I am trying to learn how to track a device causing a high traffic flow.
Here is the scenario:
NPM is reporting High Traffic from an interface or a set of interfaces on a switch. That switch in turn is reporting another interface connected to an upstream switch having high traffic. It is fairly obvious that the two incidents are the same, in this case.
Using NTA, I am able to determine that the traffic is flowing through a router (also reporting high traffic on the LAN interface) and the router in Netflow states that the interface IS the troubled traffic.
Using the information from NTA, I can determine that the alert in NPM is from this high traffic. NTA allows me to see where the traffic is originating. In this case, it is a video camera with an identifying name. But, that took a lot of figuring out in NTA to see the device downstream from the router.
Since the camera has an IP address (verified in IPAM and DNS, I can eventually get to the device in question and ferret out that the interface on the switch is the camera's interface is the same one in question. I did have to go to the switch and ask it to tell me the ARP table via the IP Address. I am NOT using SW to get this information for where it is located.
Now I have to figure out what device is connected to this camera. NTA tells me that it is either a server or a device and I have to figure out the connection. After lots of tracking, not using NTA or NPM, I finally come to the fact that this flow is coming from a PC. I'm not sure how I got there because I have tracked so much stuff!
The question is this:
How can I use the "High Traffic" on this set of interfaces alert from NPM and then NTA to determine what is at each end QUICKLY and then IPAM for WHO Might be logged in?
I know the two routers and I can see the traffic reports from NTA but, only through the routers. The switches do not do Netflow or NBAR.
I would like to be able to write a scenario that everyone could use in order to quickly track this. I would want to first figure out how to use NTA to get to the device and then on that device figure out with IPAM/UDT who is on the PC
So the gist of it is that you'd review the interface and check the top endpoints and top conversations for the data:
You can use built in alerts for High Receive/Transmit Percent Utilization with Top Talkers to help you narrow it down faster.
IPAM alone won't tell you who's signed in, but UDT will for sure.
With NTA you should be able to tell the port of the traffic as well, so theoretically you could determine if it was web traffic or another application and especially if you have NBAR2 (Cisco) then you could tell if it was Youtube, etc.
Further, I am trying to figure out how to be able to glom something together from an NTA Usage page that would zero in on the culprit(s) and then be able to show some history from said evil culprit.
I still do not see how to get UDT to ACCURATELY show who is on the device at the time of the high usage.
I can't ever rely on UDT to be accurate since it wants to give history. There have even been times when I use my own log in and find that I am logged in to several devices at the same time, when I am not.
Please explain how one gets the info from UDT accurately.
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.