Comments
-
The view above is useful, but (IMHO) it needs to show specific port numbers instead of the mapped application name. For example, I'm looking at a conversation now that shows "random high port" on one side and "wellKnownPorts" on the other side. It would be much more useful to see exactly what ports are involved in each…
-
Another possibility is that you're only seeing one side of the conversation in NTA. In other words, 2382 might be the source port. You'd be able to see this immediately in Wireshark or in "show ip cache flow" on the router if you can catch it while it's happening, but it's not always obvious in NTA. This is one of the…
-
I have the same problem. I opened a ticket and they told me they've got a bug on file for this and it will need to be fixed in a service pack.
-
If the proxy server is a regular one where each client browser has to be explicitly configured with the hostname/IP address of the proxy server, there's no way to see the client conversations in NetFlow. This is because the destination IP address for the client is actually the proxy server itself; the proxy terminates the…
-
Andy, I understand completely. However, this goes back to the same point I've tried to make repeatedly over time: a NetFlow collector shouldn't be solely a top-talkers reporter. Why can't there be a mechanism to view raw conversation data separately from mapped application statistics?
-
As far as I can tell, you still can't add an NTA interface resource to a custom summary at all. In 3.7 the option was available but it didn't work; now the option is gone. I have a support case open on this that has been escalated to development.
-
You should be seeing distinct NetFlow information for both addresses... if the voice VLAN and data VLANs are subinterfaces on the same physical router interface, make sure you have both of them configured for "ip flow ingress" and make sure they are monitored separately in NPM.
-
The problem turned out to be in the NPM module instead of the NTA module. I had all of the interfaces selected in the NTA configuration, but in the NPM configuration only the physical interface was monitored, not the FastEthernet subinterfaces. This caused the NTA statistics for the serial interface to be incorrect because…
-
Here's the bytes transferred from NPM: And here's the interface details from NTA: The interface detail diagram looks like it's showing only the control plane packets.
-
I would also like to see alerts for VoIP traffic based on error thresholds, jitter thresholds, or traffic alerts when server traffic across the links spikes. I also like the idea I read earlier in the thread about alerting when NetFlow detects a rise in the usage of a certain port, for virus detection. I agree with you on…
-
The SolarWinds NTA database discards a lot of the detailed NetFlow information during its flow summarization process. Today, there's no way to view flows with all the details you list in your post. There are high-end commercial flow products that are oriented towards detailed flows. In the open-source world, I believe that…
-
It needs to be a configurable list of accounts. We have two accounts used by our desktop management software that constantly create the same event log entry that UDT uses to correlate username to IP address, making UDT's output useless without the ability to ignore these events.
-
I don't know; your record looks OK to me, but I haven't used custom records with NTA before. If your code supports it, maybe you should try changing to classic NetFlow v5 or v9 config. The other thing that looks a little strange to me is that you're exporting a sampler table--maybe try removing that? Check the NTA…
-
I just wanted to add a little clarification to this issue: 1) The IP SLA operation generally used to measure synthetic voice quality is UDP jitter. 2) Normally, IOS routers are configured to use the strict priority queue only for voice packets marked with DSCP 46 (Expedited Forwarding). 3) By default, IOS sets the ToS byte to…
-
Vulnerability assessment and log correlation are both completely new markets that SolarWinds would be trying to break into. Tough job, and very expensive in terms of upfront investment. The biggest things I think SW could do with existing products to improve security monitoring are: 1) Vastly improved NetFlow search and…
-
Yes. It sounds like you want to have an EEM or ERM applet write a custom syslog message. The syslog service on the router will then forward that message to whatever syslog hosts you have configured. The documentation referenced above has information on all of this, but it's definitely oriented to someone familiar with…
-
If you know your IP address ranges, all you need to do is set up IP Address Groups in the NTA settings page, then use Flow Navigator to filter on those ranges.
-
I mentioned this before in another post... but the support ticket system needs to be able to accept a diagnostics upload at the time the ticket is opened. This would save an entire round of emails between the customer and the support desk. It's usually the first thing they ask for, and then the customer has to go to…
-
As an ex-TriGeo customer, here are some things that would be mandatory for me to consider coming back to the product: 1) Pricing in line with other NPM modules. 2) No dependencies on proprietary embedded apps like AIR, Flash, Java, Crystal Reports, or separate installed consoles. It needs to work in a regular browser. 3)…
-
Try this: look at the "conversations" view and pull down the data units menu and change it to "Rate" instead of "Data transferred per time interval". That seems to give the aggregate transfer rate for an IP address group. I don't see any way to easily get the average, though. PS: I mean the "conversations" section of the…
-
That's pretty much correct. With proxies and "traditional" NetFlow, you have the following options: 1) NetFlow exporter outside of proxy: allows you to see proxy-server to Internet flows. 2) NetFlow exporter behind proxy: allows you to see client to proxy-server flows. 3) Transparent (aka "intercepting") proxy: allows you…
-
Upon further examination, it appears that this report gives the correct SN for Catalyst switches, but not routers. It looks like the Chassis ID report contains both the Chassis ID for routers and the Chassis Serial Number for switches. You can copy this out into Excel and massage it to get the correct SNs.
-
I'm not sure what you mean--it is fairly easy to template IP SLA operations and monitor them with NPM. For example:

    ip sla monitor 1
     type echo protocol ipIcmpEcho 1.2.3.4
    ip sla monitor schedule 1 life forever start-time now

Then, in NPM create a UnDP to monitor and alert on the status of the SLA operation. The OIDs are in…
-
I'm not sure I understand what you're asking, but if you want to see from the router CLI what interfaces are enabled for NetFlow:

    Router#sh ip flow interface
    FastEthernet0/0
      ip flow ingress
      ip flow egress
    Serial0/1/0
      ip flow ingress
      ip flow egress
    Serial0/3/0
      ip flow ingress
      ip flow egress
-
I don't use CatTools, but might the problem be that CUCM uses a ":" as the end-of-prompt character, rather than "#" like other Cisco devices? As an alternative you might consider setting up a backup schedule using the Disaster Recovery System scheduler in the CUCM GUI. The SSH-based backup system seems rather clunky to me.
-
We run both Hyper-V and vSphere in what I would describe as a large SMB or small enterprise environment, so multiple hypervisor support is important to us. Will the new versions of Hyper-V have control plane/data plane separation like VMware does? This seems to me to be the big architectural difference at this point.…
-
I have found NTA to be almost unusable with Top Talker Optimization at 100%, and we peak at around 3,000 flows/sec.
-
Oh sorry, I missed the part about the terminal server the first time around. The short answer is no: NetFlow is by nature flow-specific, not user-specific. If all the users on the terminal server share the same IP address, this makes it impossible to differentiate between users with NetFlow alone.
-
Check for SSH version compatibility--i.e. hard code IOS to "ip ssh version 2" and set NCM to use version 2 only. Also check to make sure your key is long enough on the IOS side. I vaguely recall that NCM doesn't like short keys. Try regenerating your SSH keys with a 1024 modulus.
-
Yes, I'd like to be able to search by source and destination IP address and source/destination port number at minimum, and be able to pair them. Right now I can only search for one end of the conversation; I need to be able to put all four items together in combination with AND/OR logic. The ability to track TCP flags and…