Display flows based on destination port

Gustelj

My enterprise backup application, which runs every night, always connects to the same port (TCP 1500) on the backup server. Source port is different on every run. I don't see this application's flow correctly in NTA 3.5 SP2. I can recognize it based on the time interval, amount of transferred data and the peers. NTA displays only source port (different every night) and "random high port" for the destination port. The IOS command show ip cache flow, executed when the application is running, displays the flow information correctly (marked red below), e. g.:

show ip cache flow

  IP packet size distribution (148624873 total packets):

     1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480

     .001 .253 .018 .008 .003 .003 .002 .002 .004 .002 .001 .002 .001 .000 .000

      512  544  576 1024 1536 2048 2560 3072 3584 4096 4608

     .001 .003 .000 .004 .682 .000 .000 .000 .000 .000 .000

 

  IP Flow Switching Cache, 278544 bytes

    143 active, 3953 inactive, 1832565 added

    34704629 ager polls, 0 flow alloc failures

    Active flows timeout in 30 minutes

    Inactive flows timeout in 15 seconds

 

  IP Sub Flow Cache, 21640 bytes

    143 active, 881 inactive, 1832502 added, 1832502 added to flow

    0 alloc failures, 720 force free

    1 chunk, 14 chunks added

    last clearing of statistics 2d10h

 

  Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)

  --------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow

  TCP-Telnet        5195      0.0         4   164      0.1       4.5      14.9

  TCP-FTP           3000      0.0        12    62      0.1       1.0       3.0

  TCP-WWW          84959      0.4        24   520     10.0       4.7       7.1

  TCP-SMTP           255      0.0       779  1050      0.9       5.0       1.5

  TCP-other       776072      3.6       175  1064    647.3       4.4       8.3

  UDP-DNS          44971      0.2         1    72      0.2       0.0      15.4

  UDP-NTP          42972      0.2        10    76      2.2       9.7      15.4

  UDP-TFTP             3      0.0         1   101      0.0       0.0      15.5

  UDP-Frag             2      0.0         4    24      0.0      17.7      15.1

  UDP-other       800476      3.8        10    78     41.1       5.3      15.4

  ICMP             74633      0.3         1    63      0.4       0.2      15.4

  IP-other            63      0.0         4   820      0.0       0.5      15.5

  Total:         1832601      8.7        80   994    702.6       4.6      12.0

 

  SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts

  Vl1           10.32.0.40      Tu13201*      10.0.192.18     06 07FC 05DC   398K

  Vl1           10.32.0.40      Tu13201       10.0.192.18     06 07FC 05DC   398K

  Vl1           10.32.0.160     Tu13201       10.0.96.101     11 0403 007B   217

  Vl1           10.32.0.160     Tu13201*      10.0.96.101     11 0403 007B   217

  Vl1           10.32.1.66      Tu13201*      172.16.10.30    06 0B7D 0051   112

  Vl1           10.32.1.66      Tu13201       172.16.10.30    06 0B7D 0051   112

  Tu13201       10.0.192.18     Vl1           10.32.0.40      06 05DC 07FC   184K

Network topology is MPLS VPN with GRE tunneling. Netflow device is Cisco router 3800. All interfaces are managed by NPM, although not necessary for performance and faults and are configured to export ingress and egress traffic.

How to display (aggregate) flows based on destination port in NTA?

Thanks.

Gustelj

Upgrade to NTA 3.6 RC3 helped to solve this issue. Great job Solarwinds and thanks to the support team.