Port recorded incorrectly

Question

I've run into an issue with NTA and it's port matching.

I'm running a service on TCP/11901. It's set as a monitored port in NTA. We also have ports TCP/11900 and TCP/11902, which are also set as monitored.

Connections to this port however sometimes record the source port instead of the destination port in NTA, which is completely and utterly useless to us.

If I bind my test application to source port 5254, then this is always recorded as the port instead of the destination port.

If I bind my test application to source port 5255, then the port is recorded correctly as 11901.

I unmonitored the default application on port 5254, rebound the source port as 5254. Back to 5254 being the recorded port.

I deleted the default application on port 5254 - the port is now recorded correctly as 11901.

If I now bind my test application to source port 11900, then the port is recorded incorrectly as 11900.

If I now bind my test application to source port 11902, then the port is recorded correctly as 11901.

I've used Wireshark to capture the Netflow packets, and the source/destination port order is always correct in them.

TLDR; rather than matching the destination port reliably, solarwinds seems to match both the source and destination ports and save the lowest of the two. Utterly bonkers.

Is anyone else experiencing this, or know if I'm doing something wrong to cause this?

ScottPB · Answer

Support have come back again - recording the correct port is definitely a feature request. Bonkers.

As our renewal is only a few months away I can't see this being fixed by then, so I've cancelled the renewal of all our Solarwinds licenses.

ScottPB · Answer

I've just heard back from development via support that this is apparently 'design intent'.

I’m sorry, but your developers have either misunderstood or have really designed a product that is actually useless for anyone using services on high ports.

I am not asking them to record both ports (although that would be nice) – I’m asking for them to choose the CORRECT port consistently, rather than just picking the lowest of the two based on the monitored ports list in SolarWinds. If customer A connection is logged against the destination port, then customer A's second connection is logged against the source port, that's clearly stupid.

Reporting by endpoint IP won't work for us, as Customer A might have Service A on port A, and Service B on port B, both billed differently.

It would seem that NTA doesn't meet our requirements and since it can't be fixed I think we'll cancel our renewals and look for a new platform.

jreves · Answer

I will also check in with the development team on this.

@jreves