PRTG Manual: Toplists

Packet Sniffer sensors and xFlow (NetFlow, jFlow, sFlow, IPFIX) sensors not only measure the total bandwidth usage, but also break down traffic by IP address, port, protocol, and other parameters. This way, PRTG can tell which IP address, connection, or protocol uses the most bandwidth. PRTG shows the results in Toplists.

Toplist Top Protocols for a Packet Sniffer Sensor

Toplist Storage

PRTG looks at all network packets and collects the bandwidth information for all IPs, ports, and protocols. This creates a huge amount of analysis data. To reduce the amount of data that is actually stored, by default PRTG only stores the top 100 entries of each Toplist in the database at the end of a specified Toplist period.

Toplist Overview

Toplists are only available for xFlow and Packet Sniffer sensors. PRTG displays Toplists on the sensor's Overview tab.

Toplist Overview for a Packet Sniffer Sensor

By default, there are three preconfigured Toplists:

  • Top Talkers: Shows bandwidth usage by IP address.
  • Top Connections: Shows bandwidth usage by connection.
  • Top Protocols: Shows bandwidth usage by protocol.

Working with Toplists

  • Click one of the Toplist names on the sensor's Overview tab or click the window icon below a Toplist to view a distribution chart and a list of, for example, source IPs and destination IPs, source ports and destination ports, protocols, or kinds of traffic in different channels. What kind of information is available depends on the selected Toplist.
    • Click an entry in the Toplist periods list on the left side to view data for a specific time period. The default time period is 15 minutes. You can also manually define the start and end time of the Toplist period that you want to view. Use the date time picker to enter the date and time. Additionally, several table list options are available.
    • Click Print This Toplist to view a printer-friendly version of your Toplist and use the print dialog of your browser to print the Toplist.
    • Click Sensor Overview to return to the selected sensor's Overview tab. For a quick selection of other Toplists of the selected sensor, click one of the Toplist tiles at the top of the page.
Toplist Tiles

  • Click Add Toplist on the sensor's Overview tab to create a new Toplist. The available options are the same as when you edit a Toplist.
  • Click the delete icon below a Toplist on the sensor's Overview tab and confirm with Delete to delete the Toplist.

Edit Toplists

Click the edit icon below a Toplist on the sensor's Overview tab to modify a Toplist.

Setting

Description

Name

Enter a meaningful name to identify the Toplist.

If the name contains angle brackets (<>), PRTG replaces them with braces ({}) for security reasons. For more information, see the Knowledge Base: What security features does PRTG include?

Toplist Type

  • Top Talkers (IP address): Shows bandwidth usage by IP address.
  • Top Connections: Shows bandwidth usage by connection.
  • Top Protocols: Shows bandwidth usage by protocol.
  • Custom: Create your own Toplist by selecting one or more Toplist fields.

Toplist Fields

This setting is only visible if you select the Custom option. Select the fields that you want to add to the Toplist by enabling the check box in front of the respective field name. The available options depend on the sensor. They are different for Packet Sniffer, NetFlow v5, NetFlow v9, IPFIX, and sFlow sensors.

For performance reasons, only select the fields that you really need to monitor.

For more information, see section Performance Considerations.

Toplist Period (Minutes)

Define the time span that a Toplist period covers in minutes. Enter an integer value. When a Toplist period is finished, PRTG stores the top results and starts a new Toplist period.

To avoid load problems on the probe system, do not set this time period too long. The default setting is 15 minutes.

For more information, see section Performance Considerations.

Top Count

Define the length of your Toplist. PRTG stores only this number of entries for each Toplist period. Enter an integer value.

To avoid load problems on the probe system, set this value as low as possible. The default setting is 100 to store the top 100 entries for each Toplist period.

For more information, see section Performance Considerations.

Reverse DNS Lookup

Define if you want to do a reverse Domain Name System (DNS) lookup for IP addresses that are stored in the Toplist:

  • Reverse DNS lookup for IP addresses: Determine the domain name that is associated with an IP address and show it in the Toplist.
  • No reverse DNS lookup: Only show IP addresses. Select this option to increase performance.

Data Transfer

Define how the probe sends the Toplist data set to the PRTG core server:

  • According to scanning interval (default): Send data in the scanning interval defined in the settings of the sensor for which you create this Toplist.
    This setting can create a lot of bandwidth usage and CPU load if you have many Packet Sniffer sensors, complex traffic, or long Toplists.
  • At end of Toplist period: Send data once a Toplist period is finished.
    This setting creates less bandwidth usage and CPU load, but you cannot see the data of the current Toplist in the PRTG web interface. You can only see Toplists with finished time periods.

For more information, see section Performance Considerations.

Memory Limit (MB)

Define the maximum amount of memory (in megabytes) that the probe uses to collect the different connection information. Every Toplist adds its amount of used memory to the probe's memory consumption. Increase this value if the number of captured connections is not sufficient. Enter an integer value.

Save your settings. If you change tabs or use the main menu without saving, all changes to the settings are lost.

Performance Considerations

If you create Toplists for data lines with considerable usage (for example, steady bandwidth over 10 megabits per second) or if the traffic is very diverse (for example, many IP addresses or ports with only little traffic each), consider the following aspects:

  • The probe gathers all information that is needed for the Toplist in RAM during each Toplist period. By default, only the top 100 entries are transferred to the PRTG core server. Depending on the Toplist type and the traffic patterns, the required memory can consume many megabytes.
  • Define Toplist periods that are as short as possible to minimize memory usage. This is especially important when the traffic is highly diverse.
  • Memory requirements can grow almost exponentially with each Toplist field that you use in the Toplist definition (depending on the traffic pattern). Avoid complex Toplists for high and diverse traffic. For example, the Toplist Top Connections with 5 Toplist fields needs a lot more memory than the Toplist Top Talkers with 1 Toplist field.
  • If you notice a high bandwidth usage between the PRTG core server and the probe, try the At end of Toplist period option in the Toplist settings.
  • If you get Data incomplete, memory limit was exceeded messages, try to increase the memory limit in the Toplist settings but keep an eye on the memory usage of the probe process.
  • To increase the performance of a Toplist, disable the reverse DNS lookup setting.
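
Added example (not PRTG's own code): a minimal Python model of per-period Toplist aggregation, showing why a five-field Toplist holds far more keys in RAM than a one-field Toplist even though only Top Count entries are stored. The flow records, the field names, the use of source IP as the Top Talkers key, and the max_keys cap that stands in for the memory limit are assumptions made for illustration.

```python
from collections import Counter

# Hypothetical field layout of one flow record:
# (src_ip, src_port, dst_ip, dst_port, protocol, bytes)
FIELDS = {"src_ip": 0, "src_port": 1, "dst_ip": 2, "dst_port": 3, "protocol": 4}

TOP_TALKERS = ["src_ip"]                                   # 1 field (assumed key)
TOP_CONNECTIONS = ["src_ip", "src_port", "dst_ip", "dst_port", "protocol"]  # 5 fields

def sample_flows():
    """Constructed traffic for one Toplist period: 4 clients, 50 connections each."""
    flows = []
    for host in range(1, 5):
        for conn in range(50):
            flows.append((f"10.0.0.{host}", 40000 + conn,
                          f"192.0.2.{conn % 10 + 1}", 443, "TCP",
                          1000 * host + conn))
    return flows

def build_toplist(flows, fields, top_count=100, max_keys=None):
    """Aggregate bytes per key for one period.

    Returns (stored top entries, number of keys held in RAM, complete flag).
    max_keys is an assumed stand-in for the memory limit: once it is reached,
    new keys are dropped and the result is marked incomplete.
    """
    idx = [FIELDS[f] for f in fields]
    totals = Counter()
    complete = True
    for flow in flows:
        key = tuple(flow[i] for i in idx)
        if key not in totals and max_keys is not None and len(totals) >= max_keys:
            complete = False
            continue
        totals[key] += flow[5]
    # Only the top entries are kept at the end of the period.
    return totals.most_common(top_count), len(totals), complete

if __name__ == "__main__":
    flows = sample_flows()
    for name, fields in (("Top Talkers", TOP_TALKERS),
                         ("Top Connections", TOP_CONNECTIONS)):
        top, keys, complete = build_toplist(flows, fields)
        print(f"{name}: {keys} keys in RAM, {len(top)} stored, complete={complete}")
    _, keys, complete = build_toplist(flows, TOP_CONNECTIONS, max_keys=64)
    print(f"Top Connections capped at 64 keys: {keys} keys, complete={complete}")
```

With the same 200 flows, the one-field Toplist tracks 4 keys while the five-field Toplist tracks 200 and still stores only 100, which is the growth the bullets above describe.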

Notes

  • When you work with Toplists, be aware that privacy issues can come up for certain configurations of this feature. Using Toplists, you can track all single connections of an individual system to the outside world and you must make sure that it is legal for you to configure PRTG like this.
  • Keep in mind that Toplists can be viewed in the PRTG web interface. You might not want to show lists of domains that are used in your network to others, so restrict access rights to sensors that have Toplists.
  • Toplist charts, for example for top connections, are not meant to be used for detailed analysis. Instead, they should indicate if there is an uncommon, bigger change in this Toplist.

More

KNOWLEDGE BASE

What security features does PRTG include?