Ideas for new NetFlow reports?

We're starting work on our next release of NTA and one of the things we heard loud and clear was "more reporting".   Please post your report requests, including the use-case, and we'll try to get them in.



I require a report that will identify what impact a new application using a specific port has on the bandwidth availability for that site. So for example the report would need to report on:

1) Specific traffic port TCP 1494 (CITRIX TRAFFIC - ICA)
2) Specific time (business hour time)
3) specific remote site
4) reflects percentage and how much data consumed over wan bandwidth
5) Sampling rate per minute, or the smallest interval we can get, for as much detail as possible
6) If possible, show each user's or device's percentage of the available bandwidth used at the time

Essentially I need this to provide accurate reporting on new applications introduced into our network so that I can say whether that application will impact the 512k/512k bandwidth available at most small sites.

We need a report with IP address, Host Name, Bytes TX, Bytes RX and Total Bytes with the ability to filter on IP Subnets (as either destination or source) and summarize by IP.
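The per-IP summary requested above, written out as an added example (not NTA's own code): flows are constructed tuples of (src, dst, bytes), the subnet filter keeps a flow if either end is inside it, and the hostname lookup is a constructed table standing in for DNS or the Orion node list.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records, not real NTA data: (src_ip, dst_ip, bytes).
FLOWS = [
    ("10.1.1.10", "192.168.50.5", 4000),
    ("192.168.50.5", "10.1.1.10", 12000),
    ("10.1.1.11", "8.8.8.8", 700),
    ("172.16.0.9", "10.1.1.11", 300),
    ("10.2.2.2", "10.3.3.3", 5000),   # neither end in the filtered subnet
]

# Constructed hostname table (assumption: stands in for a DNS/Orion lookup).
HOSTNAMES = {"10.1.1.10": "D-FIN-01", "10.1.1.11": "L-SALES-07"}


def summarize_by_ip(flows, subnet):
    """Return {ip: (hostname, tx_bytes, rx_bytes, total_bytes)} for hosts in subnet.

    A flow counts as TX for its source and RX for its destination; it is
    kept only when the source or the destination lies inside the subnet.
    """
    net = ipaddress.ip_network(subnet)
    tx = defaultdict(int)
    rx = defaultdict(int)
    for src, dst, nbytes in flows:
        src_in = ipaddress.ip_address(src) in net
        dst_in = ipaddress.ip_address(dst) in net
        if not (src_in or dst_in):
            continue
        if src_in:
            tx[src] += nbytes
        if dst_in:
            rx[dst] += nbytes
    rows = {}
    for ip in set(tx) | set(rx):
        rows[ip] = (HOSTNAMES.get(ip, ip), tx[ip], rx[ip], tx[ip] + rx[ip])
    return rows


def top_talkers(rows, n=10):
    """Report rows ordered by total bytes, largest first."""
    return sorted(rows.items(), key=lambda kv: kv[1][3], reverse=True)[:n]


if __name__ == "__main__":
    for ip, (host, t, r, total) in top_talkers(summarize_by_ip(FLOWS, "10.1.1.0/24")):
        print(f"{ip:15} {host:12} TX={t:>7} RX={r:>7} Total={total:>7}")
```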

To be frank, I haven't done anything with the NetFlow module - I've only done basic research.

Perhaps you could expand reporting into the areas of traffic analysis at a lower level than just looking at the top talkers or highest traffic levels. From what I've seen of the features of ManageEngine's NetFlow Analyzer, it appears possible to dig down into the low-level figures.

Our network is heavily firewalled. Reporting on attempted connections would be a useful addition - it looks like Orion's NetFlow discards uncommon flows below a particular threshold.

For example, a daily report of hosts attempting to communicate on port 25 would be useful to spot users potentially infected with malware, or it might indicate that hosts are attempting to do other unacceptable things. The same goes for common file sharing ports, or other ports of interest (VPN, 8080, etc.).

Reporting on hosts connecting to more than X peers would also be good. It would be even better if it would only include hosts which haven't been included in any of the previous Y reports, so that it will only alert for new hosts and will never (after the first few reports) include major file servers. I realise that this would involve data storage changes though.

Perhaps I'm thinking more along the lines of firewall log aggregation rather than "proper" netflow use cases, but it's what would be cool for me.
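The two reports asked for above (hosts seen talking to a port of interest, and hosts fanning out to more than X peers that did not appear in the previous Y reports), as an added example rather than anything NTA ships; the flow records, the allow-listed mail relay and the report history are all constructed.

```python
from collections import defaultdict

# Constructed one-day flow records, not real data: (src_ip, dst_ip, dst_port, packets).
TODAY = [
    ("10.0.0.5", "203.0.113.7", 25, 1),     # single packet toward an external MTA
    ("10.0.0.5", "203.0.113.8", 25, 1),
    ("10.0.0.50", "203.0.113.9", 25, 300),  # the sanctioned mail relay
    ("10.0.0.9", "10.0.0.200", 445, 40),
    ("10.0.0.9", "10.0.0.201", 445, 33),
    ("10.0.0.9", "10.0.0.202", 445, 12),
    ("10.0.0.9", "10.0.0.203", 445, 9),
    ("10.0.0.200", "10.0.0.5", 445, 100),   # file server: many peers every day
    ("10.0.0.200", "10.0.0.9", 445, 120),
    ("10.0.0.200", "10.0.0.10", 445, 90),
    ("10.0.0.200", "10.0.0.11", 445, 80),
]
MAIL_RELAYS = frozenset({"10.0.0.50"})  # constructed allow-list for port 25


def port_report(flows, port, allowlist=frozenset()):
    """Sources that sent anything to `port`, with their distinct-destination count.
    Tiny flows are deliberately kept: one packet is exactly what this report is for."""
    peers = defaultdict(set)
    for src, dst, dport, _pkts in flows:
        if dport == port and src not in allowlist:
            peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items()}


def fanout_report(flows, max_peers, history):
    """Return (new_hosts, over_threshold).

    over_threshold: sources with more than `max_peers` distinct destinations today.
    new_hosts: those of them absent from every previous report in `history`
    (a list of sets, one per earlier report), so steady fan-out like a file
    server drops out after its first appearance.
    """
    peers = defaultdict(set)
    for src, dst, _port, _pkts in flows:
        peers[src].add(dst)
    over = {src for src, dsts in peers.items() if len(dsts) > max_peers}
    seen_before = set().union(*history)
    return sorted(over - seen_before), over


def roll_history(history, over_threshold, keep):
    """Append today's over-threshold set and retain only the last `keep` reports (Y)."""
    return (history + [set(over_threshold)])[-keep:]
```

Feeding each day's `over_threshold` set back through `roll_history` is what keeps the report limited to hosts that are genuinely new.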

@smargh - I like where you are going with this. The ManageEngine "Security Snapshot" and its underlying views would be very useful.

Since we have a proxy server sitting between users and the firewall, if there were some way to follow traffic from the end node through the proxy and out to the firewall, that would be incredible. I know the connection is terminated on the proxy, but even if we could see that there is high utilization between firewall and proxy and a corresponding high utilization between proxy and end node, that would help us quickly pinpoint the abuser. We can sort of do this now but it is a multi-step process. We are open to suggestions if there is a better way now to do this.

I would like to have a report of source-to-destination traffic utilization along with the ports used to connect to the destination.

One report or view that I'm not seeing is the ability to aggregate data from all NetFlow sources for a single IP group.

Top XX charts by defined IP group, for instance, would be helpful. Drilling down from the current Top XX into a group and then having to select from NetFlow source is cumbersome when mining for data.

Reporting for defined IP groups also seems to be lacking in 3.6 but would be most helpful.

I have been trying to create a report for AVG Bandwidth Utilization by month for two or three days now. Can't get it to work. Any ideas? Is the functionality there and I am missing something?


I would really like a way to filter a top X report to a specific IP address I am looking for.

Perhaps I am missing something. But I would like to see the ability to add and delete devices by specific IP or host name.

The existing CBQoS reporting is handy, but enriching that would certainly be beneficial (per policy, site comparison, load vs drop things).

On the QoS front, being able to have the NTA offer some policy suggestions based on traffic flow data would also be good. I mean, I realise you can sort of do that now if you leverage the right data, but there is no "automated" option I've seen by which you can track a dataset and a protocol class (like RTP Audio or a suite that uses multiple ports), have that compare to a policy pulled via SNMP, use that in a baseline/threshold calculation and suggest a policy adjustment. AutoQoS has its issues and whilst a proficient engineer could work it out, a business user might struggle more? Just a thought, I realise I'm spitballing a bit (you should see the number of whiteboards I get through :D)

Being able to segment network areas into zones or domains (which may be possible now, I'll admit I haven't tried it) would also be useful. The ability to group functional areas for Orion is good, but giving MPLS vs Hosting transit domains would help some of my customers (as a loose example).

On the whole, to be honest, it's great already... I haven't played with it much on the template exports like IPFIX (most of my users are languishing in version 5 NetFlow and J-Flow), so any work you can leverage with that (as the data sets it can theoretically collect according to IANA are huge).


Cheers!   Keep up the awesome work!

I know it's a little more than a report but still excited about:

  • Endpoint-centric Traffic Analysis Resources - ability to see traffic analysis data related to a specific Orion node (non-NetFlow source). For example, the ability to open an Orion node details page for a Windows server and see the top conversations to/from this server.
  • Thanks for your constant attention to the NTA and sign me up immediately for the next beta of NTA... the NTA 3.6 RC was a very positive experience... and a big improvement. I think I may tie-dye my SW T-shirt too :}

    I would like to see a report for TOP XX countries. This could be useful for information on an attack from China and so on.

    We have a requirement which includes the following:

    --We have availability reports named and set up for each month of the year.

    --We would like to be able to schedule those reports to be sent via email either on the last day of the month, or the first day of the following month.

    --Also, these reports need to be displayed in Excel and attached to email, because we have plain text email requirement.

    --Also, if we could have an "export to EXCEL" button on the reports page, that would be great.

    Can't you just view the report then right click on it and select export to excel?  That's what I do.

    Thanks all, please keep the new reports coming.  Also, please chime in if you like ideas posted by others to help us prioritize.

    I would like reports about:

    - CBQoS per interface-policy report

    - Top conversations

    - Conversations of a host

    - Top CBQoS

    Can you elaborate on exactly what you'd like to see (e.g. what columns) and what options you'd want to be able to filter by?

    We already have a Top Conversations report in NTA 3.6. Is it not providing what you're looking for?

    I would like to be able to filter, especially a custom filter on any/all available columns. For example, all of our laptop names begin with "L" and "D" for desktops. If I want to only see desktops that are communicating with a certain server on specific ports between time A and B at a certain site in our global network.


    Filters [Just an Easy Example]:

    Show only desktops: D*

    On Ports: 250-700

    Specific Server: XYZServer

    Start Time: 8:00 am

    End Time: 11:00 am

    Date: 3/5/10

    Site: traversing SwitchABC

    I'd like to see some type of NTA filtering to allow data flow type reporting for a particular branch/site. Thanks

