We currently have Solarwinds NPM 10.3.1, NTA 3.10.0 and I have a question that maybe someone can help me with.
On our Domain everyone who surfs the web from their workstation at one particular branch location has a certain External IP address. They go out surfing the web, listening to Pandora or Iheartradio and my Net Flows only show for the last hour that (not a real ip address) 126.96.36.199 has ingress and egress bytes of 1.6GB for the past hour using world wide web http traffic. It doesn't tell me the exact IP of the offending PC.It could be anyone in our Domain, but we do use a Web filter that has certain groups set to all access for the internet and the majority of my work personnel can access only what websites are needed. So this maybe good traffic and maybe a VP abusing the system.
1) Do I not have a setting correct in my NPM setup?
2) Are we missing a add-on that will help me isolate these IPs?
Any help is appreciated.
This is not a NTA issue, it's a flow collection issue. You just need to collect your flow export data from a device or interface behind the one doing the NAT onto the public IP address. It sounds like you're collecting from the outside interface of your Internet edge router, which will show everything coming from the post-NAT IP address. Either 1) change your flow export to another interface on the same device before NAT occurs, or 2) collect NetFlow from another device deeper inside your network that doesn't do NAT.
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.