2019-11-23 06:46 PM
I'm trying to find and filter out large talkers through the packet decoder that could help in reducing our license usage.
What's the best way to find these large talkers on the decoder?
Thanks.
2019-11-23 06:54 PM
Jeremy
You could do something like a top 10 source addresses sorted by size
Aggregate by ‘packet size’
Select ip.src
Where ip.src exists (You could put a network zone label in here too)
Descending order
And choose 10 (or whatever count you want)
Dave
2019-11-23 07:29 PM
That seems simple enough, I'll give it a try, thanks Dave.
2019-11-24 09:32 PM
Hi Dave,
When you say 'aggregate by 'packet size'', is that the 'Summarize' field in the rule builder? If so, would 'packet count' be the correct one to select?
I don't see aggregate or packet size in the rule builder. Running 11.3.1.1
Thanks.
2019-11-24 09:39 PM
Jeremy
Summarize by ‘session size’
That’s what you want.
Dave
2019-11-25 11:24 PM
Thanks Dave, what you suggested was exactly what I was looking for.
2021-06-23 12:45 PM
Dave,
Can it also be useful if we are looking for the top log sources that are sending us the most traffic, because our decoder is not able to handle it and is dropping packets?