7.2. Flow Trackers
A flow tracker captures and saves snapshots of the top flows matching a range of criteria.
The Trisul database can end up holding hundreds of millions of flows every day. Using flow trackers, you can perform quick topper analysis of the flow database over large timeframes.
A common use case of flow trackers is tracking the so-called 'elephant flows', flows that transfer a very large volume of data. As you will see below, this is not the only type of tracker. Flow trackers are also a prerequisite for flow tracker alerts.
7.2.1 Built in trackers
The following flow trackers are built in. You may create your own on top of them.
- Highest volumes transferred into your home network
- Highest volumes transferred out of your network
- Highest TCP payload transferred into your home network. Does not include TCP handshake packets
- Highest TCP payload volume transferred out of your network. Does not include TCP handshake packets
- Flows involving specific hosts, subnets or applications
- Flows not involving specific hosts, subnets or applications
7.2.2 Custom Trackers
You can create custom flow trackers by specifying which IP ranges or Port ranges you want to track. There are two types of customized trackers.
- Key based : Track top flows by filtering IP Address, Subnets, Ports, or Port Ranges
- Volume based : Track flows within a range of bytes transferred. This option lets you track flows that transfer a given range of bytes, say between 500 and 1000 bytes. It has applications in very specific security scenarios, and you cannot combine it with port and IP based filters.
Configuring Custom Trackers
To configure flow trackers:
Select Tools → Flow Trackers → Manage
Fill in the fields described below.
TCP Sessions is the only option allowed by default.
Tracker type: select the base tracker type you want to customize. The following table describes the available options.
| Tracker type | What it means |
| --- | --- |
| Based on keys | Specify IPs or Ports in the Config String field. Only flows involving the ranges will be tracked. |
| Based on Negated keys | Same as above, but flows NOT involving the ranges will be tracked. |
| Based on total bytes | Total bytes transferred. You can specify a volume constraint to track flows transferring a range of bytes. You can't use a port or IP range filter with this option. |
| Based on upload | Total bytes uploaded from a host within the Home Network to outside the Home Network. You can specify a port or IP range filter to narrow down which flows will be considered. |
| Based on download | Total bytes uploaded from a host within the Home Network to outside the Home Network. Filter allowed. |
| Based on upload payload | Total TCP payload bytes downloaded. This does not include the IP, TCP and other headers. Filter allowed. |
| Based on upload | TCP payload bytes uploaded. Filter allowed. |
Tracker name: a short name for the tracker.
Config String: a filter string that lets you specify which subset of flows you want to consider. Its meaning depends on the tracker type.
| Tracker type | Config String |
| --- | --- |
| For type "total bytes" | lower,100,500 tracks flows between 100 and 500 bytes, preferring the lower side. higher,500,2000 tracks flows between 500 and 2000 bytes, preferring the higher side. |
| All other tracker types | A filter string (see below) |
Filter string format
The filter string can express the following kinds of selection:
- Flows involving 192.168.1.8
- Flows involving 192.168.1.8 OR 192.168.1.33
- Flows in subnet 192.168.1.x
- Using a hostname instead of an IP
- Port 80 and Port 443
- Port 2000 to 6000
- Not from 192.168.1.8
- Not between 192.168.1.8 and 19
- The ! character: use it in front of any filter to negate it. Not available on volume based trackers.
The main application for tracking flows that transfer a low payload is in specific security scenarios. If you are interested in this type of tracker, here is some additional information.
| Config String | What it means |
| --- | --- |
| lower,x,y | Track flows transferring the lower volumes in the range x to y |
| higher,x,y | Track flows transferring the higher volumes in the range x to y |
Say you have configured the tracker to track 100 flows, and there are 150 flows in the range 100 to 200 bytes: upper,100,200 will record the higher 100 of the 150 flows, and lower,100,200 will record the lower 100 of the 150 flows.
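As an added illustration (not Trisul's own code), the following Python simulates how a "Based on total bytes" tracker with a Config String of lower,x,y or higher,x,y picks the flows it snapshots in one interval. The flow records are constructed, and "upper" is accepted as a spelling of "higher" because both appear above.

```python
"""Simulate the selection rule of a volume based flow tracker.

Added illustration, not Trisul code: it models the "Based on total bytes"
Config String (lower,x,y / higher,x,y; "upper" accepted as a synonym of
"higher") together with the per-interval flow limit (default 100).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    key: str          # constructed flow identifier, e.g. "flow-17"
    total_bytes: int  # total bytes transferred by the flow


def parse_volume_constraint(config: str) -> tuple[str, int, int]:
    """Parse 'lower,100,500' into ('lower', 100, 500); reject bad input."""
    parts = [p.strip() for p in config.split(",")]
    if len(parts) != 3:
        raise ValueError(f"expected 'side,min,max', got {config!r}")
    side, lo, hi = parts[0].lower(), int(parts[1]), int(parts[2])
    if side == "upper":  # the page writes both 'higher' and 'upper'
        side = "higher"
    if side not in ("lower", "higher"):
        raise ValueError(f"side must be lower or higher, got {side!r}")
    if lo > hi:
        raise ValueError("min must not exceed max")
    return side, lo, hi


def select_tracked_flows(flows, config: str, flows_per_interval: int = 100):
    """Return the flows the tracker would snapshot for one commit interval."""
    side, lo, hi = parse_volume_constraint(config)
    in_range = [f for f in flows if lo <= f.total_bytes <= hi]
    # 'lower' keeps the smallest flows in range, 'higher' keeps the largest.
    ordered = sorted(in_range, key=lambda f: f.total_bytes,
                     reverse=(side == "higher"))
    return ordered[:flows_per_interval]


# Constructed sample: 150 flows spread over 100..200 bytes, plus two
# outliers that fall outside the configured range and must be ignored.
SAMPLE_FLOWS = [Flow(f"flow-{i}", 100 + i % 101) for i in range(150)]
SAMPLE_FLOWS += [Flow("big", 5000), Flow("tiny", 40)]

if __name__ == "__main__":
    for cfg in ("lower,100,200", "upper,100,200"):
        kept = select_tracked_flows(SAMPLE_FLOWS, cfg)
        print(cfg, len(kept), kept[0].total_bytes, kept[-1].total_bytes)
```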
7.2.3 Changing parameters
By default, Trisul tracks 100 flows per tracker every 300 seconds. You can change this by clicking "Edit…" and adjusting the following parameters:
- Commit Interval Seconds: the granularity of storage. Default 300 seconds.
- How many flows should be stored every interval. Default 100.
Select Tools → Flow Tracker
7.2.5 Alerting on flow tracker activity
See Flow Tracker Alert section.