Comments
-
Hello dwiens, Could you specify which type of limitations you are trying to use? From what you described, I suspect that you used Group of Nodes limitation - for internal guys, we already have this internally tracked as #3626.
-
Hello hjarriel, The message in log is unrelated to your problem. That application collision means that your NTA receiver received flow reporting packet going through port for which there is not a unique application (in your case this packet can be interpreted as belonging to application with id 100003 or 100007, and will…
-
Hello tylerlucas, I see that in your screenshot the Top Endpoints resource shows approximately two times more traffic than Top Protocols resource. I understand your concerns about correctness of displayed data but this is actually the expected result. Each packet going through router has its source and destination (means two…
-
The fast workaround here is to rename interfaces (in Orion) whose names contain single or double quotes or curly bracket(s). Regards Jan
-
Does this happen on the system startup? Or on any deterministic occasion, or just randomly?
-
Hello Provident_NWS, The interfaces sending NetFlow data need to be managed by NTA in order to be able to see the data. You can do this by following the link into the alert message or by using the "Manage Sources" button on Netflow Sources resource. Also we don't repeat the alert for one interface (even though there is…
-
Hi hanlu, Shortly said - Endpoints resource is not directional, it displays both - Transmitters and Receivers (so it also duplicates communicated data by design). So by short example - if we would have the following communications (from -> to, bytes): A -> B 10; B -> A 10; C -> A 10. Then Top Endpoints, Transmitters and…
-
Hello smartd, I am not hundred percent sure, but this seems to be “by design” of processing packets in order to identify related applications. Simply just one port from communication is preserved and it's either the one (from source port and destination port) that is monitored or the smaller one if both are monitored. So in…
-
Hi Biks, see . In short - reindexing is very probably already done (and restarting service should be safe, but will not help with the displayed message though), mistake is in reporting its progress and SW support should be able to assist quickly once you submit a ticket. You may also try to copy-paste something suspicious…
-
Hi ciscoman, The answer depends on version of NTA from which you try to upgrade. But I would definitely suggest you to start with this post: I see your reply under that post, so if you already tried our NTA removal tool and it did not help to resolve your problem, I would suggest to open support ticket (if your NTA is…
-
Hi Swine, NTA is using DNS on machine where service is installed (if DNS resolution set to 'persistent') or where web server resides (if DNS resolution set to 'on demand'). Also there are some known limitations when changing DNS resolution from 'on demand' to 'persistent' - is there a chance that you performed this change in…
-
There could be a similar behavior caused by different time(s) on some of the computers running following instances: Netflow Traffic Analyzer service, Web console, Database server. If this is your case then I would recommend adjusting times so that they are same on all computers running mentioned instances (as NetFlow…
-
Hello Donald_Francis You can try to define applications with destination port 2055, destination IP group as the group of your NetFlow Engines, and source IP groups as the groups of nodes (or single nodes) for which you want to see the bandwidth consumption. Regarding the aggregation – just in case you are referring to new…
-
Hello tao_lao, Unluckily there is currently no way how to build application definition from existing applications using logic operators. So the only way is by defining new IP group as you described. Regards Jan
-
Hi artie_effim, My apology for confusion, we actually store already mapped id of application, so one incoming flow will always belong to one application. So your definition of applications IS SUBTRACTIVE. Actually we do not allow overlapping/inclusive application definitions with one exception and that is that one of the…
-
Hi artie_effim, No, the application definition will include all the data for which it is defined, even though there is an overlap/inclusion between applications definitions. Unluckily there is currently no option how to define more complicated application definition using exclusion, union and other set operators.
-
Hello tao_lao, The NetFlow protocol does not preserve state of the communication, so it is not possible to analyze individual traffic information as traffic belonging to one application. Instead we define application by ports and IP groups, so if you define one IP group containing both – client and server - and define…
-
Hi Bizarro, indexing of your DB very probably finished much quicker, but then something went wrong with reporting of progress of indexing. We already went over few similar cases, so you can submit support ticket and your case should be resolved quickly. For quicker assistance, you can try to look to NTA log -…
-
Hello familyofcrowes, Actually this is given by design and cannot be customized. Fastest manual way of changing direction can be by appending ";FD:Both" to the end of URL once the page starts loading. Regards JanK
-
Hi toms003, Are there any messages about traffic from unmanaged interfaces in 'Last 25 Events' resource on NetFlow Summary page? Are you able to see NetFlow traffic from that router in a wireshark on the receiver machine? Regards Jan
-
It is likely that with adding interfaces with comparable bandwidth the growth of DB will grow linearly, however this is not true for extending the data retention – then the growth of DB space would be more comparable to logarithmic growth. That’s because of so called collapsing. NTA collapsing means that (with default…
-
Hi Swine, we match applications based on used port(s), so it could have been potentially also different traffic just using same port(s) (1720 in this case I guess). Anyway you should be able to click that line in a Application resource to drill down to Application view showing you detail info that you need (endpoints etc.).…
-
Hello njoylif, If I understand it right, you are trying to get view on whole monitored system, filtered just by some specific condition (something like summary view, but filtered by specific IP group, or something like IP group view but not filtered by node). Unluckily, this is not currently possible – you can either have…
-
Hello inrouted, Absolutely no need to apologize for your question – obviously it was not such an easy one if it took so long to receive some answer. From what you described I can imagine just a three possible problems: - If you enable NetBIOS resolution on Netflow Setting page, Netflow service is using only NetBIOS. But you…
-
Dear MFA, this is rather by the nature of compressed (collapsed) data. To prevent bloating of our database tables we perform several levels of so called collapsion in some time intervals - so for last two hours you have data with bigger granularity than for last day, where data are "averaged" - so instead of your spike to…
-
Hi rickq, The boundaries in this dialog are Start date, End date. So you need to switch values you entered, so that they bound nonempty time span. Regards Jan