If you haven't enabled NBAR2 in your routers, you're not getting all that Netflow offers.  You're missing the Application data that's passing through your L3 interfaces.

 

And you're probably getting Alerts from NTA, telling you that it's receiving Netflow data that's missing NBAR2 information from an NBAR2-compatible device.

 

There are at least four places you'll see that Alert.  One is at the top of your Main NPM page, with the white alarm bell and a red instance counter.  Click on it and you can see the alerts:

 

 

A second place you'll see these errors is in the Events page:

 

 

A third place you'll find it is on the NetFlow Traffic Analyzer Summary page, if you have added in the "Last XX Traffic Analyzer Events" Resource

 

A fourth place it appears is in the main NPM page for an L3 device's Node Details / Summary:

 

Obviously, Solarwinds thinks not getting your full NBAR2 information is pretty important.  Nobody needs unnecessary alerts, and it's easy to change a router to use NBAR2.  Just do it.

 

 

While I was cleaning up configurations on routers or L3 switches that originally had "plain" NetFlow, and that needed NBAR2 settings added.  I thought "Maybe someone on Thwack could benefit from this information."  I built this "before & after" comparison of their configs so you can see the extra commands needed:

Items in yellow are not part of the original Netflow "non-NBAR2" config on the left.  Don't be thrown off by different Flow Names--they're just names, and can be whatever you want, as long as you follow the right syntax.  Solarwinds puts some GREAT technical support links into their product that bring you right to the information you need to build Netflow properly.  Use them and you'll be happy.

 

If you have a router or L3 switch that's missing NBAR2 info, you won't be able to edit the existing Netflow settings until you remove the "ip flow monitor" statements (left column, bottom section) from every interface on which they are installed.  But once you take them out, it's easy to just remove all the old flow settings completely using the "no" command, and then you're starting with a clean slate.

 

After the old Netflow commands are removed, I can  edit the right column's "destination x.x.x.x" to point at the APE I want receiving the Netflow NBAR 2 data, and then paste the entire column into the router--EXCEPT for the bottom two lines:  "ip flow monitor NTAmon input" and "ip flow monitor NTAmon output".  Those lines must be inserted into the L3 interface(s) on the router or L3 switch.

 

You might want to only monitor Netflow NBAR2 data on the North-South interfaces going upstream to a Distribution or Core switch.  Or you might want to catch North-South AND East-West Netflow NBAR2 data by putting flow monitor statements on all sub-interfaces or VLAN interfaces (SVI's).

 

Once you've completed your work, instead of seeing nothing in the "Top 5 Applications" area on any L3 device's NPM Device Summary page, you'll start seeing data being added every ten minutes.  Data that tells you what applications are using that interface's bandwidth.  And that can be the secret ingredient to finding a bandwidth hog and correcting it!