Observer GigaFlow

Table of Contents

Legal

Notice

Copyright

Terms and Conditions

Glossary

Introduction

This Document

How-To Guide

Reference Manual

GigaFlow Wiki

About GigaFlow

How-To Guide for GigaFlow

First Steps

Install GigaFlow on a Windows Platform

Log In and Provision GigaFlow

Logging In

Give the Server a Name

Assign Disk Space

Enable Call Home Functionality

Install License

Enable Blacklists

Enable SNMP

Enable and Test First Packet Response

Conducting Searches in GigaFlow

Search for Security Events Associated with an IP Address

Conduct a Search and Apply a Macro (or Script)

Search for a MAC Address

Search for a Username

Search for a Network Switch

Apply a Macro (or Script) to a Switchport

Diagnostics and Reporting

Explore Bandwidth Usage by Interface and Application

Identify Bandwidth Usage by User

Use First Packet Response to Understand Application Behaviour

Determine if Bad Traffic is Affecting Your Network

Create a Script

Create a Traffic Group

Create and Use a Profile

Create an Integration

Alerts and Events

Respond to a Blacklist Email Alert

Determine the Importance of an Event

Investigate a SYN Anomaly

Configuration and System Set-up

Working with Clusters of GigaFlow Servers from Viavi Apex

Overview

Configure the Cluster

Search the GigaFlow Cluster

Encryption and GigaFlow Clusters

FAQs and Troubleshooting

Which Web Browers Are Supported by GigaFlow?

What Server Specification Do We Need?

Flows and Server Sizing

Disk Throughput for Flow Writing to Database

Disk I/O for Flow Writing To Database

Disk I/O for Flow Reading from Database

Disk Sizing

RAM Sizing

CPU Sizing

Experimental Results

Does GigaFlow have an API?

Does GigaFlow Require a Client?

Reference Manual for GigaFlow

Log in

User Interface Overview

Layout

Left Menu Items

Top Menu Items

Features

Documentation and Help

Refresh Button

Timeline Graphs

Colors

GigaFlow Search

Overview

Search Scope

Searching by IP Address

Searching by MAC Address

Searching by Username

Searching for a Specific Network Switch

Graphical Flow Mapping

Dashboards

Server Overview

Summary Devices

Events

Summary Interfaces

Reporting Period

Device and Interface Overview

Forensics DB

Device Overview

Top 10 Applications This Hour

Top 10 Source IPs This Hour

Top 10 Destination IPs This Hour

Summary Devices

Summary Interfaces

Device Details

Attributes and Tools

Events Graph

All Interfaces CSV

Interface Overview

Interface Details

Attributes and Tools

Summary Interface Total Traffic

Summary Interface In

Summary Interface Out

Summary Interface In Packets

Summary Interface Out Packets

Summary Interface In Flows

Summary Interface Out Flows

Traffic Group Overview

Top 10 Applications This Hour

Top 10 Source IPs This Hour

Top 10 Destination IPs This Hour

Events

Threat Map

Events (Main)

Profiling

Realtime Overview

Profiling Events

Reporting Period

Profiles

Severities

Event Entries

Flow Details

Filtered Views

(Existing) Traffic Groups

Overview

Existing Traffic Groups

Reports

My Current Queries

My Complete Queries

All Complete Queries

Canceled Queries

Cluster Search

DB Queries

Forensics

Example

Reporting Period

Direct Filtering Syntax

First Packet Response Reports

Saved Reports

System Wide Reports

SYN Forensics Monitoring

Device Connections

MAC Address Vendors

SQL Reports

Working with SQL Queries

Adding a SQL Query

User Events

Configuration

Attributes

GEOIP

Infrastructure Devices

Existing Device

New Device

New Bulk Device

Actions

Device SNMP Mapping

Add an Infrastructure Device

Detailed Device Information

SNMP Settings

Attributes and Tools

Storage Setting

Other Settings

Configuration/Profiling

New Flow Object

New Profiler

Existing Profilers

Existing Defined Application

New Defined Application

Reporting

General

Forensics Reports

Existing Report Links

New Report Link

Server Subnets

Server Subnets

Servers

Devices

Traffic Groups

New Traffic Group

Bulk Load Traffic Groups

Existing Traffic Groups

SNMP Discovered Subnets

System

Alerting

Syslog Alerts

Mail Alerts

Event Scripts

GigaFlow Cluster

This Server

New Cluster Server

Search the GigaFlow Cluster

Encryption and GigaFlow Clusters

Global

General

LDAP

SSL

Import/Export

SNMP V2 Settings

SNMP V3 Settings

Log Setting

Proxy Setting

MAC Vendors

Mail Settings

Storage Settings

Data Retention and Rollup

Integrations

Licenses

GigaFlow License

3rd Party Licenses

Cleartext Communication

Call Home Send

Call Home Response

Call Home Errors

Receivers

Existing Ports

New Port

Netflow Processing Threads

Port Threads

Syslog Parsers

All Patterns

Default Patterns

Exceptions

System Health

Memory

Disk

CPU

All

Historical

System Status

Log File Viewer

Memory

Stats

DB Connections

DB Locks

Named Tables

Prepared Tables

Users

Existing Users

Existing User Groups

New Local User

New User Group

Existing Portal Users

New Portal User

Existing LDAP Groups

New LDAP User

New LDAP Group

New Data Access Group

Existing Data Access Groups

Data Access Groups

Existing Data Access Group

Watchlists

Blacklists Available

New Blacklist Source

Blacklist Actions

Whitelist Items

Locally Defined Blacklists

Appendices

Forensic Report Types

Application

ASs by Dst

ASs by Source

ASs Pairs

Address Pairs

Addresses As Sources And Dest Port By Dest Count

Addresses By Dest

Addresses By Source

All Fields

All Fields Avg FPR

All Fields Max FPR

Application Flows

Application Flows With User

Applications With Flow Count

Class Of Service

Duration Avg

Duration Max

FW Event

FW Ext Code

Interface Pairs

Interfaces By Dest

Interfaces By Destination Pct

Interfaces By Source

Interfaces By Source Pct

MAC Address Pairs

MAC Addresses By Dest

MAC Addresses By Source

Ports As Dest By Dest Add Popularity

Ports As Dest By Src Add Popularity

Ports As Src By Dest Add Popularity

Ports As Src By Src Add Popularity

Ports By Dest

Ports By Source

Posture

Protocols

Servers As Dest With Ports

Servers As Dst Address

Servers As Src Address

Servers As Src With Ports

Sessions

Sessions Flows

Sessions With Ints

Subnet Class A By Dest

Subnet Class A By Source

Subnet Class B By Dest

Subnet Class B By Source

Subnet Class C By Dest

Subnet Class C By Source

Subnet Class C Destination By Dest IP Count

Subnet Class C Source By Source IP Count

TCP Flags

Traffic Group By Dest

Traffic Group By Source

Traffic Group Pairs

URLs

Users (Report)

TCP Flags

Observer GigaFlow Documentation

Documentation > How-To Guide for GigaFlow > Alerts and Events > Investigate a SYN Anomaly

Investigate a SYN Anomaly

See Reports > System Wide Reports > SYN Forensics Monitoring in the Reference Manual.

GigaFlow monitors all TCP flows where only the SYN bit is set. In normal network operations, this indicates that a flow has not seen a reply packet while active in a router's Netflow cache.

A lonely SYN can be an indicator that:

Routing was asymmetric. Perhaps the reply returned via a different router.
Reply traffic was blocked.
Servers were not responding for some reason.
Something was probing the network.

To view objects that are behaving anomalously, navigate to Reports > System Wide Reports > SYN Forensics Monitoring

You will see a summary of all the internal sources listed in order of the number of destination objects associated with each internal source.

Click the Drill Down icon for more information about each IP address.