cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post
Level 11

Can Neflow Traffic Analyzer tell me how much broadcast traffic I have on my LAN?

Jump to solution

I have multiple remote sites connected over VPNS (via WAN links) to my main site. My NPM\NTA server sits in the main site.

Can NTA give me some numbers on the amount of broadcast traffic on a remote site?

Thanks

Tags (2)
1 Solution

Stay patient - just trying to help you here, Andrew.

If it were me trying to better identify this traffic, I would increase the sampling and port monitoring. With sFlow, the load is not invasive - and I use Procurves with all ports monitored in some instances with no hiccups.

Based on your descriptions of your remote sites, I would say your chance of excessive/measurable broadcast traffic is low, short of a malfunctioning NIC/eccentric printer.

View solution in original post

0 Kudos
15 Replies
Level 7

hi sir,

how did you add a subnet (lets say in your case: 169.254.255.255) in the NTA and examine its bandwidth?


its my first time for NTA. pls help


thanks

0 Kudos

Andrew,

are you looking to see how much local broadcast traffic is occurring on that remote site's LAN, or looking to see how much broadcast traffic is coming out of the WAN pipe? In either case, you can start - if you want - by simply searching on a broadcast address as 'Endpoint IP' on your NTA dashboard.

Level 11

Thanks for you reply : it certainly makes sense to look a the broadcast address to see broadcast traffic ! 🙂

I'm looking to see how much broadcast traffic there is on the remote LAN. I don't think they'll be any broadcast traffic on the WAN link : each site is a seperate LAN with a c class subnet and I don't think the WAN routers will pass broadcasts

I'm getting my Netflow's from a switch on the remote LAN and using the remote LAN's broadcast address. At the moment, I'm seeing nothing (in a 1 hour period) which suggest either (1) I have very low level of broadcast or (2) my sampling rate is so low I'm not seeing the broadcasts (currently set to sample 1 in 100 packets) or (3) I'm doing something wrong 😞

0 Kudos

Have you attempted to search on all 255s, instead of the subnet's logical broadcast? You may be surprised at what you see.

0 Kudos
Level 11

Is there a way to use wild cards for the subnets e.g.  192.168.*.255 . I've get an invalid address error when I enter it as an endpoint filter. Don't really want to enter 50+ broadcast addresses manually 😞

0 Kudos

Have you tried *.*.*.255? That will give you a breakdown of all subnet-specific broadcast addresses. Works for me, anyway.

0 Kudos
Level 11


No joy

In Flow Navigator, I'm selecting a detail view, then selecting a node and interface. I then select 'Endpoint' , type in a filter of *.*.*.255 and click 'Add Filter'. At that point I get the errror 'Please enter a valid IP addess or host name'

I'm running NTA 3.10.0 on NPM 10.5

0 Kudos

Let's try a different approach. At the Netflow summary page, go to the top right search dialog, enter *.*.*.255 and change the search context to 'Endpoint IP Address'. Perform that search. Do you receive results?

0 Kudos
Level 11

Some progress: I'm seeing some results for 169.254.255.255 and some for 255.255.255.255. But nothing for my 192.168 subnets.. 😞

0 Kudos

Are you positive that those subnets are seeing broadcast traffic? Are all ports being monitored for flows?

0 Kudos
Level 11

Am I positve those subnets are seeing broadcast traffic ? No, What I'm attempting to do is discover the level of broadcast traffic on the LAN. Potentialy it could be very low. Most of the remote sites I'm looking at have 10-20 people mainly using Citrix with no local servers.

Are all ports being monitored? No, I'm only monitoring a small subset of ports for flows since I haven't previously needed to look at every port. Futher, I believe broadcast traffic will appear on all ports on a LAN\VLAN so there's no need to monitor all of them to see a broadcast (?). Having said that, since I'm only samplng 1 packet in 100 the more ports gives me a better chance of seeing a broadcast packet..? Either that or sample more often on the currently monitored ports?

A secondary reason to limit the number of ports monitored for flows was to limit the workload on the switches, not that I think I'm making them work hard at the moment, just being cautious.

(As background , we're using HP switches)

0 Kudos

Stay patient - just trying to help you here, Andrew.

If it were me trying to better identify this traffic, I would increase the sampling and port monitoring. With sFlow, the load is not invasive - and I use Procurves with all ports monitored in some instances with no hiccups.

Based on your descriptions of your remote sites, I would say your chance of excessive/measurable broadcast traffic is low, short of a malfunctioning NIC/eccentric printer.

View solution in original post

0 Kudos
Level 11


Success at last

I've added a couple more monitored ports and am finaly seeing some broadcast traffic. As you predicted (and I suspected) there's not much (which is a good thing!) but I can now see it.

Thanks for all your help!

0 Kudos

Excellent! Glad to be of assistance.

0 Kudos
Level 13

Just to add to rharland's post, I'd recommend doing the endpoint filter on an Interface Detail view instead of a summary view. As was discussed recently in another thread, it seems like certain filters produce either strange or no results at all with summary views.