Traffic Monitoring
Traffic Monitoring provides deep visibility into the network flows passing through your edges. This page covers two complementary capabilities: IPFIX/Flowprobe flow analytics and Suricata IDS/IPS threat detection.
IPFIX / Flowprobe Analytics
IPFIX (IP Flow Information Export) uses the VPP Flowprobe plugin to capture and export detailed traffic flow data from your edges.
Flow export must be enabled on each edge individually. To enable it, navigate to Edge > Configuration > Flow Export and turn on flow collection for the desired interfaces.
Flow Data
Each flow record captures:
| Field | Description |
|---|---|
| Source IP | The originating IP address of the flow. |
| Destination IP | The target IP address of the flow. |
| Source Port | The originating transport port. |
| Destination Port | The target transport port. |
| Protocol | The transport protocol (TCP, UDP, ICMP, etc.). |
| Bytes | Total bytes transferred in the flow. |
| Packets | Total packets in the flow. |
| Duration | How long the flow was active. |
Top Talkers
The Top Talkers view ranks source and destination pairs by bandwidth consumption. This helps you quickly identify:
- Which hosts are generating the most traffic.
- Whether a single host is consuming a disproportionate share of bandwidth.
- Unexpected high-volume flows that may warrant investigation.
Protocol Distribution
View a breakdown of traffic by protocol:
- TCP -- Web traffic, application data, file transfers.
- UDP -- DNS, VoIP, streaming media, VPN tunnels.
- ICMP -- Ping, traceroute, network diagnostics.
- Other -- Less common protocols (GRE, ESP, etc.).
The distribution is shown as both a chart and a table with exact byte and packet counts per protocol.
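The Top Talkers ranking and the Protocol Distribution breakdown above are both aggregations over the per-flow fields listed in the Flow Data table. The following Python is an added example (not code from the product or from the VPP Flowprobe plugin) that computes both over a handful of constructed flow records; it assumes records have already been decoded from IPFIX into the listed fields, and the protocol-number mapping covers only the buckets the page names.

```python
"""Top-talker ranking and protocol distribution over flow records.

Added example, not part of the product documentation. The records below are
constructed and carry the fields listed in the Flow Data table; decoding the
IPFIX wire format itself is assumed to have happened upstream.
"""
from collections import defaultdict
from dataclasses import dataclass

# IANA protocol numbers for the buckets named on the page; anything else
# falls into "Other" (GRE = 47, ESP = 50, ...).
PROTO_NAMES = {6: "TCP", 17: "UDP", 1: "ICMP"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int   # IP protocol number
    bytes: int
    packets: int
    duration_s: float


# Constructed sample flows (RFC 1918 / RFC 5737 addresses, made-up volumes).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 51234, 443, 6, 1_200_000, 900, 30.0),
    Flow("10.0.0.5", "203.0.113.10", 51235, 443, 6, 800_000, 600, 20.0),
    Flow("10.0.0.7", "10.0.0.53", 40000, 53, 17, 2_000, 10, 0.1),
    Flow("10.0.0.9", "198.51.100.4", 0, 0, 1, 5_000, 50, 5.0),
    Flow("10.0.0.8", "198.51.100.20", 0, 0, 47, 300_000, 250, 60.0),  # GRE
    Flow("10.0.0.7", "203.0.113.10", 40001, 443, 6, 50_000, 40, 2.0),
]


def protocol_label(proto: int) -> str:
    return PROTO_NAMES.get(proto, "Other")


def top_talkers(flows, n=3):
    """Rank (source, destination) pairs by total bytes, highest first."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.src_ip, f.dst_ip)] += f.bytes
    # Sort by bytes descending, then by address pair for a stable order.
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def protocol_distribution(flows):
    """Exact byte and packet totals per protocol bucket."""
    dist = defaultdict(lambda: {"bytes": 0, "packets": 0})
    for f in flows:
        bucket = dist[protocol_label(f.protocol)]
        bucket["bytes"] += f.bytes
        bucket["packets"] += f.packets
    return dict(dist)


def bandwidth_share(flows):
    """Fraction of all bytes sent by each source host."""
    total = sum(f.bytes for f in flows)
    per_host = defaultdict(int)
    for f in flows:
        per_host[f.src_ip] += f.bytes
    return {h: b / total for h, b in per_host.items()} if total else {}


def dominant_hosts(flows, threshold=0.5):
    """Source hosts whose share of bytes exceeds the threshold."""
    return sorted(h for h, s in bandwidth_share(flows).items() if s > threshold)


if __name__ == "__main__":
    for pair, total in top_talkers(SAMPLE_FLOWS):
        print(f"{pair[0]} -> {pair[1]}: {total} bytes")
    print(protocol_distribution(SAMPLE_FLOWS))
    print("dominant:", dominant_hosts(SAMPLE_FLOWS))
```

`dominant_hosts` is the programmatic form of the "disproportionate share" check: with the constructed data, 10.0.0.5 accounts for roughly 85% of all bytes and is the only host reported.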
Traffic Trends
Historical bandwidth patterns are displayed as time-series charts, allowing you to:
- Establish baseline traffic levels for your network.
- Identify recurring patterns (e.g., backup windows, business-hour peaks).
- Spot anomalies that deviate from normal patterns.
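Establishing a baseline and spotting deviations from it can be done on the same bytes-per-interval series the trend charts draw. The following Python is an added example, not the product's own charting or alerting logic: it assumes a constructed series of per-5-minute byte totals (as would be aggregated from flow records) and uses a median/MAD baseline with a robust z-score, which tolerates the occasional burst better than a mean/standard-deviation baseline would.

```python
"""Baseline and anomaly detection over a bandwidth time series.

Added example, not part of the product documentation. The series is
constructed bytes-per-5-minute totals; the 3.5 threshold and the 0.6745
scaling constant are the usual choices for a MAD-based robust z-score.
"""
from statistics import median

# Constructed: bytes per 5-minute bucket over one hour. 09:40 is a burst.
SAMPLE_SERIES = [
    ("09:00", 1_000_000), ("09:05", 1_100_000), ("09:10", 950_000),
    ("09:15", 1_050_000), ("09:20", 1_000_000), ("09:25", 980_000),
    ("09:30", 1_020_000), ("09:35", 1_010_000), ("09:40", 6_500_000),
    ("09:45", 1_000_000), ("09:50", 990_000), ("09:55", 1_030_000),
]


def baseline(values):
    """Robust baseline: median and median absolute deviation (MAD)."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def robust_z(value, med, mad):
    """Robust z-score; 0.6745 rescales MAD to a standard-deviation equivalent."""
    if mad == 0:
        # A flat series: anything off the median is infinitely far from it.
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def anomalies(series, threshold=3.5):
    """Return (label, value, z) for buckets that deviate from the baseline."""
    med, mad = baseline([v for _, v in series])
    flagged = []
    for label, value in series:
        z = robust_z(value, med, mad)
        if abs(z) > threshold:
            flagged.append((label, value, round(z, 2)))
    return flagged


if __name__ == "__main__":
    print("baseline (median, MAD):", baseline([v for _, v in SAMPLE_SERIES]))
    for label, value, z in anomalies(SAMPLE_SERIES):
        print(f"{label}: {value} bytes (z={z})")
```

Because the median and MAD are driven by the bulk of the buckets, the 09:40 burst does not inflate the baseline it is compared against; a mean-based baseline computed over the same window would have been pulled up by that single bucket.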
Suricata IDS/IPS Alerts
Suricata provides Intrusion Detection (IDS) and Intrusion Prevention (IPS) capabilities on your edges, analyzing traffic against a comprehensive set of threat signatures.
Suricata is a feature-gated capability. It may not be available for all tenants. If you do not see the Suricata section in your monitoring view, contact your administrator to check whether this feature is enabled for your tenant.
Alert Severity Levels
Suricata alerts are classified by severity:
| Severity | Description |
|---|---|
| Critical | Immediate threat requiring urgent attention. Active exploitation or compromise indicators. |
| High | Significant threat that should be investigated promptly. Known malware signatures or exploit attempts. |
| Medium | Moderate risk. Suspicious activity that may indicate reconnaissance or policy violations. |
| Low | Minor concern. Potentially unwanted traffic or informational policy matches. |
| Info | Informational only. Normal traffic that matches a monitoring rule. |
Alert Details
Each alert includes:
- Signature -- The rule that triggered the alert, including its SID (Signature ID) and description.
- Source / Destination -- The IP addresses and ports involved in the flagged traffic.
- Timestamp -- When the alert was generated, displayed in your configured timezone.
- Classification -- The category of threat (e.g., "Attempted Information Leak", "A Network Trojan was Detected").
Alert Trends
View alert counts over time to identify:
- Spikes in alert activity that may correlate with an attack or misconfiguration.
- Persistent low-level alerts that may indicate ongoing reconnaissance.
- The effectiveness of security policy changes in reducing alert volume.
Alert trend charts can be filtered by severity level, allowing you to focus on critical and high alerts while suppressing informational noise.
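The three trend questions above (spikes, persistent low-level activity, and the effect of filtering by severity) can all be answered from the per-alert fields listed under Alert Details. The following Python is an added example, not code from the product or from Suricata: it works on constructed alert records using the page's severity labels, the SIDs and signature names are placeholders rather than real ruleset entries, and the hourly bucketing, the spike factor and the "persistent" threshold are assumptions chosen for illustration.

```python
"""Alert trend aggregation over Suricata-style alert records.

Added example, not part of the product documentation. Records are
constructed with the fields listed under Alert Details; SIDs and signature
names are placeholders. Severity labels are the page's own; how the product
maps Suricata's numeric priority onto them is not covered here.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}


@dataclass(frozen=True)
class Alert:
    timestamp: str        # ISO-8601, UTC
    sid: int
    signature: str
    classification: str
    severity: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _a(ts, sid, sig, cls, sev, src, sport, dst, dport):
    return Alert(ts, sid, sig, cls, sev, src, sport, dst, dport)


# Constructed sample alerts over four hours; one external host probes SSH
# every hour at Low severity, and one hour carries a burst of serious alerts.
SAMPLE_ALERTS = [
    _a("2024-05-01T10:05:00Z", 9000001, "SCAN port sweep (placeholder)",
       "Attempted Information Leak", "Low", "198.51.100.7", 44001, "10.0.0.5", 22),
    _a("2024-05-01T10:40:00Z", 9000002, "POLICY monitored protocol (placeholder)",
       "Not Suspicious Traffic", "Info", "10.0.0.8", 50000, "203.0.113.9", 443),
    _a("2024-05-01T11:10:00Z", 9000001, "SCAN port sweep (placeholder)",
       "Attempted Information Leak", "Low", "198.51.100.7", 44002, "10.0.0.6", 22),
    _a("2024-05-01T11:30:00Z", 9000003, "SUSPICIOUS user-agent (placeholder)",
       "Potentially Bad Traffic", "Medium", "10.0.0.9", 50123, "203.0.113.20", 80),
    _a("2024-05-01T12:02:00Z", 9000004, "MALWARE C2 beacon (placeholder)",
       "A Network Trojan was Detected", "Critical", "10.0.0.12", 49152, "203.0.113.44", 443),
    _a("2024-05-01T12:05:00Z", 9000005, "EXPLOIT attempt (placeholder)",
       "Attempted Administrator Privilege Gain", "High", "198.51.100.30", 39000, "10.0.0.5", 445),
    _a("2024-05-01T12:06:00Z", 9000005, "EXPLOIT attempt (placeholder)",
       "Attempted Administrator Privilege Gain", "High", "198.51.100.30", 39001, "10.0.0.6", 445),
    _a("2024-05-01T12:20:00Z", 9000001, "SCAN port sweep (placeholder)",
       "Attempted Information Leak", "Low", "198.51.100.7", 44003, "10.0.0.7", 22),
    _a("2024-05-01T12:35:00Z", 9000003, "SUSPICIOUS user-agent (placeholder)",
       "Potentially Bad Traffic", "Medium", "10.0.0.9", 50124, "203.0.113.20", 80),
    _a("2024-05-01T12:50:00Z", 9000002, "POLICY monitored protocol (placeholder)",
       "Not Suspicious Traffic", "Info", "10.0.0.8", 50001, "203.0.113.9", 443),
    _a("2024-05-01T13:15:00Z", 9000001, "SCAN port sweep (placeholder)",
       "Attempted Information Leak", "Low", "198.51.100.7", 44004, "10.0.0.8", 22),
]


def hour_key(ts: str) -> str:
    """Bucket an ISO-8601 timestamp to the hour, e.g. '2024-05-01T12'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).strftime("%Y-%m-%dT%H")


def at_least(alerts, min_severity):
    """Severity filter: keep alerts at or above the given level."""
    floor = SEVERITY_RANK[min_severity]
    return [a for a in alerts if SEVERITY_RANK[a.severity] >= floor]


def hourly_counts(alerts, min_severity="Info"):
    """Alert counts per hour, optionally suppressing lower severities."""
    counts = Counter(hour_key(a.timestamp) for a in at_least(alerts, min_severity))
    return dict(sorted(counts.items()))


def spike_hours(counts, factor=2.0):
    """Hours whose count exceeds factor x the median hourly count."""
    if len(counts) < 2:
        return []
    med = median(counts.values())
    return [h for h, c in counts.items() if c > factor * med]


def persistent_sources(alerts, max_severity="Medium", min_hours=3):
    """Sources seen in at least min_hours distinct hours at Low..max_severity."""
    ceiling = SEVERITY_RANK[max_severity]
    hours_seen = defaultdict(set)
    for a in alerts:
        if 1 <= SEVERITY_RANK[a.severity] <= ceiling:   # Low and up, Info excluded
            hours_seen[a.src_ip].add(hour_key(a.timestamp))
    return sorted(ip for ip, hs in hours_seen.items() if len(hs) >= min_hours)


if __name__ == "__main__":
    all_counts = hourly_counts(SAMPLE_ALERTS)
    print("all severities:", all_counts, "spikes:", spike_hours(all_counts))
    print("High and above:", hourly_counts(SAMPLE_ALERTS, "High"))
    print("persistent low-level sources:", persistent_sources(SAMPLE_ALERTS))
```

Running the same aggregation before and after a policy change, with the same severity filter, is the quantitative form of the "effectiveness of security policy changes" check; the filtered view (`hourly_counts(..., "High")`) is what the page describes as suppressing informational noise.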