Difference between Netflow and NBAR2 Graphs?

Hi all. I just want to confirm a theory here. I'm looking at NTA and seeing that switching my Top XX Applications between Netflow and NBAR2 shows vastly different data in terms of numbers, i.e., the total amount of data in GB that's passed through an interface.

Am I correct in assuming that NBAR2 will not identify as much traffic as Netflow, so that's why I'll see TB of data under Netflow while only GB of data under NBAR2?

If that's the case, where does the traffic that NBAR can't identify go?

Is it that all the traffic is sent to NTA, but only the traffic that could be ID'd by NBAR2 protocol packs show up in the NBAR2 graph?

I would've expected that the "unknown" category under NBAR2 would hold all the unidentifiable traffic so the total numbers for each graph would match.

OR, is it just that NBAR2 can only ID traffic at L7?

Please help me understand this, thank you.

Find more posts tagged with

nbar2

nbarvsnetflow

nbar_monitoring

nta

Accepted answers

verwin_u

1.
documentation.solarwinds.com/.../nta-set-up-nbar2-on-a-cisco-device.htm

> Did you configure to export netflow and nbar at the same interval?

> For NBAR2, the important command is "option application-table" - this will enable the sending of a list of all applications that can be classified using NBAR2 included those manually created. Here with timeout 60 seconds.

2.
documentation.solarwinds.com/.../nta-applications-nbar2.htm

> You are correct. It should display some what like "unrecognized, unclassify, or unknown id".

> have you include the remaining traffic? NTA has this setting that will only display the top 95% data if they are a bit of small portions of data it will not be considered in the report.

3.
> Check if they still have difference if you compare nta and nbar in SPECIFIC INTERFACE LEVEL and not in device or global level as not all devices or interfaces cannot send nbar data.

4.
> NBAR is somewhat like new and will really need further checking and system enhancement. If everything checks out. i strongly recommend having a ticket to SW for it to be checked by sr engineers/ae/dev.

> L7 is application. Top application and nbar are L7 info.

All comments

marcrobinson

Hmm What version of NTA are running? Are you reporting on both inbound and outbound flows?

k_bolt

Hello Marc, thanks for your time. I'm now on NTA 2023.1 and I use "ip flow monitor NTAmon input" on all interfaces. Are you saying I should also configure "ip flow monitor NTAmon output'?

Edit: I'm assuming you meant selecting 'Ingress and Egress' under Flow Direction?

verwin_u

> L7 is application. Top application and nbar are L7 info.

k_bolt

Ah I think might be on me. The configurations are correct however, the remaining traffic seems to make up for my differences. I just happened to choose interfaces with some rather "niche" traffic. Thank you for this detailed reply, I appreciate it.