| ourmon intro | main page | no-refresh page | radar page | help | download/sourceforge project page | app notes/bugs/distro info |
| basic net info | dns | bpf-protocols | bpf-errors | topn reports | topn | tcpsyn | tcpworm | icmperrors | udperrors | topn-ports | scanning | weekly event logs/summarizations |
|
|
|
|
|
|
|
|
|
|
|
Major IP Protocols pkts/sec:
|
|
L2 unicast/multicast/broadcast bits/sec:
|
|
|
L2 packet size distribution pkts/sec:
|
|
dns query stats
|
dns bpf stats
|
|
dns queries vs query errors
|
dns basic error breakdown
|
PSU specific BPFS:
|
cross DMZ traffic (OIT/MCECS) vs Inet:
|
traffic with other OUS institutions:
|
|
major bignets on campus
|
wireless nets
|
|
subnets1
|
subnets2
|
|
subnets3
|
subnets4
|
|
subnets5
|
subnets6
|
|
subnets7
|
subnets8
|
|
hosts1
|
|
news versus web traffic plus remainder:
|
|
|
estimate of p2p traffic based on BPF/ports:
|
campus email TCP connection count:
|
VPN traffic
|
|
total campus ICMP unreachable errors:
|
total campus TCP control packet counts:
|
RRDTOOL graph of topn ip basic flow counts (flows/sec):
|
RRDTOOL graph of topn hash inserts (inserts/30 sec):
|
top talker (top_n) flows based on IP source (info)
Top N IP flows(expand)The syn scanner filter includes many features including the port signature report and a more detailed version of the port report found below called the "tcpworm.txt" report. We also show the RRDTOOL "worm" activity graph, which shows the total count of TCP syn-sending IP sources that have exceeded a certain baseline threshold. This graph is used to indicate the existance of large (often botnet-controlled) attacks. After that one finds a graph that shows the average work weight for the network as a whole (all hosts), worms, and P2P apps. Last we show the topn_syn histogram which displays the top syn sending hosts. Here is the port signature report (portreport.txt) and its longer cousin (tcpworm.txt).
The following graph uses a weighted scheme to show which particular IP source is generating UDP packets which cause the most ICMP errors. It has two forms: first you may view the information as an ASCII report which has more details. This report is called the udp port signature report . Second, you may view the information in the histogram graph below.
top/current UDP error generators (info)
Top N UDP errors(expand)Here we have top talker histograms showing scanning activity. These graphs are all 1 source to many destinations. There are four types as follows:
One IP src to many IP destinations:Note that the current daily summarization is run hourly "today". Previous days represent the midnight final summarization and thus are daily reports. IP/UDP/ICMP flows are bits/second. Syns are counted per sample period, and sorted by max syn count with total syn count, fin count, and resets shown. The "flow id" for syns is simply an ip address.
| all worms today (run hourly) | yesterday (run daily) | today - 2 days | today - 3 days | today - 4 days | today - 5 days | today - 6 days | today - 7 days | today - 8 days |
| front-end events for today | yesterday | today - 2 days | today - 3 days | today - 4 days | today - 5 days | today - 6 days | today - 7 days | today - 8 days |