
How to verify port traffic received (NetFlow port 2055 / Traps port 162 / Syslog port 514)

In this article you will learn how to verify and capture the traffic being received for NTA (NetFlow), traps and syslog.

First, make sure you have configured your device correctly to send the required traffic to the Orion server IP and port.

If you are new to NetFlow, I would recommend watching these videos carefully to understand the requirements and the configuration required on the device.

Please see the videos below.

How to troubleshoot NetFlow using Wireshark - Video - SolarWinds Worldwide, LLC. Help and Support

Cisco Netflow Advanced - YouTube

MicroNugget: Netflow - YouTube

How to configure NetFlow on devices?

How to Configure NetFlow on a Cisco Router - YouTube

Cisco ASA NetFlow Configuration Using ASDM - YouTube

Configuring NetFlow on Cisco 3700 Router and Cisco ASA - YouTube

SolarWinds Knowledge Base :: Configuring Cisco ASA devices for use with Orion NTA

Floapalooza: NetFlow, J-Flow, & sFlow Configure, Analyze, and Act on that Data - SolarWinds® Lab #4 ...

Overview of Network Traffic Flow Technologies - YouTube

Visibility in the Data Center

If you are new to syslog, I would recommend watching these videos.

Cisco - Syslog (kiwi) - YouTube

CCNA 200-120 - Syslog Basics - 81 of 84 - YouTube

Syslog - YouTube

If you are still not able to see the traffic within the Orion application, follow the steps below to filter and verify that the traffic is actually being received at the Orion port.

For this you will have to install Wireshark as described below.

Download Wireshark and install it on the Orion server / Kiwi Syslog Server.

Wireshark · Download

Make sure the Windows / McAfee / Norton / any other A/V firewall is disabled on the Orion server, or create a rule in Windows Firewall to allow the port traffic. In some cases I have found Windows Firewall blocking the traffic to the service even though the traffic can be seen in Wireshark.

In Wireshark, click Capture > Interfaces and select the correct interface.


Now apply the required filter.

Change the IP in the filter to that of the node which is sending NetFlow to Orion (Cisco / Juniper / switch / router) and apply it.

ip.src == 192.168.1.1 && udp.port == 2055

OR

udp.port == 2055

Click Apply.

Are you able to see flows from the node (cflow for Cisco / J-Flow for Juniper / sFlow)?

If there are no packets, this confirms that Orion is not receiving any packets on the NTA default port 2055. Check your device or network for further troubleshooting.


Use the following filters for traps / syslog in Wireshark, in the same way as the example above.

For Traps


ip.src == 192.168.1.1 && udp.port == 162

OR

udp.port == 162


For Syslog


ip.src == 192.168.1.1 && udp.port == 514

OR

udp.port == 514




For more details, see:

SolarWinds Technical Reference Troubleshooting NetFlow

http://www.solarwinds.com/documentation/ref/NetFlowTroubleshooting.pd

If you are receiving NetFlow packets but are still not able to see the results, please note:

SolarWinds NTA requires bytes group information.

Make sure the packets sent to NTA are not missing the byte (octet) data.

For more details see the KB post below.

Required Flow template fields in NTA

https://support.solarwinds.com/Success_Center/Netflow_Traffic_Analyzer_(NTA)/Knowledgebase_Articles/...

Please contact the device vendor; you might need to change the NetFlow record and add the following.

collect counter bytes long
collect counter packets long
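
Added example (not part of the original article and not SolarWinds code): a Python check that parses the template flowsets of a NetFlow v9 export packet and reports whether the byte and packet counters mentioned above are exported. It assumes the NetFlow v9 layout from RFC 3954 (field type 1 = IN_BYTES, 2 = IN_PKTS); the function names are illustrative and the sample packets are constructed.

```python
import struct
IN_BYTES, IN_PKTS = 1, 2  # NetFlow v9 field types (RFC 3954)

def parse_v9_templates(payload: bytes) -> dict:
    """Map template_id -> [(field_type, field_length), ...] for one v9 packet."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte NetFlow v9 header")
    version = struct.unpack_from("!H", payload, 0)[0]
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version field is {version})")
    templates, offset = {}, 20
    while offset + 4 <= len(payload):
        flowset_id, length = struct.unpack_from("!HH", payload, offset)
        if length < 4 or offset + length > len(payload):
            raise ValueError("truncated or malformed flowset")
        if flowset_id == 0:  # 0 = template flowset
            pos, end = offset + 4, offset + length
            while pos + 4 <= end:
                template_id, count = struct.unpack_from("!HH", payload, pos)
                pos += 4
                if template_id < 256 or pos + 4 * count > end:
                    break  # padding or a truncated template record
                templates[template_id] = [
                    struct.unpack_from("!HH", payload, pos + 4 * i)
                    for i in range(count)]
                pos += 4 * count
        offset += length
    return templates

def missing_counters(fields) -> list:
    """Names of the byte/packet counters that a template does not export."""
    present = {ftype for ftype, _ in fields}
    return [n for n, t in (("bytes", IN_BYTES), ("packets", IN_PKTS)) if t not in present]

def build_packet(template_id: int, fields) -> bytes:
    """Build a constructed v9 packet holding one template (sample input only)."""
    record = struct.pack("!HH", template_id, len(fields))
    record += b"".join(struct.pack("!HH", t, n) for t, n in fields)
    header = struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0)
    return header + struct.pack("!HH", 0, 4 + len(record)) + record

# Constructed samples: src/dst address, src/dst port, protocol (+ counters).
KEYS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1)]
GOOD = build_packet(256, KEYS + [(IN_BYTES, 8), (IN_PKTS, 8)])
BAD = build_packet(257, KEYS)

if __name__ == "__main__":
    for pkt in (GOOD, BAD):
        print({t: missing_counters(f) for t, f in parse_v9_templates(pkt).items()})
```

To check a real exporter, pass the UDP payload bytes of a captured port 2055 packet that carries a template to `parse_v9_templates` in place of the constructed samples.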

Comments

Thanks for adding up.

You can add multiple Ports if required.

Settings > NTA Settings > NetFlow Collector Services

If you don't see the desired traffic at port 2055, take a look at port 6343, as it is the default port for sFlow devices. Then you can either set the NetFlow service to listen at 6343 or change the receiver port at the device.

If you don't see the traffic at either of those two ports, try to look at all UDP traffic coming from that IP address with the filter: ip.addr == 192.168.168.168 && udp

What a great guide!  Nicely done.

very informative.

Very nice job, thanks!

joer

Included

Thank you -

Version history: revision 1 of 1, last update 10-14-2012 06:33 AM