel list".
The report contains the following table:
• Source IP Address - the IP address of the host that is carrying out the attack.
• Subscriber - the name of the subscriber associated with the IP address. If the IP address is not associated with an internal subscriber,
this column will appear empty.
• Network - the network associated with the source IP address.
• Active Time - the amount of time the attack has been on the network using bandwidth which exceeds the set threshold.
• Bandwidth - the average bit rate calculated over the active time, measured in bits-per-second.
• Packet Rate - the average packets per second calculated over the active time, measured in packets-per-second.
• Last Detected - the date and time in the current time zone that the attack was last detected.
• View Audit - if a check mark is present, an action has been applied and there is an audit log with the details. If the check mark is not
present, WDTM is monitoring traffic for this host, but no mitigation actions have been applied. This will happen if a host has not crossed
the rule's high thresholds: WDTM has identified that this is a real attack, but has only been configured to mitigate above specific
thresholds.
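Detection logic that derives the report fields above from upstream traffic counters, as an added example (not WDTM code): the per-minute counters, IP addresses, subscriber names, network ranges, detection and mitigation thresholds and the angel-list entry are all constructed assumptions, since the real thresholds live in the WDTM policy files.

```python
"""Upstream bandwidth attack detection producing the report fields above.

Added example, not WDTM code. Counters, addresses, subscriber names, networks,
thresholds and the angel-list entry are constructed; real thresholds are
defined in the WDTM policy files.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

INTERVAL_SECONDS = 60          # counters below are per one-minute interval
DETECT_BPS = 50_000_000        # assumed detection threshold, above the maximum upload rate
MITIGATE_BPS = 200_000_000     # assumed "high threshold": an action is applied above it
ANGEL_LIST = {"10.0.0.25"}     # constructed: a core mail server that legitimately uploads a lot

# Constructed IP-to-subscriber mapping and configured virtual networks.
SUBSCRIBERS = {"10.0.1.7": "alice@example.net", "10.0.1.9": "bob@example.net"}
NETWORKS = {
    "internal": ipaddress.ip_network("10.0.0.0/16"),
    "peer": ipaddress.ip_network("192.0.2.0/24"),
}

# Constructed upstream counters: (interval start, source IP, bytes sent, packets sent).
SAMPLE = [
    (datetime(2024, 3, 1, 12, 0), "10.0.1.7", 100_000, 800),               # 13 kbit/s, normal
    (datetime(2024, 3, 1, 12, 1), "10.0.1.7", 600_000_000, 500_000),       # 80 Mbit/s, detected
    (datetime(2024, 3, 1, 12, 2), "10.0.1.7", 900_000_000, 750_000),       # 120 Mbit/s, detected
    (datetime(2024, 3, 1, 12, 3), "10.0.1.7", 200_000, 900),               # back to normal
    (datetime(2024, 3, 1, 12, 1), "10.0.1.9", 2_000_000_000, 1_500_000),   # 267 Mbit/s, mitigated
    (datetime(2024, 3, 1, 12, 0), "10.0.0.25", 1_500_000_000, 1_000_000),  # angel-listed, ignored
    (datetime(2024, 3, 1, 12, 2), "192.0.2.40", 750_000_000, 600_000),     # 100 Mbit/s, no subscriber
]


def bits_per_second(byte_count):
    """Rate of one interval's byte counter."""
    return byte_count * 8 / INTERVAL_SECONDS


def network_for(ip):
    """Name of the configured virtual network containing ip, or 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "external"


def detect_upstream_attacks(records):
    """One report row per source host whose upstream rate exceeded DETECT_BPS.

    Angel-listed hosts are never reported. Active Time is the total duration
    of intervals above the detection threshold; Bandwidth and Packet Rate are
    averaged over that active time only.
    """
    hits = defaultdict(list)
    for ts, ip, nbytes, npkts in records:
        if ip in ANGEL_LIST:
            continue
        if bits_per_second(nbytes) > DETECT_BPS:
            hits[ip].append((ts, nbytes, npkts))

    rows = []
    for ip, intervals in sorted(hits.items()):
        active_seconds = INTERVAL_SECONDS * len(intervals)
        total_bytes = sum(b for _, b, _ in intervals)
        total_packets = sum(p for _, _, p in intervals)
        rows.append({
            "source_ip": ip,
            "subscriber": SUBSCRIBERS.get(ip, ""),  # empty when no internal subscriber
            "network": network_for(ip),
            "active_time_s": active_seconds,
            "bandwidth_bps": total_bytes * 8 / active_seconds,
            "packet_rate_pps": total_packets / active_seconds,
            "last_detected": max(ts for ts, _, _ in intervals).isoformat(),
            # View Audit: an action is applied only once the high threshold is crossed.
            "view_audit": any(bits_per_second(b) > MITIGATE_BPS for _, b, _ in intervals),
        })
    return rows


if __name__ == "__main__":
    for row in detect_upstream_attacks(SAMPLE):
        print(row)
```

The host at 10.0.1.7 is reported with two minutes of active time but no audit entry, because its peak rate stayed below the mitigation threshold; the angel-listed mail server never appears even though its rate exceeds both thresholds.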

Configuring the report


Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
The Flow Selection area allows you to select the egress, or direction, of the traffic from the selected networks.

Interpreting the report


• Look for spikes, which may indicate that multiple new users are infected.
• Use this report to see the history of user upstream bandwidth attacks to determine what is baseline traffic and what is a
change that requires further investigation.
Drilldowns
Malicious Bandwidth by Source
To examine the malicious bandwidth for a specific host for the reporting period, the drilldown uses the source IP address.
Bandwidth by Subscriber
To examine the bandwidth for a specific subscriber for the reporting period, the drilldown uses the source subscriber and is only available
if the source subscriber is known.
Audit Log by Detection
To examine the audit log for a specific attack, the drilldown uses the attack identification and is only available if the View Audit column
is checked. If the check mark is not present, no actions have been applied and no drilldown is available.

by Bandwidth
Received Bandwidth
This report shows the top talkers by received bandwidth.
Over larger periods of time, this value can increase quite dramatically. Some users find that converting the units that this report is
measured in to a rate (bits per second) over larger reporting intervals improves the readability of the report. This can be done on the
Presentation tab of the Configuration page by changing the Units dropdown from 'bytes' to 'bits/sec'.

Configuring the report


1. Select the clusters. By varying the cluster selection, you can differentiate the list of top talkers for different segments of your network
(for example, by region) based on how you have configured your clusters.
2. Select a start and end date for the reporting interval. This allows you to determine who the Top Talkers were during a particular time.

Interpreting the report


Use this report to identify the most active subscribers on the network for the reporting period.

Drilling down on a specific user


You can view additional information for a selected subscriber by clicking the table row containing the subscriber which will bring up the
drilldown menu.

The following drilldowns are available:


• Subscriber Bandwidth by Protocol
• Subscriber Bandwidth by Protocol Summary

Received Bandwidth Histogram


Use this report to identify the subscribers that are receiving the most bandwidth. By default, the top 10 subscribers are displayed. This is
configurable on the Presentation page.
This report contains the following chart:
• Received Bandwidth - histogram chart showing the amount of received bandwidth for each of the top subscribers.
Configuring the report
1. Select the clusters that you wish to calculate the Top Talkers from. By varying the clusters selected, you can determine who the Top
Talkers are for different portions of your network (for example, by region).
2. Select a start date and end date for the reporting interval. This allows you to determine who the Top Talkers were during a particular
interval.

Interpreting the report


• determine the subscribers who are receiving the most bandwidth on the network.

Total Bandwidth
This report shows the top talkers by total bandwidth.
Over larger periods of time, this value can increase quite dramatically. Some users find that converting the units that this report is
measured in to a rate (bits per second) over larger reporting intervals improves the readability of the report. This can be done on the
Presentation tab of the Configuration page by changing the Units dropdown from 'bytes' to 'bits/sec'.

Configuring the report


1. Select the clusters. By varying the cluster selection, you can differentiate the list of top talkers for different segments of your network
(for example, by region) based on how you have configured your clusters.
2. Select a start and end date for the reporting interval. This allows you to determine who the Top Talkers were during a particular time.

Interpreting the report


Use this report to identify the most active subscribers on the network for the reporting period.

Drilling down on a specific user


You can view additional information for a selected subscriber by clicking the table row containing the subscriber which will bring up the
drilldown menu.

The following drilldowns are available:


• Subscriber Bandwidth by Protocol
• Subscriber Bandwidth by Protocol Summary

Total Bandwidth Histogram


Use this report to identify the subscribers that are consuming the most bandwidth. By default, the top 10 subscribers are displayed. This is
configurable on the Presentation page.
This report contains the following chart:
• Total Bandwidth - histogram chart showing the amount of total bandwidth for each of the top subscribers.
Configuring the report
1. Select the clusters that you wish to calculate the Top Talkers from. By varying the clusters selected, you can determine who the Top
Talkers are for different portions of your network (for example, by region).
2. Select a start date and end date for the reporting interval. This allows you to determine who the Top Talkers were during a particular
interval.

Interpreting the report


• determine the subscribers who are consuming the most bandwidth on the network.

Transmitted Bandwidth
This report shows the top talkers by transmitted bandwidth.
Over larger periods of time, this value can increase quite dramatically. Some users find that converting the units that this report is
measured in to a rate (bits per second) over larger reporting intervals improves the readability of the report. This can be done on the
Presentation tab of the Configuration page by changing the Units dropdown from 'bytes' to 'bits/sec'.

Configuring the report


1. Select the clusters. By varying the cluster selection, you can differentiate the list of top talkers for different segments of your network
(for example, by region) based on how you have configured your clusters.
2. Select a start and end date for the reporting interval. This allows you to determine who the Top Talkers were during a particular time.

Interpreting the report


Use this report to identify the most active subscribers on the network for the reporting period.

Drilling down on a specific user


You can view additional information for a selected subscriber by clicking the table row containing the subscriber which will bring up the
drilldown menu.

The following drilldowns are available:


• Subscriber Bandwidth by Protocol
• Subscriber Bandwidth by Protocol Summary

Transmitted Bandwidth Histogram


Use this report to identify the subscribers that are transmitting the most bandwidth. By default, the top 10 subscribers are displayed. This
is configurable on the Presentation page.
This report contains the following chart:
• Transmitted Bandwidth - histogram chart showing the amount of transmitted bandwidth for each of the top subscribers.
Configuring the report
1. Select the clusters that you wish to calculate the Top Talkers from. By varying the clusters selected, you can determine who the Top
Talkers are for different portions of your network (for example, by region).
2. Select a start date and end date for the reporting interval. This allows you to determine who the Top Talkers were during a particular
interval.

Interpreting the report


• determine the subscribers who are transmitting the most bandwidth on the network.

by Connections
Connections
Use this report to identify the subscribers with the most connections. By default, the top 100 subscribers are displayed. This is
configurable on the Presentation page.

Configuring the report


1. Select the clusters that you wish to calculate the Top Talkers from. By varying the clusters selected, you can determine who the Top
Talkers are for different portions of your network (for example, by region).
2. Select a start date and end date for the reporting interval. This allows you to determine who the Top Talkers were during a particular
interval.

Drilling down on a specific user


You can view additional information for a selected subscriber by clicking the table row containing the subscriber. This will bring up the
drilldown menu.

You can drilldown to the following reports:


• Bandwidth by Subscriber
• Bandwidth by Protocol Matrix

Connections Histogram
Use this report to identify the subscribers with the most connections. By default, the top 10 subscribers are displayed. This is configurable
on the Presentation page.
This report contains the following chart:
• Connections - histogram chart showing the number of connections for each of the top subscribers.
Configuring the report
1. Select the clusters that you wish to calculate the Top Talkers from. By varying the clusters selected, you can determine who the Top
Talkers are for different portions of your network (for example, by region).
2. Select a start date and end date for the reporting interval. This allows you to determine who the Top Talkers were during a particular
interval.

Interpreting the report


• determine the subscribers who are using the most connections on the network.

by Protocol
Bandwidth by Protocol
Overview
This report shows the bandwidth by protocol consolidated for the top N users. Use this report to identify the traffic and protocol usage of
your top subscribers.

Configuring the report


1. Select the clusters you are interested in. By varying the clusters selected, you can determine who the Top Talkers are for different
portions of your network (for example, by region).
2. Select a start date and end date for the reporting interval.
3. To change the number of top subscribers, change the "Top N Subscribers" field in the Data Manipulation section of the Presentation
tab. The "Top N" parameter can be used to limit the number of protocols shown in the report.

Interpreting the report


Use this report to examine detailed network activity of the most active subscribers on the network for the reporting period.

Connections
Use this report to identify the subscribers with the most connections under the selected protocols. By default, the top 100 subscribers are
displayed. This is configurable on the Presentation page.

Configuring the report


1. Select the clusters that you wish to calculate the Top Talkers from. By varying the clusters selected, you can determine who the Top
Talkers are for different portions of your network (for example, by region).
2. Select the protocols and protocol categories that you wish to monitor.
3. Select a start date and end date for the reporting interval. This allows you to determine who the Top Talkers were during a particular
interval.

Drilling down on a specific user


You can view additional information for a selected subscriber by clicking the table row containing the subscriber. This will bring up the
drilldown menu.

You can drilldown to the following reports:


• Bandwidth by Subscriber
• Bandwidth by Protocol Matrix

Connections Histogram
Use this report to identify the subscribers with the most connections under the selected protocols. By default, the top 10 subscribers are
displayed. This is configurable on the Presentation page.
This report contains the following chart:
• Connections - histogram chart showing the number of connections for each of the top subscribers.
Configuring the report
1. Select the clusters that you wish to calculate the Top Talkers from. By varying the clusters selected, you can determine who the Top
Talkers are for different portions of your network (for example, by region).
2. Select the protocols and protocol categories that you wish to monitor.
3. Select a start date and end date for the reporting interval. This allows you to determine who the Top Talkers were during a particular
interval.

Interpreting the report


• determine the subscribers who are using the most connections on the network.

Received Bandwidth
This report shows the number of bytes downloaded by the top N users over the selected protocols. By default, the top 100 subscribers are
displayed. This is configurable on the Presentation page.

Configuring the report


1. Select the clusters that you wish to calculate the Top Talkers from. By varying the clusters selected, you can determine who the Top
Talkers are for different portions of your network (for example, by region).
2. Select the protocols and protocol categories that you wish to monitor.
3. Select a start date and end date for the reporting interval. This allows you to determine who the Top Talkers were during a particular
interval.

Drilling down on a specific user


You can view additional information for a selected subscriber by clicking the table row containing the subscriber. This will bring up the
drilldown menu.

You can drilldown to the following reports:


• Bandwidth by Subscriber
• Bandwidth by Protocol Matrix

Received Bandwidth Histogram


Use this report to identify the subscribers that are receiving the most bandwidth over the selected protocols. By default, the top 10
subscribers are displayed. This is configurable on the Presentation page.
This report contains the following chart:
• Received Bandwidth - histogram chart showing the amount of received bandwidth for each of the top subscribers.
Configuring the report
1. Select the clusters that you wish to calculate the Top Talkers from. By varying the clusters selected, you can determine who the Top
Talkers are for different portions of your network (for example, by region).
2. Select the protocols and protocol categories that you wish to monitor.
3. Select a start date and end date for the reporting interval. This allows you to determine who the Top Talkers were during a particular
interval.

Interpreting the report


• determine the subscribers who are receiving the most bandwidth on the network.

Total Bandwidth
This report shows the total bandwidth for the top N users. This is configurable on the Presentation page.

Configuring the report


1. Select the clusters that you wish to calculate the Top Talkers from. By varying the clusters selected, you can determine who the Top
Talkers are for different portions of your network (for example, by region).
2. Select the protocols and protocol categories that you wish to monitor.
3. Select a start date and end date for the reporting interval. This allows you to determine who the Top Talkers were during a particular
interval.

Interpreting the report


Use this report to identify the most active subscribers on the network for the reporting period.

Drilling down on a specific user


You can view additional information for a selected subscriber by clicking the table row containing the subscriber. This will bring up the
drilldown menu.

You can drilldown to the following reports:


• Bandwidth by Subscriber
• Bandwidth by Protocol Matrix

Total Bandwidth Histogram


Use this report to identify the subscribers that are consuming the most bandwidth. By default, the top 10 subscribers are displayed. This is
configurable on the Presentation page.
This report contains the following chart:
• Total Bandwidth - histogram chart showing the amount of total bandwidth for each of the top subscribers.
Configuring the report
1. Select the clusters that you wish to calculate the Top Talkers from. By varying the clusters selected, you can determine who the Top
Talkers are for different portions of your network (for example, by region).
2. Select the protocols and protocol categories that you wish to monitor.
3. Select a start date and end date for the reporting interval. This allows you to determine who the Top Talkers were during a particular
interval.

Interpreting the report


• determine the subscribers who are consuming the most bandwidth on the network.

Transmitted Bandwidth
This report shows the number of bytes uploaded by the top N users based on the selected protocols. By default, the top 100 subscribers
are displayed. This is configurable on the Presentation page.

Configuring the report


1. Select the clusters that you wish to calculate the Top Talkers from. By varying the clusters selected, you can determine who the Top
Talkers are for different portions of your network (for example, by region).
2. Select the protocols and protocol categories that you wish to monitor.
3. Select a start date and end date for the reporting interval. This allows you to determine who the Top Talkers were during a particular
interval.

Interpreting the report


Use this report to identify which subscribers are uploading the largest number of bytes during the reporting period.

Drilling down on a specific user


You can view additional information for a selected subscriber by clicking the table row containing the subscriber. This will bring up the
drilldown menu.

You can drilldown to the following reports:


• Bandwidth by Subscriber
• Bandwidth by Protocol Matrix

Transmitted Bandwidth Histogram


Use this report to identify the subscribers that are transmitting the most bandwidth based on the selected protocols. By default, the top 10
subscribers are displayed. This is configurable on the Presentation page.
This report contains the following chart:
• Transmitted Bandwidth - histogram chart showing the amount of transmitted bandwidth for each of the top subscribers.
Configuring the report
1. Select the clusters that you wish to calculate the Top Talkers from. By varying the clusters selected, you can determine who the Top
Talkers are for different portions of your network (for example, by region).
2. Select the protocols and protocol categories that you wish to monitor.
3. Select a start date and end date for the reporting interval. This allows you to determine who the Top Talkers were during a particular
interval.

Interpreting the report


• determine the subscribers who are transmitting the most bandwidth on the network.

by Subscriber Attribute
Received Bandwidth
This report shows the top talkers by received bandwidth and filters the subscribers who have the selected attribute values.
This report by default lists the top talkers by received bytes. Over larger periods of time, this value can increase quite dramatically. Some
users find that converting the units that this report is measured in to bytes-per-second over larger reporting intervals improves the
readability of the report. This can be done on the Presentation tab of the Configuration page by changing the Units dropdown from 'bytes'
to 'bits/sec'.

Configuring the report


1. Select the clusters. By varying the cluster selection, you can differentiate the list of top talkers for different segments of your network
(for example, by region) based on how you have configured your clusters.
2. Select the attribute values. The attribute values you select will determine which subscribers are retained for determining the list of top
talkers.
3. Select a start and end date for the reporting interval. This allows you to determine who the Top Talkers were during a particular time.

Interpreting the report


Use this report to identify the most active subscribers on the network for the reporting period who have a specific attribute value. This
report is useful for determining which subscribers in different tiers are consuming the most bandwidth on your network.

Drilling down on a specific user


You can view additional information for a selected subscriber by clicking the table row containing the subscriber which will bring up the
drilldown menu.

The following drilldowns are available:


• Subscriber Bandwidth by Protocol
• Subscriber Bandwidth by Protocol Summary

Subscriber Summary
Use the Subscriber Summary Filtered by Attribute report to examine the activity for specific subscribers that have a specific attribute set
for them. This report provides information on the number of connections, downloads (bytes), and uploads (bytes).

Note: to generate this report you must select the attribute values you wish to filter the top subscribers
by.

Note: the 'No Protocol Detail' protocol identifies the network bandwidth consumed by a subscriber that is
not identified on a per-protocol basis, enabling the report to present the total bandwidth consumed by
the subscriber. There are two situations that can cause the 'No Protocol Detail' protocol to appear:
- not all of the protocols were selected on the configuration page.
- the Sandvine element was not configured to identify network bandwidth on a per-protocol basis for the
subscriber. For example, if the element is configured to only collect protocol-level data for top talkers,
and the user falls in and out of the top talker threshold, they may have periods of time where no
protocol detail is collected. Similarly, the element could be configured to only collect detailed data for a
subset of protocols per user, which results in the remainder of the protocols being consolidated into the
'No Protocol Detail' protocol.

Total Bandwidth
This report shows the top talkers by total bandwidth and filters the subscribers who have the selected attribute values.
This report by default lists the top talkers by total bytes. Over larger periods of time, this value can increase quite dramatically. Some
users find that converting the units that this report is measured in to bytes-per-second over larger reporting intervals improves the
readability of the report. This can be done on the Presentation tab of the Configuration page by changing the Units dropdown from 'bytes'
to 'bits/sec'.

Configuring the report


1. Select the clusters. By varying the cluster selection, you can differentiate the list of top talkers for different segments of your network
(for example, by region) based on how you have configured your clusters.
2. Select the attribute values. The attribute values you select will determine which subscribers are retained for determining the list of top
talkers.
3. Select a start and end date for the reporting interval. This allows you to determine who the Top Talkers were during a particular time.

Interpreting the report


Use this report to identify the most active subscribers on the network for the reporting period who have a specific attribute value. This
report is useful for determining which subscribers in different tiers are consuming the most bandwidth on your network.

Drilling down on a specific user


You can view additional information for a selected subscriber by clicking the table row containing the subscriber which will bring up the
drilldown menu.

The following drilldowns are available:


• Subscriber Bandwidth by Protocol
• Subscriber Bandwidth by Protocol Summary

Transmitted Bandwidth
This report shows the top talkers by transmitted bandwidth and filters the subscribers who have the selected attribute values.
This report by default lists the top talkers by transmitted bytes. Over larger periods of time, this value can increase quite dramatically.
Some users find that converting the units that this report is measured in to bytes-per-second over larger reporting intervals improves the
readability of the report. This can be done on the Presentation tab of the Configuration page by changing the Units dropdown from 'bytes'
to 'bits/sec'.

Configuring the report


1. Select the clusters. By varying the cluster selection, you can differentiate the list of top talkers for different segments of your network
(for example, by region) based on how you have configured your clusters.
2. Select the attribute values. The attribute values you select will determine which subscribers are retained for determining the list of top
talkers.
3. Select a start and end date for the reporting interval. This allows you to determine who the Top Talkers were during a particular time.

Interpreting the report


Use this report to identify the most active subscribers on the network for the reporting period who have a specific attribute value. This
report is useful for determining which subscribers in different tiers are consuming the most bandwidth on your network.

Drilling down on a specific user


You can view additional information for a selected subscriber by clicking the table row containing the subscriber which will bring up the
drilldown menu.

The following drilldowns are available:


• Subscriber Bandwidth by Protocol
• Subscriber Bandwidth by Protocol Summary

Trend Analysis
Bandwidth Distribution
Use this report to see the distribution of bandwidth amongst subscribers that are consuming the most bandwidth. By default, the top 100
subscribers are displayed. This value is configurable on the Presentation page.
This report contains the following chart:
• Bandwidth Distribution - Pareto chart showing the distribution of bandwidth usage amongst top subscribers.
Configuring the report
1. Select the clusters that you wish to calculate the Top Talkers from. By varying the clusters selected, you can determine who the Top
Talkers are for different portions of your network (for example, by region).
2. Select a start date and end date for the reporting interval. This allows you to determine who the Top Talkers were during a particular
interval.
3. (optional) In the Presentation tab, select the number of top subscribers you wish to sample. The default is 100.

Interpreting the report


• The y-axis represents the percentage of top subscribers.
• The x-axis represents the percentage of bandwidth.
• An example interpretation could be that 20% of the top subscribers consume 0-5% of the total bandwidth of all the top
subscribers, and 2% of the top subscribers consume 95-100% of the total bandwidth of the top subscribers selected.
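As an added example (not code from the Network Demographics product), the following Python reproduces the Bandwidth Distribution computation: it keeps the top N subscribers, builds the cumulative Pareto curve, and then groups those subscribers into 5% bands of cumulative bandwidth in the way the example interpretation above reads ("20% of the top subscribers consume 0-5%", "2% consume 95-100%"). The per-subscriber byte counts are constructed sample values, and the lightest-to-heaviest walk used for the banding is an assumption about how the chart is built.

```python
from typing import Dict, List, Tuple

# Constructed sample data (not from the product): total bytes per subscriber
# for one reporting interval, as the Top Talkers query would return them.
SAMPLE_USAGE: Dict[str, int] = {
    "sub-01": 9_500_000_000,
    "sub-02": 4_000_000_000,
    "sub-03": 1_200_000_000,
    "sub-04": 800_000_000,
    "sub-05": 300_000_000,
    "sub-06": 120_000_000,
    "sub-07": 50_000_000,
    "sub-08": 20_000_000,
    "sub-09": 8_000_000,
    "sub-10": 2_000_000,
}


def top_talkers(usage: Dict[str, int], top_n: int = 100) -> List[Tuple[str, int]]:
    """Rank subscribers by bytes, descending, and keep the top N
    (the Presentation-tab sample size, 100 by default)."""
    ranked = sorted(usage.items(), key=lambda kv: kv[1], reverse=True)
    return ranked[:top_n]


def bandwidth_distribution(usage: Dict[str, int], top_n: int = 100) -> List[Tuple[float, float]]:
    """Cumulative Pareto points (pct_of_top_subscribers, pct_of_top_bandwidth).

    Both percentages are relative to the top-N subset only, which is why the
    chart changes when the sample size on the Presentation tab changes.
    """
    top = top_talkers(usage, top_n)
    total = sum(b for _, b in top)
    if total == 0:
        return []
    points: List[Tuple[float, float]] = []
    cumulative = 0
    for rank, (_, b) in enumerate(top, start=1):
        cumulative += b
        points.append((100.0 * rank / len(top), 100.0 * cumulative / total))
    return points


def pareto_bands(usage: Dict[str, int], top_n: int = 100,
                 band_pct: int = 5) -> Dict[Tuple[int, int], float]:
    """Percentage of the top-N subscribers that fall into each band of cumulative bandwidth.

    Assumed reading of the page's example: subscribers are walked from lightest to
    heaviest, and each is assigned to the band containing the cumulative-bandwidth
    percentage reached after adding it. The many light subscribers therefore land
    in the 0-5% band and the few heaviest in the 95-100% band.
    """
    if 100 % band_pct:
        raise ValueError("band_pct must divide 100")
    n_bands = 100 // band_pct
    counts = {(i * band_pct, (i + 1) * band_pct): 0 for i in range(n_bands)}
    top = sorted(top_talkers(usage, top_n), key=lambda kv: kv[1])  # ascending
    total = sum(b for _, b in top)
    if not top or total == 0:
        return {band: 0.0 for band in counts}
    cumulative = 0
    for _, b in top:
        cumulative += b
        pct = 100.0 * cumulative / total
        idx = min(int(pct // band_pct), n_bands - 1)  # exactly 100% belongs to the last band
        counts[(idx * band_pct, (idx + 1) * band_pct)] += 1
    return {band: 100.0 * c / len(top) for band, c in counts.items()}


if __name__ == "__main__":
    for band, pct in pareto_bands(SAMPLE_USAGE, top_n=10).items():
        if pct:
            print(f"{pct:5.1f}% of top subscribers fill the {band[0]}-{band[1]}% bandwidth band")
```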

Subscriber Summary w/Top Protocol


Overview
This report shows the total bandwidth for the top N users, along with their top protocol. The top N value is configurable on the
Presentation tab.

The report contains the following table:

Subscriber Summary with Top Protocol - Displays bandwidth information for the top N users. Fields:
• Cluster - The cluster.
• Subscriber - The subscriber name or IP.
• Top Protocol - The top protocol used by the subscriber.
• % of Total - The percentage of bandwidth of the top protocol over the total bandwidth consumed by that subscriber.
• Connections - The number of total connections across all protocols.
• Received - The total received bandwidth across all protocols.
• Transmit - The total transmitted bandwidth across all protocols.
• Total - The total bandwidth consumed by the subscriber.

From this table, you can drilldown to the following reports:


• Subscriber Bandwidth Summary - Chart of basic bandwidth over time for a specific subscriber (no protocol details)
• Subscriber Bandwidth - Table summary of basic bandwidth for a specific subscriber (no protocol details)
• Subscriber Bandwidth by Protocol - Chart of protocol bandwidth over time for a specific subscriber (for measured
protocols only)
• Subscriber Bandwidth by Protocol Summary - Table summary of protocol bandwidth statistics for a specific subscriber
(for measured protocols only)
Note: the bandwidth values in the Subscriber Summary with Top Protocol table will match the values in
the Subscriber Bandwidth reports. It is likely that the "By Protocol" reports will show less traffic, as they
contain bandwidth metrics for measured protocols only, instead of for all subscriber bandwidth.
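As an added example (not the product's own code or schema), the following Python builds the Subscriber Summary with Top Protocol rows from per-subscriber totals plus per-protocol byte counts, folds unclassified traffic into the 'No Protocol Detail' entry described in the Subscriber Summary note earlier in this chapter, and shows why a measured-protocols-only total (what the "By Protocol" drilldowns report) is smaller than the table's Total. The SubscriberRecord shape, the sample records, and the choice to let 'No Protocol Detail' count as a top protocol are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List

NO_PROTOCOL_DETAIL = "No Protocol Detail"


@dataclass
class SubscriberRecord:
    """One subscriber's totals for the reporting interval (constructed shape, not the product's schema)."""
    cluster: str
    subscriber: str          # name or IP
    connections: int         # across all protocols
    received: int            # bytes, all traffic
    transmitted: int         # bytes, all traffic
    # bytes (RX+TX) per measured protocol; traffic the element did not classify is absent here
    protocol_bytes: Dict[str, int] = field(default_factory=dict)


# Constructed sample records (not product data).
SAMPLE_RECORDS: List[SubscriberRecord] = [
    SubscriberRecord("cluster-east", "10.0.0.11", 412, 3_000_000_000, 500_000_000,
                     {"HTTP": 1_900_000_000, "BitTorrent": 1_200_000_000}),
    SubscriberRecord("cluster-east", "10.0.0.12", 88, 700_000_000, 100_000_000,
                     {"HTTP": 200_000_000}),   # only partly classified
    SubscriberRecord("cluster-west", "10.0.0.13", 25, 50_000_000, 10_000_000, {}),  # nothing classified
]


def protocol_breakdown(rec: SubscriberRecord) -> Dict[str, int]:
    """Per-protocol bytes with the unmeasured remainder folded into 'No Protocol Detail',
    so the breakdown sums to the subscriber's total as the page's note describes."""
    total = rec.received + rec.transmitted
    measured = sum(rec.protocol_bytes.values())
    breakdown = dict(rec.protocol_bytes)
    if total - measured > 0:
        breakdown[NO_PROTOCOL_DETAIL] = total - measured
    return breakdown


def measured_only_total(rec: SubscriberRecord) -> int:
    """Total as the 'By Protocol' drilldowns show it: measured protocols only."""
    return sum(rec.protocol_bytes.values())


def summary_row(rec: SubscriberRecord) -> Dict[str, object]:
    """One row of the Subscriber Summary with Top Protocol table."""
    total = rec.received + rec.transmitted
    breakdown = protocol_breakdown(rec)
    # Assumption: 'No Protocol Detail' competes for top protocol like any other entry, so a
    # subscriber whose traffic is mostly unclassified shows it as the top protocol, which is
    # a useful signal that per-protocol collection is incomplete for that subscriber.
    top_proto, top_bytes = max(breakdown.items(), key=lambda kv: kv[1]) if breakdown else ("", 0)
    return {
        "Cluster": rec.cluster,
        "Subscriber": rec.subscriber,
        "Top Protocol": top_proto,
        "% of Total": 100.0 * top_bytes / total if total else 0.0,
        "Connections": rec.connections,
        "Received": rec.received,
        "Transmit": rec.transmitted,
        "Total": total,
    }


def subscriber_summary_with_top_protocol(records: List[SubscriberRecord],
                                         top_n: int = 100) -> List[Dict[str, object]]:
    """Top N subscribers by total bandwidth, each with its top protocol and its share."""
    rows = [summary_row(r) for r in records]
    rows.sort(key=lambda r: r["Total"], reverse=True)  # type: ignore[arg-type, return-value]
    return rows[:top_n]


if __name__ == "__main__":
    for row in subscriber_summary_with_top_protocol(SAMPLE_RECORDS):
        print(row)
```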

Configuring the report


1. Select the clusters that you wish to calculate the Top Talkers from. By varying the clusters selected, you can determine who the Top
Talkers are for different portions of your network (for example, by region).
2. Select a start date and end date for the reporting interval. This allows you to determine who the Top Talkers were during a particular
interval.

Interpreting the report


Use this report to identify the most active subscribers on the network for the reporting period.

by Bandwidth
Received Bandwidth Histogram
Use this to identify the pattern of received bandwidth usage among subscribers over a specified time period. By grouping users into usage
bands, by received bandwidth, the histogram will clearly indicate the most common bandwidth ranges and help you to validate your
network tiers.
This report contains the following histogram chart:
• Received Bandwidth Histogram by Subscribers - histogram chart showing subscriber counts allocated into bandwidth
range buckets.
• Received Bandwidth Histogram by Bandwidth - histogram chart showing total bandwidth of all subscribers allocated into
bandwidth range buckets.
Configuring the report
1. Select the clusters that you wish to see bandwidth usage from. By varying the clusters selected, you can query for usage from
different portions of your network (for example, by region).
2. Configure the histogram bin. Choose Fixed Bin Sizes if you want all equal size bins. Choose and configure Custom Bin Sizes to
configure bins of varying sizes.
3. Select a start date and end date for the reporting interval.

By default, the histogram reports will show the percentage of total subscribers and bandwidth in each bin. To show the actual number of
subscribers or bandwidth, configure the report as follows:

1. Open the Presentation tab.


2. Find the Data Manipulation section and click the Advanced Configuration button to show advanced configuration parameters.
3. In the Display as Percentage dropdown, change the setting from "Totals" to "Off".

Another useful view of the data is to chart it in a pie chart instead of a histogram bar chart. To configure the report to render as a pie
chart:

1. Open the Component tab.


2. Change the Display Mechanism of the two components from "Chart (Histogram)" to "Chart (Pie)".
3. Click the Submit button.

Note: A subscriber is included in a subscriber count, as long as there is a non-zero byte count recorded
for that subscriber at any time during the reporting interval. However, often subscribers with very low
byte counts may actually be inactive; the data may be associated with offline activities. If you see a
disproportionate number of subscribers in the first bucket, and wish to exclude inactive subscribers, then
it is recommended that you switch to the Custom Bin Sizes option and change the lower value of bin 1
from 0 to a larger value.

Interpreting the report


Received Bandwidth Histogram by Subscribers
• The y-axis represents the percentage of subscribers (or the number of subscribers if configured as such).
• The x-axis contains total received bandwidth ranges.
• Each bar contains the percentage of subscribers (or the number of subscribers) that fall into that bandwidth bucket.
• Hover over each bar in the chart to see the total received bandwidth of the subscribers in that bucket in the tooltip.
• Example: Assuming the number of bins is specified as 3, and the size of each bin is specified as 10 MB. You will be able to tell
that, say, 20% of total subscribers receive between 0 - 10 MB of bandwidth, 15% receive 10-20 MB, 10% received 20-30 MB,
and all other subscribers receive more than 30 MB.
Received Bandwidth Histogram by Bandwidth
• The y-axis represents the percentage of total received bandwidth (or the actual total received bandwidth if configured as
such).
• The x-axis contains total bandwidth ranges.
• Each bar contains the total bandwidth of all subscribers that falls into each bandwidth bucket.
• Hover over each bar in the chart to see the total number of subscribers in that bucket in the tooltip.

Received Bandwidth Summary


Use this report to identify the pattern of received bandwidth usage among subscribers over a specified time period. By grouping users into
usage bands, by received bandwidth, the histogram will clearly indicate the most common bandwidth ranges and help you to validate your
network tiers.

This report contains the table:



Received Bandwidth Summary - tabular view of a histogram showing the usage of received bandwidth of all subscribers, allocated into
bandwidth range buckets. If available in your SPB version, it will also show the total received bytes, % of bandwidth, average bytes per
subscriber, and average bandwidth per subscriber for each bandwidth range.

• Bandwidth Range - The bandwidth range consumed by the subscriber.
• # of Subscribers - The number of subscribers with total received bandwidth within the bandwidth range, for the specified time period.
• % of Subscribers - The number of subscribers shown as a percentage of the total subscriber count.
• Total RX Bandwidth* - The sum of received bandwidth for all subscribers in the bandwidth range.
• % of Bandwidth* - The bandwidth value shown as a percentage of total bandwidth across all bins.
• Avg Bytes/Sub* - The average bytes consumed per subscriber in the bandwidth range, calculated as Total RX Bandwidth / # of Subscribers.
• Avg BW/Sub* - The average bandwidth rate per subscriber in the bandwidth range, in bps. This is calculated as 8 bytes * Total RX
Bandwidth / # of Subscribers / seconds in the reporting period.

* If this data does not appear, this feature is not available in your version of the SPB. Please contact Sandvine Customer Support for
more information.
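As an added example (not code from the Network Demographics product), the following Python reproduces the binning behind the Received Bandwidth Histogram and this Summary table: the Fixed Bin Sizes and Custom Bin Sizes options, the rule that only subscribers with a non-zero byte count are counted, the effect of raising the lower value of bin 1 to drop inactive subscribers, the Totals/Off display switch, and the per-bin fields including Avg Bytes/Sub and Avg BW/Sub. The byte counts and the 3600-second interval are constructed sample values; the same computation serves the Total and Transmitted variants by substituting the corresponding byte field.

```python
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample (not product data): received bytes per subscriber over
# one reporting interval of 3600 seconds.
SAMPLE_RX_BYTES: Dict[str, int] = {
    "sub-01": 0,           # seen by the element but moved no bytes: never counted
    "sub-02": 4_000,       # tiny byte count, the "probably inactive" case from the note
    "sub-03": 3_000_000,
    "sub-04": 8_000_000,
    "sub-05": 12_000_000,
    "sub-06": 19_000_000,
    "sub-07": 25_000_000,
    "sub-08": 45_000_000,
}
REPORT_SECONDS = 3600
MB = 1_000_000

# A bin is (lower bound inclusive, upper bound exclusive); None means open-ended.
Bin = Tuple[int, Optional[int]]


def fixed_bins(bin_count: int, bin_size: int) -> List[Bin]:
    """Fixed Bin Sizes: bin_count equal bins starting at 0, plus an open-ended bin above them."""
    bins: List[Bin] = [(i * bin_size, (i + 1) * bin_size) for i in range(bin_count)]
    bins.append((bin_count * bin_size, None))
    return bins


def custom_bins(edges: Sequence[int]) -> List[Bin]:
    """Custom Bin Sizes from ascending edges; edges[0] is the lower value of bin 1.
    Raising edges[0] above 0 is the page's recommended way to exclude inactive subscribers."""
    if len(edges) < 2 or list(edges) != sorted(edges):
        raise ValueError("edges must be ascending and define at least one bin")
    bins: List[Bin] = [(edges[i], edges[i + 1]) for i in range(len(edges) - 1)]
    bins.append((edges[-1], None))
    return bins


def bin_index(bins: List[Bin], value: int) -> Optional[int]:
    """Index of the bin holding value, or None if value is below the first lower bound."""
    for i, (lo, hi) in enumerate(bins):
        if value >= lo and (hi is None or value < hi):
            return i
    return None


def bandwidth_summary(rx_bytes: Dict[str, int], bins: List[Bin],
                      report_seconds: int) -> List[Dict[str, object]]:
    """One row per bin carrying the Summary table's fields.

    A subscriber is counted only with a non-zero byte count (the page's rule), and
    only if it lands inside some bin, so a raised first lower bound excludes it.
    """
    counts = [0] * len(bins)
    totals = [0] * len(bins)
    for total_bytes in rx_bytes.values():
        if total_bytes <= 0:
            continue
        i = bin_index(bins, total_bytes)
        if i is None:
            continue
        counts[i] += 1
        totals[i] += total_bytes
    n_subs = sum(counts)
    total_bw = sum(totals)
    rows: List[Dict[str, object]] = []
    for (lo, hi), c, t in zip(bins, counts, totals):
        rows.append({
            "Bandwidth Range": (lo, hi),
            "# of Subscribers": c,
            "% of Subscribers": 100.0 * c / n_subs if n_subs else 0.0,
            "Total RX Bandwidth": t,
            "% of Bandwidth": 100.0 * t / total_bw if total_bw else 0.0,
            "Avg Bytes/Sub": t / c if c else 0.0,
            # bits per second per subscriber: 8 bits per byte, averaged over the interval
            "Avg BW/Sub": 8 * t / c / report_seconds if c else 0.0,
        })
    return rows


def chart_series(rows: List[Dict[str, object]], as_percentage: bool = True) -> List[float]:
    """Bar heights for the 'by Subscribers' histogram: percentages by default
    (Display as Percentage = Totals) or raw counts when it is switched to Off."""
    key = "% of Subscribers" if as_percentage else "# of Subscribers"
    return [float(r[key]) for r in rows]  # type: ignore[arg-type]


if __name__ == "__main__":
    for r in bandwidth_summary(SAMPLE_RX_BYTES, fixed_bins(3, 10 * MB), REPORT_SECONDS):
        print(r)
```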

Configuring the report


1. Select the clusters that you wish to see bandwidth usage from. By varying the clusters selected, you can query for usage from
different portions of your network (for example, by region).
2. Configure the histogram bin. Choose Fixed Bin Sizes if you want all equal size bins. Choose and configure Custom Bin Sizes to
configure bins of varying sizes.
3. Select a start date and end date for the reporting interval.

Note: A subscriber is included in a subscriber count, as long as there is a non-zero byte count recorded
for that subscriber at any time during the reporting interval. However, often subscribers with very low
byte counts may actually be inactive; the data may be associated with offline activities. If you see a
disproportionate number of subscribers in the first bucket, and wish to exclude inactive subscribers, then
it is recommended that you switch to the Custom Bin Sizes option and change the lower value of bin 1
from 0 to a larger value.

Interpreting the report


Use this report to see usage trends of all subscribers on the network for the reporting period.

Total Bandwidth Histogram


Use this to identify the pattern of total bandwidth usage among subscribers over a specified time period. By grouping users into usage
bands, by total bandwidth, the histogram will clearly indicate the most common bandwidth ranges and help you to validate your network
tiers.
This report contains the following histogram charts:
• Total Bandwidth Histogram by Subscribers - histogram chart showing subscriber counts allocated into bandwidth range
buckets.
• Total Bandwidth Histogram by Bandwidth - histogram chart showing total bandwidth of all subscribers allocated into
bandwidth range buckets.
Configuring the report
1. Select the clusters that you wish to see bandwidth usage from. By varying the clusters selected, you can query for usage from
different portions of your network (for example, by region).
2. Configure the histogram bin. Choose Fixed Bin Sizes if you want all equal size bins. Choose and configure Custom Bin Sizes to
configure bins of varying sizes.
3. Select a start date and end date for the reporting interval.

By default, the histogram reports will show the percentage of total subscribers and bandwidth in each bin. To show the actual number of
subscribers or bandwidth, configure the report as follows:

1. Open the Presentation tab.


2. Find the Data Manipulation section and click the Advanced Configuration button to show advanced configuration parameters.
3. In the Display as Percentage dropdown, change the setting from "Totals" to "Off".

Another useful view of the data is to chart it in a pie chart instead of a histogram bar chart. To configure the report to render as a pie
chart:

1. Open the Component tab.


2. Change the Display Mechanism of the two components from "Chart (Histogram)" to "Chart (Pie)".
3. Click the Submit button.

Note: A subscriber is included in a subscriber count, as long as there is a non-zero byte count recorded
for that subscriber at any time during the reporting interval. However, often subscribers with very low
byte counts may actually be inactive; the data may be associated with offline activities. If you see a
disproportionate number of subscribers in the first bucket, and wish to exclude inactive subscribers, then
it is recommended that you switch to the Custom Bin Sizes option and change the lower value of bin 1
from 0 to a larger value.

Interpreting the report


Total Bandwidth Histogram by Subscribers
• The y-axis represents the percentage of subscribers (or the number of subscribers if configured as such).
• The x-axis contains total bandwidth ranges.
• Each bar contains the percentage of subscribers (or the number of subscribers) that fall into that bandwidth bucket.
• Hover over each bar in the chart to see the total bandwidth of the subscribers in that bucket in the tooltip.
• Example: Assuming the number of bins is specified as 3, and the size of each bin is specified as 10 MB. You will be able to tell
that, say, 20% of total subscribers use between 0 - 10 MB of bandwidth, 15% use 10-20 MB, 10% use 20-30 MB, and all
other subscribers use more than 30 MB.
Total Bandwidth Histogram by Bandwidth
• The y-axis represents the percentage of total bandwidth (or the actual total bandwidth if configured as such).
• The x-axis contains total bandwidth ranges.
• Each bar contains the total bandwidth of all subscribers that falls into each bandwidth bucket.
• Hover over each bar in the chart to see the total number of subscribers in that bucket in the tooltip.

Total Bandwidth Summary


Use this report to identify the pattern of total bandwidth usage among subscribers over a specified time period. By grouping users into
usage bands, by total bandwidth, the histogram will clearly indicate the most common bandwidth ranges and help you to validate your
network tiers.

This report contains the table:

Total Bandwidth Summary - tabular view of a histogram showing the usage of total bandwidth of all subscribers, allocated into
bandwidth range buckets. If available in your SPB version, it will also show the total bytes, % of bandwidth, average bytes per subscriber,
and average bandwidth per subscriber for each bandwidth range.

• Bandwidth Range - The bandwidth range consumed by the subscriber.
• # of Subscribers - The number of subscribers with total bandwidth within the bandwidth range, for the specified time period.
• % of Subscribers - The number of subscribers shown as a percentage of the total subscriber count.
• Total Bandwidth* - The sum of total bandwidth for all subscribers in the bandwidth range.
• % of Bandwidth* - The bandwidth value shown as a percentage of total bandwidth across all bins.
• Avg Bytes/Sub* - The average bytes consumed per subscriber in the bandwidth range, calculated as Total Bandwidth / # of Subscribers.
• Avg BW/Sub* - The average bandwidth rate per subscriber in the bandwidth range, in bps. This is calculated as 8 bytes * Total Bandwidth /
# of Subscribers / seconds in the reporting period.

* If this data does not appear, this feature is not available in your version of the SPB. Please contact Sandvine Customer Support for
more information.

Configuring the report


1. Select the clusters that you wish to see bandwidth usage from. By varying the clusters selected, you can query for usage from
different portions of your network (for example, by region).
2. Configure the histogram bin. Choose Fixed Bin Sizes if you want all equal size bins. Choose and configure Custom Bin Sizes to
configure bins of varying sizes.
3. Select a start date and end date for the reporting interval.

Note: A subscriber is included in a subscriber count, as long as there is a non-zero byte count recorded
for that subscriber at any time during the reporting interval. However, often subscribers with very low
byte counts may actually be inactive; the data may be associated with offline activities. If you see a
disproportionate number of subscribers in the first bucket, and wish to exclude inactive subscribers, then
it is recommended that you switch to the Custom Bin Sizes option and change the lower value of bin 1
from 0 to a larger value.

Interpreting the report


Use this report to see usage trends of all subscribers on the network for the reporting period.

Transmitted Bandwidth Histogram


Use this to identify the pattern of transmitted bandwidth usage among subscribers over a specified time period. By grouping users into
usage bands, by transmitted bandwidth, the histogram will clearly indicate the most common bandwidth ranges and help you to validate
your network tiers.
This report contains the following histogram chart:
• Transmitted Bandwidth Histogram by Subscribers - histogram chart showing subscriber counts allocated into bandwidth
range buckets.
• Transmitted Bandwidth Histogram by Bandwidth - histogram chart showing total bandwidth of all subscribers allocated
into bandwidth range buckets.
Configuring the report
1. Select the clusters that you wish to see bandwidth usage from. By varying the clusters selected, you can query for usage from
different portions of your network (for example, by region).
2. Configure the histogram bin. Choose Fixed Bin Sizes if you want all equal size bins. Choose and configure Custom Bin Sizes to
configure bins of varying sizes.
3. Select a start date and end date for the reporting interval.

By default, the histogram reports will show the percentage of total subscribers and bandwidth in each bin. To show the actual number of
subscribers or bandwidth, configure the report as follows:

1. Open the Presentation tab.


2. Find the Data Manipulation section and click the Advanced Configuration button to show advanced configuration parameters.
3. In the Display as Percentage dropdown, change the setting from "Totals" to "Off".

Another useful view of the data is to chart it in a pie chart instead of a histogram bar chart. To configure the report to render as a pie
chart:

1. Open the Component tab.


2. Change the Display Mechanism of the two components from "Chart (Histogram)" to "Chart (Pie)".
3. Click the Submit button.

Note: A subscriber is included in a subscriber count, as long as there is a non-zero byte count recorded
for that subscriber at any time during the reporting interval. However, often subscribers with very low
byte counts may actually be inactive; the data may be associated with offline activities. If you see a
disproportionate number of subscribers in the first bucket, and wish to exclude inactive subscribers, then
it is recommended that you switch to the Custom Bin Sizes option and change the lower value of bin 1
from 0 to a larger value.

Interpreting the report


Transmitted Bandwidth Histogram by Subscribers
• The y-axis represents the percentage of subscribers (or the number of subscribers if configured as such).
• The x-axis contains total transmitted bandwidth ranges.
• Each bar contains the percentage of subscribers (or the number of subscribers) that fall into that bandwidth bucket.
• Hover over each bar in the chart to see the total transmitted bandwidth of the subscribers in that bucket in the tooltip.
• Example: Assuming the number of bins is specified as 3, and the size of each bin is specified as 10 MB. You will be able to tell
that, say, 20% of total subscribers transmit between 0 - 10 MB of bandwidth, 15% transmit 10-20 MB, 10% transmit 20-30
MB, and all other subscribers transmit more than 30 MB.
Transmitted Bandwidth Histogram by Bandwidth
• The y-axis represents the percentage of total transmitted bandwidth (or the actual total transmitted bandwidth if configured
as such).
• The x-axis contains total bandwidth ranges.
• Each bar contains the total bandwidth of all subscribers that falls into each bandwidth bucket.
• Hover over each bar in the chart to see the total number of subscribers in that bucket in the tooltip.

Transmitted Bandwidth Summary


Use this report to identify the pattern of transmitted bandwidth usage among subscribers over a specified time period. By grouping users
into usage bands, by transmitted bandwidth, the histogram will clearly indicate the most common bandwidth ranges and help you to
validate your network tiers.

This report contains the table:

Transmitted Bandwidth Summary - tabular view of a histogram showing the usage of transmitted bandwidth of all subscribers,
allocated into bandwidth range buckets. If available in your SPB version, it will also show the total transmitted bytes, % of bandwidth,
average bytes per subscriber, and average bandwidth per subscriber for each bandwidth range.

• Bandwidth Range - The bandwidth range consumed by the subscriber.
• # of Subscribers - The number of subscribers with total transmitted bandwidth within the bandwidth range, for the specified time period.
• % of Subscribers - The number of subscribers shown as a percentage of the total subscriber count.
• Total TX Bandwidth* - The sum of transmitted bandwidth for all subscribers in the bandwidth range.
• % of Bandwidth* - The bandwidth value shown as a percentage of total bandwidth across all bins.
• Avg Bytes/Sub* - The average bytes consumed per subscriber in the bandwidth range, calculated as Total TX Bandwidth / # of Subscribers.
• Avg BW/Sub* - The average bandwidth rate per subscriber in the bandwidth range, in bps. This is calculated as 8 bytes * Total TX
Bandwidth / # of Subscribers / seconds in the reporting period.

* If this data does not appear, this feature is not available in your version of the SPB. Please contact Sandvine Customer Support for
more information.

Configuring the report


1. Select the clusters that you wish to see bandwidth usage from. By varying the clusters selected, you can query for usage from
different portions of your network (for example, by region).
2. Configure the histogram bin. Choose Fixed Bin Sizes if you want all equal size bins. Choose and configure Custom Bin Sizes to
configure bins of varying sizes.
3. Select a start date and end date for the reporting interval.

Note: A subscriber is included in a subscriber count, as long as there is a non-zero byte count recorded
for that subscriber at any time during the reporting interval. However, often subscribers with very low
byte counts may actually be inactive; the data may be associated with offline activities. If you see a
disproportionate number of subscribers in the first bucket, and wish to exclude inactive subscribers, then
it is recommended that you switch to the Custom Bin Sizes option and change the lower value of bin 1
from 0 to a larger value.

Interpreting the report


Use this report to see usage trends of all subscribers on the network for the reporting period.

by Subscriber Attribute
Received Bandwidth Histogram
Use this to identify the pattern of received bandwidth usage among subscribers over a specified time period, filtered by subscriber
attributes. By grouping users into usage bands, by received bandwidth, the histogram will clearly indicate the most common bandwidth
ranges and help you to validate your network tiers.
This report contains the following histogram chart:
• Received Bandwidth Histogram by Subscribers - histogram chart showing the counts of subscribers associated with the
selected attribute definition and values, allocated into bandwidth range buckets by received bandwidth usage.
• Received Bandwidth Histogram by Bandwidth - histogram chart showing the total received bandwidth of subscribers
associated with the selected attribute definition and values, allocated into bandwidth range buckets by received bandwidth
usage.
Configuring the report
1. Select the clusters that you wish to see bandwidth usage from. By varying the clusters selected, you can query for usage from
different portions of your network (for example, by region).
2. Select the subscriber attributes you wish to filter subscribers with. Only one attribute definition can be selected at a time, but all
values under the definition can be selected.
3. Configure the histogram bin. Choose Fixed Bin Sizes if you want all equal size bins. Choose and configure Custom Bin Sizes to
configure bins of varying sizes.
4. Select a start date and end date for the reporting interval.

By default, the histogram report will show the percentage of total subscribers in each bin.

To show the number of subscribers or bandwidth in each bin, configure the report as follows:
1. Open the Presentation tab.
2. Find the Data Manipulation section and click the Advanced Configuration button to show advanced configuration parameters.
3. In the Display as Percentage dropdown, change the setting from "Totals" to "Off".

To show the percentage of subscribers per bin or bandwidth, configure the report as follows:
1. Open the Presentation tab.
2. In the Chart Enhancements section, find the Chart Layering Method dropdown and change the setting to "Percentage".
3. Find the Data Manipulation section and click the Advanced Configuration button to show advanced configuration parameters.
4. In the Display as Percentage dropdown, change the setting from "Totals" to "Off".

To show each attribute value in a separate bar, configure the report as follows:
1. Open the Presentation tab.
2. In the Chart Enhancements section, find the Chart Layering Method dropdown and change the setting to "Side by Side".

Note: A subscriber is included in a subscriber count, as long as there is a non-zero byte count recorded
for that subscriber at any time during the reporting interval. However, often subscribers with very low
byte counts may actually be inactive; the data may be associated with offline activities. If you see a
disproportionate number of subscribers in the first bucket, and wish to exclude inactive subscribers, then
it is recommended that you switch to the Custom Bin Sizes option and change the lower value of bin 1
from 0 to a larger value.

Interpreting the report


Use this report to correlate the number of subscribers in each bandwidth usage band with their overall bandwidth consumption.

Received Bandwidth Histogram by Subscribers


• The y-axis represents the percentage of subscribers (or the number of subscribers if configured as such).
• The x-axis contains received bandwidth ranges.
• Example: Assuming the number of bins is specified as 3 and the size of each bin is specified as 10 MB, you will be able to tell
that, say, 20% of total subscribers use between 0 - 10 MB of bandwidth, 15% use 10-20 MB, 10% use 20-30 MB, and all
other subscribers use more than 30 MB.
Received Bandwidth Histogram by Bandwidth
• The y-axis represents the percentage of bandwidth (or the bandwidth amount if configured as such).
• The x-axis contains received bandwidth ranges.
• Each bar contains the total received bandwidth of all subscribers that falls into each bandwidth bucket.

Received Bandwidth Summary


Use this report to identify the pattern of received bandwidth usage among subscribers over a specified time period, filtered by subscriber
attributes. By grouping users into usage bands, by received bandwidth, the histogram will clearly indicate the most common bandwidth
ranges and help you to validate your network tiers.

This report contains the table:

Received Bandwidth Summary - tabular view of a histogram showing the usage of received bandwidth of all subscribers associated
with the selected attribute definition and values, allocated into bandwidth range buckets. If available in your SPB version, it will also show
the total received bytes, % of bandwidth, average bytes per subscriber, and average bandwidth per subscriber for each bandwidth range.

• Attribute Value - The attribute value of the subscribers in the histogram.
• Bandwidth Range - The bandwidth range consumed by the subscriber.
• # of Subscribers - The number of subscribers with total received bandwidth within the bandwidth range, for the specified time period.
• % of Subscribers - The number of subscribers shown as a percentage of the total subscriber count.
• Total RX Bandwidth* - The sum of received bandwidth for all subscribers in the bandwidth range.
• % of Bandwidth* - The bandwidth value shown as a percentage of total bandwidth across all bins.
• Avg Bytes/Sub* - The average bytes consumed per subscriber in the bandwidth range, calculated as Total RX Bandwidth / # of Subscribers.
• Avg BW/Sub* - The average bandwidth rate per subscriber in the bandwidth range, in bps. This is calculated as 8 (bits per byte) * Total RX
Bandwidth (bytes) / # of Subscribers / seconds in the reporting period.

* If this data does not appear, this feature is not available in your version of the SPB. Please contact Sandvine Customer Support for
more information.

Configuring the report


1. Select the clusters that you wish to see bandwidth usage from. By varying the clusters selected, you can query for usage from
different portions of your network (for example, by region).
2. Select the subscriber attributes you wish to filter subscribers with. Only one attribute definition can be selected at a time, but all
values under the definition can be selected.
3. Configure the histogram bin. Choose Fixed Bin Sizes if you want all equal size bins. Choose and configure Custom Bin Sizes to
configure bins of varying sizes.
4. Select a start date and end date for the reporting interval.

Note: A subscriber is included in a subscriber count, as long as there is a non-zero byte count recorded
for that subscriber at any time during the reporting interval. However, often subscribers with very low
byte counts may actually be inactive; the data may be associated with offline activities. If you see a
disproportionate number of subscribers in the first bucket, and wish to exclude inactive subscribers, then
it is recommended that you switch to the Custom Bin Sizes option and change the lower value of bin 1
from 0 to a larger value.

Interpreting the report


Use this report to see usage trends of all subscribers on the network for the reporting period.

Total Bandwidth Histogram


Use this to identify the pattern of total bandwidth usage among subscribers over a specified time period, filtered by subscriber attributes.
By grouping users into usage bands based on their total bandwidth consumption, the histogram will clearly indicate the most common
bandwidth ranges and help you to validate your network tiers.
This report contains the following histogram charts:
• Total Bandwidth Histogram by Subscribers - histogram chart showing the counts of subscribers associated with the
selected attribute definition and values, allocated into bandwidth range buckets by total bandwidth usage.
• Total Bandwidth Histogram by Bandwidth - histogram chart showing the total bandwidth of subscribers associated with
the selected attribute definition and values, allocated into bandwidth range buckets by total bandwidth usage.
Configuring the report
1. Select the clusters that you wish to see bandwidth usage from. By varying the clusters selected, you can query for usage from
different portions of your network (for example, by region).
2. Select the subscriber attributes you wish to filter subscribers with. Only one attribute definition can be selected at a time, but all
values under the definition can be selected.
3. Configure the histogram bin. Choose Fixed Bin Sizes if you want all equal size bins. Choose and configure Custom Bin Sizes to
configure bins of varying sizes.
4. Select a start date and end date for the reporting interval.

By default, the histogram report will show the percentage of total subscribers in each bin.

To show the number of subscribers or bandwidth in each bin, configure the report as follows:
1. Open the Presentation tab.
2. Find the Data Manipulation section and click the Advanced Configuration button to show advanced configuration parameters.
3. In the Display as Percentage dropdown, change the setting from "Totals" to "Off".

To show the percentage of subscribers per bin or bandwidth, configure the report as follows:
1. Open the Presentation tab.
2. In the Chart Enhancements section, find the Chart Layering Method dropdown and change the setting to "Percentage".
3. Find the Data Manipulation section and click the Advanced Configuration button to show advanced configuration parameters.
4. In the Display as Percentage dropdown, change the setting from "Totals" to "Off".

To show each attribute value in a separate bar, configure the report as follows:
1. Open the Presentation tab.
2. In the Chart Enhancements section, find the Chart Layering Method dropdown and change the setting to "Side by Side".

Note: A subscriber is included in a subscriber count, as long as there is a non-zero byte count recorded
for that subscriber at any time during the reporting interval. However, often subscribers with very low
byte counts may actually be inactive; the data may be associated with offline activities. If you see a
disproportionate number of subscribers in the first bucket, and wish to exclude inactive subscribers, then
it is recommended that you switch to the Custom Bin Sizes option and change the lower value of bin 1
from 0 to a larger value.

Interpreting the report


Use this report to correlate the number of subscribers in each bandwidth usage band with their overall bandwidth consumption.

Total Bandwidth Histogram by Subscribers


• The y-axis represents the percentage of subscribers (or the number of subscribers if configured as such).
• The x-axis contains total bandwidth ranges.
• Example: Assuming the number of bins is specified as 3 and the size of each bin is specified as 10 MB, you will be able to tell
that, say, 20% of total subscribers use between 0 - 10 MB of bandwidth, 15% use 10-20 MB, 10% use 20-30 MB, and all
other subscribers use more than 30 MB.
Total Bandwidth Histogram by Bandwidth
• The y-axis represents the percentage of bandwidth (or the bandwidth amount if configured as such).
• The x-axis contains total bandwidth ranges.
• Each bar contains the total bandwidth of all subscribers that falls into each bandwidth bucket.

Total Bandwidth Summary


Use this report to identify the pattern of total bandwidth usage among subscribers over a specified time period, filtered by subscriber
attributes. By grouping users into usage bands, by total bandwidth, the histogram will clearly indicate the most common bandwidth ranges
and help you to validate your network tiers.

This report contains the table:

Total Bandwidth Summary - tabular view of a histogram showing the usage of total bandwidth of all subscribers associated with the
selected attribute definition and values, allocated into bandwidth range buckets. If available in your SPB version, it will also show the total
bytes, % of bandwidth, average bytes per subscriber, and average bandwidth per subscriber for each bandwidth range.

• Attribute Value - The attribute value of the subscribers in the histogram.
• Bandwidth Range - The bandwidth range consumed by the subscriber.
• # of Subscribers - The number of subscribers with total bandwidth within the bandwidth range, for the specified time period.
• % of Subscribers - The number of subscribers shown as a percentage of the total subscriber count.
• Total Bandwidth* - The sum of total bandwidth for all subscribers in the bandwidth range.
• % of Bandwidth* - The bandwidth value shown as a percentage of total bandwidth across all bins.
• Avg Bytes/Sub* - The average bytes consumed per subscriber in the bandwidth range, calculated as Total Bandwidth / # of Subscribers.
• Avg BW/Sub* - The average bandwidth rate per subscriber in the bandwidth range, in bps. This is calculated as 8 (bits per byte) * Total
Bandwidth (bytes) / # of Subscribers / seconds in the reporting period.

* If this data does not appear, this feature is not available in your version of the SPB. Please contact Sandvine Customer Support for
more information.

Configuring the report


1. Select the clusters that you wish to see bandwidth usage from. By varying the clusters selected, you can query for usage from
different portions of your network (for example, by region).
2. Select the subscriber attributes you wish to filter subscribers with. Only one attribute definition can be selected at a time, but all
values under the definition can be selected.
3. Configure the histogram bin. Choose Fixed Bin Sizes if you want all equal size bins. Choose and configure Custom Bin Sizes to
configure bins of varying sizes.
4. Select a start date and end date for the reporting interval.

Note: A subscriber is included in a subscriber count, as long as there is a non-zero byte count recorded
for that subscriber at any time during the reporting interval. However, often subscribers with very low
byte counts may actually be inactive; the data may be associated with offline activities. If you see a
disproportionate number of subscribers in the first bucket, and wish to exclude inactive subscribers, then
it is recommended that you switch to the Custom Bin Sizes option and change the lower value of bin 1
from 0 to a larger value.

Interpreting the report


Use this report to see usage trends of all subscribers on the network for the reporting period.

Transmitted Bandwidth Histogram


Use this to identify the pattern of transmitted bandwidth usage among subscribers over a specified time period. By grouping users into
usage bands, by transmitted bandwidth, the histogram will clearly indicate the most common bandwidth ranges and help you to validate
your network tiers.
This report contains the following histogram charts:
• Transmitted Bandwidth Histogram by Subscribers - histogram chart showing the counts of subscribers associated with
the selected attribute definition and values, allocated into bandwidth range buckets by transmitted bandwidth usage.
• Transmitted Bandwidth Histogram by Bandwidth - histogram chart showing the total transmitted bandwidth of
subscribers associated with the selected attribute definition and values, allocated into bandwidth range buckets by transmitted
bandwidth usage.
Configuring the report
1. Select the clusters that you wish to see bandwidth usage from. By varying the clusters selected, you can query for usage from
different portions of your network (for example, by region).
2. Select the subscriber attributes you wish to filter subscribers with. Only one attribute definition can be selected at a time, but all
values under the definition can be selected.
3. Configure the histogram bin. Choose Fixed Bin Sizes if you want all equal size bins. Choose and configure Custom Bin Sizes to
configure bins of varying sizes.
4. Select a start date and end date for the reporting interval.

By default, the histogram report will show the percentage of total subscribers in each bin.

To show the number of subscribers or bandwidth in each bin, configure the report as follows:
1. Open the Presentation tab.
2. Find the Data Manipulation section and click the Advanced Configuration button to show advanced configuration parameters.
3. In the Display as Percentage dropdown, change the setting from "Totals" to "Off".

To show the percentage of subscribers per bin or bandwidth, configure the report as follows:
1. Open the Presentation tab.
2. In the Chart Enhancements section, find the Chart Layering Method dropdown and change the setting to "Percentage".
3. Find the Data Manipulation section and click the Advanced Configuration button to show advanced configuration parameters.
4. In the Display as Percentage dropdown, change the setting from "Totals" to "Off".

To show each attribute value in a separate bar, configure the report as follows:
1. Open the Presentation tab.
2. In the Chart Enhancements section, find the Chart Layering Method dropdown and change the setting to "Side by Side".

Note: A subscriber is included in a subscriber count, as long as there is a non-zero byte count recorded
for that subscriber at any time during the reporting interval. However, often subscribers with very low
byte counts may actually be inactive; the data may be associated with offline activities. If you see a
disproportionate number of subscribers in the first bucket, and wish to exclude inactive subscribers, then
it is recommended that you switch to the Custom Bin Sizes option and change the lower value of bin 1
from 0 to a larger value.

Interpreting the report


Use this report to correlate the number of subscribers in each bandwidth usage band with their overall bandwidth consumption.

Transmitted Bandwidth Histogram by Subscribers


• The y-axis represents the percentage of subscribers (or the number of subscribers if configured as such).
• The x-axis contains transmitted bandwidth ranges.
• Example: Assuming the number of bins is specified as 3 and the size of each bin is specified as 10 MB, you will be able to tell
that, say, 20% of total subscribers transmit between 0 - 10 MB of bandwidth, 15% transmit 10-20 MB, 10% transmit 20-30
MB, and all other subscribers transmit more than 30 MB.
Transmitted Bandwidth Histogram by Bandwidth
• The y-axis represents the percentage of bandwidth (or the bandwidth amount if configured as such).
• The x-axis contains transmitted bandwidth ranges.
• Each bar contains the total transmitted bandwidth of all subscribers that falls into each bandwidth bucket.

Transmitted Bandwidth Summary


Use this report to identify the pattern of transmitted bandwidth usage among subscribers over a specified time period, filtered by
subscriber attributes. By grouping users into usage bands, by transmitted bandwidth, the histogram will clearly indicate the most common
bandwidth ranges and help you to validate your network tiers.

This report contains the table:

Transmitted Bandwidth Summary - tabular view of a histogram showing the usage of transmitted bandwidth of all subscribers
associated with the selected attribute definition and values, allocated into bandwidth range buckets. If available in your SPB version, it will
also show the total transmitted bytes, % of bandwidth, average bytes per subscriber, and average bandwidth per subscriber for each
bandwidth range.

• Attribute Value - The attribute value of the subscribers in the histogram.
• Bandwidth Range - The bandwidth range consumed by the subscriber.
• # of Subscribers - The number of subscribers with total transmitted bandwidth within the bandwidth range, for the specified time period.
• % of Subscribers - The number of subscribers shown as a percentage of the total subscriber count.
• Total TX Bandwidth* - The sum of transmitted bandwidth for all subscribers in the bandwidth range.
• % of Bandwidth* - The bandwidth value shown as a percentage of total bandwidth across all bins.
• Avg Bytes/Sub* - The average bytes consumed per subscriber in the bandwidth range, calculated as Total TX Bandwidth / # of Subscribers.
• Avg BW/Sub* - The average bandwidth rate per subscriber in the bandwidth range, in bps. This is calculated as 8 (bits per byte) * Total TX
Bandwidth (bytes) / # of Subscribers / seconds in the reporting period.

* If this data does not appear, this feature is not available in your version of the SPB. Please contact Sandvine Customer Support for
more information.
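The Received, Total and Transmitted Bandwidth Summary tables above all derive the same columns from per-subscriber byte totals: subscribers are dropped into bins, subscribers with a zero byte count are not counted, a raised lower edge on bin 1 (the Custom Bin Sizes advice in the notes) excludes near-inactive subscribers, and Avg BW/Sub converts bytes to bits per second. The following is an added example that reproduces that computation; it is not Sandvine code, and the sample usage data, the 10^6-byte "MB" convention, the one-hour reporting period and all function names are assumptions.

```python
"""Constructed example: compute a bandwidth histogram summary table the way the
Received / Total / Transmitted Bandwidth Summary reports describe it.
Not Sandvine code; all names and sample values are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MB = 1_000_000  # assumption: the report's "MB" means 10^6 bytes


@dataclass
class Bin:
    lower: int            # inclusive lower bound, bytes
    upper: Optional[int]  # exclusive upper bound, bytes; None = open-ended last bucket


def fixed_bins(count: int, size: int) -> List[Bin]:
    """'Fixed Bin Sizes': `count` equal bins from 0, plus one bucket for everything above."""
    bins = [Bin(i * size, (i + 1) * size) for i in range(count)]
    bins.append(Bin(count * size, None))
    return bins


def custom_bins(edges: List[int]) -> List[Bin]:
    """'Custom Bin Sizes': explicit edges. edges[0] is the lower bound of bin 1;
    raising it above 0 is the documented way to keep near-inactive subscribers out."""
    bins = [Bin(lo, hi) for lo, hi in zip(edges, edges[1:])]
    bins.append(Bin(edges[-1], None))
    return bins


def bin_index(bins: List[Bin], nbytes: int) -> Optional[int]:
    """Index of the bin holding `nbytes`, or None if it is below the first edge."""
    for i, b in enumerate(bins):
        if nbytes >= b.lower and (b.upper is None or nbytes < b.upper):
            return i
    return None


def summarize(usage: Dict[str, Tuple[str, int]], bins: List[Bin],
              period_seconds: int) -> List[dict]:
    """One row per (attribute value, bin). `usage` maps subscriber id to
    (attribute value, bytes seen in the reporting period)."""
    rows: Dict[Tuple[str, int], List[int]] = {}
    for _sub, (attr, nbytes) in usage.items():
        if nbytes == 0:
            continue  # a subscriber counts only with a non-zero byte count
        idx = bin_index(bins, nbytes)
        if idx is None:
            continue  # below the lower edge of bin 1: treated as inactive
        acc = rows.setdefault((attr, idx), [0, 0])
        acc[0] += 1
        acc[1] += nbytes
    if not rows:
        return []
    total_subs = sum(acc[0] for acc in rows.values())
    total_bytes = sum(acc[1] for acc in rows.values())
    table = []
    for (attr, idx), (subs, nbytes) in sorted(rows.items()):
        b = bins[idx]
        table.append({
            "attribute_value": attr,
            "bandwidth_range": (b.lower, b.upper),
            "subscribers": subs,
            "pct_subscribers": 100.0 * subs / total_subs,
            "total_bytes": nbytes,
            "pct_bandwidth": 100.0 * nbytes / total_bytes,
            "avg_bytes_per_sub": nbytes / subs,
            # Avg BW/Sub in bps: 8 bits per byte, per subscriber, per second
            "avg_bps_per_sub": 8 * nbytes / subs / period_seconds,
        })
    return table


# Constructed sample: subscriber id -> (attribute value, bytes seen in a 1-hour period)
SAMPLE_USAGE = {
    "s1": ("gold", 2 * MB), "s2": ("gold", 12 * MB), "s3": ("gold", 25 * MB),
    "s4": ("gold", 45 * MB), "s5": ("silver", 0), "s6": ("silver", 500_000),
    "s7": ("silver", 15 * MB), "s8": ("silver", 8 * MB), "s9": ("silver", 33 * MB),
    "s10": ("silver", 3 * MB),
}
PERIOD_SECONDS = 3600


def fmt_range(r: Tuple[int, Optional[int]]) -> str:
    lo, hi = r
    return f"{lo // MB}-{hi // MB} MB" if hi is not None else f">{lo // MB} MB"


if __name__ == "__main__":
    for label, bins in (("fixed: 3 x 10 MB", fixed_bins(3, 10 * MB)),
                        ("custom: bin 1 starts at 1 MB",
                         custom_bins([MB, 10 * MB, 20 * MB, 30 * MB]))):
        print(label)
        for row in summarize(SAMPLE_USAGE, bins, PERIOD_SECONDS):
            print(f"  {row['attribute_value']:6} {fmt_range(row['bandwidth_range']):10} "
                  f"subs={row['subscribers']} ({row['pct_subscribers']:.1f}%) "
                  f"bytes={row['total_bytes']} ({row['pct_bandwidth']:.1f}%) "
                  f"avg_bps={row['avg_bps_per_sub']:.0f}")
```

Running it with the fixed bins counts nine subscribers (s5 has no bytes and is skipped); switching to the custom bins whose first edge is 1 MB also drops s6, which is the effect the notes describe when the first bucket is crowded with near-inactive subscribers.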

Configuring the report


1. Select the clusters that you wish to see bandwidth usage from. By varying the clusters selected, you can query for usage from
different portions of your network (for example, by region).
2. Select the subscriber attributes you wish to filter subscribers with. Only one attribute definition can be selected at a time, but all
values under the definition can be selected.
3. Configure the histogram bin. Choose Fixed Bin Sizes if you want all equal size bins. Choose and configure Custom Bin Sizes to
configure bins of varying sizes.
4. Select a start date and end date for the reporting interval.

Note: A subscriber is included in a subscriber count, as long as there is a non-zero byte count recorded
for that subscriber at any time during the reporting interval. However, often subscribers with very low
byte counts may actually be inactive; the data may be associated with offline activities. If you see a
disproportionate number of subscribers in the first bucket, and wish to exclude inactive subscribers, then
it is recommended that you switch to the Custom Bin Sizes option and change the lower value of bin 1
from 0 to a larger value.

Interpreting the report


Use this report to see usage trends of all subscribers on the network for the reporting period.

Trend Analysis
Average Bandwidth
Overview
Use the Average Subscriber Bandwidth report to determine the average total, transmit, and received subscriber bandwidth usage in your
network. The report contains the following chart:
• Average Bandwidth - Overlay area chart showing the amount of average total, received and transmitted bandwidth
consumed by all subscribers. This is measured as the average bitrate (bits per second) over time.
Configuring the report
Select a time period and the clusters you wish to monitor.
You may wish to show each traffic flow in its own chart. To do so, in the "Presentation" tab, select "Traffic Flow" in the "Iterate Results By"
select box.

Interpreting the report


Average Bandwidth
• Shows the average subscriber bandwidth separated into total, transmitted, and received flows
• Average bandwidth is calculated by dividing the bandwidth in each reporting interval with the total number of unique
subscribers in that interval

Note: The average received and transmitted bandwidth is calculated from the total overall number of
unique subscribers seen in the interval, and not from the subset of subscribers who had non-zero
received or transmitted bandwidth.
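The calculation in the two bullets and the note above, as an added example (not Sandvine code): each interval's received, transmitted and total bytes are divided by the number of unique subscribers seen in that interval, so a subscriber with only transmitted traffic still counts in the received-bandwidth denominator, and a subscriber with several records in one interval counts once. The record layout, the 5-minute interval length and the sample values are assumptions.

```python
"""Constructed example of the Average Bandwidth calculation: bytes per interval
divided by unique subscribers in that interval, converted to bits per second.
Not Sandvine code; the record layout and sample values are assumptions."""
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple


class FlowRecord(NamedTuple):
    interval: int      # start of the reporting interval (epoch seconds)
    subscriber: str
    rx_bytes: int
    tx_bytes: int


def average_bandwidth(records: Iterable[FlowRecord],
                      interval_seconds: int) -> Dict[int, Dict[str, float]]:
    """Per interval: average received / transmitted / total bitrate per subscriber (bps)."""
    rx = defaultdict(int)
    tx = defaultdict(int)
    subs = defaultdict(set)
    for r in records:
        rx[r.interval] += r.rx_bytes
        tx[r.interval] += r.tx_bytes
        subs[r.interval].add(r.subscriber)  # several records for one subscriber count once
    out = {}
    for iv in sorted(subs):
        n = len(subs[iv])  # every unique subscriber, including those with zero RX or zero TX
        denom = n * interval_seconds
        out[iv] = {
            "received": 8 * rx[iv] / denom,            # 8 bits per byte
            "transmitted": 8 * tx[iv] / denom,
            "total": 8 * (rx[iv] + tx[iv]) / denom,
            "unique_subscribers": n,
        }
    return out


INTERVAL = 300  # assumption: 5-minute reporting intervals
# Constructed sample records for two intervals
SAMPLE_RECORDS = [
    FlowRecord(0, "a", 3_000_000, 1_000_000),
    FlowRecord(0, "b", 0, 2_000_000),       # no received traffic, still in the denominator
    FlowRecord(0, "c", 6_000_000, 0),       # no transmitted traffic, still in the denominator
    FlowRecord(0, "a", 2_250_000, 0),       # second record for "a": still one subscriber
    FlowRecord(300, "a", 1_500_000, 0),
]

if __name__ == "__main__":
    for iv, values in average_bandwidth(SAMPLE_RECORDS, INTERVAL).items():
        print(iv, values)
```

In the first interval the received average is 8 * 11,250,000 bytes / (3 subscribers * 300 s) = 100,000 bps; dividing only by the two subscribers with non-zero received bytes would give 150,000 bps, which is the reading the note warns against.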

Unique Subscriber Count


Overview
Use the Unique Subscriber Count Over Time report to determine the total number of unique subscribers in each cluster over time. The
report contains the following chart:
• Unique Subscriber Count - Stacked bar chart showing the number of unique subscribers in each cluster.
Configuring the report
1. Select the clusters that you wish to see subscriber count for. By varying the clusters selected, you can query for usage from different
portions of your network (for example, by region).
2. Select a start date and end date for the reporting interval.

Interpreting the report


• The y-axis represents the number of unique subscribers
• The x-axis contains date information

Unique Top Subscriber Count by Protocol


Overview
Use the Unique Top Subscriber Count by Protocol report to determine the total number of unique top talker subscribers in each cluster
across each protocol. The report contains the following chart:
• Unique Top Subscriber Count by Protocol - Overlay bar chart showing the number of unique subscribers in each cluster
across each protocol.
Configuring the report
1. Select the clusters that you wish to see subscriber count for. By varying the clusters selected, you can query for usage from different
portions of your network (for example, by region).
2. Select the Protocols that you wish to see subscriber count for. By varying the protocols selected, you can filter the particular protocol
usage of subscribers.
3. Select a start date and end date for the reporting interval.

Interpreting the report


• The y-axis represents the number of unique subscribers
• The x-axis contains date information

Note: This report will only include subscribers marked as top talkers who have detailed protocol
statistics being collected.

Streaming Video
Subscribers Over Time
Overview
This report shows the peak number of subscribers with streaming video traffic over time, measured in the number of subscribers.
Configuring the report
1. Select the cluster and element.
2. Select a start date and end date for the reporting interval.
Interpreting the report
• Use this report to estimate the total number of subscribers consuming streaming video traffic over time

Top Video Providers by Consumption


Overview
This report shows the top video providers by bandwidth consumption, measured in bytes.
Configuring the report
1. Select the cluster and element.
2. Select a start date and end date for the reporting interval.

By default, the top 25 providers are shown. This number can be changed by going to the "Presentation" tab and changing the "Top N"
value.

Interpreting the report


• Use this report to identify the most popular video providers based on byte consumption

Top Video Providers by Download Time


Overview
This report shows the top video providers by download time, measured in seconds.
Configuring the report
1. Select the cluster and element.
2. Select a start date and end date for the reporting interval.

By default, the top 25 providers are shown. This number can be changed by going to the "Presentation" tab and changing the "Top N"
value.

Interpreting the report


• The download time is the time required to download the video
• It can be used as a rough estimate of watched time, but in general, the download time will be shorter than the watch time,
especially when buffering occurs

Top Video Providers over Time


Overview
This report contains an area chart showing the bitrate of the top video providers over time, measured in bits/sec.
Configuring the report
1. Select the cluster and element.
2. Select a start date and end date for the reporting interval.

By default, the top 25 providers are shown. This number can be changed by going to the "Presentation" tab and changing the "Top N"
value.

Interpreting the report


• Use this report to determine the impact of streaming video traffic
• This report can be used in conjunction with the regular Bandwidth by Protocol report to further break down video streaming
protocols

Websites
Top Websites by Bandwidth over Time
Overview
This report contains an area chart showing the bitrate of the top websites over time, measured in bits/sec.
Configuring the report
1. Select the cluster and element.
2. Select a start date and end date for the reporting interval.

By default, the top 25 websites are shown. This number can be changed by going to the "Presentation" tab and changing the "Top N"
value.

Interpreting the report


• Use this report to identify website usage trends over time
• This report can be used in conjunction with the regular Bandwidth by Protocol report to further break down Web Browsing
protocols like HTTP

Top Websites by Consumption


Overview
This summary report shows the top websites by total consumption, measured in bytes.
Configuring the report
1. Select the cluster and element.
2. Select a start date and end date for the reporting interval.

By default, the top 50 websites are shown. This number can be changed by going to the "Presentation" tab and changing the "Top N"
value.

Interpreting the report


• Use this report to identify the websites that consume the most bytes in the network
• Note that the distribution breakdown is calculated solely on the entries shown in the report, and not based on all websites
seen in the network

Top Websites by Hits


Overview
This summary report shows the top websites by total page hits.
Configuring the report
1. Select the cluster and element.
2. Select a start date and end date for the reporting interval.

By default, the top 50 websites are shown. This number can be changed by going to the "Presentation" tab and changing the "Top N"
value.

Interpreting the report


• Use this report to identify the websites that were requested the most in the network
• Note that the distribution breakdown is calculated solely on the entries shown in the report, and not based on all websites
seen in the network

Top Websites by Hits over Time


Overview
This report contains an area chart showing the number of page hits of the top websites over time.
Configuring the report
1. Select the cluster and element.
2. Select a start date and end date for the reporting interval.

By default, the top 50 websites are shown. This number can be changed by going to the "Presentation" tab and changing the "Top N"
value.

Interpreting the report


• Use this report to trend which websites are popular over time

Client Device
Bandwidth by Client Device
Overview
This report shows upstream and downstream bandwidth by client device over time.
Configuring the report
1. Select the cluster and element.
2. Select a start date and end date for the reporting interval.
3. Select the client devices to include in the report.
4. Select the protocols to include in the report.
Interpreting the report
• Use this report to see how the bandwidth used by one or more client devices is trending over time.
• Note that this report is only based on HTTP traffic analysis. Other traffic associated with the device is not represented in this
report.

Top Client Devices by Protocol


Overview
This report shows the top client devices for selected protocols.
Configuring the report
1. Select the cluster and element.
2. Select a start date and end date for the reporting interval.
3. Select the protocols to include in the report.

By default, the top 25 devices are shown. This number can be changed by going to the "Presentation" tab and changing the "Top N"
value.

This report will show the sum of all devices for the selected protocols. To show the devices broken out by each protocol, go to the
"Presentation" tab and select "Protocol" and "NbiClientDevice" in the "Consolidate Data By" entry.

Interpreting the report


• Use this report to understand what devices are being used to consume selected protocols.
• Note that this report is only based on HTTP traffic analysis. Protocols that are not HTTP-based will not display any results in
this report.

Top HTTP Protocols per Client Device


Overview
This report shows the top protocols for each selected client device.
Configuring the report
1. Select the cluster and element.
2. Select a start date and end date for the reporting interval.
3. Select the client devices to include in the report.
4. Select the protocols to include in the report.

By default, the top 25 protocols are shown for each device. This number can be changed by going to the "Presentation" tab and changing
the "Top N" value.

Interpreting the report


• Use this report to understand what protocols are being used on each client device.
• Note that this report is only based on HTTP traffic analysis. Protocols that are not HTTP-based will not be shown in this report.

AS Path
Top Next Hop AS
Overview
This report shows the top autonomous systems used as a next hop, measured in bytes.
Configuring the report
1. Select the cluster and element.
2. Select a start date and end date for the reporting interval.

By default, the top 25 ASs are shown. This number can be changed by going to the "Presentation" tab and changing the "Top N" value.

Interpreting the report


• Use this report to identify top ASs used as a next hop.

Top Origin AS
Overview
This report shows the top autonomous systems used as an origin AS, measured in bytes.
Configuring the report
1. Select the cluster and element.
2. Select a start date and end date for the reporting interval.

By default, the top 25 ASs are shown. This number can be changed by going to the "Presentation" tab and changing the "Top N" value.

Interpreting the report


• Use this report to identify top ASs used as an origin AS.

Top Second Hop AS


Overview
This report shows the top autonomous systems used as a second hop, measured in bytes.
Configuring the report
1. Select the cluster and element.
2. Select a start date and end date for the reporting interval.

By default, the top 25 ASs are shown. This number can be changed by going to the "Presentation" tab and changing the "Top N" value.

Interpreting the report


• Use this report to identify top ASs used as a second hop (the hop following the next hop).
