In many cases it may be useful to calculate total traffic for number of prefixes and make custom actions when it reaches specified value.
You can enable it this way:
sudo fcli set main enable_total_hostgroup_counters enable
You also can create any number of custom hostgroups which can consist any number of networks this way:
sudo fcli set hostgroup servers sudo fcli set hostgroup servers calculation_method total sudo fcli set hostgroup servers networks 192.168.1.0/24 sudo fcli set hostgroup servers networks 10.10.1.2/16 sudo fcli commit
Please be aware that each specific prefix can be added only once for all total hostgroups. If you add same prefix multiple for two different hostgroups it will be assigned only to one of them randomly.
You can debug per hostgroup traffic using following fcli command:
sudo fcli show hostgroup_counters_total
Our default dashboards set for Grafana includes dashboard which show per hostgroup traffic.
When you create total hostgroup you will be able to see host top talkers per hostgroup this way:
sudo fcli show host_counters_per_hostgroup_v4 <hostgroup_name> sudo fcli show host_counters_per_hostgroup_v6 <hostgroup_name>
For all total hostgroups we have field “parent_name” which specifies hostgroup name which should be used as parent. In this context “parent” means that the current group will use networks list from parent group. It’s a useful option when you have the same networks list for per-host and for total hostgroups. You can use only per_host hostgroup as parent.
You can set it this way:
sudo fcli set hostgroup client1 parent_name client1_per_host
To configure automated attack detection using total traffic to hostgroup, please follow to this guide.
FastNetMon automatically creates hostgroup called global_total which accounts traffic not included into any existing total hostgroup. If you prefer you can create it manually but it’s not required.
sudo fcli set hostgroup global_total sudo fcli set hostgroup global_total calculation_method total