Stay patient - just trying to help you here, Andrew.
If it were me trying to better identify this traffic, I would increase the sampling and port monitoring. With sFlow, the load is not invasive - and I use Procurves with all ports monitored in some instances with no hiccups.
Based on your descriptions of your remote sites, I would say your chance of excessive/measurable broadcast traffic is low, short of a malfunctioning NIC/eccentric printer.
are you looking to see how much local broadcast traffic is occurring on that remote site's LAN, or looking to see how much broadcast traffic is coming out of the WAN pipe? In either case, you can start - if you want - by simply searching on a broadcast address as 'Endpoint IP' on your NTA dashboard.
Just to add to rharland's post, I'd recommend doing the endpoint filter on an Interface Detail view instead of a summary view. As was discussed recently in another thread, it seems like certain filters produce either strange or no results at all with summary views.
Thanks for you reply : it certainly makes sense to look a the broadcast address to see broadcast traffic ! 🙂
I'm looking to see how much broadcast traffic there is on the remote LAN. I don't think they'll be any broadcast traffic on the WAN link : each site is a seperate LAN with a c class subnet and I don't think the WAN routers will pass broadcasts
I'm getting my Netflow's from a switch on the remote LAN and using the remote LAN's broadcast address. At the moment, I'm seeing nothing (in a 1 hour period) which suggest either (1) I have very low level of broadcast or (2) my sampling rate is so low I'm not seeing the broadcasts (currently set to sample 1 in 100 packets) or (3) I'm doing something wrong 😞
Have you attempted to search on all 255s, instead of the subnet's logical broadcast? You may be surprised at what you see.
Is there a way to use wild cards for the subnets e.g. 192.168.*.255 . I've get an invalid address error when I enter it as an endpoint filter. Don't really want to enter 50+ broadcast addresses manually 😞
Have you tried *.*.*.255? That will give you a breakdown of all subnet-specific broadcast addresses. Works for me, anyway.
In Flow Navigator, I'm selecting a detail view, then selecting a node and interface. I then select 'Endpoint' , type in a filter of *.*.*.255 and click 'Add Filter'. At that point I get the errror 'Please enter a valid IP addess or host name'
I'm running NTA 3.10.0 on NPM 10.5
Let's try a different approach. At the Netflow summary page, go to the top right search dialog, enter *.*.*.255 and change the search context to 'Endpoint IP Address'. Perform that search. Do you receive results?
Some progress: I'm seeing some results for 169.254.255.255 and some for 255.255.255.255. But nothing for my 192.168 subnets.. 😞
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process. Learn more today by joining now.