<%NUMBERING1%>.<%NUMBERING2%>.<%NUMBERING3%> PRTG Manual: Toplists

Packet Sniffer and xFlow (NetFlow, jFlow, sFlow, IPFIX) sensor types can not only measure the total bandwidth usage, they can also break down the traffic by IP address, port, protocol, and other parameters. The results are shown in so-called Toplists. This way PRTG is able to tell which IP address, connection, or protocol uses the most bandwidth.

PRTG looks at all network packets (or streams) and collects the bandwidth information for all IPs, ports, and protocols. At the end of the toplist period, PRTG only stores the top entries of each list in its database.

Only Top Entries are Stored

Storing all available analysis data in a database during the analysis process would create a huge amount of data, which would be very slow to transfer between probe and core and also retrieving data would be too slow. By storing only the top 100 entries for short periods of time it is possible to reduce the amount of data to a minimum while still being able to identify devices with huge bandwidth usage.

Toplists Overview

Toplists are available for xFlow, IPFIX, and Packet Sniffer sensors only. Toplist graphs are displayed right on the sensor overview page. By default, there are three different toplists predefined for each sensor:

  • Top Connections: Shows bandwidth usage by connection.
  • Top Protocols: Shows bandwidth usage by protocol.
  • Top Talkers: Shows bandwidth usage by IP address.
     
Toplist Top Protocols for a Packet Sniffer Sensor

Toplist Top Protocols for a Packet Sniffer Sensor

  • Click one of these items to view a distribution chart and a list of source and destination IP and port, protocols, kind of traffic in different channels, for example. What kind of information is available depends on the list selected.
  • Click an entry in the Toplist periods list on the left side to view data for a certain time span. By default, a time span of 15 minutes is set. You can also manually define start and end time of the Toplist period you want to view. Use the date time picker to enter the date and time. Additionally, several table list options are available.
  • To print a Toplist, click the Print This Toplist button to view a printer-friendly version. Use the print option of your browser to send it to your printer.
  • With Sensor Overview you can return to the current sensor's Overview tab. For a quick selection of other Toplists of the current sensor, click one of the Toplist icons at the top of the page.
  • You can add or delete new Toplists, or edit existing ones on the sensor's Overview tab,

Add

Click the Add Toplist tile in the sensor overview to create a new Toplist. The available options are the same as for editing a list.

Edit

Click the small gear icon of a Toplist tile in the sensor overview to modify it.

Toplist

Name

Enter a meaningful name to identify the toplist.

Type

  • Top Talkers (Which IPs use the most bandwidth?): Shows bandwidth usage by IP address.
  • Top Connections (Which connections use most bandwidth?): Shows bandwidth usage by connection.
  • Top Protocols (Which protocols use the most bandwidth?): Shows bandwidth usage by protocol.
  • Custom (Create your own Toplist): Create your own list by selecting criteria below.

Toplist Fields

This setting is only available if you select a custom type above. Select the fields you want to add to the Toplist by adding a check mark in front of the respective field name. The available options depend on the type of sensor used. They are different for Packet Sniffer, NetFlow v5, v9 (and IPFIX), and sFlow.

icon-i-roundFor performance reasons, only select the fields you really want to monitor. Please see Performance Considerations section below.

Period (Minutes)

Define the interval for the Toplist in minutes. Please enter an integer value. Toplists always cover a certain time span. Once a time span has passed, the top results are stored and a new Toplist is started.

icon-i-roundTo avoid load problems on your probe system, please do not set this interval too long. Default setting is 15 minutes. Please see Performance Considerations section below.

Top Count

Define the length of your Toplist. Only this number of entries will be stored for each period. Please enter an integer value.

icon-i-roundTo avoid load problems on your probe system, please set this value as low as possible. Default setting is 100 to store the top 100 entries for each period. Please see Performance Considerations section below.

Reverse DNS

Define if you want to do a reverse Domain Name Service (DNS) lookup for IP addresses stored in the Toplist. Choose between:

  • Do a reverse DNS lookup for IPs: Determine the domain name associated with an IP address and show it in the Toplist.
  • Do no reverse DNS lookup (faster): Show IP addresses only. Choose this option to increase performance.

Probe/Core Data Transfer

Define how the probe sends the Toplist data set to the core server. Choose between:

  • According to sensor interval (default): Send data in the interval defined in the settings of the sensor for which you create this Toplist. This can create a lot of bandwidth and CPU load with many sniffer sensors, complex traffic, or long Toplists.
  • Wait until Toplist period ends (less CPU and bandwidth usage): Send data once a Toplist period has finished. This will create less bandwidth usage and CPU load, but you cannot see the current Toplist in the web interface, only Toplists with finished periods.

For more information, please see Performance Considerations section below.

Memory Limit (MB)

Define the maximal amount of memory in MB that the probe will use for collecting the different connection information. Every Toplist adds its amount to the probe's memory consumption. Increase this value if the number of captured connections is not sufficient. Please enter an integer value.

Click Save to save your settings. If you change tabs or use the main menu, all changes to the settings will be lost!

Delete

Click the small trashcan icon of a Toplist tile in the sensor overview to delete it. Confirm with Delete to delete the list.

Details

Click on the windows symbol to show details of a Toplist.

Performance Considerations

If you create Toplists for data lines with considerable usage (for example, steady bandwidth over 10 Mbit/s) or if the traffic is very diverse (for example, many IPs or ports with only little traffic each) please consider the following aspects:

  • The probe gathers all information needed for the Toplist in RAM memory during each period. Only the top 100 entries are transferred to the core. Depending on the Toplist type and traffic patterns, the required memory can grow into many megabytes.
  • Choose periods that are as short as possible (especially important when traffic has a high level of diversity) to minimize memory usage.
  • Memory requirements can grow almost exponentially with each field used in the Toplist definition (depending on traffic pattern). Avoid complex Toplists for high and diverse traffic. For example, Top Connections (5 fields) needs a lot more memory than Top Talkers (1 field).
  • If you experience high bandwidth usage between core and probe, try to choose the Wait until Toplist period ends option in the Toplist settings.
  • If you experience Data incomplete, memory limit was exceeded messages, try to increase the memory limit in the Toplist settings but keep an eye on the memory usage of the probe process.
  • To increase the performance of a Toplist, disable the reverse DNS lookup.

Notes

  • When working with Toplists, be aware that privacy issues can come up for certain configurations of this feature. Using Toplists you can track all single connections of an individual PC to the outside world and you, as the administrator, must make sure it is legal for you to configure PRTG like this.
  • Keep in mind that Toplists can be viewed through the web interface. You may not want to show lists of domains used in your network to others, so restrict access rights to sensor types having Toplists.
  • Note that diagrams, for example, for top connections are not meant to be used for detailed analysis. Rather they should indicate if there is an uncommon bigger change in this Toplist.

More

 

Ajax Web Interface—Advanced Procedures—Topics

Other Ajax Web Interface Sections

Related Topics

Keywords: Flow,Flow Toplists,Packet Sniffing,Packet Sniffing Toplists,Toplists