SL Traffic Reporting and Analysis Course 2.0 R9.5.0.0

Uploaded by

Roberto Torres

December 2021

Version 9.5.0.0
Unit 1 Sightline Visibility
Overview
Sightline Visibility Course

COPYRIGHT © 2021 NETSCOUT SYSTEMS, INC. 1

NETSCOUT – Arbor Sightline


Traffic Reporting and Analysis 1-1
In this module you will...

• Do the introductions

• Review the training agenda

• Define what Sightline visibility is

• Discover how Sightline builds an understanding of your network

• See use cases and Sightline reports

Introduction &
Training Agenda

Let’s Get to Know Each Other!
Introduce yourself

• Instructor introduction

• Student introductions

• What are your job responsibilities?

• When/how do you use Sightline?

Our Training Agenda
Training Activities

Unit 1 Sightline Visibility Overview
Unit 2 Sightline Reporting Overview
Unit 3 Network Visibility and Reporting
Unit 4 External Visibility and Reporting
Unit 5 Capacity Planning and Congestion Reporting
Unit 6 BGP Reliability and Reporting
Unit 7 OTT Reporting
Unit 8 Traffic MO Reporting
Unit 9 Multi Dimensional Reporting

What is Sightline Visibility?

Making Sense of Traffic
Sightline workflow

SEE THE BIG PICTURE, CORRELATE AND ANALYZE


Traffic volume shows value in connectivity

• The more traffic volume users generate, the more value they receive
• Correlating volume with various aspects or dimensions of traffic reveals the meaning of the traffic, its value and its impact on your network
• For many network operators the network is the business, so understanding your network health is imperative to the business' health

Arbor visibility enables end-to-end coverage to achieve the totality of volume

• See the big picture, from edge-to-edge, from border-to-access layer, and be able to show network-wide totals
• Correlation of aspects or dimensions shows the proportion of total volume due to that aspect (e.g., 65% of the total is Netflix during this time period)

Our goals in providing network visibility and traffic analysis as core value to network operators

• Achieving Excellence in Network Operations and Service Availability
• Gaining the knowledge to act with customer analytics and business insights

Traffic Insights
Purpose

• What is the makeup of the data?
• How much traffic?
• Where is it coming from?
• Where is it going?
• Which interfaces are most used?
• Which applications?
• What is the busiest time?
• Top customer use?
• How much usage per peer?
• What is the IPv6 use?

How is this changing over time?

• Problem areas → Find and predict
• Congestion → Take corrective action
• Monitor utilization of critical resources
• Perform effective traffic engineering
• Lower transit expenses


There are various scenarios and requirements for when to use Sightline traffic reports. It is not
only for DDoS purposes.

• Understand your networks, network health and traffic flows


• Derive actionable deployment-wide operational and business insights – not just data
• Optimize existing services and identify new ones

Scenarios
From the real world

• Network Operations
Growth of social media traffic since January by 27%
• Enterprise Security
Abnormalities and threat details
• IT
Traffic increase on systems supporting remote work of 74%
• Network Planning
A new opportunity is discovered for direct peering to save transit cost
• Application
Growth of conferencing apps over the last month by 137%

How Sightline builds an
understanding of your network

A Typical Service Provider Network


Sightline provides network wide visibility.


A typical service provider network has transit providers (ISP), Internet Exchange Points (IXP),
customers, internal resources such as DNS, WEB, Cache servers etc.
Smaller enterprise networks may not have various upstream provider options but do have
internal resources (WEB, DNS etc.).
Sightline reports give you insight about your network's relationships with other networks,
applications, customers etc.

What is the Concept of “Network”?
• A core concept for traffic and routing reporting in Sightline
• Is defined by a “boundary” that:
– Defines the border between your network and the rest of the internet, and as such:
– Behaves as an immutable managed object that represents all your network’s traffic from/to the internet

EXTERNAL BOUNDARY = GLOBAL BOUNDARY = NETWORK BOUNDARY


Network traffic is determined via the network boundary. The network boundary is the border between your network and the rest of the internet. This boundary is used to determine when and where traffic enters your network.
The terms external boundary (interfaces), global boundary and network boundary all refer to the same thing.

How Sightline Builds the “Network”?

Monitored routers export real time FLOW data to Sightline

Sightline performs BGP peering with monitored routers

Sightline polls monitored routers via SNMP

Sightline classifies router boundary interfaces as ‘External’ to define the network’s boundary


Flow is the main technology Sightline uses to receive data from routers.
A BGP neighborship between the routers and Sightline is also required so that Flow and BGP data can be correlated for the traffic reports.
SNMP information provides interface discovery, which helps to create the network boundary.

Technologies
What builds the data

FLOW: Key data source for monitoring and analyzing network traffic. Builds historical traffic database.
BGP: Tracks reachability and path information for reporting.
SNMP: Provides interface ID, name, description and speed. Enables precise validation of flow data.
(Other slide graphic labels: Increase in Frequency, Increase in Speed, Decrease in duration, Visibility)


Building data with flow


Flow provides Sightline with layer 1-4 information for the flows that traverse a network.
Sightline extracts the data it needs from the flow packets and bins the data to custom
databases.
Building data with SNMP
Sightline polls the monitored routers that use SNMP versions 1, 2(c), or 3. SNMP gathers
contextual information, such as interface descriptions and speed information, but it also
gauges report accuracy. You can use the Sightline UI to compare the flow records and
SNMP counters per interface in real time.
Building data with BGP
In addition to gathering flow information, Sightline peers with routers in the network to
collect BGP information. Sightline correlates the BGP routing information from each router
with the flow records received from that router. Sightline then uses this information to
determine how much traffic is going through BGP peers, communities, prefixes, ASNs
(both original and transit), AS Paths, nexthops, and a variety of other BGP attributes.

Visibility Use Cases and Sightline
Reports

Operator Challenges
Common questions and requirements
• Which peer is most used?
• Traffic by ASN origin
• Traffic breakdown by BGP community
• Compare IPv4 versus IPv6
• Traffic by prefix on a specific interface or router
• What are the top IPs the customer is communicating with?
• Social media traffic trend for an interface, router, customer etc.
• Traffic by packet size, protocol, port number etc.
• Applications by interface, customer, router etc.


Which of my peers is being used the most?


My network is communicating with which origin ASNs?
I want to see my network traffic breakdown by BGP community.
I want to compare IPv4 vs IPv6 usage in my network.
I want to see interface or router traffic utilization broken down by BGP prefix.
A customer is communicating with which IPs (hosts) on the Internet, or which are the most used IPs in the customer network?
I want to see social media traffic usage on specific routers or interfaces.
I need a traffic distribution report by packet size, IP protocol, port numbers for customers,
peers, interfaces etc.
What applications are being used by routers, interfaces, customers, peers etc?

Benefit Realization from Sightline
How to save money
Background
Downstream ISP is using Sightline
⚠Transit traffic volume increased by 18%

Sightline Traffic Visibility


• Clearly identified biggest contributor on transit links

Solution
✓ New CDN pays for an on-net cache
✓ The MMO game now peers at operator’s IXP (Internet Exchange Point)

Transit traffic reduced to < 35%; gaming and streaming performance improved


An ISP is using Sightline and notices an 18% traffic volume increase in its transit links.
Sightline can provide you a breakdown of the transit links’ utilization historically, so customers have an idea of which links are being used for which applications.
After discovering which application triggered the traffic increase, more internal discussions concluded that last month some streaming services changed CDN (Content Delivery Network).
As a result of the CDN change, a new MMO (Massively Multiplayer Online) game increased transit traffic significantly.

MMO Game: A massively multiplayer online game (MMOG, or more commonly, MMO) is an online game with large numbers of players.

The MMO Game provider welcomes installing cache servers in the ISP network.
Caches both reduce traffic for MMO games on the transit links and increase gaming quality.

Sightline Reports
Accessing Data

• Pre-Defined Reports
• Custom Reports
• Tools
• Dashboards
• Advanced Reporting
• API, Scripting


You have multiple ways to access Sightline traffic reports and data. Pre-defined reports are
located in the Sightline main menu that gives you access to most of the Sightline reports.
Sightline also has various tools to discover traffic for special purposes such as Peering
Evaluation, AS Explorer, Peering Traffic Exchange etc.
You can combine multiple traffic reports in customer reports and run these periodically and
even send notifications or emails to related groups.
Managed objects have dashboards that provide you rich information about the traffic they are
carrying.
If you need traffic reports that do not exist by default, these can be created.
Any data you see on the user interface can be accessed via API and you can use it
programmatically for your own purposes.

Summary

• The visibility from Sightline's perspective was discussed

• We learned how Sightline builds a view of your network

• The technologies Sightline uses when creating reports were seen

• Sightline traffic report use-cases were discussed

• We discovered the methods to access Sightline traffic reports

Unit 2 Sightline Reporting
Overview
Sightline Visibility Course

In this module you will...

• Work with Sightline Pre-defined and Custom Reports

• Work with Sightline Explore Reports

• Learn Sightline report page settings and conventions

• See how to create Custom Reports based on your needs

• Learn how to read reports

Sightline Reports Overview

Pre-defined Reports

Sightline provides 350+ pre-defined reports.
• They provide fast query results
• Traffic data is updated (binned) in 5-minute intervals and further aggregated over time
• Traffic data is stored for up to 3 years

Reports are categorized as but not limited to:
• Network Reports
• Fingerprint Reports
• Application Reports
• Customer Reports
• Peer Reports
• Profile Reports
• Interface Reports
• Router Reports


Sightline provides more than 350 pre-defined reports. These are fixed reports, so Sightline can
provide fast query results.

Besides the pre-defined reports, you can also create custom reports. These can be scheduled
or run on an ad-hoc basis.

Traffic data is stored in a round-robin database at 5 minute intervals and data points get
aggregated over time depending on the report time period chosen.

All data is stored in Coordinated Universal Time, also known as UTC. Reports are
automatically adjusted to User Time Zone Settings.

Custom Reports

Custom Reports allow you to create customized reports and to schedule report
generation, either on a recurring basis, or you can run them ad-hoc.

Custom Reports can be built and executed in different ways:

Sightline Reporting: Wizard Report, Classic XML Report
External Reporting: SOAP API, Rest API


In addition to the predefined reports, users can also create Custom Reports according to their needs. Reports are divided into:

- Sightline reporting including Wizard Reports and Classic XML Reports
- External reporting that uses a SOAP API or Rest API to create and download the Custom Reports. They can be processed or integrated into existing customer reporting portals etc.

Working with Pre-defined Reports

Pre-defined Reports Features

• User friendly
• Selectable time frame
• Graph elements are user selectable
• Pre-calculated data from collectors
• Provides two facet traffic reporting
• Sightline + Insight allows multi-facet
reporting


Pre-defined traffic reports:

- Are easy to use
- Provide selectable time frames with predefined and customized settings
- Have graph elements that can be enabled or disabled
- Show table data that is built on request by the appliance
- Provide two facet traffic reporting
- With Insight, allow multi-facet reporting

Pre-defined Reports Display Information
Report Name - Provides information on one or two dimensions that are currently displayed

+ Out Part - Data above the center line represents outgoing/sent traffic (TX)

- In Part - Data below the center line represents incoming/received traffic (RX)

Traffic for Network in relation to Routers


The report name provides information on the dimension(s) used, for example Network in
relation to Router, or Network in relation to Interfaces. In the stacked graph, the portion above
the center line represents outgoing traffic, and the portion below the center line represents
incoming traffic.

Pre-defined Reports Graphed Items
Select or deselect the items to use in your report

Click on Update button to apply the selections

- Graph data
- Sum of selected items

To compare selected “Sum of selected items” to the Network Total graph

- Select the Network Total checkbox
- Click Update

Change displayed Items


The table provides traffic information for each monitored item. If there are more than 5 items,
Sightline selects the Top 5 items by default. The maximum number of items for which Sightline
can draw graphs is limited to 10. You can select or deselect items in the table to reduce or
enhance visibility in the graph. To apply changes, press the Update button.

If you want to compare your selected item with the Total Traffic, you can enable the Network
Total which provides a line in the graph for the total network traffic IN and OUT.

Pre-defined Reports Period - Today

Timeframe: Today
• Provides a quick view on
the current usage
• Helpful to investigate
high usage within the
last 24 hours
• Not useful for capacity
planning or forecast /
trends
• Data displayed for
“Today” has a 5-minute
granularity
Time Selection: Today (24h ago from now)


You can change the “Time” period which is covered by any of the reports.

By default, Sightline selects “Today” as the displayed period, which provides graph and table
data for the last 24 hours from the time the report is executed.

It is useful to give a quick overview of today's utilization, but not very helpful for capacity planning or to build forecasts/trends. These should always use a much longer period of time (≥ month).

Pre-defined Reports Period - Yesterday
Timeframe: Yesterday
• View of traffic for the 24
hours of the previous
day
• Similar use as the Today
timeframe - useful to see
5-minute traffic spikes
• Not useful for capacity
planning or forecast /
trends
• Data displayed in this report has a 5-minute granularity
Time Selection: Yesterday (Full 24h from previous day 00:00 – 23:59)


The “Yesterday” period covers the full 24 hours of the previous day, from 00:00 to 23:59 UTC
(default) or the user’s specified time zone.

This period is useful to spot peaks in your network but as with the “Today” period, it should not
be used to plan your capacity because it provides only a short-term view.

Pre-defined Reports Period – This Week
Timeframe: This Week
• Covers traffic from the
last 7 days / 168 hours
• Useful to see typical
weekly usage and to
identify changes or
recurring peaks
• Data using this
timeframe has a
granularity of 30 minutes
- Short-lived peaks are
not visible
Time Selection: This Week (7 days ago from now)


The “Week” period covers 7 days ago from the time the report is executed.

This period provides information on typical weekly usage, and it can spot changes in the traffic
or recurring peaks, eg:
Customer high traffic on Monday to Friday, Saturday and Sunday less or no traffic, normal
office hours traffic etc.

The data granularity is 30 minutes. This means the system creates an average out of six five-
minute samples. Short peaks will not be visible.

Pre-defined Reports Period – This Month
Timeframe: This Month
• Provides traffic data for
the last 28 days
• Useful to see changes
over a longer period and
to identify hotspots
• Data using this timeframe has a 120-minute granularity

Note: This Month always refers to a fixed value of 28 days
Time Selection: This Month (28 days ago from now)


The “Month” period spans over the last 28 days.

Important: 1 week equals 7 days. 1 month has 4 weeks so this is always a fixed value of 28
days.

Useful to see changes over a longer period and to identify hotspots; can be used to plan
capacity.

Data granularity is 120-minutes. Sightline takes four 30-minute samples and builds the
average. Short peaks which can exhaust your capacity could be missed.

Pre-defined Reports Period – This Year
Timeframe: This Year
• The Yearly view provides
information on changes
over last 52 weeks
• Helpful to see trends /
changes over a longer
period
• This timeframe provides
a granularity of 24 hours
- Not helpful to identify
short lasting peaks or
changes
Time Selection: This Year (last 52 weeks)


The “Yearly” period provides a view on the last 52 weeks, which is helpful to see trends and
major changes over a longer period. Because this view provides a granularity of 24 hours, or
traffic for one day, it may not be helpful for capacity planning as peaks in traffic during the day
will be smoothed over.

Pre-defined Reports Period – Custom
Custom time period

Use phrases to identify pre-configured ranges:


Start: 60 minutes ago End: now
Start: 1 month ago End: now
Start: 24 hours ago End: 12 hours ago
Start: 10 weeks ago End: 1 week ago
Start: 1 month ago End: now

• Use the Calendar icon to select Start and End Times
• Click the Update Button to apply changes

• These define exact Start and End times to search for specific events
• Click Update to apply changes.


The “Other” time period allows you to specify a Start and End time from the calendar or use
phrases as shown in the example. You can enter phrases such as 4 hours ago and last 3
hours.

Pre-defined Reports Period using Zoom
Zoom into the graph
• Pick a range to zoom into the report
• Data gets updated immediately
• 5 Minutes is the shortest Period
• Peaks can be missed
• Deselect (hide) items to focus on what is important for your report
(Graph callout: “something happened here”)
Zoom into the Graph


You can use the zoom function to drill into specific areas of your reporting graph. Once you
have selected the zoomed time range in your graph, Sightline will update graph and table
immediately. To narrow down your report, you can deselect the reported items. The table gets
updated after pressing Update button.

Report Data Granularity
Data granularity changes over Time

Time period    Granularity    Maximum age of data
Today          5 minutes      14 days
Yesterday      5 minutes      14 days
2 days ago     5 minutes      14 days
1 week         30 minutes     8 weeks
4 weeks        120 minutes    6 months
52 weeks       24 hours       3 years
Other          varies         varies

Example: If you select Today for the time period, the report includes data for the previous 24 hours
with a 5-minute granularity. If you select a start time of 10 days ago and a stop time of now, Sightline
returns samples with a 30-minute granularity.


Sightline stores all data for traffic reports in a round-robin database. This table shows how
Sightline returns data based on the time period of a report and how long Sightline stores the
data.

Pre-defined Reports Graph Type - Stacked
Stacked is the default view and it provides IN and OUT traffic simultaneously
• Helpful to view Total Traffic over all selected items to spot major contributors
• Changes to the selection requires a click on the Update button


The default graph type for traffic reports is a stacked graph, it provides IN and OUT traffic
simultaneously.

Pre-defined Reports Graph Type - Bar
Provides traffic for IN, OUT or Total separately
• Allows a better comparison of traffic distribution

Pre-defined Reports Graph Type - Pie
Graph Types – Pie Graph
Provides separate information for IN, OUT and Total
• Gives a percentage overview for each graph
• Useful if you have no more than 5 items you want to compare
• Maximum of 10 items can be plotted


As for the bar graph, the pie graph provides a traffic view for IN, OUT and Total. It gives a
percentage overview for each selection. This is useful if you have no more than 5 items you
want to compare. A maximum of 10 items can be selected.

Pre-defined Reports Traffic Calculation - Current
Displays the values of the most recent 5-minute sample
• Only available if the Today time period is selected
• Not applicable for reporting or capacity planning

Current Out/Sent Traffic

Current In/Received Traffic


Each report can provide different traffic calculations which take effect on the data. The graph is updated when you select one of the four calculation options. The Current calculation shows data based on the most recent 5-minute sample. The Current calculation is only visible and selectable if the time period is specified as Today. The Current calculation is not useful for reporting or capacity planning.

Pre-defined Reports Traffic Calculation - Average
Displays the average of all samples for the selected time period
• Useful to see typical utilization over a longer period - 1 week / 1 month
• The network should be able to transport the average traffic without any bottlenecks

Average Out/Sent Traffic

Average In/Received Traffic


The Average calculation provides the average for all samples for the selected time period.
Average is useful to see typical utilization over a longer period, like 1 week or 1 month. The
network should be able to transport the average traffic without any negative impact.

Pre-defined Reports Traffic Calculation - Max
Displays the maximum of all samples for the selected time period
• Separately for IN and OUT values
• Helpful to identify peaks and bottlenecks in the network

Max Out/Sent Traffic

Max In/Received Traffic


The Max calculation displays the maximum of all samples for IN and OUT separately. Because
of the nature of traffic flow, the time of the observed maximum incoming traffic can differ from
the time of the observed maximum outgoing traffic. The Max calculation is used to identify
traffic peaks and bottlenecks in the network.

Pre-defined Reports Traffic Calculation – PCT95
• A common method to calculate bandwidth usage for customer/peering reports
• A fair method due to it more closely reflecting the required capacity of resources

PCT95 Out/Sent Traffic

PCT95 In/Received Traffic


The 95th percentile or PCT95, is a common method used to calculate bandwidth usage for
traffic accounting and service level agreements (SLAs). Use PCT95 for customer and peering
reports. It is a fair method because it closely reflects the required capacity of resources. The
next slide illustrates how the 95th Percentile data is calculated.

How is 95PCT built?
Traffic above the red line is ignored
[Figure: panels “Measured Data” and “Sorted Data”, each with a y-axis from 0 to 160 and an x-axis of samples 1 to 100; annotation: “This is the 95th Percentile (95PCT)”]

Let's assume we have a graph like the one above. For the sake of simplicity, we take 100 measure points. Traffic is varying and we have some peaks and troughs.

Data values are sorted and ranked and the 95th percentile value is taken. This is a common method used for capacity planning and billing IP transit utilization.


For 95 Percentile, measured data values are sorted and ranked. Assuming we have 100 data
points, the system draws a notional line at the 95th value. The highest 5% of traffic is not used
for calculation.

The 95th percentile says that 95% of the time, the usage is at or below this amount.
Conversely, 5% of the samples may be bursting above this rate.
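
The sort-and-rank calculation described above, together with the averaging that the Week and Month periods apply to 5-minute samples, as an added example that is not part of the course material or of Sightline's own code. The nearest-rank percentile rule, the function names and the 100 constructed Mbps samples are assumptions made for illustration.

```python
"""Added example: PCT95 and report granularity on constructed 5-minute samples."""


def pct95(samples):
    """Sort and rank the samples and return the value at the 95th-percentile rank.

    Nearest-rank rule (an assumption; the page only says the values are sorted
    and ranked): with 100 samples the 95th sorted value is returned, so the
    highest 5 samples are ignored.
    """
    if not samples:
        raise ValueError("pct95 needs at least one sample")
    ranked = sorted(samples)
    rank = (95 * len(ranked) + 99) // 100  # ceil(0.95 * n), 1-based rank
    return ranked[rank - 1]


def rebin_average(samples, factor):
    """Average consecutive groups of `factor` samples.

    factor=6 turns 5-minute samples into 30-minute points; factor=4 on those
    turns them into 120-minute points. A short final group is averaged over
    the samples it actually contains.
    """
    if factor < 1:
        raise ValueError("factor must be >= 1")
    points = []
    for start in range(0, len(samples), factor):
        group = samples[start:start + factor]
        points.append(sum(group) / len(group))
    return points


def peak_by_granularity(samples_5min):
    """Return the highest visible point at 5-, 30- and 120-minute granularity."""
    thirty = rebin_average(samples_5min, 6)      # six 5-minute samples
    one_twenty = rebin_average(thirty, 4)        # four 30-minute samples
    return {5: max(samples_5min), 30: max(thirty), 120: max(one_twenty)}


def build_samples():
    """Constructed data: 100 five-minute samples in Mbps.

    A repeating 40..76 Mbps ramp with five short bursts of 150 Mbps.
    """
    samples = [40 + 4 * (i % 10) for i in range(100)]
    for burst_index in (12, 37, 38, 61, 90):
        samples[burst_index] = 150
    return samples


SAMPLES_MBPS = build_samples()


def summarize(samples):
    """Compute the Average, Max and PCT95 calculations for one sample series."""
    return {
        "average": sum(samples) / len(samples),
        "max": max(samples),
        "pct95": pct95(samples),
    }


if __name__ == "__main__":
    stats = summarize(SAMPLES_MBPS)
    print("Average: %.2f Mbps" % stats["average"])
    print("Max:     %d Mbps" % stats["max"])
    print("PCT95:   %d Mbps (the five bursts are ignored)" % stats["pct95"])
    for minutes, peak in peak_by_granularity(SAMPLES_MBPS).items():
        print("Peak visible at %3d-minute granularity: %.2f Mbps" % (minutes, peak))
```

On this data the 150 Mbps bursts set Max, are excluded from PCT95, and shrink to well under 100 Mbps once the samples are averaged into 30-minute and 120-minute points, which is why short-lived peaks are not visible in the longer report periods.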

Working with Explore Reports

Explore Traffic – New Style of Reports

• User friendly
• Modern style and technology
• Quick responding
• Reports are built by browser
• Removes load from
appliances

Pre-defined reports are being mapped to the Explore page – some predefined reports have already migrated

If a pre-defined report has migrated, you will be redirected to the Explore Traffic page with the correct filter(s) applied


Starting with Sightline 9.3, pre-defined reports began to migrate into latest generation reports. If a selected report has already been migrated, it will be redirected to the Explore Traffic page. Latest generation reports are built by the browser, so they are much faster to build, which gives a better user experience.

Explore Reports – Using Filters

Now with the ability to add multiple values

FILTER1 (Mandatory): select your primary point of view

FILTER2 (Optional): depending on FILTER1 selection you can define more precise criteria

Values (Optional): multiple selections are possible
Update is required

Changes to any of the settings on Filter / Time Period / Units are reflected in Graph and Data values once the Update button is pressed.


The Explore Traffic page has two filters. Depending on which Type is selected in Filter 1, there
are additional options available for Filter 2. In contrast to pre-defined reports, values for each
filter can be selected to narrow down the report.

Explore Reports – Using Time Selector
• The time selector is similar in
use as previously described
• Selecting a pre-defined time
period displays corresponding
Start and End Date
• Select Done and Update to
apply your selection

COPYRIGHT © 2021 NETSCOUT SYSTEMS, INC. 29

As with the standard reports, Explore Reports allows the Time Period to be specified by
selecting a predefined period or selecting the dates from a calendar. Graph and traffic data are
updated with the Update button.

Explore Reports – Zoom into the Graph
Select the time range to zoom. The date and time are updated and displayed in the Time field.
The Update button color will change to green; click Update and the graph refreshes.

As with pre-defined reports, you can also zoom into any time within the graph. Make sure to
click the Update button to refresh the graph and table details.
Please note that the shortest time frame for which Sightline provides data is 5 minutes.

Explore Reports – Detailed Graph Settings
Hover the mouse over any point in the graph to view detailed traffic data for the selected
items


In the Explore page, hover over the graph with the mouse. Detailed information for that time,
for all selected Items, is displayed.

Explore Reports – Changing Data Calculation
• Changing the graph calculation updates the resulting data values immediately
• Current calculation is renamed to Last


Changing the calculation method, Last (Current), Average, Max, PCT95, and Total,
immediately updates the table below.
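
The Last, Average, Max and PCT95 calculations named above, together with the 95th-percentile rule from the earlier slide, worked through as an added example (not part of the course material and not NETSCOUT code). It assumes the nearest-rank percentile method and Mbps rates in constructed 5-minute bins; all function names are hypothetical.

```python
"""Added example: report calculations over 5-minute traffic bins (constructed data)."""

BIN_MINUTES = 5  # shortest time frame the course says Sightline provides data for


def pct95(samples):
    """Nearest-rank 95th percentile (an assumed method, not NETSCOUT's code).

    Sort the samples, ignore the highest 5%, and return the highest value left.
    With 100 samples this is the 95th value in ascending order.
    """
    if not samples:
        raise ValueError("at least one sample is required")
    ordered = sorted(samples)
    rank = (95 * len(ordered) + 99) // 100  # ceil(0.95 * n) in integer arithmetic
    return ordered[rank - 1]


def ignored_bins(sample_count):
    """How many of the highest bins PCT95 leaves out of the calculation."""
    return sample_count - (95 * sample_count + 99) // 100


def summarize(samples):
    """Last, Average, Max and PCT95 for one tracked item (rates in Mbps)."""
    return {
        "last": samples[-1],
        "average": sum(samples) / len(samples),
        "max": max(samples),
        "pct95": pct95(samples),
    }


def bins_above_pct95(samples):
    """Indexes of the bins that burst above the PCT95 line."""
    line = pct95(samples)
    return [i for i, rate in enumerate(samples) if rate > line]


def build_day(burst_bins):
    """Constructed 24 h of 5-minute bins: ~100 Mbps baseline plus one 900 Mbps burst."""
    day = [100 + (i % 12) for i in range(24 * 60 // BIN_MINUTES)]  # 288 bins
    for i in range(120, 120 + burst_bins):  # burst starts at 10:00
        day[i] = 900
    return day


if __name__ == "__main__":
    for label, burst in (("50-minute burst", 10), ("100-minute burst", 20)):
        day = build_day(burst)
        stats = summarize(day)
        print(label, stats, "bins above PCT95:", len(bins_above_pct95(day)))
    hidden = ignored_bins(288)
    print(f"PCT95 ignores the top {hidden} bins ({hidden * BIN_MINUTES} minutes) per day")
```

In the constructed day, a burst of up to 14 bins (70 minutes) leaves PCT95 at the baseline while Max shows it, so a short traffic spike is only visible in the table when the calculation is switched to Max.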

Explore Reports – Change Tracked Items
Changing the tracked item will immediately update the graph and data view without
clicking Update


If you select or deselect items in your report, the graph and table will automatically update.
There is no need to press the Update button.

Explore Reports – Stacked Graph

• Default view; provides IN + OUT traffic simultaneously
• Change direction: IN, OUT and IN + OUT

The default graph type for traffic reports is the Stacked Graph. It shows IN and OUT traffic
simultaneously, and the view can be changed between IN, OUT and IN + OUT. For stacked
graphs, note the following information:

• Data above the center line represents outgoing traffic, and data below the center line
represents incoming traffic
• Sightline converts all data to the configured time zone that is selected in the current user
profile
• The Total row, the last row of the data table, displays the total traffic of the target object

Explore Reports – Line Graph

• Draws a line for each selected Item
• Focuses on IN or OUT direction
• Provides a better comparison of traffic than stacked

The Line Graph draws a line for each reported item, based on the monitored traffic.
It provides a better view of traffic per item than a Stacked Graph.
You can also change between IN, OUT and IN + OUT reporting.

Explore Reports – Bar Graph

• Allows selection of direction IN, OUT or IN + OUT
• Allows better comparison of traffic distribution
• Graph is updated immediately

Explore Reports – Pie Graph

• Useful if you have no more than 5 items to compare
• Maximum of 10 items can be drawn
• Gives a proportional overview on distribution

As with the bar graph, the Pie Graph provides graphs for IN, OUT and IN + OUT (Total). It gives
a proportional overview of the distribution, which is useful if you have no more than 5 items to
compare. A maximum of 10 items can be drawn, but the more items selected, the harder the
graph is to read.

Explore Reports – Relationships Graph

• Provides a Sankey Diagram with a direct view of traffic distribution
• Visualize the volume of traffic moving between the two filters

The Sankey Diagram gives a view on the traffic relationship between Filter1 on the left side
and Filter2 on the right side. This type of diagram is also used in Insight.

Additional Reports

My Sightline Page
The My Sightline dashboard contains different customizable modules that display
content of interest to the user. The dashboard modules can be added or
removed as required.

The My Sightline page provides multiple details about the monitored network. It provides a
Network Summary graph which shows the measured traffic from your monitored routers.

My Sightline Page Gadget – Network Summary
Provides a quick graphical overview of network traffic for the past 24h

Graphs:
total = All measured network traffic
in_offnet = Traffic that enters the network through a BGP boundary
out_offnet = Traffic that leaves the network through a BGP boundary
backbone = The total traffic that passes through the backbone and does not leave the network
multicast = The total multicast traffic that enters your network
dropped = Amount of traffic which was dropped by your network
in = The total traffic entering the network through a selected object
out = The total traffic leaving the network through a selected object

My Sightline Page – Module Customization
Click on the Gear Wheel to Edit the Module Settings

• Adjust the Network Summary on My Sightline Page
• Display or hide traffic information (changes are non-persistent)
• The Y-Axis adjusts to fit the displayed traffic providing a comprehensive view
• Customize your My Sightline Page settings by using the Module Settings and make it persistent

Selecting or deselecting the different graphs is non-persistent and resets once you leave
the page. Alternatively, click on the gear wheel and select or deselect the details to make them
persistent for the current user account.

Using Dashboards
• Provides at-a-glance details for various reports but not all

• Use the More Reports tab to get detailed visibility from different aspects, which refer to the pre-defined report type

You can use the various Sightline dashboards to view a summary of the selected report type –
in this example we see the Customer Dashboard. This dashboard provides at-a-glance details
for various reports.

More Reports Tab

• Displays links to and descriptions of other reports that may be of interest to you

• Click on a report to navigate to it

From the More Reports tab you can jump to other reports, all of which relate to the
report type you have selected.
In this example we have selected the Customer Dashboard, and if we use any of the reports
in the More Reports tab, a new report page relating to Customer will open.
For example, select Cities and the Explore page with Filter 1 = Customer and Filter 2 = Cities
will open.

Working with Custom Reports

Custom Wizard Report
• Create custom wizard reports for different perspectives of your network’s traffic.

• Create reports based on your needs

• Can run on a scheduled basis and be sent to a preconfigured notification destination on completion

Administration > Reports

The Configure Reports page (Administration > Reports) allows you to search for, configure,
and view custom traffic reports.

You can use the Configure Reports page to create custom wizard reports about different
perspectives of your network’s traffic.

You can configure classic XML reports using the Configure Reports page. These reports allow
you to generate and export raw XML data with your customized DoS information to integrate
with other reporting tools.

Custom Classic XML Report
Administration > Reports
• Generate and export raw XML data with your customized information to integrate with other reporting tools.

• Can run on a scheduled basis

• Output formats:

- HTML
- XML
- CSV
- EXCEL-XML
- PDF

You can configure classic XML reports using the Configure Reports page. These reports allow
you to generate and export raw XML data with your customized DoS information to integrate
with other reporting tools.

Reading Reports

Reading Reports - Network

Q1: What is shown in this report and what is the relation?

Reports > Network > Summary

A: Network Summary for: Total, IN (received), OUT (sent) and Multicast Traffic

This report shows Network Summary traffic (one dimension). We can find this Report at
Reports > Network > Summary.

Reading Reports - Customer

Q2: What is shown in this report and what is the relation?

Reports > Customers > Summary

A: The Graph provides Traffic Summary for a selected Customer – Time period Yesterday

This report shows Customer Summary traffic for selected customer MSU.
Graph and data values provide information for Time Period Yesterday, the full 24h of the
previous day.

Reading Reports - Peer

Q3: What is shown in this report and what is the relation?

Why do we see this gap?

Reports > Peers > Summary

A: The graph provides Traffic Summary for a selected peer – Time Period last 7 days from now

In this graph we see a Peer Summary report for Peer_ISP_F; Time Period This Week (7 days
ago from now).

We have a gap on the right side because the This Week graph has a granularity of 30 minutes and
graph information is updated every 30 minutes.

Reading Reports – Network Customers

A: This graph shows Network Traffic in relation to configured Customers

The Time Period used is This Month (28 days ago from now)
Packets per second is the selected Unit Type
You can access it through Reports > Network > Customers

What is shown in this graph?


Network Traffic in relation to configured Customer Managed Objects. We can access this
graph through: Reports > Network > Customers. The Time Period is This Month (28 days ago
from now as the start point). Selected Units is Packets per Second.

Sightline Reports – Share as Email
You want to send the shown report as email

If you click on the icon, you can send the shown report as email.

Sending the page as email will create a PDF which contains the same content as the shown page. This works on any page.

You can send the report page as a PDF directly from the page itself. This is useful to provide a
quick report to the requester.
You must have a valid SMTP server configured.

Sightline Reports - Download

You want to download the shown report

If you click on the icon, you can download the shown report as:

Fixed Format. Same as page view

Extensible Markup Language

Human and machine-readable

Comma Separated Values

Can be opened directly in Excel

You can download reports in different formats.

PDF is a fixed format and has the same content as the page view.
XML, CSV and Excel-XML formats allow you to integrate or process the data with your own
tools, e.g. a customer report dashboard or billing system.

Sightline Reports - Help
? Use the Online Documentation

If you need more Information you can hover over the Information Icon

Most of the reports provide detailed information on what the graph is representing and what is used as a reference point.

If you click on the icon Sightline opens the Online Documentation. This option is context sensitive.

You can use the information icon available on most Sightline pages to get quick information
about that page.
If you want to consult the System User Guide, you can use the question mark icon, which
opens the User Guide in a context-sensitive manner.
Explain the context-sensitive manner, i.e. the help for the particular graph.

Knowledge Check
Reporting Overview
Q1: What is a useful calculation selection for capacity planning?
a) Average
b) Current
c) Max
d) Total
Q2: When is 95PCT calculation used?
a) Peering Capacity Planning
b) Paid Peering Billing
c) Backbone Capacity Planning
d) Customer Billing
Q3: What is the update (binning) Interval for traffic reports?
a) 30 Seconds
b) 1 Minute
c) 5 Minutes
Q4: What is the maximum number of facets which can be used for traffic reports in Sightline without Insight?
a) 1
b) 2
c) unlimited

Solution: Q1 = A ; Q2 = B + D ; Q3 = C ; Q4 = B

Summary

• Operating Sightline Pre-defined and Custom Reports

• Working with Sightline Explore Reports

• How to make sense of report page settings and results

• How to create your own reports and customize report modules

• How to read and comprehend Sightline reports

Lab Exercise
Lab 1: Sightline Reporting Overview
• Online Lab Access: https://portal.ne.netscout.com/
• Environment: Sightline
• Credentials: Provided by the Instructor
• Time to Complete: 45 minutes
• Lab Objectives:
– Compare Predefined Reports and Explore Reports
– Create specific Reports from the Explore Traffic Page
– Create and Share a Report
– Work with the Online Help

Unit 3 Network Visibility and Reporting
Sightline Visibility Course

In this module you will…

• Explore the basics of network reporting on Sightline

• Learn graph and traffic data layout

• Use reports to answer questions about your network

• Explore the report dashboards

• Compare pre-defined reports to Explore reports

Network Reporting Overview

Network Reports
Understanding Network Traffic Reports

Network traffic reports provide details of traffic sent and received by the monitored network.

It includes bi-directional traffic crossing the network from Customers, Peers, Services etc.

The network is defined by the Boundary where Sightline counts network traffic.

Network reports are based on traffic IN and OUT of the network.
It can be Customer, Services or Peering traffic.
The network is defined by the Boundary. Here Sightline counts Traffic IN and OUT.

Understanding the Graphs

Traffic Directionality
Question: Which type of network is shown below?
Traffic directionality can offer pointers to the type of network or service


The Network Summary page provides an overview on the total traffic entering and leaving the
network. Additionally it shows the combined Traffic IN + OUT and multicast traffic.

Is the Network a Consuming or Delivering Network?
To answer this, we need to understand the graph result

+ Out = Sent by your Network

- In = Received by your Network

Top 5 selected by default

Ordering based on % Total, can be changed

Most reports provide traffic data for Top 5 Applications, Customer, Interface, Router…

Further Information
What else can be found in the reports?
Have a closer view of the Network Applications report

Sometimes it's a good practice to change Units from bps to pps.

It's not always the Top Applications that have the highest packet rate.

What does other TCP/UDP mean?

The other TCP / other UDP refers to traffic seen for protocols/ports not defined in the Name Mappings list.

To define your own Name/Number Mappings go to Administration > User Interface > Name/Number Mappings

The Applications Report will help you to view traffic for known applications. It references the
Name Mappings List which can be viewed and changed under Administration > User Interface
> Name/Number Mappings.

Using Reports to answer your
Questions

Reports – Top Routers
Which router has the highest traffic throughput?
Based on the answer in the previous slide can you identify if the top router is
receiving or sending traffic from/to external networks?

The Network Routers report provides information on the amount of traffic sent and received by each router.

Default order is based on the sum of IN + OUT.

If more than 5 routers are monitored by Sightline, this report selects the Top 5 routers.

The Network Routers report shows traffic from every router which is sending or receiving traffic
from/to external networks.

If Sightline sees external traffic from more than 5 routers it will select the top 5 by default. You
can modify the selection to focus on the routers you are most interested in. Once changed, you
have to press Update to refresh the graphs.

Reports – Top Interfaces
Can you confirm that the top router also has the top interface?

This report shows top interfaces for received and sent traffic.

This report uses the so-called Network Boundary to understand if traffic is received or sent from your network perspective

Because Sightline uses SNMP to gather router Information, we provide Interface Name and Description

Like the Network Router report, Network Interfaces shows each interface on which Sightline
has seen traffic received or sent to/from the network. It preselects the top 5 interfaces by
default.

You can change the selected interfaces you want to focus on. You need to press Update to
refresh the report.

Reports – Top Countries
Where is your traffic coming from or going to?

Sightline has a built-in IP Location mapping database.

This report provides the traffic broken down by the external country of origin.

Additionally, it can contain traffic information for:
• Anonymous Proxy
• Satellite Provider
• Europe (EU)
• Asia-Pacific (AP)

The Network Countries report provides you information on traffic by external country.
Besides countries it can also contain the following information:
• Anonymous Proxy = Traffic from known Anonymous Proxies
• Satellite Provider = Represents Satellite Providers
• Europe (EU) and Asia-Pacific (AP) = these locations appear when the end user location is
unclear, e.g. a corporate proxy that is located in Paris, France could be listed as Europe if the
actual users connect from different parts of Europe. Because the traffic originates from various
places in Europe, “Europe” is used for the country and not France.

Reports – Regions/Cities
What are the top regions and cities?
Besides country reports you can get reports for top regions and cities

Gives an overview on traffic split by region and city.

Can be used to plan network expansions.

Can help to optimize network and service performance.

Traffic is counted for this report if it crosses the global network boundary.
Regions and City data is obtained through network boundary data. If a city is not within your
network boundary, then Sightline cannot obtain data about it.

Real World Example #1
You get asked to provide a report for top origin networks
First, you need to ask: which report can provide the answer?
Hint: You want to see which network (ASN) is receiving or sending most traffic

Provides a list of networks receiving or sending traffic.

Top 5 ASN preselected by default based on Total (In + Out).

This report does not require managed object configuration.

In this example you want to answer a question on top Origin Networks. This Report is related
to External Networks with which your network exchanges traffic.
Reports > Network > BGP > ASNs Origin
This report shows traffic exchanged between your network and external networks based on the
Origin AS Number.
This report does not require managed object configuration.

Real World Example #2
Your manager asks for a report on top customers using your network
Where can you find this predefined report?

Is this customer using your network to send or receive traffic?

Which time period would you choose to create your report?

Requires a configured Customer managed object.

Reports > Network > Customers

As another example, we need a report which shows the top customers using your network.
This predefined report will show you the customers receiving or sending the most traffic. You
must have managed objects configured for each customer.
As a time period you should use at least one week; otherwise you can miss changes. Some
customers may have specific peak times or days.

Real World Example #3
Your sales team asks about customers using IPv6
IPv6 Summary Report is a good point to start

Where do I find this report?

Is this customer using your network to send or receive traffic?

Are the top customers for IPv6 also top for IPv4?

Reports > IPv6 Summary > IPv6 Transition

The IPv6 report under Reports > IPv6 Summary > IPv6 Transition shows you which customer
managed objects have IPv6 traffic and compares it to the customer's total traffic.
The report requires configured managed objects and traffic needs to cross the interface
boundary.

Working with the Report Dashboard

Network Reports Dashboard - Summary
Working with the Dashboard
The Summary tab displays a graph of your network’s traffic, and a graph of the high and medium importance alerts* that Sightline has generated in the past 24 hours.

Fixed time period - not changeable

*Alerts are not a topic of the Network Visibility and Reporting course content

The Dashboard page gives you a quick overview on different reports.
On the Summary tab you will get the Network Summary report with a fixed time period. If you
want to change the time period, you have to use Reports > Network > Summary.

Network Reports Dashboard - Traffic
Top Traffic Reports

The Traffic tab displays a snapshot of the top external resources and traffic characteristics on your network.

You can use the View All option to get redirected to the predefined traffic report for each resource.

The Traffic tab shows a snapshot of External Resources and Traffic Characteristics. All
information is related to the past 24 hours.
If you use the View All link you get redirected to the predefined Network Reports.
• Top Peers: Reports > Network > Peers
• Top Origin ASNs: Reports > Network > BGP > ASNs Origin
• Top External Countries: Reports > Network > Countries
• Top Applications: Reports > Network > Applications
• Top Fingerprints: Reports > Network > Fingerprints

Network Reports Dashboard – Network Change
Network Change
The Network Change tab provides information on network traffic over the last 2 years

• 24 hours granularity
• 5 minutes granularity
• +/- change in percentage
• In comparison to 2 years change

Network Change shows how network traffic has changed over the last 2 years.
All values are an average.

Network Reports Dashboard – Network Resources
Network Resources
The reports below are quick links to predefined Network Reports

Reports > Network > Peers
Reports > Network > Routers
Reports > Network > Interfaces
Reports > Network > Profiles
Reports > Network > Customers

This screen shows you the available shortcuts related to Network Resources reports. Each
shortcut redirects you to the predefined report which is located under Reports > Network….

Network Reports Dashboard – More Reports
More shortcuts to other available predefined reports

BGP Traffic Information
• ASN (All)
• ASN (Origin)
• ASN (Peer)
• AS Path
• BGP NextHop
• BGP Prefix
• Communities

Services and Applications
• Applications
• DSCP
• Type of Service
• Type of Service (DTRM)
• Type of Service (IP Precedence)

IP Information
• ICMP
• IPv4 TCP Apps
• IPv4 UDP Apps
• Packet Size
• Protocol

IPv6
• IPv4 vs. IPv6 Comp.
• IPv6 Summary
• IPv6 TCP Apps
• IPv6 UDP Apps

Geographic Information
• Cities
• Countries
• Regions

Other
• BGP Instability
• Arbor Flow
• BGP Instability Alert
• BGP Navigator
• Explore Forensics
• Explore Forensics IPv6
• Explore Traffic
• Flow Tuning
• Interface Status %name%
• IPv6 Transition
• OSPF Link State Database
• Summary
• System Logging for %name%
• Traffic by AS Pairs

In addition to the Network Reports, we have quick links available for all listed reports.

Exploring Network Trends

IPv6 Traffic – Summary
Summary tab
The IPv6 Transition report provides you a view on the current IPv6 traffic on your network

On the Summary tab you can view IPv6 traffic based on the selected time period.

It also contains information on the number of customers and peers using IPv6.

Besides IPv4 reports and statistics, Sightline provides a view based on IPv6 traffic.

On the Summary Tab you will find the total IPv6 traffic in your network which contains native
and tunneled IPv6 traffic like Teredo.

Current IPv6 traffic and IPv6 share of all network traffic provide data only if the time period is
set to today or yesterday.

IPv6 Traffic – Trend analysis
6-month growth
The IPv6 Transition report provides you a view on the current IPv6 traffic on your network

The 6 Month Growth tab compares IPv6 and total network traffic.

It shows 6-month growth based on the last 6 months and uses daily average values to draw the projection line.

The red dots indicate 1, 3 and 6 months.

6 Month Growth gives you an understanding of how IPv6 traffic is changing compared to your
overall traffic. This can help you to plan the IPv6 capacity in your network, such as peering or
transit expansions.

IPv6 Traffic - Contributors
Internal and external contributors
Besides IPv6 total traffic and growth it provides reporting on:

Which of my customers are using IPv6 compared to IPv4?*

Which of my peers are using IPv6 compared to their total traffic?**

*requires customer managed object
**requires peer managed object
Configuring managed objects is not part of this course.

If you want to see which customers or peers are using IPv6 you can use the Peers Using IPv6
tab. The graph always shows the peak traffic, whereas the values table displays different values
depending on the selection: Average, Max or PCT95. By default Sightline shows the average
values.

Please note, this report requires that you have configured customer and/or peer managed
objects. Configuring managed objects is not part of the Sightline Visibility Course.

Network Reports
Compare IPv4 vs. IPv6
This report shows the same view as the IPv4 vs IPv6 comparison report on the dashboard

4 different graph types available:
• Stacked (default)
• Bar
• Pie
• Relationships

For some graph types, you can change the view on direction between:
• In
• Out
• In + Out

This report compares your total IPv4 with your total IPv6 traffic.
You can change the graph type to get better visibility. By default, Sightline uses the Stacked
graph. Depending on which type you choose, you can also change the direction between In, Out
or In+Out.

Comparing Reports

Comparing Reports – Network Routers
Network Routers
The next two slides show reports that appear to display the same detail, but…

The Network Routers report provides received and sent traffic by your routers.

It is measured on each interface which connects your network to external networks.


The Network Routers report provides a view of traffic from all routers which have interfaces
connected to external networks (the boundary).
Traffic is measured and reported on all interfaces connected to external networks.

Comparing Reports - Explore
Explore Traffic – Router
Take a closer look at the numbers for In and Out, what can you see here?

This report provides total traffic In and Out from each monitored router.

Unlike the Network Routers report, it shows backbone, customer and peering traffic.


The Explore Traffic Router report shows traffic IN and OUT for all monitored routers, including
those which only transport internal traffic, such as backbone or other service routers.

Comparing Reports – Network Interfaces
Network Interfaces
The next two slides show reports that appear to display the same detail, but…

The Network Interfaces report provides received and sent traffic by router interfaces.

It is measured on each interface which is part of the network boundary.


The report shown lists all interfaces which are part of the network boundary.
The network boundary defines where your network connects to other networks.

Comparing Reports - Explore
Explore Traffic – Interfaces
Take a closer look at the top 5 selected. Any difference?

This report provides total traffic In and Out from each monitored router interface.

It includes backbone interfaces as well as peering interfaces. It shows 100 items.


The Interface report on Explore Traffic shows all router interfaces without taking the network
boundary into consideration. This report shows 100 interfaces in comparison to just 17
interfaces on the previous slide.

The My Sightline Page

Network Reports
My Sightline
In most cases this is your start page if you connect to Sightline.

Statistics and Network Summary information refers to the last 24 hours. This can be adjusted
for Network Summary.

For ISPs, the network traffic values in_offnet and out_offnet are the most important, because
they show what is exchanged between your network and external networks.

Reports > Network > Summary
Use the View Network Summary link to see the predefined report.

My Sightline is the start page if you do not refer to a specific link/page.
It provides a summary view of your network traffic and some security aspects. You can also
customize this page to show what is important to you.
You can enable or disable graph views. One of the most important graphs is the in_offnet and
out_offnet traffic graph.
Offnet is an important consideration because the service provider must either pay for it (transit
traffic for example) or use its resources to support it (settlement free peering for example).
Offnet traffic enters the network from a non-customer or exits the network to a non-customer.
An offnet flow must match a BGP route.
If you use the View Network Summary link, you will be redirected to the predefined Network
Summary report which has fixed graphs.

Knowledge Check
Network Visibility and Reporting Overview
Q1: What is the default graph Type on Explore Traffic reports?
a) Bar
b) Pie
c) Relationships
d) Stacked
Q2: What are the default Units selected for reports?
a) bps
b) pps
c) Bps
Q3: How many top objects are selected by default?
a) None
b) 1
c) 5
d) 10
Q4: Where is Sightline counting traffic for network report?
a) On every router
b) On every switch
c) On every interface
d) On every boundary interface

Solution: Q1 = D ; Q2 = A ; Q3 = C ; Q4 = D

Summary

The basics of network reports

Understanding graphs and traffic data displayed in the reports

How to use reports to answer your questions

How to compare predefined reports with Explore reports

How to make sense of the ‘My Sightline’ page

Lab Exercise
Lab 2: Network Visibility and Reporting
• Online Lab Access: https://portal.ne.netscout.com/
• Environment: Sightline
• Credentials: Provided by the Instructor
• Time to Complete: 45 minutes
• Lab Objectives:
– Understand Network Interface Reports
– Create Network Reports based on Countries
– Work with the Network Dashboard
– Use the Network IPv6 Transition Reports
– Change Settings on My Sightline Page

Unit 4 External Visibility and Reporting
Sightline Visibility Course

In this module you will...

• Explore concepts of external network visibility

• Learn Sightline peer concepts and explore peer reporting

• Explore Sightline BGP relationships and reporting

• Define transit traffic and explore Sightline transit reporting

• Navigate Sightline peer traffic exchange tools

External Network Visibility

Why We Need External Network Visibility

• The Internet is huge
• It is constantly evolving
• It interconnects different networks
• Your network is one of the many on the Internet
• Your network is your business
• External network visibility is a view of your network’s communication with the rest of the world


The Internet is the global system of interconnected networks. The global Internet consists of
tens of thousands of interconnected networks run by service providers, individual companies,
universities and governments. Your network is one of the networks on the internet. Monitoring
your network’s communication with the rest of the internet is called External Visibility.

Comprehensive External Network Visibility

• Helps you to drive new investments

• Increases efficiency

• Enhances end-user experience

• Improves security


The Internet is still evolving. And not just its infrastructure. How we use it and where we use it
are also continuously changing. What might the Internet look like in 10 years? What are some
of the biggest challenges we face, and how can we ensure the continued development of an
open Internet for everyone, everywhere?
The Internet is also a business. Your organization needs business Internet connectivity that's fast,
reliable, and high-quality, at a cost you can afford.
That is why visibility within or outside of your network is important.
Visibility helps you to drive new investments. You must be able to understand how every bit of
data moves across your network if you hope to make the types of improvements and
investments necessary to improve performance.
Visibility increases efficiency and enhances end-user experience. Once you gain granular
insights into your entire network, you can understand how each application, endpoint, user
and service impacts your overall network performance, availability, and connectivity.
This allows you to make intelligent decisions about how to filter traffic, what needs
to be monitored, and where you need to make additional investments to shore up performance
and reduce downtime.
Visibility improves security. You can only secure what you can see. Without the proper
visibility, it can be impossible to identify and patch vulnerabilities in the network to prevent
attacks or quickly respond when attacks do occur.

My Network Connection to the External World

• Each network has partners
• Partners provide internet or content access to each other
• This concept is called Peering
• It is a business relationship
• In summary, my peers connect me to the external world


Each network has partners for special purposes.
Partners provide internet or content access to each other’s networks. The Internet consists of
over 25,000 autonomous systems that independently route traffic. Partnering allows networks
to interact and exchange traffic, allowing traffic to flow from one end user, over the Internet, to
another end user.
This concept is called Peering. It is a business relationship. Companies reciprocally provide
access to each other's customers. Peering is typically a free arrangement, with each side
deriving about the same value from the reciprocal arrangement. If there is not equal value,
sometimes one party or the other pushes for a Paid Peering relationship.
In summary, my peers connect me to the external world.

Sightline Peer Reporting

Peers and the Sightline Peering Edge

Peers are beyond your network edge

Sightline reporting provides:
• Peer traffic visibility
• Analysis of peer relationships
• Analysis of potential peering opportunities
• Capacity planning of peer interfaces
• Visibility into traffic that crosses the network boundary


Peers are beyond your network edge. Peers are how we connect to get traffic to and from the
Internet.
Peer traffic visibility gives you the list of peers and interfaces, where traffic for that peer
is coming from, where it goes, which applications are being used via this peer, and so on.
Peer traffic visibility also helps you analyze peer relationships and see which of your customers
or other resources are using a peer. You can plan peerings regularly.
You can use Peering Reports to examine potential peering opportunities and save money.
You can use peer traffic usage for capacity planning of peer interfaces and to plan investments
in your network, such as new interfaces, expansions and configuration changes.
Peering reports also give you peer visibility at your network boundaries (external communication).

A Peer in Sightline
• Is another BGP domain
• Has its own ASN
• Is directly connected
• Exchanges traffic
• Gives mutual benefits

Diagram labels: My Network, My ISP Network, Internet, Social Media, Streaming, Search Engine

Sightline also provides ATLAS MO for the Over-the-Top (OTT) Services

Legend: Internet Service Providers, Social Media Networks, Search Engine Networks, Video Streaming Networks


A peer is another BGP domain. Once you’ve been approved to peer with a network, you must
configure your router’s peering settings to talk to a specific ASN using Border Gateway
Protocol (BGP).
A peer has its own ASN. To enter into a peering agreement with most Internet service
providers, you must have at least a publicly routed ASN.
A peer is directly connected. When peering is negotiated, a physical connection is required.
Peers exchange traffic. Both parties directly hand off traffic between each other’s resources.
Peering is of mutual benefit. This 'mutual benefit' is most often the motivation behind peering.
ISPs, social networks, search engine networks and video streaming networks can be
considered as peers in Sightline. These networks share content with you or help you to access
certain resources.
Sightline also has the concept of AIF Managed Objects for OTT resources which are
downloaded dynamically via AIF. An AIF MO is not considered a peer, rather a means to
monitor Over the Top services which are discussed separately in another Unit.

My Peers
• Examples of peers are circled using different colors
• Peers are managed objects
– Each peer is configured as a managed object
– They are configured manually
– An ASN or interface can be used to identify peer traffic


Sightline has managed objects of different types. You need to create managed objects to
monitor resources in Sightline.
To monitor your peers, you must configure peer managed objects accordingly, one for each of
your peers.
To match peer traffic, either an ASN or interface match can be used. Interfaces connect my
network to the peer network and the ASN is the peer’s network ASN.
Peers in the diagram are circled with different colors.

My Peers (cont.)
• Who are my peers?
• Who are my top peers?
• View per-peer traffic through the network
• Reports > Peers > Compare Peers
– All peers in one graph
– List your peers
– Compare peer usage

Reports > Peers > Compare Peers

This report shows the list of all manually configured peer managed objects with their traffic
information. You can see each peer’s traffic for IN and OUT directions.
IN and OUT values are from the peer perspective. IN values should be considered traffic
towards your peer. OUT values should be considered traffic from your peer.

Single Peer Traffic
• How much and what types of traffic do I have with a specific (or selected) peer?
– Focus on required peer
– Traffic for a single peer


You may also need to focus on the traffic details of a specific peer. The summary report shows
you the selected peer’s traffic details.

Single Peer Traffic (cont.)
• Reports > Peers > Summary
– Selected peer’s traffic
– Backbone and dropped traffic information


Average, Max and 95th Percentile values for the selected time period are reported for the
selected peer. Backbone shows the traffic passing through backbone interfaces for this peer.
Dropped shows the traffic dropped for this peer.

Peer Traffic by Routers

• Identify peer traffic breakdown by router
– Understand busiest sites
– Useful for traffic load-balancing
– Good resource to understand your peer usage at different geographical locations

Diagram router labels: rtr-sdy-1, rtr-jnb-1, rtr-ams-1


This report shows all the traffic for the selected peer broken down by router. Routers also
identify location and site, so by using the Peer By Routers report you can see your peer’s
traffic breakdown by location and site.

Peer Traffic by Routers (cont.)

• Reports > Peers > Routers
– Peer traffic by routers
– From the peer perspective
• In: Into the Peer
• Out: Out of the Peer


The values in this report are from the peer perspective. In Sightline reports, the first item
(the peer in this case) is called the perspective. The Peer by Routers report can be used for
traffic load-balancing, to identify the busiest routers and move traffic from one router to another.

Peer Interfaces

• Identify interface-wise peer utilization
– Capacity analysis
– Investing plans
– Peak usage time for the peer

Diagram interface labels: ae3.22, irb.1922, irb.21, irb.164


Let us continue to analyse your selected peer’s traffic.
In addition to routers, as we saw on the previous slide, the peer traffic by interface report gives
us more specific information. The Peer by Interfaces report can also be used for capacity analysis,
to find utilized interfaces where you can add more capacity or load-balance traffic.

Peer Interfaces (cont.)

• Reports > Peers > Interfaces
– Peer traffic by interfaces
– From the peer perspective
– Useful for traffic load-balancing
– Layer 3 interfaces


Only Layer 3 interfaces are reported because Netflow is only exported from L3 interfaces. Let’s
assume that you have 2 physical interfaces, and they are bundled as 1 logical interface.
Because the IP is assigned to the logical interface, the logical interface is listed on this report
instead of the physical interfaces.

Peer Traffic by Customer

• The selected peer traffic is utilized by which customers?
– You may pay your peers
– How much is this customer costing me?
– Optimize service to customers
– Are there performance concerns?


Let's further investigate peer usage. You have customers paying you for the service you
provide to them. You may also pay for your peering relationship (Transit or Settlement Free
Peer), or at least dedicate resources to manage and operate your peering environment.
Understanding the internal usage of your peer traffic helps you improve quality, develop
resources and provide a better service to your customers.

Peer Traffic by Customer (cont.)

• Reports > Peers > Customers
– Peer traffic by customer managed objects
– Manually created customer managed objects


Peer Traffic by Customer provides you the list of customers that are using your peer’s traffic.
Customer means the manually created Customer managed objects in this case. IN shows the
traffic destined to the selected peer and sourced from the listed customer. OUT shows the
traffic sourced from the selected peer and destined to the listed customer. These calculations
are done by looking at source and destination IP information of the incoming Netflow packets,
interfaces (peer interface) etc.

Peer Traffic by Internal Resources

• Profile managed objects
– Internal resources
• DNS servers, web servers etc.
– Which non-customer resources in my network are using the selected peer’s traffic?


In addition to customers, you have other resources in your network. These could be DNS
Servers, data centers, downstream ASNs (customers have their own ASN) etc.
These resources are monitored with Profile managed objects (another type of managed
object, like Customer and Peer). Monitoring these resources is also important for better
visibility of your peer’s internal usage.

Peer Traffic by Internal Resources (cont.)

• Reports > Peers > Profiles
– Peer traffic by Profile managed objects
– Profile managed objects are created for WEB, DNS and CACHE resources in this example


This report shows the selected peer traffic utilization by Profile managed object. Profile
managed objects in this example are WEB, DNS and CACHE servers in your network.

Sightline BGP Reports

Intelligence Comes from BGP
• Sightline
– BGP aware
– Correlates Netflow and BGP
– BGP attributes reporting
• Router
– Sends entire BGP table

Diagram labels: rtr-syd-1, rtr-ams-1; BGP table columns: ASN, Prefix, Community, AS-Path, Nexthop


We have seen peer traffic breakdowns at the network edge (router, interfaces) and internal
resources (customer, profile) so far.
Now we will focus on peer traffic breakdowns by external traffic (the Internet side).

Sightline is BGP aware and each monitored router in your network should establish BGP
sessions with Sightline. Each monitored router sends its entire route table to Sightline.
Sightline correlates incoming Netflow data and BGP table attributes to provide rich reports.
This is one of the most valuable features in Sightline.
The BGP route table contains all BGP information such as as-path, community, nexthop and
prefixes. This is all used by Sightline to make it capable of binning traffic for BGP attributes.
For example, how much traffic for my peer originated from ASN X? As there is a BGP peering
relationship, any changes in the BGP network will be reflected in Sightline. This means reports
for BGP attributes will always be up to date.

Binning is grouping data into chunks or "bins" usually defined by time periods. For example,
traffic for the last 24 hours.

BGP Longest Match Rule
• Netflow provides:
– Source and destination IP info
• Sightline stores:
– Matched source and destination IP
– Corresponding router
– Route table
• Report directionality:
– IN: by looking at destination IP
– OUT: by looking at source IP

R1 Flow
source: 1.1.1.1
destination: 2.2.2.2

R1 Route Table
2.2.2.0/24 … BGP Attr.
1.1.1.0/23 … BGP Attr.
1.1.1.0/30 … BGP Attr.
2.2.2.2/16 … BGP Attr.
…


Here is how Sightline bins BGP attributes data.


• When Netflow packets come to Sightline for further processing:
o Source and destination IPs in the Netflow packets are matched against the route table
of the corresponding router
o Corresponding router means: if Netflow comes from Router A, we look at Router A’s
route table
o Once IPs are matched against a route, its BGP attributes are binned for the related
report
o Matching rule is the longest match. It means we always prefer more specific matches
and use this entry's BGP attributes
• IN and OUT directions are also discovered by looking at Netflow source and destination IP
information
o If source IP is matched against a managed object, we say it is OUT from the managed
object
o If destination IP is matched against a managed object, we say it is IN to the managed
object

Peer BGP ASN Origin
• How the ASN Origin report helps
– Load-balancing of traffic over peers - Network Operations
– New investment opportunities - Network Planning
– Tracking of attacks - Security

Diagram labels: APPLE-ENGINEERING, APPLE-AUSTIN, INTERNET
COPYRIGHT © 2021 NETSCOUT SYSTEMS, INC. 25

One of the commonly used reports in Sightline is the ASN Origin report. ASN Origin means the
ASN where the traffic initially comes from.
The communication between the origin of the traffic and the selected peer is shown in this report.
By knowing which ASNs utilize your peer resources, you can load-balance between
different peers, routers, interfaces etc.
Based on this information you can add new peerings for the origin ASN or add more
capacity to the peer resources.
You can also learn which origin ASNs you communicate with during peace time. This is
very useful when an attack brings traffic from different origin ASNs.

Peer BGP ASN Origin (cont.)
• Reports > Peers > BGP > ASNs Origin
– ASNs are derived dynamically from the BGP table
– Internet side ASNs


ASNs are derived from the BGP table dynamically, so once a peer starts communicating with a
new ASN it will appear in the reports.
The ASNs in this case are the Internet side ASNs and not customer or downstream ASNs.

Peer BGP Prefixes

• How can prefix-based BGP reports help?
– Traffic steering
– Security
– More granularity
• Use of route policies to direct traffic

Diagram labels: 17.248.184.0/21, 17.253.24.0/23, traffic steering


BGP Prefixes is another useful report in Sightline.
Instead of a breakdown by an entire ASN, the prefix report is much more granular and gives
prefix-wise traffic utilization for the selected peer.
After validating using Sightline reports, you can direct a specific prefix’s traffic to other peers
using route policies.
In this diagram, it is concluded that Peer_IXP traffic is about 99% utilized and some prefixes
need to use another peer.
By considering customer, application and other factors, network operations teams may decide
to move the prefix 17.248.184.0/21:
• To change incoming traffic: the announcement for this prefix is withdrawn from Peer_IXP
(or by manipulating other BGP attributes) and advertised to Peer_ISP_D
• To change outgoing traffic: the local preference for the Peer_ISP_D for the selected
prefix can be increased (several other methods are applicable)
Finally, all traffic for 17.248.184.0/21 is directed from Peer_IXP towards Peer_ISP_D.

Peer BGP Prefixes (cont.)
Reports > Peers > BGP > Prefixes

Internet side prefixes


Internet side prefixes (originated from another ASN on the Internet) are reported for the
selected peer.

Peer Traffic by Country

• Sightline has a Geolocation database
• Country-wise peer reports can help
– Use for peace time versus attack time comparisons
– Traffic distribution by country


Apart from dynamic BGP reports, Sightline has a GeoIP database. The GeoIP database
gives you country, city, and regional breakdowns for the resources.
It is very useful to know which countries you are communicating with during peace time to
understand anomalies when attacks occur.

Peer Traffic by Country (cont.)

• Reports > Peers > Countries

Other Customer Requirements
The Internet is huge and customers mostly need information that is external to their network
• BGP attributes on the Internet side
• BGP prefix report
– Prefixes on the Internet side
– Prefixes not within your network

Customers also need to know where the traffic goes to after passing their network, in the opposite direction
• Other side of BGP attributes
– Instead of Internet side
– This is called transit reporting


BGP attributes reporting is one of the most widely used reports in Sightline. We mostly focus
on BGP reports showing us a breakdown of the Internet side traffic.
This is an important requirement for customers because they need to understand where they
are communicating with the Internet.
It is useful to know Internet side reports for operational and security purposes.
Customers are also interested in how traffic is distributed in their networks. Where does traffic
go to? Which of my customers and internal resources are using traffic?
We call these reports “Transit Reports” and we will cover these in the next section.

Lab Exercise
Lab 3

• Environment Used: https://portal.ne.netscout.com
– Instructor will provide usernames and passwords
• Estimated Time to Complete: 30 minutes
• Lab Objectives:
– List your network peers
– Find the busiest peer
– Find the busiest peer’s busiest interfaces
– Show peer traffic usage breakdown
– Traffic Steering


• List your network peers
• Find the busiest peer in terms of total traffic utilization
• What is the average, max and 95th percentile value of the traffic destined to the biggest peer
for the last month?
• What is the busiest interface of the busiest peer?
• Which customer is using Peer_IXP traffic the most?
• Your network uses Peer_ISP_D to communicate with which ASNs on the Internet?
• Peer IN traffic reached its maximum level and I would like to find the prefix using maximum
traffic to use another peer when destined to it. For which prefix do I need to change routing
policy?
• What are the Top 3 countries from which Peer_IXP traffic originates?

Sightline Transit Reporting

What is Transit Traffic?

• When your network is neither the source nor the destination for the traffic
• A business for an ISP – IP transit service
– You can sell your IP transit service to your enterprise customers, regional providers etc.
– You also pay for transit


Your network is neither source nor destination for the traffic. As the wording indicates, traffic is
transiting your network.
Your network is providing Internet or content access to others. It is a service by which
networks have access to the rest of the Internet via BGP.
It is called an IP transit service. In contrast to peering, where networks exchange only their
own customer routes (on a mutual benefit and cost neutral basis), IP transit is a commercial
service whereby one network provides access to the entire Internet routing table (or a subset
thereof), in return for payment.
You can sell your transit service to customers.

Why Transit Traffic Reporting is Important

• IP transit is a metered service
• Who is using my network for transit?
• Transit traffic reporting helps improve the quality of a service offering


IP transit is a metered service. Customers pay for the IP transit service. It is often metered
using the 95th percentile traffic sampling technique.
You need to know who is using your network and for what purposes so you can improve your
operation, market and quality.
IP transit can include Service Level Agreements (SLAs). With SLAs, the user experience can
be guaranteed. To offer an SLA, the ISP must be able to determine the level of service that
they can consistently deliver to their customers.
For an international IP transit provider, visibility into the network’s traffic is seen as critical in
gaining much-needed details into customer and prospective customer traffic. This invaluable
information could be used to drive investments in additional capacity for existing PoPs, or to
justify adding new PoPs.

Transit Reporting Logic
• Pre-defined transit reports and tools
• Different logic
– Different for only BGP attributes reporting
– Reports the “other” side of BGP attributes

Standard Reports: BGP Attribute, INTERNET SIDE
Reports > Customers > BGP > ASNs Origin

Transit Reports: BGP Attribute, OTHER SIDE
Reports > Customers > BGP (Transit) > ASNs Origin

Diagram labels: Customer A, ASN B


Sightline also provides transit reports. Transit reports are pre-defined, just the same as
standard reports.
Transit reporting uses different logic than standard reports. This logic applies only to BGP
attribute reporting.
As previously discussed, standard BGP attribute reports deal with BGP attributes for the traffic
breakdown at the Internet side.
Transit BGP attribute reports provide you with a breakdown of the traffic on the “other side”.
The “other side” can be considered internal resources and customers (not the Internet side).
When traffic is destined to a managed object located in your network, standard reports look at
the source IP to derive Internet side BGP attributes, and transit reports look at the destination
IP to derive other side BGP attributes.
When traffic is sourced from a managed object (assuming this managed object is in your
network), standard reports look at the destination IP to derive BGP attributes (Internet side)
and transit reports look at the source IP to derive BGP attributes (other side).
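The standard and transit lookup rules described above, worked through as an added example (not part of the course material and not Sightline's own code). The routing table, the "Customer A" prefixes, the flow records and the ASNs are constructed sample data using documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: documentation prefixes and documentation-range ASNs.
# prefix -> origin ASN, standing in for the BGP table correlated with flow data.
BGP_TABLE = {
    "192.0.2.0/24": 64500,      # Customer A's own prefix
    "198.51.100.0/24": 64501,   # "ASN B", a network reached through Customer A
    "203.0.113.0/24": 64510,    # Internet-side network
    "203.0.113.128/25": 64511,  # more-specific Internet-side route
}

# Hypothetical "Customer A" managed object: the prefixes that define it.
CUSTOMER_A = ["192.0.2.0/24", "198.51.100.0/24"]

# Constructed flow records: (source IP, destination IP, bytes).
FLOWS = [
    ("203.0.113.10", "192.0.2.5", 4000),
    ("203.0.113.200", "198.51.100.7", 6000),
    ("198.51.100.7", "203.0.113.10", 1500),
    ("192.0.2.5", "203.0.113.200", 500),
    ("203.0.113.10", "203.0.113.200", 999),  # never touches the managed object
]


def origin_asn(ip, table=BGP_TABLE):
    """Longest-prefix match of ip against the table; None when no route covers it."""
    addr = ipaddress.ip_address(ip)
    best_len, best_asn = -1, None
    for prefix, asn in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_asn = net.prefixlen, asn
    return best_asn


def in_managed_object(ip, prefixes):
    """True when ip falls inside any prefix of the managed object."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def asn_breakdown(flows, mo_prefixes, logic):
    """Bytes per origin ASN for one managed object.

    logic="standard": attributes come from the Internet-side address.
    logic="transit":  attributes come from the other-side (managed object) address.
    """
    if logic not in ("standard", "transit"):
        raise ValueError("logic must be 'standard' or 'transit'")
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for src, dst, nbytes in flows:
        src_in = in_managed_object(src, mo_prefixes)
        dst_in = in_managed_object(dst, mo_prefixes)
        if dst_in and not src_in:      # traffic destined to the managed object
            direction = "in"
            lookup = src if logic == "standard" else dst
        elif src_in and not dst_in:    # traffic sourced from the managed object
            direction = "out"
            lookup = dst if logic == "standard" else src
        else:
            continue                   # does not cross the managed object boundary
        totals[origin_asn(lookup)][direction] += nbytes
    return dict(totals)


if __name__ == "__main__":
    for logic in ("standard", "transit"):
        print(logic)
        for asn, counts in sorted(asn_breakdown(FLOWS, CUSTOMER_A, logic).items()):
            print(f"  AS{asn}: in={counts['in']} out={counts['out']}")
```

In the transit breakdown, AS64501 showing up behind Customer A is the kind of result that answers "is my customer providing a transit service?".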

Transit Reports for Various Sightline Resources

[Diagram labels: Peer, Profile, Interfaces, Customer]

Transit reports are available for managed objects and interfaces in Sightline. Customer, profile
and peer managed objects and interfaces have transit reports enabled by default.
You can see in the diagram what type of managed objects can be used to monitor which
resources in your network.
“Customer” is any of your customers that has a downstream ASN or is located in your network.
“Profile” is any internal or external resource or anything you would like to monitor via Sightline.
“Peer” is your peers – your connection to the external world. “Interfaces” are external
interfaces (upstream connections) only; these are capable of transit reports by default. This is
configurable for other interfaces as well.

Transit Reports Naming Convention

Standard Report Name    Transit Report Name
• AS                    • Remote AS
• AS Origin             • Remote AS Origin
• Community             • Remote Community
• NextHop               • Remote NextHop

[Screenshot labels: Explore Traffic; Reports]


Sightline gives access to reports in two places – the Reports menu (Reports > Customers) and
the Explore Traffic page.
The Explore Traffic page has 2 filters. You select at least 1 filter (selecting 2 combines filter 1
and filter 2) and it will provide you with the same data as Reports.
The Explore page provides access to all reports.
Understanding the naming convention in the Reports menu and Explore page for transit
reports is useful. On the Explore page, any transit report starts with Remote, which means
"other side". Customer > BGP > ASNs Origin (standard) can be converted to
Filter1:Customer Filter2:Remote AS in transit reports.
Both pages fetch data from the same resources, so they present the same information.

Transit Report Typical Use-Cases

• Is someone using my network as transit?
• I need details of the traffic using my network as transit (ASN, Community, Prefix etc.)
• Is my customer maintaining the traffic level agreements?
• Is my customer providing a transit service?
• Monitor the Load-Balance of network traffic by using transit reports
• Am I using my peers efficiently?

[Diagram label: IP TRANSIT Visibility]

Let's look at Transit Reports use cases before covering Transit Reports examples.
• Is someone using my network as transit?
o Is my network allowing traffic to travel through to its final destination? Regardless of
how your business or product accesses the Internet, you will need to utilize IP
transit in some capacity.
• I need details of the traffic using my network as transit (ASN, Community, Prefix etc.)
o Which ASNs and prefixes are using my network as transit and for which purpose?
• Is my customer maintaining the traffic level agreements?
o Meter your customer’s transit usage and have rich visibility of its transit traffic.
• Is my customer providing a transit service?
o Are there any other ASNs behind my customer? And does my customer provide a
transit service to them?
• Monitor the Load-Balance of network traffic by using transit reports
o With the various BGP attribute reports, you have several options to divert,
withdraw, re-announce and update your network announcements.
• Am I using my peers efficiently?
o Am I using my peers’ traffic on purpose? Am I reaching my peer from other peers?
o Are there any new peering possibilities?

Peer Remote Communities

• BGP community
– Used to categorize business, services etc.
• How remote communities report can help
– Troubleshooting and capacity planning
– Service offerings to customers

[Diagram labels: 237:20940, 237:12, 237:2882]


Let's start Transit Reports with peer by BGP communities. As you know, BGP communities are
useful for network operation. They can be used to control routing policy or to tag, monitor and
track specific traffic.
Because this is Transit Reporting, we are interested in how my network is being used by
others.
The Peer X Remote Communities report provides a peer traffic breakdown by the BGP
communities on the other side of my network.
I can get an idea of where traffic that is sourced from a peer goes after passing through my
network, and where traffic that passes through my network and is destined to the peer is
sourced from.

Peer Remote Communities (cont.)

• Reports > Peers > BGP (Transit) > Remote Communities
– Breakdown of your selected peer traffic by BGP communities

[Screenshot label: BGP communities]


This report is useful to understand internal resources and customers utilizing your peers'
traffic. You can understand what type of traffic utilizes a peer.
Use this report to offer new services to these customers and also add more capacity and plan
ahead.

Customer Remote ASN

• How Remote ASN reports help
– Is my customer
• maintaining the traffic SLA?
• acting like an Internet transit provider?

[Diagram labels: WAYNENET, MERIT-AS26]


Another transit report we will look at is Customer by Remote ASN. The Customer X Remote ASN
report provides a breakdown of your customer’s traffic by the ASN Origins behind your
customer. This gives a clear picture of the origin of the traffic my customers send to my
network, or the destination of the traffic I am sending to the customer.
Why?
• Is my customer sending me traffic as we agreed before? What are the traffic levels? 95th
percentile calculation etc.
• I can understand if my customer has other ASNs behind it and is providing transit service to
others. Does our agreement allow my customer to send traffic to my network for other
ASNs?

Customer Remote ASN (cont.)

• Reports > Customers > BGP (Transit) > ASNs Origin
– Breakdown of traffic by ASN origins behind your customer

Interface Remote Peer

• How Remote Peer reports help
– SLA
– Performance
– Troubleshooting
– Security

[Diagram label: ASN 11164]


Another resource we can use in transit reports is the Interfaces (external, upstream) in my
network. The Interface X Remote Peer report provides the traffic breakdown by neighbor ASNs
behind my network for the selected interface. It shows which neighbor ASN (Peer ASN) traffic
goes to when it is ingress to the selected interface, and which neighbor ASN traffic is sourced
from when it is egress for the selected interface.
Knowing this, you have the ability to report on who is using your interface’s resources:
• SLA: You can get reports that help maintain your SLAs
• Performance: Invest, expand your interfaces and increase your network’s performance
• Troubleshooting: You have much more visibility over the interface. Let's say the interface is
at 100% utilization and you discovered most of the traffic goes to a customer that has its
own ASN
• Security: During an attack, you can understand which ASNs most of the traffic is destined to

Interface Remote Peer (cont.)
• Reports > Interfaces > BGP (Transit) > ASNs Peer
– Neighbor AS numbers utilizing the selected interface

[Screenshot labels: External Interface Traffic by Peer AS (after my network); Peer AS numbers that are transiting my network via the selected interface]

Sightline Reporting Tools

Peering Traffic Exchange Reports

• Is another advanced reporting tool
• Helps view both standard and transit reporting on the same page
• Source Analysis
– Derived via standard logic
• Destination Analysis
– Derived via transit logic
• More data on a single report and page
• See big picture for a Peer and dig into


We have discovered individual reports so far for each resource (peer, customer etc.) for both
standard and transit logic. Sightline also provides some tools that present information from
various reports on the same page.
The Peering Traffic Exchange report provides both of the following on a single page:
• Peer's interfaces
• Peer's BGP attributes
It is more data than individual reports and makes troubleshooting easier.
There are two types of Peer Traffic Exchange Reports:
• Peer's interfaces utilization breakdown by source ASN – Source Analysis (STANDARD
LOGIC)
• Peer's interfaces utilization breakdown by destination ASN – Destination Analysis
(TRANSIT LOGIC)

Peering Traffic Exchange Reports Definition
• Pre-defined reports
• A tool for peer interfaces’ traffic investigation
• Discover possible peering opportunities
• Only for the traffic OUT of the peer
• Three types of reports
– Source Analysis
– Destination Analysis
– Source, Destination Analysis

[Diagram: ASN A and ASN B on the INTERNET side behind the PEER (Peer’s Traffic Exchange Source Analysis); Peer Interfaces into My Network; ASN C and ASN D behind My Network (Peer’s Traffic Exchange Destination Analysis)]


Let's discuss how Peering Traffic Exchange reporting works. It is pre-defined as a tool. Its main
purpose is to investigate usage details of the peer interfaces: which Internet side and other
side ASNs are using my peer traffic?
By knowing ASN details on the peering interfaces, you can look for potential new peering
opportunities. For example: I am seeing that most of the traffic for my peer comes from ASN A.
Is it possible to do direct peering with ASN A?
The report only looks at traffic Out of the Peer and destined to my network.
There are three report options: Source Analysis, Destination Analysis and Source, Destination
Analysis (provides both source and destination ASNs for your peer interfaces on the same page).

Peering Traffic Exchange Reports Elements


This is what the Peering Traffic Exchange Report looks like. There are two panes. The left
pane lists the selected peer’s interfaces. The right pane lists ASNs according to the report type
(source or destination or both). Selecting or deselecting interfaces on the left pane changes the
results on the right pane.

Peering Traffic Exchange – Source Analysis

• How can source analysis help?
– Which ASNs behind my peer utilize my peer interfaces?
– Discover new peering opportunities, investment etc.

[Diagram labels: BOXNET, ATT-INTERNET4, et5/1/0.0, et5/3/0.0]


Let's focus on Peering Traffic Exchange Source Analysis. It is like the Interfaces > BGP >
ASNs Origin report.
Its main purpose is to understand where traffic originated from when it comes to my network
via my selected peer’s interfaces. Using this information, you can draw conclusions about new
peering opportunities, agreements and traffic steering.

Peering Traffic Exchange – Source Analysis
• Reports > Peers > Peering Traffic Exchange > Source Analysis
– Lists only source ASNs
– Figure out possible peering candidates

Peering Traffic Exchange – Destination Analysis
• How can destination analysis help?
– Understand utilization on the peering interfaces
– Provide data to identify and move loaded prefixes to another peer or other interface
– Incoming traffic path changes

[Diagram labels: MERIT-AS-26, WAYNENET, irb.164, irb.1922]


My network operation team noticed that my peer interfaces are utilized in the IN direction. I
need to know where the traffic goes.
By selecting and deselecting peer interfaces, you can see which ASNs traffic goes to from
which interfaces, and you can prefer that traffic from another peer.

Peering Traffic Exchange – Destination Analysis

• Reports > Peers > Peering Traffic Exchange > Destination Analysis
– Lists only destination ASNs
– Prefixes from these ASNs can be chosen for traffic load-balancing

Knowledge Check
Reporting Overview
Q1: Sightline Peer reporting provides visibility into traffic that:
a) transits a customer’s boundary
b) is received across the local boundary
c) is transmitted across the local boundary
d) crosses the network boundary
Q2: A peer in Sightline:
a) is the same BGP domain
b) has its own ASN
c) is indirectly connected
d) must pay for service
Q3: What is transit traffic?
a) your network is neither the source nor the destination for the traffic
b) your network is the source and the destination for the traffic
c) A router experiencing heavy congestion
d) An interface experiencing heavy congestion
Q4: Why is transit traffic reporting important?
a) IP transit is metered service
b) Who is using my network for transit?
c) Transit traffic reporting helps to improve the quality of a service offering
d) All of the above


Solution: Q1 = d ; Q2 = b ; Q3 = a ; Q4 = d

Summary

• External visibility for your network and why it is important

• Using peer reporting so you can identify who are your top network peers

• How Sightline correlates BGP and flow information and presents that data in
reports

• How Sightline helps you visualize the traffic transiting your network

• You used Peering Traffic Exchange Reports to view both standard and transit
reports simultaneously

Lab Exercise
Lab 3: Peer, BGP and Transit Reports

• Online Lab Access: https://portal.ne.netscout.com/


• Environment: Sightline
• Credentials: Provided by the Instructor
• Time to Complete: 60 minutes
• Lab Objectives:
– Use Peer reporting
– Discover BGP traffic reports
– Access transit reports
– Understand when to use which transit reports

Unit 5 Capacity Planning and Congestion Reporting
Sightline Visibility Course

In this module you will...

• Learn what Capacity Planning is

• Identify congested interfaces in your network

• Analyze traffic on congested interfaces

• Use Sightline reports to manage interface congestion

• Extract data needed for future network capacity planning

Introduction to Capacity Planning

Why is Capacity Planning Important?

• Network resources are valuable

• Optimize resource utilization

• Maintain high QoS standards

• Provide best user experience

• Identify future resource requirements


Nowadays the service provider business is very competitive. Service providers are required to
offer the best user experience at the lowest available prices. To achieve this goal, it’s crucial to
maintain very efficient resource utilization, which is where the importance of Network Capacity
Planning can be demonstrated.
A well-planned network must take into consideration best practices of resource optimization
which directly affect QoS and the end user experience.
Capacity Planning is also important to provide estimated forecasts of future resource
requirements.

What is Capacity Management?

• Monitoring of resource utilization
• Identification of potential congestion points
• Traffic offloading/re-allocation

[Diagram labels: 95%, 30%]


Capacity Management is another important term. Network operators need to keep network
resources closely monitored so they can identify potential areas of congestion within their
network and take action to address these congestion points before they cause service
degradation or even service impact in some situations.
Sightline traffic reports provide an elaborate capacity management toolkit which enables
network operators to easily monitor traffic utilization within their network, do in-depth traffic
analysis that helps in taking the correct decisions for traffic re-allocation and optimization,
and visualize traffic distribution before and after changes.

Capacity Planning Cycle

- Monitor Resource utilization
- Identify Bottlenecks
- Manage Available resources
- Forecast Future resource requirements

[Cycle diagram: Monitor, Identify, Manage, Forecast]


A simple process flow of the primary tasks involved in Capacity Planning:
• Monitor resource utilization
• Identify potential bottlenecks
• Manage capacity using available resources
• Forecast future resource requirements
In the following slides we will explore how Sightline can be used to facilitate all of these tasks.

Identifying Network Congestion

About Interface Utilization Monitoring

• Monitoring gets complicated in large networks with hundreds or thousands of interfaces
• Sightline provides proactive interface utilization monitoring
• Traffic alerts are triggered when traffic exceeds or falls under a specific threshold


One critical task of a network operator is to monitor bandwidth utilization on critical interfaces.
These can be on the peering edge, they can be backbone interfaces or traffic for a specific
service or for local caching nodes.
This might be manageable in small networks but in the case of huge service provider networks
with hundreds or even thousands of interfaces, a more intelligent way is needed.
Sightline solves this challenge by means of traffic alerts where thresholds can be defined per
interface or service by network administrators, so that traffic alerts are triggered if the traffic
exceeds those thresholds.
So instead of manually tracking every single interface, network operators just need to
address those traffic alerts and take action ASAP for those interfaces or services.

About Traffic Usage Alerts

• Thresholds can be defined globally for all interfaces or per specific interface
• Thresholds can also be defined for managed objects
• Traffic Alerts are triggered once the 5 Min traffic utilization exceeds the configured threshold value

[Screenshot labels: Alert if rate exceeds 100Kpps; Alert if traffic exceeds 95%]


The first type of traffic alert is the Interface Usage Alert. Here a threshold can be defined
globally for all interfaces or on a per-interface basis, and network admins have the option to
configure a high or low threshold as explained below:
Over utilization threshold: an alert is triggered if the 5 Min interface traffic exceeds that value.
Under utilization threshold: an alert is triggered if the 5 Min interface traffic falls below that
value.

Analyzing Interface Usage Alerts

• Once the 5 Min interface utilization exceeds the configured threshold, an Interface
Usage alert will be triggered showing the below parameters:
– Interface name
– Router name where the interface belongs
– Traffic rate, utilization percent and interface capacity


Network operators need to monitor their deployment for interface usage alerts. These alerts
raise a flag that an action should be taken for the alerted interface.
The alert provides all the details needed to do further analysis, like interface name, router
name, utilization value, etc.

Analyzing Managed Object Threshold Alerts

• Once the 5 Min managed object utilization exceeds the configured threshold, a
managed object threshold alert will be triggered showing the below parameters:
– Managed object name
– Traffic rate, utilization percent and the configured threshold

Note: Consult your System Administrator to get the current configured threshold values in your deployment


The second type of traffic alert is the managed object threshold alert. In this case a network
administrator can define a traffic threshold per managed object, which is helpful to proactively
monitor the traffic rate for a specific customer or service like DNS, caches, web servers, etc.
The network administrator can then analyze traffic distribution for this service, take
optimization decisions or even request service expansion.

Analyzing Traffic On Congested Interfaces

Analyzing Interface Historical Utilization

• Use the interface summary report to see the full utilization history of the alerted interface
• Navigate to Reports > Interfaces > Summary then select the interface

[Screenshot labels: Select report duration; Choose correct router; Select interface]


The first step in analyzing interface usage alerts is to check the utilization history of the alerted
interface, using the interface summary report. A network administrator can get a quick view of
interface utilization over time.
By viewing utilization history you can then determine if the alert was valid and if that
interface needs an action to offload some traffic or it was just a temporary traffic spike.
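The over and under utilization thresholds described earlier, combined with the history check above, as an added example (not Sightline's implementation). Router names, threshold values, the per-interface overrides, the 5-minute samples and the "half of the bins" rule for a sustained condition are all assumptions made for the illustration.

```python
# Assumed thresholds in percent of interface capacity (not values from any deployment).
GLOBAL_THRESHOLDS = {"high": 95.0, "low": None}
INTERFACE_THRESHOLDS = {                      # hypothetical per-interface overrides
    ("rtr1", "et5/3/0.0"): {"high": 80.0, "low": None},
    ("rtr2", "irb.1922"): {"high": 95.0, "low": 5.0},
}

# Constructed samples: (router, interface) -> (capacity bps, 5-minute average rates bps).
SAMPLES = {
    ("rtr1", "et5/1/0.0"): (10_000_000_000,
                            [4_000_000_000, 9_700_000_000, 4_100_000_000, 4_200_000_000]),
    ("rtr1", "et5/3/0.0"): (10_000_000_000,
                            [8_500_000_000, 8_600_000_000, 8_800_000_000, 8_400_000_000]),
    ("rtr2", "irb.164"): (1_000_000_000,
                          [300_000_000, 300_000_000, 310_000_000, 300_000_000]),
    ("rtr2", "irb.1922"): (1_000_000_000,
                           [200_000_000, 10_000_000, 200_000_000, 200_000_000]),
}


def thresholds_for(router, interface):
    """Per-interface thresholds win over the global ones."""
    return INTERFACE_THRESHOLDS.get((router, interface), GLOBAL_THRESHOLDS)


def usage_alerts(samples):
    """One alert per 5-minute bin whose utilization crosses a threshold."""
    alerts = []
    for (router, interface), (capacity, rates) in samples.items():
        limits = thresholds_for(router, interface)
        for bin_index, rate in enumerate(rates):
            pct = round(100.0 * rate / capacity, 1)
            if limits["high"] is not None and pct > limits["high"]:
                kind = "over"
            elif limits["low"] is not None and pct < limits["low"]:
                kind = "under"
            else:
                continue
            # Same fields the alert lists: interface, router, rate, percent, capacity.
            alerts.append({
                "kind": kind, "router": router, "interface": interface,
                "bin": bin_index, "rate_bps": rate,
                "utilization_pct": pct, "capacity_bps": capacity,
            })
    return alerts


def over_utilization_verdicts(samples, sustained_fraction=0.5):
    """Classify each interface from its history: ok, spike or sustained."""
    alerts = usage_alerts(samples)
    verdicts = {}
    for (router, interface), (_capacity, rates) in samples.items():
        over_bins = sum(
            1 for a in alerts
            if a["kind"] == "over" and (a["router"], a["interface"]) == (router, interface)
        )
        if over_bins == 0:
            verdicts[(router, interface)] = "ok"
        elif over_bins / len(rates) >= sustained_fraction:
            verdicts[(router, interface)] = "sustained"
        else:
            verdicts[(router, interface)] = "spike"
    return verdicts


if __name__ == "__main__":
    for alert in usage_alerts(SAMPLES):
        print(alert)
    print(over_utilization_verdicts(SAMPLES))
```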

Comparing Interfaces Utilization

• Comparing interface utilization of a specific router helps in identifying unbalanced traffic distribution
• Navigate to Reports > Interfaces > Compare Interfaces then select a router to view per interface traffic distribution


The network administrator can do further investigation by viewing an overall traffic distribution
at the router level. They can compare traffic utilization / distribution for every interface on a
specific router, and later take some decisions to balance traffic between interfaces or even
decide if that router may need additional interface expansions.

Interface Detailed Statistics Reporting

• Detailed statistics provide a very rich set of reports per interface
• By default, interface detailed statistics reporting is only available for external interfaces
• Navigate to Reports > Interfaces to see all available reports for the desired interface

[Screenshot label: Per Interface detailed reports]


Sightline provides a rich set of interface reports for very low-level traffic analysis. Examples
of those reports are applications, customers, profiles, peers, Top Talkers, packet sizes,
protocols and much more.
By default these detailed reports are only available for external interfaces, but they can be
manually enabled for other critical network interfaces. Be aware of your deployment limits,
because the number of interfaces with detailed statistics reporting enabled is limited per TRA.
Always follow the best practice guidelines and enable detailed reporting on required interfaces only.

Using Interfaces SNMP Reports

• Sightline provides SNMP counters traffic reports
• Navigate to Reports > Interfaces > SNMP Counters to see the interface utilization based on SNMP data


Sightline provides traffic reports based on SNMP data polled from the routers. By default
SNMP reports are available for interfaces where flow records are received via Netflow. This
behavior can be changed but needs careful consideration. You may consult Arbor ATAC to
evaluate the situation if required.

Managing Interface Congestion

Using Interface Top Talkers Reports

• Interface Top Talkers report helps to identify top hosts utilizing interface bandwidth
• Traffic associated with the top talker hosts may be reallocated using route policies to reduce traffic utilization
• Top talkers can sometimes be bandwidth abusers that can be blocked easily.

In some situations, it’s very helpful to have an overview of the top internal hosts utilizing a
specific interface. Those hosts can be internal servers getting content from outside the network
or even internal customers with large data usage, i.e. bandwidth abusers that could affect
quality for other customers. A network administrator can make decisions for those hosts based
on the specific use case.
The top talkers report provides data for both IN and OUT direction for the reported hosts. You
can also filter on specific hosts to view their utilization over time to understand more about their
behavior.

Managing Outbound Traffic of a Utilized Interface

• To affect outbound traffic, you need to manipulate incoming BGP routes
• Route manipulation is achieved on the router side using routing policies
• Sightline provides you with the required traffic visibility to decide what traffic
needs to be shifted and you can monitor traffic flow after applying the route policy
changes
• You can use the below Sightline reports to have insight on outbound traffic
distribution, so you can decide which prefix or AS can be adjusted
➢ Interface ASNs (All) (Reports > Interfaces > BGP > ASNs All)
➢ Interface AS Paths (Reports > Interfaces > BGP > AS Paths)
➢ Interface Prefixes (Reports > Interfaces > BGP > Prefixes)


Once a network administrator has identified a highly utilized interface, and in which direction
(inbound or outbound), the next step is to manage the traffic on that interface and direction to
free some capacity.
Traffic management is achieved at the router level by means of route policies, so here
Sightline will provide the tools needed to identify and visualize the routing and traffic changes.
Let’s have a look at both situations, starting with outbound traffic management.
Generally the direction of the traffic is always opposite to the direction of the routes received,
so in order to reroute outbound traffic from your network you will need to manipulate the
incoming BGP routes to prefer one path over another.
The challenge here is how to identify the routes that need manipulation in order to achieve this
goal, and here we can demonstrate the importance of Sightline BGP traffic reports.

Interface ASNs Reports

• Reports > Interfaces > BGP > ASNs All
– Interface traffic breakdown by external AS numbers
– Using BGP route policies you can move traffic towards a specific AS to another free interface
– What is the best BGP attribute to use?


The Interface BGP ASNs reports help to segregate traffic of an interface per external AS
number. Here you can see the inbound and outbound traffic from/to those ASNs. Since we are
looking to re-route some outbound traffic from that interface we can use this report to choose
some external AS numbers with a considerable amount of traffic and by means of BGP route
policies we can manipulate the routes originated from those ASNs to make them preferred
over another interface which moves some outbound traffic to that interface.
Not only that, but after the network administrator applies this change from the router side, they
can use the same report for both old and new interfaces to make sure the desired amount of
traffic correctly moved between those interfaces.

Interface AS Paths Report

• Reports > Interfaces > BGP > AS Paths
– Interface traffic breakdown by external AS paths
– Identifies full traffic path through external ISPs
– Enforces traffic through a specific path


Interface AS Paths is another useful report to gain more granular visibility over the full AS
paths used by the traffic on a specific interface, so that network administrators have the
flexibility to choose one path over another, perhaps one closer to the content providers, or to
prefer a path through one transit upstream provider over another. So again, using BGP policies
you can match routes from one AS path and then apply the needed policy changes.

Interface Prefixes Reports

• Reports > Interfaces > BGP > Prefixes
– Interface traffic breakdown by external prefixes
– Using BGP route policies you can move traffic for specific prefixes to another free interface


In some situations, moving a whole AS from one interface to another may not be the optimum
solution. For example, the traffic for that AS may be too great for the new interface, which would
just move the problem to another interface.
In this situation another good solution is to have visibility of the traffic per external IP prefix, so
that moving traffic for some prefixes provides more granular traffic control between interfaces.
The same report can help decide which prefix can be shifted and monitor the
traffic shift after applying the changes on the network side.

Managing Inbound Traffic of a Utilized Interface

• To affect inbound traffic, you need to manipulate your own BGP prefix announcement
• Sightline reports can help you identify traffic distribution for your own resources; you can then use this to identify which prefix or service needs reallocation
• Use the Sightline reports below to identify internal traffic distribution
➢ Interface Customer (Reports > Interfaces > Customers)
➢ Interface Profile (Reports > Interfaces > Profiles)
➢ Interface Communities (Reports > Interfaces > BGP > Communities)

Now let’s go through the options to manage inbound traffic of a utilized interface, using the
same logic. In order to manipulate inbound traffic, you will need to manipulate the outgoing
route advertisement.
So here the challenge would be: what are the correct routes that can be moved from one
interface to another?
Again, Sightline reports provide the required visibility on which internal resources are utilizing
the inbound traffic of an interface so that you can redistribute those resources among other
free network interfaces.

Interface Customers Reports

• Reports > Interfaces > Customers
– Interface traffic breakdown by customers
– Shift traffic of specific customer to another free interface
– What is the correct BGP attribute?

The Interface Customers report provides you with the interface traffic breakdown per internal
customer managed object, so in order to offload inbound traffic from that interface you can
choose a customer or group of customers and apply the required BGP policy changes to shift
them to another interface.
Below are some options that can be used:
• Stop announcing customer route on old interface and announce through new interface
• Or use AS Path prepending if redundancy is required
• Or use longest prefix match rule

Interface Profiles Reports

• Reports > Interfaces > Profiles
– Interface traffic breakdown by profile managed object
– Profiles can be used to identify services
– Shift traffic of specific profile/service to another free interface

Profile managed objects are usually used to define internal services within the network, so by
using the Interface Profiles report you can gain some visibility on the services utilizing inbound
interface bandwidth.
Similar to customer managed objects you can also apply routing policy changes to move
the traffic of those services to other free interfaces.

Interface Communities Reports

• Reports > Interfaces > BGP > Communities
– Interface traffic breakdown by BGP communities
– Communities can be used to group traffic by location, service, QoS, etc.
– Use BGP route policies to match communities and affect route advertisement to external peers

Service providers commonly use BGP communities to group prefixes by area or service or
even QoS profiles. If BGP communities are being used within your network then you can use
Sightline to view a traffic breakdown by BGP community.
BGP communities can later be used within BGP routing policies to change the advertisement
of all prefixes using a specific community. This provides more flexibility, so you don’t need to
track per prefix advertisement. You can use communities instead.

Future Capacity Planning

Forecasting Future Resource Requirements

• Traffic forecasting is an essential part of future capacity planning
• Traffic forecasts give an estimate of potential expansion requirements
• Traffic forecasts use long term historical data to identify traffic trends in the future
• You can use Sightline to extract historical raw data for specific interfaces, peers or services, etc.

If traffic re-allocation is not an option due to lack of sufficient resources, then it is time to plan
your future resource requirements. Usually service providers will not wait until they reach full
network congestion on all interfaces; rather, when defining the high utilization thresholds, they
leave some room for worst case scenarios. For example, they use 75% instead of 95%.
Identifying the exact value of resources required within a future time period is a challenging
process. With the use of historical traffic utilization trends, data analysts can extract
approximate values for the required resources.
For this purpose, data analysts require this historical data in a raw data format. Sightline
provides assistance in this situation because you can easily extract the raw data of any report
in CSV format.
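
The kind of trend analysis an analyst might run on exported history, added here as an illustration (not part of the course material or of Sightline): a least-squares straight-line fit that estimates how many months remain before an interface reaches the planning threshold. The CSV column names, the 10 Gbps capacity and the sample rows are constructed assumptions; the 75% threshold is the example value from the notes above.

```python
import csv
import io

# Constructed sample standing in for a CSV exported from an interface report.
# The column names are assumptions, not Sightline's actual export layout.
SAMPLE_CSV = """month,peak_bps
2021-01,4000000000
2021-02,4200000000
2021-03,4400000000
2021-04,4600000000
2021-05,4800000000
2021-06,5000000000
"""

CAPACITY_BPS = 10_000_000_000   # assumed 10 Gbps interface
PLANNING_THRESHOLD = 0.75       # 75% instead of 95%, leaving room for worst cases


def month_number(year_month):
    """Convert 'YYYY-MM' into a running month count so gaps in the data are kept."""
    year, month = year_month.split("-")
    return int(year) * 12 + int(month) - 1


def load_series(text):
    """Return [(months_since_first_sample, peak_bps)] from the CSV text."""
    rows = list(csv.DictReader(io.StringIO(text)))
    if not rows:
        raise ValueError("no samples in export")
    first = month_number(rows[0]["month"])
    return [(month_number(r["month"]) - first, float(r["peak_bps"])) for r in rows]


def fit_line(points):
    """Ordinary least-squares fit; returns (slope_bps_per_month, intercept_bps)."""
    n = len(points)
    if n < 2:
        raise ValueError("need at least two samples to fit a trend")
    mean_x = sum(x for x, _ in points) / n
    mean_y = sum(y for _, y in points) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in points)
    if sxx == 0:
        raise ValueError("all samples share the same month")
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in points)
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x


def projected_utilization(points, capacity_bps, months_ahead):
    """Fraction of capacity the trend line predicts months_ahead after the last sample."""
    slope, intercept = fit_line(points)
    return (slope * (points[-1][0] + months_ahead) + intercept) / capacity_bps


def months_until_threshold(points, capacity_bps, threshold):
    """Months after the last sample until the trend reaches threshold * capacity.

    Returns 0.0 if the trend is already at or above the limit, and None if
    traffic is flat or falling (the limit is never reached on this trend).
    """
    slope, intercept = fit_line(points)
    limit = capacity_bps * threshold
    last_x = points[-1][0]
    if slope * last_x + intercept >= limit:
        return 0.0
    if slope <= 0:
        return None
    return (limit - intercept) / slope - last_x


if __name__ == "__main__":
    series = load_series(SAMPLE_CSV)
    print("months until 75%:", months_until_threshold(series, CAPACITY_BPS, PLANNING_THRESHOLD))
    print("utilization in 6 months:", projected_utilization(series, CAPACITY_BPS, 6))
```

A straight line ignores seasonality and step changes such as a new customer, so treat the result as a first approximation.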

Extracting Historical Data From Sightline

• Navigate to the report where you want to extract relevant raw data
• On the upper right corner, you have the option to extract the raw data in various formats
• This data can be used by your data analysts to calculate the required traffic forecasts

Navigate to the desired report. For example, if you want the historical data for a peering
interface, go to the report of that interface and download it as a CSV file.

Knowledge Check
Reporting Overview
Q1: Capacity planning cycle for your network includes:
a) Monitoring customer resources
b) Creating bottlenecks
c) Managing customer complaints
d) Forecasting future requirements
Q2: Sightline interface utilization monitoring?
a) Is uncomplicated for large ISPs
b) Provides proactive interface utilization monitoring
c) Cannot trigger traffic alerts
d) Defines a traffic threshold limit for each of your peers
Q3: What is one thing you can do to manage interface congestion?
a) View the Top Talkers report
b) Manipulate the Top Talkers list
c) Disconnect your peers
d) View the BGP prefixes report
Q4: Which report would help identify network congestion?
a) Reports > Alerts > Thresholds
b) Reports > Routers > Top Talkers
c) Reports > Interfaces > Summary
d) Reports > Network > Top Talkers

Solution: Q1 = d ; Q2 = b ; Q3 = a ; Q4 = c

Summary

• Capacity planning identifies potential areas of congestion within your network
• Viewed interface utilization to identify instances of congestion
• Analyzed the traffic details on congested interfaces
• Managed interface congestion by viewing various Sightline reports
• Extracted data needed for future network capacity planning

Lab Exercise
Lab 4: Capacity Planning and Congestion Reporting

• Online Lab Access: https://portal.ne.netscout.com/
• Environment: Sightline
• Credentials: Provided by the Instructor
• Time to Complete: 60 minutes
• Lab Objectives:
– Understand and analyze traffic alerts for interfaces/MOs
– Analyze traffic on a utilized interface
– Identify top talkers on a utilized interface
– Use Sightline to take inbound/outbound traffic engineering decisions.
– Use Sightline to extract raw data needed for forecast analysis

Unit 6 BGP Reliability & Reporting

Sightline Visibility Course

In this module you will…

• Describe BGP's relevance for your Sightline deployment
• Validate your Sightline deployment and monitored router BGP status
• Investigate your network BGP instability

BGP Data Relevance

Relevance of BGP in Your Network
• BGP is the protocol of the internet. It provides information on:
– External routing and route policies
– Inter-AS connectivity
– Reachability to external networks
• Accuracy and stability of BGP is critical. Issues can trigger:
– Suboptimal routing
– Diminished network performance

Review of BGP in general:
• The Internet runs on the BGP protocol
• Highly configurable and scalable protocol providing interconnectivity to other networks
• Interconnectivity to other ASNs/networks (info on how traffic will flow in/out of your network)
• Routing table size/stability of these peers
• BGP failures in the network can impact traffic routing and introduce network performance
issues

Relevance of BGP Data in Your Sightline System
• Sightline uses BGP data from monitored routers to provide:
– External network visibility
– Peer traffic visibility
– Analysis of current peering relationships
– Analysis of potential peering opportunities
– Network capacity planning
– Non-transit and transit traffic reporting
• Flow data is enriched with BGP data to provide external visibility
[Figure callouts: Upstream peers for my web traffic - Peer distribution; Is there transit traffic - ASN details; Source ASN for customer traffic - AS path]

Sightline uses BGP to enrich the dataset delivered by Netflow and SNMP.
The BGP information is sent to Sightline from the monitored routers in the form of the
internal and external routing table.
Using the information gleaned from the BGP routing tables, Sightline provides external visibility
reports for end-to-end traffic reporting.
BGP-derived reports on Sightline include transit and non-transit reports.

How BGP Enhances External Visibility Reporting
• Sightline supplements Netflow derived data from each router with BGP data from the same router
• Resulting data set is the BGP annotated ‘Enhanced Flow’

Classic Flow + BGP = Enhanced Flow

Enhanced Flow Record Information (19 Fields):
• Source: IP, Prefix, Nexthop, AS Path, Com
• Destination: IP, Prefix, Nexthop, AS Path, Com
• Src Port, Dst Port, Proto, In Intf, Out Intf, ToS, Flags, Bytes, pkts
[Figure label: From BGP]

Sightline combines BGP and Netflow datasets to produce an enriched, annotated flow.
The annotated flow contains additional fields comprising all the BGP attributes.
The enhanced flow data thus produced internally on Sightline offers a detailed drill down into
the traffic seen in the network.

Visibility Reports Derived via BGP
• The full set of external transit and non-transit visibility reports on Sightline are derived from BGP data
– Reports > Customers > BGP > ASNs Origin
– Reports > Network > BGP > ASNs All
– Reports > Routers > BGP > ASNs Peer
– Reports > Peers > Peering Traffic Exchange
– Reports > Routers > BGP/BGP Transit > ASNs Peer
to list a few…

The entire gamut of BGP-based traffic reports relies on the BGP dataset on Sightline for its
functionality.
Peer reports, network-level transit and non-transit reports, and customer/profile ASN reports are all
produced from the annotated enhanced flow data set.

How BGP Data Issues Affect External Visibility
• BGP errors = Enhanced Flow errors

Classic Flow + BGP = Enhanced Flow

[Figure: the 19-field Enhanced Flow Record Information layout, labelled BGP]

No BGP or erroneous / incomplete BGP information can impact flow annotation. Lack of BGP
data leads to absence of BGP based enhancement to flow data
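
A minimal model of the annotation described on the two "Enhanced Flow" slides above, added as an illustration and not Sightline's implementation: each flow endpoint is matched against a BGP table by longest-prefix match, and the BGP-derived fields stay empty when no route covers it. The record layout, the routes (documentation prefixes and ASNs) and the function names are constructed assumptions; which four fields come from BGP is inferred from the slide's "From BGP" label.

```python
import ipaddress
from collections import defaultdict

# Constructed BGP table: (prefix, next hop, AS path, communities).
# The last AS in the path is the origin; an empty path is a locally originated route.
FULL_RIB = [
    ("192.0.2.0/24",      "192.0.2.254", (),             ()),
    ("198.51.100.0/24",   "192.0.2.1",   (64500, 64510), ("64500:100",)),
    ("198.51.100.128/25", "192.0.2.2",   (64501, 64511), ("64501:200",)),
    ("203.0.113.0/24",    "192.0.2.1",   (64500, 64505), ("64500:100",)),
]

# Constructed classic flow records: the 11 fields that do not come from BGP.
FLOWS = [
    {"src_ip": "192.0.2.10", "dst_ip": "198.51.100.10", "src_port": 51000, "dst_port": 443,
     "proto": 6, "in_intf": 1, "out_intf": 7, "tos": 0, "flags": 0x18, "bytes": 1000, "pkts": 3},
    {"src_ip": "192.0.2.11", "dst_ip": "198.51.100.200", "src_port": 51001, "dst_port": 443,
     "proto": 6, "in_intf": 1, "out_intf": 8, "tos": 0, "flags": 0x18, "bytes": 2000, "pkts": 5},
    {"src_ip": "192.0.2.12", "dst_ip": "203.0.113.5", "src_port": 51002, "dst_port": 80,
     "proto": 6, "in_intf": 1, "out_intf": 7, "tos": 0, "flags": 0x18, "bytes": 4000, "pkts": 9},
]

BGP_KEYS = ("prefix", "nexthop", "as_path", "com")


def longest_match(rib, ip):
    """Return (network, nexthop, as_path, com) of the most specific covering route, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, nexthop, as_path, com in rib:
        net = ipaddress.ip_network(prefix)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, nexthop, as_path, com)
    return best


def enhance(flow, rib):
    """Classic flow + BGP = enhanced flow: add four BGP fields per endpoint."""
    out = dict(flow)
    for side in ("src", "dst"):
        match = longest_match(rib, flow[side + "_ip"])
        values = (str(match[0]),) + match[1:] if match else (None,) * len(BGP_KEYS)
        for key, value in zip(BGP_KEYS, values):
            out[f"{side}_{key}"] = value
    return out


def bytes_by_dst_origin(flows, rib):
    """Byte totals per destination origin ASN; None collects traffic with no usable route."""
    totals = defaultdict(int)
    for flow in flows:
        path = enhance(flow, rib)["dst_as_path"]
        totals[path[-1] if path else None] += flow["bytes"]
    return dict(totals)


def without(rib, prefix):
    """Simulate a router that does not send one route to the collector."""
    return [route for route in rib if route[0] != prefix]


if __name__ == "__main__":
    print("full table:       ", bytes_by_dst_origin(FLOWS, FULL_RIB))
    # Missing route, nothing covers the destination: traffic becomes unattributable.
    print("missing /24:      ", bytes_by_dst_origin(FLOWS, without(FULL_RIB, "203.0.113.0/24")))
    # Missing more-specific: traffic is silently credited to the covering route's origin.
    print("missing /25:      ", bytes_by_dst_origin(FLOWS, without(FULL_RIB, "198.51.100.128/25")))
```

The two partial-table runs show both failure modes the slides name: report data that is unavailable, and report data that is present but inaccurate.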

BGP Data Issues Affect External Traffic Reporting
• Issues with BGP data lead to unavailability and inaccuracy of external visibility reporting
– Reports > Network > BGP > ASN Origin
– Reports > Customers > BGP > ASNs Origin
– Reports > Network > BGP > ASNs All
– Reports > Routers > BGP > ASNs Peer
– Reports > Peers > Peering Traffic Exchange
– Reports > Routers > BGP/BGP Transit > ASNs Peer

Issues with the BGP dataset, whether a complete or partial failure of BGP, can affect the
reliability of external visibility reporting on Sightline.
Missing, erroneous or incomplete BGP information therefore impacts traffic
reporting and visibility, especially for external traffic.

BGP Considerations for Optimal Visibility
The BGP data from the monitored routers must be:

✓ Available
▪ BGP peering sessions should be up/stable
✓ Accurate
▪ Full BGP routing table
✓ Reliable
▪ BGP data must be consistent and trustworthy

Monitoring, fault detection and validation of BGP data on Sightline is critical

On the Sightline platform, the following aspects/characteristics of BGP data are extremely
critical:
• Availability/stability – Monitored routers must have well established and stable BGP peering
with Sightline
• Completeness – The BGP routing table must be received in full on Sightline
• Accuracy - Correct information must be received from router BGP tables
• Reliability – Reporting will be impacted if BGP received is unreliable
If the BGP info is inaccurate, we lose information on external visibility and cannot rely on the
reporting in the system.

BGP Validation and Fault Detection

In this section, we will explore the available BGP fault detection and analysis tools on the
Sightline GUI.
On completion of this section, users should be more familiar with the approaches to
analyzing the deployment for BGP issues and how to resolve them.

BGP Fault Detection and Validation on Sightline

• Sightline has in-built monitoring, alerting, and reporting tools to validate the availability, completeness, and accuracy of BGP data
▪ Regular validation of BGP data received on Sightline is important to ensure traffic reporting accuracy and reliability

The Sightline platform has both alerting and reporting options to validate the availability and
accuracy of BGP data received from routers.
Since a good part of external visibility is obtained from BGP data, it is important that operators
regularly monitor the GUI for BGP events and alerts.

Validation - Is BGP Data Available?
Are all router BGP sessions with Sightline established as expected?
• Validate using
▪ System > Status > Appliance Status
[Screenshot callout: Indicates 1 of the 11 router BGP sessions on Sightline is down.]

Next step – Identify which Router session is down

One of the most important considerations is to validate that the BGP sessions are up and
running from all the peering routers that are provisioned as BGP peers to the TRA collectors.
Multiple sections of the GUI provide this information. A high-level view of the BGP session
status can be obtained from the per-appliance status page. From here, one can move on to
more specific analysis to identify the specific router that has BGP issues.

Identify the Affected Router
Which router’s BGP session is down?
• Validate using
▪ System > Status > Routers
[Screenshot callout: Identify which router’s BGP peering session is down]

Next step – Check for alerts confirming the issue

The per-router status provides specific information on which router BGP session is currently
down along with the associated collector.
In addition to the BGP status, this page also provides information on the routes received from
each router. This would be a good starting point for investigating BGP down alerts on a
per-router basis.

Validate Using Failure Alerts
Explore BGP alerts to confirm event
• Navigate to
▪ Alerts > System Error
[Screenshot callout: Use ‘Wizard’ to search for BGP events]

Issue confirmed – Analyze and resolve BGP peering

BGP alerting provides notifications whenever a BGP peering session goes down. Use the
‘wizard’ button to search for alerts related to ‘BGP down’ type. Alerts provide the exact start
time and duration of the event in addition to the other details.
Use Wizard to search for other BGP Alerts such as:
• ac: Alert Class
• at: Alert Type
Some examples include:
• ac: Data
• at: BGP Down
Results: Displays the BGP peering sessions that are down.
• ac: BGP
• at: BGP Instability
Results: Displays the router instances that exceed the preconfigured BGP instability
threshold.
• ac: BGP
• at: BGP Route Hijack
Results: Displays instances of Sightline detecting a BGP route announcement from an
external ASN for a prefix within the defined local address space. This alert indicates either a
potential hijacking of local address space or a misconfiguration of the local address space.
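
The condition behind the BGP Route Hijack alert described above, written out as an added illustration (not Sightline's code): flag any announcement whose prefix lies within the defined local address space but whose origin ASN is external. The local ASN, address space, router names and announcements are constructed from documentation ranges, and the function names are assumptions.

```python
import ipaddress

# Constructed configuration: the operator's own ASN and local address space.
LOCAL_ASNS = {64496}
LOCAL_SPACE = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8::/32")]

# Constructed announcements as (router, prefix, AS path); the origin is the last ASN.
ANNOUNCEMENTS = [
    ("rtr1", "192.0.2.0/24",     (64496,)),         # local prefix, local origin
    ("rtr1", "192.0.2.128/25",   (64500, 64511)),   # inside local space, external origin
    ("rtr2", "198.51.100.0/24",  (64500, 64510)),   # external prefix, external origin
    ("rtr2", "2001:db8:40::/48", (64501, 64496)),   # inside local space, path ends in our ASN
    ("rtr2", "2001:db8:ff::/48", (64501, 64505)),   # inside local space, external origin
    ("rtr1", "192.0.0.0/16",     (64500, 64502)),   # covers local space but is not within it
    ("rtr1", "192.0.2.64/26",    ()),               # empty path: originated by the router itself
]


def covering_local_prefix(prefix, local_space):
    """Return the local network that contains `prefix`, or None if it is outside local space."""
    net = ipaddress.ip_network(prefix)
    for local in local_space:
        # subnet_of() raises TypeError across IP versions, so compare versions first.
        if net.version == local.version and net.subnet_of(local):
            return local
    return None


def origin_asn(as_path):
    """Origin is the right-most ASN; an empty path means a locally originated route."""
    return as_path[-1] if as_path else None


def find_hijack_candidates(announcements, local_space, local_asns):
    """List announcements for prefixes within local space that an external ASN originates."""
    alerts = []
    for router, prefix, as_path in announcements:
        local = covering_local_prefix(prefix, local_space)
        origin = origin_asn(as_path)
        if local is None or origin is None or origin in local_asns:
            continue
        alerts.append({
            "router": router,
            "prefix": prefix,
            "local_prefix": str(local),
            "origin_asn": origin,
            "as_path": as_path,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_hijack_candidates(ANNOUNCEMENTS, LOCAL_SPACE, LOCAL_ASNS):
        print("possible hijack or misconfigured local address space:", alert)
```

As the alert description says, a hit is ambiguous: a customer legitimately announcing a delegated block from its own ASN matches the same condition until that ASN or prefix is reflected in the local configuration.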

Validation - Is BGP Data Accurate?
Are the BGP peers sending full routing table to Sightline?
• Validate using
▪ System > Status > Routers
[Screenshot callout: Number of active routes advertised by router to Sightline]

• The number should match with the router’s BGP table, to confirm data accuracy

Each router that peers with a TRA must be configured to send its full routing table to the TRA.
A full routing table helps the TRA to derive and report completely and accurately on external
traffic.
It is equally important therefore to validate whether all the routers configured as BGP peers
advertise their complete routing table to the Sightline platform. If the number of routes received
on the Sightline TRA is less than the actual number of routes in the router’s route table, it
becomes important to understand why it is so, and address the issue by changing the
configurations as required to have the router advertise its full routing table.

Validation - Is BGP Data Reliable?
BGP Instability - are BGP peers and route updates stable?
• Look for BGP instability alerting using
▪ Alerts > System Error
[Screenshot callout: Use ‘Wizard’ to search for BGP instability]

Max updates per 5 min crossing limits indicate instability

BGP Instability refers to any event that causes the BGP peering sessions to repeatedly or
frequently go down. This leads to abnormal route updates from the affected router. An unstable
BGP session is not desirable and can negatively impact the quality and accuracy of external
BGP based traffic reporting on Sightline.
Look for and analyze BGP instability events on the environment using the wizard menu of the
system error alerts menu. The BGP instability alerts are detected based on pre-configured
thresholds set by the administrator. The thresholds are evaluated on a 5-minute interval and
the administrator can set these thresholds based on the expected normal number of route
updates typically seen in the network.

Validation Using BGP Instability Reporting
Is there BGP instability across the network?
• Investigate further using Reports > Network > BGP Instability - aggregate statistics from all network routers
[Screenshot callouts: Longer timeframe can spot genuine anomalies; Spike/Max values suggest anomaly in BGP updates – Instability event]

Intermittent spikes confirm BGP instability in network. Proceed to per-router analysis

BGP Instability reports give detailed information and graphs related to instability events both
network-wide and per-router. Network-wide reports are a good place to start the drill down.
The report contains the following types of data (if observed):
• ANN announcement updates
• AADIFF routes implicitly withdrawn and replaced by an alternate route to the same prefix
(indicates forwarding instability)
• AADUP routes implicitly withdrawn and replaced by a duplicate of the original route
• TUP new, previously unseen prefixes being announced
• TDOWN routes being withdrawn
• UPDATES total number of BGP updates
• WWDUP duplicate withdrawn updates
• WITH total number of withdrawals
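
How the report categories listed above and the 5-minute threshold from the BGP Instability alert notes fit together, as an added illustration rather than Sightline's algorithm: the code replays one router's updates, counts each category, buckets updates into 5-minute intervals and ranks the most-updated prefixes. The event tuples are constructed, and the exact counting rules (for example, a re-announcement after a withdrawal counting only as ANN) are an assumed reading of the one-line definitions.

```python
from collections import Counter

INTERVAL = 300  # seconds: thresholds are evaluated on a 5-minute interval

# Constructed, time-ordered updates from one router: (timestamp_s, "A"|"W", prefix, AS path).
EVENTS = [
    (0,   "A", "198.51.100.0/24", (64500, 64510)),   # TUP: prefix not seen before
    (10,  "A", "203.0.113.0/24",  (64500, 64511)),   # TUP
    (20,  "A", "198.51.100.0/24", (64500, 64510)),   # AADUP: same route announced again
    (310, "A", "203.0.113.0/24",  (64501, 64511)),   # AADIFF: replaced by an alternate route
    (320, "W", "203.0.113.0/24",  None),             # TDOWN: active route withdrawn
    (330, "W", "203.0.113.0/24",  None),             # WWDUP: withdrawn while already withdrawn
    (340, "A", "203.0.113.0/24",  (64500, 64511)),   # ANN only: back after a withdrawal
    (350, "A", "203.0.113.0/24",  (64501, 64511)),   # AADIFF
    (360, "W", "203.0.113.0/24",  None),             # TDOWN
    (620, "A", "198.51.100.0/24", (64500, 64510)),   # AADUP
]


def classify(events):
    """Count the report's categories for one router's time-ordered updates."""
    counts = Counter()
    seen = set()    # prefixes announced at least once
    active = {}     # prefix -> attributes of the route currently announced
    for _ts, kind, prefix, attrs in events:
        counts["UPDATES"] += 1
        if kind == "A":
            counts["ANN"] += 1
            if prefix not in seen:
                counts["TUP"] += 1
            elif prefix in active:
                # Implicit withdrawal: the new announcement replaces the active route.
                counts["AADUP" if active[prefix] == attrs else "AADIFF"] += 1
            seen.add(prefix)
            active[prefix] = attrs
        elif kind == "W":
            counts["WITH"] += 1
            if prefix in active:
                counts["TDOWN"] += 1
                del active[prefix]
            else:
                counts["WWDUP"] += 1
        else:
            raise ValueError(f"unknown event type: {kind!r}")
    return counts


def updates_per_interval(events, interval=INTERVAL):
    """Map each interval start time to the number of updates seen in it."""
    buckets = Counter((ts // interval) * interval for ts, _k, _p, _a in events)
    return dict(sorted(buckets.items()))


def unstable_intervals(events, max_updates, interval=INTERVAL):
    """Intervals whose update count crosses the administrator's threshold."""
    return [(start, n) for start, n in updates_per_interval(events, interval).items()
            if n > max_updates]


def top_prefixes(events, n=5):
    """Prefixes ranked by number of updates, as in the Analyze Instability drill down."""
    return Counter(prefix for _ts, _k, prefix, _a in events).most_common(n)


if __name__ == "__main__":
    print(dict(classify(EVENTS)))
    print("intervals over threshold of 5:", unstable_intervals(EVENTS, max_updates=5))
    print("top prefixes:", top_prefixes(EVENTS))
```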

Validation Using BGP Instability Reporting
BGP instability router-wise
• Investigate using Reports > Routers > BGP Instability
[Screenshot callouts: Select peering router(s); Spike/Max values suggest anomaly in BGP updates – Instability event]

BGP instability on router confirmed. Go to next level

From the network wide perspective of instability, the investigation can move to the router-level
view. This report clearly identifies periods of spikes of BGP updates that can be a clear
indicator that there might be issues related to the overall stability of BGP peering from that
router. The analysis can now be focused on the router(s) exhibiting the instability issue.

BGP Instability Drill Down
Router level exploration
• Probe further using Explore > Routing > IPv4 Analyze Instability
[Screenshot callouts: Choose the router and timeframe associated with the instability; Focus on the top ASN/Prefix update numbers]

Flapping Prefix/ASN(s) identified. Probe further to know why.

The ’Analyze Instability’ report provides a clear view of the factors contributing to BGP
instability on the selected router – information such as per ASN and per prefix updates can be
used to quickly understand what are the top contributors to the BGP instability behaviour on
the router. Once identified, the triggering elements can be reviewed with the router team to
troubleshoot and resolve.
The Explore BGP Routing Instability page (Explore > Routing > IPv4 Analyze Instability) has
several menus, that are explained below:
• Withdraw - The number of BGP withdrawals
• Announce - The number of BGP announcements
• Number of Unique Prefixes - The number of unique prefixes
Top Origin ASN section:
• ASN - The origin ASN
• Top Origin ASNs Number of Updates - The number of BGP updates for this ASN over the
timeframe
• Top Origin ASNs Percentage - The percentage of BGP updates in the timeframe that the
system applied to an ASN
Top BGP Prefixes section:
• Prefix - The BGP prefix
• Top BGP Prefixes Number of Updates - The number of BGP updates for a prefix over the
given time period
• Top BGP Prefixes Percentage - The percentage of BGP updates in the specified time
period that the system applied to a prefix

BGP Instability Drill Down
Prefix level drill down
• Investigate unstable prefix(es) using Explore > Routing > IPv4 Updates
[Screenshot callouts: Select the router and prefix identified; Frequent changes in BGP attributes for the same prefix, confirms issue]

Root cause of BGP Instability identified. Report to router team to fix

Once the prefix(es) or ASN(s) contributing to BGP instability are identified, it now becomes
easy to query the updates corresponding to the identified prefix/ASN and display the entries
related to the instability events.
The Explore BGP Updates page (Explore > Routing > IPv4 Updates) allows you to view
announcements and withdrawals in a router’s BGP table. BGP event descriptions:
Event:
• A - Announced
• W - Withdrawn
PEER DOWN - The peering session with the specified router went down, causing all routes to
be withdrawn.
PEER UP - The peering session with the specified router came up.

Knowledge Check
Reporting Overview
Q1: BGP issues can trigger?
a) Sub-optimal routing
b) External network peer visibility
c) Diminished network performance
d) Transit and non-transit visibility reports
Q2: Which would allow you to quickly validate your BGP data?
a) System > Status > Interfaces
b) System > Status > Appliance Status
c) System > Status > BGP
d) System > BGP > BGP Instability
Q3: How does Sightline enhance external visibility reporting?
a) By creating “Classic Flow” from NetFlow
b) By storing NetFlow for three years
c) By producing enhanced annotated flow
d) By adding fields of some BGP attributes
Q4: Using the Explore > Routing > IPv4 Updates report you can?
a) Identify if a router’s BGP session is down
b) View BGP peer and router updates
c) Analyze unstable routers
d) Investigate unstable IPv4 prefixes

Solution: Q1 = a + c ; Q2 = b ; Q3 = y ; Q4 = d

Summary

• BGP relevance for optimal Sightline external visibility reporting was described
• BGP data validation and fault detection methodologies explored
• Steps to investigate BGP instability across the network described

Lab Exercise
Lab 5: BGP Reliability and Reporting

• Online Lab Access: https://portal.ne.netscout.com/
• Environment: Sightline
• Credentials: Provided by the Instructor
• Time to Complete: 30 minutes
• Lab Objectives:
– Confirm if BGP is working towards all the routers
– Check if there is any BGP instability

Unit 7 Over-the-Top Reporting

Sightline Visibility Course

In this module you will...

• Define Over-The-Top (OTT) and OTT services
• Get introduced to OTT elements of Sightline
• Discover Sightline OTT Reports

What are OTT services?

OTT Definition
• Delivery of 3rd party applications over the Internet
– Mostly streaming content
– Video, audio, messaging etc.
• “Over The Top”
– Over IP networks
• Circumvent traditional media distribution channels
– On-demand
• Typically monetized

OTT is the delivery of 3rd-party applications over standard IP networks independent of any
last-mile provider ISP. OTT is opposed to dedicated legacy infrastructure (phone, radio,
television, …)
“Over The Top” means over the IP networks. The service is delivered “over the top” of another
platform, hence the moniker. It was initially named in reference to devices going “over the top”
of the cable box to give users access to content.
OTT services circumvent traditional media distribution channels such as telecommunications
networks or cable television providers. As long as you have access to an internet connection
— either locally or through a mobile network — you can access the complete service at your
leisure. It is typically monetized.
An OTT platform provider is an online solution that hosts live and on-demand content that is
broadcast over the internet.
OTT services are typically monetized via paid subscriptions.

OTT Services
• Video
– Most common, high bandwidth
– Netflix, Hulu, Amazon, Disney+
• Audio
– Access to massive library
– Spotify, Amazon, YouTube, Gaana
• Voice
– Alternative to traditional phone
– Skype, Viber
• Instant Messaging
– WhatsApp, Telegram, Signal

The type of OTT service most users probably interact with most regularly is video OTT.
Services like Netflix, Hulu or Disney+HotStar are video OTT services, which provide users with
a number of programming options, both in terms of a licensed library of TV shows and films, as
well as original programming.
Another major OTT market is audio, with services such as Spotify now almost synonymous
with music streaming. Users can access a massive library of recording artists and podcasts via
an internet connection.
Similarly, voice OTT services, like Skype or WhatsApp, are increasingly common instead of
phone calls.
Remember text messages? Most users now use OTT messaging services like WhatsApp,
Telegram or Signal, which allow them to use their internet connection to share information.

Why is OTT important to me?

• Rich content
– Unique, cheap
• On-demand access
– Watch whenever you want
• Easy access
– Internet capable device
– Multiple capability
• Growth potential
– Trending

OTT Services have become mainstream, making identification and classification simultaneously more important and even more difficult.

OTT provides rich content. If you’ve been on Netflix or Amazon Prime TV recently, you’ll notice
a lot of original content exclusively for those OTT channels. This exclusivity makes it easier for
consumers to access your content, and you also retain customer loyalty.
OTT has on-demand access. Not only do you have access to thousands of movies, TV series,
and documentaries at a reasonable price, but you also can watch them wherever and
whenever you like. More than ever, consumers are able to find exactly what they want to watch
and only pay for that content.
It is easy to access OTT services. Unlike traditional broadcasting, you don’t always need your
TV to get access to your favorite shows. All you need is a reliable internet connection and a
Wi-Fi capable device. Then download the necessary apps and register with the particular
service.
OTT is supported by multiple platforms such as your phone, PC, Smart TV, Video Console
etc.
There is a huge amount of growth potential. Lots of companies are entering the OTT space,
leading to a wide variety of options for consumers, and increasing quantities of ad inventory for
marketers. And with the trend pointing upwards, most media companies are compelled to join
the wave.

Business Requirements

• Management
– Identify long term trends
• Product Marketing
– Understand user behaviors
– New or enhanced services
• Network Planning
– Optimize network build-outs and investments
• Network Operations
– Reduce network down times

Empower ISP decision makers and operations - for the executive team, visibility of OTT
traversing the network is important, as Telcos have been fighting hard for over a decade to not
be seen as packet pushers or commodity traffic pipes. Knowing what services are used is
paramount to understand trends and identify new business models.
Similarly, visibility is key to product management. The business intelligence derived from user
behaviour analytics can help to better position and market broadband and enterprise
connectivity services.
Lastly, for network engineers, accurate metrics of the network utilization can vastly help in
network upgrades, impact analysis and future planning, but also for reducing downtime and
troubleshooting performance issues.

OTT Delivery

Introduction of the Internet

• For a clearer OTT picture
• Tier-1 Networks
– Biggest networks
– Backbone of the internet
• Tier-2 Networks
– Regional ISP
– Purchases IP transit from a Tier 1 network
• Tier-3 Networks
– Access ISP

[Figure: Internet tiers. Transit ISPs (Tier 1), regional ISPs (Tier 2), access ISPs (Tier 3) and
consumers, with links labelled $0 or $$$.]

In this section we aim to explain how OTT services and networking have evolved in recent
years, starting with some background information about OTT and the way the Internet is
architected. Let's start with a rudimentary introduction of the Internet.
Tier 1 networks provide the backbone of the Internet and, unsurprisingly, are often called
backbone Internet providers. These providers have infrastructure such as the Atlantic Internet
sea cables, sometimes owning, leasing or just operating submarine connections. They provide
traffic to all other Internet providers, but not to end users. Without Tier 1 providers, Internet
traffic could not be exchanged between continents and countries.
A Tier 2 network is an ISP that peers, usually for free, with some other Tier 2 networks, but
relies on its transit connection to reach the whole of the Internet. Tier 2 networks have usually
built and deployed their own regional infrastructure.
Tier-3 networks can be considered access ISPs.
The picture shows us:
• Tier-1 sells Internet connectivity to Tier 2 Regional ISPs (peering with each other no money)
• Tier-2 sells Internet connectivity to Tier 3 Access ISPs (peering with each other money)
• Tier-3 owns the last mile (cable/fiber/dsl) and provides consumers/enterprises with Internet
connectivity

Internet Evolution
• Internet Exchange Points
– Physical infrastructure to exchange Internet traffic
– Requirement
  • Need for higher throughput
  • Facilitate peering of the Access ISP
– Facilitated the emergence of content delivery networks
– CDN (Content Delivery Network)
– CDN benefits from free IXP and access ISP more easily

[Figure: Transit ISP (Tier 1), CDN, regional ISPs (Tier 2), Internet Exchange Point, access ISPs
(Tier 3) and consumers.]

Internet Exchange Points are an important milestone for Internet evolution that causes OTT
infrastructure to spread faster.
An Internet exchange point (IX or IXP) is the physical infrastructure through which Internet
service providers (ISPs) and content delivery networks (CDNs) exchange Internet traffic
among their networks (autonomous systems) and peer together.
To facilitate peering of the Access ISPs, in need of higher throughput for their customers and
reduction of transit cost, Internet Exchanges started to emerge. They are local facilities which
allow Access ISPs to physically peer with each other, at no cost. Content Providers benefit from
free IXPs. Content Providers negotiate direct peering with Access ISPs.

CDN Emergence
• Content Delivery Network (CDN)
– Content providers
– Requirement
• Subscribers consume more content (streaming,
video, gaming...)
• Subscribers need more bandwidth and lower
latency to access the services
• Geographically distributed
• Closer to the end user


A content delivery network (CDN) is a distributed group of servers that speeds up the delivery of content.
Internet is for subscribers, and we are demanding more and more traffic. The development of
content delivery networks sought to deal with extreme bandwidth pressures.
CDN is a geographically distributed network of servers and their data centers that help in
content distribution to users with minimal delay.
As you see from the picture at right, CDNs speed up the delivery of web content by bringing it
closer to where users are. If you’re in London, and you watch a YouTube video, that video is
served to you from a London datacenter. A person in San Francisco, watching the same video,
gets it from a datacenter in San Francisco. Both users get fast local performance, and it’s a
CDN that makes it happen.

OTT Delivery
CDN and OTT relationship

• OTT content is mostly delivered via CDN
• Multiple techniques and types
– Public CDNs
– Private CDNs
– Multi-CDNs
• OTT Visibility
– Which CDN delivers OTT content?

✓ Large capacity public CDN offerings
✓ Attractive Pricing

There are 3 main types of CDNs:

• Public CDNs have large capacity, attractive pricing and offer value-added services to
differentiate themselves (and compete with us).
• Private CDNs: what we have been seeing in the last 5 years is the emergence of private
CDNs. You might have heard of Amazon CloudFront, but the Google Global Cache,
Facebook FNA and Netflix Open Connect are also strong players, slowly disrupting the
CDN market.
• Meta- or multi-CDNs use private delivery networks when possible but offload to public
CDNs during demand surges. Example of the Apple Meta-CDN during an IOS Update: Apple
private CDN, with Akamai and Limelight used for offload.
The related technical challenges are visibility and identification of those OTT services. Not only
being able to identify specific content providers (Netflix, Apple, Microsoft and so on…) when
the traffic is coming from a 3rd-party content delivery network, but also providing a
comprehensive view of that complex traffic when multiple CDNs are involved as we have seen
with the example of Apple.

OTT in Sightline

OTT Visibility Requirement

• In the past, traffic analysis and engineering was based on criteria such as IP address
allocation or ASN info.
• Today, a single company might spread its offerings across multiple cloud providers,
regionally or even globally (CDNs).
• Over-the-Top (OTT) services have now become mainstream.

Sightline provides powerful and contextual OTT traffic visibility using ATLAS

In the past, traffic analysis and engineering based on criteria such as IP address allocation or
ASN was sufficient. For example: traffic from home users to Google, or governments, or banks
was clearly seen and reliably understood since those services were discrete and provided in-
house by those organizations. Network engineers and operators were able to easily
understand their traffic loads and routing and engineer their environments accordingly.
Today a single company might serve millions of customers, spreading its offerings across
multiple cloud providers regionally or even globally, and not even have a registered BGP ASN
or IP block allocation. The old methods may no longer suffice.
The challenge has become determining what services are being utilized when IP addresses or
ASNs are not providing enough insight. Therefore we must begin to correlate additional
resources with the IP connectivity to ascertain what is happening. Utilizing DNS provides a
significant insight into the nature of a connection. By correlating IP connectivity with DNS
requests, we can begin to more accurately and finely categorize this traffic as well as establish
user intention.
Additionally, Over-the-Top (OTT) services (predominantly streaming video such as Netflix and
HBO, which historically were delivered over cable and satellite mediums) have become
mainstream, making identification and classification simultaneously more important and even
more difficult.

ATLAS - Definition
• Active Threat Level Analysis System (ATLAS)
– Threat analysis research infrastructure
– ATLAS Intelligence Feeds (AIF)
– ATLAS Data Sharing
• ATLAS Security Engineering Research Team (ASERT)
• AIF Feeds
– Threat
– Visibility
• AIF Managed Objects

Arbor Sightline: Provides deep insight into the application layer delivering OTT traffic analysis

[Figure: ATLAS (visibility + threat) delivering AIF feeds to Arbor Sightline.]

In addition to world-class products, NETSCOUT’s customers are also supported by a unique
threat analysis research infrastructure called Active Threat Level Analysis System (ATLAS),
as well as NETSCOUT’s ATLAS Security Engineering Research Team (ASERT) that are
world-class security researchers and analysts.
The ATLAS Intelligence Feed (AIF) is a collection of feeds that help keep Sightline and TMS
configurations ahead of ever-changing network threats and visibility challenges.
ATLAS data sharing is a data sharing program between ASERT and the worldwide Arbor
community. Sightline and TMS deployments that participate in this program get pervasive, 24/7
visibility into trending threats and attacks throughout the Internet.
Sightline uses HTTPS to download AIF feed updates.
Sightline has threat and visibility related feeds.
AIF Managed Objects (AMOs) are part of the visibility feed. AIF managed objects are profile
managed objects that match traffic for over-the-top (OTT) services such as video streaming,
gaming, and VoIP.
Arbor Sightline provides deep insight into the application layer, delivering OTT traffic analysis
across complex networks.

AIF Managed Objects
AMOs are Sightline MOs received through the AIF

• AIF managed objects (AMO)
– Profile managed objects
– Matching OTT traffic
– Managed by ATLAS team
– Automatically updated and added
• Two types matching
– IP based
– DNS based

[Figure: ATLAS (visibility + threat) delivering AIF feeds to Arbor Sightline.]

AIF managed objects are profile managed objects that match traffic flows for over-the-top
(OTT) services such as video streaming, gaming, and VoIP.
The ATLAS team configures the match settings for AIF managed objects based on ATLAS
traffic data for OTT services. When the ATLAS team changes those match settings or makes
new AIF managed objects available, your deployment automatically receives the latest AIF
managed object configurations at the next update.
There are two types of matching in AIF managed objects:
• CIDR blocks are used by specific high-volume OTT service providers.
• The match settings for an AIF managed object can also include domains for dynamic DNS
matching.

AMO Configuration
Administration > Monitoring > Managed Objects

• Automatically populated by AIF Feed
– Non editable, no deletion
– Licensed
• No detection, alerting, mitigation
• Read-Only Tags
– All have ATLAS and profile tags
– Various tags per their type, service, function etc.

AIF managed objects are automatically populated by the AIF Feed and they cannot be edited.
If your deployment has the AIF for Sightline licensed capability, Sightline automatically
downloads AIF managed objects from the AIF server through the AIF managed object feed.
AIF managed objects are different from standard managed objects. They have no detection,
alerting or mitigation functionality.
You can go to Administration > Monitoring > Managed Objects to list all managed objects.
Then use tag:ATLAS filtering to list only AMOs.
All AIF managed objects have the profile and ATLAS tag applied and are read-only. They can
also have other tags depending on the OTT traffic that they match, such as CDN and public
cloud. You can use tags to help you search for AIF managed objects.

IP Based AMO

• Match traffic with CIDR Blocks
• More granular
– Infrastructure granularity
– Services granularity
• Captures more traffic
– Classic Sightline report ASN Origin sometimes does not capture all traffic

Let's start with AMO types. IP Based ATLAS managed objects usually represent large
infrastructures identified by ASN, IP Block or Whois/RIR database.
AMOs are more granular. You can have infrastructure granularity, such as Amazon ASN Origin
versus Amazon infra (EC2, CloudFront and S3 AMOs, which are all behind the same Amazon ASN
Origin). You can have services granularity, such as “EPIC Games” (IP AMO) servers, which are
behind the Amazon ASN.
AMOs capture more traffic than classic Sightline reports in some cases. For example,
AKAMAI-ASN1 (AS20940) doesn’t include Edge Servers hosted by the operator’s ASN with IP
Block registered under Akamai Org.

DNS Based AMO
MO Dynamic DNS Matching Configuration

• Dynamic DNS matching managed objects
– Downloaded via AIF (AMO)
• More users and connections are seen using this DNS name or prefix
• Using DNS, we are even able to identify multiple services which may reside behind the
same IP

NETSCOUT InfiniStream® (ISNG) is required for Dynamic DNS Matching

Another AMO type is DNS based. As we mentioned before, these can be downloaded via the AIF
Feed and are immutable. But DNS based managed objects can also be configured manually to
track OTT content which is not provided via AIF.
DNS based AMOs require the Dynamic DNS Matching feature. This matches traffic for
frequently changing service IP addresses for the domains.
The screenshot is from an ATLAS managed object with dynamic DNS matching configured.
This is automatically downloaded by Sightline.
The dynamic matching feature can be used to manually configure managed objects to match
OTT traffic.
To receive real-time DNS data for dynamic DNS matching, your Sightline leader must be set
up to communicate with one or more NETSCOUT InfiniStream® (ISNG) appliances in your
network. ISNG sends DNS to IP mapping information to Sightline. Sightline has the ability to
match using domain names.
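
The two AMO match types described above (CIDR blocks and dynamic DNS matching), sketched as an added example that is not Sightline or ISNG code. The profile names, addresses, record layouts and the per-client DNS correlation with TTL expiry are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed match profiles; names and addresses are hypothetical
# (RFC 5737 documentation ranges, .example domains).
PROFILES = {
    "video-svc": {"cidrs": ["198.51.100.0/24"], "domains": []},
    "game-svc": {"cidrs": [], "domains": ["game.example"]},
    "music-svc": {"cidrs": [], "domains": ["music.example"]},
}

# Constructed DNS observations: (time_s, client_ip, query_name, answer_ip, ttl_s)
DNS_LOG = [
    (100, "10.0.0.5", "cdn1.game.example", "203.0.113.10", 60),
    (105, "10.0.0.6", "api.music.example", "203.0.113.10", 60),  # same CDN IP
    (110, "10.0.0.5", "notgame.example", "203.0.113.20", 60),    # lookalike name
]

# Constructed flow records: (time_s, client_ip, server_ip, bytes)
FLOWS = [
    (120, "10.0.0.5", "203.0.113.10", 4000),  # game-svc, resolved via DNS
    (125, "10.0.0.6", "203.0.113.10", 2500),  # music-svc, same server IP
    (130, "10.0.0.7", "198.51.100.9", 9000),  # video-svc, matched by CIDR
    (135, "10.0.0.5", "203.0.113.20", 700),   # lookalike domain: unclassified
    (400, "10.0.0.5", "203.0.113.10", 300),   # DNS answer expired: unclassified
]


def match_domain(name):
    """Return the profile whose domain equals `name` or is a parent of it."""
    name = name.rstrip(".").lower()
    for profile, rule in PROFILES.items():
        for domain in rule["domains"]:
            # Require a label boundary so "notgame.example" never matches
            # the "game.example" rule.
            if name == domain or name.endswith("." + domain):
                return profile
    return None


def match_cidr(ip):
    """Return the profile whose CIDR list contains `ip`, if any."""
    addr = ipaddress.ip_address(ip)
    for profile, rule in PROFILES.items():
        if any(addr in ipaddress.ip_network(c) for c in rule["cidrs"]):
            return profile
    return None


def build_dns_index(dns_log):
    """Map (client, server) -> [(start, expiry, profile)] for matched names."""
    index = defaultdict(list)
    for t, client, name, answer, ttl in dns_log:
        profile = match_domain(name)
        if profile:
            index[(client, answer)].append((t, t + ttl, profile))
    return index


def classify_flow(flow, dns_index):
    """DNS match first (most recent valid answer wins), then CIDR match."""
    t, client, server, _ = flow
    valid = [(start, profile)
             for start, expiry, profile in dns_index.get((client, server), [])
             if start <= t <= expiry]
    if valid:
        return max(valid)[1]
    return match_cidr(server) or "unclassified"


def bytes_per_profile(flows, dns_log):
    """Total bytes per profile for the given flows."""
    index = build_dns_index(dns_log)
    totals = defaultdict(int)
    for flow in flows:
        totals[classify_flow(flow, index)] += flow[3]
    return dict(totals)


if __name__ == "__main__":
    for profile, total in sorted(bytes_per_profile(FLOWS, DNS_LOG).items()):
        print(f"{profile:13} {total} bytes")
```

The two flows to 203.0.113.10 land in different profiles only because each client's own DNS answer is consulted; an IP-only match could not separate them.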

OTT Reports

Access to the OTT Reports
Filter using tags

• Two ways to access OTT reports:
– Reports > Profiles
– Explore Page

Option1: Select AMO
– Filter1:Profile
– Use tags on the search box

Option2: Use “Profile Tag”
– Cumulative traffic

[Screenshot labels: AMO listed, All AMOs, with tag Gaming]

There are two ways to access the reports for managed objects:
• Explore > Traffic
• Reports > Profiles
We recommend using the Explore Traffic page in most cases; it has the Profile Tag search
function as well.
You should select Filter 1:Profile to access the ATLAS managed object. Remember that all
AMOs are profile managed objects.
You can use tag filtering to find the intended AMO. Entering multiple tags with spaces between
them is a good way to filter, as demonstrated in the screenshot.
AMOs that have the tag filter combination are listed. Then you can see traffic for this AMO, or
select Filter2 for a further breakdown.
It is useful to see cumulative traffic for the requested tag. If you select the Gaming tag, the
report will show you cumulative traffic on all managed objects with that tag. If there are two
AMOs with the Gaming tag, where AMO-1 has total traffic of 100Mbps and AMO-2 has total
traffic of 200Mbps, Profile Tag:Gaming will report 300Mbps.

OTT Traffic
• What is the total OTT traffic in my network?
– See the OTT usage trend in long-term
• Need for a cumulative value for all AMOs
• Use “Profile Tag” filter with “ATLAS” value
– Represents all AMOs

Your network traffic utilization by all OTT services is important for planning purposes in the
long-term. You can see how much OTT traffic has increased for the last year etc.
Instead of listing each AMO, you can see a cumulative number for all AMOs by using a Profile
Tag with the ATLAS filter.
Alternatively, you could select each AMO (no more than 100) and calculate the cumulative
traffic value, but this is much more time consuming than simply using tags.

OTT Breakdown
• Which OTT services are being used in my network?
– Planning, operational requirements
– Example: 60% increase in video conferencing
• Use “Profile Tag” filter without any value

Let's say you need a list and traffic level for each OTT service in your network.
Reports > Profiles is not a useful option here because it will only list a single AMO rather than
the required list of AMOs and their traffic levels.
Also, if we use Explore Traffic and Filter1:Profile without any value, it will provide us the
list of all profile managed objects, so this again is not a useful option since the list may
include non-OTT traffic as well.
Explore > Traffic with Filter 1:Profile Tag and Filter 2:None will give us traffic breakdown for all
tags.
See that a Profile Tag check box is also included in the list. You can deselect this option
because we are not interested in the entire list of profile managed objects, only AMOs.
You can also remove the ATLAS row because it will show all AMO (OTT) traffic in your
network.
Other rows show us traffic levels for each tag:
• How much Apple OTT services traffic is being used?
• How much CDN traffic is in my network?

OTT Applications
• What type of applications are being used by my OTT traffic?
– Cost-effective resource management
– Apply different network and security policies etc.
• Use “Profile Tag” with “ATLAS” value to match all OTT traffic
– Use second filter “application” without a value

What type of applications are being used by my OTT traffic?


Identify OTT applications on your network and manage resources cost-effectively. Understand
the real drivers of traffic growth.
Apply different network and security policies etc. Evaluate the competitiveness of in-house
service offerings.
Use “Profile Tag” with the “ATLAS” value to match all OTT traffic. Profile Tag with ATLAS
gives you cumulative traffic for all OTT services.
Then use Filter 2:Applications to list all applications used by OTT traffic.

Routers carry OTT traffic
• Which routers are forwarding traffic for Apple services?
– Make operational changes
– Improve the quality of Apple services
• Use the “Profile Tag” with “Apple” value and select second filter “Routers”
– You can select the specific Apple AMO for more granular data

You need to know which routers are forwarding traffic for Apple services. Apple services
(Apple Store or IOS Update) can cause big changes in the network traffic profile. The aim is to
improve user experience by applying specific policies to routers.
Use the “Profile Tag” with “Apple” value and select second filter “Routers”. Profile Tag with
Apple matches all Apple AMOs.
You can also use the Profile filter with more specific Apple AMOs like Apple Store, IOS
Update, Apple TV, iTunes etc.

OTT Customers
• Your company is deploying a solution to optimize video streaming
– For better quality video streaming
• Which of my customers has been using Streaming content?
– Helps to offer new services
• Use the “Profile Tag” with “Streaming” value and filter “Customer”

Your company is deploying a solution to optimize video streaming. Streaming video on popular
sites such as YouTube, Netflix, and Twitch, and the growing demand for ultra-high-quality
video is increasing bandwidth requirements and network congestion.
Which of my customers has been using Streaming content?
OTT reports are useful and bring content visibility to your reports. You can use this visibility to
monetize your resources and offer new services to your customers.
Use the “Profile Tag” with “Streaming” value and filter “Customer” to match all your streaming
traffic with that configuration. You can also see a breakdown by customer by using an
additional “Customer” filter:
• IN: Destined to the Streaming service, sourced from the customer
• OUT: Sourced from the Streaming service, destined to the customer

OTT top IPs
• Which individual IPs are using a specific service?
– Track subscriber usage
– Understand how much traffic is needed per subscriber
• Reports > Profiles > Top Talkers External
– The Top Talker report shows you individual IP usage for the selected resource

Which individual IPs are using specific services?


The Top Talkers External report helps understand traffic behavior for the subscribers
(individual IPs) and then apply network or security policies accordingly.
It also provides you the visibility of max usage per IP. The Top Talkers reports are not
accessible through the Explore page.
Use Reports > Profiles > Top Talkers External. External means that it is reporting external IPs
of the managed object. It shows which IPs are communicating with a managed object, not the
managed object IPs (the Top Talkers Internal report would be required in this case).

OTT Reports
CDNs

• AMOs also provide CDN visibility
– Control how content is cached
– Accelerate applications
– Ensure availability
• Options:
– You can use the “CDN” tag to see cumulative CDN traffic
– Or select a specific CDN AMO

AMOs can also provide CDN visibility so you can control how content is cached. You have
visibility over where your content is cached so you can plan and invest accordingly. It also
helps to accelerate applications: heavy pages and long distances from the origin can slow
down webpages.
The reports help you to ensure availability: overloaded or unavailable infrastructure prevents
users from accessing applications.

CDN Usage by Peers
• Streaming demand is growing and visibility of streaming traffic by peers is required
– Private peering opportunities
– Reduce peer traffic

[Figure labels: ATT-INTERNET4, SSI, INTERNET2-IP2X]

Netflix demand is growing in the network and companies need to have visibility of Netflix traffic
by peers.
Close to 95% of Netflix traffic globally is delivered via direct connections between Open
Connect (Netflix cache servers) and the residential ISPs our members use to access the
Internet.
Netflix openly peers with any network at IXP locations where they are mutually present, and
private interconnection is considered appropriate.
This helps to improve their customers' Netflix user experience by localizing Netflix traffic and
minimizing the delivery of traffic that is served over a transit provider.
Netflix itself also provides a report for ranking Netflix performance per ISP
(https://ispspeedindex.netflix.net/).

CDN Usage by Peers (cont.)

• Use filter Profile and select streaming AMO
– Focusing a single AMO
– Second filter “AS Peer”

OTT Reports
CDN Internal Usage

• Which of my customers are accessing the CDN networks mostly?
– CDNs carry a significant portion of the world’s Internet traffic
– Improve quality for these customers when accessing CDNs
• Use “Profile Tag” with value “CDN” and second filter “Customer”

Which of my customers are accessing the CDN networks mostly?


From small and medium content companies, to the world’s large corporations, all rely on CDNs
to provide a seamless web experience to their end users.
The CDN has played an important role in enhancing the user experience.
Content can be delivered at speed. It can be the difference between a click giving you
immediate access to new content, or there being a frustrating wait while a page loads or a
video buffers.

Knowledge Check
Reporting Overview
Q1: Over-the-Top services are:
a) legacy services such as television, phone, and radio
b) delivered by an “over-the-top” box
c) guaranteed to provide optimal network performance
d) the delivery of 3rd-party applications

Q2: ATLAS-based managed objects are always tagged as?
a) ASERT
b) AIF
c) ATLAS
d) ALERT

Q3: Which two filters might you use to view CDN usage by peers?
a) Profile
b) Peer
c) AS Peer
d) ASN

Q4: Dynamic DNS matching managed objects require:
a) NETSCOUT Arbor Edge DNS (AED)
b) NETSCOUT InfiniStream (ISNG)
c) NETSCOUT Arbor DNS Transport Management System (TMS)
d) NETSCOUT Dynamic DNS System

Solution: Q1 = d ; Q2 = c ; Q3 = a + c ; Q4 = b

Summary

• OTT definition and common OTT services were discussed

• OTT reporting importance and business requirements were explained

• OTT data delivery that is correlated with Internet evolution was reviewed

• OTT and Sightline relationship was clarified by explaining Sightline ATLAS and
AIF

• Various Sightline OTT reports were shown with some use-cases

Lab Exercise
Lab 6: OTT Reporting

• Online Lab Access: https://portal.ne.netscout.com/
• Environment: Sightline
• Credentials: Provided by the Instructor
• Time to Complete: 60 minutes
• Lab Objectives:
– Access to the OTT reports
– Understand when to use which OTT reports

Unit 8 Managed Object Traffic
Reporting
Sightline Visibility Course

In this module you will…

• Explore Infrastructure Resource Monitoring Using Managed Objects

• Work With Managed Object Reports

• Explore Infrastructure Managed Object Reporting Use Cases

Infrastructure Managed Objects and
Boundaries

Managed Object - Definition
Customer/Profile managed objects monitor:
- ISP end customers
- Subsidiary ISPs
- ISP infrastructure resources
- DNS servers
- Web server farms
- CDN caching servers
- Other infrastructure


Managed objects must be defined to get the most from the reporting in the system. Here are
some examples of possible managed objects that can be created.

Managed Object Boundary Type
Global Boundary Type
• Global Network Boundary
– Counted along the external boundary of the network
– Counts traffic in/out of the network boundary to/from managed object
– Traffic which both originates and terminates within the network boundary is not counted

Managed object traffic is only counted at the defined boundary to eliminate double counting

Managed object traffic is only counted where the boundary is defined (to avoid double
counting).
• The Network/Global boundary is the default boundary.
• This cannot count traffic flowing inside the network.
Sightline uses global boundaries to define all entry and exit points to the network that it
monitors. It uses algorithms to determine which monitored interfaces connect to external BGP
ASNs, and it labels these interfaces as “external.” Sightline considers in and out traffic on
these external interfaces for managed objects that use the global boundary.
Sightline uses boundary-based counting to ensure accuracy while eliminating the double
counting of flows. It aggregates information across multiple boundary interfaces and routers to
track traffic in and out of the network, each router, or user configured managed objects. Every
object the system tracks has a boundary on which the system counts data.

Managed Object Boundary Type
Local Boundary Type
• Local Interface Boundary
– Can be used when monitoring routers connected to the managed object
– Used when you want a more detailed boundary than the network boundary
– Counts all data for the managed object and not just the traffic that traverses the network
provider boundary

Managed Object traffic is counted only at the defined boundary to eliminate double counting

Managed object traffic is only counted where the boundary is defined (to avoid double
counting).
The Local boundary needs to be defined if you do not want to use the default Global/Network
boundary.
Traffic that flows only on the network will be counted.
Local Boundary
Used when monitoring routers directly connected to the managed object – i.e. customer
aggregation router.
Used when you want to configure a more detailed boundary than the network boundary for the
customer so you can capture backbone traffic from the customer. This could be done on the
actual customer interfaces if they're monitored, on an aggregation router, or even on a
POP/regional gateway router that connects a region to the main network backbone.
Counts all data for the managed object and not just the traffic that goes across the network
provider boundary.
Traffic is counted along specifically configured boundary interfaces.
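
A simplified model of boundary-based counting, added here as an illustration and not Sightline's own algorithm. Router and interface names, the customer prefix and the flow records are constructed; it assumes each router exports one record per flow carrying its input and output interface.

```python
import ipaddress

# Constructed topology; (router, interface) names are hypothetical.
EXTERNAL_IFS = {("edge1", "ext0")}         # faces an external BGP ASN (global boundary)
LOCAL_BOUNDARY_IFS = {("agg1", "cust0")}   # faces the managed object (local boundary)
MANAGED_OBJECT = ipaddress.ip_network("192.0.2.0/24")  # constructed customer prefix

# Constructed flow records, one per router the traffic crosses:
# (router, in_if, out_if, src_ip, dst_ip, bytes)
RECORDS = [
    # Internet -> customer, 1000 bytes, exported by three routers
    ("edge1", "ext0", "core0", "203.0.113.7", "192.0.2.10", 1000),
    ("core1", "c0", "c1", "203.0.113.7", "192.0.2.10", 1000),
    ("agg1", "core0", "cust0", "203.0.113.7", "192.0.2.10", 1000),
    # customer -> Internet, 400 bytes, exported by three routers
    ("agg1", "cust0", "core0", "192.0.2.10", "203.0.113.7", 400),
    ("core1", "c1", "c0", "192.0.2.10", "203.0.113.7", 400),
    ("edge1", "core0", "ext0", "192.0.2.10", "203.0.113.7", 400),
    # customer -> internal DNS server, 50 bytes, never leaves the network
    ("agg1", "cust0", "core0", "192.0.2.10", "10.1.1.53", 50),
    ("core1", "c1", "c2", "192.0.2.10", "10.1.1.53", 50),
]


def in_object(ip):
    """True when `ip` belongs to the managed object's prefix."""
    return ipaddress.ip_address(ip) in MANAGED_OBJECT


def naive_count(records):
    """Sum every exported record: each flow is counted once per router."""
    totals = {"to_object": 0, "from_object": 0}
    for _router, _in_if, _out_if, src, dst, nbytes in records:
        if in_object(dst):
            totals["to_object"] += nbytes
        if in_object(src):
            totals["from_object"] += nbytes
    return totals


def boundary_count(records, boundary_ifs, faces_object):
    """Count each flow once, where it crosses the boundary.

    faces_object=False: boundary interfaces are the network edge (global),
    so traffic to the object crosses them inbound.
    faces_object=True: boundary interfaces face the object (local),
    so traffic to the object crosses them outbound.
    """
    totals = {"to_object": 0, "from_object": 0}
    for router, in_if, out_if, src, dst, nbytes in records:
        arrives_on_boundary = (router, in_if) in boundary_ifs
        leaves_on_boundary = (router, out_if) in boundary_ifs
        toward = leaves_on_boundary if faces_object else arrives_on_boundary
        away = arrives_on_boundary if faces_object else leaves_on_boundary
        if in_object(dst) and toward:
            totals["to_object"] += nbytes
        if in_object(src) and away:
            totals["from_object"] += nbytes
    return totals


if __name__ == "__main__":
    print("naive :", naive_count(RECORDS))
    print("global:", boundary_count(RECORDS, EXTERNAL_IFS, faces_object=False))
    print("local :", boundary_count(RECORDS, LOCAL_BOUNDARY_IFS, faces_object=True))
```

The naive sum triples the Internet traffic, the global boundary misses the 50 bytes that stay inside the network, and the local boundary on the customer-facing interface includes them.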

Traffic Reporting on Managed Objects
Get deeper insight into:
- What they use your network for
- Who do they communicate with the most
- How their traffic volumes change over time
- Which internal resources they use the most
- Through which peers their traffic flows
- etc.
Use Case:
- Troubleshooting issues with customer
- Provide reports


Managed object traffic reporting can give you great insight into the traffic for a particular
resource.

Managed Object Traffic Reports

Deep Dive

Scope of Managed Object Traffic Reporting
For this managed object:
• What visibility do you have of the managed object traffic over your network?
• What type of questions can you answer about this managed object resource?


What insight can you get for a managed object?

What Answers Can Sightline Reports Provide?
For this managed object:
• Amount of traffic (volume)
• Type of traffic (protocols, applications, packet size, ToS)
• Where is the traffic going to? (ASNs, next hops, managed object:peers)
• Which infrastructure does it use? (routers, interfaces, managed object:profile, other managed object:customers)
• Top talkers for traffic to/from managed object
Diagram callouts: Which internal resources are they using? What does the traffic profile look like? Source/Destination of my customer traffic? Where does the traffic go to?

Resource Dashboards
Reports > Customers/Profiles > Dashboard
- First get a general overview of the managed object
- Traffic volumes
Top 5:
- Apps
- Peers
- Fingerprints
- Cities
- Ports
For more details per category, click “View All”


General overview of the managed object.

How Is The Managed Object Using My Network?
• Customers/Profiles vs Internal Breakdown:
– Reports > Customers/Profiles > Internal Breakdowns > Router

Routers mostly used


Get insight into which routers are carrying most of this managed object's traffic.

How Is The Managed Object Using My Infrastructure?
• Customer/Profile vs Internal Breakdown:
– Explore > Traffic - Filter 1:Customer; Filter 2:Interface

Interfaces mostly used

Which interfaces carry most of the managed object's traffic?

Explore Chatty Hosts/Congestion Issues
• Where is this traffic going to/coming from?
– Reports > Customers/Profiles > Top Talkers Internal: Top Talkers inside the customer/profile managed object
– Reports > Customers/Profiles > Top Talkers External: Top Talkers outside the customer/profile managed objects


Top Talker Internal = IPs carrying most traffic inside the managed object
In case of congestion, is there someone responsible from the customer site? Check for the
most active IP addresses within the customer managed object space
Top Talker External = IPs carrying most of the traffic outside the managed object
In case of congestion, where is the traffic going to or coming from? Check for the most active
remote end points that are used to exchange data

How Far Is This Managed Object's Traffic Transported?
• Reports > Customers/Profiles > BGP > NextHops
Which Nexthops are mostly used (shown in the example: 208.115.136.37/32, 12.127.248.17/32)


For the managed object, which nexthops (peer external interface IPs) are used for traffic
leaving the network?

Where In The World Is The Traffic Going To/Coming From?
• Reports > Customers/Profiles > Country | Region | City
Geo-Location: countries, regions and cities most talked to


Breakdown of traffic for the managed object based on geo-location.

Which Peers Are Used By The Managed Object’s Traffic?
• Reports > Customers/Profiles > BGP > ASNs Peers
Peers mostly used

Which peers is the managed object traffic flowing to/from?

Origin ASN For The Managed Object Traffic
• Reports > Customers/Profiles > BGP > ASNs Origin
Examples shown: Google, Facebook, Netflix


Which ASNs are mostly receiving/sending traffic for this managed object – Google, Facebook,
Netflix etc?

Type Of Traffic And Applications Used
• Reports > Customers/Profiles > Applications

Protocols/Ports mostly used


Insight into application ports used by managed objects.

How Does This Managed Object Use My Internal Resources?
• Customer x profile managed objects
• Create profile managed objects for whatever you want to report on:
– All direct peers
– Caches
– Internal DNS
– etc.
Specifically select what you want to report on


If other managed objects (profiled) have been defined/created, then they can be used to see
how much of the customer managed object traffic is going to these profiled managed objects.

Has This Managed Object's Traffic Changed?
• Explore > Traffic
Traffic volumes for the last year


Get an idea of the traffic growth over time for the managed object.
You can use the fixed reports which always have one reference which is broken down by a
subclass.
When using Explore > Traffic you can select multiple references at a time to be used with the
selected subclass.

Knowledge Check
Reporting Overview
Q1: What visibility do you have of your customers’ traffic over your network?
a) Type of traffic
b) Destination of the traffic
c) Which infrastructure they are using
d) Top talkers for traffic to/from managed object

Q2: Why is the managed object boundary important to understand?
a) Validates which peers are connected by BGP
b) Displays how far customer’s traffic is transported
c) Identifies the volume of current traffic
d) Used to eliminate double counting of traffic

Q3: What type of questions can you answer about a managed object?
a) Which routers are used in a peer's path
b) Has this managed object's traffic changed
c) Which YouTube videos are being watched
d) What deny/allow lists are in use by the customer

Q4: Where can I view a Sankey Diagram of my customer’s traffic?
a) Comparing Applications Dashboard
b) More Reports tab on the Customer Dashboard
c) Relationships selection on Explore Traffic page
d) Customer Network Summary


Solution: Q1 = a + b + c + d ; Q2 = d ; Q3 = b ; Q4 = c

Summary

• You now understand what constitutes a managed object resource

• You can dissect a managed object resource to gain more insight/information about their traffic

Lab Exercise
Lab 7: Managed Object Traffic Reporting

• Online Lab Access: https://portal.ne.netscout.com/


• Environment: Sightline
• Credentials: Provided by the Instructor
• Time to Complete: 30 minutes
• Lab Objectives:
– Understand the traffic seen for a particular MO

Unit 9 Multi-Dimensional Reporting
Sightline Visibility Course

In this module you will...

• Define big data and learn its capabilities in network visibility

• Discover how big data is implemented in Sightline

• Learn about the functionalities Insight adds to Sightline

• Explore traffic reporting using Insight

• Practice using Insight reports

Big Data

What Is Big Data?

• Big data is a term that describes large, hard-to-manage volumes of data.
– Grows exponentially
– Variable data
– No traditional data management tools can store it or process it efficiently


Big data is a term that describes large, hard-to-manage volumes of data that inundate
businesses on a day-to-day basis. But it’s not the amount of data that’s important. It’s what
organizations do with the data that matters.
Organizations collect data from a variety of sources, including business transactions, smart
(IoT) devices, industrial equipment, videos, social media and more.
Data is growing exponentially with the growth of the Internet of Things. Data streams into
businesses at an unprecedented speed and must be handled in a timely manner.
Data comes in all formats, and it is variable – from structured, numeric data in traditional
databases to unstructured text documents, emails, videos, audios, stock ticker data and
financial transactions.

Big Data In Network Visibility

• Big data is being used in various industries such as energy, finance, education, government etc.
• Big data in network visibility provides:
– Clearer business insight
– Smarter planning and design decisions
– Reduces time to root cause


In the energy industry, big data helps oil and gas companies identify potential drilling locations
and monitor pipeline operations. Financial services firms use big data systems for risk
management and real-time analysis of market data.
Other government uses include emergency response, crime prevention and smart city
initiatives.
Big data solutions add capabilities to network visibility. You can:
• Access more granular data flexibly and gain clearer business insight.
• Make better design decisions with access to complete, high-fidelity historical data.
• Conduct deep forensics into past events to determine root causes.

Big Data in Sightline

Sightline Classic Reports

• Pre-configured, pre-populated reports
• Many built-in reports
• Economical storage
• Optimized for managed objects
• Data granularity diminishes over time


Sightline has more than 400 pre-configured reports such as customer traffic by routers, peer
traffic by BGP ASN origin etc. Network reports are an example of pre-populated reports. They
are being populated as soon as the system starts receiving flows. The report data is stored in
Sightline databases.
It is economical because no extra storage is required for these reports, and you can see
historical data for years.
These reports are generated for each managed object. If you don’t create managed objects for
your resources, you cannot see reports belonging to those resources. When you create managed
objects, it triggers Sightline to start additional processing in terms of reporting.
Sightline is not only responsible for reporting; it also has DDoS detection and mitigation
functions. Data kept for reporting does not store real flow records because this would require
huge storage. Instead, Sightline stores traffic values for each report in a time-based manner, and
granularity decreases over time.

Sightline Insight

• Insight is an add-on to Sightline powered by Big-Data technology
• Insight provides
– Advanced traffic analytics
– Security investigation
• It transforms a Sightline deployment into a rich network traffic explorer


Insight transforms a Sightline deployment into a rich network traffic explorer that extends
Sightline with new reporting and forensics capabilities. Intuitive workflow enables “speed of
thought” traffic analytics and forensics.
It enables network and security engineers to flexibly slice and visualize the data to answer
network, security and business questions.
Insight supports all major use cases - root cause analysis and debugging, DDoS forensics,
transit/peering analysis and network planning.
Network visibility and advanced analytics play an ever more critical role in maintaining
optimum network operations and making intelligent business decisions.
Insight is built to maximize the analytical power of big data and puts it within reach of network
operators and network professionals.
See the diagram to understand how Insight is installed on top of Sightline to bring additional
features.
Flow data from routers goes to the TRA appliances and not directly to Insight.
TRAs still continue to bin data and perform their legacy reporting duties. What Insight receives is the
raw, annotated flow data directly from TRAs.

Sightline Insight (cont.)

• Additional hardware is required, called an Insight cluster
• Scalable
– Grows with demand
• Flexible and depends on:
– Number of flows in your Sightline deployment
– Duration of historical data
– Redundancy


The collective hardware that is added to your Sightline deployment to use Insight is called
an Insight cluster. An Insight cluster is made up of nodes. Each node performs specific
tasks.
Insight is a scalable solution that can grow as your needs change. You can add appliances
to your cluster to increase processing capacity, data retention and
redundancy.
Insight is a flexible system with many options for tuning performance. Some things to consider
are:
• The number of flows per second (fps) that Sightline sends to the Insight cluster
• The duration of historical data that you want to explore using Insight (for example, two
weeks, two months, or six months)
• The redundancy of the data stored

How Insight Enhances Sightline

What Is The Value Of Insight?
• Big data makes a difference in analysis
• High-fidelity, long-term storage of your flow data
• Multi-dimensional, visual analysis for complex queries
• Enhanced forensic investigation
Diagram labels: Sightline, Insight, Raw Flows, Long Term Storage

Insight Extends and Enhances Existing Sightline Deployments


The new big-data technologies that have come about in recent years take advantage of the
increased ubiquity of hardware resources while also enabling multi-dimensional access over
all stored data, meaning that any combination of any number of correlations can be retrieved
and analyzed with a simple yet powerful data exploration interface.
Insight also enables high fidelity historical and forensics analysis by retaining raw traffic flows
for as long as storage allows, providing a photographic memory of high-detail historical traffic
patterns as well as facilitating DDoS and other security investigations.
Insight provides multi-dimensional analysis for many existing network visibility challenges. For
instance, when conducting peering analysis, multi-dimensional analysis brings ASN origin,
peers, routers, interfaces, customers and more aspects together all at one time and makes it
easy to see traffic move from the source to the destination and how it touches the intermediate
steps.
Insight means you can move freely and intuitively through historical data in less time to learn
more about past attacks, targets and indicators without being overwhelmed by multi-
screen/multi-report process.

Insight Has The Actual Data
Sightline has a subset of the annotated netflow data
– flow records → annotated flow records → Sightline report database
– Analytics of binned data
Sightline + Insight has the actual annotated netflow data
– flow records → annotated flow records → Insight database
– Analytics of raw data



Let's look at more details about how Insight enhances Sightline.


Sightline has a subset of the annotated netflow data, while Insight has the actual annotated
netflow data that provides a full account of each traffic instance.
Annotated flow is the data structure after flow has been processed. For example, annotated
flow includes source and destination ASN numbers as well as IP addresses and layer-4
information.
The diagram shows how Sightline receives the flow records, processes the data and annotated
flows are gathered. Annotated flows are calculated and stored in a report database. Sightline
provides the analytics of the binned (calculated) data. What is stored in the Sightline database
(shown in orange) is different from the actual annotated flow.
Insight brings additional functionality to Sightline as seen in the next diagram. Annotated flow
records are not binned (calculated), they are stored in the Insight database without losing any
granularity. This provides extra functionality to Insight. Insight has the capability to analyze the
raw data because it never loses the actual annotated flows.

Insight Extends Raw Flow Storage
Sightline has a simple raw flows database
– Forensics over SAMPLED raw flows
Sightline + Insight has the actual annotated netflow data
– Forensics over ALL raw flows

Sightline has a simple, high-capacity raw flow records database, while Insight is built on top of
a scalable, distributed analytics data store that significantly extends flow storage to archive
flow data for even the largest networks with sub-second accuracy.

Insight Does Not Require Managed Objects
Managed object requirement in Sightline
– Diagram labels: annotated flow records, managed object matched, Sightline report database
No limitation in Sightline + Insight
– Diagram labels: annotated flow records, managed object matched, Insight database


We see 4 annotated flows in the diagram; 3 of them match managed objects. This means
that for these 3 annotated flows, data is being processed by the Sightline reporting daemon
and reflected in managed object reports for later usage. This does not apply to network and
router reports, but to managed object reports such as customer, ASN origin etc.
If you don’t have a managed object for the flow being processed, the data is not reflected in
most of the Sightline reports (not all), and you cannot access this data later. This is why
creating managed objects for important resources is recommended in Sightline. This does not
affect DDoS detection, where all annotated flows (matching or non-matching) are considered.
Insight is different. It stores every single annotated flow in its database for later access.
You can access all details of your resources even if you didn’t previously create a managed
object for them. As can be seen in the diagram, all 4 annotated flows are stored in the Insight
database, even those that do not match any managed object.

Insight Data Remains
The granularity of the data decreases with Sightline
– Economical storage, fast access
Granularity of the data is retained with Sightline + Insight
– 100% data fidelity
[Figure: timelines from 00:00 to 00:55, labelled 2 weeks and 1 year]


With Sightline, the granularity of the data decreases with the passage of time, while the
granularity of the data is retained with Insight.
Sightline is not designed to store every annotated flow. Frequent, daily use of the reports
with fast access is Sightline’s key functionality. In Sightline, you lose details and binning
cycles with the passage of time. For example, if you have 12 binning points for a 1-hour report,
this reduces to 2 binning points after 1 week, and 1 binning point after 2 weeks, as was seen in
the previous unit.
Insight brings big data functionality to Sightline and is designed to store every single annotated
flow. That stored data is never aggregated. Even after 1 year, you will see the same granular
data.

Insight Has Unlimited Filters

Maximum two filters with Sightline

As many available filters as required with Sightline + Insight


Sightline allows you to filter traffic data using two facets of the traffic.
Insight allows you to create a filter using as many available facets as you want to display data
of interest. Each facet that is added to a filter narrows the scope of the traffic data that is
displayed.
Remember that Sightline filters provide you the binned data while Insight brings you the actual
annotated flow data.

Insight Is More Visual
Display traffic as a time series with Sightline
Visualize the relationships between multiple filters with Sightline + Insight


Sightline allows you to display traffic as a time series, while Insight also allows you to visualize
the relationships between multiple facets. This is particularly useful when you want to identify
the elements of your network that are carrying the largest amounts of traffic within the duration
of a given time period, rather than individual high-traffic and low-traffic incidents that occur in a
time period.

Insight Has Richer Geolocation Reports
City, region and country reports for internal or external to my network in Sightline
• Cities internal to your network
• Regions and countries external to your network
Geolocation reports for both internal and external with Sightline + Insight
• View location data either internally or externally


Sightline allows you to investigate traffic data from cities internal to your network and regions
and countries external to your network, while Insight allows you to investigate traffic data for
cities, countries, and/or regions either internal or external to your network.

Accessing and Using Insight

Accessing Insight

• Explore > Insight
– Directly access Insight query page
OR
• Explore with Insight button at:
– Explore > Traffic page
– Pre-defined report pages
– DoS alert pages
Example page shown: Reports > Peers > Summary


You can access Insight via two methods.


The first is from the menu bar, select Explore > Insight.
When you access Insight from the Explore menu, the time period defaults to a three-hour
timeframe that ends with the current time.
The other one is to click the Explore with Insight button on the following traffic
information pages:
• DoS alert pages
• Pre-defined report pages
• Explore > Traffic page
When you access Insight from one of these pages, some of the corresponding traffic data from
the page is passed to the Filter box on the Insight page. For example, the time
period displayed on the page is sent to the Time selector in Insight, and traffic properties are
sent to the Filter box in Insight.

Insight Control Bar

Time Selector: Time period of the traffic displayed on all tabs.


Filter Box: Allows you to select the view and the facets.
Tabs: Allows you to change the type of information that is displayed.
Fidelity: Select the fidelity of the traffic data displayed. High, Medium or Low.
Calculation: Select the desired method for calculating the data to display.
Units: Select the units that are used to express displayed traffic data.


Time: Select the time period for the traffic displayed on the graph and table in each tab.
Units: Select the units that are used to express traffic data displayed on the Insight page. After
you change the selected units, click Update to apply and display the changes. The options are
bps, pps and fps (flows per second).
Calculation: Select the desired method for calculating the data to display on the Insight
page. The following methods are available:
• Last: displays the values of the last traffic logged during the selected time period.
• Average: displays the average of all traffic during the expanded time period.
• Max: displays the maximum of all traffic during the expanded time period.
• PCT95: displays the 95th percentile of all traffic during the expanded time period.
• Total: displays the total amount of all traffic during the expanded time period.
Fidelity:
• High (Standard): Insight runs a query on 100% of all traffic data for the time period and
returns all traffic data that matches the settings in the control bar. High-fidelity queries take
more time to return than lower-fidelity queries. This is the default setting.
• Moderate (Faster): Insight runs a query on 10% of all traffic data for the time period and
scales the traffic that matches the settings in the control bar to account for sampling.
Moderate-fidelity queries take less time to return than high-fidelity queries.
• Low (Fastest): Insight runs a query on 1% of all traffic data for the time period and scales
the traffic that matches the settings in the control bar to account for sampling. Low fidelity
queries take significantly less time to return than higher-fidelity queries.
Filter: Allows you to select the view and the facets for which traffic is displayed on
the Insight page. Facet means any dimension or aspect, and we will cover it in more detail in
upcoming slides.
Tabs:
• Summary: Displays a summary of the traffic specified in the control bar, both in graph and
in table form.
• Relationships: Displays a Sankey diagram that allows you to visualize the volume of traffic
moving between facets specified in the Filter box.
• Top Contributors: Displays tables and graphs that allow you to see traffic for the top
contributors within the facets you select on this tab.
• Raw Flows: Displays predefined information for about 50 raw flow records for the traffic
specified in the control bar. This information includes various aspects of the traffic, such as
IP protocol, source and destination port numbers, and source and destination IP addresses.
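
The Fidelity setting described above trades accuracy for speed by querying 10% or 1% of the traffic data and scaling the result. The following is an added example, not NETSCOUT code: the flow records are constructed, and the systematic 1-in-N sampling on a record id is an assumption, since the course does not say how Insight selects its sample.

```python
from collections import defaultdict

# Fraction of traffic data queried per Fidelity setting, as 1-in-N:
# High = 100%, Moderate = 10%, Low = 1%.
FIDELITY_RATE = {"high": 1, "moderate": 10, "low": 100}


def build_flows():
    """Constructed annotated flow records (sample data, not real traffic)."""
    flows = []
    # 2,000 HTTPS flows of varying size: the dominant contributor.
    for i in range(2000):
        flows.append({"id": i, "dst_port": 443, "bytes": 500 + (i * 37) % 1000})
    # 15 small flows to port 23: a low-volume contributor an analyst may be hunting.
    for i in range(2001, 2016):
        flows.append({"id": i, "dst_port": 23, "bytes": 40})
    return flows


def query_bytes_by_port(flows, fidelity):
    """Return {dst_port: estimated bytes} for the chosen fidelity.

    Assumption: the sample is every Nth record by id, and each sampled
    record is scaled by N to account for sampling.
    """
    n = FIDELITY_RATE[fidelity]
    totals = defaultdict(int)
    for flow in flows:
        if flow["id"] % n == 0:
            totals[flow["dst_port"]] += flow["bytes"] * n
    return dict(totals)


def relative_error(estimate, exact):
    """Relative error of a scaled estimate against the full-data value."""
    return abs(estimate - exact) / exact


if __name__ == "__main__":
    flows = build_flows()
    exact = query_bytes_by_port(flows, "high")
    for fidelity in ("high", "moderate", "low"):
        result = query_bytes_by_port(flows, fidelity)
        for port in sorted(exact):
            estimate = result.get(port, 0)
            err = relative_error(estimate, exact[port])
            print(f"{fidelity:9s} port {port:4d}: {estimate:>9d} bytes "
                  f"(error {err:.1%})")
```

The large contributor stays close to its true volume at every setting, while the small one is underestimated at Moderate and disappears at Low, so forensic queries for low-volume traffic belong on High fidelity.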

Insight View and Filter Usage

VIEW
• From which perspective you want to view traffic?
– as it entered or exited the network
– wherever it was seen
– when it crossed a certain customer boundary
– when it crossed a customer boundary with certain tag
FILTER
• Define the traffic you want to investigate with filters
– traffic that passed through a certain interface, router etc.
– traffic that uses certain ports, protocols etc.
– traffic that was sent to a specific host or prefix, ASN etc.


The Insight Filter box is where you define the traffic you want to investigate in Insight.
When you use the Filter box, ask yourself the following two basic questions:
1. What kind of traffic do I want to see?
Example answers:
• I want to see traffic that started or ended at a certain customer
• I want to see traffic that passed through a certain interface
• I want to see traffic that was sent to a specific host or prefix
• I want to see the traffic of the ports that received the most traffic
This is determined by the facets you select in the Filter box
2. What perspective do I want to see the traffic from?
Example answers:
• I want to see the traffic as it entered or exited the network
• I want to see the traffic wherever it was seen
• I want to see the traffic when it crossed a certain customer's boundary
This is determined by the View selector in the Filter box.

Using the View Selector

• The View selector is a component of the Filter box
• It allows you to select from which perspective you want to view traffic
• Example views you can use:
– Network
– All Flows (EVERYWHERE)
– Customer
– Peer


The View selector is a component of the Filter box. It allows you to select the perspective from which you want to
view the traffic that is displayed on the Insight page.
Network: Displays traffic that crosses the network boundary.
Customer: Displays traffic that crosses a customer managed object's boundary and matches the
managed object's match value.
Peer: Displays traffic that crosses a peer managed object's boundary and matches the managed object's
match value.
Profile: Displays traffic that crosses a profile managed object's boundary and matches the managed
object's match value.
Customer Tag: Displays traffic that crosses a customer managed object's boundary, matches the
managed object's match value, and matches a tag assigned to the managed object.
Peer Tag: Displays traffic that crosses a peer managed object's boundary, matches the managed object's
match value, and matches a tag assigned to the managed object.
Profile Tag: Displays traffic that crosses a profile managed object's boundary, matches the managed
object's match value, and matches a tag assigned to the managed object.
All Flows: All flows are displayed. Boundaries are not considered.
Note: When using All Flows, Insight may count traffic multiple times if the traffic matches the filter criteria.
For example, if you are investigating a destination host, and traffic passes through three routers to arrive
at that host, Insight counts and displays the traffic three times when using the All Flows view.
If you set the View to Customer and select the managed objects for customer A and customer B, Insight
displays traffic that:
• crossed the boundary of customer A and matched the match value of customer A, or,
• crossed the boundary of customer B and matched the match value of customer B

Using the Facets

• You can add as many facets and facet values as possible to the Filter box
• Useful when you know which facet values are important to see (or not see) in your query results
• Multiple values within same facet means OR

[Figure callouts: Customer, Applications, Prefix, ASN ..; exclude certain traffic matching value for the facet]


You can add as many facets and facet values to the Filter box as you want, but more facets,
more values, and a longer time period increase the time it takes to collect and display the
traffic information on the Insight page.
• Click Is (=) to select an “equals” operation. For example, to display the traffic of Customer
A, filter by “Customer = A”.
• Click Is Not (!=) to select a “does not equal” operation. For example, to display traffic from
customers other than Customer A, filter by “Customer != A”.
Insight processes multiple values within the same facet with an OR operator. If you specify
multiple values for a facet, Insight displays traffic that matches any of those values. For
example, if you select the TCP Port facet with the values 443 and 80, Insight displays traffic
that is on either TCP port 443 or TCP port 80.
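
The view and facet semantics described above, modelled over constructed flow records as an added example (not Sightline code or its data model). The record fields, the `query` helper and the AND between different facets are assumptions made for illustration; only the Network and All Flows views are modelled.

```python
from collections import defaultdict

# Constructed flow records (hypothetical schema, not Sightline's data model).
# One Customer A conversation is exported by three routers on its path; only
# the edge router's record crosses the network boundary.
FLOWS = [
    {"router": "edge1", "boundary": True,  "customer": "A", "tcp_port": 443, "bytes": 1000},
    {"router": "core1", "boundary": False, "customer": "A", "tcp_port": 443, "bytes": 1000},
    {"router": "agg1",  "boundary": False, "customer": "A", "tcp_port": 443, "bytes": 1000},
    {"router": "edge2", "boundary": True,  "customer": "B", "tcp_port": 80,  "bytes": 400},
    {"router": "edge2", "boundary": True,  "customer": "C", "tcp_port": 22,  "bytes": 250},
]

def matches(flow, filters):
    """OR across the values of one facet; AND across facets (assumed)."""
    for facet, op, values in filters:
        hit = flow[facet] in values
        if (op == "is" and not hit) or (op == "is_not" and hit):
            return False
    return True

def query(flows, view, filters, group_by=None):
    """Sum bytes per group for the chosen view and facet filters."""
    if view not in ("network", "all_flows"):
        raise ValueError(f"unsupported view: {view}")
    totals = defaultdict(int)
    for flow in flows:
        # Network view: only records that cross the network boundary count.
        # All Flows view: boundaries are ignored, so every exporter counts.
        if view == "network" and not flow["boundary"]:
            continue
        if matches(flow, filters):
            totals[flow[group_by] if group_by else "total"] += flow["bytes"]
    return dict(totals)

if __name__ == "__main__":
    only_a = [("customer", "is", {"A"})]
    print("Network view, Customer = A:  ", query(FLOWS, "network", only_a))
    print("All Flows view, Customer = A:", query(FLOWS, "all_flows", only_a))
    print("All Flows by router:         ", query(FLOWS, "all_flows", only_a, "router"))
    print("TCP Port = 443, 80 (OR):     ",
          query(FLOWS, "network", [("tcp_port", "is", {443, 80})]))
    print("Customer != A, B:            ",
          query(FLOWS, "network", [("customer", "is_not", {"A", "B"})], "customer"))
```

Grouping the All Flows result by router shows where the threefold count comes from: each router on the path reports the same 1000 bytes.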

Quiz - Using the Facets

Q: Show the traffic for Customer A when traffic is entering or exiting from my network.

Q: I would like to see all traffic matching Customer A everywhere in my network. This can report
double-counting, but I need full visibility of individual Customer A flows.

Quiz - Using the Facets

Q: Show the traffic for Customer A or Customer B in my network boundary. The report should show
both customers' traffic.

Q: Show the top router traffic used by Customer A at my network boundary.

Quiz - Using the Facets

Q: Show the traffic for top customers who used most of the traffic but exclude Customer A and B.

Q: Show the top combinations of router and destination origin ASN traffic used by Customer A.

Insight Reports Display – Summary
Time series graph


The Summary tab displays a graph of the traffic specified in the control bar.
Each column represents a selected facet; each row represents a dataset in the graph.

Insight Reports Display – Relationships
Visualize the volume


The Relationships tab makes it easy to visualize the volume of traffic moving between facets
specified in the Filter box. It is particularly useful when you want to identify the elements of
your network that are carrying the largest amounts of traffic within the duration of a given time
period, rather than individual high-traffic and low-traffic incidents that occur in a time period.
Insight indicates the volume of traffic that moves between facets. Traffic is visualized using
gray connections of varying thicknesses; thicker connections indicate higher traffic volume,
and thinner connections indicate lower traffic volume. To display additional information:
• Hover your mouse pointer over a connection to display details about the traffic moving
between the facet on the left and the facet on the right.
• Hover your mouse pointer over a specific facet to display details about the combination of all
traffic moving between the facets on the left and the facets on the right.

Insight Reports Display – Top Contributors
Display Top contributors for the traffic matching filters


The Top Contributors tab allows you to display the top traffic contributors of certain facets
within the traffic specified by the Filter box.
For example, you can see which customers and routers have the most traffic on destination
port 80 by setting Destination Port = 80 in the Filter box, and then setting Customer and Router
on the Top Contributors tab.

Insight Reports Display – Raw Flows
Actual individual flows


The Raw Flows tab lists actual flows for forensic purposes. It is not possible to list all individual
flow records; the records shown are randomly selected from those that match the filter and
timeframe criteria. The more filters you apply, the more precise the list will be.

Data Fidelity

• Insight stores a massive amount of data
– This means that doing large queries (longer timeframe, bigger dataset) takes more time
• Insight allows the user to query the sampled data
– Faster query performance

Fidelity levels:
– High: 100% of all traffic data. Takes more time.
– Moderate: 10% of all traffic data. Takes less time.
– Low: 1% of all traffic data. Faster than others.


The Fidelity selector allows the user to query the sampled data. This lets longer queries (weeks to
months) finish earlier while providing enough fidelity to answer long-term trend analysis
questions. Insight uses sampled data sources for this purpose.
Tip: If you run query after query in an effort to find certain traffic patterns or anomalies, you can
set the Fidelity selector to Moderate (Fast) or Low (Fastest) to process your queries quickly.
After you find the traffic that you are interested in, you can set the Fidelity selector to High
(Standard) and view the results at full fidelity.

Data Fidelity Use Case

• Use Low Fidelity and look in a smaller dataset
• Use High Fidelity for the filtered data
• Filter with the items of interest and then use High Fidelity to access all flows


Let's say you are checking for source IP addresses sending the highest traffic for the last 3
hours. This could result in a lot of IP addresses!
Use Low Fidelity for a faster query in the smaller dataset to gather the source IP list.
In the Low Fidelity results, select the most interesting source IPs and use High Fidelity to
retrieve all flows belonging to these IPs. This will give increased granularity and a higher
response time, but all the data for the selected IPs will be in the results.

Saving a Query

• Save the current query settings
• Use “Saved Queries” to access
• Useful to re-query complex or daily requirements


Insight allows you to save the current control bar settings and then reload them later from
the Saved Queries tab. Each saved query contains all of the information in the control bar that
is necessary to reload the currently displayed Insight page.

Session History

• Last 25 queries
• Current UI session
• The results are in the browser
• Does not query Insight cluster


The Session History tab allows you to display the results of the last 25 queries from the current UI
session. The query results are stored temporarily in your web browser, which means that you
can display them again quickly without re-querying the Insight cluster. The session history is
lost when you do any of the following:
• Close the browser window or tab
• Refresh the Insight page

Smart Alerts

• Checked every 5 minutes
• Smart Alert is created when threshold is exceeded


You can use the traffic filtering features of Insight to detect very specific types of traffic, and
then trigger an alert when that traffic exceeds a certain threshold. This is called Smart alerting.
You use the Insight page (Explore > Insight) to create Smart alert configurations. Use the
Insight page to display the traffic that you want to detect and then click the Set Smart
Alert button to start creating a configuration. Set the detection details, including the traffic
threshold for triggering alerts, and save the configuration.
Sightline uses the details of each Smart alert configuration to query the Insight cluster every
five minutes. When Insight detects that the traffic specified in a Smart alert configuration
exceeded the specified threshold, Sightline creates a Smart alert. When Insight detects that
the traffic dropped below the specified threshold, Sightline stops the alert.
Just as with other alert types, Sightline displays Smart alerts on the alert listing pages. When
you click the ID of a Smart alert, you can display the traffic that triggered the alert on the
Insight page and investigate the incident.
Let's assume there is a customer suffering from DNS Amplification attacks. We can create a
Smart Alert specifically for this customer and attack type and get notifications once traffic
exceeds the configured threshold.
Currently, Smart alerts cannot be mitigated.
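
The check-and-alert cycle described above, replayed over constructed flow summaries as an added example (not Sightline code). The filter (Destination Customer = A, UDP, source port 53, standing in for DNS amplification responses), the threshold and the record layout are assumptions.

```python
INTERVAL_S = 300            # Smart alert configurations are checked every five minutes
THRESHOLD_BPS = 1_000_000   # hypothetical threshold for this customer

# Constructed flow summaries: (epoch_seconds, dst_customer, protocol, src_port, bytes)
FLOWS = [
    (10,   "A", "udp", 53,  3_000_000),
    (200,  "A", "tcp", 443, 90_000_000),   # large, but outside the filter
    (320,  "A", "udp", 53,  30_000_000),
    (450,  "A", "udp", 53,  45_000_000),
    (610,  "A", "udp", 53,  60_000_000),
    (700,  "B", "udp", 53,  80_000_000),   # another customer, outside the filter
    (910,  "A", "udp", 53,  6_000_000),
    (1250, "A", "udp", 53,  41_250_000),
]

def matches(flow):
    """Hypothetical filter: Destination Customer = A, Protocol = UDP, Source Port = 53."""
    _, customer, proto, src_port, _ = flow
    return customer == "A" and proto == "udp" and src_port == 53

def rate_per_interval(flows, n_intervals):
    """Average bps of the matching traffic in each five-minute interval."""
    totals = [0] * n_intervals          # intervals with no matching traffic stay at 0
    for flow in flows:
        if matches(flow):
            totals[flow[0] // INTERVAL_S] += flow[4]
    return [b * 8 // INTERVAL_S for b in totals]

def evaluate(rates, threshold):
    """Replay the periodic checks; times are the start of the checked interval."""
    alerts, active = [], None
    for i, bps in enumerate(rates):
        if bps > threshold:
            if active is None:          # threshold exceeded: a Smart alert is created
                active = {"start_s": i * INTERVAL_S, "stop_s": None, "peak_bps": bps}
                alerts.append(active)
            active["peak_bps"] = max(active["peak_bps"], bps)
        elif bps < threshold and active is not None:
            active["stop_s"] = i * INTERVAL_S   # dropped below: the alert stops
            active = None
    return alerts

RATES = rate_per_interval(FLOWS, 5)
ALERTS = evaluate(RATES, THRESHOLD_BPS)

if __name__ == "__main__":
    print(RATES)
    for alert in ALERTS:
        print(alert)
```

The second alert has no stop time because the replay ends while the traffic is still above the threshold.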

Insight Reports and Use-Cases

Network Traffic Breakdown
• Network wide customer A and B traffic breakdown by routers and applications


The result is displayed by using a relationship graph. This filter does not anchor the
directionality (source IP, input interface etc.), therefore the graph is bidirectional.
In other words, the graph shows both the traffic sourced from Customer A and destined to
Customer A.
When you hover with the mouse, you can see IN and OUT values for the pairs.

Network Traffic Breakdown (cont.)
• Network wide customer A and B source traffic breakdown by routers and
applications


Here the data is anchored by selecting a filter that limits it to traffic in one direction. The filter is
for Source Customer being A or B and now the traffic behaves in a more predictable fashion.

Customer External Communication
• Examine customer external communication breakdown by origin ASN, IPv4 BGP
Prefix and individual external IPs


A relationship graph is used to see a complete picture of the traffic distribution.
This is the customer's traffic breakdown by external IP (an IP that does not belong to the
customer), origin ASN, and IPv4 BGP prefix.
The report gives a good summary of the customer’s external communications.

Network Traffic Entire Path
• Full picture of your network traffic


This example displays the entire network’s traffic breakdown from source origin ASN to
destination origin ASN. It shows which peers the traffic is coming from and going to, and which
router(s) are forwarding that traffic. It's a good summary to understand network wide routing
decisions.
The report also gives a breakdown of router input and output interfaces to understand routing
decisions at each router level.

Analyze Peer Traffic
• Peer sourced traffic shown for which ASNs and which applications


This example report helps you understand the traffic utilization for each peer: which origin
ASNs the peers are being used to access, and for what application types.

Customer Malicious IPs
• Customer sourced malicious traffic pattern and destination


If you need a high-level view of the traffic matching certain signatures sourced from your
customer, you could use these facets.

Malware Communication
• It is known that source port 59533 is being used by a specific malware…


It is common that new malware communication quickly becomes popular worldwide. You can
use Insight's flexible filtering to match this traffic in your network and see a source country and
destination IP breakdown. This shows where the malware traffic comes from and which IPs in
your network it is destined to.

Malware Communication (cont.)
• See individual flows for the filtered traffic…


The Raw Flows tab gives you the actual flow records that match the malware traffic, so you can
get more insight into the traffic pattern.

Examine the DDoS Attack
• 35.12.50.2 IP is under attack, what type of traffic is coming from which sources?


Sightline has alerts that give you detailed information about the alert traffic. Insight also has
flexible filters to report this traffic. If you know which IPs or prefixes are under attack,
you can use facets to understand the sources and types of traffic.

Knowledge Check
Reporting Overview
Q1: Insight is included with all Sightline deployments?
a) True
b) False

Q2: What is one value of Insight?
a) A simpler solution for big data analytics
b) Aggregated flow data to minimize long-term storage needs
c) Multi-dimensional visual analysis for complex queries
d) Alternative reporting on deep packet inspection

Q3: Which view may count traffic multiple times if the traffic matches the filter criteria?
a) Network
b) All Flows
c) Customer
d) Peer

Q4: What displays a Sankey diagram to visualize the traffic between facets specified in the Filter?
a) Summary tab
b) Raw Flow Tab
c) Relationships tab
d) Top Contributors tab


Solution: Q1 = b ; Q2 = c ; Q3 = b ; Q4 = c

Summary

• Big Data definition, services and usage in network visibility were discussed

• We were introduced to the Big Data implementation in Sightline known as Insight

• We compared Insight and Sightline functionalities and discussed details

• Insight access methods and usage were shown

• Example Insight reports and use cases were discussed

Lab Exercise
Lab 8: Multi-dimensional reports with Sightline Insight

• Online Lab Access: https://portal.ne.netscout.com/
• Environment: Sightline
• Credentials: Provided by the Instructor
• Time to Complete: 30 minutes
• Lab Objectives:
– Discover various multi-dimensional reports with multiple filters
– Understand how Sightline Insight helps for reporting

Corporate Headquarters
310 Littleton Road
Westford, Massachusetts 01886-4105

Revised: 08 December 2021


Toll Free +1 888 357 7667
T +1 978 614 4000
F +1 978 14 4004

www.netscout.com

Copyright © 2021 NETSCOUT
All rights reserved.

Information presented in this document is subject to change without notice.
The contents of this publication may not be reproduced (in any part or as a
whole) without the permission of the publisher. Peakflow X is a trademark of
Arbor Networks. All other trademarks are the property of their respective
owners.
