Events
Last Log Interval
Overview
The Last Log Interval report is used to view the last log time for all elements in the database.
The following information is presented in the Last Log Interval report:
• Cluster - the cluster the element belongs to
• Element - the name of the element
• Last Log Time - the last time the element wrote a record to the database
Log Browser
Overview
The Log Browser is used to view the available log files on the target Network Demographics server located under /var/log. By default, the
Log Browser is configured to display the Network Demographics log file which is located at /var/log/svreports.
The following information is presented in the Log Browser report for the Network Demographics log file:
• Date - timestamp that the message was recorded
• Level - severity of the log message. Valid options include: DEBUG, INFO, WARNING, ERROR, FATAL
• Message - the actual log message
Other log files may have different headings than those listed above.
For information on specific log messages refer to the appropriate Operations Guide.
The following information is presented in the Network Demographics Server Audit Log Browser report for the Network Demographics
Server audit log file:
• Date - timestamp that the message was recorded
• Level - severity of the log message. Valid options include: DEBUG, INFO, WARNING, ERROR
• User - the user that the message corresponds to
• Message - the actual log message
Other log files may have different headings than those listed above.
For information on specific log messages refer to the appropriate Operations Guide.
The following information is presented in the Subscriber Experience Dashboard Audit Log Browser report for the Subscriber Experience
Dashboard audit log file:
• Date - timestamp that the message was recorded
• Level - severity of the log message. Valid options include: DEBUG, INFO, WARNING, ERROR
• User - the user that the message corresponds to
• Message - the actual log message
Other log files may have different headings than those listed above.
For information on specific log messages refer to the appropriate Operations Guide.
Software
Installed Software
Overview
The Installed Software report displays the list of software packages that are installed on the current Network Demographics server.
System Utilization
CPU Utilization
Overview
The CPU Utilization report shows the processing power being consumed by the element(s) for the selected time period.
Memory Utilization
Overview
The Memory Utilization report shows the amount of memory being consumed by the element(s) for the selected time period.
Server Processes
Overview
The Current Processes report details the processes that are currently running on the Network Demographics server to which you are
connected. To examine the CPU processes on a different element, log on to the report server on the specific element.
by Connections
Connections by Protocol
Overview
Use the Connections by Protocol report to identify the number of connection attempts per protocol and network. The report contains the
following three charts:
• Connections - Stacked bar chart showing the total number of active connections during the reporting interval.
• New connections - Stacked bar chart showing the total number of new connections created during the reporting interval.
• Peak connections - Stacked bar chart showing the peak number of concurrent active connections over the reporting interval.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols for which you wish to monitor connections. Selecting a large number of protocols may reduce the
visibility of these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.
• The average new connections per host value is calculated by taking the total number of new connections in each reporting
interval and dividing it by the total number of new hosts in each reporting interval.
by Hosts
Hosts
Overview
Use the Hosts report to identify the number of hosts discovered on the network. The Hosts report, by default, contains a single chart
showing the maximum number of unique hosts seen in a single PTS logging interval. This report has two optional components.
• Hosts - Stacked bar chart showing the maximum number of unique hosts that had active connections in a single PTS logging
interval.
• Peak Hosts (optional) - Stacked bar chart used for legacy purposes.
• New Hosts (optional) - Stacked bar chart showing the total number of hosts that started a connection in each reporting
interval.
Configuring the report
Select a time period and the elements you wish to monitor for host stats. You can build virtual clusters of Sandvine elements using the
Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Interpreting the report
Hosts
• This report shows the maximum number of unique hosts that had active connections in a single PTS logging interval (by
default 15 minutes).
• If a host starts and stops multiple times during the same reporting interval, it will only be counted once.
• If a host starts a connection in Interval 1 and remains connected through Interval 2 and 3, it will be counted in
all three reporting intervals.
• When the reporting interval spans multiple logging intervals, the peak value of the intervals will be used.
Peak Hosts
• This report is inactive by default.
• When activated, it can be used to show any historic peak hosts count collected with PTS 5.4. After upgrading to PTS 5.5,
however, this report will show a zero count from the date of the upgrade.
New Hosts
• This report is inactive by default.
• When activated, it will show the total number of hosts that started one or more connections in each reporting interval.
Hosts by Protocol
Overview
Use the Hosts by Protocol report to identify the number of hosts using the specified protocols. The Hosts by Protocol report, by default, contains
a single chart showing the maximum number of unique hosts seen in a single PTS logging interval per protocol and network. This report
has two optional components.
• Hosts - Stacked bar chart showing the maximum number of unique hosts that had active connections in a single PTS logging
interval for the specified protocols.
• Peak Hosts (optional) - Stacked bar chart used for legacy purposes.
• New Hosts (optional) - Stacked bar chart showing the total number of hosts that started a connection in each reporting
interval for the specified protocols.
Configuring the report
Select a time period and the elements you wish to monitor for host stats. You can build virtual clusters of Sandvine elements using the
Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols for which you wish to monitor the number of hosts. Selecting a large number of protocols may reduce the
visibility of these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.
• When the reporting interval spans multiple logging intervals, the peak value of the intervals will be used.
Peak hosts
• This report is inactive by default.
• When activated, it can be used to show any historic peak hosts count collected with PTS 5.4. After upgrading to PTS 5.5,
however, this report will show a zero count from the date of the upgrade.
New hosts
• This report is inactive by default.
• When activated, it will show the total number of hosts that started one or more connections in each reporting interval.
Note: a single host may be using multiple protocols simultaneously. This means that you cannot
implicitly add hosts across protocols to determine the total number of hosts. To identify the number of
total unique hosts, see the Hosts report.
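The counting rules for the Hosts and Hosts by Protocol reports, worked through as an added example (not Sandvine code): unique hosts per logging interval, the peak roll-up when a reporting interval spans several logging intervals, and why per-protocol counts cannot be summed. The function names and the connection records are hypothetical and constructed for illustration; the 15-minute logging interval is the default stated above.

```python
from collections import defaultdict

LOG_INTERVAL = 15 * 60  # seconds; default PTS logging interval per the text above

# Constructed sample connections: (host, protocol, start_second, end_second)
CONNS = [
    ("h1", "HTTP", 0, 100),
    ("h1", "HTTP", 200, 300),        # same host restarts in interval 0: counted once
    ("h2", "HTTP", 100, 2000),       # stays connected through intervals 0, 1 and 2
    ("h2", "DNS", 950, 960),         # h2 uses a second protocol in interval 1
    ("h3", "DNS", 1000, 1100),
    ("h4", "BitTorrent", 1000, 1700),
]


def active_hosts(conns, protocol=None, log_interval=LOG_INTERVAL):
    """Return {logging-interval index: set of hosts with an active connection}."""
    hosts = defaultdict(set)
    for host, proto, start, end in conns:
        if protocol is not None and proto != protocol:
            continue
        first = start // log_interval
        # A connection occupies [start, end); one ending exactly on a boundary
        # is not counted in the interval that begins at that boundary.
        last = (end - 1) // log_interval if end > start else first
        for idx in range(first, last + 1):
            hosts[idx].add(host)  # a set, so repeat connections count once
    return dict(hosts)


def report_series(per_interval, logs_per_bin=1):
    """Roll logging intervals up into reporting intervals using the peak value."""
    if not per_interval:
        return []
    series = [0] * (max(per_interval) // logs_per_bin + 1)
    for idx, hosts in per_interval.items():
        b = idx // logs_per_bin
        series[b] = max(series[b], len(hosts))
    return series


def hosts_by_protocol(conns, logs_per_bin=1):
    """Per-protocol series, padded to the length of the all-protocol series."""
    length = len(report_series(active_hosts(conns), logs_per_bin))
    out = {}
    for proto in sorted({c[1] for c in conns}):
        s = report_series(active_hosts(conns, proto), logs_per_bin)
        out[proto] = s + [0] * (length - len(s))
    return out


if __name__ == "__main__":
    total = report_series(active_hosts(CONNS))
    print("Hosts per 15-minute interval:", total)
    print("Same data, one 45-minute bin:", report_series(active_hosts(CONNS), 3))
    per_proto = hosts_by_protocol(CONNS)
    print("Hosts by protocol:", per_proto)
    summed = [sum(s[i] for s in per_proto.values()) for i in range(len(total))]
    print("Sum across protocols (overcounts h2):", summed)
```

In the 45-minute bin the report shows 3, the peak of the three logging intervals, although four distinct hosts were active over that period.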
Protocol Adoption
Overview
Use the Protocol Adoption report to identify what percentage of active hosts are using specific protocols during the reporting period. Use
this report to gauge the popularity of different protocols.
The report contains the following chart:
• Protocol Adoption - Overlaid area chart showing the percentage of active hosts using each specified protocol across each
reporting interval.
Configuring the report
Select a time period and the elements you wish to monitor for host stats. You can build virtual clusters of Sandvine elements using the
Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols for which you wish to monitor the number of hosts. Selecting a large number of protocols may reduce the
visibility of these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.
by Network
Bandwidth by Hour
Overview
Use the Bandwidth by Hour report to identify the amount of bandwidth being consumed for each hour across a date range. Use this
information to see the trend effect of bandwidth in daily cycles.
The report contains the following chart:
• Bandwidth by Hour - Stacked bar chart showing the amount of bandwidth consumed by each selected hour. This is
measured as the average bitrate (bits per second) over time.
Configuring the report
Select a time period and the elements you wish to monitor for protocol bandwidth. Please select a reporting range within 1 month from
now. You can build virtual clusters of Sandvine elements using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols and protocol categories that you wish to monitor.
Finally, select the hours of the day which you wish to monitor. It is recommended that you analyze 5-10 hours at a time.
Hosts by Hour
Overview
The Hosts by Hour report identifies the number of hosts with active connections in the selected protocols for each hour across a date
range. The report contains the following chart:
• Hosts by Hour - Stacked bar chart showing the number of hosts for each selected hour.
Configuring the report
Select a time period and the elements you wish to monitor for protocol bandwidth. Please select a reporting range within 1 month from
now. You can build virtual clusters of Sandvine elements using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. Select the protocols and protocol categories that you wish to monitor.
Finally, select the hours of the day which you wish to monitor. It is recommended that you analyze 5-10 hours at a time.
Finally, select the protocols for which you wish to monitor the traffic flow. Selecting a large number of protocols may reduce the visibility of
these items in the corresponding chart. It is recommended that you analyze 1 protocol at a time to avoid confusion and overlap.
Note: selecting the same networks in both Source Network and Destination Network will result in a chart
that has no data due to the same data being subtracted from itself.
Note: due to the manner in which this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. It is generally recommended that if you
are looking for higher-grain accuracy that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one week period of time, that reporting interval may be broken up into one hour
segments within the chart. Let's assume that four consecutive plotted points within the chart
form the series (4, 5, 17, 5). These values would represent the average rate of events for that
particular hour. If we re-ran the report with a two-week time period, we would find that in this particular
time range, we would have fewer bins with lower values. In this example, we would expect to see the
following series of values for the same appropriate time points (4.5, 11). This is caused by the fact that
the two-week report must collapse time bins, which dilutes peak values through averaging.
by Network Element
Published Expression
Overview
Use the Published Expressions report to see generic policy-based measurement statistics. Multiple measurements can be viewed in a
single chart on the same x and y axis, regardless of units.
• Published Expression - Overlay line chart showing the values of the selected policy-based measurements across time. When
consolidating values across multiple time intervals, the selected "Aggregate Method" will be used.
Configuring the report
• Select a time period and the elements you wish to monitor.
• Select the aggregation method to use
• This is the aggregation method to use on the measurement value when consolidating across multiple time
intervals and network elements
• Select the policy measurements to chart
• Selections can be made directly in the "Policy Expression Selections" box
• Searching can be done by typing the search string into "Enter Filter" textbox
• Wildcard queries can be used by adding filter strings to the "Published Expressions" box
• Apply unit conversion (optional)
• In the Presentation tab, in the "Data Manipulation" section, changes can be made to the "Display byte-based units
as" and "Display packet-based units as" dropdown boxes
• All selected measurements with units matching "bytes" or "packets" will be converted according to the setting of
those two dropdown boxes
• For example, if bytes-based units is set to "bits/sec", any bytes measurements will be charted in bps
Interpreting the report
The information presented on this report should be interpreted in light of the type of data collected (gauge vs. interval) and the
corresponding policy that triggers the stat collection.
by Network Element Interface
Note: due to the manner in which this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. It is generally recommended that if you
are looking for higher-grain accuracy that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one week period of time, that reporting interval may be broken up into one hour
segments within the chart. Let's assume that four consecutive plotted points within the chart
form the series (4, 5, 17, 5). These values would represent the average rate of events for that
particular hour. If we re-ran the report with a two-week time period, we would find that in this particular
time range, we would have fewer bins with lower values. In this example, we would expect to see the
following series of values for the same appropriate time points (4.5, 11). This is caused by the fact that
the two-week report must collapse time bins, which dilutes peak values through averaging.
Bandwidth by Protocol
Overview
Use the Bandwidth by Protocol report to identify the amount of bandwidth being consumed for selected protocols. Use this information to
see the net effect of protocol traffic over the specified physical network interface.
The report contains the following chart:
• Bandwidth by Protocol - Stacked area chart showing the amount of bandwidth consumed by each selected protocol. This is
measured as the average bitrate (bits per second) over time.
Configuring the report
Select a time period and the elements you wish to monitor for protocol bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area. It is recommended that you report on a single element at a time.
The Network Interface Selection area allows you to select the physical wiring ports of the Sandvine element, similar to MRTG-style charts.
Finally, select the protocols and protocol categories that you wish to monitor. It is recommended that you analyze 5-10 protocols at a
time.
Note: due to the manner in which this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. It is generally recommended that if you
are looking for higher-grain accuracy that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one week period of time, that reporting interval may be broken up into one hour
segments within the chart. Let's assume that four consecutive plotted points within the chart
form the series (4, 5, 17, 5). These values would represent the average rate of events for that
particular hour. If we re-ran the report with a two-week time period, we would find that in this particular
time range, we would have fewer bins with lower values. In this example, we would expect to see the
following series of values for the same appropriate time points (4.5, 11). This is caused by the fact that
the two-week report must collapse time bins, which dilutes peak values through averaging.
Packets by Interface
Overview
Use the Packets by Interface report to identify the amount of packets being consumed on the specified physical network interface.
The report contains the following chart:
• Packets by Interface - Area chart showing the amount of packets consumed on the specified physical network interface.
This is measured as the average bitrate (bits per second) over time.
Configuring the report
Select a time period and the elements you wish to monitor for bandwidth consumption. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area. It is recommended that you report on a single element at a time.
The Network Interface Selection area allows you to select the physical wiring ports of the Sandvine element, similar to MRTG-style charts.
Note: due to the manner in which this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. It is generally recommended that if you
are looking for higher-grain accuracy that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one week period of time, that reporting interval may be broken up into one hour
segments within the chart. Let's assume that four consecutive plotted points within the chart
form the series (4, 5, 17, 5). These values would represent the average rate of events for that
particular hour. If we re-ran the report with a two-week time period, we would find that in this particular
time range, we would have fewer bins with lower values. In this example, we would expect to see the
following series of values for the same appropriate time points (4.5, 11). This is caused by the fact that
the two-week report must collapse time bins, which dilutes peak values through averaging.
Packets by Protocol
Overview
Use the Packets by Protocol report to identify the amount of packets being consumed for selected protocols. Use this information to see
the net effect of protocol traffic over the specified physical network interface.
The report contains the following chart:
• Packets by Protocol - Stacked area chart showing the amount of packets consumed by each selected protocol. This is
measured as the average bitrate (bits per second) over time.
Configuring the report
Select a time period and the elements you wish to monitor for protocol bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area. It is recommended that you report on a single element at a time.
The Network Interface Selection area allows you to select the physical wiring ports of the Sandvine element, similar to MRTG-style charts.
Finally, select the protocols and protocol categories that you wish to monitor. It is recommended that you analyze 5-10 protocols at a
time.
Note: due to the manner in which this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. It is generally recommended that if you
are looking for higher-grain accuracy that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one week period of time, that reporting interval may be broken up into one hour
segments within the chart. Let's assume that four consecutive plotted points within the chart
form the series (4, 5, 17, 5). These values would represent the average rate of events for that
particular hour. If we re-ran the report with a two-week time period, we would find that in this particular
time range, we would have fewer bins with lower values. In this example, we would expect to see the
following series of values for the same appropriate time points (4.5, 11). This is caused by the fact that
the two-week report must collapse time bins, which dilutes peak values through averaging.
by Protocol
Bandwidth by Protocol
Overview
Use the Bandwidth by Protocol report to identify the amount of bandwidth being consumed for selected protocols. Use this information to
see the net effect of protocol traffic over the specified networks.
The report contains the following chart:
• Bandwidth by Protocol - Stacked area chart showing the amount of bandwidth consumed by each selected protocol. This is
measured as the average bitrate (bits per second) over time.
Configuring the report
Select a time period and the elements you wish to monitor for protocol bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Finally, select the protocols and protocol categories that you wish to monitor. It is recommended that you analyze 5-10 protocols at a
time.
Note: due to the manner in which this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. It is generally recommended that if you
are looking for higher-grain accuracy that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one week period of time, that reporting interval may be broken up into one hour
segments within the chart. Let's assume that four consecutive plotted points within the chart
form the series (4, 5, 17, 5). These values would represent the average rate of events for that
particular hour. If we re-ran the report with a two-week time period, we would find that in this particular
time range, we would have fewer bins with lower values. In this example, we would expect to see the
following series of values for the same appropriate time points (4.5, 11). This is caused by the fact that
the two-week report must collapse time bins, which dilutes peak values through averaging.
Bandwidth Intensity
Overview
The Bandwidth Intensity report shows which protocols are "bandwidth hungry" - protocols which have a high bandwidth per number of
hosts. This report also indicates which protocols have a high user base.
This report contains the following two charts:
• Bandwidth Intensity (Receive) - Overlaid line chart showing the percentage of received bytes minus the
percentage of hosts using each protocol.
• Bandwidth Intensity (Transmit) - Overlaid line chart showing the percentage of transmitted bytes minus the
percentage of hosts using each protocol.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols and protocol categories that you wish to monitor.
Use this report to identify which protocols are consuming the highest rate of bandwidth per host. For example, a protocol with one user
with a bandwidth of 80 Mbps will appear in the chart to have a higher value than a protocol with forty users consuming 800 Mbps. This is
useful for identifying emerging "problem protocols".
Protocol Adoption
Overview
Use the Protocol Adoption report to identify what percentage of active hosts are using specific protocols during the reporting period. Use
this report to gauge the popularity of different protocols.
The report contains the following chart:
• Protocol Adoption - Overlaid area chart showing the percentage of active hosts using each specified protocol across each
reporting interval.
Configuring the report
Select a time period and the elements you wish to monitor for host stats. You can build virtual clusters of Sandvine elements using the
Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols for which you wish to monitor the number of hosts. Selecting a large number of protocols may reduce the
visibility of these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.
Protocol Summary
Overview
Use the Protocol Summary report to view protocol summary information, including the amount of bandwidth being consumed and the
number of hosts using the selected protocols. Use this information to see an overview of protocol traffic over the specified networks.
by Domain
Top Domains
Overview
The Top DNS Domains report indicates the total number of requests associated with the top N domains for the reporting period.
The report contains the following table:
Field Description
Domain Name The domain name.
Total Requests Total number of requests during the reporting period.
Rate (requests/second) Displays the total number of requests divided by the number of seconds in the report period.
Note: domains are determined by the three most significant segments of the domain name. For
example, www.google.co.uk and maps.google.co.uk both are mapped to the domain name google.co.uk.
by Server
Efficiency
Overview
The DNS Efficiency report provides a general overview of the capability of the DNS system to service requests at any point in time. This
report measures the total number of responses over a period of time against the total number of requests during the same period.
The report contains the following chart:
• DNS Efficiency - area chart outlining the percentage of all requests that receive a response.
Configuring the report
Select a time period and the elements you wish to monitor for DNS requests and responses. You can build virtual clusters of Sandvine
elements using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select the networks that contain the DNS servers you wish to report against in the
Destination Network.
The DNS Server Selection area allows you to select individual DNS servers to report against.
Finally, select the DNS request and response types you wish to monitor.
MTTR Histogram
Overview
The Mean Time to Respond Histogram report displays a frequency distribution of the mean time to respond to requests.
The report contains the following chart:
• Mean Time to Respond Histogram - histogram chart outlining the total number of responses that occurred in an elapsed
time bin measured in milliseconds.
Configuring the report
Select a time period and the elements you wish to monitor for DNS requests and responses. You can build virtual clusters of Sandvine
elements using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select the networks that contain the DNS servers you wish to report against in the
Destination Network.
The DNS Server Selection area allows you to select individual DNS servers to report against.
Volume
Overview
Use the DNS Volume report to identify the number of DNS requests and responses directed to each configured DNS server.
The report contains the following two charts iterated for each detected DNS server:
• DNS Requests - Stacked area chart showing the number of DNS requests for each selected type from the originating network
to the DNS server or network.
• DNS Responses - Stacked area chart showing the number of DNS responses for each selected type from the DNS server to
the originating network.
Configuring the report
Select a time period and the elements you wish to monitor for DNS requests and responses. You can build virtual clusters of Sandvine
elements using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select the networks that contain the DNS servers you wish to report against in the
Destination Network.
Finally, select the DNS request and response types you wish to monitor.
by Subscriber
Top Talkers
Overview
The Top DNS Talkers report lists the top N subscribers that have issued DNS requests of a specific type over a specified period of time.
The report contains the following table:
Field Description
Subscriber The name or IP address of the subscriber.
Requests Total number of requests made by the subscriber for the reporting period for the selected request types.
Rate (requests/second) Displays the total number of requests divided by the number of seconds in the report period.
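How the Top Domains and Top Talkers tables can be derived from raw DNS request records, as an added example (not Sandvine code). It applies the "three most significant segments" rule from the Top Domains note literally and computes the Rate column as total requests divided by the seconds in the report period; the function names and the sample records are hypothetical and constructed for illustration.

```python
from collections import Counter

# Constructed sample DNS request records: (subscriber, query name, request type)
SAMPLE = [
    ("10.0.0.5", "www.google.co.uk", "A"),
    ("10.0.0.5", "maps.google.co.uk", "A"),
    ("10.0.0.7", "www.google.co.uk.", "AAAA"),   # trailing root dot
    ("10.0.0.7", "WWW.Example.com", "A"),        # mixed case
    ("10.0.0.9", "mail.example.com", "A"),
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.9", "x1.cdn.example.net", "TXT"),
    ("10.0.0.9", "x2.cdn.example.net", "TXT"),
    ("10.0.0.9", "x3.cdn.example.net", "TXT"),
    ("10.0.0.9", "x4.cdn.example.net", "TXT"),
]


def report_domain(qname, segments=3):
    """Map a query name to its report domain: the rightmost `segments` labels."""
    labels = [p for p in qname.strip().lower().split(".") if p]
    return ".".join(labels[-segments:])


def rank_rows(counter, period_seconds, n):
    """Return the top n (name, total requests, requests/second) rows."""
    if period_seconds <= 0:
        raise ValueError("report period must be a positive number of seconds")
    # Sort by descending count, then by name so ties are deterministic.
    ranked = sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
    return [(name, total, total / period_seconds) for name, total in ranked]


def top_domains(records, period_seconds, n=10):
    """Top N domains by total requests over the report period."""
    counts = Counter(report_domain(qname) for _, qname, _ in records)
    return rank_rows(counts, period_seconds, n)


def top_talkers(records, request_types, period_seconds, n=10):
    """Top N subscribers by requests of the selected request types."""
    counts = Counter(sub for sub, _, rtype in records if rtype in request_types)
    return rank_rows(counts, period_seconds, n)


if __name__ == "__main__":
    for row in top_domains(SAMPLE, period_seconds=60, n=3):
        print("domain  %-18s total=%d rate=%.3f/s" % row)
    for row in top_talkers(SAMPLE, {"A"}, period_seconds=60, n=2):
        print("talker  %-18s total=%d rate=%.3f/s" % row)
```

Read literally, the three-segment rule merges hosts only under two-label suffixes such as co.uk: www.example.com and mail.example.com remain separate rows, while the four distinct x1 to x4 names collapse into the single row cdn.example.net.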
DNS
Network Summary
Overview
The DNS Network Dashboard report provides an overview of the most recent performance of the DNS servers across the entire network.
This report provides the MTTR and DNS efficiency metric for the collection of DNS servers across the entire network.
The report contains the following table:
Field Description
Status Indicates the status of MTTR and DNS efficiency metrics. Values include:
Fail - is highlighted in red and indicates that the network has dropped below a MTTR or DNS threshold.
Pass - indicates that the MTTR and DNS thresholds have been met or exceeded.
Warning - indicates that either an MTTR or DNS metric is approaching a fail threshold.
Network The network name.
Server Health The ratio of total number of DNS servers with a Pass status to the total number of DNS servers. For example, 9/10
indicates that for a group of 10 servers, 9 have PASS status.
Efficiency The aggregate ratio of successful requests to failed requests for each DNS server.
Mean Time to Mean time to respond to a request measured in milliseconds/response.
Respond
Drilldowns
DNS Server Dashboard
To examine details on specific DNS servers within a network, click the network to drill down to the DNS Server Dashboard.
Server Summary
Overview
The DNS Server Dashboard report provides an overview of the most recent performance of the DNS servers across the entire cluster. This
report provides the MTTR and DNS efficiency metric for each DNS server aggregated across the entire cluster.
The report contains the following table:
Field - Description
Status - Indicates the status of MTTR and DNS efficiency metrics. Values include:
• Fail - is highlighted in red and indicates that the network has dropped below an MTTR or DNS threshold.
• Pass - indicates that targets have met or exceeded the MTTR and DNS thresholds.
• Warning - indicates that either an MTTR or DNS metric is approaching a fail threshold.
DNS Server - IP address of the DNS server.
Efficiency - The aggregate ratio of successful requests to failed requests for each DNS server.
Mean Time to Respond - Mean time to respond to a request measured in milliseconds/response.
Drilldowns
DNS Server Performance Analysis
To examine details on a specific DNS server within a network, click the DNS Server IP address.
by Protocol
Bandwidth by Protocol
Overview
Use the Bandwidth by Protocol report to identify the amount of bandwidth being consumed for selected protocols. Use this information to
see the net effect of protocol traffic over the specified networks.
The report contains the following chart:
• Bandwidth by Protocol - Stacked area chart showing the amount of bandwidth consumed by each selected protocol. This is
measured as the average bitrate (bits per second) over time.
Configuring the report
Select a time period and the elements you wish to monitor for protocol bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Finally, select the protocols and protocol categories that you wish to monitor. It is recommended that you analyze 5-10 protocols at a
time.
Note: because this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. If you are looking for
finer-grained accuracy, it is generally recommended that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one-week period of time, that reporting interval may be broken up into one-hour
segments within the chart. Let's assume that four consecutive plotted points within the chart
form the series (4, 5, 17, 5). These values would represent the average rate of events for each
particular hour. If we re-ran the report with a two-week time period, we would find that in this particular
time range, we would have fewer bins with lower values. In this example, we would expect to see the
following series of values for the corresponding time points (4.5, 11). This is because
the two-week report must collapse time bins, which dilutes peak values through averaging.
Connections by Protocol
Overview
Use the Connections by Protocol report to identify the number of connection attempts per protocol and network. The report contains the
following three charts:
• Connections - Stacked bar chart showing the total number of active connections during the reporting interval.
• New connections - Stacked bar chart showing the total number of new connections created during the reporting interval
• Peak connections - Stacked bar chart showing the peak number of concurrent active connections over the reporting interval.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols whose connections you wish to monitor. Selecting a large number of protocols may reduce the
visibility of these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.
• If a connection starts in one interval and remains connected through the next few intervals, it will be counted as only 1
new connection overall, in the interval in which it started.
Peak connections
• This report shows the peak number of concurrent active connections over the reporting interval.
• If a connection starts in one interval and remains connected through the next few intervals, it will be counted in every one of
those intervals.
• For example, if Connection A starts and stops, and then Connection B starts and stops, peak connections is 1. If Connection A
starts, then Connection B starts, then Connection A ends, then Connection B ends, peak connections is 2.
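The counting rules above, worked through on constructed connection records. This is an added example, not Sandvine code; the function names, the (open, close) record layout and the 60-second interval are assumptions made for illustration.

```python
def peak_concurrent(conns, t0, t1):
    """Highest number of simultaneously open connections inside [t0, t1)."""
    events = []
    for opened, closed in conns:
        if opened < t1 and closed > t0:            # overlaps the interval
            events.append((max(opened, t0), +1))   # clip to the interval edges
            events.append((min(closed, t1), -1))
    # Tuples sort by time, then delta, so a close (-1) at time t is applied
    # before an open (+1) at the same t: back-to-back connections do not overlap.
    events.sort()
    peak = current = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def interval_stats(conns, start, end, step):
    """Per-interval new, active and peak counts for (open, close) pairs.

    close may be None for a connection still open at the end of the data.
    """
    norm = [(o, float("inf") if c is None else c) for o, c in conns]
    norm = [(o, c) for o, c in norm if c > o]      # drop zero-length records
    rows = []
    for t0 in range(start, end, step):
        t1 = min(t0 + step, end)
        live = [(o, c) for o, c in norm if o < t1 and c > t0]
        rows.append({
            "interval": (t0, t1),
            "new": sum(1 for o, _ in live if o >= t0),  # counted once, where it started
            "active": len(live),                        # counted in every interval it spans
            "peak": peak_concurrent(live, t0, t1),
        })
    return rows


# Constructed sample: (open_second, close_second) for six connections.
CONNECTIONS = [
    (5, 20), (30, 50),        # A then B, one after the other
    (70, 200),                # C spans two intervals and outlives the report
    (90, 100), (95, 130),     # D and E overlap C
    (130, None),              # F opens as E closes and never closes
]

if __name__ == "__main__":
    for row in interval_stats(CONNECTIONS, 0, 180, 60):
        print(row)
```

The long-lived connection C is new only in the second interval but active in the second and third, which is why summing the new-connection bars does not reproduce the active-connection bars.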
Hosts by Protocol
Overview
Use the Hosts by Protocol report to identify the number of hosts using the specified protocols. The Hosts by Protocol, by default, contains
a single chart showing the maximum number of unique hosts seen in a single PTS logging interval per protocol and network. This report
has two optional components.
• Hosts - Stacked bar chart showing the maximum number of unique hosts that had active connections in a single PTS logging
interval for the specified protocols.
• Peak Hosts (optional) - Stacked bar chart used for legacy purposes.
• New Hosts (optional) - Stacked bar chart showing the total number of hosts that started a connection in each reporting
interval for the specified protocols.
Configuring the report
Select a time period and the elements you wish to monitor for host stats. You can build virtual clusters of Sandvine elements using the
Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols for which you wish to monitor the number of hosts. Selecting a large number of protocols may reduce the
visibility of these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.
Audit Log
Audit Log
Overview
Use the Audit Log report to identify the actions taken by the WDTM for malicious traffic based on the selected networks for the report
period. Each record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to
confirm what actions were taken for a host and when the action was taken.
by Spammer
Bandwidth
Overview
Use the Spam Bandwidth by Spammer report to identify the bandwidth that is being consumed by specific spammers.
The report contains the following two charts:
• Malicious Bandwidth - Stacked area chart identifying the detected malicious bandwidth, measured in bits-per-second (bps).
• Malicious Packet Rate - Stacked area chart identifying the detected malicious packets, measured in packets-per-second (pps).
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the spammer host addresses that you wish to analyze.
Note: because this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. If you are looking for
finer-grained accuracy, it is generally recommended that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one-week period of time, that reporting interval may be broken up into one-hour
segments within the chart. Let's assume that four consecutive plotted points within the chart
form the series (4, 5, 17, 5). These values would represent the average rate of events for each
particular hour. If we re-ran the report with a two-week time period, we would find that in this particular
time range, we would have fewer bins with lower values. In this example, we would expect to see the
following series of values for the corresponding time points (4.5, 11). This is because
the two-week report must collapse time bins, which dilutes peak values through averaging.
Message Details
Overview
Use the Spam Message Details by Spammer report to get an overview of spam activity for specific spammers.
The report contains the following three charts:
• Attempted Messages - Stacked bar chart identifying the total number of attempted messages that the spammer attempted
to send.
• Recipients - Stacked bar chart identifying the total number of recipients that the spam emails were addressed to.
• Senders - Stacked bar chart identifying the number of unique sender email addresses from which the spammer was sending
spam.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the spammer host addresses that you wish to analyze.
SMTP State
Overview
Use the Spam SMTP State Analysis by Spammer report to find details on the state (or flow) of the session.
The report contains the following three charts:
• SMTP Sessions - Stacked bar chart identifying the total number of sessions initiated.
• SMTP Errors - Stacked bar chart identifying the total number of SMTP errors received from all SMTP servers within all
sessions.
• SMTP Resets - Stacked bar chart identifying the total number of RSET commands issued from the spammer for all sessions.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the spammer host addresses that you wish to analyze.
Spam Detections
Overview
Use the Spam Attacks by Spammer report to provide detailed information on specific Spam parameters. The parameters that appear on
this report relate directly to spam detection metrics.
Use this report to examine the specific values for a spam attack.
The report contains the following table:
Field - Description
Spammer - The IP address of the subscriber.
Network - The network associated with the host IP address.
Active Time - The cumulative time malicious traffic was actually detected during the report period.
Total Recipients - The cumulative total of recipients a subscriber has attempted to send an email to.
Attempted Messages - The cumulative total email messages a subscriber has attempted to send.
Sessions - The cumulative total SMTP sessions a subscriber has initiated with all SMTP servers.
Errors - The cumulative total errors a subscriber has received from all SMTP servers.
Resets - The cumulative total RSET commands a subscriber has issued during all SMTP sessions.
Unique Recipients - The number of unique recipients discovered per hour that a subscriber has attempted to send email to.
Unique Recipient Domains - The number of unique recipient domains discovered per hour that a subscriber has attempted to send email to.
Unique Senders - The number of unique sender email addresses discovered per hour that a subscriber has attempted to send email from.
Unique Sender Domains - The number of unique sender domains discovered per hour that a subscriber has attempted to send email from.
Unique Servers - The number of unique SMTP servers discovered per hour that a subscriber has connected to.
Unique EHLO Names - The number of unique connection names or IP addresses discovered per hour that a subscriber used when connecting to an SMTP server.
Bytes - The total number of bytes sent.
Last Detected - The date and time in the current time zone that the attack was last detected.
View Audit - If a check mark is present, an action has been applied and there is an audit log on the details. If the check mark is not present, WDTM is monitoring traffic for this host, but no mitigation actions have been applied. This will happen if a host has not crossed the rule's high thresholds. In this case, WDTM has identified that this is a real attack, but WDTM has only been configured to mitigate above specific thresholds.
Top Spammers
by Bytes
Use this report to identify the top hosts who are generating the most spam by bytes. By default, the top 100 subscribers are displayed.
This is configurable on the Presentation page.
This report contains the following table:
Field - Description
Source IP Address - The IP address of the host that is generating spam.
Network - The network associated with the host.
Bytes - The number of bytes transmitted by the host during the reporting period.
by Bytes Histogram
Use this report to identify the top hosts who are generating the most spam by bytes. By default, the top 100 subscribers are displayed.
This is configurable on the Presentation page.
This report contains the following table:
Field - Description
Source IP Address - The IP address of the host that is generating spam.
Network - The network associated with the host.
Bytes - The number of bytes transmitted by the host during the reporting period.
by Detections
Use this report to identify the hosts which are generating the most spam. By default, the top 100 subscribers are displayed. This is
configurable on the Presentation page.
This report contains the following table:
Field - Description
Source IP Address - The IP address of the host that is sending spam.
Network - The network associated with the host.
Detections - The number of spam sessions detected during the reporting period.
by Detections Histogram
Use this report to identify the hosts which are generating the most spam. By default, the top 100 subscribers are displayed. This is
configurable on the Presentation page.
This report contains the following table:
Field - Description
Source IP Address - The IP address of the host that is sending spam.
Network - The network associated with the host.
Detections - The number of spam sessions detected during the reporting period.
Spam
Audit Log
Overview
Use the Audit Log report to identify the actions taken by the WDTM for malicious traffic based on the selected networks for the report
period. Each record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to
confirm what actions were taken for a host and when the action was taken.
Bandwidth
Overview
Use the Spam Bandwidth by Spammer report to identify the bandwidth that is being consumed by specific spammers.
The report contains the following two charts:
• Malicious Bandwidth - Stacked area chart identifying the detected malicious bandwidth, measured in bits-per-second (bps).
• Malicious Packet Rate - Stacked area chart identifying the detected malicious packets, measured in packets-per-second (pps).
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the spammer host addresses that you wish to analyze.
Note: because this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. If you are looking for
finer-grained accuracy, it is generally recommended that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one-week period of time, that reporting interval may be broken up into one-hour
segments within the chart. Let's assume that four consecutive plotted points within the chart
form the series (4, 5, 17, 5). These values would represent the average rate of events for each
particular hour. If we re-ran the report with a two-week time period, we would find that in this particular
time range, we would have fewer bins with lower values. In this example, we would expect to see the
following series of values for the corresponding time points (4.5, 11). This is because
the two-week report must collapse time bins, which dilutes peak values through averaging.
Malicious Bandwidth
Overview
Use the Malicious Bandwidth report to identify the malicious bandwidth detected across the selected networks for the report period. Use
this report to examine the total malicious bandwidth for selected protocols and to see how much of this bandwidth was mitigated by the
WDTM.
The report contains the following four charts:
• Malicious Bandwidth - Stacked area chart identifying the detected malicious bandwidth by traffic type.
• Mitigated Bandwidth - Stacked area chart identifying the detected malicious bandwidth that was mitigated by the WDTM by
traffic type. Malicious bandwidth that is detected and managed by actions that do not drop packets is not shown on this
chart.
• Malicious Packet Rate - Stacked area chart identifying the detected malicious packets by traffic type.
• Mitigated Packet Rate - Stacked area chart identifying the detected malicious packets that were mitigated by the WDTM by
traffic type. Malicious bandwidth that is detected and managed by actions that do not drop packets is not shown on this
chart.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.
Note: because this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. If you are looking for
finer-grained accuracy, it is generally recommended that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one-week period of time, that reporting interval may be broken up into one-hour
segments within the chart. Let's assume that four consecutive plotted points within the chart
form the series (4, 5, 17, 5). These values would represent the average rate of events for each
particular hour. If we re-ran the report with a two-week time period, we would find that in this particular
time range, we would have fewer bins with lower values. In this example, we would expect to see the
following series of values for the corresponding time points (4.5, 11). This is because
the two-week report must collapse time bins, which dilutes peak values through averaging.
Malicious Hosts
Overview
Use the Malicious Hosts report to identify the malicious hosts detected across the selected networks for the report period. Use this report
to examine the total malicious hosts for selected protocols and to see how many of the hosts were mitigated by the WDTM.
The report contains the following two charts:
• Malicious Hosts - Stacked area chart identifying the detected malicious hosts identified by traffic type.
• Mitigated Hosts - Stacked area chart identifying the detected malicious hosts that were mitigated by the WDTM by traffic
type. Malicious hosts that are detected and managed by actions that do not drop packets are not shown on this chart.
Configuring the report
Select a time period and the elements you wish to monitor for malicious hosts. You can build virtual clusters of Sandvine elements using
the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.
Note: these charts display raw count totals. This can make the reports appear to provide different
peak results, which is caused by the scaling of these values over different time intervals. For example, if
you chose to report on data for a one-week period of time, that reporting interval may be broken up into
one-hour segments within the chart. Let's assume that four consecutive plotted points within
the chart form the series (4, 7, 13, 17). These values would represent the total number of events for
each particular hour. If we re-ran the report with a two-week time period, we would find that in this
particular time range, we would have fewer bins but with higher values. In this example, we would expect
to see the following series of values for the corresponding time points (11, 30). This is because
the two-week report must collapse time bins, which in turn stacks the resulting bin values.
Message Details
Overview
Use the Spam Message Details by Spammer report to get an overview of spam activity for specific spammers.
The report contains the following three charts:
• Attempted Messages - Stacked bar chart identifying the total number of attempted messages that the spammer attempted
to send.
• Recipients - Stacked bar chart identifying the total number of recipients that the spam emails were addressed to.
• Senders - Stacked bar chart identifying the number of unique sender email addresses from which the spammer was sending
spam.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the spammer host addresses that you wish to analyze.
SMTP State
Overview
Use the Spam SMTP State Analysis by Spammer report to find details on the state (or flow) of the session.
The report contains the following three charts:
• SMTP Sessions - Stacked bar chart identifying the total number of sessions initiated.
• SMTP Errors - Stacked bar chart identifying the total number of SMTP errors received from all SMTP servers within all
sessions.
• SMTP Resets - Stacked bar chart identifying the total number of RSET commands issued from the spammer for all sessions.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the spammer host addresses that you wish to analyze.
The following data represents accumulated totals. Note that these values can't be compared with the threshold values, which are in
rate/hour (you should never see red values in these columns).
Bytes - The bandwidth used by the attack.
Packets - The number of packets used by the attack.
Total Recipients - The number of recipient email addresses a subscriber has attempted to send email to.
Attempted Messages - The number of messages a subscriber has attempted to send.
Sessions - Total number of SMTP sessions a subscriber has initiated with all SMTP servers.
Errors - Total number of errors a subscriber has received from all SMTP servers.
Resets - Total number of RSET commands a subscriber has issued during all SMTP sessions.
The following values represent rate/hour and should be compared with the thresholds.
Unique Recipients - Total number of unique recipients a subscriber has attempted to send email to.
Unique Recipient Domains - Total number of unique recipient domains a subscriber has attempted to send email to.
Unique Senders - Total number of unique sender email addresses a subscriber has attempted to send email from.
Unique Sender Domains - Total number of unique sender email domains a subscriber has attempted to send email from.
Unique EHLO Names - Total number of unique connection names or IP addresses used by a subscriber when connecting to an SMTP server.
The following values represent rate/period and should be compared with the thresholds. A period is 5 minutes in duration.
Recipients per Sample Period - Total number of unique recipients a subscriber has attempted to send email to per sample period.
Attempted Messages per Sample Period - Total number of attempted email messages a subscriber has attempted to send per sample period.
Sessions per Sample Period - Total number of SMTP sessions a subscriber has initiated with all SMTP servers.
Server per Sample Period - Total number of unique servers a subscriber has connected to per sample period.
The following values are comparisons of like metrics and can be compared with the thresholds.
Total Recipients per Unique Recipient - Total number of recipient email addresses a subscriber has attempted to send email to for every unique recipient email address.
Total Senders per Unique Sender - Total number of sender email addresses a subscriber has attempted to send from for every unique email address.
Attempted Messages per Successful - Total number of email messages a subscriber has attempted to send for every successfully sent email.
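The rate/hour, rate/period and ratio families listed above, computed over constructed SMTP session records for one host and compared with thresholds. This is an added example, not Sandvine or WDTM code; the record layout, function names, metric key names and threshold values are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

PERIOD = 300    # seconds; the page states a sample period is 5 minutes
HOUR = 3600


@dataclass(frozen=True)
class Session:
    """One SMTP session from the monitored host (constructed record layout)."""
    ts: int             # seconds since the start of the report period
    server: str         # SMTP server connected to
    ehlo: str           # name or IP address given in EHLO
    sender: str         # MAIL FROM address
    recipients: tuple   # RCPT TO addresses, repeats included
    attempted: int      # messages the host tried to send
    delivered: int      # messages the server accepted


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def uniques_per_hour(sessions):
    """Rate/hour family: distinct values seen inside each hour."""
    seen = defaultdict(lambda: defaultdict(set))
    for s in sessions:
        h = seen[s.ts // HOUR]
        h["unique_recipients"].update(r.lower() for r in s.recipients)
        h["unique_recipient_domains"].update(domain(r) for r in s.recipients)
        h["unique_senders"].add(s.sender.lower())
        h["unique_sender_domains"].add(domain(s.sender))
        h["unique_ehlo_names"].add(s.ehlo.lower())
    return {hr: {k: len(v) for k, v in m.items()} for hr, m in seen.items()}


def per_sample_period(sessions):
    """Rate/period family: counts inside each 5-minute sample period."""
    rcpts, servers = defaultdict(set), defaultdict(set)
    attempted, count = defaultdict(int), defaultdict(int)
    for s in sessions:
        p = s.ts // PERIOD
        rcpts[p].update(r.lower() for r in s.recipients)
        servers[p].add(s.server.lower())
        attempted[p] += s.attempted
        count[p] += 1
    return {p: {"recipients_per_period": len(rcpts[p]),
                "attempted_messages_per_period": attempted[p],
                "sessions_per_period": count[p],
                "servers_per_period": len(servers[p])} for p in count}


def ratios(sessions):
    """Like-for-like ratios over the whole report period."""
    total_rcpt = sum(len(s.recipients) for s in sessions)
    uniq_rcpt = len({r.lower() for s in sessions for r in s.recipients})
    uniq_senders = len({s.sender.lower() for s in sessions})
    attempted = sum(s.attempted for s in sessions)
    delivered = sum(s.delivered for s in sessions)
    if delivered:
        per_success = attempted / delivered
    else:   # nothing accepted: unbounded if anything was attempted
        per_success = float("inf") if attempted else 0.0
    return {
        "total_recipients_per_unique_recipient": total_rcpt / uniq_rcpt if uniq_rcpt else 0.0,
        # assumption: one MAIL FROM per session, so total senders == sessions
        "total_senders_per_unique_sender": len(sessions) / uniq_senders if uniq_senders else 0.0,
        "attempted_messages_per_successful": per_success,
    }


def breaches(sessions, thresholds):
    """Sorted (metric, window, value) for every windowed value above its threshold."""
    windows = [(f"hour {h}", m) for h, m in uniques_per_hour(sessions).items()]
    windows += [(f"period {p}", m) for p, m in per_sample_period(sessions).items()]
    windows.append(("report", ratios(sessions)))
    return sorted((name, win, val) for win, m in windows for name, val in m.items()
                  if name in thresholds and val > thresholds[name])


# Constructed sessions for one host; addresses use reserved example domains.
SESSIONS = [
    Session(10, "mx1.example.net", "host-a", "a1@bulk.example",
            ("u1@example.org", "u2@example.org", "u3@example.com"), 3, 1),
    Session(120, "mx2.example.net", "host-b", "a2@bulk.example",
            ("u1@example.org", "u4@example.com"), 2, 0),
    Session(400, "mx1.example.net", "host-c", "a3@promo.example",
            ("u5@example.org",), 1, 1),
    Session(3700, "mx3.example.net", "host-a", "a1@bulk.example",
            ("u1@example.org", "u6@example.net"), 2, 0),
]

# Hypothetical thresholds, not product defaults.
THRESHOLDS = {"unique_recipients": 4, "unique_ehlo_names": 2,
              "attempted_messages_per_period": 4,
              "attempted_messages_per_successful": 3.0}

if __name__ == "__main__":
    for hit in breaches(SESSIONS, THRESHOLDS):
        print(hit)
```

Only windowed values and ratios are tested against thresholds; the accumulated totals grow with the length of the report period, which is why the page says they cannot be compared with rate-based thresholds.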
Spam Detections
Overview
Use the Spam Attacks by Spammer report to provide detailed information on specific Spam parameters. The parameters that appear on
this report relate directly to spam detection metrics.
Use this report to examine the specific values for a spam attack.
The report contains the following table:
Field - Description
Spammer - The IP address of the subscriber.
Network - The network associated with the host IP address.
Active Time - The cumulative time malicious traffic was actually detected during the report period.
Total Recipients - The cumulative total of recipients a subscriber has attempted to send an email to.
Attempted Messages - The cumulative total email messages a subscriber has attempted to send.
Sessions - The cumulative total SMTP sessions a subscriber has initiated with all SMTP servers.
Errors - The cumulative total errors a subscriber has received from all SMTP servers.
Resets - The cumulative total RSET commands a subscriber has issued during all SMTP sessions.
Unique Recipients - The number of unique recipients discovered per hour that a subscriber has attempted to send email to.
Unique Recipient Domains - The number of unique recipient domains discovered per hour that a subscriber has attempted to send email to.
Unique Senders - The number of unique sender email addresses discovered per hour that a subscriber has attempted to send email from.
Unique Sender Domains - The number of unique sender domains discovered per hour that a subscriber has attempted to send email from.
Unique Servers - The number of unique SMTP servers discovered per hour that a subscriber has connected to.
Unique EHLO Names - The number of unique connection names or IP addresses discovered per hour that a subscriber used when connecting to an SMTP server.
Bytes - The total number of bytes sent.
Last Detected - The date and time in the current time zone that the attack was last detected.
View Audit - If a check mark is present, an action has been applied and there is an audit log on the details. If the check mark is not present, WDTM is monitoring traffic for this host, but no mitigation actions have been applied. This will happen if a host has not crossed the rule's high thresholds. In this case, WDTM has identified that this is a real attack, but WDTM has only been configured to mitigate above specific thresholds.
Spammer Contribution
Overview
Use the Spammer Contribution report to compare the total email traffic with that which was detected as being spam for the reporting
period. Use this report to see how much of the email traffic on the network is actually spam.
The report contains the following chart:
• Spammer Contribution - Overlaid area chart identifying the detected email and spam-based traffic.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Top Spammers
Overview
Use the Top Spammers report to identify the top N subscribers who are sending spam (default is top 100).
The report contains the following table:
Field - Description
Spammer - The IP address of the subscriber.
Network - The network subnet associated with the host IP address.
Active Time - Cumulative time malicious traffic was actually detected during the report period.
Total Recipients - Total number of recipients a subscriber has attempted to send email to.
Attempted Messages - Total number of email messages a subscriber has attempted to send.
Sessions - The total number of SMTP sessions a subscriber has initiated with all SMTP servers.
Bytes - The number of bytes sent.
Last Detected - The date and time in the current time zone that the attack was last detected.
View Audit - If a check mark is present, an action has been applied and there is an audit log on the details. If the check mark is not present, WDTM is monitoring traffic for this host, but no mitigation actions have been applied. This will happen if a host has not crossed the rule's high thresholds. In this case, WDTM has identified that this is a real attack, but WDTM has only been configured to mitigate above specific thresholds.
Audit Log
Overview
Use the Audit Log report to identify the actions taken by the WDTM for malicious traffic based on the selected networks for the report
period. Each record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to
confirm what actions were taken for a host and when the action was taken.
Top Talkers
by Bytes
Use this report to identify the hosts which are receiving the most SYN flood data by bytes. By default, the top 100 subscribers are
displayed. This is configurable on the Presentation page.
This report contains the following table:
Field | Description
Destination IP Address | The IP address of the host that is under attack.
Network | The network associated with the host.
Bytes | The number of bytes received by the host during the reporting period.
by Bytes Histogram
Use this report to identify the hosts which are receiving the most SYN flood data by bytes. By default, the top 10 subscribers are
displayed. This is configurable on the Presentation page.
This report contains the following chart:
• SYN Flood Top Talkers by Bytes Histogram - histogram chart identifying the top hosts that are receiving SYN flood
malicious bandwidth.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
by Detections
Use this report to identify the hosts which are receiving the most SYN flood attacks. By default, the top 100 subscribers are displayed.
This is configurable on the Presentation page.
This report contains the following table:
Field | Description
Destination IP Address | The IP address of the host that is under attack.
Network | The network associated with the host.
Detections | The number of SYN flood detections during the reporting period.
Drilldowns
Malicious Bandwidth by Destination
To examine the SYN flood malicious bandwidth for a specific host for the reporting period, drill down on the destination IP address.
by Detections Histogram
Use this report to identify the hosts which have received the most SYN flood attacks. By default, the top 10 subscribers are displayed. This
is configurable on the Presentation page.
This report contains the following chart:
• SYN Flood Top Talkers by Detections Histogram - histogram chart identifying the top hosts that are receiving SYN flood
attacks.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
Bandwidth by Destination
Overview
Use the Malicious Bandwidth by Destination IP Address report to identify the malicious bandwidth detected across the selected networks
for a specific host. Use this report to identify hosts under a SYN flood attack.
The report contains the following two charts:
• Malicious Bandwidth - Stacked area chart identifying the detected malicious bandwidth, measured in bits per
second (bps).
• Malicious Packet Rate - Stacked area chart identifying the detected malicious packets, measured in packets per
second (pps).
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the destination host that you wish to analyze.
Note: a value of 0 only indicates that the bandwidth dropped below the detection threshold for the
period; not that the activity stopped.
Note: only SYN packets are counted. If the host is being sent non-SYN packets, they will not be counted
in this report.
Note: because this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. It is generally recommended that you
run the report for a shorter interval of time if you need finer-grained accuracy. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one-week period, that reporting interval may be broken up into one-hour
segments within the chart. Assume that four consecutive plotted points within the chart
form the series (4, 5, 17, 5). These values represent the average rate of events for each
hour. If we re-ran the report with a two-week time period, the same time range would be
covered by fewer bins with lower values. In this example, we would expect to see the
series (4.5, 11) for the corresponding time points. This is because
the two-week report must collapse time bins, which dilutes peak values through averaging.
Detected Hosts
Overview
Use the Attacked Hosts report to identify the attacked hosts detected across the selected networks for the report period. Use this report to
examine the total attacked hosts for selected protocols and to see how many of the hosts were mitigated by the WDTM.
The report contains the following two charts:
• Attacked Hosts - Stacked area chart identifying the detected hosts that are being attacked by traffic type.
• Mitigated Hosts - Stacked area chart identifying the attacked hosts that were mitigated by the WDTM by traffic type.
Attacked hosts that are detected and managed by actions that do not drop packets are not shown on this chart.
Note: these charts display raw count totals. As a result, reports run over different time intervals can appear
to show different peak results, because the values are scaled over the interval. For example, if
you chose to report on data for a one-week period, that reporting interval may be broken up into
one-hour segments within the chart. Assume that four consecutive plotted points within
the chart form the series (4, 7, 13, 17). These values represent the total number of events for
each hour. If we re-ran the report with a two-week time period, the same
time range would be covered by fewer bins with higher values. In this example, we would expect
to see the series (11, 30) for the corresponding time points. This is because
the two-week report must collapse time bins, which in turn stacks the resulting bin values.
Malicious Bandwidth
Overview
Use the Malicious Bandwidth report to identify the malicious bandwidth detected across the selected networks for the report period. Use
this report to examine the total malicious bandwidth for selected protocols and to see how much of this bandwidth was mitigated by the
WDTM.
The report contains the following four charts:
• Malicious Bandwidth - Stacked area chart identifying the detected malicious bandwidth identified by traffic type.
• Mitigated Bandwidth - Stacked area chart identifying the detected malicious bandwidth that was mitigated by the WDTM by
traffic type. Malicious bandwidth that is detected and managed by actions that do not drop packets is not shown on this
chart.
• Malicious Packet Rate - Stacked area chart identifying the detected malicious packets identified by traffic type.
• Mitigated Packet Rate - Stacked area chart identifying the detected malicious packets that were mitigated by the WDTM by
traffic type. Malicious bandwidth that is detected and managed by actions that do not drop packets is not shown on this
chart.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.
Note: for a given detection type it is possible for the dropped bandwidth to be less than malicious
bandwidth. To understand why, it becomes necessary to understand how the WDTM Detection Engine
and WDTM Detection Aggregator work. When an attack starts, it is analyzed by the WDTM Detection
Engine. During this time, the attack is not confirmed, but its bytes and packets are counted. When the
Detection Engine determines that thresholds were crossed (as specified by detection-config rules) the
event is reported to the WDTM Detection Aggregator which is responsible for aggregating detection
events in an attempt to reduce false positives. When the Detection Aggregator confirms that the
event(s) constitute an attack due to timed-host-percent thresholds being crossed (as specified by
aggregator-config rules) it applies mitigation actions (as specified by wmd-rules). At this point, the
bytes/packets counted before the attack was confirmed are logged as malicious bytes/packets and show
up in the Malicious Bandwidth/Malicious Packet Rate graphs. This counted malicious traffic is impossible
to mitigate since it would require knowledge that the traffic was malicious before it looked malicious, and
so the traffic will not be counted as mitigated. Since new malicious traffic is always being detected for
the first time, this means that overall, malicious traffic will typically be greater than mitigated traffic.
For some detections, this contrast between malicious and mitigated is much larger. Spam especially
exhibits this large contrast. This is because the mitigated traffic is predominantly SYN packets that are
dropped before the TCP flow is established. As a result, the minutes required to confirm a spam attack
could result in many bytes and packets of unmitigated malicious traffic. When the attack is confirmed,
although many bytes and packets are in theory mitigated by dropping the flow, we can only honestly
report a very small fraction of that traffic that was actually mitigated on the wire, specifically the SYN
packets.
Note: because this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. It is generally recommended that you
run the report for a shorter interval of time if you need finer-grained accuracy. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one-week period, that reporting interval may be broken up into one-hour
segments within the chart. Assume that four consecutive plotted points within the chart
form the series (4, 5, 17, 5). These values represent the average rate of events for each
hour. If we re-ran the report with a two-week time period, the same time range would be
covered by fewer bins with lower values. In this example, we would expect to see the
series (4.5, 11) for the corresponding time points. This is because
the two-week report must collapse time bins, which dilutes peak values through averaging.
Audit Log
Overview
Use the Audit Log report to identify the actions taken by the WDTM for malicious traffic based on the selected networks for the report
period. Each record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to
confirm what actions were taken for a host and when the action was taken.
Top Talkers
by Bytes
Use this report to identify the hosts which are receiving the most bandwidth by bytes. By default, the top 100 subscribers are displayed.
This is configurable on the Presentation page.
This report contains the following table:
Field | Description
Destination IP Address | The IP address of the host that is under attack.
Network | The network associated with the host.
Bytes | The number of bytes received by the host during the reporting period.
by Bytes Histogram
Use this report to identify the hosts which are receiving the most SYN flood data by bytes. By default, the top 10 subscribers are
displayed. This is configurable on the Presentation page.
This report contains the following chart:
• User Bandwidth Top Talkers by Bytes Histogram - histogram chart identifying the top hosts that are receiving a large
amount of bandwidth.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
by Detections
Use this report to identify the hosts which are receiving the most bandwidth. By default, the top 100 subscribers are displayed. This is
configurable on the Presentation page.
This report contains the following table:
Field | Description
Destination IP Address | The IP address of the host that is under attack.
Network | The network associated with the host.
Detections | The number of detections during the reporting period.
Drilldowns
User Bandwidth Malicious Bandwidth by Destination IP Address
To examine the bandwidth for a specific host for the reporting period, drill down on the destination IP address.
by Detections Histogram
Use this report to identify the hosts which have been detected as receiving excessive bandwidth. By default, the top 10 subscribers are
displayed. This is configurable on the Presentation page.
This report contains the following chart:
• User Bandwidth Top Talkers by Detections Histogram - histogram chart identifying the top hosts that are receiving
excessive bandwidth.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
Bandwidth by Destination
Overview
Use the Malicious Bandwidth by Destination IP Address report to identify the malicious bandwidth detected across the selected networks
for a specific host. Use this report to identify hosts under a user bandwidth attack.
The report contains the following two charts:
• Malicious Bandwidth - Stacked area chart identifying the detected malicious bandwidth, measured in bits per
second (bps). If the policy changes during the date range, the minimum threshold value is used.
• Malicious Packet Rate - Stacked area chart identifying the detected malicious packets, measured in packets per
second (pps).
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the destination host that you wish to analyze.
Note: a value of 0 only indicates that the bandwidth dropped below the detection threshold for the
period; not that the activity stopped.
Note: because this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. It is generally recommended that you
run the report for a shorter interval of time if you need finer-grained accuracy. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one-week period, that reporting interval may be broken up into one-hour
segments within the chart. Assume that four consecutive plotted points within the chart
form the series (4, 5, 17, 5). These values represent the average rate of events for each
hour. If we re-ran the report with a two-week time period, the same time range would be
covered by fewer bins with lower values. In this example, we would expect to see the
series (4.5, 11) for the corresponding time points. This is because
the two-week report must collapse time bins, which dilutes peak values through averaging.
Bandwidth by Source
Overview
Use the Malicious Bandwidth by Source IP Address report to identify the malicious bandwidth detected across the selected networks for a
specific host. Use this report to identify hosts under a user bandwidth attack.
The report contains the following two charts:
• Malicious Bandwidth - Stacked area chart identifying the detected malicious bandwidth, measured in bits per
second (bps). If the policy changes during the date range, the minimum threshold value is used.
• Malicious Packet Rate - Stacked area chart identifying the detected malicious packets, measured in packets per
second (pps).
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the source host that you wish to analyze.
Note: a value of 0 only indicates that the bandwidth dropped below the detection threshold for the
period; not that the activity stopped.
Note: because this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. It is generally recommended that you
run the report for a shorter interval of time if you need finer-grained accuracy. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one-week period, that reporting interval may be broken up into one-hour
segments within the chart. Assume that four consecutive plotted points within the chart
form the series (4, 5, 17, 5). These values represent the average rate of events for each
hour. If we re-ran the report with a two-week time period, the same time range would be
covered by fewer bins with lower values. In this example, we would expect to see the
series (4.5, 11) for the corresponding time points. This is because
the two-week report must collapse time bins, which dilutes peak values through averaging.
Detected Hosts
Overview
Use the Attacked Hosts report to identify the attacked hosts detected across the selected networks for the report period. Use this report to
examine the total attacked hosts for selected protocols and to see how many of the hosts were mitigated by the WDTM.
The report contains the following two charts:
• Attacked Hosts - Stacked area chart identifying the detected hosts that are being attacked by traffic type.
• Mitigated Hosts - Stacked area chart identifying the attacked hosts that were mitigated by the WDTM by traffic type.
Attacked hosts that are detected and managed by actions that do not drop packets are not shown on this chart.
Configuring the report
Select a time period and the elements you wish to monitor for attacked hosts. You can build virtual clusters of Sandvine elements using
the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.
Note: these charts display raw count totals. As a result, reports run over different time intervals can appear
to show different peak results, because the values are scaled over the interval. For example, if
you chose to report on data for a one-week period, that reporting interval may be broken up into
one-hour segments within the chart. Assume that four consecutive plotted points within
the chart form the series (4, 7, 13, 17). These values represent the total number of events for
each hour. If we re-ran the report with a two-week time period, the same
time range would be covered by fewer bins with higher values. In this example, we would expect
to see the series (11, 30) for the corresponding time points. This is because
the two-week report must collapse time bins, which in turn stacks the resulting bin values.
Malicious Bandwidth
Overview
Use the Malicious Bandwidth report to identify the malicious bandwidth detected across the selected networks for the report period. Use
this report to examine the total malicious bandwidth for selected protocols and to see how much of this bandwidth was mitigated by the
WDTM.
The report contains the following four charts:
• Malicious Bandwidth - Stacked area chart identifying the detected malicious bandwidth identified by traffic type.
• Mitigated Bandwidth - Stacked area chart identifying the detected malicious bandwidth that was mitigated by the WDTM by
traffic type. Malicious bandwidth that is detected and managed by actions that do not drop packets is not shown on this
chart.
• Malicious Packet Rate - Stacked area chart identifying the detected malicious packets identified by traffic type.
• Mitigated Packet Rate - Stacked area chart identifying the detected malicious packets that were mitigated by the WDTM by
traffic type. Malicious bandwidth that is detected and managed by actions that do not drop packets is not shown on this
chart.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.
Note: for a given detection type it is possible for the dropped bandwidth to be less than malicious
bandwidth. To understand why, it becomes necessary to understand how the WDTM Detection Engine
and WDTM Detection Aggregator work. When an attack starts, it is analyzed by the WDTM Detection
Engine. During this time, the attack is not confirmed, but its bytes and packets are counted. When the
Detection Engine determines that thresholds were crossed (as specified by detection-config rules) the
event is reported to the WDTM Detection Aggregator which is responsible for aggregating detection
events in an attempt to reduce false positives. When the Detection Aggregator confirms that the
event(s) constitute an attack due to timed-host-percent thresholds being crossed (as specified by
aggregator-config rules) it applies mitigation actions (as specified by wmd-rules). At this point, the
bytes/packets counted before the attack was confirmed are logged as malicious bytes/packets and show
up in the Malicious Bandwidth/Malicious Packet Rate graphs. This counted malicious traffic is impossible
to mitigate since it would require knowledge that the traffic was malicious before it looked malicious, and
so the traffic will not be counted as mitigated. Since new malicious traffic is always being detected for
the first time, this means that overall, malicious traffic will typically be greater than mitigated traffic.
For some detections, this contrast between malicious and mitigated is much larger. Spam especially
exhibits this large contrast. This is because the mitigated traffic is predominantly SYN packets that are
dropped before the TCP flow is established. As a result, the minutes required to confirm a spam attack
could result in many bytes and packets of unmitigated malicious traffic. When the attack is confirmed,
although many bytes and packets are in theory mitigated by dropping the flow, we can only honestly
report a very small fraction of that traffic that was actually mitigated on the wire, specifically the SYN
packets.
Note: because this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. It is generally recommended that you
run the report for a shorter interval of time if you need finer-grained accuracy. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one-week period, that reporting interval may be broken up into one-hour
segments within the chart. Assume that four consecutive plotted points within the chart
form the series (4, 5, 17, 5). These values represent the average rate of events for each
hour. If we re-ran the report with a two-week time period, the same time range would be
covered by fewer bins with lower values. In this example, we would expect to see the
series (4.5, 11) for the corresponding time points. This is because
the two-week report must collapse time bins, which dilutes peak values through averaging.
Drilldowns
User Bandwidth Flood Malicious Bandwidth by Destination IP Address
To examine the user bandwidth malicious bandwidth for a specific host for the reporting period, drill down on the destination IP address.
1. In the Destination IP Address column, click the IP address.
The User Bandwidth Malicious Bandwidth by Destination IP Address report for the selected IP address appears.
Audit Log
To examine the audit log for a specific IP address, drill down on the check mark icon.
If a check mark is present, an action has been applied and there is an audit log on the details of the action.
If the check mark is not present, no action has been applied.
1. In the View Audit column, click the check mark.
The User Bandwidth Audit Log report appears.
Audit Log
Overview
Use the Audit Log report to identify the actions taken by the WDTM for malicious traffic based on the selected networks for the report
period. Each record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to
confirm what actions were taken for a host and when the action was taken.
Top Talkers
by Bytes
Use this report to identify the top hosts that are conducting address scans, by bytes. By default, the top 100 subscribers are
displayed. This is configurable on the Presentation page.
This report contains the following table:
Field | Description
Source IP Address | The IP address of the host that is address scanning.
Network | The network associated with the host.
Bytes | The number of bytes transmitted by the host during the reporting period.
by Bytes Histogram
Use this report to identify the top hosts which are transmitting address scan traffic by bytes. By default, the top 10 subscribers are
displayed. This is configurable on the Presentation page.
This report contains the following chart:
• Address Scan Top Talkers by Bytes Histogram - histogram chart identifying the top hosts that are transmitting address
scans.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
by Detections
Use this report to identify the hosts which are transmitting the most address scans. By default, the top 100 subscribers are displayed. This
is configurable on the Presentation page.
This report contains the following table:
Field | Description
Source IP Address | The IP address of the host that is sending address scans.
Network | The network associated with the host.
Detections | The number of address scans detected during the reporting period.
by Detections Histogram
Use this report to identify the hosts which are transmitting the most address scans. By default, the top 10 subscribers are displayed. This
is configurable on the Presentation page.
This report contains the following chart:
• Address Scan Top Talkers by Detections Histogram - histogram chart identifying the top hosts that are transmitting
address scans.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
Address Scans
Overview
Use the Address Scans report to identify infected hosts that are address scanning and have been mitigated for the report period.
Address scans are defined as a single host initiating many new TCP/IP flows to many destination hosts on a specific port. Address scans
are the primary method used by worms to find vulnerable hosts. Use this report to identify potential attackers.
The address scan detector is configurable. Thresholds can be set that define the number of flows per second over a time period. For
example, you might want to identify hosts that are initially sending more than 15 flows per second for 15 seconds. A host that is found to
be scanning at this rate will attempt to contact over 225 hosts in a 15 second period.
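The threshold described above (more than 15 new flows per second sustained for 15 seconds, to many destination hosts on one port) can be checked with a sliding window over flow records. This is an added example, not Sandvine's detector code: the `Flow` record layout, the function names, the 0.8 distinct-destination ratio and the sample addresses are all assumptions constructed for the illustration.

```python
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One new-flow record (hypothetical layout, not a WDTM log format)."""
    ts: float    # flow start time, in seconds
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # layer 4 protocol
    dport: int   # destination port


def detect_address_scans(flows, rate=15.0, window=15.0, min_distinct_ratio=0.8):
    """Return {(src, proto, dport): time of first detection}.

    A source is flagged when, inside any `window`-second span, it starts
    more than rate * window new flows to one port and (assumed here) at
    least `min_distinct_ratio` of those flows go to different hosts.
    """
    if rate <= 0 or window <= 0:
        raise ValueError("rate and window must be positive")
    threshold = rate * window              # 15 * 15 = 225 with the defaults
    recent = defaultdict(deque)            # key -> (ts, dst) inside the window
    dests = defaultdict(Counter)           # key -> flows per destination
    detections = {}
    for f in sorted(flows, key=lambda fl: fl.ts):
        key = (f.src, f.proto, f.dport)
        q, seen = recent[key], dests[key]
        q.append((f.ts, f.dst))
        seen[f.dst] += 1
        # Expire flows that fell out of the sliding window (ts - window, ts].
        while q[0][0] <= f.ts - window:
            _, old_dst = q.popleft()
            seen[old_dst] -= 1
            if seen[old_dst] == 0:
                del seen[old_dst]
        if (key not in detections and len(q) > threshold
                and len(seen) >= min_distinct_ratio * len(q)):
            detections[key] = f.ts
    return detections


def sample_flows():
    """Constructed sample input using documentation and private addresses."""
    flows = []
    # Scanner: 16 new flows/s for 15 s, each to a different host on TCP 445.
    for i in range(240):
        flows.append(Flow(i / 16, "10.0.0.5", f"198.51.100.{i + 1}", "tcp", 445))
    # Busy client: 20 new flows/s for 15 s, all to a single server.
    for i in range(300):
        flows.append(Flow(i / 20, "10.0.0.9", "203.0.113.10", "tcp", 443))
    # Slow sweep: 5 new flows/s for 15 s to different hosts on TCP 23.
    for i in range(75):
        flows.append(Flow(i / 5, "10.0.0.7", f"192.0.2.{i + 1}", "tcp", 23))
    return flows


if __name__ == "__main__":
    for (src, proto, dport), ts in detect_address_scans(sample_flows()).items():
        print(f"address scan: {src} -> {proto}/{dport}, detected at t={ts}s")
```

The distinct-destination check keeps a host that opens many flows to a single server out of the results, and lowering `rate` shows how the slower sweep starts to be reported as the threshold is relaxed.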
The report contains the following table:
Field | Description
Source IP Address | The IP address of host who is doing the address scanning.
Subscriber | The name of the subscriber associated with the IP address. If the IP address is not associated with an internal subscriber, this column will appear empty.
Network | The network associated with the source IP address.
Protocol | Layer 4 protocol of the OSI stack.
Destination Port | Port to which the attack is being directed. If this is an ICMP attack, then port is referring to the ICMP type.
Application | Typical service found on the destination port.
Malware | Typical malware (worm, trojan, virus, etc.) that exploits the application or port.
Active Time | The amount of time the attack has been on the network using bandwidth which exceeds the set threshold.
Bandwidth | The average bit rate calculated over the active time measured in bits-per-second.
Packet Rate | The average packets per second calculated over the active time measured in packets-per-second.
Last Detected | The date and time in the current time zone that the attack was last detected.
View Audit | If a check mark is present, an action has been applied and there is an audit log on the details. If the check mark is not present, WDTM is monitoring traffic for this host, but no mitigation actions have been applied. This will happen if a host has not crossed the rule's high thresholds. In this case, WDTM has identified that this is a real attack, but WDTM has only been configured to mitigate above specific thresholds.
Generate the report for internal subscribers to determine who is performing address scans. For each host that is found scanning there are
three possible causes:
• the traffic is legitimate.
• the traffic is malicious as a result of specific user actions.
• the traffic is malicious and generated by a worm or virus, perhaps without the knowledge of the user.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
The Flow Selection area allows you to select the egress, or direction, of the traffic from the selected networks.
Audit Log
Overview
Use the Audit Log report to identify the actions taken by the WDTM for malicious traffic based on the selected networks for the report
period. Each record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to
confirm what actions were taken for a host and when the action was taken.
Bandwidth by Source
Overview
Use the Malicious Bandwidth by Source IP Address report to identify the outgoing malicious bandwidth generated by a source host. Use
this report to identify hosts performing user-bandwidth attacks.
The report contains the following two charts:
• Malicious Bandwidth - Stacked area chart identifying the detected malicious bandwidth, measured in bits-per-second (bps).
• Malicious Packet Rate - Stacked area chart identifying the detected malicious packets, measured in packets-per-second (pps). If the policy changes during the date range the minimum threshold value is used.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the destination host that you wish to analyze.
Note: a value of 0 only indicates that the bandwidth dropped below the detection threshold for the
period; not that the activity stopped.
Note: due to the manner in which this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. It is generally recommended that if you
are looking for higher-grain accuracy that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one week period of time, that reporting interval may be broken up into one hour
segments within the chart. Let's assume that if we took four consecutive plotted points within the chart
we had the series (4, 5, 17, 5). These values would represent the average rate of events for that
particular hour. If we re-ran the report with a two week time period, we would find that in this particular
time range, we would have fewer bins with lower values. In this example, we would expect to see the
following series of values for the same appropriate time points (4.5, 11). This is caused by the fact that
the two-week report must collapse time bins, which dilutes peak values through averaging.
Frequency Histogram
Overview
The Frequency Histogram shows the total number of packets for specific exploits per port for the report period. The histogram is ordered
from highest number of packets to lowest number of packets.
Use this report to see which ports have the highest address scan traffic.
If all protocols are selected, only the top ten ports will appear on the chart.
The report contains the following chart:
• Address Scans Frequency Histogram - histogram bar chart identifying the number of malicious packets identified on each
port.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
The Flow Selection area allows you to select the egress, or direction, of the traffic from the selected networks.
Malicious Bandwidth
Overview
Use the Malicious Bandwidth report to identify the malicious bandwidth detected across the selected networks for the report period. Use
this report to examine the total malicious bandwidth for selected protocols and to see how much of this bandwidth was mitigated by the
WDTM.
The report contains the following four charts:
• Malicious Bandwidth - Stacked area chart identifying the detected malicious bandwidth identified by traffic type.
• Mitigated Bandwidth - Stacked area chart identifying the detected malicious bandwidth that was mitigated by the WDTM by
traffic type. Malicious bandwidth that is detected and managed by actions that do not drop packets is not shown on this
chart.
• Malicious Packet Rate - Stacked area chart identifying the detected malicious packets identified by traffic type.
• Mitigated Packet Rate - Stacked area chart identifying the detected malicious packets that were mitigated by the WDTM by
traffic type. Malicious bandwidth that is detected and managed by actions that do not drop packets is not shown on this
chart.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.
• use this chart to see the history of malicious traffic and to determine what is "steady state", and what is a change that
requires further investigation.
Mitigated Packet Rate
• use this chart to verify existing WDTM thresholds with respect to the overall mitigation strategy.
Note: for a given detection type it is possible for the dropped bandwidth to be less than malicious
bandwidth. To understand why, it becomes necessary to understand how the WDTM Detection Engine
and WDTM Detection Aggregator work. When an attack starts, it is analyzed by the WDTM Detection
Engine. During this time, the attack is not confirmed, but its bytes and packets are counted. When the
Detection Engine determines that thresholds were crossed (as specified by detection-config rules) the
event is reported to the WDTM Detection Aggregator which is responsible for aggregating detection
events in an attempt to reduce false positives. When the Detection Aggregator confirms that the
event(s) constitute an attack due to timed-host-percent thresholds being crossed (as specified by
aggregator-config rules) it applies mitigation actions (as specified by wmd-rules). At this point, the
bytes/packets counted before the attack was confirmed are logged as malicious bytes/packets and show
up in the Malicious Bandwidth/Malicious Packet Rate graphs. This counted malicious traffic is impossible
to mitigate since it would require knowledge that the traffic was malicious before it looked malicious, and
so the traffic will not be counted as mitigated. Since new malicious traffic is always being detected for
the first time, this means that overall, malicious traffic will typically be greater than mitigated traffic.
For some detections, this contrast between malicious and mitigated is much larger. Spam especially
exhibits this large contrast. This is because the mitigated traffic is predominantly syn packets that are
dropped before the tcp flow is established. As a result, the minutes required to confirm a spam attack
could result in many bytes and packets of unmitigated malicious traffic. When the attack is confirmed,
although many bytes and packets are in theory mitigated by dropping the flow, we can only honestly
report a very small fraction of that traffic that was actually mitigated on the wire, specifically the syn
packets.
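The accounting described in the note above can be followed in a small model. This is an added example, not the WDTM implementation: the per-interval threshold and the "confirm after N consecutive intervals" rule are assumed stand-ins for the detection-config and aggregator-config rules, whose exact semantics the text does not give, and all traffic figures are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

SYN_BYTES = 60  # assumed on-wire size of one TCP SYN


@dataclass
class Interval:
    """Traffic a host offers in one counting interval if nothing blocks it."""
    packets: int
    byte_count: int
    syn_packets: int   # new TCP connection attempts among the packets


@dataclass
class Totals:
    malicious_bytes: int = 0
    mitigated_bytes: int = 0
    confirmed_at: Optional[int] = None   # index of the confirming interval


def account(intervals: List[Interval], engine_threshold: int,
            confirm_after: int, syn_only: bool) -> Totals:
    """Tally malicious and mitigated bytes for one host.

    engine_threshold: packets per interval at which the (modelled) Detection
                      Engine reports an event.
    confirm_after:    consecutive events the (modelled) Aggregator needs
                      before it confirms the attack and mitigation starts.
    syn_only:         True for the spam case, where a blocked flow only ever
                      puts its SYN on the wire.
    """
    totals = Totals()
    pending = 0   # bytes counted while the attack is still unconfirmed
    streak = 0
    for index, iv in enumerate(intervals):
        if totals.confirmed_at is not None:
            # Mitigation is active: only what reaches the wire can be counted,
            # and all of it is dropped.
            on_wire = iv.syn_packets * SYN_BYTES if syn_only else iv.byte_count
            totals.malicious_bytes += on_wire
            totals.mitigated_bytes += on_wire
            continue
        if iv.packets >= engine_threshold:
            streak += 1
            pending += iv.byte_count
        else:
            streak, pending = 0, 0   # rate fell back: counting starts over
        if streak >= confirm_after:
            # Confirmed: everything counted so far is logged as malicious,
            # but it already passed, so none of it is mitigated.
            totals.confirmed_at = index
            totals.malicious_bytes += pending
            pending = 0
    return totals


# Constructed traffic: six identical intervals from one host.
FLOOD = [Interval(packets=1000, byte_count=500_000, syn_packets=0)] * 6
SPAM = [Interval(packets=1000, byte_count=500_000, syn_packets=50)] * 6

if __name__ == "__main__":
    for name, data, syn_only in (("flood", FLOOD, False), ("spam", SPAM, True)):
        t = account(data, engine_threshold=800, confirm_after=3, syn_only=syn_only)
        print(name, t.malicious_bytes, t.mitigated_bytes)
```

In the flood case half of the malicious bytes are mitigated; in the spam case 1,509,000 bytes are logged as malicious but only the 9,000 bytes of dropped SYN packets count as mitigated, which is the large contrast the note describes.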
Note: due to the manner in which this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. It is generally recommended that if you
are looking for higher-grain accuracy that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one week period of time, that reporting interval may be broken up into one hour
segments within the chart. Let's assume that if we took four consecutive plotted points within the chart
we had the series (4, 5, 17, 5). These values would represent the average rate of events for that
particular hour. If we re-ran the report with a two week time period, we would find that in this particular
time range, we would have fewer bins with lower values. In this example, we would expect to see the
following series of values for the same appropriate time points (4.5, 11). This is caused by the fact that
the two-week report must collapse time bins, which dilutes peak values through averaging.
Malicious Hosts
Overview
Use the Malicious Hosts report to identify the malicious hosts detected across the selected networks for the report period. Use this report
to examine the total malicious hosts for selected protocols and to see how many of the hosts were mitigated by the WDTM.
The report contains the following two charts:
• Malicious Hosts - Stacked area chart identifying the detected malicious hosts identified by traffic type.
• Mitigated Hosts - Stacked area chart identifying the detected malicious hosts that were mitigated by the WDTM by traffic
type. Malicious hosts that are detected and managed by actions that do not drop packets are not shown on this chart.
Configuring the report
Select a time period and the elements you wish to monitor for malicious hosts. You can build virtual clusters of Sandvine elements using
the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.
Note: these charts display raw count totals. This can affect the reports by appearing to provide different
peak results, which is caused by the scaling of these values over different time intervals. For example, if
you chose to report on data for a one week period of time, that reporting interval may be broken up into
one hour segments within the chart. Let's assume that if we took four consecutive plotted points within
the chart we had the series (4, 7, 13, 17). These values would represent the total number of events for
that particular hour. If we re-ran the report but with a two week time period, we would find that in this
particular time range, we would have fewer bins but with higher values. In this example, we would expect
to see the following series of values for the same appropriate time points (11, 30). This is caused by the
fact that the two-week report must collapse time bins, which in turn stacks the resulting bin values.
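Both scaling notes, the running-average one on the bandwidth reports and the raw-count one above, describe the same bin collapse with a different merge rule. The following added example (not part of the product; function names are assumptions) reproduces the two series from the notes and shows what the collapse does to a fixed level an analyst might be watching for.

```python
from typing import List, Sequence


def collapse_bins(values: Sequence[float], factor: int, mode: str) -> List[float]:
    """Merge every `factor` consecutive chart bins into one.

    mode="average": inputs are per-bin average rates, merged by averaging
                    (bandwidth and packet-rate charts).
    mode="count":   inputs are per-bin event totals, merged by summing
                    (host-count charts).
    A trailing group with fewer than `factor` bins is merged over the bins
    it actually has.
    """
    if factor < 1:
        raise ValueError("factor must be at least 1")
    if mode not in ("average", "count"):
        raise ValueError("mode must be 'average' or 'count'")
    merged: List[float] = []
    for start in range(0, len(values), factor):
        group = values[start:start + factor]
        total = sum(group)
        merged.append(total / len(group) if mode == "average" else total)
    return merged


def peak_survives(values: Sequence[float], factor: int, mode: str,
                  level: float) -> bool:
    """True if any bin still reaches `level` after the collapse."""
    merged = collapse_bins(values, factor, mode)
    return bool(merged) and max(merged) >= level


# The two series used in the notes (one-hour bins of a one-week report).
HOURLY_AVERAGES = [4, 5, 17, 5]
HOURLY_COUNTS = [4, 7, 13, 17]

if __name__ == "__main__":
    # Doubling the report period halves the number of bins (factor 2).
    print(collapse_bins(HOURLY_AVERAGES, 2, "average"))   # diluted peak
    print(collapse_bins(HOURLY_COUNTS, 2, "count"))       # stacked totals
    # A level of 15 is reached in the one-week average chart but not in the
    # two-week one; a level of 20 is reached only in the two-week count chart.
    print(peak_survives(HOURLY_AVERAGES, 1, "average", 15),
          peak_survives(HOURLY_AVERAGES, 2, "average", 15))
    print(peak_survives(HOURLY_COUNTS, 1, "count", 20),
          peak_survives(HOURLY_COUNTS, 2, "count", 20))
```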
Audit Log
Overview
Use the Audit Log report to identify the actions taken by the WDTM for malicious traffic based on the selected networks for the report
period. Each record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to
confirm what actions were taken for a host and when the action was taken.
Bandwidth by Destination
Overview
Use the Malicious Bandwidth by Destination IP Address report to identify the flow flood activity directed to a specific IP address. Use this
report to identify the victim of a flow flood attack and the severity of those attacks.
The report contains the following two charts:
• Malicious Bandwidth - Stacked area chart identifying the detected malicious bandwidth, measured in bits-per-second (bps).
• Malicious Packet Rate - Stacked area chart identifying the detected malicious packets, measured in packets-per-second (pps). If the policy changes during the date range the minimum threshold value is used.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the destination host that you wish to analyze.
Note: a value of 0 only indicates that the bandwidth dropped below the detection threshold for the
period; not that the activity stopped.
Note: due to the manner in which this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. It is generally recommended that if you
are looking for higher-grain accuracy that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one week period of time, that reporting interval may be broken up into one hour
segments within the chart. Let's assume that if we took four consecutive plotted points within the chart
we had the series (4, 5, 17, 5). These values would represent the average rate of events for that
particular hour. If we re-ran the report with a two week time period, we would find that in this particular
time range, we would have fewer bins with lower values. In this example, we would expect to see the
following series of values for the same appropriate time points (4.5, 11). This is caused by the fact that
the two-week report must collapse time bins, which dilutes peak values through averaging.
Bandwidth by Source
Overview
Use the Malicious Bandwidth by Source IP Address report to identify all flow flood activity for a host during the reporting period. This may
encompass one or more detections. Use this report to identify hosts that are initiating flow flood attacks and the severity of those attacks.
The report contains the following two charts:
• Malicious Bandwidth - Stacked area chart identifying the detected malicious bandwidth, measured in bits-per-second (bps).
• Malicious Packet Rate - Stacked area chart identifying the detected malicious packets, measured in packets-per-second (pps). If the policy changes during the date range the minimum threshold value is used.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Note: a value of 0 only indicates that the bandwidth dropped below the detection threshold for the
period; not that the activity stopped.
Note: due to the manner in which this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. It is generally recommended that if you
are looking for higher-grain accuracy that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one week period of time, that reporting interval may be broken up into one hour
segments within the chart. Let's assume that if we took four consecutive plotted points within the chart
we had the series (4, 5, 17, 5). These values would represent the average rate of events for that
particular hour. If we re-ran the report with a two week time period, we would find that in this particular
time range, we would have fewer bins with lower values. In this example, we would expect to see the
following series of values for the same appropriate time points (4.5, 11). This is caused by the fact that
the two-week report must collapse time bins, which dilutes peak values through averaging.
• sort by the Destination IP Address to see if the addresses being attacked are related. If so, this may indicate a directed DoS
attack.
• examine the Destination Port field to identify if a specific port is being targeted.
Drilldowns
Malicious Bandwidth by Source
To examine the flow flood malicious bandwidth from a specific host for the reporting period, drilldown uses the source IP address.
Malicious Bandwidth by Destination
To examine the flow flood malicious bandwidth directed towards a specific host for the reporting period, drilldown uses the destination IP
address.
Bandwidth by Subscriber
To examine the bandwidth for a specific subscriber for the reporting period, drilldown uses the source subscriber and is only available if
the source subscriber is known.
Bandwidth by Destination Subscriber
To examine the bandwidth for a specific subscriber for the reporting period, drilldown uses the destination subscriber and is only available
if the destination subscriber is known.
Application/Malware by Port
To examine the typical applications and exploits for a specific port, drilldown uses the destination port.
Audit Log by Detection
To examine the audit log for a specific attack, drilldown uses the attack identification and is only available if the View Audit column is
checked. If the check mark is not present, no actions have been applied and no drilldown is available.
Malicious Bandwidth
Overview
Use the Malicious Bandwidth report to identify the malicious bandwidth detected across the selected networks for the report period. Use
this report to examine the total malicious bandwidth for selected protocols and to see how much of this bandwidth was mitigated by the
WDTM.
The report contains the following four charts:
• Malicious Bandwidth - Stacked area chart identifying the detected malicious bandwidth identified by traffic type.
• Mitigated Bandwidth - Stacked area chart identifying the detected malicious bandwidth that was mitigated by the WDTM by
traffic type. Malicious bandwidth that is detected and managed by actions that do not drop packets is not shown on this
chart.
• Malicious Packet Rate - Stacked area chart identifying the detected malicious packets identified by traffic type.
• Mitigated Packet Rate - Stacked area chart identifying the detected malicious packets that were mitigated by the WDTM by
traffic type. Malicious bandwidth that is detected and managed by actions that do not drop packets is not shown on this
chart.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.
Note: for a given detection type it is possible for the dropped bandwidth to be less than malicious
bandwidth. To understand why, it becomes necessary to understand how the WDTM Detection Engine
and WDTM Detection Aggregator work. When an attack starts, it is analyzed by the WDTM Detection
Engine. During this time, the attack is not confirmed, but its bytes and packets are counted. When the
Detection Engine determines that thresholds were crossed (as specified by detection-config rules) the
event is reported to the WDTM Detection Aggregator which is responsible for aggregating detection
events in an attempt to reduce false positives. When the Detection Aggregator confirms that the
event(s) constitute an attack due to timed-host-percent thresholds being crossed (as specified by
aggregator-config rules) it applies mitigation actions (as specified by wmd-rules). At this point, the
bytes/packets counted before the attack was confirmed are logged as malicious bytes/packets and show
up in the Malicious Bandwidth/Malicious Packet Rate graphs. This counted malicious traffic is impossible
to mitigate since it would require knowledge that the traffic was malicious before it looked malicious, and
so the traffic will not be counted as mitigated. Since new malicious traffic is always being detected for
the first time, this means that overall, malicious traffic will typically be greater than mitigated traffic.
For some detections, this contrast between malicious and mitigated is much larger. Spam especially
exhibits this large contrast. This is because the mitigated traffic is predominantly syn packets that are
dropped before the tcp flow is established. As a result, the minutes required to confirm a spam attack
could result in many bytes and packets of unmitigated malicious traffic. When the attack is confirmed,
although many bytes and packets are in theory mitigated by dropping the flow, we can only honestly
report a very small fraction of that traffic that was actually mitigated on the wire, specifically the syn
packets.
Note: due to the manner in which this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. It is generally recommended that if you
are looking for higher-grain accuracy that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one week period of time, that reporting interval may be broken up into one hour
segments within the chart. Let's assume that if we took four consecutive plotted points within the chart
we had the series (4, 5, 17, 5). These values would represent the average rate of events for that
particular hour. If we re-ran the report with a two week time period, we would find that in this particular
time range, we would have fewer bins with lower values. In this example, we would expect to see the
following series of values for the same appropriate time points (4.5, 11). This is caused by the fact that
the two-week report must collapse time bins, which dilutes peak values through averaging.
Malicious Hosts
Overview
Use the Malicious Hosts report to identify the malicious hosts detected across the selected networks for the report period. Use this report
to examine the total malicious hosts for selected protocols and to see how many of the hosts were mitigated by the WDTM.
The report contains the following two charts:
• Malicious Hosts - Stacked area chart identifying the detected malicious hosts identified by traffic type.
• Mitigated Hosts - Stacked area chart identifying the detected malicious hosts that were mitigated by the WDTM by traffic
type. Malicious hosts that are detected and managed by actions that do not drop packets are not shown on this chart.
Configuring the report
Select a time period and the elements you wish to monitor for malicious hosts. You can build virtual clusters of Sandvine elements using
the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.
Note: these charts display raw count totals. This can affect the reports by appearing to provide different
peak results, which is caused by the scaling of these values over different time intervals. For example, if
you chose to report on data for a one week period of time, that reporting interval may be broken up into
one hour segments within the chart. Let's assume that if we took four consecutive plotted points within
the chart we had the series (4, 7, 13, 17). These values would represent the total number of events for
that particular hour. If we re-ran the report but with a two week time period, we would find that in this
particular time range, we would have fewer bins but with higher values. In this example, we would expect
to see the following series of values for the same appropriate time points (11, 30). This is caused by the
fact that the two-week report must collapse time bins, which in turn stacks the resulting bin values.
Audit Log
Overview
Use the Audit Log report to identify the actions taken by the WDTM for malicious traffic based on the selected networks for the report
period. Each record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to
confirm what actions were taken for a host and when the action was taken.
Top Talkers
by Bytes
Use this report to identify the top hosts who are generating malicious bandwidth by bytes. By default, the top 100 subscribers are
displayed. This is configurable on the Presentation page.
This report contains the following table:
Field - Description
• Source IP Address - The IP address of the host that is generating malicious bandwidth.
• Network - The network associated with the host.
• Bytes - The number of bytes transmitted by the host during the reporting period.
by Bytes Histogram
Use this report to identify the top hosts which are generating malicious bandwidth by bytes. By default, the top 10 subscribers are
displayed. This is configurable on the Presentation page.
This report contains the following chart:
• Packet Signature Top Talkers by Bytes Histogram - histogram chart identifying the top hosts that are generating
malicious bandwidth.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
by Detections
Use this report to identify the hosts which are generating malicious bandwidth that matches a packet signature. By default, the top 100
subscribers are displayed. This is configurable on the Presentation page.
This report contains the following table:
Field - Description
• Source IP Address - The IP address of the host that is sending malicious bandwidth.
• Network - The network associated with the host.
• Detections - The number of packet signature detections during the reporting period.
by Detections Histogram
Use this report to identify the hosts which are generating the most malicious bandwidth. By default, the top 10 subscribers are displayed.
This is configurable on the Presentation page.
This report contains the following chart:
• Packet Signature Top Talkers by Detections Histogram - histogram chart identifying the top hosts that are generating
malicious bandwidth.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
Bandwidth by Source
Overview
Use the Packet Signature Bandwidth Detected by Source IP Address report to identify the outgoing malicious bandwidth generated by a
source host. Use this report to identify hosts performing user-bandwidth attacks.
The report contains the following two charts:
• Malicious Bandwidth - Stacked area chart identifying the detected malicious bandwidth, measured in bits-per-second (bps).
• Malicious Packet Rate - Stacked area chart identifying the detected malicious packets, measured in packets-per-second (pps).
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the destination host that you wish to analyze.
Note: a value of 0 only indicates that the bandwidth dropped below the detection threshold for the
period; not that the activity stopped.
Note: due to the manner in which this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. It is generally recommended that if you
are looking for higher-grain accuracy that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one week period of time, that reporting interval may be broken up into one hour
segments within the chart. Let's assume that if we took four consecutive plotted points within the chart
we had the series (4, 5, 17, 5). These values would represent the average rate of events for that
particular hour. If we re-ran the report with a two week time period, we would find that in this particular
time range, we would have fewer bins with lower values. In this example, we would expect to see the
following series of values for the same appropriate time points (4.5, 11). This is caused by the fact that
the two-week report must collapse time bins, which dilutes peak values through averaging.
Frequency Histogram
Overview
The Frequency Histogram shows the total number of packets for the top ten packet signatures detected for the report period. The data is
sorted from highest to lowest.
Use this report to identify the most active packet signatures on the selected networks for the report period.
The report contains the following chart:
• Packet Signature Frequency Histogram - histogram bar chart identifying the number of malicious packets identified for
each packet signature.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
Malicious Bandwidth
Overview
Use the Malicious Bandwidth report to identify the malicious bandwidth detected across the selected networks for the report period. Use
this report to examine the total malicious bandwidth for selected protocols and to see how much of this bandwidth was mitigated by the
WDTM.
The report contains the following four charts:
• Malicious Bandwidth - Stacked area chart identifying the detected malicious bandwidth identified by traffic type.
• Mitigated Bandwidth - Stacked area chart identifying the detected malicious bandwidth that was mitigated by the WDTM by
traffic type. Malicious bandwidth that is detected and managed by actions that do not drop packets is not shown on this
chart.
• Malicious Packet Rate - Stacked area chart identifying the detected malicious packets identified by traffic type.
• Mitigated Packet Rate - Stacked area chart identifying the detected malicious packets that were mitigated by the WDTM by
traffic type. Malicious bandwidth that is detected and managed by actions that do not drop packets are not shown on this
chart.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.
Note: for a given detection type it is possible for the dropped bandwidth to be less than malicious
bandwidth. To understand why, it becomes necessary to understand how the WDTM Detection Engine
and WDTM Detection Aggregator work. When an attack starts, it is analyzed by the WDTM Detection
Engine. During this time, the attack is not confirmed, but its bytes and packets are counted. When the
Detection Engine determines that thresholds were crossed (as specified by detection-config rules) the
event is reported to the WDTM Detection Aggregator which is responsible for aggregating detection
events in an attempt to reduce false positives. When the Detection Aggregator confirms that the
event(s) constitute an attack due to timed-host-percent thresholds being crossed (as specified by
aggregator-config rules) it applies mitigation actions (as specified by wmd-rules). At this point, the
bytes/packets counted before the attack was confirmed are logged as malicious bytes/packets and show
up in the Malicious Bandwidth/Malicious Packet Rate graphs. This counted malicious traffic is impossible
to mitigate since it would require knowledge that the traffic was malicious before it looked malicious, and
so the traffic will not be counted as mitigated. Since new malicious traffic is always being detected for
the first time, this means that overall, malicious traffic will typically be greater than mitigated traffic.
For some detections, this contrast between malicious and mitigated is much larger. Spam especially
exhibits this large contrast. This is because the mitigated traffic is predominantly SYN packets that are
dropped before the TCP flow is established. As a result, the minutes required to confirm a spam attack
could result in many bytes and packets of unmitigated malicious traffic. When the attack is confirmed,
although many bytes and packets are in theory mitigated by dropping the flow, we can only honestly
report a very small fraction of that traffic that was actually mitigated on the wire, specifically the SYN
packets.
Note: due to the manner in which this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. It is generally recommended that if you
are looking for higher-grain accuracy that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one week period of time, that reporting interval may be broken up into one hour
segments within the chart. Let's assume that four consecutive plotted points within the chart
form the series (4, 5, 17, 5). These values would represent the average rate of events for that
particular hour. If we re-ran the report with a two week time period, we would find that in this particular
time range, we would have fewer bins with lower values. In this example, we would expect to see the
following series of values for the same appropriate time points (4.5, 11). This is caused by the fact that
the two-week report must collapse time bins, which dilutes peak values through averaging.
Malicious Hosts
Overview
Use the Malicious Hosts report to identify the malicious hosts detected across the selected networks for the report period. Use this report
to examine the total malicious hosts for selected protocols and to see how many of the hosts were mitigated by the WDTM.
The report contains the following two charts:
• Malicious Hosts - Stacked area chart identifying the detected malicious hosts identified by traffic type.
• Mitigated Hosts - Stacked area chart identifying the detected malicious hosts that were mitigated by the WDTM by traffic
type. Malicious hosts that are detected and managed by actions that do not drop packets are not shown on this chart.
Configuring the report
Select a time period and the elements you wish to monitor for malicious hosts. You can build virtual clusters of Sandvine elements using
the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.
Note: these charts display raw count totals. This can affect the reports by appearing to provide different
peak results, which is caused by the scaling of these values over different time intervals. For example, if
you chose to report on data for a one week period of time, that reporting interval may be broken up into
one hour segments within the chart. Let's assume that four consecutive plotted points within
the chart form the series (4, 7, 13, 17). These values would represent the total number of events for
that particular hour. If we re-ran the report but with a two week time period, we would find that in this
particular time range, we would have fewer bins but with higher values. In this example, we would expect
to see the following series of values for the same appropriate time points (11, 30). This is caused by the
fact that the two-week report must collapse time bins, which in turn stacks the resulting bin values.
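The bin-collapsing effect described in the running-average note under Malicious Bandwidth and in the raw-count note above, as an added example (not part of the original guide or the product's code). It assumes one-hour base bins; the function names and the threshold of 16 events per hour are hypothetical, and it generalises the guide's two-bin case to any merge factor.

```python
"""Added example: how collapsing time bins changes the peaks a report shows."""
from statistics import fmean


def collapse(series, factor, mode):
    """Merge every `factor` adjacent bins into one wider bin.

    mode="mean" models charts plotted as a running average (bandwidth, packet rate).
    mode="sum"  models charts plotted as raw count totals (hosts).
    A trailing partial bin is merged over the samples it actually contains.
    """
    if factor < 1:
        raise ValueError("factor must be >= 1")
    if mode not in ("mean", "sum"):
        raise ValueError("mode must be 'mean' or 'sum'")
    merge = fmean if mode == "mean" else sum
    return [merge(series[i:i + factor]) for i in range(0, len(series), factor)]


def peak_by_bin_width(hourly, factors, mode, threshold_per_hour):
    """Report the plotted peak and the per-hour peak for each bin width.

    plotted_peak      : what the chart shows (averaged or stacked, per `mode`).
    peak_per_hour     : the same bins normalised to events per hour, so that
                        reports of different lengths can be compared.
    crosses_threshold : whether the per-hour peak still reaches the threshold.
    """
    if not hourly:
        raise ValueError("series must not be empty")
    rows = []
    for factor in factors:
        plotted = collapse(hourly, factor, mode)
        per_hour = collapse(hourly, factor, "mean")
        rows.append({
            "hours_per_bin": factor,
            "plotted_peak": max(plotted),
            "peak_per_hour": max(per_hour),
            "crosses_threshold": max(per_hour) >= threshold_per_hour,
        })
    return rows


# Series taken from the guide's two notes; the threshold is a constructed value.
AVERAGED_SERIES = [4, 5, 17, 5]    # running-average chart, one value per hour
COUNT_SERIES = [4, 7, 13, 17]      # raw-count chart, one value per hour
THRESHOLD_PER_HOUR = 16            # hypothetical alerting level

if __name__ == "__main__":
    for label, series, mode in (
        ("running average", AVERAGED_SERIES, "mean"),
        ("raw counts", COUNT_SERIES, "sum"),
    ):
        print(label)
        for row in peak_by_bin_width(series, [1, 2, 4], mode, THRESHOLD_PER_HOUR):
            print("  ", row)
```

Normalising a raw-count chart to a per-hour value removes the apparent growth between reports of different lengths, but a peak that wider bins have averaged away is only visible again when the report is run over a shorter interval.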
Bytes - The total number of bytes discovered during the reporting period.
Packets - The total number of packets discovered during the reporting period.
Last Detected - The date and time in the current time zone that the attack was last detected.
View Audit - If a check mark is present, an action has been applied and there is an audit log on the details. If the check mark is not present, WDTM is monitoring traffic for this host, but no mitigation actions have been applied. This will happen if a host has not crossed the rule's high thresholds. In this case, WDTM has identified that this is a real attack, but WDTM has only been configured to mitigate above specific thresholds.
Audit Log
Audit Log
Overview
Use the Audit Log report to identify the actions taken by the WDTM for malicious traffic based on the selected networks for the report
period. Each record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to
confirm what actions were taken for a host and when the action was taken.
by Spammer
Bandwidth
Overview
Use the Spam Bandwidth by Spammer report to identify the bandwidth that is being consumed by specific spammers.
The report contains the following two charts:
• Malicious Bandwidth - Stacked area chart identifying the detected malicious bandwidth, measured in bits-per-second (bps).
• Malicious Packet Rate - Stacked area chart identifying the detected malicious packets, measured in packets-per-second (pps).
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the spammer host addresses that you wish to analyze.
Note: due to the manner in which this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. It is generally recommended that if you
are looking for higher-grain accuracy that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one week period of time, that reporting interval may be broken up into one hour
segments within the chart. Let's assume that four consecutive plotted points within the chart
form the series (4, 5, 17, 5). These values would represent the average rate of events for that
particular hour. If we re-ran the report with a two week time period, we would find that in this particular
time range, we would have fewer bins with lower values. In this example, we would expect to see the
following series of values for the same appropriate time points (4.5, 11). This is caused by the fact that
the two-week report must collapse time bins, which dilutes peak values through averaging.
Message Details
Overview
Use the Spam Message Details by Spammer report to get an overview of spam activity for specific spammers.
The report contains the following three charts:
• Attempted Messages - Stacked bar chart identifying the total number of attempted messages that the spammer attempted
to send.
• Recipients - Stacked bar chart identifying the total number of recipients that the spam emails were addressed to.
• Senders - Stacked bar chart identifying the number of unique sender email addresses from which the spammer was sending
spam.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the spammer host addresses that you wish to analyze.
SMTP State
Overview
Use the Spam SMTP State Analysis by Spammer report to find details on the state (or flow) of the session.
The report contains the following three charts:
• SMTP Sessions - Stacked bar chart identifying the total number of sessions initiated.
• SMTP Errors - Stacked bar chart identifying the total number of SMTP errors received from all SMTP servers within all
sessions.
• SMTP Resets - Stacked bar chart identifying the total number of RSET commands issued from the spammer for all sessions.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the spammer host addresses that you wish to analyze.
Spam Detections
Overview
Use the Spam Attacks by Spammer report to provide detailed information on specific Spam parameters. The parameters that appear on
this report relate directly to spam detection metrics.
Use this report to examine the specific values for a spam attack.
The report contains the following table:
Field - Description
Spammer - The IP address of the subscriber.
Network - The network associated with the host IP address.
Active Time - The cumulative time malicious traffic was actually detected during the report period.
Total Recipients - The cumulative total of recipients a subscriber has attempted to send an email to.
Attempted Messages - The cumulative total email messages a subscriber has attempted to send.
Sessions - The cumulative total SMTP sessions a subscriber has initiated with all SMTP servers.
Errors - The cumulative total errors a subscriber has received from all SMTP servers.
Resets - The cumulative total RSET commands a subscriber has issued during all SMTP sessions.
Unique Recipients - The number of unique recipients discovered per hour that a subscriber has attempted to send email to.
Unique Recipient Domains - The number of unique recipient domains discovered per hour that a subscriber has attempted to send email to.
Unique Senders - The number of unique sender email addresses discovered per hour that a subscriber has attempted to send email from.
Unique Sender Domains - The number of unique sender domains discovered per hour that a subscriber has attempted to send email from.
Unique Servers - The number of unique SMTP servers discovered per hour that a subscriber has connected to.
Unique EHLO Names - The number of unique connection names or IP addresses discovered per hour that a subscriber used when connecting to an SMTP server.
Bytes - The total number of bytes sent.
Last Detected - The date and time in the current time zone that the attack was last detected.
View Audit - If a check mark is present, an action has been applied and there is an audit log on the details. If the check mark is not present, WDTM is monitoring traffic for this host, but no mitigation actions have been applied. This will happen if a host has not crossed the rule's high thresholds. In this case, WDTM has identified that this is a real attack, but WDTM has only been configured to mitigate above specific thresholds.
Top Spammers
by Bytes
Use this report to identify the top hosts who are generating the most spam by bytes. By default, the top 100 subscribers are displayed.
This is configurable on the Presentation page.
This report contains the following table:
Field - Description
Source IP Address - The IP address of the host that is generating spam.
Network - The network associated with the host.
Bytes - The number of bytes transmitted by the host during the reporting period.
by Bytes Histogram
Use this report to identify the top hosts who are generating the most spam by bytes. By default, the top 100 subscribers are displayed.
This is configurable on the Presentation page.
This report contains the following table:
Field - Description
Source IP Address - The IP address of the host that is generating spam.
Network - The network associated with the host.
Bytes - The number of bytes transmitted by the host during the reporting period.
by Detections
Use this report to identify the hosts which are generating the most spam. By default, the top 100 subscribers are displayed. This is
configurable on the Presentation page.
This report contains the following table:
Field - Description
Source IP Address - The IP address of the host that is sending spam.
Network - The network associated with the host.
Detections - The number of spam sessions detected during the reporting period.
by Detections Histogram
Use this report to identify the hosts which are generating the most spam. By default, the top 100 subscribers are displayed. This is
configurable on the Presentation page.
This report contains the following table:
Field - Description
Source IP Address - The IP address of the host that is sending spam.
Network - The network associated with the host.
Detections - The number of spam sessions detected during the reporting period.
Spam
Audit Log
Overview
Use the Audit Log report to identify the actions taken by the WDTM for malicious traffic based on the selected networks for the report
period. Each record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to
confirm what actions were taken for a host and when the action was taken.
Bandwidth
Overview
Use the Spam Bandwidth by Spammer report to identify the bandwidth that is being consumed by specific spammers.
The report contains the following two charts:
• Malicious Bandwidth - Stacked area chart identifying the detected malicious bandwidth, measured in bits-per-second (bps).
• Malicious Packet Rate - Stacked area chart identifying the detected malicious packets, measured in packets-per-second (pps).
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the spammer host addresses that you wish to analyze.
Note: due to the manner in which this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. It is generally recommended that if you
are looking for higher-grain accuracy that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one week period of time, that reporting interval may be broken up into one hour
segments within the chart. Let's assume that four consecutive plotted points within the chart
form the series (4, 5, 17, 5). These values would represent the average rate of events for that
particular hour. If we re-ran the report with a two week time period, we would find that in this particular
time range, we would have fewer bins with lower values. In this example, we would expect to see the
following series of values for the same appropriate time points (4.5, 11). This is caused by the fact that
the two-week report must collapse time bins, which dilutes peak values through averaging.
Malicious Bandwidth
Overview
Use the Malicious Bandwidth report to identify the malicious bandwidth detected across the selected networks for the report period. Use
this report to examine the total malicious bandwidth for selected protocols and to see how much of this bandwidth was mitigated by the
WDTM.
The report contains the following four charts:
• Malicious Bandwidth - Stacked area chart identifying the detected malicious bandwidth by traffic type.
• Mitigated Bandwidth - Stacked area chart identifying the detected malicious bandwidth that was mitigated by the WDTM, by
traffic type. Malicious bandwidth that is detected and managed by actions that do not drop packets is not shown on this
chart.
• Malicious Packet Rate - Stacked area chart identifying the detected malicious packets by traffic type.
• Mitigated Packet Rate - Stacked area chart identifying the detected malicious packets that were mitigated by the WDTM, by
traffic type. Malicious bandwidth that is detected and managed by actions that do not drop packets is not shown on this
chart.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.
Note: due to the manner in which this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. It is generally recommended that if you
are looking for higher-grain accuracy that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one week period of time, that reporting interval may be broken up into one hour
segments within the chart. Let's assume that four consecutive plotted points within the chart
form the series (4, 5, 17, 5). These values would represent the average rate of events for that
particular hour. If we re-ran the report with a two week time period, we would find that in this particular
time range, we would have fewer bins with lower values. In this example, we would expect to see the
following series of values for the same appropriate time points (4.5, 11). This is caused by the fact that
the two-week report must collapse time bins, which dilutes peak values through averaging.
Malicious Hosts
Overview
Use the Malicious Hosts report to identify the malicious hosts detected across the selected networks for the report period. Use this report
to examine the total malicious hosts for selected protocols and to see how many of the hosts were mitigated by the WDTM.
The report contains the following two charts:
• Malicious Hosts - Stacked area chart identifying the detected malicious hosts identified by traffic type.
• Mitigated Hosts - Stacked area chart identifying the detected malicious hosts that were mitigated by the WDTM by traffic
type. Malicious hosts that are detected and managed by actions that do not drop packets are not shown on this chart.
Configuring the report
Select a time period and the elements you wish to monitor for malicious hosts. You can build virtual clusters of Sandvine elements using
the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.
Note: these charts display raw count totals. This can affect the reports by appearing to provide different
peak results, which is caused by the scaling of these values over different time intervals. For example, if
you chose to report on data for a one week period of time, that reporting interval may be broken up into
one hour segments within the chart. Let's assume that four consecutive plotted points within
the chart form the series (4, 7, 13, 17). These values would represent the total number of events for
that particular hour. If we re-ran the report but with a two week time period, we would find that in this
particular time range, we would have fewer bins but with higher values. In this example, we would expect
to see the following series of values for the same appropriate time points (11, 30). This is caused by the
fact that the two-week report must collapse time bins, which in turn stacks the resulting bin values.
Message Details
Overview
Use the Spam Message Details by Spammer report to get an overview of spam activity for specific spammers.
The report contains the following three charts:
• Attempted Messages - Stacked bar chart identifying the total number of attempted messages that the spammer attempted
to send.
• Recipients - Stacked bar chart identifying the total number of recipients that the spam emails were addressed to.
• Senders - Stacked bar chart identifying the number of unique sender email addresses from which the spammer was sending
spam.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the spammer host addresses that you wish to analyze.
SMTP State
Overview
Use the Spam SMTP State Analysis by Spammer report to find details on the state (or flow) of the session.
The report contains the following three charts:
• SMTP Sessions - Stacked bar chart identifying the total number of sessions initiated.
• SMTP Errors - Stacked bar chart identifying the total number of SMTP errors received from all SMTP servers within all
sessions.
• SMTP Resets - Stacked bar chart identifying the total number of RSET commands issued from the spammer for all sessions.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Select the protocols which you wish to monitor.
Finally, choose the spammer host addresses that you wish to analyze.
The following data represents accumulated totals. Note that these values can't be compared with the threshold values, which are in rate/hour (you should never see red values in these columns).
Bytes - The bandwidth used by the attack.
Packets - The number of packets used by the attack.
Total Recipients - The number of recipient email addresses a subscriber has attempted to send email to.
Attempted Messages - The number of messages a subscriber has attempted to send.
Sessions - Total number of SMTP sessions a subscriber has initiated with all SMTP servers.
Errors - Total number of errors a subscriber has received from all SMTP servers.
Resets - Total number of RSET commands a subscriber has issued during all SMTP sessions.
The following values represent rate/hour and should be compared with the thresholds.
Unique Recipients - Total number of unique recipients a subscriber has attempted to send email to.
Unique Recipient Domains - Total number of unique recipient domains a subscriber has attempted to send email to.
Unique Senders - Total number of unique sender email addresses a subscriber has attempted to send email from.
Unique Sender Domains - Total number of unique sender email domains a subscriber has attempted to send email from.
Unique EHLO Names - Total number of unique connection names or IP addresses used by a subscriber when connecting to an SMTP server.
The following values represent rate/period and should be compared with the thresholds. A period is 5 minutes in duration.
Recipients per Sample Period - Total number of unique recipients a subscriber has attempted to send email to per sample period.
Attempted Messages per Sample Period - Total number of attempted email messages a subscriber has attempted to send per sample period.
Sessions per Sample Period - Total number of SMTP sessions a subscriber has initiated with all SMTP servers.
Server per Sample Period - Total number of unique servers a subscriber has connected to per sample period.
The following values are comparisons of like metrics and can be compared with the thresholds.
Total Recipients per Unique Recipient - Total number of recipient email addresses a subscriber has attempted to send email to for every unique recipient email address.
Total Senders per Unique Sender - Total number of sender email addresses a subscriber has attempted to send from for every unique email address.
Attempted Messages per Successful - Total number of email messages a subscriber has attempted to send for every successfully sent email.
Spam Detections
Overview
Use the Spam Attacks by Spammer report to provide detailed information on specific Spam parameters. The parameters that appear on
this report relate directly to spam detection metrics.
Use this report to examine the specific values for a spam attack.
The report contains the following table:
Field - Description
Spammer - The IP address of the subscriber.
Network - The network associated with the host IP address.
Active Time - The cumulative time malicious traffic was actually detected during the report period.
Total Recipients - The cumulative total of recipients a subscriber has attempted to send an email to.
Attempted Messages - The cumulative total email messages a subscriber has attempted to send.
Sessions - The cumulative total SMTP sessions a subscriber has initiated with all SMTP servers.
Errors - The cumulative total errors a subscriber has received from all SMTP servers.
Resets - The cumulative total RSET commands a subscriber has issued during all SMTP sessions.
Unique Recipients - The number of unique recipients discovered per hour that a subscriber has attempted to send email to.
Unique Recipient Domains - The number of unique recipient domains discovered per hour that a subscriber has attempted to send email to.
Unique Senders - The number of unique sender email addresses discovered per hour that a subscriber has attempted to send email from.
Unique Sender Domains - The number of unique sender domains discovered per hour that a subscriber has attempted to send email from.
Unique Servers - The number of unique SMTP servers discovered per hour that a subscriber has connected to.
Unique EHLO Names - The number of unique connection names or IP addresses discovered per hour that a subscriber used when connecting to an SMTP server.
Bytes - The total number of bytes sent.
Last Detected - The date and time in the current time zone that the attack was last detected.
View Audit - If a check mark is present, an action has been applied and there is an audit log on the details. If the check mark is not present, WDTM is monitoring traffic for this host, but no mitigation actions have been applied. This will happen if a host has not crossed the rule's high thresholds. In this case, WDTM has identified that this is a real attack, but WDTM has only been configured to mitigate above specific thresholds.
Spammer Contribution
Overview
Use the Spammer Contribution report to compare the total email traffic with that which was detected as being spam for the reporting
period. Use this report to see how much of the email traffic on the network is actually spam.
The report contains the following chart:
• Spammer Contribution - Overlaid area chart identifying the detected email and spam-based traffic.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Top Spammers
Overview
Use the Top Spammers report to identify the top N subscribers who are sending spam (default is top 100).
The report contains the following table:
Field - Description
Spammer - The IP address of the subscriber.
Network - The network subnet associated with the host IP address.
Active Time - Cumulative time malicious traffic was actually detected during the report period.
Total Recipients - Total number of recipients a subscriber has attempted to send email to.
Attempted Messages - Total number of email messages a subscriber has attempted to send.
Sessions - The total number of SMTP sessions a subscriber has initiated with all SMTP servers.
Bytes - The number of bytes sent.
Last Detected - The date and time in the current time zone that the attack was last detected.
View Audit - If a check mark is present, an action has been applied and there is an audit log on the details. If the check mark is not present, WDTM is monitoring traffic for this host, but no mitigation actions have been applied. This will happen if a host has not crossed the rule's high thresholds. In this case, WDTM has identified that this is a real attack, but WDTM has only been configured to mitigate above specific thresholds.
Malicious Bandwidth
Applications/Malware by Port
Overview
Use the Application/Malware by Port report to identify the typical applications and malware encountered on specific ports. This report is
provided for informational purposes only.
The report contains the following two tables:
• Typical Applications by Port - table identifying all of the known applications that typically run on the specified ports.
• Typical Malware by Port - table identifying all of the known malware that typically runs on the specified ports.
Configuring the report
Select the TCP/UDP ports that you wish to view applications and malware for.
Audit Log
Overview
Use the Audit Log report to identify the actions taken by the WDTM for malicious traffic based on the selected networks for the report
period. Each record in the log correlates to an action taken for a detection. A detection may have multiple actions. Use this report to
confirm what actions were taken for a host and when the action was taken.
Malicious Bandwidth
Overview
Use the Malicious Bandwidth report to identify the malicious bandwidth detected across the selected networks for the report period. Use
this report to examine the total malicious bandwidth for selected protocols and to see how much of this bandwidth was mitigated by the
WDTM.
The report contains the following two charts:
• Malicious Bandwidth - Stacked area chart identifying the detected malicious bandwidth identified by traffic type.
• Mitigated Bandwidth - Stacked area chart identifying the detected malicious bandwidth that was mitigated by the WDTM by
traffic type. Malicious bandwidth that is detected and managed by actions that do not drop packets is not shown on this
chart.
Configuring the report
Select a time period and the elements you wish to monitor for malicious bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.
Note: for a given detection type it is possible for the dropped bandwidth to be less than malicious
bandwidth. To understand why, it becomes necessary to understand how the WDTM Detection Engine
and WDTM Detection Aggregator work. When an attack starts, it is analyzed by the WDTM Detection
Engine. During this time, the attack is not confirmed, but its bytes and packets are counted. When the
Detection Engine determines that thresholds were crossed (as specified by detection-config rules) the
event is reported to the WDTM Detection Aggregator which is responsible for aggregating detection
events in an attempt to reduce false positives. When the Detection Aggregator confirms that the
event(s) constitute an attack due to timed-host-percent thresholds being crossed (as specified by
aggregator-config rules) it applies mitigation actions (as specified by wmd-rules). At this point, the
bytes/packets counted before the attack was confirmed are logged as malicious bytes/packets and show
up in the Malicious Bandwidth/Malicious Packet Rate graphs. This counted malicious traffic is impossible
to mitigate since it would require knowledge that the traffic was malicious before it looked malicious, and
so the traffic will not be counted as mitigated. Since new malicious traffic is always being detected for
the first time, this means that overall, malicious traffic will typically be greater than mitigated traffic.
For some detections, this contrast between malicious and mitigated is much larger. Spam especially
exhibits this large contrast. This is because the mitigated traffic is predominantly SYN packets that are
dropped before the TCP flow is established. As a result, the minutes required to confirm a spam attack
could result in many bytes and packets of unmitigated malicious traffic. When the attack is confirmed,
although many bytes and packets are in theory mitigated by dropping the flow, we can only honestly
report the very small fraction of that traffic that was actually mitigated on the wire, specifically the SYN
packets.
Note: due to the manner in which this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. It is generally recommended that if you
are looking for higher-grain accuracy that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one week period of time, that reporting interval may be broken up into one hour
segments within the chart. Let's assume that four consecutive plotted points within the chart form
the series (4, 5, 17, 5). These values would represent the average rate of events for that
particular hour. If we re-ran the report with a two-week time period, we would find that in this particular
time range, we would have fewer bins with lower values. In this example, we would expect to see the
following series of values for the same time points: (4.5, 11). This is caused by the fact that
the two-week report must collapse time bins, which dilutes peak values through averaging.
Malicious Hosts
Overview
Use the Malicious Hosts report to identify the malicious hosts detected across the selected networks for the report period. Use this report
to examine the total malicious hosts for selected protocols and to see how many of the hosts were mitigated by the WDTM.
The report contains the following two charts:
• Malicious Hosts - Stacked area chart identifying the detected malicious hosts identified by traffic type.
• Mitigated Hosts - Stacked area chart identifying the detected malicious hosts that were mitigated by the WDTM by traffic
type. Malicious hosts that are detected and managed by actions that do not drop packets are not shown on this chart.
Configuring the report
Select a time period and the elements you wish to monitor for malicious hosts. You can build virtual clusters of Sandvine elements using
the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols which you wish to monitor.
Finally, choose the types of malicious traffic that you wish to analyze.
Note: these charts display raw count totals. This can affect the reports by appearing to provide different
peak results, which is caused by the scaling of these values over different time intervals. For example, if
you chose to report on data for a one week period of time, that reporting interval may be broken up into
one-hour segments within the chart. Let's assume that four consecutive plotted points within
the chart form the series (4, 7, 13, 17). These values would represent the total number of events for
that particular hour. If we re-ran the report but with a two-week time period, we would find that in this
particular time range, we would have fewer bins but with higher values. In this example, we would expect
to see the following series of values for the same time points: (11, 30). This is caused by the
fact that the two-week report must collapse time bins, which in turn stacks the resulting bin values.
Note: due to the manner in which this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. It is generally recommended that if you
are looking for higher-grain accuracy that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one week period of time, that reporting interval may be broken up into one hour
segments within the chart. Let's assume that four consecutive plotted points within the chart form
the series (4, 5, 17, 5). These values would represent the average rate of events for that
particular hour. If we re-ran the report with a two-week time period, we would find that in this particular
time range, we would have fewer bins with lower values. In this example, we would expect to see the
following series of values for the same time points: (4.5, 11). This is caused by the fact that
the two-week report must collapse time bins, which dilutes peak values through averaging.
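The bin-collapsing behaviour described in the two notes above, as an added example (not code from the product or its documentation). The series are the ones quoted in the notes; the function names and the two alert thresholds are constructed for illustration, and the example goes one step further than the notes by collapsing all four bins into one.

```python
# Added example: how collapsing time bins changes what a report shows.
# Averaged charts lose peaks; raw-count charts stack them.

def rebin(series, factor, mode):
    """Collapse `factor` adjacent bins into one.

    mode="mean" models charts presented as a running average (rates);
    mode="sum"  models charts that display raw count totals.
    A trailing partial group is aggregated over the bins it actually has.
    """
    if factor < 1:
        raise ValueError("factor must be >= 1")
    if mode not in ("mean", "sum"):
        raise ValueError("mode must be 'mean' or 'sum'")
    out = []
    for i in range(0, len(series), factor):
        group = series[i:i + factor]
        total = sum(group)
        out.append(total / len(group) if mode == "mean" else total)
    return out


def peak_by_factor(series, factors, mode):
    """Largest plotted value for each collapse factor."""
    return {f: max(rebin(series, f, mode)) for f in factors}


def crosses(series, factor, mode, threshold):
    """True if any collapsed bin reaches `threshold`."""
    return any(v >= threshold for v in rebin(series, factor, mode))


# Series quoted in the notes (one value per one-hour bin).
HOURLY_RATE = [4, 5, 17, 5]     # running-average chart
HOURLY_COUNT = [4, 7, 13, 17]   # raw-count chart

# Constructed thresholds an analyst might eyeball on the chart.
RATE_SPIKE = 15     # per-hour average rate considered a spike
COUNT_SPIKE = 20    # per-hour event count considered a spike

if __name__ == "__main__":
    for factor in (1, 2, 4):
        print(f"{factor}h bins  mean={rebin(HOURLY_RATE, factor, 'mean')}"
              f"  sum={rebin(HOURLY_COUNT, factor, 'sum')}")
    # The 17/hour spike is visible at one-hour bins but not after averaging.
    print("rate spike seen at 1h:", crosses(HOURLY_RATE, 1, "mean", RATE_SPIKE))
    print("rate spike seen at 2h:", crosses(HOURLY_RATE, 2, "mean", RATE_SPIKE))
    # No single hour reached 20 events, but a stacked two-hour bin does.
    print("count spike seen at 1h:", crosses(HOURLY_COUNT, 1, "sum", COUNT_SPIKE))
    print("count spike seen at 2h:", crosses(HOURLY_COUNT, 2, "sum", COUNT_SPIKE))
```

When comparing a chart against a fixed threshold, keep the threshold in the same units as the bin: an averaged chart can hide a short spike, and a raw-count chart can appear to exceed a per-hour limit only because bins were stacked.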
by Server
Efficiency
Overview
The DNS Efficiency report provides a general overview of the capability of the DNS system to service requests at any point in time. This
report measures the total number of responses over a period of time against the total number of requests during the same period.
The report contains the following chart:
• DNS Efficiency - area chart outlining the percentage of all requests that receive a response.
Configuring the report
Select a time period and the elements you wish to monitor for DNS requests|responses. You can build virtual clusters of Sandvine
elements using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select the networks that contain the DNS servers you wish to report against in the
Destination Network.
The DNS Server Selection area allows you to select individual DNS servers to report against.
Finally, select the DNS request and response types you wish to monitor.
MTTR Histogram
Overview
The Mean Time to Respond Histogram report displays a frequency distribution of the mean time to respond to requests.
The report contains the following chart:
• Mean Time to Respond Histogram - histogram chart outlining the total number of responses that occurred in an elapsed
time bin measured in milliseconds.
Configuring the report
Select a time period and the elements you wish to monitor for DNS requests|responses. You can build virtual clusters of Sandvine
elements using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select the networks that contain the DNS servers you wish to report against in the
Destination Network.
The DNS Server Selection area allows you to select individual DNS servers to report against.
Volume
Overview
Use the DNS Volume report to identify the number of DNS requests and responses directed to each configured DNS server.
The report contains the following two charts iterated for each detected DNS server:
• DNS Requests - Stacked area chart showing the number of DNS requests for each selected type from the originating network
to the DNS server or network.
• DNS Responses - Stacked area chart showing the number of DNS responses for each selected type from the DNS server to
the originating network.
Configuring the report
Select a time period and the elements you wish to monitor for DNS requests|responses. You can build virtual clusters of Sandvine
elements using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select the networks that contain the DNS servers you wish to report against in the
Destination Network.
Finally, select the DNS request and response types you wish to monitor.
Drilldowns
DNS Server Dashboard
To examine details on specific DNS servers within a network, click the network to drill down to the DNS Server Dashboard.
Server Summary
Overview
The DNS Server Dashboard report provides an overview of the most recent performance of the DNS servers across the entire cluster. This
report provides the MTTR and DNS efficiency metric for each DNS server aggregated across the entire cluster.
The report contains the following table:
Field - Description
• Status - Indicates the status of MTTR and DNS efficiency metrics. Values include:
Fail - is highlighted in red and indicates that the network has dropped below an MTTR or DNS threshold.
Pass - indicates that targets have met or exceeded the MTTR and DNS thresholds.
Warning - indicates that either an MTTR or DNS metric is approaching a fail threshold.
• DNS Server - IP address of the DNS server.
• Efficiency - The aggregate ratio of successful requests to failed requests for each DNS server.
• Mean Time to Respond - Mean time to respond to a request measured in milliseconds/response.
Drilldowns
DNS Server Performance Analysis
To examine details on a specific DNS server within a network, click the DNS Server IP address.
by Protocol
Bandwidth by Protocol
Overview
Use the Bandwidth by Protocol report to identify the amount of bandwidth being consumed for selected protocols. Use this information to
see the net effect of protocol traffic over the specified networks.
The report contains the following chart:
• Bandwidth by Protocol - Stacked area chart showing the amount of bandwidth consumed by each selected protocol. This is
measured as the average bitrate (bits per second) over time.
Configuring the report
Select a time period and the elements you wish to monitor for protocol bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Finally, select the protocols and protocol categories that you wish to monitor. It is recommended that you analyze 5-10 protocols at a
time.
Note: due to the manner in which this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. It is generally recommended that if you
are looking for higher-grain accuracy that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one week period of time, that reporting interval may be broken up into one hour
segments within the chart. Let's assume that four consecutive plotted points within the chart form
the series (4, 5, 17, 5). These values would represent the average rate of events for that
particular hour. If we re-ran the report with a two-week time period, we would find that in this particular
time range, we would have fewer bins with lower values. In this example, we would expect to see the
following series of values for the same time points: (4.5, 11). This is caused by the fact that
the two-week report must collapse time bins, which dilutes peak values through averaging.
Connections by Protocol
Overview
Use the Connections by Protocol report to identify the number of connection attempts per protocol and network. The report contains the
following three charts:
• Connections - Stacked bar chart showing the total number of active connections during the reporting interval.
• New connections - Stacked bar chart showing the total number of new connections created during the reporting interval
• Peak connections - Stacked bar chart showing the peak number of concurrent active connections over the reporting interval.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols for which you wish to monitor connections. Selecting a large number of protocols may reduce the
visibility of these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.
• If a connection starts in one interval and remains connected through the next few intervals, it will be counted as only 1
new connection overall, in the interval it was started in.
Peak connections
• This report shows the peak number of concurrent active connections over the reporting interval.
• If a connection starts in one interval and remains connected through the next few intervals, it will be counted in every one of
those intervals.
• For example, if Connection A starts and stops, and then Connection B starts and stops, peak connections is 1. If Connection A
starts, then Connection B starts, then Connection A ends, then Connection B ends, peak connections is 2.
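The counting rules in the bullets above, as an added example (not code from the product or its documentation). It generalizes the Connection A/B case to any set of connections by sweeping over start and end events; the `Conn` record, the `interval_stats` function, the timestamps and the 60-second interval are all constructed for illustration.

```python
# Added example: active, new and peak connection counts per reporting interval.
from collections import namedtuple

# start is inclusive, end is exclusive; both in seconds (constructed data model).
Conn = namedtuple("Conn", "name start end")


def interval_stats(conns, t0, width, n_bins):
    """Return one dict per interval with 'active', 'new' and 'peak' counts.

    active: connections open at any point in the interval
            (a long-lived connection is counted in every interval it spans)
    new:    connections whose start falls inside the interval
            (a long-lived connection is counted once, where it started)
    peak:   highest number of connections open at the same instant
    """
    for c in conns:
        if c.end <= c.start:
            raise ValueError(f"connection {c.name} must end after it starts")

    stats = []
    for i in range(n_bins):
        lo, hi = t0 + i * width, t0 + (i + 1) * width
        active = [c for c in conns if c.start < hi and c.end > lo]
        new = sum(1 for c in active if c.start >= lo)

        # Sweep line: +1 at each start, -1 at each end, clipped to the interval.
        events = []
        for c in active:
            events.append((max(c.start, lo), +1))
            events.append((min(c.end, hi), -1))
        # Tuples sort by time, then by delta, so an end (-1) at time t is
        # processed before a start (+1) at the same t: back-to-back
        # connections do not count as concurrent.
        events.sort()
        current = peak = 0
        for _, delta in events:
            current += delta
            peak = max(peak, current)

        stats.append({"active": len(active), "new": new, "peak": peak})
    return stats


# Constructed samples matching the cases described in the bullets.
SEQUENTIAL = [Conn("A", 0, 10), Conn("B", 20, 30)]    # A stops, then B starts
OVERLAPPING = [Conn("A", 0, 20), Conn("B", 10, 30)]   # B starts before A ends
LONG_LIVED = [Conn("C", 50, 200)]                     # spans four 60 s intervals

if __name__ == "__main__":
    print("sequential :", interval_stats(SEQUENTIAL, 0, 60, 1))
    print("overlapping:", interval_stats(OVERLAPPING, 0, 60, 1))
    for i, row in enumerate(interval_stats(LONG_LIVED, 0, 60, 4)):
        print(f"long-lived, interval {i}:", row)
```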
Hosts by Protocol
Overview
Use the Hosts by Protocol report to identify the number of hosts using the specified protocols. The Hosts by Protocol, by default, contains
a single chart showing the maximum number of unique hosts seen in a single PTS logging interval per protocol and network. This report
has two optional components.
• Hosts - Stacked bar chart showing the maximum number of unique hosts that had active connections in a single PTS logging
interval for the specified protocols.
• Peak Hosts (optional) - Stacked bar chart used for legacy purposes.
• New Hosts (optional) - Stacked bar chart showing the total number of hosts that started a connection in each reporting
interval for the specified protocols.
Configuring the report
Select a time period and the elements you wish to monitor for host stats. You can build virtual clusters of Sandvine elements using the
Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols for which you wish to monitor the number of hosts. Selecting a large number of protocols may reduce the
visibility of these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.
by Network
Redirected Network Flow Differential
Overview
The Network Flow Differential report shows the egress of traffic between different networks. This report clearly shows when uploads
exceed downloads per protocol and vice versa.
Note: selecting the same networks in both Source Network and Destination Network will result in a chart
that has no data due to the same data being subtracted from itself.
by Protocol
Bandwidth by Protocol
Overview
Use the Bandwidth by Protocol report to identify the amount of bandwidth being consumed for selected protocols. Use this information to
see the net effect of protocol traffic over the specified networks.
The report contains the following chart:
• Bandwidth by Protocol - Stacked area chart showing the amount of bandwidth consumed by each selected protocol. This is
measured as the average bitrate (bits per second) over time.
Configuring the report
Select a time period and the elements you wish to monitor for protocol bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Finally, select the protocols and protocol categories that you wish to monitor. It is recommended that you analyze 5-10 protocols at a
time.
Note: due to the manner in which this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. It is generally recommended that if you
are looking for higher-grain accuracy that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one week period of time, that reporting interval may be broken up into one hour
segments within the chart. Let's assume that four consecutive plotted points within the chart form
the series (4, 5, 17, 5). These values would represent the average rate of events for that
particular hour. If we re-ran the report with a two-week time period, we would find that in this particular
time range, we would have fewer bins with lower values. In this example, we would expect to see the
following series of values for the same time points: (4.5, 11). This is caused by the fact that
the two-week report must collapse time bins, which dilutes peak values through averaging.
Connections by Protocol
Overview
Use the Connections by Protocol report to identify the number of connection attempts per protocol and network. The report contains the
following three charts:
• Connections - Stacked bar chart showing the total number of active connections during the reporting interval.
• New connections - Stacked bar chart showing the total number of new connections created during the reporting interval
• Peak connections - Stacked bar chart showing the peak number of concurrent active connections over the reporting interval.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols for which you wish to monitor connections. Selecting a large number of protocols may reduce the
visibility of these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.
• If a connection starts in one interval and remains connected through the next few intervals, it will be counted as only 1
new connection overall, in the interval it was started in.
Peak connections
• This report shows the peak number of concurrent active connections over the reporting interval.
• If a connection starts in one interval and remains connected through the next few intervals, it will be counted in every one of
those intervals.
• For example, if Connection A starts and stops, and then Connection B starts and stops, peak connections is 1. If Connection A
starts, then Connection B starts, then Connection A ends, then Connection B ends, peak connections is 2.
Hosts by Protocol
Overview
Use the Hosts by Protocol report to identify the number of hosts using the specified protocols. The Hosts by Protocol, by default, contains
a single chart showing the maximum number of unique hosts seen in a single PTS logging interval per protocol and network. This report
has two optional components.
• Hosts - Stacked bar chart showing the maximum number of unique hosts that had active connections in a single PTS logging
interval for the specified protocols.
• Peak Hosts (optional) - Stacked bar chart used for legacy purposes.
• New Hosts (optional) - Stacked bar chart showing the total number of hosts that started a connection in each reporting
interval for the specified protocols.
Configuring the report
Select a time period and the elements you wish to monitor for host stats. You can build virtual clusters of Sandvine elements using the
Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols for which you wish to monitor the number of hosts. Selecting a large number of protocols may reduce the
visibility of these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.
Note: due to the manner in which this data is presented as a running average, peak values may appear
to scale depending on the configured time interval for the report. It is generally recommended that if you
are looking for higher-grain accuracy that you run the report for a shorter interval of time. The scaling
issue results from peak values being diluted over the interval of the report. For example, if you chose to
report on data for a one week period of time, that reporting interval may be broken up into one hour
segments within the chart. Let's assume that four consecutive plotted points within the chart form
the series (4, 5, 17, 5). These values would represent the average rate of events for that
particular hour. If we re-ran the report with a two-week time period, we would find that in this particular
time range, we would have fewer bins with lower values. In this example, we would expect to see the
following series of values for the same time points: (4.5, 11). This is caused by the fact that
the two-week report must collapse time bins, which dilutes peak values through averaging.
Peak connections
• number of internal connections should not vary significantly.
• when session management is implemented, the peak number of external connections should decrease.
New connections
• if session management is implemented, the number of new connections should drop and should reflect the value implemented
by session limiting.
Failed connections
• external failed connections will increase when session management is applied to control uploads.
Note: both of the New and Failed Connections charts display raw count totals. This can affect the reports
by appearing to provide different peak results, which is caused by the scaling of these values over
different time intervals. For example, if you chose to report on data for a one week period of time, that
reporting interval may be broken up into one-hour segments within the chart. Let's assume that
four consecutive plotted points within the chart form the series (4, 7, 13, 17). These values
would represent the total number of events for that particular hour. If we re-ran the report with a
two-week time period, we would find that in this particular time range, we would have fewer bins but with
higher values. In this example, we would expect to see the following series of values for the same
time points: (11, 30). This is caused by the fact that the two-week report must collapse time
bins, which in turn stacks the resulting bin values.
Note: a single host may be using multiple protocols simultaneously. This means that you cannot
implicitly add hosts across protocols to determine the total number of hosts. To identify the number of
total unique hosts, see the Hosts report.
Note: the New Hosts chart displays raw count totals. This can affect the reports by appearing to provide
different peak results, which is caused by the scaling of these values over different time intervals. For
example, if you chose to report on data for a one week period of time, that reporting interval may be
broken up into one-hour segments within the chart. Let's assume that four consecutive plotted
points within the chart form the series (4, 7, 13, 17). These values would represent the total number
of events for that particular hour. If we re-ran the report but with a two-week time period, we would find
that in this particular time range, we would have fewer bins but with higher values. In this example, we
would expect to see the following series of values for the same time points: (11, 30). This is
caused by the fact that the two-week report must collapse time bins, which in turn stacks the resulting
bin values.
Redirection
Redirection Efficiency
Overview
Use the Peer-to-Peer Redirection Efficiency report to estimate how successful the Sandvine PPE element is at redirecting peer-to-peer
traffic within your indexed peer networks.
The report contains the following chart:
• Redirection Efficiency - Layered area chart showing the percentage of redirected bandwidth by each selected protocol.
Configuring the report
Select a time period and the elements you wish to monitor for protocol bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. It is imperative that these are configured precisely so
that all of your internal networks are selected in the Destination Network listbox, and all of your internal networks PLUS your indexed
peering points are selected in the Source Network listbox. It is important that you do not select any external networks in either listbox.
Finally, select the protocols and protocol categories that you wish to monitor. It is recommended that you analyze 5-10 protocols at a
time.
Note: the New Entries chart displays raw count totals. This can affect the reports by appearing to
provide different peak results, which is caused by the scaling of these values over different time
intervals. For example, if you chose to report on data for a one week period of time, that reporting
interval may be broken up into one-hour segments within the chart. Let's assume that four
consecutive plotted points within the chart form the series (4, 7, 13, 17). These values would
represent the total number of events for that particular hour. If we re-ran the report with a two-week
time period, we would find that in this particular time range, we would have fewer bins but with higher
values. In this example, we would expect to see the following series of values for the same
time points: (11, 30). This is caused by the fact that the two-week report must collapse time bins, which
in turn stacks the resulting bin values.
by Protocol
Average Calls per User
Overview
Use the Average Calls per User report to determine the average number of calls per user for the reporting period.
The report contains the following two charts:
• Average Calls per User (Receive) - Stacked bar chart showing the number of calls divided by the number of users per
period.
• Average Calls per User (Transmit) - Stacked bar chart showing the number of calls divided by the number of users per
period.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols and protocol categories that you wish to monitor.
Finally, select the providers that you are interested in.
Bandwidth by Protocol
Overview
Use the Bandwidth by Protocol report to identify the amount of bandwidth being consumed for selected protocols. Use this information to
see the net effect of protocol traffic over the specified networks.
The report contains the following chart:
• Bandwidth by Protocol - Stacked area chart showing the amount of bandwidth consumed by each selected protocol. This is
measured as the average bitrate (bits per second) over time.
Configuring the report
Select a time period and the elements you wish to monitor for protocol bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Finally, select the protocols and protocol categories that you wish to monitor. It is recommended that you analyze 5-10 protocols at a
time.
Note: because this data is presented as a running average, peak values may appear to scale with the
configured time interval for the report. If you are looking for finer-grained accuracy, it is generally
recommended that you run the report for a shorter interval of time. The scaling issue results from peak
values being diluted over the interval of the report. For example, if you report on data for a one-week
period, that reporting interval may be broken up into one-hour segments within the chart. Assume that
four consecutive plotted points within the chart have the series (4, 5, 17, 5). These values represent
the average rate of events for each hour. If we re-ran the report with a two-week time period, we would
find that in this particular time range we would have fewer bins with lower values. In this example, we
would expect to see the series (4.5, 11) for the corresponding time points. This is because the two-week
report must collapse time bins, which dilutes peak values through averaging.
Calls by Protocol
Overview
The Calls by Protocol report shows the number of calls and blocked calls by protocol per reporting period for the selected VoIP providers.
The report contains the following two charts:
• Calls by Protocol - Stacked bar chart showing the number of calls per period.
• Blocked Calls by Protocol - Stacked bar chart showing the number of blocked calls per period.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols and protocol categories that you wish to monitor.
Finally, select the providers that you are interested in.
Note: the Calls chart displays raw count totals. Reports can therefore appear to show different peak
results, because these values scale over different time intervals. For example, if you report on data
for a one-week period, that reporting interval may be broken up into one-hour segments within the chart.
Assume that four consecutive plotted points within the chart have the series (4, 7, 13, 17). These
values represent the total number of events for each hour. If we re-ran the report with a two-week time
period, we would find that in this particular time range we would have fewer bins but with higher
values. In this example, we would expect to see the series (11, 30) for the corresponding time points.
This is because the two-week report must collapse time bins, which in turn stacks the resulting bin
values.
Note: the Blocked Calls chart will only have data if the feature is enabled.
Connections by Protocol
Overview
Use the Connections by Protocol report to identify the number of connection attempts per protocol and network. The report contains the
following three charts:
• Connections - Stacked bar chart showing the total number of active connections during the reporting interval.
• New connections - Stacked bar chart showing the total number of new connections created during the reporting interval.
• Peak connections - Stacked area chart showing the peak number of concurrent active connections over the reporting
interval.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols whose connections you wish to monitor. Selecting a large number of protocols may reduce the
visibility of these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.
• If a connection starts in one interval and remains connected through the next few intervals, it is counted as only 1
new connection overall, in the interval it was started in.
• Sum is used when aggregating over multiple logging intervals; i.e. the number of new connections is the sum of new
connections in each logging interval.
Peak connections
• This report shows the peak number of concurrent active connections over the reporting interval.
• If a connection starts in one interval and remains connected through the next few intervals, it will be counted in every one of
those intervals.
• For example, if Connection A starts and stops, and then Connection B starts and stops, peak connections is 1. If Connection A
starts, then Connection B starts, then Connection A ends, then Connection B ends, peak connections is 2.
• Peak is used when aggregating over multiple logging intervals; i.e. the number of peak connections is the maximum value among
the logging intervals.
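The counting and aggregation rules above, together with the bin-collapsing arithmetic used in the report notes, as an added Python sketch. It is not Sandvine code: the Conn record, the function names and the sample connections are constructed for illustration, and connections are assumed to be half-open time spans in seconds.

```python
from collections import namedtuple

# One connection, active on the half-open span [start, end), in seconds.
Conn = namedtuple("Conn", "name start end")


def per_interval_stats(conns, interval, n_intervals):
    """Return (new, peak): one value per logging interval of `interval` seconds."""
    new, peak = [], []
    for i in range(n_intervals):
        lo, hi = i * interval, (i + 1) * interval
        # New connections: counted once, in the interval where they started.
        new.append(sum(1 for c in conns if lo <= c.start < hi))
        # Peak connections: sweep over start/end events clipped to this interval,
        # so a long-lived connection is counted in every interval it spans.
        events = []
        for c in conns:
            s, e = max(c.start, lo), min(c.end, hi)
            if s < e:
                events += [(s, +1), (e, -1)]
        # Tuples sort ends (-1) before starts (+1) at the same instant, so a
        # connection that ends exactly when another starts does not overlap it.
        active = best = 0
        for _, delta in sorted(events):
            active += delta
            best = max(best, active)
        peak.append(best)
    return new, peak


def rebin(values, factor, how):
    """Collapse each run of `factor` consecutive bins with sum, mean or max."""
    agg = {"sum": sum, "mean": lambda g: sum(g) / len(g), "max": max}[how]
    return [agg(values[i:i + factor]) for i in range(0, len(values), factor)]


# Constructed sample: five connections observed over four 60-second intervals.
SAMPLE = [
    Conn("A", 5, 50), Conn("B", 20, 130), Conn("C", 40, 70),
    Conn("D", 125, 200), Conn("E", 190, 230),
]


def demo():
    """Per-interval values, then the same data collapsed into half as many bins."""
    new, peak = per_interval_stats(SAMPLE, 60, 4)
    return {
        "new": new,
        "peak": peak,
        "new_2x": rebin(new, 2, "sum"),    # new connections aggregate by sum
        "peak_2x": rebin(peak, 2, "max"),  # peak connections aggregate by max
        "peak_2x_if_summed": rebin(peak, 2, "sum"),  # wrong rule, for contrast
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>18}: {value}")
    print(rebin([4, 7, 13, 17], 2, "sum"))   # raw-count charts
    print(rebin([4, 5, 17, 5], 2, "mean"))   # running-average charts
```

Summing the per-interval peaks instead of taking their maximum overstates concurrency, which is why the two charts cannot share one aggregation rule.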
Minutes by Protocol
Overview
The Minutes report shows the number of minutes by protocol per reporting period for the selected VoIP providers.
The report contains the following two charts:
• Minutes - Stacked bar chart showing the number of minutes per period.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols and protocol categories that you wish to monitor.
Finally, select the providers that you are interested in.
Note: the Minutes chart displays raw count totals. Reports can therefore appear to show different peak
results, because these values scale over different time intervals. For example, if you report on data
for a one-week period, that reporting interval may be broken up into one-hour segments within the chart.
Assume that four consecutive plotted points within the chart have the series (4, 7, 13, 17). These
values represent the total number of events for each hour. If we re-ran the report with a two-week time
period, we would find that in this particular time range we would have fewer bins but with higher
values. In this example, we would expect to see the series (11, 30) for the corresponding time points.
This is because the two-week report must collapse time bins, which in turn stacks the resulting bin
values.
Subscriber Count
Overview
Use the Subscriber Count by Protocol report to determine the number of subscribers associated with a VoIP protocol for the reporting
period.
The report contains the following table:
• Subscriber Count by Protocol - Displays the number of subscribers for a particular VoIP protocol.
Field Description
Protocol The name of the VoIP protocol.
Subscriber Count The number of subscribers who used this protocol.
From the Subscriber Count table, you can drilldown to the following reports:
• Calls by Protocol - chart of the number of calls and blocked calls by protocol
• Minutes by Protocol - chart of the number of minutes of calls by protocol
Users by Protocol
Overview
Use the Users by Protocol report to identify the number of users discovered by protocol. The Users by Protocol report contains two charts
that provide information on the number of connection attempts per protocol and network.
• Peak Users - Stacked area chart showing the maximum number of simultaneous users during the reporting interval. For
example, if during the reporting interval two different users are discovered, one of them closes their connection and then
another user is discovered, the peak simultaneous user count is two.
• New Users - Stacked bar chart showing the total number of new users discovered during the reporting interval. If a user
connects, disconnects and then reconnects during the same reporting interval, they will be discovered (counted) twice.
Configuring the report
Select a time period and the elements you wish to monitor for user stats. You can build virtual clusters of Sandvine elements using the
Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols whose users you wish to monitor. Selecting a large number of protocols may reduce the
visibility of these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.
Note: a single user may be using multiple protocols simultaneously. This means that you cannot
simply add users across protocols to determine the total number of users. To identify the total number
of unique users, see the Hosts report.
Note: the New Users chart displays raw count totals. Reports can therefore appear to show different peak
results, because these values scale over different time intervals. For example, if you report on data
for a one-week period, that reporting interval may be broken up into one-hour segments within the chart.
Assume that four consecutive plotted points within the chart have the series (4, 7, 13, 17). These
values represent the total number of events for each hour. If we re-ran the report with a two-week time
period, we would find that in this particular time range we would have fewer bins but with higher
values. In this example, we would expect to see the series (11, 30) for the corresponding time points.
This is because the two-week report must collapse time bins, which in turn stacks the resulting bin
values.
by Provider
Average Call Duration
Overview
Use the Average Call Duration report to determine the average length of each call per protocol for the reporting period.
The report contains the following chart:
• Average Call Duration - Stacked bar chart showing the number of minutes divided by the number of calls per period.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols and protocol categories that you wish to monitor.
Finally, select the providers that you are interested in.
Calls by Provider
Overview
The Calls by Provider report shows the number of calls and blocked calls by provider per reporting period for the selected VoIP providers.
The report contains the following two charts:
• Calls by Provider - Stacked bar chart showing the number of calls per period.
• Blocked Calls by Provider - Stacked bar chart showing the number of blocked calls per period.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols and protocol categories that you wish to monitor.
Finally, select the providers that you are interested in.
Note: the Calls chart displays raw count totals. Reports can therefore appear to show different peak
results, because these values scale over different time intervals. For example, if you report on data
for a one-week period, that reporting interval may be broken up into one-hour segments within the chart.
Assume that four consecutive plotted points within the chart have the series (4, 7, 13, 17). These
values represent the total number of events for each hour. If we re-ran the report with a two-week time
period, we would find that in this particular time range we would have fewer bins but with higher
values. In this example, we would expect to see the series (11, 30) for the corresponding time points.
This is because the two-week report must collapse time bins, which in turn stacks the resulting bin
values.
Note: the Blocked Calls chart will only have data if the feature is enabled.
Minutes by Provider
Overview
The Minutes report shows the number of minutes by provider per reporting period for the selected VoIP providers.
The report contains the following two charts:
• Minutes - Stacked bar chart showing the number of minutes per period.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the protocols and protocol categories that you wish to monitor.
Finally, select the providers that you are interested in.
Note: the Minutes chart displays raw count totals. Reports can therefore appear to show different peak
results, because these values scale over different time intervals. For example, if you report on data
for a one-week period, that reporting interval may be broken up into one-hour segments within the chart.
Assume that four consecutive plotted points within the chart have the series (4, 7, 13, 17). These
values represent the total number of events for each hour. If we re-ran the report with a two-week time
period, we would find that in this particular time range we would have fewer bins but with higher
values. In this example, we would expect to see the series (11, 30) for the corresponding time points.
This is because the two-week report must collapse time bins, which in turn stacks the resulting bin
values.
Subscriber Count
Overview
Use the Subscriber Count by Provider report to determine the number of subscribers associated with a VoIP provider for the reporting
period.
The report contains the following table:
• Subscriber Count by Provider - Displays the number of subscribers for a particular VoIP provider.
Field Description
Provider The name of the VoIP provider.
Subscriber Count The number of subscribers who used this protocol.
From the Subscriber Count table, you can drilldown to the following reports:
• VoIP Subscriber Summary - table of quality measures of calls made by subscribers associated with the VoIP provider
• Calls by Provider - chart of the number of calls and blocked calls by provider
• Minutes by Provider - chart of the number of minutes of calls by provider
Configuring the report
Select the clusters you wish to query.
Select the VoIP Providers of interest.
Finally, select a time period to monitor.
Subscribers by Provider
Overview
The Subscribers by Provider report shows the number of subscribers associated with each provider per reporting period for the selected
VoIP providers.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Finally, select the providers that you are interested in.
by Network
InterNetwork Call Quality Distribution
Overview
Use the InterNetwork Metric Histogram report to display the distribution of VoIP quality measures of calls across specified physical
network interfaces.
The report contains the following chart:
• InterNetwork Metric Histogram - Histogram chart showing the number of calls in each range of quality metric scores. The
configured failure threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the
histogram bar colours.
InterNetwork Summary
Overview
Use the VoIP Quality of Experience by InterNetwork Summary report to examine the VoIP quality of calls for different networks.
The report contains the following table:
InterNetwork VoIP Call Quality Summary - Displays the number of calls measured by the system and their quality scores in each flow
direction summarized to the network level
Field Description
Cluster The name of the cluster of Sandvine elements.
Source Network The source network.
Destination Network The destination network.
Network Participation The direction of the flow between the source and destination networks.
Total Calls The total number of calls measured in the specified date range.
Poor Calls The number of calls that are determined to be below the configured quality metric threshold (for example MOS-CQ score
below 3.6).
% Poor Calls The percentage of poor calls over total calls. The value is colour-coded to identify quality concerns: green represents an
acceptable number of poor calls, yellow represents a marginally acceptable number of poor calls, and red shows an
unacceptable number of poor calls.
[x.x - y.y] The number of calls that fall within the quality range.
From the InterNetwork Summary table, you can drilldown to the following reports:
• VoIP Quality of Experience by Provider Summary - QoE Summary of VoIP calls by VoIP providers
• InterNetwork "Metric" Score - Histogram charts of measured calls according to the chosen MOS metric
Configuring the report
Select the clusters you wish to query.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
If you wish to set the failure thresholds to values different from the default settings, select the Presentation tab and locate the VoIP
Quality Settings section. Set the quality threshold parameters as desired.
Finally, select a time period to monitor.
Note: It is recommended that only the date portion of the start and end date is specified; do not set a
time. This is because the summary-level VoIP QoE data are consolidated on a per day (24 hours) basis.
Network Summary
Overview
Use the VoIP Quality of Experience by Network Summary report to examine the VoIP quality of calls for different networks.
The report contains the following table:
Network VoIP Call Quality Summary - Displays the number of calls measured by the system and their quality scores in each flow
direction
Field Description
Cluster The name of the cluster of Sandvine elements.
Network The source network.
Network Participation The direction of the flow from the point of view of the network.
Total Calls The total number of calls measured in the specified date range.
Poor Calls The number of calls that are determined to be below the configured quality metric threshold (for example MOS-CQ score
below 3.6).
% Poor Calls The number of poor calls over total calls. The value is colour-coded to identify quality concerns: green represents an
acceptable number of poor calls, yellow represents a marginally acceptable number of poor calls, and red shows an
unacceptable number of poor calls.
[x.x - y.y] The number of calls that fall within the quality range.
From the Network Summary table, you can drilldown to the following reports:
• VoIP Quality of Experience by InterNetwork Summary - QoE Summary of VoIP calls between source and destination
networks
• Network "Metric" Score - Histogram charts of measured calls according to the chosen MOS metric
Configuring the report
Select the clusters you wish to query.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
If you wish to set the failure thresholds to values different from the default settings, select the Presentation tab and locate the VoIP
Quality Settings section. Set the quality threshold parameters as desired.
Finally, select a time period to monitor.
Note: It is recommended that only the date portion of the start and end date is specified; do not set a
time. This is because the summary-level VoIP QoE data are consolidated on a per day (24 hours) basis.
by Provider
Provider by Network Summary
Overview
Use the VoIP Quality of Experience for Providers by Network Summary report to examine the VoIP quality of calls for different providers.
The report contains the following table:
Provider by Network VoIP Call Quality Summary - Displays the number of measured calls and their quality scores in each flow
direction summarized to the network and provider level
Field Description
Cluster The name of the cluster of Sandvine elements.
Source Network The source network.
Destination Network The destination network.
VoIP Provider The name of the VoIP provider.
Network Participation The direction of the flow between the source and destination networks.
Total Calls The total number of calls associated with the provider during the selected date range.
Poor Calls The number of calls that are determined to be below the configured quality metric threshold (for example MOS-CQ score
below 3.6).
% Poor Calls The percentage of poor calls over total calls. The value is colour-coded to identify quality concerns: green represents an
acceptable number of poor calls, yellow represents a marginally acceptable number of poor calls, and red shows an
unacceptable number of poor calls.
[x.x - y.y] The number of calls that fall within the quality range.
From the Provider by Network Summary table, you can drilldown to the following reports:
• VoIP Quality of Experience by Provider Summary - QoE Summary of VoIP calls by VoIP providers
• Provider "Metric" Score - Histogram charts of measured calls according to the chosen MOS metric
Configuring the report
Select the clusters you wish to query.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the VoIP Providers of interest.
If you wish to set the failure thresholds to values different from the default settings, select the Presentation tab and locate the VoIP
Quality Settings section. Set the quality threshold parameters as desired.
Finally, select a time period to monitor.
Note: It is recommended that only the date portion of the start and end date is specified; do not set a
time. This is because the summary-level VoIP QoE data are consolidated on a per day (24 hours) basis.
• MOS-CQ Score - Histogram chart showing the number of calls in each range of quality metric scores. The configured failure
threshold value is used to distinguish between good quality calls and poor quality calls, as reflected in the histogram bar
colours
Provider Summary
Overview
Use the VoIP Quality of Experience by Provider Summary report to examine the VoIP quality of calls for different providers. This report is
different from the Provider by Network Quality of Experience report in that it does not sort on source and destination networks.
The report contains the following table:
Provider VoIP Call Quality Summary - Displays the number of measured calls and their quality scores in each flow direction
summarized to the provider level
Field Description
Cluster The name of the cluster of Sandvine elements.
VoIP Provider The name of the VoIP provider.
Network Participation The direction of the flow.
Total Calls The total number of calls associated with the provider during the selected date range.
Poor Calls The number of calls that are determined to be below the configured quality metric threshold (for example MOS-CQ score
below 3.6).
% Poor Calls The percentage of poor calls over total calls. The value is colour-coded to identify quality concerns: green represents an
acceptable number of poor calls, yellow represents a marginally acceptable number of poor calls, and red shows an
unacceptable number of poor calls.
[x.x - y.y] The number of calls that fall within the quality range.
From the Provider Summary table, you can drilldown to the following reports:
• VoIP Quality of Experience by Subscriber Summary - QoE Summary of VoIP calls on a subscriber level
• Provider "Metric" Score - Histogram charts of measured calls according to the chosen MOS metric
Configuring the report
Select the clusters you wish to query.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Select the VoIP Providers of interest.
If you wish to set the failure thresholds to values different from the default settings, select the Presentation tab and locate the VoIP
Quality Settings section. Set the quality threshold parameters as desired.
Finally, select a time period to monitor.
Note: It is recommended that only the date portion of the start and end date is specified; do not set a
time. This is because the summary-level VoIP QoE data are consolidated on a per day (24 hours) basis.
by Subscriber
Subscriber Call Log
Overview
Use the Subscriber Call Details report to view the complete call details of a specific subscriber. The report consists of a single table that
shows recent details of all calls in the selected time range.
Recent Call Details - Displays all calls associated with a subscriber that are currently available.
Field Description
Subscriber The name of the subscriber or subscriber IP address.
Peer IP or phone number of the peer, if available.
VoIP Provider The VoIP provider for the VoIP calls.
Subscriber Network The network associated with the subscriber.
Peer Network The network associated with the peer.
Element The Sandvine element that detected the call.
Start Time The start time of the call.
Call Time The duration of the call.
MOS-CQ Rx The MOS-CQ score of the receiving side of the call.
MOS-CQ Tx The MOS-CQ score of the transmitting side of the call.
Jitter Rx The jitter (in milliseconds) of the receiving side of the call.
Jitter Tx The jitter (in milliseconds) of the transmitting side of the call.
Packet Loss Rx The packet loss (as a percentage) of the receiving side of the call.
Packet Loss Tx The packet loss (as a percentage) of the transmitting side of the call.
History of Poor Calls - Displays the details of older poor quality calls only.
Field Description
Subscriber The name of the subscriber or subscriber IP address.
Peer IP or phone number of the peer, if available.
VoIP Provider The VoIP provider for the VoIP calls.
Subscriber Network The network associated with the subscriber.
Peer Network The network associated with the peer.
Element The Sandvine element that detected the call.
Start Time The start time of the call.
Call Time The duration of the call.
MOS-CQ Rx The MOS-CQ score of the receiving side of the call.
MOS-CQ Tx The MOS-CQ score of the transmitting side of the call.
Jitter Rx The jitter (in milliseconds) of the receiving side of the call.
Jitter Tx The jitter (in milliseconds) of the transmitting side of the call.
Packet Loss Rx The packet loss (as a percentage) of the receiving side of the call.
Packet Loss Tx The packet loss (as a percentage) of the transmitting side of the call.
Note: What is considered a poor call by the History of Poor Calls database is independent of the failing
threshold settings on Network Demographics. The metric thresholds are configurable by the user and
are meant to be flexible. The rules for saving poor call details information, however, are fixed.
Subscriber Summary
Overview
Use the VoIP Quality of Experience by Subscriber Summary report to see a summary of calls made by a specific subscriber.
The report contains the following table:
Subscriber VoIP Call Quality Summary - Displays the number of measured calls and the total duration based on the VoIP Provider and
protocol
Field Description
Cluster The name of the cluster of Sandvine elements.
VoIP Provider The name of the VoIP provider.
Subscriber The name of the subscriber or subscriber IP address.
Protocol The VoIP protocol used for the calls.
Total Calls The total number of calls associated with the subscriber during the selected date range.
Call Duration The total call durations of all the calls.
From the Subscriber Summary table, you can drilldown to the following reports:
• Subscriber Call Log - Detailed log of individual calls for the subscriber for all VoIP providers.
• Subscriber Call Log by Provider - Detailed log of individual calls for the subscriber for the VoIP provider shown in the table
row.
• Subscriber Bandwidth by Protocol - Bandwidth by Protocol report for that subscriber.
Configuring the report
Select the clusters you wish to query.
Select the VoIP Protocols of interest.
Select the VoIP Providers of interest.
Enter the Subscriber to query.
Finally, select a time period to monitor.
Note: It is recommended that only the date portion of the start and end date is specified; do not set a
time. This is because the summary-level VoIP QoE data are consolidated on a per day (24 hours) basis.
Top Talkers
by Poor Calls
This report shows the top talkers with the highest number of poor quality calls, as determined by VoIP quality metrics.
Over larger periods of time, this value can increase quite dramatically.
Top Talkers
by Calls
This report shows the top talkers by total VoIP call volume.
Over larger periods of time, this value can increase quite dramatically.
by Duration
This report shows the top talkers by total VoIP call duration.
Over larger periods of time, this value can increase quite dramatically.
by Protocol
Bandwidth by Protocol
Overview
Use the Bandwidth by Protocol report to identify the amount of bandwidth being consumed for selected protocols. Use this information to
see the net effect of protocol traffic over the specified networks.
The report contains the following chart:
• Bandwidth by Protocol - Stacked area chart showing the amount of bandwidth consumed by each selected protocol. This is
measured as the average bitrate (bits per second) over time.
Configuring the report
Select a time period and the elements you wish to monitor for protocol bandwidth. You can build virtual clusters of Sandvine elements
using the Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets. It is recommended that you select internal networks for the Source Network and external or peer networks
from the Destination Network.
Finally, select the protocols and protocol categories that you wish to monitor. It is recommended that you analyze 5-10 protocols at a
time.
Note: because this data is presented as a running average, peak values may appear to scale with the
configured time interval for the report. If you need finer-grained accuracy, it is generally recommended
that you run the report for a shorter interval of time. The scaling issue results from peak values being
diluted over the interval of the report. For example, if you chose to report on data for a one-week
period of time, that reporting interval may be broken up into one-hour segments within the chart.
Let's assume that four consecutive plotted points within the chart form the series (4, 5, 17, 5). These
values would represent the average rate of events for each particular hour. If we re-ran the report with
a two-week time period, we would find that this particular time range has fewer bins with lower values.
In this example, we would expect to see the following series of values for the same time points:
(4.5, 11). This is caused by the fact that the two-week report must collapse time bins, which dilutes
peak values through averaging.
Connections by Protocol
Overview
Use the Connections by Protocol report to identify the number of connection attempts per protocol and network. The report contains the
following three charts:
• Connections - Stacked bar chart showing the total number of active connections during the reporting interval.
• New connections - Stacked bar chart showing the total number of new connections created during the reporting interval
• Peak connections - Stacked bar chart showing the peak number of concurrent active connections over the reporting interval.
Configuring the report
Select a time period and the elements you wish to monitor. You can build virtual clusters of Sandvine elements using the Element
Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols for which you wish to monitor connections. Selecting a large number of protocols may reduce the
visibility of these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.
• If a connection starts in one interval and remains connected through the next few intervals, it will be counted as only 1
new connection overall, in the interval it was started in.
Peak connections
• This report shows the peak number of concurrent active connections over the reporting interval.
• If a connection starts in one interval and remains connected through the next few intervals, it will be counted in every one of
those intervals.
• For example, if Connection A starts and stops, and then Connection B starts and stops, peak connections is 1. If Connection A
starts, then Connection B starts, then Connection A ends, then Connection B ends, peak connections is 2.
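The counting rules above can be checked against raw connection lifetimes. The following is an added example, not Sandvine code: the `Conn` type, the `connection_stats` function and all timestamps are constructed for illustration, and lifetimes are assumed to be half-open ranges [start, end) in seconds.

```python
from collections import namedtuple

# A connection lifetime as a half-open range [start, end), in seconds from the
# start of the report. Constructed sample type, not a Sandvine record format.
Conn = namedtuple("Conn", "name start end")


def connection_stats(conns, interval, n_intervals):
    """Count active, new and peak connections for each reporting interval."""
    for c in conns:
        if c.end <= c.start:
            raise ValueError(f"connection {c.name} must end after it starts")

    stats = []
    for i in range(n_intervals):
        lo, hi = i * interval, (i + 1) * interval
        active = new = 0
        events = []
        for c in conns:
            if c.end <= lo or c.start >= hi:
                continue  # no overlap with this interval
            active += 1  # counted in every interval it spans
            if c.start >= lo:
                new += 1  # counted once, in the interval where it started
            # Clip the lifetime to the interval and record open/close events.
            events.append((max(c.start, lo), +1))
            events.append((min(c.end, hi), -1))

        # Sweep in time order. At equal timestamps closes (-1) sort before
        # opens (+1), so "A stops, then B starts" is not counted as concurrent.
        events.sort()
        running = peak = 0
        for _, delta in events:
            running += delta
            peak = max(peak, running)
        stats.append({"active": active, "new": new, "peak": peak})
    return stats


# Constructed sample data: the two cases from the text, then a mix that
# includes a long-lived connection (C) spanning several intervals.
SEQUENTIAL = [Conn("A", 0, 10), Conn("B", 20, 30)]
OVERLAPPING = [Conn("A", 0, 20), Conn("B", 10, 30)]
MIXED = [Conn("A", 0, 10), Conn("B", 20, 30), Conn("C", 30, 200),
         Conn("D", 70, 90), Conn("E", 80, 130)]

if __name__ == "__main__":
    for i, row in enumerate(connection_stats(MIXED, interval=60, n_intervals=4)):
        print(i, row)
```

Connection C is counted as new only in the first interval but as active in all four, which is why summing the active counts across intervals overstates the number of distinct connections.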
Hosts by Protocol
Overview
Use the Hosts by Protocol report to identify the number of hosts using the specified protocols. The Hosts by Protocol, by default, contains
a single chart showing the maximum number of unique hosts seen in a single PTS logging interval per protocol and network. This report
has two optional components.
• Hosts - Stacked bar chart showing the maximum number of unique hosts that had active connections in a single PTS logging
interval for the specified protocols.
• Peak Hosts (optional) - Stacked bar chart used for legacy purposes.
• New Hosts (optional) - Stacked bar chart showing the total number of hosts that started a connection in each reporting
interval for the specified protocols.
Configuring the report
Select a time period and the elements you wish to monitor for host stats. You can build virtual clusters of Sandvine elements using the
Element Selection configuration area.
The Network Selection area allows you to select your configured virtual networks. These can be configured to analyze data for internal,
external, and peer subnets.
Finally, select the protocols for which you wish to monitor the number of hosts. Selecting a large number of protocols may reduce the
visibility of these items in the corresponding chart. It is recommended that you analyze 5-10 protocols at a time.
Web Browsing
Top URLs
Overview
The Top URL report indicates the total number of requests associated with the top N URLs for the reporting period.
The report contains the following table:
Field Description
URL The URL
Hits Total number of hits seen against the URL during the reporting period.
Note: You can roll up the URLs to show just the primary domains. For example:
channel1.facebook.com, channel2.facebook.com, channel3.facebook.com can all be consolidated into
*.facebook.com. This setting is located in the "Presentation" tab, under the "Data Manipulation" section.
Open the advanced configuration section to find the "Roll up HTTP domains" checkbox. Check this box to
enable URL roll up.
Subscriber Lookup
Lookup Attribute History by Name
Overview
Use the Attribute Assignment Histogram by Name report to examine the attribute assignment history of specified users.
The report contains the following table:
Field Description
Subscriber The name of the subscriber.
Attribute Type The name of the subscriber attribute definition.
Attribute Value The value of the subscriber attribute.
Audit Event The audit event that occurred.
Audit Time The time the event occurred.
Lookup by Attribute
Overview
Use the Subscriber Lookup by Attribute report to identify which subscribers are assigned to specific attributes.
The report contains the following table:
Field Description
Subscriber The name of the subscriber.
Effective Time The time the selected attribute was assigned to the subscriber.
Lookup by IP
Overview
Use the Subscriber Lookup by IP report to identify which subscribers were assigned to specific IP addresses during the reporting period.
The report has two components:
• Current Subscriber IPs - shows the subscriber currently assigned the specified IP.
• Subscriber IP History - shows the list of all subscribers that were associated with the IP in the past, for the specified date
range.
The reports consist of the following table:
Field Description
Subscriber The name of the subscriber.
IP Address The IP address associated with the subscriber.
Login Time The time the subscriber logged in using the indicated IP address.
Lookup IP by Name
Overview
Use the Subscriber IP Lookup report to identify which IP addresses were assigned to specific subscribers during the reporting period.
The report has two components:
• Current Subscriber IPs - shows the list of IPs currently assigned to the specified subscriber.
• Subscriber IP History - shows the list of all IPs that were assigned to a specified subscriber in the past, for the specified date
range.
The reports contain the following table:
Field Description
Subscriber The name of the subscriber.
IP Address The IP address associated with the subscriber.
Login Time The time the subscriber logged in using the indicated IP address.
NAT Mappings
Lookup by Private IP
Overview
Use the Lookup by Private NAT IP report to map private NAT IPs to public subscriber IPs.
The report has two components:
• Current NAT Mappings - shows the currently assigned private IP addresses.
• NAT Mapping History - shows the list of all private IP addresses that were associated with the public IP in the past, for the
specified date range.
The reports consist of the following table:
Field Description
Public IP The Public NAT IP address.
Low Port The low port in the port range.
High Port The high port in the port range.
Private IP The Private NAT IP address.
Session Qualifier The session qualifier value for the private IP address, if applicable.
Login Time The time the IP addresses were logged.
Drilldowns
Subscriber Lookup by IP
To view the subscribers associated with the internal NAT IP address.
Lookup by Public IP
Overview
Use the Lookup by Public NAT IP report to map public NAT IPs to private subscriber IPs.
The report has two components:
• Current NAT Mappings - shows the currently assigned private IP addresses.
• NAT Mapping History - shows the list of all private IP addresses that were associated with the public IP in the past, for the
specified date range.
The reports consist of the following table:
Field Description
Public IP The Public NAT IP address.
Low Port The low port in the port range.
High Port The high port in the port range.
Private IP The Private NAT IP address.
Session Qualifier The session qualifier value for the private IP address, if applicable.
Login Time The time the IP addresses were logged.
Drilldowns
Subscriber Lookup by IP
To view the subscribers associated with the internal NAT IP address.
Lookup IP by Name
Overview
Use the NAT IP Lookup by Name report to show the public and private NAT IP addresses of a subscriber.
The report has two components:
• Current NAT Mappings - shows the currently assigned NAT IP addresses.
• NAT Mapping History - shows the list of all NAT IP addresses that were associated with the subscriber in the past.
The reports consist of the following table:
Field Description
Subscriber The name of the subscriber.
Public IP The Public NAT IP address.
Low Port The low port in the port range.
High Port The high port in the port range.
Private IP The Private NAT IP address.
Session Qualifier The session qualifier value for the private IP address, if applicable.
Login Time The time the IP addresses were logged.
Subscriber Licensing
Active Subscribers
Overview
The Active Subscribers report is used to support Sandvine's commercial per-Active Subscriber software licensing model. The report
contains the following chart:
• Active Subscribers - Bar chart displaying a rolling 30-day value of the peak or high water mark number of active subscribers
in any one hour interval for the last 30 days.
Configuring the report
1. Select a start date and end date for the reporting interval.
The dates will be rounded to 00:00.
The time zone for this report is not configurable.
Provisioned Subscribers
Overview
The Provisioned Subscribers report is used to support Sandvine's commercial per-Provisioned Subscriber software licensing model. The
report contains the following chart:
• Provisioned Subscribers - Bar chart displaying a rolling 30-day count of the number of unique subscribers that were active
in any one hour interval for the past 30 days.
Configuring the report
1. Select a start date and end date for the reporting interval.
The dates will be rounded to 00:00.
The time zone for this report is not configurable.
Subscriber Attribute
Bandwidth by Attribute
Use the Subscriber Bandwidth report to examine and drill-down on the activity for specific subscribers. This report provides information on
the number of connections, downloads (bytes), uploads (bytes) and total bandwidth.
Note: to generate this report you must manually add subscribers to the Subscribers list.
Note: the 'No Protocol Detail' protocol identifies the network bandwidth consumed by a subscriber that is
not identified on a per-protocol basis, enabling the report to present the total bandwidth consumed by
the subscriber. There are two situations that can cause the 'No Protocol Detail' protocol to appear:
- not all of the protocols were selected on the configuration page.
- the Sandvine element was not configured to identify network bandwidth on a per-protocol basis for the
subscriber. For example, if the element is configured to only collect protocol-level data for top talkers,
and the user falls in and out of the top talker threshold, they may have periods of time where no
protocol detail is collected. Similarly, the element could be configured to only collect detailed data for a
subset of protocols per user, which results in the remainder of the protocols being consolidated into the
'No Protocol Detail' protocol.
Bandwidth by Attribute
Use this report to examine the bandwidth consumption activity for groups of subscribers as a whole, grouped by subscriber attributes. This
report provides information on the number of connections, received bandwidth, and transmitted bandwidth.
This report contains the following histogram charts:
• Connections - Bar chart showing connection counts over time.
• Received Bandwidth - Area chart showing received bandwidth over time.
• Transmitted Bandwidth - Area chart showing transmitted bandwidth over time.
Configuring the report
1. Select the clusters that you wish to see bandwidth usage from. By varying the clusters selected, you can query for usage from
different portions of your network (for example, by region).
2. Select the subscriber attributes you wish to filter subscribers with. Only one attribute definition can be selected at a time, but all
values under the definition can be selected.
3. Select a start date and end date for the reporting interval.
Bandwidth by Protocol
Use this report to examine detailed bandwidth consumption activity for groups of subscribers for specific users by protocol, for specific
subscriber attributes. Use this report to identify usage trends for groups of subscribers.
This report contains the following charts:
• Connections - Bar chart showing connection counts over time.
• Received Bandwidth - Area chart showing received bandwidth over time.
• Transmitted Bandwidth - Area chart showing transmitted bandwidth over time.
Configuring the report
1. Select the clusters that you wish to see bandwidth usage from. By varying the clusters selected, you can query for usage from
different portions of your network (for example, by region).
2. Select protocols and protocol categories.
3. Select the subscriber attributes you wish to filter subscribers with. Only one attribute definition can be selected at a time, but all
values under the definition can be selected.
4. Select a start date and end date for the reporting interval.
Note: the 'No Protocol Detail' protocol identifies the network bandwidth consumed by a subscriber that is
not identified on a per-protocol basis, enabling the report to present the total bandwidth consumed by
the subscriber. There are two situations that can cause the 'No Protocol Detail' protocol to appear:
- not all of the protocols were selected on the configuration page.
- the Sandvine element was not configured to identify network bandwidth on a per-protocol basis for the
subscriber. For example, if the element is configured to only collect protocol-level data for top talkers,
and the user falls in and out of the top talker threshold, they may have periods of time where no
protocol detail is collected. Similarly, the element could be configured to only collect detailed data for a
subset of protocols per user, which results in the remainder of the protocols being consolidated into the
'No Protocol Detail' protocol.
Subscriber Count
Overview
Use the Subscriber Count by Attribute report to identify the number of subscribers with the specified attribute.
The report contains the following table:
Field Description
Attribute Value The attribute value.
Subscriber Count The number of subscribers with the specified attribute value set.
Note: to generate this report you must manually add subscribers to the Subscribers list.
Note: the 'No Protocol Detail' protocol identifies the network bandwidth consumed by a subscriber that is
not identified on a per-protocol basis, enabling the report to present the total bandwidth consumed by
the subscriber. There are two situations that can cause the 'No Protocol Detail' protocol to appear:
- not all of the protocols were selected on the configuration page.
- the Sandvine element was not configured to identify network bandwidth on a per-protocol basis for the
subscriber. For example, if the element is configured to only collect protocol-level data for top talkers,
and the user falls in and out of the top talker threshold, they may have periods of time where no
protocol detail is collected. Similarly, the element could be configured to only collect detailed data for a
subset of protocols per user, which results in the remainder of the protocols being consolidated into the
'No Protocol Detail' protocol.
Bandwidth by Protocol
Use this report to examine detailed network activity for specific users by protocol. This report contains three charts - Connections,
Transmitted Bandwidth and Received Bandwidth broken out by individual protocol. This report breaks the data out by individual protocol
and time of day. Use this report to identify usage trends for individual subscribers.
Note: to generate this report you must manually add subscribers to the Subscribers list.
Note: the 'No Protocol Detail' protocol identifies the network bandwidth consumed by a subscriber that is
not identified on a per-protocol basis, enabling the report to present the total bandwidth consumed by
the subscriber. There are two situations that can cause the 'No Protocol Detail' protocol to appear:
- not all of the protocols were selected on the configuration page.
- the Sandvine element was not configured to identify network bandwidth on a per-protocol basis for the
subscriber. For example, if the element is configured to only collect protocol-level data for top talkers,
and the user falls in and out of the top talker threshold, they may have periods of time where no
protocol detail is collected. Similarly, the element could be configured to only collect detailed data for a
subset of protocols per user, which results in the remainder of the protocols being consolidated into the
'No Protocol Detail' protocol.
Bandwidth Summary
Use the Subscriber Bandwidth Summary report to examine the activity for specific subscribers. This report provides information on the
number of connections, downloads (bytes), and uploads (bytes).
Note: to generate this report you must manually add subscribers to the Subscribers list.
Note: the 'No Protocol Detail' protocol identifies the network bandwidth consumed by a subscriber that is
not identified on a per-protocol basis, enabling the report to present the total bandwidth consumed by
the subscriber. There are two situations that can cause the 'No Protocol Detail' protocol to appear:
- not all of the protocols were selected on the configuration page.
- the Sandvine element was not configured to identify network bandwidth on a per-protocol basis for the
subscriber. For example, if the element is configured to only collect protocol-level data for top talkers,
and the user falls in and out of the top talker threshold, they may have periods of time where no
protocol detail is collected. Similarly, the element could be configured to only collect detailed data for a
subset of protocols per user, which results in the remainder of the protocols being consolidated into the
'No Protocol Detail' protocol.
by Bandwidth
Received Bandwidth
This report shows the top talkers by received bandwidth.
Over larger periods of time, this value can increase quite dramatically. Some users find that converting the units that this report is
measured in to bytes-per-second over larger reporting intervals improves the readability of the report. This can be done on the
Presentation tab of the Configuration page by changing the Units dropdown from 'bytes' to 'bits/sec'.
Total Bandwidth
This report shows the top talkers by total bandwidth.
Over larger periods of time, this value can increase quite dramatically. Some users find that converting the units that this report is
measured in to bytes-per-second over larger reporting intervals improves the readability of the report. This can be done on the
Presentation tab of the Configuration page by changing the Units dropdown from 'bytes' to 'bits/sec'.
Transmitted Bandwidth
This report shows the top talkers by transmitted bandwidth.
Over larger periods of time, this value can increase quite dramatically. Some users find that converting the units that this report is
measured in to bytes-per-second over larger reporting intervals improves the readability of the report. This can be done on the
Presentation tab of the Configuration page by changing the Units dropdown from 'bytes' to 'bits/sec'.
by Connections
Connections
Use this report to identify the subscribers with the most connections. By default, the top 100 subscribers are displayed. This is
configurable on the Presentation page.
Connections Histogram
Use this report to identify the subscribers with the most connections. By default, the top 10 subscribers are displayed. This is configurable
on the Presentation page.
This report contains the following chart:
• Connections - histogram chart showing the number of connections for each of the top subscribers.
Configuring the report
1. Select the clusters that you wish to calculate the Top Talkers from. By varying the clusters selected, you can determine who the Top
Talkers are for different portions of your network (for example, by region).
2. Select a start date and end date for the reporting interval. This allows you to determine who the Top Talkers were during a particular
interval.
by Protocol
Bandwidth by Protocol
Overview
This report shows the bandwidth by protocol consolidated for the top N users. Use this report to identify the traffic and protocol usage of
your top subscribers.
Connections
Use this report to identify the subscribers with the most connections under the selected protocols. By default, the top 100 subscribers are
displayed. This is configurable on the Presentation page.
Connections Histogram
Use this report to identify the subscribers with the most connections under the selected protocols. By default, the top 10 subscribers are
displayed. This is configurable on the Presentation page.
This report contains the following chart:
• Connections - histogram chart showing the number of connections for each of the top subscribers.
Configuring the report
1. Select the clusters that you wish to calculate the Top Talkers from. By varying the clusters selected, you can determine who the Top
Talkers are for different portions of your network (for example, by region).
2. Select the protocols and protocol categories that you wish to monitor.
3. Select a start date and end date for the reporting interval. This allows you to determine who the Top Talkers were during a particular
interval.
Received Bandwidth
This report shows the number of bytes downloaded by the top N users over the selected protocols. By default, the top 100 subscribers are
displayed. This is configurable on the Presentation page.
Total Bandwidth
This report shows the total bandwidth for the top N users. This is configurable on the Presentation page.
Transmitted Bandwidth
This report shows the number of bytes uploaded by the top N users based on the selected protocols. Top 100 are displayed by default.
This is configurable on the Presentation page.
by Subscriber Attribute
Received Bandwidth
This report shows the top talkers by received bandwidth and filters the subscribers who have the selected attribute values.
This report by default lists the top talkers by received bytes. Over larger periods of time, this value can increase quite dramatically. Some
users find that converting the units that this report is measured in to bytes-per-second over larger reporting intervals improves the
readability of the report. This can be done on the Presentation tab of the Configuration page by changing the Units dropdown from 'bytes'
to 'bits/sec'.
Subscriber Summary
Use the Subscriber Summary Filtered by Attribute report to examine the activity for specific subscribers that have a specific attribute set
for them. This report provides information on the number of connections, downloads (bytes), and uploads (bytes).
Note: to generate this report you must select the attribute values you wish to filter the top subscribers
by.
Note: the 'No Protocol Detail' protocol identifies the network bandwidth consumed by a subscriber that is
not identified on a per-protocol basis, enabling the report to present the total bandwidth consumed by
the subscriber. There are two situations that can cause the 'No Protocol Detail' protocol to appear:
- not all of the protocols were selected on the configuration page.
- the Sandvine element was not configured to identify network bandwidth on a per-protocol basis for the
subscriber. For example, if the element is configured to only collect protocol-level data for top talkers,
and the user falls in and out of the top talker threshold, they may have periods of time where no
protocol detail is collected. Similarly, the element could be configured to only collect detailed data for a
subset of protocols per user, which results in the remainder of the protocols being consolidated into the
'No Protocol Detail' protocol.
Total Bandwidth
This report shows the top talkers by total bandwidth and filters the subscribers who have the selected attribute values.
This report by default lists the top talkers by total bytes. Over larger periods of time, this value can increase quite dramatically. Some
users find that converting the units that this report is measured in to bytes-per-second over larger reporting intervals improves the
readability of the report. This can be done on the Presentation tab of the Configuration page by changing the Units dropdown from 'bytes'
to 'bits/sec'.
Transmitted Bandwidth
This report shows the top talkers by transmitted bandwidth and filters the subscribers who have the selected attribute values.
This report by default lists the top talkers by transmitted bytes. Over larger periods of time, this value can increase quite dramatically.
Some users find that converting the units that this report is measured in to bytes-per-second over larger reporting intervals improves the
readability of the report. This can be done on the Presentation tab of the Configuration page by changing the Units dropdown from 'bytes'
to 'bits/sec'.
Trend Analysis
Bandwidth Distribution
Use this report to see the distribution of bandwidth amongst subscribers that are consuming the most bandwidth. By default, the top 100
subscribers are displayed. This value is configurable on the Presentation page.
This report contains the following chart:
• Bandwidth Distribution - Pareto chart showing the distribution of bandwidth usage amongst top subscribers.
Configuring the report
1. Select the clusters that you wish to calculate the Top Talkers from. By varying the clusters selected, you can determine who the Top
Talkers are for different portions of your network (for example, by region).
2. Select a start date and end date for the reporting interval. This allows you to determine who the Top Talkers were during a particular
interval.
3. (Optional) In the Presentation tab, select the number of top subscribers you wish to sample. The default is 100.
Subscriber Summary with Top Protocol - Displays bandwidth information for the top N users
Field Description
Cluster The cluster.
Subscriber The subscriber name or IP.
Top Protocol The top protocol used by the subscriber.
% of Total The % of bandwidth of the top protocol over the total bandwidth consumed by that subscriber.
Connections The number of total connections across all protocols.
Received The total received bandwidth across all protocols.
Transmit The total transmitted bandwidth across all protocols.
Total The total bandwidth consumed by the subscriber.
by Bandwidth
Received Bandwidth Histogram
Use this to identify the pattern of received bandwidth usage among subscribers over a specified time period. By grouping users into usage
bands, by received bandwidth, the histogram will clearly indicate the most common bandwidth ranges and help you to validate your
network tiers.
This report contains the following histogram chart:
• Received Bandwidth Histogram by Subscribers - histogram chart showing subscriber counts allocated into bandwidth
range buckets.
• Received Bandwidth Histogram by Bandwidth - histogram chart showing total bandwidth of all subscribers allocated into
bandwidth range buckets.
Configuring the report
1. Select the clusters that you wish to see bandwidth usage from. By varying the clusters selected, you can query for usage from
different portions of your network (for example, by region).
2. Configure the histogram bin. Choose Fixed Bin Sizes if you want all equal size bins. Choose and configure Custom Bin Sizes to
configure bins of varying sizes.
3. Select a start date and end date for the reporting interval.
By default, the histogram reports will show the percentage of total subscribers and bandwidth in each bin. To show the actual number of
subscribers or bandwidth, configure the report as follows:
Another useful view of the data is to chart it in a pie chart instead of a histogram bar chart. To configure the report to render as a pie
chart:
Note: A subscriber is included in a subscriber count, as long as there is a non-zero byte count recorded
for that subscriber at any time during the reporting interval. However, often subscribers with very low
byte counts may actually be inactive; the data may be associated with offline activities. If you see a
disproportionate number of subscribers in the first bucket, and wish to exclude inactive subscribers, then
it is recommended that you switch to the Custom Bin Sizes option and change the lower value of bin 1
from 0 to a larger value.
Received Bandwidth Summary - tabular view of a histogram showing the usage of received bandwidth of all subscribers, allocated into
bandwidth range buckets. If available in your SPB version, it will also show the total received bytes, % of bandwidth, average bytes per
subscriber, and average bandwidth per subscriber for each bandwidth range.
Field - Description
Bandwidth Range - The bandwidth range consumed by the subscriber.
# of Subscribers - The number of subscribers with total received bandwidth within the bandwidth range, for the specified time period.
% of Subscribers - The number of subscribers shown as a percentage of the total subscriber count.
Total RX Bandwidth* - The sum of received bandwidth for all subscribers in the bandwidth range.
% of Bandwidth* - The bandwidth value shown as a percentage of total bandwidth across all bins.
Avg Bytes/Sub* - The average bytes consumed per subscriber in the bandwidth range, calculated as Total RX Bandwidth / # of Subscribers.
Avg BW/Sub* - The average bandwidth rate per subscriber in the bandwidth range, in bps. This is calculated as 8 bytes * Total RX Bandwidth / # of Subscribers / seconds in the reporting period.
* If this data does not appear, this feature is not available in your version of the SPB. Please contact Sandvine Customer Support for
more information.
Note: A subscriber is included in a subscriber count, as long as there is a non-zero byte count recorded
for that subscriber at any time during the reporting interval. However, often subscribers with very low
byte counts may actually be inactive; the data may be associated with offline activities. If you see a
disproportionate number of subscribers in the first bucket, and wish to exclude inactive subscribers, then
it is recommended that you switch to the Custom Bin Sizes option and change the lower value of bin 1
from 0 to a larger value.
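The summary-table arithmetic and the effect of raising the lower value of bin 1, as an added example (not Sandvine's code or the SPB's implementation). The half-open bin boundaries, all function and field names, and the byte counts are assumptions constructed for illustration; percentages are taken over the subscribers that land in some bin.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple

Bin = Tuple[int, Optional[int]]  # (lower, upper) in bytes; upper=None means unbounded


class BinRow(NamedTuple):
    lower: int
    upper: Optional[int]
    subscribers: int          # "# of Subscribers"
    pct_subscribers: float    # "% of Subscribers"
    total_bytes: int          # "Total RX Bandwidth"
    pct_bandwidth: float      # "% of Bandwidth"
    avg_bytes_per_sub: float  # "Avg Bytes/Sub"
    avg_bps_per_sub: float    # "Avg BW/Sub", in bits per second


def summarize(rx_bytes: Dict[str, int], bins: List[Bin],
              interval_seconds: int) -> List[BinRow]:
    """Bucket per-subscriber received bytes and compute the summary columns."""
    if interval_seconds <= 0:
        raise ValueError("reporting interval must be positive")

    counts = [0] * len(bins)
    totals = [0] * len(bins)
    for byte_count in rx_bytes.values():
        # A subscriber is counted only with a non-zero byte count in the interval.
        if byte_count <= 0:
            continue
        for i, (lower, upper) in enumerate(bins):
            # Assumed convention: lower bound inclusive, upper bound exclusive.
            if byte_count >= lower and (upper is None or byte_count < upper):
                counts[i] += 1
                totals[i] += byte_count
                break
        # A subscriber below the first lower bound matches no bin and is dropped.

    all_subs = sum(counts)
    all_bytes = sum(totals)
    rows = []
    for (lower, upper), subs, total in zip(bins, counts, totals):
        rows.append(BinRow(
            lower, upper, subs,
            100.0 * subs / all_subs if all_subs else 0.0,
            total,
            100.0 * total / all_bytes if all_bytes else 0.0,
            total / subs if subs else 0.0,
            # 8 * total / subscribers / seconds in the reporting period
            8 * total / subs / interval_seconds if subs else 0.0,
        ))
    return rows


# Constructed sample: received bytes per subscriber over a one-hour interval.
INTERVAL_SECONDS = 3600
SAMPLE_RX = {
    "sub-a": 0,              # no traffic: never counted
    "sub-b": 2_000,          # very low counts, likely inactive
    "sub-c": 5_000,
    "sub-d": 800,
    "sub-e": 450_000_000,
    "sub-f": 900_000_000,
    "sub-g": 1_800_000_000,
    "sub-h": 3_600_000_000,
}
GB = 1_000_000_000
DEFAULT_BINS: List[Bin] = [(0, GB), (GB, 2 * GB), (2 * GB, None)]
# Same bins, with the lower value of bin 1 raised from 0 to 1 MB.
CUSTOM_BINS: List[Bin] = [(1_000_000, GB), (GB, 2 * GB), (2 * GB, None)]

if __name__ == "__main__":
    for label, bins in (("bin 1 from 0", DEFAULT_BINS), ("bin 1 from 1 MB", CUSTOM_BINS)):
        print(label)
        for row in summarize(SAMPLE_RX, bins, INTERVAL_SECONDS):
            print(f"  {row.lower:>13}+  subs={row.subscribers} "
                  f"({row.pct_subscribers:.1f}%)  bytes={row.total_bytes} "
                  f"({row.pct_bandwidth:.1f}%)  avg_bps={row.avg_bps_per_sub:.0f}")
```

With bin 1 starting at 0, the three near-idle subscribers inflate the first bucket's subscriber count while contributing almost nothing to its bandwidth, which pulls its per-subscriber averages down.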
By default, the histogram reports will show the percentage of total subscribers and bandwidth in each bin. To show the actual number of
subscribers or bandwidth, configure the report as follows:
Another useful view of the data is to chart it in a pie chart instead of a histogram bar chart. To configure the report to render as a pie
chart:
Note: A subscriber is included in a subscriber count, as long as there is a non-zero byte count recorded
for that subscriber at any time during the reporting interval. However, often subscribers with very low
byte counts may actually be inactive; the data may be associated with offline activities. If you see a
disproportionate number of subscribers in the first bucket, and wish to exclude inactive subscribers, then
it is recommended that you switch to the Custom Bin Sizes option and change the lower value of bin 1
from 0 to a larger value.
Total Bandwidth Summary - tabular view of a histogram showing the usage of total bandwidth of all subscribers, allocated into
bandwidth range buckets. If available in your SPB version, it will also show the total bytes, % of bandwidth, average bytes per subscriber,
and average bandwidth per subscriber for each bandwidth range.
Field - Description
Bandwidth Range - The bandwidth range consumed by the subscriber.
# of Subscribers - The number of subscribers with total bandwidth within the bandwidth range, for the specified time period.
% of Subscribers - The number of subscribers shown as a percentage of the total subscriber count.
Total Bandwidth* - The sum of total bandwidth for all subscribers in the bandwidth range.
% of Bandwidth* - The bandwidth value shown as a percentage of total bandwidth across all bins.
Avg Bytes/Sub* - The average bytes consumed per subscriber in the bandwidth range, calculated as Total Bandwidth / # of Subscribers.
Avg BW/Sub* - The average bandwidth rate per subscriber in the bandwidth range, in bps. This is calculated as 8 bytes * Total Bandwidth / # of Subscribers / seconds in the reporting period.
* If this data does not appear, this feature is not available in your version of the SPB. Please contact Sandvine Customer Support for
more information.
Note: A subscriber is included in a subscriber count, as long as there is a non-zero byte count recorded
for that subscriber at any time during the reporting interval. However, often subscribers with very low
byte counts may actually be inactive; the data may be associated with offline activities. If you see a
disproportionate number of subscribers in the first bucket, and wish to exclude inactive subscribers, then
it is recommended that you switch to the Custom Bin Sizes option and change the lower value of bin 1
from 0 to a larger value.
By default, the histogram reports will show the percentage of total subscribers and bandwidth in each bin. To show the actual number of
subscribers or bandwidth, configure the report as follows:
Another useful view of the data is to chart it in a pie chart instead of a histogram bar chart. To configure the report to render as a pie
chart:
Note: A subscriber is included in a subscriber count, as long as there is a non-zero byte count recorded
for that subscriber at any time during the reporting interval. However, often subscribers with very low
byte counts may actually be inactive; the data may be associated with offline activities. If you see a
disproportionate number of subscribers in the first bucket, and wish to exclude inactive subscribers, then
it is recommended that you switch to the Custom Bin Sizes option and change the lower value of bin 1
from 0 to a larger value.
Transmitted Bandwidth Summary - tabular view of a histogram showing the usage of transmitted bandwidth of all subscribers,
allocated into bandwidth range buckets. If available in your SPB version, it will also show the total transmitted bytes, % of bandwidth,
average bytes per subscriber, and average bandwidth per subscriber for each bandwidth range.
Field - Description
Bandwidth Range - The bandwidth range consumed by the subscriber.
# of Subscribers - The number of subscribers with total transmitted bandwidth within the bandwidth range, for the specified time period.
% of Subscribers - The number of subscribers shown as a percentage of the total subscriber count.
Total TX Bandwidth* - The sum of transmitted bandwidth for all subscribers in the bandwidth range.
% of Bandwidth* - The bandwidth value shown as a percentage of total bandwidth across all bins.
Avg Bytes/Sub* - The average bytes consumed per subscriber in the bandwidth range, calculated as Total TX Bandwidth / # of Subscribers.
Avg BW/Sub* - The average bandwidth rate per subscriber in the bandwidth range, in bps. This is calculated as 8 bytes * Total TX Bandwidth / # of Subscribers / seconds in the reporting period.
* If this data does not appear, this feature is not available in your version of the SPB. Please contact Sandvine Customer Support for
more information.
Note: A subscriber is included in a subscriber count, as long as there is a non-zero byte count recorded
for that subscriber at any time during the reporting interval. However, often subscribers with very low
byte counts may actually be inactive; the data may be associated with offline activities. If you see a
disproportionate number of subscribers in the first bucket, and wish to exclude inactive subscribers, then
it is recommended that you switch to the Custom Bin Sizes option and change the lower value of bin 1
from 0 to a larger value.
by Subscriber Attribute
Received Bandwidth Histogram
Use this to identify the pattern of received bandwidth usage among subscribers over a specified time period, filtered by subscriber
attributes. By grouping users into usage bands, by received bandwidth, the histogram will clearly indicate the most common bandwidth
ranges and help you to validate your network tiers.
This report contains the following histogram chart:
• Received Bandwidth Histogram by Subscribers - histogram chart showing the counts of subscribers associated with the
selected attribute definition and values, allocated into bandwidth range buckets by received bandwidth usage.
• Received Bandwidth Histogram by Bandwidth - histogram chart showing the total received bandwidth of subscribers
associated with the selected attribute definition and values, allocated into bandwidth range buckets by received bandwidth
usage.
Configuring the report
1. Select the clusters that you wish to see bandwidth usage from. By varying the clusters selected, you can query for usage from
different portions of your network (for example, by region).
2. Select the subscriber attributes you wish to filter subscribers with. Only one attribute definition can be selected at a time, but all
values under the definition can be selected.
3. Configure the histogram bin. Choose Fixed Bin Sizes if you want all equal size bins. Choose and configure Custom Bin Sizes to
configure bins of varying sizes.
4. Select a start date and end date for the reporting interval.
By default, the histogram report will show the percentage of total subscribers in each bin.
To show the number of subscribers or bandwidth in each bin, configure the report as follows:
1. Open the Presentation tab.
2. Find the Data Manipulation section and click the Advanced Configuration button to show advanced configuration parameters.
3. In the Display as Percentage dropdown, change the setting from "Totals" to "Off".
To show the percentage of subscribers per bin or bandwidth, configure the report as follows:
1. Open the Presentation tab.
2. In the Chart Enhancements section, find the Chart Layering Method dropdown and change the setting to "Percentage".
3. Find the Data Manipulation section and click the Advanced Configuration button to show advanced configuration parameters.
4. In the Display as Percentage dropdown, change the setting from "Totals" to "Off".
To show each attribute value in a separate bar, configure the report as follows:
1. Open the Presentation tab.
2. In the Chart Enhancements section, find the Chart Layering Method dropdown and change the setting to "Side by Side".
Note: A subscriber is included in a subscriber count, as long as there is a non-zero byte count recorded
for that subscriber at any time during the reporting interval. However, often subscribers with very low
byte counts may actually be inactive; the data may be associated with offline activities. If you see a
disproportionate number of subscribers in the first bucket, and wish to exclude inactive subscribers, then
it is recommended that you switch to the Custom Bin Sizes option and change the lower value of bin 1
from 0 to a larger value.
Received Bandwidth Summary - tabular view of a histogram showing the usage of received bandwidth of all subscribers associated
with the selected attribute definition and values, allocated into bandwidth range buckets. If available in your SPB version, it will also show
the total received bytes, % of bandwidth, average bytes per subscriber, and average bandwidth per subscriber for each bandwidth range.
Field - Description
Attribute Value - The attribute value of the subscribers in the histogram.
Bandwidth Range - The bandwidth range consumed by the subscriber.
# of Subscribers - The number of subscribers with total received bandwidth within the bandwidth range, for the specified time period.
% of Subscribers - The number of subscribers shown as a percentage of the total subscriber count.
Total RX Bandwidth* - The sum of received bandwidth for all subscribers in the bandwidth range.
% of Bandwidth* - The bandwidth value shown as a percentage of total bandwidth across all bins.
Avg Bytes/Sub* - The average bytes consumed per subscriber in the bandwidth range, calculated as Total RX Bandwidth / # of Subscribers.
Avg BW/Sub* - The average bandwidth rate per subscriber in the bandwidth range, in bps. This is calculated as 8 bytes * Total RX Bandwidth / # of Subscribers / seconds in the reporting period.
* If this data does not appear, this feature is not available in your version of the SPB. Please contact Sandvine Customer Support for
more information.
Note: A subscriber is included in a subscriber count, as long as there is a non-zero byte count recorded
for that subscriber at any time during the reporting interval. However, often subscribers with very low
byte counts may actually be inactive; the data may be associated with offline activities. If you see a
disproportionate number of subscribers in the first bucket, and wish to exclude inactive subscribers, then
it is recommended that you switch to the Custom Bin Sizes option and change the lower value of bin 1
from 0 to a larger value.
By default, the histogram report will show the percentage of total subscribers in each bin.
To show the number of subscribers or bandwidth in each bin, configure the report as follows:
1. Open the Presentation tab.
2. Find the Data Manipulation section and click the Advanced Configuration button to show advanced configuration parameters.
3. In the Display as Percentage dropdown, change the setting from "Totals" to "Off".
To show the percentage of subscribers per bin or bandwidth, configure the report as follows:
1. Open the Presentation tab.
2. In the Chart Enhancements section, find the Chart Layering Method dropdown and change the setting to "Percentage".
3. Find the Data Manipulation section and click the Advanced Configuration button to show advanced configuration parameters.
4. In the Display as Percentage dropdown, change the setting from "Totals" to "Off".
To show each attribute value in a separate bar, configure the report as follows:
1. Open the Presentation tab.
2. In the Chart Enhancements section, find the Chart Layering Method dropdown and change the setting to "Side by Side".
Note: A subscriber is included in a subscriber count, as long as there is a non-zero byte count recorded
for that subscriber at any time during the reporting interval. However, often subscribers with very low
byte counts may actually be inactive; the data may be associated with offline activities. If you see a
disproportionate number of subscribers in the first bucket, and wish to exclude inactive subscribers, then
it is recommended that you switch to the Custom Bin Sizes option and change the lower value of bin 1
from 0 to a larger value.
Total Bandwidth Summary - tabular view of a histogram showing the usage of total bandwidth of all subscribers associated with the
selected attribute definition and values, allocated into bandwidth range buckets. If available in your SPB version, it will also show the total
bytes, % of bandwidth, average bytes per subscriber, and average bandwidth per subscriber for each bandwidth range.
Field - Description
Attribute Value - The attribute value of the subscribers in the histogram.
Bandwidth Range - The bandwidth range consumed by the subscriber.
# of Subscribers - The number of subscribers with total bandwidth within the bandwidth range, for the specified time period.
% of Subscribers - The number of subscribers shown as a percentage of the total subscriber count.
Total Bandwidth* - The sum of total bandwidth for all subscribers in the bandwidth range.
% of Bandwidth* - The bandwidth value shown as a percentage of total bandwidth across all bins.
Avg Bytes/Sub* - The average bytes consumed per subscriber in the bandwidth range, calculated as Total Bandwidth / # of Subscribers.
Avg BW/Sub* - The average bandwidth rate per subscriber in the bandwidth range, in bps. This is calculated as 8 bytes * Total Bandwidth / # of Subscribers / seconds in the reporting period.
* If this data does not appear, this feature is not available in your version of the SPB. Please contact Sandvine Customer Support for
more information.
Note: A subscriber is included in a subscriber count, as long as there is a non-zero byte count recorded
for that subscriber at any time during the reporting interval. However, often subscribers with very low
byte counts may actually be inactive; the data may be associated with offline activities. If you see a
disproportionate number of subscribers in the first bucket, and wish to exclude inactive subscribers, then
it is recommended that you switch to the Custom Bin Sizes option and change the lower value of bin 1
from 0 to a larger value.
By default, the histogram report will show the percentage of total subscribers in each bin.
To show the number of subscribers or bandwidth in each bin, configure the report as follows:
1. Open the Presentation tab.
2. Find the Data Manipulation section and click the Advanced Configuration button to show advanced configuration parameters.
3. In the Display as Percentage dropdown, change the setting from "Totals" to "Off".
To show the percentage of subscribers per bin or bandwidth, configure the report as follows:
1. Open the Presentation tab.
2. In the Chart Enhancements section, find the Chart Layering Method dropdown and change the setting to "Percentage".
3. Find the Data Manipulation section and click the Advanced Configuration button to show advanced configuration parameters.
4. In the Display as Percentage dropdown, change the setting from "Totals" to "Off".
To show each attribute value in a separate bar, configure the report as follows:
1. Open the Presentation tab.
2. In the Chart Enhancements section, find the Chart Layering Method dropdown and change the setting to "Side by Side".
Note: A subscriber is included in a subscriber count, as long as there is a non-zero byte count recorded
for that subscriber at any time during the reporting interval. However, often subscribers with very low
byte counts may actually be inactive; the data may be associated with offline activities. If you see a
disproportionate number of subscribers in the first bucket, and wish to exclude inactive subscribers, then
it is recommended that you switch to the Custom Bin Sizes option and change the lower value of bin 1
from 0 to a larger value.
Transmitted Bandwidth Summary - tabular view of a histogram showing the usage of transmitted bandwidth of all subscribers
associated with the selected attribute definition and values, allocated into bandwidth range buckets. If available in your SPB version, it will
also show the total transmitted bytes, % of bandwidth, average bytes per subscriber, and average bandwidth per subscriber for each
bandwidth range.
Field - Description
Attribute Value - The attribute value of the subscribers in the histogram.
Bandwidth Range - The bandwidth range consumed by the subscriber.
# of Subscribers - The number of subscribers with total transmitted bandwidth within the bandwidth range, for the specified time period.
% of Subscribers - The number of subscribers shown as a percentage of the total subscriber count.
Total TX Bandwidth* - The sum of transmitted bandwidth for all subscribers in the bandwidth range.
% of Bandwidth* - The bandwidth value shown as a percentage of total bandwidth across all bins.
Avg Bytes/Sub* - The average bytes consumed per subscriber in the bandwidth range, calculated as Total TX Bandwidth / # of Subscribers.
Avg BW/Sub* - The average bandwidth rate per subscriber in the bandwidth range, in bps. This is calculated as 8 bytes * Total TX Bandwidth / # of Subscribers / seconds in the reporting period.
* If this data does not appear, this feature is not available in your version of the SPB. Please contact Sandvine Customer Support for
more information.
Note: A subscriber is included in a subscriber count, as long as there is a non-zero byte count recorded
for that subscriber at any time during the reporting interval. However, often subscribers with very low
byte counts may actually be inactive; the data may be associated with offline activities. If you see a
disproportionate number of subscribers in the first bucket, and wish to exclude inactive subscribers, then
it is recommended that you switch to the Custom Bin Sizes option and change the lower value of bin 1
from 0 to a larger value.
Trend Analysis
Average Bandwidth
Overview
Use the Average Subscriber Bandwidth report to determine the average total, transmit, and received subscriber bandwidth usage in your
network. The report contains the following chart:
• Average Bandwidth - Overlay area chart showing the amount of average total, received and transmitted bandwidth
consumed by all subscribers. This is measured as the average bitrate (bits per second) over time.
Configuring the report
Select a time period and the clusters you wish to monitor.
You may wish to show each traffic flow in its own chart. To do so, in the "Presentation" tab, select "Traffic Flow" in the "Iterate Results By"
select box.
Note: The average received and transmitted bandwidth is calculated from the total overall number of
unique subscribers seen in the interval, and not from the subset of subscribers who had non-zero
received or transmitted bandwidth.
Note: This report will only include subscribers marked as top talkers who have detailed protocol
statistics being collected.
Streaming Video
Subscribers Over Time
Overview
This report shows the peak number of subscribers with streaming video traffic over time, measured in the number of subscribers.
Configuring the report
1. Select the cluster and element.
2. Select a start date and end date for the reporting interval.
Interpreting the report
• Use this report to estimate the total number of subscribers consuming streaming video traffic over time.
By default, the top 25 providers are shown. This number can be changed by going to the "Presentation" tab and changing the "Top N"
value.
Websites
Top Websites by Bandwidth over Time
Overview
This report contains an area chart showing the bitrate of the top websites over time, measured in bits/sec.
Configuring the report
1. Select the cluster and element.
2. Select a start date and end date for the reporting interval.
By default, the top 25 websites are shown. This number can be changed by going to the "Presentation" tab and changing the "Top N"
value.
By default, the top 50 websites are shown. This number can be changed by going to the "Presentation" tab and changing the "Top N"
value.
Client Device
Bandwidth by Client Device
Overview
This report shows upstream and downstream bandwidth by client device over time.
Configuring the report
1. Select the cluster and element.
2. Select a start date and end date for the reporting interval.
3. Select the client devices to include in the report.
4. Select the protocols to include in the report.
Interpreting the report
• Use this report to see how the bandwidth used by one or more client devices is trending over time.
• Note that this report is only based on HTTP traffic analysis. Other traffic associated with the device is not represented in this
report.
By default, the top 25 devices are shown. This number can be changed by going to the "Presentation" tab and changing the "Top N"
value.
This report will show the sum of all devices for the selected protocols. To show the devices broken out by each protocol, go to the
"Presentation" tab and select "Protocol" and "NbiClientDevice" in the "Consolidate Data By" entry.
By default, the top 25 protocols are shown for each device. This number can be changed by going to the "Presentation" tab and changing
the "Top N" value.
AS Path
Top Next Hop AS
Overview
This report shows the top autonomous systems used as a next hop, measured in bytes.
Configuring the report
1. Select the cluster and element.
2. Select a start date and end date for the reporting interval.
By default, the top 25 ASs are shown. This number can be changed by going to the "Presentation" tab and changing the "Top N" value.
Top Origin AS
Overview
This report shows the top autonomous systems used as an origin AS, measured in bytes.
Configuring the report
1. Select the cluster and element.
2. Select a start date and end date for the reporting interval.
By default, the top 25 ASs are shown. This number can be changed by going to the "Presentation" tab and changing the "Top N" value.