Viewing Network Activity; Interpreting The Graphs - Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 R2 - REV1 Manual


Managing Your Network Activity

Viewing Network Activity

Interpreting the Graphs
Toggle Auto Refresh - Allows you to enable or disable the automatic graph
refresh. When disabled, the countdown timer is not displayed on the graphs.
By default, the automatic refresh is enabled.
The graphs are the main components of the Network Surveillance interface. The
graphs are a graphical representation of your network objects; the peaks and
valleys that appear depict high- and low-volume traffic.
This section provides information on viewing network activity including:

Interpreting the Graphs
Changing the View
Investigating Traffic Using TopN
Investigating Flows
Whether you are monitoring or investigating specific traffic using the Network
Surveillance interface, the type of traffic you wish to monitor or investigate must
always appear on the graphs. For example, if you wish to investigate traffic that
was active during the 3 a.m. time frame, you must adjust your graph to visually
represent the traffic from that time frame to continue your investigation.
The network activity that is displayed on the STRM graphs is determined by the
Global View that is currently selected. Global Views are configurable views that
capture and display your network activity. Each view filters traffic and displays the
data from many perspectives. You can display your network activity from any
Global View and navigate to the Full Networks View to show the same data from
the network perspective. When viewing the network perspective, you can navigate
to another view.
Note: By default, the Network Surveillance interface refreshes every 3 minutes
(180 seconds). The counter on the top right of the interface indicates the time to
refresh.
When selecting a view, only the traffic that matches the pre-defined view
properties is visible on the STRM graphs. You can determine your network's
activity by the colors that appear on the inbound and outbound graphs. Network
traffic is divided and classed into sub-components; each sub-component is
assigned a color. Network activity is identified by the colored layers that appear on
your graphs.
The traffic layer often has peaks and valleys depicting the behavior of high- and
low-volume traffic. If more than one type of traffic is currently active, such as
Peer-to-Peer (P2P) and File Transfer Protocol (FTP), both layers appear on the
graphs in stacked formation. Normal traffic is easily identified, and abnormal
activity becomes obvious from the stacked colored layers that appear on your graphs.
STRM Users Guide
