Perform Host Analysis
Note: This feature is enabled by a software plug-in, available at no charge to users with a current customer support contract.
The Host Analysis reporting plug-in allows you to gain insight into host and flow activity on your network. With this plug-in, you can display information formerly available only in the command-line interface using the hostdb info and traffic flow commands. Specifically, you can:
- List bandwidth utilization and flow information for hosts on the network. This list can consist of inside hosts, outside hosts, active hosts, or all hosts, and can be sorted by bandwidth utilization, new connections, failed connections, or host IP address.
- Find flows for a particular IP address, port number, or protocol. For each flow, the list provides the IP addresses of the conversation pair, the class name into which PacketShaper classified the flow, and the protocol of the flow.
- Drill down to find detailed flow information for a suspicious host (for example, one that is using excessive bandwidth or creating an inordinate number of connections or failed connections).
The plug-in offers two tables that display a host's activity:
Host Analysis Table
The Host Analysis table displays information about hosts that have communicated through the PacketShaper.
Enter information and make selections in the Host Criteria section to retrieve information about hosts into the Host Analysis table.
1. Specify the # of results to display. Default is 99.
2. Specify the IP address of the target host to limit the results to a specific host. Default is blank (retrieves all hosts).
3. Specify the Subnet mask to limit results to a specific subnet. Default is blank (retrieves all subnets).
4. Select a Range to limit the results to a particular type of activity:
- Inside only: displays hosts located on the inside of the Packeteer unit
- Outside only: displays hosts located on the outside of the Packeteer unit
- Unknown: displays only those hosts whose location relative to the PacketShaper is unknown
- Active only: displays currently active hosts
- Last 5 min.: displays all hosts with activity within the last five minutes (default)
- All: displays all hosts that have communicated through the Packeteer unit
5. Choose how to Rank By the results:
- Bandwidth: orders hosts by bandwidth used
- New Conn.: orders hosts by number of new connections
- Failed Conn.: orders hosts by number of failed connections
- Host IP: orders hosts by ascending IP address
6. Click get hosts to retrieve data into the Host Analysis table.
Notes:
- To restore the Host Criteria to their default settings, click reset.
- Each time you click get hosts, the results are saved on the Packeteer unit. You can access the results from recent host queries by making a selection from the Previous Host Commands drop-down list, located above the Host Analysis table.
- To clear all data from the Host Analysis and Flow Analysis tables, refresh the browser window by clicking Refresh on the browser's toolbar or by pressing F5.
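The Host Criteria filters and ranking above, applied to constructed host records. This is an added example, not PacketShaper or Packeteer code: the records mirror the Host Analysis table columns, and the suspicious-host thresholds in flag_suspicious are assumed values, not anything the plug-in defines.

```python
"""Filter and rank host records the way the Host Criteria section does."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class HostRecord:
    ip: str
    side: str          # "in" or "out", relative to the unit
    conns: int         # connections active when the query ran
    cur_bps: int       # current rate
    avg_bps: int       # one-minute moving average
    peak_bps: int      # highest rate reached (inbound + outbound)
    new_client: int    # new client connections per minute
    new_server: int    # new server connections per minute
    failed: int        # failed connections per minute


# Constructed sample data, not captured from a real unit.
SAMPLE_HOSTS = [
    HostRecord("10.1.1.5", "in", 12, 50_000, 40_000, 80_000, 3, 0, 0),
    HostRecord("10.1.1.77", "in", 340, 900_000, 700_000, 1_200_000, 250, 0, 180),
    HostRecord("10.1.2.9", "in", 4, 8_000, 9_000, 20_000, 1, 2, 0),
    HostRecord("198.51.100.20", "out", 60, 300_000, 250_000, 400_000, 0, 40, 2),
]

# The four Rank By options; negative keys give descending order.
RANK_KEYS = {
    "bandwidth": lambda h: -h.cur_bps,
    "new_conn": lambda h: -(h.new_client + h.new_server),
    "failed_conn": lambda h: -h.failed,
    "host_ip": lambda h: int(ipaddress.ip_address(h.ip)),
}


def select_hosts(hosts, ip=None, mask=None, side=None, rank_by="bandwidth", limit=99):
    """Apply IP/subnet, Range and Rank By criteria; return at most `limit` records."""
    if ip and mask:
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        hosts = [h for h in hosts if ipaddress.ip_address(h.ip) in net]
    elif ip:
        hosts = [h for h in hosts if h.ip == ip]
    if side in ("in", "out"):
        hosts = [h for h in hosts if h.side == side]
    return sorted(hosts, key=RANK_KEYS[rank_by])[:limit]


def flag_suspicious(hosts, max_new_per_min=100, max_failed_per_min=50):
    """Drill-down aid: IPs whose connection rates exceed the (assumed) thresholds."""
    return [h.ip for h in hosts
            if h.new_client + h.new_server > max_new_per_min or h.failed > max_failed_per_min]
```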
The following table describes the data displayed in the Host Analysis table.
| Column | Description |
| --- | --- |
| Host IP | IP addresses of hosts that have communicated through the PacketShaper. When Get Flows is enabled (default), clicking a host's IP address populates the Flow Analysis table with information about traffic flows for the specified host. |
| Side (in/out) | Indicates the location of the host (inside or outside) relative to the PacketShaper. |
| # of Conn. | The number of connections that were active when the get hosts button was clicked. |
| Bandwidth Utilization (bps) | The current, average, and peak bandwidth utilization of the host, measured in bits per second (bps). Current bps: the current rate for the host; Average bps: the one-minute moving average of the host's rate; Peak bps: the highest rate the host's connection has reached, as the sum of the inbound and outbound traffic relative to the host. |
| New Conn. per Minute | The number of new connections per minute. Depending on the application, a host can act as either a Client or a Server. Client: the number of new client application connections per minute made by this host; Server: the number of new server application connections per minute made by this host; Failed: the number of failed connections reported by the host. |
Flow Analysis Table
The Flow Analysis table displays traffic flow information for TCP connections and/or UDP sessions.
Retrieve Current Flows
Enter information and make selections in the current tab on the Flow Criteria section to retrieve information about current flows (that is, flows that have been active within the past 60 seconds).
1. Specify the IP address of the target host to limit the results to a specific host. Default is blank (retrieves flows for all hosts).
2. Specify the Class name to limit results to a specific class, such as Inbound/Default. Default is blank (retrieves flows for all traffic classes).
3. Specify a Port number to limit results to flows on a specific port. For example, enter 80 to retrieve only HTTP flows.
4. Specify the exact Service name to limit results to flows of a specific service, such as HTTP.
5. Specify the # of results to display. Default is 999.
6. Select the Active checkbox to display only active flows. Default is checked.
7. Select the TCP checkbox to display only TCP flows. Default is checked.
8. Select the UDP checkbox to display UDP flows in addition to TCP flows. Default is unchecked (UDP flows not displayed).
9. Click get flows to retrieve data into the Flow Analysis table.
Tip: To view flows for a specific host, click the host's IP address in the Host Analysis table.
Retrieve Recent Flows
In addition to viewing current flows, you can also view recent flows (that is, flows that occurred in the last hour but that are not currently active).
1. Click the recent tab on the Flow Criteria section of the Flow Analysis table.
2. Specify a class name, IP address, or DNS name as the Target for flow retrieval.
3. Click get flows to retrieve data into the Flow Analysis table.
Notes:
- Each time you click get flows, the results are saved on the Packeteer unit. You can access results of recent flow queries by making a selection from the Previous Flow Commands drop-down list, located above the Flow Analysis table.
- To restore the Flow Criteria to their default settings, click reset.
The following table describes the data displayed in the Flow Analysis table.
| Column | Description |
| --- | --- |
| Inside Host | Displays information about the inside host of the flow. IP Address: the IP address of the inside host; click the IP address to view all flows on that inside host. Port #: the port number of the inside host used by the flow; click the port number to view all flows on that port. |
| Classes | Displays the inbound and outbound traffic class for the traffic flow. |
| Outside Host | Displays information about the outside host of the flow. IP Address: the IP address of the outside host; click the IP address to view all flows on that outside host. Port #: the port number of the outside host used by the flow; click the port number to view all flows on that port. |
| Service | The service associated with the traffic flow. Click the service name to view all flows for that service. |
See also:
Tutorial: Detecting and Controlling Virus-Infested Hosts