Hello, I'm having an issue with NTA matching flows from a server using nProbe on an interface with a high index number (0x30004 in this case.) It seems to me like there might be an overflow (or looping, or rolling over of the field – not sure the correct terminology) calculation problem.
NetFlow v5 has a two byte field for the interface index number (0x0000-0xffff, or 0-65535 in decimal.) Most windows interfaces start at 0x10001 (65537 in decimal.) When you enter that number in nProbe for the -u and -Q switches (which tells nProbe to set the NetFlow index field to that value), nProbe rolls it into 0x0001 (1 in decimal) for the NetFlow packet (I verified this by packet capture.) SolarWinds seems to recognize this fine and matches it up to the interface with the index of 65537 on that node.
However, I have one server with an interface index number of 0x30004 (196612 in decimal.) When I enter that number as the -u and -Q switch in nProbe, it "rolls" the number to 0x0004 as I would expect (196612 - 65536 x 3 = 4.) When SolarWinds NTA receives the packet, I receive the following error: "NetFlow Receiver Service is receiving a NetFlow data stream from an unmanaged interface on xxxxxx. The NetFlow data stream will be discarded. Please follow the link xxxxxx or use the Orion System Manager to add Interface '#4' in order to process this NetFlow data stream."
My theory is that NTA can recognize a one-time "rolled" index field, but not a three-time "rolled" index field value. Can a moderator run this theory past a dev? Ideally it would be able to recognize an unlimited (or extremely high) number of "rolled" index fields. For example an interface with an index of 4, 65540, 131076, 196612, 262148, 327684, Etc, would all identify with a NetFlow packet with an index field value of 0x0004.
Any thoughts?
Neil
