jswan

Comments

  • This is not possible in current releases. However, I have been told by SW that this kind of policy reporting is a high priority for future releases (with no expected dates attached, of course, per their usual policy).
  • I don't know anything about AutoCAD, but in situations like this I'd look first at server resource contention, and second at a full packet capture. NTA isn't going to give you much more than throughput.
  • No. The NTA database has no features that are directly exposed to users. The only thing you can choose is whether to follow or ignore the Solarwinds provisioning guidelines. :-)
  • You need to export your Netflow records from the user side of the network before the traffic goes through proxies or NATs.
  • I don't think the FWSM supports NetFlow; AFAIK it's only supported on ASAs.
  • I don't know of a way to do this directly within NCM (someone correct me if I'm wrong), but you might be able to do it in several steps: 1) Run a command script to identify all the access ports on the switch. On IOS-based Cisco switches, something like this should work: "show interface status | exclude trunk|routed". Have NCM…
  • In addition to top-talkers monitoring, I use (or want to use) Netflow for security monitoring and forensic traffic analysis. Firewall and IDS logs generally only give you information about trigger packets, or the initial packet in a session. Netflow makes it easy to take an IDS alert or a firewall log entry and get more…
  • One thing you need to make sure that you do is to add a blacklist capability for AD accounts. We had User Device Tracker for a while but we had to get rid of it because of the lack of this feature. The problem is that we have a desktop management system that does logins to all workstations periodically, which would…
  • I'm pretty sure the answer is no, but can you define what you mean by connections per second? Are you talking about TCP SYNs per second, the average number of flows in the device's flow cache at time t+1s that were not there at time t, something else?
  • I don't think there's a way to summarize a specific list of interfaces, but if you want a summary for the whole switch you could do that with a "node summary" view in the Flow Navigator.
    in New to NTA Comment by jswan June 2012
  • access-list OUTSIDE extended permit udp host 10.100.100.98 host 192.168.144.15 eq 2055
    Replace "OUTSIDE" with the name of the ACL on your outside interface. You may need to do something similar for your inside ACL if you have one. If there's NAT involved, you'll need the appropriate NAT translation too.
  • Use Flow Navigator to build:
    * View Type: Detail
    * Detail View Type: Interface
    * Select the appropriate node and 10 GigE interface.
    * Select the desired time period.
    * Select SSH (tcp/22) as the application
    * Click Submit
    * On the "Top N Endpoints" element in the resulting page, click Edit, and change "Maximum Number of…
  • What supervisor engine do you have?
  • I am pretty sure that encryption/decryption is implemented after NetFlow accounting in the interface order of operations; hence all you should expect to see on VPN interfaces is the statistics for the encrypted traffic. Thus you probably just need to configure your "ip flow ingress/egress" statements on the internal routed…
  • Solarwinds Support is here. You can't get specific websites or URLs from NetFlow because NetFlow does not track HTTP headers.
    in Netflow Report Comment by jswan May 2012
  • NetFlow v5 export doesn't work over traditional IOS IPSec configs (that is, IPSec connections configured with crypto maps commands applied to interfaces). Not sure about v9. The easiest way around this is to change to IPSec/GRE, which works fine with NetFlow export. Obviously, this requires that both ends of the VPN…
  • I don't think top talkers optimization affects the flows-per-second that NTA can process; rather it has to do with how much data is retained in the database. This in turn affects read performance from the database. If you turn it off, your read performance plummets if you have a lot of flows. Some things you could try: 1)…
  • I think you're out of luck. Unfortunately, forensic flow analysis is not one of NTA's strong points, and from everything I've seen and heard it's not an area that's much targeted by Solarwinds for development (I would be happy to be told I'm wrong here!). There are other products out there that are really good at forensic…
  • I'm not familiar with NetFlow on the ASAs, but can you report based on the destination subnet using IP address groups?
  • If you search this forum for "perfmon" you'll find several threads describing how to use Windows Performance Monitor to get this data.
  • Could you send /var/log/messages to syslog and use Orion to parse the syslogs?
  • Here's a paper on Netflow v9: www.cisco.com/.../technologies_white_paper09186a00800a3db9_ps6601_Products_White_Paper.html Basically, v9 carries a lot more information. I haven't tried it in NTA so I don't know how well it's supported.
  • AS 0 is your autonomous system. The line for Google represents traffic going to/from Google's ASN. The next three lines show the routers through which that traffic passed, along with the amount of traffic transiting each router.
  • We are running our ACS 4.2 servers in Hyper-V with no problems, and have been for some time. What's happening with yours?
  • I don't have a canned report for it, but I can think of two ways to get the information:
    * Run an NCM command script to execute "show vtp status" on the desired nodes, then parse the results.
    * Use custom pollers in NPM to poll the appropriate OIDs inside ciscoVtpMIB (1.3.6.1.4.1.9.9.46.1.1.1 is VTP version, for example).…
  • The Python sample code included with the SDK has some typo-bugs in it: .json() is a method of the request object, not an attribute, so ()s are required but not included. I posted a fixed, slightly more friendly version here: https://gist.github.com/jayswan/9239153
  • I don't know of a way to get that specific info from Solarwinds NTA, but if you put a packet capture on the relevant interface you can use the statistics tools in Wireshark to tell you how many unique TCP flows are in the capture file. There is also a Unix/Linux CLI utility called tcpflow that will do the same thing.
  • You can do it however you want--put your "ip flow ingress|egress" commands on the tunnel interfaces if you want to see NetFlow stats on the traffic inside the tunnels; put them on the physical interface if you want to see the traffic categorized as tunnel traffic (i.e., it will show up as IP protocol 47). You could even do…
  • My first recommendation would be to get really good at Wireshark. You can do a LOT of stuff with Wireshark, and you can even do it pretty efficiently if you spend enough time learning it. Laura Chappell's new book on Wireshark is a great place to start.
  • If you don't even want the messages logged locally in the switch's log buffer, a really simple way is to turn off link status logging:
    interface range f0/1 - 48
    no logging event link-status