5.2. Default dashboards
Trisul ships with a bunch of default dashboards which you will be seeing as soon as you first log in. This page describes each of them.
Dashboard modules help
Hover your mouse over the ‘?’ icon to get a description of the module.
5.2.1 Current Hosts
A live view of current host activity. Internal hosts are shown on the left side and the external hosts on the right side. Hosts are automatically classified as internal or external based on the Home Networks. Under the screenshot you can find a description of each module.
The Hosts dashboard consists of the following modules
|Inbound Vs Outbound||Inbound vs outbound traffic relative to your home network|
|Active Flows||Number of active flows|
|Top Internal Hosts – Total||Top Internal Hosts by Total traffic, you can click on “More” to see more|
|Top External Hosts – Total||Top External Hosts by Total traffic|
|Top Internal Hosts – IN||Top Internal Hosts by with most received traffic (downloaders)|
|Top External Hosts – IN||Top External Hosts by with most received traffic (downloaders)|
|Top Internal Hosts – OUT||Top Internal Hosts by most sent traffic (uploaders)|
|Top External Hosts – OUT||Top External Hosts by most sent traffic|
|Top Internal Hosts – Connections||Top Internal Hosts by most “Active Connections”. The numbers indicate a count of currently active connections (flows) for that host|
|Top External Hosts – Connections||Top External Hosts by “Active Connections IP”|
5.2.2 Current Apps
The Apps dashboards show a live view of the applications currently active in your network. The left column contains the current bandwidth being used by each application and the right column contains the total transferred over the past 6 hours. You can change the time interval using the time window dropwdown.
The modules in it are
|Application Trends||Top applications into and out of your network. This is a trend report that only shows the toppers traffic trends.|
|Live Apps By Total||Bandwidth used by the Top-K applications – total traffic|
|Live Apps By Connection||Top applications by concurrent connections. These are IP connections – UDP/TCP/ICMP etc|
|Live Apps Into Network||Bandwidth used by Top-N applications downloading data into your home network|
|Live Apps Outof Network||Bandwidth used by Top-N application uploading data out of your home network|
|Apps By Total||Volume (GB) transferred by top-K apps|
|Apps By Connection||Apps by connections over the time|
|Apps By Volume Incoming||Volume of data (GB) per App downloading data into your home network|
|Apps By Volume Outgoing||Volume of data (GB) per App uploading data out of your home network|
5.2.3 Live network summary dashboard
Automatically updated overview of network summary activites.
Monitor live the following in easy charts with Click Through to more drilldown.
- total 24-hr bandwidth with yesterdays chart for comparison
- alert counts, total volume
- topper hosts, apps, external hosts
- system performance,
- security alert trends
Shows Top Internal Hosts, External Hosts, and Apps in 1-min real time.
Modules in the Live Overview dashboard
A top level overview of network activity.
|Total Bandwidth Seen||Total Bandwidth currently being used|
|Trisul Server Health||Probe database and system status|
|Current Top Host Chart||Top host by total traffic in a pie chart|
|Current Top Host-List View||Top hosts by total traffic|
|Current Top Apps Chart||Top Apps by total traffic in a pie chart|
|Current Top Apps-List View||Top Apps by total traffic|
A view of network activity from a security viewpoint. This dashboard is most useful when you have connected Trisul to an IDS feed.
|Alert Types||A trend of recent alert types seen over a time interval|
|Alert Types and volumes||An experimental bubble visualization of alert activity|
|Total Bandwidth Seen||Total bandwidth for reference purposes|
|Alert Activity||Alert volume (alert/min) seen|
|Intrusion Detection Alerts||Top IDS alerts as detected by Snort/Suricata|
|Aggregated Alerts||Number of IDS alerts seen in the time period aggregated by alert type|
|TCP Activity||Number of TCP, SYN/SYN ACK, per minute seen over the time interval|
|ARP Flood Activity||ARP bandwidth seen over time|
|ICMP Flood Activity||ICMP activity over time. A flood can be detected as an abnormal spike|
|Recently Fired Alert Types||Alert types seen in the most recent interval|
|Recently Fired Alert Classes||Alert classes seen in the most recent interval. This maps to the alert classification as done by Snort.|
|Recent Attackers||A list of top hosts from which IDS alerts have originated as attacks.|
|Recent Victim Host||A list of hosts which IDS alerts indicate have been victims of attacks. Note that this does not mean they were breached, but only that the hosts were being attacked.|
|TCP Originators||Top TCP connections originators|
|TCP Targets||Top TCP targets|
Shows most significant currently active IP flows. This is based on Flow Trackers a special type of streaming analytics snapshot used in Trisul. The following classes of flows are displayed.
|Top Flows by Volume||Top N flows transferring most number of bytes|
|Top OUT flows||Top N flows uploading data out of your home network|
|Top Long Lived Flows||Top N long duration flows. This could indicate remote desktops, SSH logins, that are not transferring much data but are nevertheless suspects for exfiltration.|
|Top IN flows||Downloading data into your home network|
|Top TCP Upload flows||Top TCP Flows uploading data out your home network. The difference between this and the Top UPLOAD Flows is this group measure actual Payload transferred via TCP , the first one includes all payloads+ retransmissons+TCP/IP headers.|
|Top DOWNLOAD flows||Top TCP Flows downloading data into your home network. Payload based|
Flows tracked include TCP/UDP/GRE/IPSEC/ and all flows at IP Layer.
5.2.6 ASN Monitoring
Monitor traffic by ASN. Helps you with planning peering relationships with Autonomous Systems at Gateway points.
Monitor Total volume per AS
Monitor Time series traffic profile per AS
The Autonomous System traffic is monitored using two mechanisms
- From packets
- using a built in database of AS IP Prefixes
- From netflow
- from border routers peering AS BGP information
5.2.7 Country Location based Traffic monitoring
Monitor traffic uploaded and download on a per-Country basis. The Country Code can also be added to every single flow using Automatic Flow Taggers The included statistics are Top-K, Time Series Traffic Profile for planning and trending, and Bottom-K for outlier and security applications. You can even map the traffic down to the City/County level.
Traffic upload and download
Keep track of which countries give most traffic , flows, Top-N, Bottom-N and Time series trending supported.
You can put in your Google API key to plot the top traffic sources and destinations on a Geographical map as well. To enter your Google API
5.2.8 Real Time Alerts
A real time visualization of IDS alert activity. Note this is true realtime using WebSockets PUSH. The dashboard is described in detail in IDS Alert Stabber
Real Time Stabbers are a Trisul feature that allow the Trisul Probe network to directly push events on to the browser.
|Options Toolbar||Allows you to select options for Pivot (which field to pivot), Timeframe, and Scaling|
|Bubbles by Signature||An interactive visualization showing alert activity over time|
|Alerts as they come in||Recently pushed raw alerts|
|Aggregated alerts||Alerts types aggregated by time|
5.2.9 Real Time Traffic
A real time 1-second view of network traffic. This dashboard uses the underlying Real Time Stabbers framework. The stats are pushed directly to the browser from the Probe network, so the data is typically 1-2 seconds real time.
|IN/OUT bandwidth||Real time In vs Out network bandwidth usage. In/Out are relative to the Home Network you have configured.|
|Total Bandwidth||Total bandwidth seen|
|Top Internal Hosts||Currently active Internal Hosts|
|Top Applications||Currently active top applications|
Real time stabbers
You can watch any metric , Top-K, or Flows in real time using the Real Time Stabbers
5.2.10 Active Keys Monitor
A live view of the number of active keys in all counter groups. The purpose of this dashboard is to give you a one-page idea of the cardinality of your network from various different angles. For example : Do you know how many external hosts you have active over time?
For each counter group the following information is displayed
|Name||Counter group name. Clicking will take you to the “Long Term Charts” page showing the active keys|
|Sparkline||Number of active unique keys over the past 24 hrs . Use this to detect any abnormalities|
|Active Keys||Total number of keys currently active|
|New Keys||New Keys seen in last time interval|
|Water marks||Hi and Lo Water marks for the counter group|
5.2.11 System Performance
A very important dashboard to help you keep tabs of your Trisul Probe performance. The metrics shown here are not related to the network but to the Trisul Probes themselves.
|Global Flush Time||How much time it took for a streaming snapshot interval to finish. You may see “GlobalFlush-1” “GlobalFlush-0” etc. These represent the number of parallel streaming pipelines we have.|
|Memory Usage||Memory used by the system and the memory used by Trisul Probe instance|
|Packets Dropped||Packets dropped by each front-end parallel streaming pipeline. For example : Each AF_PACKET fanout would instantiate a separate parallel streaming engine. The total packets dropped is a sum of all the items shown|
|Packets processed||Number of packets processed by each streaming frontend pipeline|
|Packets drop percent||Represents the total dropped packets/total packets processed|
|Disk I/O||Read and Write I/O rates. When you have the Packet Ring enabled this can be useful measure disk load|
|Disk Bandwidth||A very useful statistic. Tells you at how much Mbps is the data throughput to disk. In a steady state with full packets enabled, a 100Mbps traffic monitor would also result in a 100Mbps disk bandwidth|
5.2.12 More dashboards
There are dozens of other dashboards like this and you can create your own. Clicking on the “Show All” menu item brings up a list of all dashboards. You can check them out one by one.
The intent of this page is to give you an idea of the default dashboards we have pinned to the menu out of the box.
See also Some interesting dashboards