Nagios Support Forum

Looking at the chord diagram and the query results, just wondering how are the "top IPs" that shows up are determined. Attached is a sample. The diagram shows that 10.62.11.99 is one of the top talker, but look at the query, there are other top talkers where the IPs doesn't show up. So what does the chord diagram represent in comparison to the data?

This chord diagram is generated from my query. That's why I was wonder why the top IP is doesn't correspond to the chart. The chart and diagram created is generated from a single query. The top of the chart definitely does not match the top IP of the chord diagram in terms of bandwidth.

I don't remeber exactly what was used, but it was aggregated by dstip, dstport, srcip. Query I believe was for dst port 80 or dst port 443.
In the chart, there are other IPs with much more Bytes usage showing.

I ran another test, this time using only 2 aggregates as you suggested, and recorded the settings.
Aggregate by: dstip,dstport
Time Frame: 1 hour
Query: dst port 80 or dst port 443

In this case, the top IP was 10.62.11.232 but it does not show in the chord diagram.

Sorry for the confusion above - that answer is not correct, I have crossed it out.

The chord diagram represents the amount of connections being made, not the bandwidth of those connections.

Let's say I have 2 example servers - test.jolson.local, and test2.jolson.local.

If test.jolson.local reached out to 500 servers with 1KB of data, while test2.jolson.local reached out to 1 server with 1TB of data, test.jolson.local would take up 99% of the chord diagram. Ultimately this graphic can help you diagnose which computers on the network are making the most 'disparate' connections. The graph is not related directly to bandwidth used (though bandwidth and amount of connections often coincide).

Does that help answer your question?

Thanks, that's a bit more clear. So can this "amount of connections" be queried? Ie if I add into the query something like (src ip xxx and dst ip xxx) then would I see all the connections and can compare the two. Or perhaps that's not something we can query?

For example, do two queries like:

aggregate by dstip,srcip,dstport,srcport
query: (dst ip 10.62.11.232 or src ip 10.62.11.232) and (dst port 80 or dst port 443)
and compare that to
aggregate by dstip,srcip,dstport,srcport
query: (dst ip 10.62.11.99 or src ip 10.62.11.99) and (dst port 80 or dst port 443)

Yes, you can query by dstip, srcip, dstport and srcport and use "aggregate by" to increase the granularity. Please, review the query examples in our "Understanding And Using Custom Queries In Network Analyzer" document:

http://assets.nagios.com/downloads/nagi ... alyzer.pdf

I am still not getting a good query that can match the chord diagram. I think there is no way to validate the chord diagram in terms of "connections". Since sorting by flow, bytes, packets, etc doesn't really show the count that the chord diagram uses.

I performed a test on my lab box that should produce the information you're after.

I performed a query based on a source/destination port of 80: The resulting chord diagram: For reference, jolson.nagios.local is in grey, test2.nagios.local is in blue.

I then performed another query using just jolson.nagios.local. Note that you need to use an IP address here as opposed to a hostname: Note: jolson.nagios.local has 15 pages of results. There are 20 results per page.

Now let's perform another query against the second largest 'host' in my chord diagram: You can see that there are 3 pages of results. This is expected based on the chord diagram displayed - the blue section is much smaller than the grey section, and therefore has fewer results.

Let's query a host that's smaller still - this one is the 'red' host located on the bottom-right of the chord diagram. The host is called support.nagios.com: Hopefully this all makes sense. The amount of results that appear correspond with the chord diagram.