Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials

complex searches in NTA

It doesn't appear that the standard interface to NTA allows for complex searching, e.g.:

Top 10 Endpoints NOT using t(cp/80 OR tcp/443)

Top 10 Endpoints using UDP > 32768

All conversations between 1.1.1.1 and 2.2.2.2

Has anyone figured out a way to build custom queries of this sort? This is fairly easy to do even with free *nix-based CLI Netflow tools, so I figure it's got to be possible, but I'm no SQL wizard.

Find more posts tagged with

Accepted answers

floyd.may

There are some hidden features in the syntax in the URL that might help you in the first two cases, and the third is similar. If you're looking at any given NTA view, there's a NetObject GET parameter in the URL. Depending on how deep you drill into the NTA data on the website, this parameter will accumulate "filters". So if you clicked down from an interface into an Endpoint into an Protocol, you'll have a NetObject parameter that looks like NP:6;E:192.168.1.5;I:2220. If you break this down, this means:

NP:6 - you're viewing a NetFlow Protocol numbered 6 (TCP)
E:192.168.1.5 - This view is filtered by traffic that is going to or from the host at IP address 192.168.1.5
I:2220 - This view represents traffic that went across the interface with Orion interface ID 2220

So, if you were to inject a filter like "A:~80,443" this will exclude traffic across ports 80 and 443. Here's an example on the Orion demo server:

http://oriondemo.solarwinds.com/Orion/TrafficAnalysis/NetflowProtocolDetails.aspx?NetObject=NP:6;A:~80,443;I:2220;T:Last%2015%20Minutes

You can create a multi-port application to cover your second case, and you would replace the port number with the number that NTA automatically assigns to the multi-port app.

For the third case, if you drill down into an Endpoint, there should be a Top Conversations resource. If you click on the conversation bubble (instead of the hostname), you'll go to a Conversation view. Here's an example of a Conversation view on the demo server:

http://oriondemo.solarwinds.com/Orion/TrafficAnalysis/NetflowConversationDetails.aspx?NetObject=NC:10030017100-205188179233;I:2220

Each octet in the IP address is zero-padded to three characters and the separating dots are removed. So, in your case, you'd want something like NC:1001001001-2002002002:I:<whatever interface the traffic went across>. You'll get an error if you don't specify an interface - this is enforced to prevent double-counting.

Hope this helps!

(edit)
The Traffic View Builder may be of some help in putting together these types of advanced reports as well.

All comments

mcbridea

Hi jswan,

Advanced NTA search is on the roadmap. Today you would do it via sql.

Andy

jswan

Can you give an example or two? I have a DBA who can help me with this if I have a place to get started.

mcbridea

I too am no sql expert unfortunately. The NTA database is pretty easy to understand though so I guessing that with your knowledge of NetFlow and an sql guru it wouldn't be too hard.

floyd.may

NP:6 - you're viewing a NetFlow Protocol numbered 6 (TCP)
E:192.168.1.5 - This view is filtered by traffic that is going to or from the host at IP address 192.168.1.5
I:2220 - This view represents traffic that went across the interface with Orion interface ID 2220

So, if you were to inject a filter like "A:~80,443" this will exclude traffic across ports 80 and 443. Here's an example on the Orion demo server:

http://oriondemo.solarwinds.com/Orion/TrafficAnalysis/NetflowProtocolDetails.aspx?NetObject=NP:6;A:~80,443;I:2220;T:Last%2015%20Minutes

You can create a multi-port application to cover your second case, and you would replace the port number with the number that NTA automatically assigns to the multi-port app.

http://oriondemo.solarwinds.com/Orion/TrafficAnalysis/NetflowConversationDetails.aspx?NetObject=NC:10030017100-205188179233;I:2220

Hope this helps!

(edit)
The Traffic View Builder may be of some help in putting together these types of advanced reports as well.

jswan

This is excellent, thanks! Are the NetObject parameters documented anywhere?

floyd.may

Nope, they're hidden features Undocumented and unsupported. Using the Traffic View Builder would be a good way to learn your way around them, though.

jswan

A couple of follow-up questions/comments:

1) Where do I find Traffic View Builder?

2) If I try to add a multi-port application for UDP 32768-65535, the UI seems to get stuck in a loop. It keeps asking if I'm sure I want to add the application. During this time, the Orion web interface is unresponsive (i.e., if I open another window and connect to the main Orion page, it doesn't display until I force a reload of the Manage Applications and Service ports page).