1. Navigate to Performance Monitoring > Network Performance.
The Overview page is displayed by default.
OVERVIEW
The Overview Dashboard provides a high-level summary of network activity, traffic distribution, protocol usage, and potential security threats. It is useful for quickly assessing the health of the network.
- Servers and Clients (bytes): Visual representation of data transfer between servers and clients.
- IP Versions and Protocols (bytes): Breakdown of network traffic by IP version and protocol (IPv4, TCP, UDP, and ICMP traffic).
- Threat Monitoring: Treemap visualization of the threat categories observed in network traffic. Each block represents a specific type of suspicious network activity, and the size of each block helps security teams prioritize threats by severity and frequency of occurrence.
- Autonomous Systems (bytes): Network traffic volume classified by Autonomous System Number (ASN). When all traffic is shown under the "PRIVATE" ASN, it originates from internal (non-public) IP ranges.
- Service Usage (bytes): Network traffic broken down by service and protocol, showing which services consume the most bandwidth and helping to detect unusual service activity.
Top-N
The Top-N section in the Network Performance Monitoring module provides insights into the top-performing network entities based on various metrics such as clients, servers, throughput, and conversations. The Talkers page is displayed by default.
1. Talkers: Displays the most active network endpoints (clients and servers).
- Workstations & Servers: Displays the total number of active client devices in the network and the number of active servers handling network requests.
- Network Throughput: Network throughput (bits per second) over time, sampled every 60 seconds. Spikes indicate moments of high network activity.
- Top Clients: Displays the clients consuming the most network bandwidth, based on traffic statistics.
- Top Servers: Displays the top network servers handling requests, identifying those responsible for high network load.
2. Services: The Services tab within the Top-N dashboard provides insights into the network services and protocols generating traffic in your network.
- Services & Layer-4 Protocols: Displays the total number of detected services running on the network and the number of distinct Layer-4 (transport layer) protocols detected.
- Throughput Graph (bits/s): Represents network service traffic over time. Use it to identify traffic spikes and correlate them with specific services, detect abnormal activity or unexpected surges in particular services, and monitor service trends to spot overload or potential attacks.
- Top Services: Lists the network services generating the most traffic.
- Top Layer-4 Protocols: Shows the most used transport protocols.
3. Apps: The Apps tab within the Top-N dashboard provides insights into the network applications and top clients generating traffic in your network. It helps to identify high-bandwidth applications and monitor workstation activity.
- Applications & Workstations Summary: Displays the total number of detected applications in the network and the total number of active workstations, i.e. client devices generating network traffic.
- Throughput Graph (bits/s): Shows overall network utilization over time. Use it to identify traffic peaks and correlate them with workstation activity, detect sudden surges in network activity, and monitor utilization trends.
- Top Clients: Lists the client devices consuming the most bandwidth, based on network activity.
4. Conversations: The Conversations tab within the Top-N dashboard provides insights into network traffic between clients and servers, showing which endpoints are communicating, what services they are using, and the total data exchanged. This is crucial for network performance analysis, security monitoring, and troubleshooting.
- Conversations & Services: The total number of active network conversations, i.e. the number of distinct network exchanges within the observed timeframe, and the total number of services involved in those conversations, which helps track which services are actively used in client-server communication.
- Throughput Graph (bits/s): Represents the network throughput of conversations over time.
- Top Conversations: Lists the most active client-server conversations in terms of traffic.
- Top Services: Lists the services used in active conversations and their associated data transfer metrics.
CORE SERVICES
The Core Services section in the Network Performance Monitoring dashboard provides real-time insights into the health and performance of critical network services. The DNS tab is displayed by default.
1. DNS: The DNS Monitoring tab in Core Services provides insights into DNS query behavior, server performance, and client activity. It helps identify DNS resolution failures, slow responses, or suspicious query patterns.
- Requests & Responses: Total number of DNS queries sent by clients to DNS servers and total number of successful DNS replies received from DNS servers.
- Server Request Charts: Displays the distribution of DNS queries across different servers. Helps identify which DNS servers handle the most queries.
- Response Charts: Shows how DNS queries are being resolved by different servers. Monitors DNS server efficiency by comparing responses to requests. Helps detect DNS server failures (for example, servers that respond much more slowly than others or fail to respond at all).
- Server Request Datatable: Shows which DNS servers are most frequently queried. Helps detect anomalous traffic patterns or excessive load on one resolver.
- Server Response Datatable: Displays DNS responses from servers, showing how efficiently they are handling queries. Ensures that queries are being resolved properly by each DNS server. Helps detect DNS servers failing to respond to queries.
- Client Request Datatable: Displays the top client devices making DNS queries. Helps detect malware-infected devices generating excessive DNS requests.
- Client Response Datatable: Displays the DNS responses received by clients.
- Flow Exporter: Displays the devices that collect and send network traffic statistics. Flow exporters help monitor DNS traffic trends and detect anomalies. The number of messages recorded indicates how actively the flow exporter is collecting data.
2. DHCP: The DHCP (Dynamic Host Configuration Protocol) Monitoring tab in the Core Services section provides real-time insights into DHCP traffic, client requests, server responses, and address lease activity. This helps to monitor IP allocation, detect DHCP failures, and identify misconfigurations.
DHCP statistics:
- Broadcast: Total number of DHCP discovery broadcasts detected in the network. DHCP clients send broadcast requests when looking for an IP address.
- Request: The number of DHCP requests made by clients for an IP lease. Clients typically request an IP lease after receiving an offer from the DHCP server.
- Response: The number of DHCP responses sent by the server. In a healthy network, the number of DHCP responses closely matches the number of client requests.
- Relayed: The number of DHCP messages forwarded by a relay agent. DHCP relays are used in multi-subnet environments where the DHCP server is located on a different network.
- DHCP Traffic Chart: Displays DHCP traffic trends over time. Helps detect spikes in broadcast activity, which could indicate DHCP issues.
- Server Request & Response: Shows which DHCP servers are being queried and which servers are responding to requests.
- Client Request & Response: Shows which clients are requesting IP addresses and which clients successfully receive responses.
- Flow Exporter: Flow exporters track network traffic trends and help detect issues.
3. RADIUS: The RADIUS (Remote Authentication Dial-In User Service) Monitoring tab in the Core Services section provides insights into authentication requests and responses, helping to monitor network authentication events, detect failed authentication attempts, and troubleshoot access issues.
- AUTH Requests: The number of authentication requests sent by network clients. Clients send authentication requests when they try to connect to the network using VPN, Wi-Fi, or other protected services.
- AUTH Responses: The number of authentication responses sent by the RADIUS server to clients. In a healthy RADIUS deployment, every request receives an authentication response.
- RADIUS Traffic Chart: Helps detect spikes in authentication activity that may indicate brute-force attacks or failed login attempts.
- Server Request & Response Charts: The Server Request chart shows which RADIUS servers are receiving authentication requests; the Server Response chart shows which servers are responding to authentication queries.
- Server Request & Response Tables: Show which RADIUS servers received authentication queries and how many authentication decisions (success/failure) each sent back to clients.
- Client Request & Response Tables: Show which clients (devices) requested authentication and which clients successfully authenticated (received a response).
- Flow Exporter: Flow exporters track authentication traffic trends and help detect failures.
4. LDAP: The LDAP (Lightweight Directory Access Protocol) Monitoring tab in the Core Services section provides insights into directory authentication requests and responses. This helps to monitor user authentication, detect failed login attempts, and ensure directory services are operational.
- Request: Number of LDAP authentication requests received from clients. Clients send requests when they attempt to authenticate against Active Directory (AD) or another LDAP-based directory service.
- Response: Number of authentication responses returned by the LDAP server. LDAP responses indicate successful or failed authentication attempts.
- LDAP Traffic Chart: Helps detect spikes in authentication activity, which may indicate mass user logins or brute-force login attempts.
- Server Request Chart: Shows which LDAP servers are receiving authentication requests.
- Server Response Chart: Shows which servers are responding to authentication queries.
- Server Request & Response Tables: Show which LDAP servers received authentication queries and how many authentication decisions (success/failure) each sent back to clients.
- Client Request & Response Tables: Show which clients (devices) requested authentication and which clients successfully authenticated (received a response).
- Flow Exporter: Flow exporters track authentication traffic trends and help detect LDAP failures or security threats.
5. NTP: The NTP (Network Time Protocol) Monitoring tab in the Core Services section provides insights into time synchronization requests, responses, and symmetric-mode peer communication patterns. This is critical for ensuring accurate timekeeping across network devices, security logs, and distributed systems.
- Request: Total number of NTP synchronization requests sent by clients. Clients send NTP requests to synchronize their clocks with time servers.
- Response: Total number of responses received from NTP servers. In a healthy NTP deployment, responses match requests.
- Symmetric Count: Number of peer-to-peer (symmetric mode) NTP exchanges. Symmetric mode is used for time synchronization between NTP servers rather than for client-server communication.
- NTP Traffic Chart: Helps detect abnormal time synchronization activity. Identifies potentially misbehaving or overloaded NTP clients and servers. Ensures consistent timekeeping across networked devices.
- Server Request Chart: Shows which servers are receiving the most NTP requests.
- Server Response Chart: Shows which servers are responding most frequently.
- Server Request Table: Lists the NTP servers receiving the most synchronization requests, identifying which NTP servers are queried the most.
- Server Response Table: Shows how many responses each NTP server has sent to clients. Ensures that NTP servers are responding properly to client requests.
- Client Request Table: Identifies which clients are actively synchronizing their clocks. Ensures no devices are overloading the NTP server with excessive requests.
- Client Response Table: Shows how many responses each client has received from NTP servers. Ensures that NTP clients are receiving valid responses to their synchronization requests.
- Symmetric Table: Displays NTP symmetric-mode synchronization between peer servers. Symmetric mode is used for synchronization between NTP servers rather than for client-server interactions.
- Flow Exporter: Flow exporters track NTP traffic trends and potential anomalies. Higher message counts indicate that more NTP traffic is being observed.
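The DNS, DHCP, RADIUS and NTP tabs above all rest on the same check: per-server responses should closely match requests, and no single client should dominate the request count. The script below is an added example, not the product's own code, that applies that check to constructed per-client/server request and response counts (the service names, addresses and thresholds are assumptions).

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data (not product output): aggregated per client/server
# pair as (service, client, server, requests, responses).
SAMPLE_PAIRS = [
    ("dns",    "10.0.0.11", "10.0.0.53",  120,  118),
    ("dns",    "10.0.0.12", "10.0.0.53",   80,   80),
    ("dns",    "10.0.0.77", "10.0.0.53", 2400, 2350),  # unusually chatty client
    ("dns",    "10.0.0.11", "10.0.0.54",   60,   12),  # resolver mostly not answering
    ("dhcp",   "10.0.1.20", "10.0.1.1",    10,   10),
    ("radius", "10.0.2.5",  "10.0.2.100", 300,  295),
    ("ntp",    "10.0.0.11", "10.0.0.123",  50,   50),
    ("ntp",    "10.0.0.12", "10.0.0.123",  50,    0),  # client gets no NTP replies
]


@dataclass
class ServerHealth:
    """One row of the Server Request / Server Response tables."""
    service: str
    server: str
    requests: int = 0
    responses: int = 0

    @property
    def response_ratio(self) -> float:
        # Responses per request; 1.0 means every request was answered.
        return self.responses / self.requests if self.requests else 0.0


def summarize(pairs):
    """Aggregate per (service, server), like the Server Request/Response tables."""
    health = {}
    for service, _client, server, req, resp in pairs:
        row = health.setdefault((service, server), ServerHealth(service, server))
        row.requests += req
        row.responses += resp
    return health


def unhealthy_servers(pairs, min_ratio=0.9):
    """Servers whose response ratio drops below min_ratio: the 'responses should
    closely match requests' rule the DHCP, RADIUS and NTP tabs describe."""
    return sorted(key for key, row in summarize(pairs).items()
                  if row.response_ratio < min_ratio)


def noisy_clients(pairs, service, max_requests):
    """Clients sending more than max_requests to one service, e.g. the excessive
    DNS request pattern the Client Request table is meant to surface."""
    totals = defaultdict(int)
    for svc, client, _server, req, _resp in pairs:
        if svc == service:
            totals[client] += req
    return sorted(c for c, n in totals.items() if n > max_requests)


def unanswered_clients(pairs):
    """Clients that sent requests to a service but received no responses at all."""
    sent, got = defaultdict(int), defaultdict(int)
    for svc, client, _server, req, resp in pairs:
        sent[(svc, client)] += req
        got[(svc, client)] += resp
    return sorted(k for k in sent if sent[k] and not got[k])


if __name__ == "__main__":
    for (svc, srv), row in sorted(summarize(SAMPLE_PAIRS).items()):
        print(f"{svc:6} {srv:12} req={row.requests:5} resp={row.responses:5} "
              f"ratio={row.response_ratio:.2f}")
    print("unhealthy servers:", unhealthy_servers(SAMPLE_PAIRS))
    print("noisy dns clients:", noisy_clients(SAMPLE_PAIRS, "dns", 1000))
    print("unanswered clients:", unanswered_clients(SAMPLE_PAIRS))
```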
THREATS
The Threats section provides real-time threat intelligence by analyzing suspicious activities, malicious communications, and security risks within network traffic. This helps detect, track, and mitigate potential cyber threats targeting critical infrastructure.
1. IP Reputation: The IP Reputation tab focuses on tracking communication with malicious or suspicious IPs known for hosting cyberattacks, malware, or unauthorized access attempts.
- Flow Records: The number of network flow records involving malicious or suspicious IP addresses.
- Conversation: Number of distinct conversations involving high-risk IPs.
- IP Reputation Chart: Represents network activity involving malicious IPs over time. Helps identify attack patterns, peak attack times, and specific types of malicious activity.
- Top IP Reputations: Lists the top malicious IP addresses based on reputation scoring. Identifies which threat categories are the most active in the network.
- Public Threats: Displays publicly known high-risk IP addresses interacting with the network.
- Server Threats: Lists internal servers at risk due to communication with malicious IPs.
- Client Threats: Tracks high-risk client devices interacting with malicious IPs. Identifies compromised or suspicious client devices that need immediate remediation.
2. DDoS TCP: The DDoS TCP (Distributed Denial of Service - Transmission Control Protocol) Monitoring tab in the Threats section focuses on detecting TCP-based attacks, such as half-open connections, flag-based attacks (X-Mas, Null, Urgent), and anomalous TCP session behavior.
- H-O (Half-Open) Sessions: Number of half-open TCP sessions in the network. Half-open TCP connections occur when attackers flood a target with SYN packets but never complete the handshake.
- H-O (Half-Open) Sources: Number of unique IP addresses involved in half-open connections. Helps identify attacker IPs involved in TCP-based attacks.
- X-Mas Flags: Number of TCP packets detected with the X-Mas flag combination. An X-Mas scan is a network reconnaissance technique used to evade firewalls and find open ports; it sends packets with the FIN, PSH, and URG flags set in the TCP header, which different network stacks handle differently.
- NULL Flags: Number of TCP packets detected with no flags set. A NULL scan is a stealth attack method in which all TCP flags are set to 0.
- URG Flags: Number of TCP packets detected with the URG (Urgent) flag set. The urgent flag is normally used to prioritize certain TCP traffic.
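To make the five DDoS TCP counters concrete, here is an added example (not the product's own detection code) that classifies constructed flow records by their cumulative TCP flag set: half-open sessions and sources, X-Mas, NULL and URG. It assumes NetFlow/IPFIX-style records in which the flags field is the OR of every flag seen in the flow, which is why a complete session that happens to carry URG must not be mistaken for an X-Mas probe.

```python
from collections import Counter

# TCP header flag bits.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG
TCP, UDP = 6, 17

# Constructed flow records (not product output):
# (protocol, src, dst, dst_port, tcp_flags), where tcp_flags is the OR of all
# flags seen in the flow, as NetFlow/IPFIX exporters report it.
SAMPLE_FLOWS = [
    (TCP, "10.0.0.11",    "10.0.0.80", 443,  SYN | ACK | PSH | FIN),  # complete session
    (TCP, "10.0.0.11",    "10.0.0.80", 443,  SYN | ACK | FIN),
    (TCP, "198.51.100.7", "10.0.0.80", 80,   SYN),                    # SYN never completed
    (TCP, "198.51.100.7", "10.0.0.80", 80,   SYN),
    (TCP, "198.51.100.8", "10.0.0.80", 80,   SYN),
    (TCP, "203.0.113.4",  "10.0.0.80", 22,   XMAS),                   # FIN+PSH+URG only
    (TCP, "203.0.113.4",  "10.0.0.80", 23,   0),                      # no flags at all
    (TCP, "10.0.0.12",    "10.0.0.80", 6667, ACK | URG),              # URG inside a session
    (UDP, "10.0.0.12",    "10.0.0.53", 53,   0),                      # not TCP: ignored
]


def classify(flags):
    """Primary category of one TCP flow, judged by its cumulative flag set."""
    if flags == 0:
        return "null"            # NULL scan: every flag cleared
    if flags & (SYN | ACK) == 0 and flags & XMAS == XMAS:
        return "xmas"            # FIN, PSH and URG without any handshake flags
    if flags & SYN and not flags & ACK:
        return "half_open"       # SYN sent, handshake never acknowledged
    if flags & URG:
        return "urgent"          # URG set on an otherwise ordinary flow
    return "normal"


def summarize(flows):
    """The five DDoS TCP counters. 'urgent' counts every TCP flow carrying URG,
    X-Mas flows included, because the widget counts packets with the flag set."""
    counts = Counter()
    half_open_sources = set()
    for proto, src, _dst, _port, flags in flows:
        if proto != TCP:
            continue
        category = classify(flags)
        if category == "half_open":
            counts["half_open_sessions"] += 1
            half_open_sources.add(src)
        elif category in ("xmas", "null"):
            counts[category] += 1
        if flags & URG:
            counts["urgent"] += 1
    counts["half_open_sources"] = len(half_open_sources)
    return dict(counts)


def top_half_open_sources(flows):
    """Source IPs ranked by half-open session count (the H-O Sources view)."""
    c = Counter(src for proto, src, _d, _p, flags in flows
                if proto == TCP and classify(flags) == "half_open")
    return c.most_common()


if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
    print(top_half_open_sources(SAMPLE_FLOWS))
```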
3. DDoS Flood: The DDoS Flood (Distributed Denial of Service Flood) tab in the Threats section focuses on detecting high-volume malicious traffic floods that can overwhelm network resources and disrupt services. These floods can occur through UDP, ICMP, and other attack vectors.
- UDP Sources: Number of unique sources sending UDP flood traffic. UDP-based DDoS attacks involve flooding a target with large amounts of UDP traffic.
- UDP Bytes: Total volume of UDP flood traffic in bytes.
- UDP Packets: Total count of UDP packets contributing to the attack.
- ICMP Packets: Volume of ICMP flood traffic measured in bytes.
- ICMP Sources: Number of unique IPs generating ICMP-based attack traffic.
- UDP Amplification (Public): Lists victim IPs receiving amplified UDP traffic from exploited services.
- ICMP Messages (Public): Displays ICMP traffic sources and destinations for flood detection.
- ICMP Sources (Public): Identifies external IPs generating ICMP flood traffic.
4. RECON: The RECON (Reconnaissance) Monitoring tab in the Threats section focuses on detecting network scanning, port scanning, and ICMP probing activities. These activities are typically performed by attackers to identify open ports, active hosts, and vulnerabilities before launching attacks.
- Accessed Port (Public): Tracks external port scanning activity on public-facing services.
- Accessed Port (Private): Identifies internal port scanning attempts within the private network.
- ICMP Destinations (Public): Displays external ICMP probe attempts targeting internal hosts.
- ICMP Destinations (Private): Monitors internal ICMP requests that may indicate lateral movement.
- Port Scan (Public): Lists external sources attempting to scan internal servers and services.
- Port Scan (Private): Detects internal devices scanning ports on other internal hosts.
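The Port Scan and Accessed Port widgets differ only in whether the source address is public or private. The following added example (not the product's own logic) shows one way to derive both views from constructed flow records: a source that touches many distinct ports on a single destination is flagged as a scan, and sources are split by RFC 1918 locality. The threshold of five ports and the addresses are assumptions for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

# RFC 1918 ranges; sources in these ranges are labelled "private" and
# everything else "public", mirroring the (Public)/(Private) widget pairs.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def locality(ip):
    return "private" if is_private(ip) else "public"


# Constructed flow records (not product output): (src, dst, dst_port).
SAMPLE_FLOWS = (
    # external host touching many ports on one server: Port Scan (Public)
    [("203.0.113.9", "10.0.0.80", p)
     for p in (21, 22, 23, 25, 80, 110, 143, 443, 445, 3389)]
    # internal host probing a neighbour: Port Scan (Private)
    + [("10.0.0.45", "10.0.0.80", p) for p in (22, 80, 443, 445, 3389, 5985)]
    # ordinary repeated HTTPS use: not a scan
    + [("10.0.0.11", "10.0.0.80", 443)] * 3
    + [("198.51.100.2", "10.0.0.80", 443)]
)


def port_scans(flows, threshold=5):
    """Sources that touched at least `threshold` distinct ports on one
    destination, split by source locality like the Port Scan widgets.
    Returns {"public": [(src, dst, n_ports), ...], "private": [...]}."""
    ports = defaultdict(set)
    for src, dst, port in flows:
        ports[(src, dst)].add(port)
    result = {"public": [], "private": []}
    for (src, dst), seen in sorted(ports.items()):
        if len(seen) >= threshold:
            result[locality(src)].append((src, dst, len(seen)))
    return result


def accessed_ports(flows):
    """Flow count per destination port, by source locality (Accessed Port widgets)."""
    counts = {"public": Counter(), "private": Counter()}
    for src, _dst, port in flows:
        counts[locality(src)][port] += 1
    return counts


if __name__ == "__main__":
    print(port_scans(SAMPLE_FLOWS))
    for side, c in accessed_ports(SAMPLE_FLOWS).items():
        print(side, c.most_common(3))
```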
5. Brute Force: The Brute Force tab tracks unauthorized login attempts, excessive session requests, and potential brute-force attacks against remote access services like RDP (Remote Desktop Protocol) and SSH (Secure Shell). Attackers use brute-force techniques to guess passwords and gain unauthorized access to systems.
- CLI Sessions (Public): Tracks command-line interface (CLI) login attempts from public sources.
- CLI Sessions (Private): Monitors CLI-based login attempts within the internal network.
- RDS (Public): Displays the number of remote desktop service (RDS) sessions from external sources.
- RDS (Private): Tracks internal remote desktop (RDP) login attempts within the private network.
- CLI & Remote Desktop Sessions (Public): Lists external IPs attempting to access remote desktops or CLI services.
- CLI & Remote Desktop Sessions (Private): Identifies internal systems attempting CLI or RDP connections to other internal hosts.
FLOW
The Flow section provides insights into network traffic behavior, tracking data flow between clients, servers, source-destination pairs, and Autonomous Systems (AS). It helps identify traffic distribution, detect anomalies, and optimize network performance by visualizing data flows in terms of bytes, packets, and flow records.
1. Client/Server:
- Clients (Bytes): Displays total data consumption by client IPs in bytes.
- Clients (Packets): Shows the number of packets transmitted by client devices.
- Clients (Flow Records): Tracks flow sessions initiated by clients over time.
- Servers (Bytes): Displays total data usage by server IPs in bytes.
- Servers (Packets): Shows the packet count handled by servers.
- Servers (Flow Records): Tracks server-initiated flow sessions over time.
- Server/Client Flowchart: Visualizes traffic interaction between clients and servers.
2. Src/Dst:
- Source (Bytes): Shows total data usage from source IPs.
- Source (Packets): Displays packets sent from source IPs.
- Source (Flow Records): Tracks flow records initiated by sources.
- Destination (Bytes): Shows total data received by destination IPs.
- Destination (Packets): Displays packets received at destination IPs.
- Destination (Flow Records): Tracks destination-based flow sessions.
- Source/Destination Flowchart: Visualizes how data moves between source and destination IPs.
3. AS:
- Source AS (Bytes): Displays total data sent from different source Autonomous Systems (AS).
- Source AS (Packets): Shows packet distribution from various source AS networks.
- Source AS (Flow Records): Tracks flow session records originating from source AS.
- Destination AS (Bytes): Displays total data received by different destination Autonomous Systems (AS).
- Destination AS (Packets): Shows packet distribution toward different destination AS networks.
- Destination AS (Flow Records): Tracks flow session records terminating at destination AS.
- Source/Destination Flowchart: Visualizes interactions between source and destination AS.
GRAPH
The Graph section provides a visual representation of network interactions, mapping relationships between Autonomous Systems (AS), client-server pairs, and source-destination traffic flows. It helps identify patterns, detect anomalies, and optimize network structure by illustrating how different entities communicate over the network.
1. AS (Autonomous System): Displays network relationships between different Autonomous Systems. Nodes represent individual AS entities participating in data exchange, and edges show the communication links between AS nodes.
2. Client/Server: Maps interactions between client and server nodes. Client nodes represent devices initiating network requests, server nodes represent devices responding to those requests, and client-server edges illustrate the data exchange pathways between them.
3. Src/Dst: Visualizes traffic flow between source and destination IPs. Source nodes identify the originating points of network traffic, destination nodes show the targeted destinations, and Src-Dst edges connect source IPs to their respective destinations.
Geo IP
The Geo IP section visualizes network traffic based on the geographical locations of clients, servers, sources, and destinations. It helps identify traffic origins, detect anomalies, and analyze global communication patterns through real-time mapping and data aggregation.
1. Client/Server:
- Client Countries (Flow Records): Displays client network activity based on country locations.
- Client Cities (Flow Records): Tracks client IP interactions at city-level resolution.
- Client Time Zones (Flow Records): Shows the distribution of client traffic across global time zones.
- Server Countries (Flow Records): Displays server locations based on country mapping.
- Server Cities (Flow Records): Tracks server endpoints categorized by city location.
- Server Time Zones (Flow Records): Maps server interactions across different time zones.
- Geo IP Map: Visualizes real-time network communication on an interactive world map.
2. Src/Dst:
- Source Countries (Flow Records): Displays traffic sources categorized by country.
- Source Cities (Flow Records): Tracks originating IPs based on city location.
- Source Time Zones (Flow Records): Shows source-based traffic behavior across time zones.
- Destination Countries (Flow Records): Displays endpoints categorized by country.
- Destination Cities (Flow Records): Tracks destination IPs by city mapping.
- Destination Time Zones (Flow Records): Maps destination traffic flow across global time zones.
- Geo IP Map: Shows source-to-destination traffic flow using an interactive visualization.
AS Traffic
The AS Traffic section visualizes network traffic at the Autonomous System (AS) level, providing insights into which ISPs, cloud providers, and organizations are involved in network communication. This helps in tracking data flow patterns, identifying suspicious traffic sources, and optimizing network performance.
1. Client/Server:
- Client AS (bits/s): Displays bandwidth usage by different client Autonomous Systems over time.
- Client AS (pkts/s): Shows packet transfer rates for client Autonomous Systems.
- Server AS (bits/s): Visualizes incoming traffic rates for various server Autonomous Systems.
- Server AS (pkts/s): Tracks packet transfer rates for server Autonomous Systems.
2. Src/Dst:
- Source AS (bits/s): Displays bandwidth consumption of source Autonomous Systems.
- Source AS (pkts/s): Monitors packet rate trends from various source ASNs.
- Destination AS (bits/s): Tracks bandwidth usage by different destination Autonomous Systems.
- Destination AS (pkts/s): Displays packet transfer rates for destination Autonomous Systems.
EXPORTER
The Exporter section provides insights into traffic flow data collected from network devices such as routers, switches, and firewalls. These exporters send flow data to a collector for analysis of network performance, security threats, and bandwidth utilization.
1. Traffic:
- Ingress Interface (bits/s): Displays incoming bandwidth usage per second on monitored interfaces.
- Ingress Interface (pkts/s): Tracks incoming packet rates per second on network interfaces.
- Egress Interface (bits/s): Displays outgoing bandwidth usage per second for devices.
- Egress Interface (pkts/s): Tracks outgoing packet rates per second for better traffic analysis.
2. Metrics:
- Observed Traffic (Records): Displays the total flow records, bytes, and packets collected by exporters.
- Observed Traffic (Flow Records/s): Graph showing flow records per second over time.
- Observed Traffic (Bits/s): Displays bandwidth consumption trends (Mbps) over time.
- Observed Traffic (Pkts/s): Monitors packet transmission rates per second.
TRAFFIC DETAILS
The Traffic Details section provides deep insights into network traffic attributes, protocol types, and locality to analyze network performance, security threats, and usage patterns. It enables detailed tracking of Layer-3 and Layer-4 protocols, traffic locality, and flow characteristics.
1. Attributes:
- Layer-3 Count: Displays the number of detected Layer-3 protocol types in traffic.
- Layer-3 Protocols: Shows protocol distribution between source and destination.
- Layer-3 Protocols (Bar): Analyzes the top source and destination IPs using Layer-3 protocols.
- Layer-3 Protocols (Flow Record): Monitors protocol-based flow records over time.
2. Types: Displays the observed network entities, distinguishing between workstations, servers, services, and applications. This helps in understanding how different components in the network are interacting and consuming bandwidth.
- Workstations: Displays the total number of active workstation devices communicating in the network.
- Servers: Shows the count of servers participating in network traffic.
- Clients (Flow Records): Pie chart of the different clients generating network traffic.
- Servers (Flow Records): Pie chart of the different servers handling network traffic.
- Clients (bits/s & pkts/s): Displays network traffic in bits per second and packets per second for client devices.
- Servers (bits/s & pkts/s): Displays network traffic in bits per second and packets per second from server devices.
- Services: Displays the number of different services active in the network.
- Applications: Displays the number of different applications generating network traffic.
- Services (Flow Records): Shows the different services communicating within the network.
- Applications (Flow Records): Displays the different applications generating network activity.
- Services (bits/s & pkts/s): Shows traffic in bits/s and packets/s for different services.
- Applications (bits/s & pkts/s): Shows network usage in bits/s and packets/s for various applications.
3. Locality: The Locality section in Traffic Details provides insights into the geographic distribution of network traffic, showing the number of distinct locations (Localities) and Autonomous Systems (ASNs) involved, along with flow distributions through pie charts and time-series graphs for bits per second and packets per second.
FLOW RECORDS
The Flow Records section provides detailed insights into network traffic, tracking the total number of flow records, active conversations, and a MaxScore metric for traffic risk evaluation.
1. Client/Server: The Client/Server tab displays the bidirectional network communication between clients and servers, showing flow details such as host interactions, domain names, port usage, and traffic volume in bytes and packets.
2. Src/Dst: Displays detailed insights into network flows, showing communication between source and destination domains, associated ports, transmitted data volume, and packet counts, helping to analyze traffic patterns and identify anomalies.
JITTER & LATENCY
The Jitter & Latency section provides insights into network performance by tracking variations in packet delay (jitter) and overall latency for different destinations. It helps in diagnosing network congestion, performance issues, and service quality degradation by analyzing the stability and responsiveness of communication between endpoints.
The Jitter & Latency section displays network performance metrics. The Jitter HTTPS graph visualizes fluctuations in delay for various destinations over time. The Jitter Table lists destinations with their respective jitter values, helping identify endpoints experiencing inconsistent delivery. The Latency Table details source-to-destination connections with their measured latency, highlighting potential slow-performing routes.
The Latency HTTPS graph represents latency trends, helping to pinpoint spikes or degradation over time. Together, these elements offer a comprehensive view of network performance, aiding in proactive monitoring and troubleshooting.
OSI DETAILS
The OSI Details section provides insights into the devices and network elements categorized according to the OSI (Open Systems Interconnection) model. This helps in network diagnostics, asset tracking, and device monitoring by displaying critical details such as device names, product types, manufacturers, private IP addresses, MAC addresses, and OS information.
Layer 1: Displays physical devices within the network, listing attributes such as device name, product type (e.g., camera, switch, router), and manufacturer (e.g., Cisco Meraki). This layer focuses on hardware inventory management.
Layer 2: Focuses on data link layer information, listing private IP addresses, MAC addresses, and OS types for each device. It provides a deeper insight into device-level connectivity, ensuring accurate mapping of devices to network infrastructure.