darragh.delaney · Self

Comments

  • Hi There, I recently passed the SolarWinds exam and I used the following resources to prepare - Study guides and videos which you mentioned - NPM admin guide : www.solarwinds.com/.../OrionAdministratorGuide.pdf - Installed a trial version of NPM so that I did not need to mess with my live version. This allowed me to make…
  • Hi saroopmalhi If you want to capture website URLs then one option is to use packet capture to extract the URLs via a SPAN or mirror port. Once you have your SPAN port set up you can use an application like LANGuardian which can also integrate with SolarWinds Orion. Demo at link below…
  • Hi larst1 Maybe you need some sort of intermediate system to do some analysis and then forward events to Secureworks. Port mirroring could be a good data source but then you will need something to process the packets. One option is to use a network activity monitoring system like NetFort LANGuardian and then configure it…
  • Hi Mark, Just to expand a bit more on Callahan's answer. I agree with him in that you can get the total traffic handled by the switch port in NPM. If you want further detail then a SPAN port off the 2960 can be a great resource for getting more info. One is to use nprobe as you mention and this will convert the SPAN traffic…
  • Hi j.dub If your switch does not support NetFlow or if you want more granular information there is another option. We develop a product called LANGuardian which integrates with Orion. It uses network packets (SPAN\mirror port or TAP) as a data source. As well as getting traffic volumes and alerts you can drill down and…
  • Hi daneruyle If you want to see traffic volumes between hosts then you will need something like SolarWinds NTA which can process NetFlow or sFlow data from routers or some switches. If you want to know "what the traffic is." then you may need to deploy a deep packet inspection tool. The latest version of NPM has this…
  • If you built a vSwitch for this purpose set the VLAN ID to 4095
  • Hi ken_cohen We develop a product called LANGuardian which uses packet information as a data source. It extracts certain metadata from HTTP headers like domain names and URI and associates this with user info from AD if needed. The data we capture can be displayed within SolarWinds views and you can see a demo of this in…
  • If you have a managed switch and say a SPAN port available, you could also get a very good real time and historical view of USAGE by sniffing traffic, for example for each connection and client, the IP, user name if they are logging on, bandwidth used, amount of data uploaded and downloaded, and because DPI on actual packet…
  • Hi kitchenshark If your switches don't have NetFlow features or if you don't see the traffic going via L3 routers you may be able to use a SPAN or mirror port off the switches. So long as they are managed you should be able to set one up. If you are not sure just let me know what type of switches you use and I will see if…
  • Hi kentk94 This may not be the answer you are looking for as it's using a different tool but it may get a bit of debate going. The link below shows a LANGuardian report which shows all flows associated with a network node. It's a common one used by some of our customers interested in network security. Is this the sort of…
  • Hi There, While you are waiting for more answers on how you can do this via SAM, we have a solution which may be of interest. The product is called LANGuardian and its main source of data is a SPAN port which would mirror data going to and from your Windows file shares. This would give you an audit trail of what files…
  • Would there be still a question as to why something on your network tried to communicate with an IP address known to be associated with a BOT? It may be worth monitoring traffic at your Internet gateway for a brief period to see if something on your network is making suspicious outbound connections. Our LANGuardian product…
  • Nprobe is free but you need to invest time. You don't really integrate it, you use it to convert the SPAN traffic to flow. I was never a huge fan of RSPAN because you are potentially sending high volumes of unprocessed packets across a LAN link. Better to deal with the SPAN traffic as close as possible to where it is…
  • Hi kamoy Two other options. You could connect the SPAN port to an nProbe device which would convert the packet info to flows. More reading here Orion NTA and nProbe: Analyzing bandwidth hogs without flow-capable network equipment Another alternative is to use a commercial product we develop called LANGuardian which…
  • Hi tv's frank Another option would be to use a trial version of LANGuardian to take a look at the traffic associated with the server. Like with QoE it uses deep packet inspection but it extracts different metadata which should be useful for troubleshooting. More in the video below. Darragh…
  • Have a look at this video and see if it's the sort of data you are after. This is a DPI tool monitoring traffic to file servers and using the Orion interface to report on the data. You may need to skip on to half way to see the file share access reporting NetFort LANGuardian & SolarWinds Server and Application Monitor -…
  • When you mention you want to monitor access to files and shares then I am assuming you want an audit trail of who is accessing what on Windows or CIFS file shares. If this is the case you have a number of options available 1. Enable auditing on the file servers (file object access auditing) and use your log\event manager…
  • Hi Rejeesh, What type of switch does the TMG server connect to? You may have flow options available on this. Logging web activity events on the TMG server may be another option but my limited research shows that this is problematic in DHCP environments. More at this link. If you don't have flow options on your switch then…
  • Hi seanmalhotra Do you want reports for traffic utilization on the links to the 70 sites or are you looking for reports for what is happening on the LANs within the 70 sites? Darragh
  • Hi There, I am guessing you are the same person who asked this question over on Spiceworks? http://community.spiceworks.com/topic/532900-dpi-signature Another point I meant to bring up is where you will get a source of network packets. In most networks you have a couple of options, local on a client or server, SPAN ports…
  • Hi ugo.ahukannah@heineken.com First up some interesting reading at this link on the subject. Most flow type data does not include packet content information like URLs. Loopback Mountain: Why NetFlow Isn't A Web Usage Tracker Other device features like Cisco NBAR will allow you to identify HTTP traffic but from what I…
  • Looks like you are using Riverbed appliances which could be compressing your data. If your NetFlow stats are associated with a port in front of the Riverbed appliance then the amount of traffic reported can be greater than your connection size. The Riverbed device will compress this data to get it across the link. Darragh
  • Hi There, Not sure what your availability of NetFlow is like on the LAN, if you have something available you could look at using NetFlow to report on traffic over TCP port 25 which is used for SMTP. We have also developed a product called LANGuardian which integrates with Orion. It can link to a SPAN port off your switch…
  • Hi Mark, The big advantage of monitoring your core switch is that you will see local traffic, ie users connecting to your servers and other devices on the LAN which may never go out over a router. It is not common for switches to have NetFlow features. In the past people bought NetFlow feature cards which were expensive.…
  • DPI is way more broad when it comes to traffic monitoring than just latency. Packet inspection is a process where network packets are analyzed and depending on what application you are using, certain information (AKA metadata) is captured. For most people DPI is automating a lot of the manual packet analysis which can…
  • Hi praveen.ks I am not familiar with the MAC address export using NetFlow but hopefully someone may come along here with some advice on that. In case you do not find a solution using NetFlow you could use packet capture integrated with your Orion deployment. Check out the demo at the link below which shows a LANGuardian…
  • Hi nikkormat42 I am not sure of a way to do this directly in SolarWinds products but one option could be to use a tool like LANGuardian to gather data via deep packet inspection. Reports can then be generated to display hourly and\or weekly traffic totals. You can also integrate this data inside your SolarWinds views.…
  • Hi rufat87 Another option would be to use something like LANGuardian to capture the user information\metadata from network traffic and then integrate this with your SolarWinds views. You can see an example of this at the link below http://demo2.netfort.com/Orion/SummaryView.aspx?viewid=1&AccountID=guest There is also a…
  • Hi all, I did some quick analysis of the OneDrive traffic. From an IP lookup point of view all of the IP addresses are registered to Microsoft so you may not be able to definitely say it was OneDrive activity using IP lookup alone. I used our own LANGuardian system to do this analysis but you may be able to use some of…