PRTG Manual: Toplists

Packet Sniffer and xFlow (NetFlow, jFlow, sFlow, IPFIX) sensors can not only measure total bandwidth usage, they can also break down traffic by IP address, port, protocol, and other parameters. The results are shown in so-called Toplists. This way, PRTG is able to tell which IP address, connection, or protocol uses the most bandwidth.

PRTG looks at all network packets (or streams) and collects the bandwidth information for all IPs, ports, and protocols. At the end of the Toplist period, PRTG only stores the top entries of each list in the database.

Only Top Entries are Stored

Storing all available analysis data in a database during the analysis process would create a huge amount of data. Transferring this data between probe and core would be very slow, and retrieving it would also be too slow. By only storing the top 100 entries for short periods of time, it is possible to reduce the amount of data to a minimum while still being able to identify devices with huge bandwidth usage.

Toplists Overview

Toplists are available for xFlow, IPFIX, and Packet Sniffer sensors only. Toplist graphs are displayed on the sensor's Overview tab. By default, there are three different, predefined Toplists for each sensor:

  • Top Connections: Shows bandwidth usage by connection.
  • Top Protocols: Shows bandwidth usage by protocol.
  • Top Talkers: Shows bandwidth usage by IP address.
     
Toplist Top Protocols for a Packet Sniffer Sensor

  • Click one of these items to view a distribution chart and a list of source IP and destination IP and port, protocols, or kinds of traffic in different channels, for example. What kind of information is available depends on the list you select.
  • Click an entry in the Toplist periods list on the left side to view data for a certain time span. By default, a time span of 15 minutes is set. You can also manually define the start and end time of the Toplist period that you want to view. Use the date time picker to enter the date and time. Additionally, several table list options are available.
  • To print a Toplist, click the Print This Toplist button to view a printer-friendly version. Use the print option of your browser to send it to your printer.
  • Click the Sensor Overview button to return to the current sensor's Overview tab. For a quick selection of other Toplists of the current sensor, click one of the Toplist icons at the top of the page.
  • You can add new Toplists, or edit or delete existing Toplists, on the sensor's Overview tab.

Add

Click the Add Toplist button on the sensor's Overview tab to create a new Toplist. The available options are the same as for editing a list.

Edit

Click the small gear icon of a Toplist tile on the sensor's Overview tab to modify it.

Toplist

Name

Enter a meaningful name to identify the Toplist.

Type

  • Top Talkers (Which IPs use the most bandwidth?): Shows bandwidth usage by IP address.
  • Top Connections (Which connections use the most bandwidth?): Shows bandwidth usage by connection.
  • Top Protocols (Which protocols use the most bandwidth?): Shows bandwidth usage by protocol.
  • Custom (Create your own Toplist): Create your own Toplist by selecting criteria below.

Toplist Fields

This field is only visible if you enable Custom (Create your own Toplist) above. Select the fields that you want to add to the Toplist by adding a check mark in front of the respective field name. The available options depend on the sensor. They are different for Packet Sniffer, NetFlow v5, v9 (and IPFIX), and sFlow.

For performance reasons, only select the fields you really want to monitor.

For more information, see section Performance Considerations below.

Period (Minutes)

Define the interval in minutes for the Toplist. Enter an integer value. Toplists always cover a certain time span. Once a time span has passed, the top results are stored and a new Toplist is started.

To avoid load problems on your probe system, do not set this interval too long. The default setting is 15 minutes.

For more information, see section Performance Considerations below.

Top Count

Define the length of your Toplist. Only this number of entries is stored for each period. Enter an integer value.

To avoid load problems on your probe system, set this value as low as possible. The default setting is 100 to store the top 100 entries for each period.

For more information, see section Performance Considerations below.

Reverse DNS

Define if you want to do a reverse Domain Name System (DNS) lookup for IP addresses stored in the Toplist:

  • Reverse DNS lookup for IPs: Determine the domain name associated with an IP address and show it in the Toplist.
  • No reverse DNS lookup (faster): Show IP addresses only. Choose this option to increase performance.

Probe/Core Data Transfer

Define how the probe sends the Toplist data set to the PRTG core server:

  • According to sensor interval (default): Send data in the scanning interval defined in the settings of the sensor for which you create this Toplist. This can create a lot of bandwidth and CPU load with many Packet Sniffer sensors, complex traffic, or long Toplists.
  • Wait until Toplist period ends (less CPU and bandwidth usage): Send data once a Toplist period has finished. This creates less bandwidth usage and CPU load, but you cannot see the current Toplist in the web interface, only Toplists with finished periods.

For more information, see section Performance Considerations below.

Memory Limit (MB)

Define the maximum amount of memory in MB that the probe uses for collecting the different connection information. Every Toplist adds its amount to the probe's memory consumption. Increase this value if the number of captured connections is not sufficient. Enter an integer value.

Save your settings. If you change tabs or use the main menu, all changes to the settings are lost.

Delete

Click the Delete button of a Toplist tile in the sensor overview to delete it. Confirm with Delete to delete the Toplist.

Details

Click the Open in New Window button of a Toplist tile in the sensor overview to show details of a Toplist in a new window.

Performance Considerations

If you create Toplists for data lines with considerable usage (for example, steady bandwidth over 10 Mbit/s) or if the traffic is very diverse (for example, many IPs or ports with only little traffic each), consider the following aspects:

  • The probe gathers all information needed for the Toplist in RAM during each period. Only the top 100 entries are transferred to the core. Depending on the Toplist type and the traffic patterns, the required memory can grow into many megabytes.
  • Choose periods that are as short as possible (especially important when traffic is highly diverse) to minimize memory usage.
  • Memory requirements can grow almost exponentially with each field used in the Toplist definition (depending on the traffic pattern). Avoid complex Toplists for high and diverse traffic. For example, Top Connections (5 fields) needs a lot more memory than Top Talkers (1 field).
  • If you experience high bandwidth usage between core and probe, try the Wait until Toplist period ends option in the Toplist settings.
  • If you experience "Data incomplete, memory limit was exceeded" messages, try to increase the memory limit in the Toplist settings but keep an eye on the memory usage of the probe process.
  • To increase the performance of a Toplist, disable the reverse DNS lookup.
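
The following added illustration (not PRTG code) models one Toplist period to show why the number of fields drives probe memory while only the top entries are stored. The field names, the constructed sample flows, keying Top Talkers on the source IP only, and the entry-count cap standing in for the Memory Limit (MB) setting are all assumptions.

```python
from collections import Counter

# Positions of the fields in each constructed flow record (names are assumptions).
FIELDS = {"src_ip": 0, "dst_ip": 1, "src_port": 2, "dst_port": 3, "protocol": 4}
BYTES = 5

def sample_flows():
    """Constructed traffic: 20 clients x 5 servers x 3 source ports = 300 flows."""
    return [
        (f"10.0.0.{c}", f"192.0.2.{s}", 40000 + p, 443, "TCP", 1000 * c + s)
        for c in range(1, 21) for s in range(1, 6) for p in range(3)
    ]

def build_toplist(flows, fields, top_count=100, max_entries=None):
    """Aggregate one Toplist period.

    Returns (top, held, complete): the entries that would be stored, the
    number of keys held in RAM during the period, and whether every flow
    was counted. max_entries is a simplified stand-in for a memory limit.
    """
    idx = [FIELDS[name] for name in fields]
    table = Counter()
    complete = True
    for flow in flows:
        key = tuple(flow[i] for i in idx)
        if key not in table and max_entries is not None and len(table) >= max_entries:
            complete = False  # new key dropped: the period's data is incomplete
            continue
        table[key] += flow[BYTES]
    return table.most_common(top_count), len(table), complete

if __name__ == "__main__":
    flows = sample_flows()
    talkers = build_toplist(flows, ["src_ip"], top_count=10)
    conns = build_toplist(flows, list(FIELDS), top_count=10)
    capped = build_toplist(flows, list(FIELDS), top_count=10, max_entries=100)
    print("1 field :", talkers[1], "keys in RAM,", len(talkers[0]), "stored")
    print("5 fields:", conns[1], "keys in RAM,", len(conns[0]), "stored")
    print("capped  :", capped[1], "keys in RAM, complete =", capped[2])
```

On the same traffic, the one-field list holds 20 keys during the period and the five-field list holds 300, although both store only 10 entries at the end.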

Notes

  • When working with Toplists, be aware that privacy issues can come up for certain configurations of this feature. Using Toplists, you can track all single connections of an individual PC to the outside world and you, as the administrator, must make sure it is legal for you to configure PRTG like this.
  • Keep in mind that Toplists can be viewed through the web interface. You may not want to show lists of domains used in your network to others, so restrict access rights to sensors that have Toplists.
  • Note that diagrams, for example for top connections, are not meant to be used for detailed analysis. Instead, they should indicate if there is an uncommon, bigger change in this Toplist.
