How is the same flow through different deivces presentet?

Hi Guys,

I´m totally new to NTA and the orinon platfrom and question about how the same conversation is collected and presentet if there are multiple devices along the path that collect/send netflow data.

so basically I have this scenario:

|host| ---- |layer3 device| ----- |layer3 device| ---- |firewall| ----- |server|

all the devices are set up to send netflow data to the orion platform, and the interfaces are configured as ingress.

My question is how this will effect the presentation of the data, will I get 3 "copies" of the same flow and the sum of all the traffic passed through will be 3 times the actual traffic amount or will the platform somehow merge it and recognize that it is the same flow being reported by different devices?

The thing is that when I look at the detail for the flow I can see which devices reported and how much traffic that have been passed through the different interfaces. What I see Is a the different devices also report different numbers, so in this case it is not 3 copies of the same conversation,

Thanks in advance

Find more posts tagged with

orion

netflow

nta

Accepted answers

All comments

mesverrum

Yes you will get a duplicate of the data for each device that reports traffic on any summary or aggregate page. Solarwinds makes no attempt to dedupe the raw data. When viewing inside NTA you almost always will be filtering down to a specific node or interface any time you want to avoid seeing duplicate data.

As far as devices not displaying the same the same numbers, you'll have to investigate each device and ensure they are doing things consistently. For example, many devices only report samples of data, the might only check 1/1000 packets for flows. Usually they also broadcast a template to the collector that let's it know these are samples and the numbers need to be stretched out to reflect that. But obviously if one device is sampling and the other is doing full capture you would be comparing and estimate to the truth and you'd want to prefer the full capture if available. If you have 3 different machines taking 3 different sets of samples you are pretty much guaranteed they could only be compared in very broad generalizations like saying maybe 30% of total traffic is https, but getting specific about what sites were being accessed becomes just a ballpark guess.

Its going to be up to you to know how your specific hardware collects and presents flow data to make sure you aren't comparing apples to oranges.

skum

Hi Marc,

Thank you for your reply, that clarifies alot. this setup has all the differnet network vendors one could think of and what seems to be default settings for each vendor.. probably a lot of different sampling-rates etc.

the Orin plattform is set to autodetect the rates, is there a way to actually see which sampling rate each device uses when reporting in to the system?

mesverrum

Ipfix sends template packets periodically so you maybe could capture a wireshark sample and spot them there, I haven't grabbed on of those in a few years though.
https://www.plixer.com/blog/understanding-netflow-and-ipfix-templates/

skum

thanks for the link, that was great info. Unfortunately, I´m not able to do any wireshark captures in the network to find out. I was thinking if there was a way to see the actual sampling rate if you look at a device in the Orion platform.

I could always ask the network admin to do some show commands and so on to see what each device uses but that will take time.

mesverrum

I don't recall ever seeing anything visible in the Orion UI that shows that info, but that does sound like a good feature request, i just went ahead and made the FR if you want to vote it up.

https://thwack.solarwinds.com/t5/NCM-Feature-Requests/Allow-user-defined-code-snippets-from-NCM-to-display-on-various/idi-p/606783#M2113

skum

Sorry for late reply I just saw this and voted your request up.

while here I´d like to ask another thing. I did some tests and noticed that the nta report shows about 52% of an actual load in an conversation a cross a random device in the network. This has to be related to the samplingrates of the devices and that the auto-detection maybe isnt beeing able to detect it. Whats your take on that?