NTA not reporting on all traffic

Hello Everyone

We just installed NTA in our environment and noticed that NTA is not reporting on all conversations from end points. Seems it is missing a great deal. If I use the real-time network traffic analyzer is shows a completely different data set. I did go into settings and select monitor all traffic.

We are using NTA 4.0 and will be upgrading soon.

Netflow source is a Cisco 3850 with 3.3.0 IOS. See below

flow record NTArecord

match ipv4 tos

match ipv4 protocol

match ipv4 source address

match ipv4 destination address

match transport source-port

match transport destination-port

match interface input

collect interface output

collect counter bytes long

collect counter packets long

flow exporter NTAexport

destination 10.2.4.100

source GigabitEthernet1/0/1

transport udp 2055

template data timeout 60

flow monitor NTAmonitor

exporter NTAexport

cache timeout active 60

record NTArecord

Find more posts tagged with

netlfow

nta 4.1

cisco_3850_netflow

Accepted answers

All comments

cnorborg

NTA by default does not report on all traffic flows, only what it considers to be interesting. What does it consider to be interesting?

Go to your NTA settings, then look at "Applications and Service Ports - Choose the applications and ports that you want to monitor". This is a list of everything that is currently monitored. You can choose what it does/doesn't monitor here and even add new application and service ports that might be relevant to your environment. If you'd rather just monitor all ports regardless of what is on that page, go back to the main NTA settings page and look for the "Enable data retention for traffic on unmonitored ports" and check that.

You might also need to go to "Monitored Protocols" to see what protocols are being monitored.

Why don't they monitor everything by default? Saves on database space and makes reporting quicker.

jasonflory

Thanks Craig

We did go to settings and select monitor all ports. We wanted to do this in the begging so we could start to label traffic. The flows that it is missing are standard protocols. Port 445 for cifs. As a test I installed realtime netflow analyzer and selected my machine as an endpoint and then did things like RDP, file transfers, etc. SolarWinds NTA does not show the same thing as the realtime traffic analyzer does. When it does pickup traffic the "total traffic' is usually in correct. For instance I transferred 3 GB of data and it saw 10mgs between my machine and file server.

I am only monitoring traffic input. From what I understand that should get everything.

cnorborg

Ah, didn't know that. Going out on a limb here and guessing you might have a Layer-3 image installed on your switch? If so, can you describe the topology a bit? Are the source and destinations of the traffic your monitoring on the switch itself? Are the source/destination on the same subnet or different subnets? Are you configuring all interfaces with the netflow commands? What about the Layer-2 VLANS?

I haven't worked at all with Netflow on a 3850 much, but from what I'm reading you probably want to configure up your netflow template on the inbound direction of each interface that traffic might pass over. It's possible you might need to configure it on your L-3 and L-2 VLAN interfaces, which appears to be supported on this platform.

I know on the 6500's by default you only see the traffic that isn't Layer-3 switched, until you configure some mls commands I think. Quite often the only traffic you see is that going to from the router, like telnet/ssh/snmp/etc until you get it configured right. From the 3850 features, it sounds like this might not be the case with the 3850's though, I definitely don't see it in the IOS commands right now.

Unfortunately the only 3850 I have available is in a low traffic area, so I’m not sure if what I’m seeing in our config is all the netflow we should be seeing or not. I am seeing some flows reach over 10Mb though. Our configuration is very similar to yours…