What is the difference between Top Talkers and Top Connections?
Is there any purpose of dividing the traffic into these two?
I found that only up to 100 items are displayed in each page. Can I see more items?
And can I check or export all collected raw data?
Article Comments
Hello,
Thank you for your KB post.
The "Top Talkers" toplist shows the bandwidth usage between two addresses.
The "Top Connections" toplist additionally shows the source and destination ports and the protocol.
The toplists, e.g. "Top Connections" from the NetFlow sensor, show the top 100 connections by default (the 100 connections making the most traffic).
So in the toplist you can see IP addresses for the top 99 connections plus one entry called "Other". All connections that belong to the monitored traffic, but that are making less traffic than the top 99 connections, are aggregated to "Other".
If "Other" is often in the top 5 of a particular toplist, you could try to either increase the number of entries for this list, or shorten the period that the toplist covers (or try both). You can change this in the toplist settings for the corresponding toplist. Please be aware, however, that this means a higher demand on resources, especially if you change these settings for multiple toplists.
In the sensor settings, there is an option "Stream Data Handling", which you can use to store all stream data, or to store stream data only for the "Other" channel. Please use this option with caution, only for a short time, as it can create huge data files.
Best regards
Feb, 2021 - Permalink
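The grouping and the "Other" roll-up described in the reply above, as an added Python example (not PRTG code and not part of the original reply). The flow records are constructed sample data, the function names are hypothetical, and treating an address pair as direction-sensitive and omitting "Other" when nothing is left over are assumptions.

```python
from collections import Counter

# Constructed sample flows: (src_ip, dst_ip, src_port, dst_port, protocol, bytes)
FLOWS = [
    ("10.0.0.5", "10.0.1.20", 51544, 443, "TCP", 900_000),
    ("10.0.0.5", "10.0.1.20", 51560, 443, "TCP", 400_000),
    ("10.0.0.5", "10.0.1.20", 40000, 53, "UDP", 2_000),
    ("10.0.0.7", "10.0.1.30", 50212, 22, "TCP", 300_000),
    ("10.0.0.9", "10.0.1.20", 50001, 445, "TCP", 5_000),
    ("10.0.0.9", "10.0.1.21", 50002, 445, "TCP", 4_000),
    ("10.0.0.9", "10.0.1.22", 50003, 445, "TCP", 3_000),
]

def talker_key(flow):
    """Top Talkers: group by the two addresses only."""
    return flow[0], flow[1]

def connection_key(flow):
    """Top Connections: addresses plus both ports and the protocol."""
    return flow[:5]

def toplist(flows, key, max_entries=100):
    """Rank groups by bytes; keep max_entries - 1 rows and fold the rest into 'Other'."""
    totals = Counter()
    for flow in flows:
        totals[key(flow)] += flow[5]
    ranked = totals.most_common()
    if len(ranked) <= max_entries:
        return ranked  # assumption: no "Other" row when every group fits
    kept = ranked[:max_entries - 1]
    other = sum(nbytes for _, nbytes in ranked[max_entries - 1:])
    # "Other" is ranked by its traffic like any other row
    return sorted(kept + [("Other", other)], key=lambda row: row[1], reverse=True)

if __name__ == "__main__":
    # A small limit of 3 stands in for the default of 100 so the roll-up is visible.
    for name, key in (("Top Talkers", talker_key), ("Top Connections", connection_key)):
        print(name)
        for group, nbytes in toplist(FLOWS, key, max_entries=3):
            print(f"  {group}: {nbytes} bytes")
```

With the limit set to 3, the SSH flow is its own row in Top Talkers but disappears into "Other" in Top Connections, and the three small port 445 flows from 10.0.0.9 are inside "Other" in both lists. That is the situation where raising the entry count, shortening the period, or briefly storing stream data for the "Other" channel helps.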