Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials

Seeing a LOT of traffic between EOC server and 1 site

I have noticed this week that I am seeing a LOT of traffic between our EOC server and one of the Orion sites.

I currently have 4 Orions feeding into our EOC server. I noticed on our local Orion server that the top conversation/end points has been between our EOC and one of the remote Orions.

What is interesting (and I might not understand this) is that in NetFlow it shows the conversations using ports other than 17777. I was under the impression that EOC would use only 17777. I am seeing ports like 2197, 1541, 1182, 2898.

When I do a netstat -b and look for the remote Orion server I see it listed like

TCP EOCservername:2898 Orionservername:17777 ESTABLISHED 5092

It might be that the ports reflected by NetFlow are local random ports but I don't understand why I am seeing so much traffic between these servers. The remote Orion in question only has 1 node that I am monitoring.

Thoughts?

Find more posts tagged with

eoc

high_traffic

Accepted answers

All comments

derhally

This is how TCP connections work. The port on the client uses a random port and connects to a specified port on the destination server. So what you are seeing is correct. EOC will always talk to Orion on port 17777.

How frequent are the conversations?

FormerMember

Ok that confirms what I thought but I am not sure as to why there is so much traffic between these 2 sites and not the others (with more nodes).

I am not sure how to see how frequent but it is usually either the top 1 or top 2 user of my network according to NetFlow per hour.

derhally

Under the Orion Servers tab, it should show you the time when the server was last polled. This differences should never be less than the polling interval specified for that Orion server.

If they are it might be that a poll is taking a long time. Does that server have a lot of Traps, Syslogs, or events?

FormerMember

Ah, this is an interesting screen!

Ok, I am seeing all Orion servers there and the Last polled is within a minute or two but what I see is that the node count on the server in question is 922. Does the amount of nodes on the remote Orion affect the amount of traffic? I thought traffic between the EOC and remote Orion's was supposed to minimal....