darragh.delaney · Self

Comments

  • Do you have a list of IP addresses? According to the article below you should check HTTP traffic for init.icloud-analysis.com entries in your firewall or proxy logs. I know you could resolve this domain to an IP easily enough but it may change if there is a CDN involved, Apple scrambles after 40 malicious “XcodeGhost”…
  • Hi alanaround, Not sure if this will help with the diagnosis but we have a tool called LANGuardian which can also connect to a SPAN port. There is a 30 day trial available on our website so you could use this to see what sort of data is coming out of your SPAN port. LANGuardian does not use any filters on what devices to…
  • It may be a job for deep packet inspection. Instead of running Wireshark on the NetFlow server, set up a SPAN or mirror port and get a copy of the traffic going to and from the router which is exporting the NetFlow data. You then need to connect that SPAN port to NPM 11.x which has QoE running or if you want an even deeper…
  • I don't think this is possible with NTA. There is an interesting article at this link which was written by a fellow Thwack member. You do have some options and most use network packets as a data source. You just need to set up a SPAN or mirror port and applications like Dropbox can be detected by looking at the packet…
  • Hi rgnetmon, First up, NetFlow is not great when it comes to network edge monitoring. More in this post Loopback Mountain: Why NetFlow Isn't A Web Usage Tracker "NetFlow v5 isn't a good web usage tracker because nowhere in the list of fields above do we see "HTTP header". The HTTP header is the part of the application layer…
  • Don't seem to have the badge either? Have most of the geeky metal ones though
  • Hi astral, When you say you want to analyze Citrix traffic, what sort of detail are you looking for? Do you just want flow type information (IP addresses, volumes) or do you want to do a deeper dive into the traffic and report on applications and associated metadata? Darragh
  • We develop a product called LANGuardian which includes an IDS and integrates with SolarWinds Orion. The IDS is based on Snort and it will automatically update as well as giving you an option to add your own IDS signatures. In recent days customers have used it to detect all sorts of issues on networks, from Ransomware to…
  • Hi There, As Jeff mentions above you can use a SPAN port. The 3750 allows for the setup of two monitoring sessions and each session can be used to monitor a range of ports or VLANs. You can get more info at the following link which also has a link to a free tool which we developed which can be used to setup SPAN ports.…
  • I'm not sure if NetFlow can do this as a proxy is involved, not a limitation with NTA but NetFlow, somebody on here may know more though. You could also try some products or tools that simply use raw traffic, no flow enabled devices required, and 'sniff' at the right side of the proxy. For example configure a SPAN port to…
  • Hi There, Depending on how far back you want to keep records for, NTA may be an option for you. Just export flow records from your Cisco 3800 and create custom reports based on subnets or sub interfaces. NTA will also report on things like what TCP\UDP ports (80, 443, etc..) are consuming the bandwidth. We also have a…
  • Hi There, This is an interesting question due to the way a lot of content is being served at the moment. The suggestions above may work for services like Facebook but you will need to make sure you keep the IP blocks updated. Another thing you may observe is lots of data associated with IP addresses registered to CDN services…
  • Hi There, We have a product called LANGuardian which integrates with NTA. It uses a DPI engine to extract information like DNS queries and HTTP headers from network traffic. I ran a quick test and looked for any traffic associated with googledrive.com or drive.google.com and I got the result shown in the image below. This…
  • Yes, you just need a NetFlow source at one of the sites. Darragh
  • Hi Adam, When it comes to monitoring user activity you may be able to see what’s happening by focusing on a number of network tap points at the core. This could include things like server, router and firewall connections. This approach would then allow you to leverage SPAN ports which can connect to deep packet inspection…
  • Hi There, One option you have here is to look at a DPI tool which could give you the detail that you want. A DPI tool can look at HTTP headers and extract information like URLs and URIs. There are a few systems out there in this space and we develop one called LANGuardian. It plugs into a SPAN or mirror port and is ideal…
  • NPM will allow you to check for multicast activity on interfaces and page 68 of the Orion Network Performance Monitor Administrators Guide has some basics on this. If your switches support NetFlow then you could create a custom report to focus on the subnet 224.0.0.0/4 which should show levels and the sources. If you don't…
  • Hi sreynosa, Another option is to use a tool called LANGuardian. It can monitor shared folders by analyzing the traffic going to and from the file servers, just set up a SPAN or mirror port. You can then integrate the data collected by LANGuardian with your SolarWinds views. You can see an example of this at the link below.…
  • Hi fbrown@pgh2o.com While I am using a different system in this video these are the reports I look at when focusing on data centers. Within NTA you probably just need to filter on the subnet(s) associated with the co-lo location https://www.youtube.com/watch?v=jGIXZSuarNc Darragh
  • Hi Ethan, The most common use case I come across for Flow is WAN analysis. One of the main drivers for that is the fact that flow options exist on most routers. From a storage point of view I think most people want at least 1 week's worth of data which is not aged in any way. Flow does have its problems as it's mostly…
  • Hi shocko DPI is a broad term in today's world in my opinion. Covers everything from Wireshark to DPI within firewalls and in these cases it is very useful. However, this discussion seems to be around DPI when it comes to traffic analysis. As per other replies, the SolarWinds implementation revolves around timing. I work…
  • For network and WAN link performance you will need NPM. It uses SNMP and WMI to gather high level stats on the health of things. For application performance you can also use NPM 11 but it depends on how much detail you need. If you need to drilldown into things like Microsoft Exchange queue sizes then you may need SAM. Finally,…
  • You have two options: 1. Enable NetFlow or some other flow option on a L3 network device like a switch or router. This will give you header information like source\destination IP address and some content data like the amount of information being transferred. Flow can be a good way to get a top level view of how much data is…
  • As a follow on to the WannaCry post I have just published this one which looks at detecting SMBv1 systems in more detail. Now I know you can disable it via group policy and that may be the end of it but a lot of people are running audits after just to double check. How to Detect SMBv1 Use on Your Network Using Traffic…
  • That is very true. What we find sometimes is that on medium\large networks users get afraid when they see this and they don't tell anyone. Network admins get caught on a loop of restoring and restoring when the Ransomware keeps active. All they need to know is where the damn client is
  • Hi There, When it comes to getting visibility on your LAN you have two options. One is to download and install nProbe and set up a SPAN port off your 3560 core switch. If you are not familiar with setting up SPAN ports, we have developed a free tool which is available at this link for the purpose. The other option would be…
  • When it comes to monitoring external IP addresses packet capture would be recommended. The reason is that many services now use content delivery networks (CDN) like Amazon or Akamai. Packet analysis will let you look inside the HTTP headers. On a small scale you could use Wireshark but in a corporate environment you could…
  • It is interesting the level of detail and visibility one can grab ‘off the wire’. Making it readable and actionable is a challenge for sure. Wire data analytics is a very flexible option and because it involves looking inside the packets and extracting crucial information, the granular detail is very suitable for many network…
  • Your Cisco 2960 switches will have an option to set up a SPAN port. With SPAN ports you can choose to monitor ports or VLANs and you can download a free tool at this link which makes it easy to set them up. Once you have your SPAN port set up you can use nProbe to convert the packet data to flow data. More on setting up…
  • Hi wombatactual I think you will need to do packet analysis for this. This post is somewhat related. Loopback Mountain: Why NetFlow Isn't A Web Usage Tracker An example of what can be done with packet analysis is shown at the link below, check out the Top Proxy Flows section. The data is coming from one of our products…
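Several of the comments above argue that flow records alone cannot answer protocol-level questions, and the WannaCry follow-up mentions detecting SMBv1 use from traffic. The following is an added example, not code from any of the comments or from LANGuardian, showing how that check works on raw TCP/445 payloads copied off a SPAN port: an SMB1 Negotiate request (magic `\xFFSMB`) proves the sender still has SMBv1 enabled even when it also offers SMB2 dialects, while a client with SMBv1 disabled opens with an SMB2 Negotiate (magic `\xFESMB`). The sample payloads and the 10.0.0.x addresses are constructed here for illustration; the field layouts follow the published SMB1/SMB2 negotiate message formats.

```python
"""Classify SMB negotiate messages captured from TCP/445 and list hosts still speaking SMBv1.

Added example with constructed sample payloads; not from the original comments.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, Tuple

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_COM_NEGOTIATE = 0x72   # SMB_COM_NEGOTIATE
SMB1_HEADER_LEN = 32
SMB2_HEADER_LEN = 64


@dataclass
class Verdict:
    proto: str            # "SMB1", "SMB2" or "other"
    dialects: tuple       # SMB1: dialect strings; SMB2: 16-bit dialect codes
    smbv1_enabled: bool   # True when the sender emitted an SMB1-framed message


def strip_netbios(data: bytes) -> bytes:
    """Direct-hosted SMB on TCP/445 prefixes each message with a 4-byte NetBIOS session header."""
    if len(data) >= 4 and data[0] == 0x00:
        length = int.from_bytes(data[1:4], "big")
        return data[4:4 + length]
    return data


def parse_smb1_dialects(payload: bytes) -> Tuple[str, ...]:
    """SMB1 Negotiate request body: WordCount(1), ByteCount(2), then 0x02 + NUL-terminated dialect strings."""
    word_count = payload[SMB1_HEADER_LEN]
    pos = SMB1_HEADER_LEN + 1 + word_count * 2
    (byte_count,) = struct.unpack_from("<H", payload, pos)
    pos += 2
    end = min(pos + byte_count, len(payload))
    dialects = []
    while pos < end and payload[pos] == 0x02:
        nul = payload.index(b"\x00", pos + 1)
        dialects.append(payload[pos + 1:nul].decode("ascii", "replace"))
        pos = nul + 1
    return tuple(dialects)


def parse_smb2_dialects(payload: bytes) -> Tuple[int, ...]:
    """SMB2 NEGOTIATE request: StructureSize(2)=36, DialectCount(2), ..., dialect codes start at header+36."""
    if len(payload) < SMB2_HEADER_LEN + 36:
        return ()
    structure_size, count = struct.unpack_from("<HH", payload, SMB2_HEADER_LEN)
    start = SMB2_HEADER_LEN + 36
    if structure_size != 36 or len(payload) < start + 2 * count:
        return ()
    return tuple(struct.unpack_from("<%dH" % count, payload, start))


def classify(raw: bytes) -> Verdict:
    """Decide which SMB generation a single TCP/445 message belongs to."""
    payload = strip_netbios(raw)
    if payload[:4] == SMB1_MAGIC and len(payload) >= SMB1_HEADER_LEN + 3:
        if payload[4] == SMB1_COM_NEGOTIATE:
            return Verdict("SMB1", parse_smb1_dialects(payload), True)
        return Verdict("SMB1", (), True)      # any SMB1 frame means SMBv1 is enabled on the sender
    if payload[:4] == SMB2_MAGIC:
        return Verdict("SMB2", parse_smb2_dialects(payload), False)
    return Verdict("other", (), False)


def smbv1_hosts(records: Iterable[Tuple[str, str, bytes]]) -> list:
    """records: (src_ip, dst_ip, tcp_payload). Returns sorted source IPs that sent SMBv1 frames."""
    return sorted({src for src, _dst, raw in records if classify(raw).smbv1_enabled})


# --- constructed sample traffic (not captured data) -------------------------------------------
def build_smb1_negotiate(dialects) -> bytes:
    header = (SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 4 + b"\x18" + b"\x53\xc8"
              + b"\x00" * 2 + b"\x00" * 8 + b"\x00" * 2 + b"\xff\xff" + b"\xfe\xff" + b"\x00\x00" + b"\x00\x00")
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = b"\x00" + struct.pack("<H", len(data)) + data        # WordCount=0, ByteCount, dialects
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_smb2_negotiate(dialects) -> bytes:
    header = SMB2_MAGIC + struct.pack("<H", SMB2_HEADER_LEN) + b"\x00" * 58   # Command=0 (NEGOTIATE)
    body = struct.pack("<HHHHI", 36, len(dialects), 1, 0, 0) + b"\x00" * 16 + b"\x00" * 8
    body += b"".join(struct.pack("<H", d) for d in dialects)
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


SAMPLE_RECORDS = [
    # legacy client: SMB1 negotiate that also offers SMB2 dialects -> SMBv1 still enabled
    ("10.0.0.21", "10.0.0.5", build_smb1_negotiate(
        ["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12", "SMB 2.002", "SMB 2.???"])),
    # hardened client: opens directly with SMB2 negotiate
    ("10.0.0.22", "10.0.0.5", build_smb2_negotiate([0x0202, 0x0210, 0x0300, 0x0302, 0x0311])),
    # unrelated traffic on the same mirror port
    ("10.0.0.23", "10.0.0.5", b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
]

if __name__ == "__main__":
    for src, dst, raw in SAMPLE_RECORDS:
        print(src, "->", dst, classify(raw))
    print("hosts with SMBv1 enabled:", smbv1_hosts(SAMPLE_RECORDS))
```

In a real deployment the records would come from the mirror-port capture (for example a pcap read with a library such as scapy or dpkt and filtered to TCP port 445); the classification does not depend on flow data and so works even where, as the comments above note, NetFlow has no protocol detail to offer.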