What We're Working On

Provide both source and destination PORT numbers from netflow collections in NTA for query purposes

It is imperative to have not only source and destination IP address but also source and destination port.   Netflow reports both.  For some reason NTA stores one value as 'random high port' regardless of whether it is or it isn't.  This makes the data meaningless if I am looking for patterns in the traffic, possible odd traffic, perhaps something not working as it should.  In particular I can't use netflow reports for building ACLs when I don't have all that info.  Now, you may say that wasn't the goal of NTA and that's fine.  But the truth is 90% of my needs including analysis, troubleshooting, and monitoring can be accomplished with what is reported in a netflow record...assuming I can get to all the data in that record.   It sure beats the hassle of setting up a span or tap and using wireshark for hours on end.     If I am going to report netflow data to a collector somewhere, it is a reasonable explanation I should be able get to all of that data.  If I cannot, why am I bothering?  Even a simple tool such as Lancope lets me see both ports values as they are reported in the flow record,  not just one.  Most companies, mine included, can't afford two tools and it won't take management very long to decide NTA isn't the best tool if some of the data is discarded upon collection.  I am already being pushed to abandon NTA and use Lancope because it is cheaper.  All the great things about NTA (which lancope can't do) won't mean a thing if the one thing I need to do today can't be done with it.  It's so simple...store what you get.  Don't change it or drop it just store what you get.

  • I agree completely. NTA often incorrectly determines the direction of connection establishment and displays dynamic source ports in the Port field. And while in the report there is no way to display the source port, which would smooth out this problem. Surprisingly, the problem has not been resolved since 2017. :( P.S. I don’t think we will want to renew the license for this product for another year.
  • Absolutely agree. NTA often incorrectly determines the direction of connection establishment and displays dynamic source ports in the Port field. And while in the report there is no way to display the source port, which would smooth out this problem. Surprisingly, Solarwinds has not solved this problem since 2017. :( P.S. I don’t think that we will renew the license for this product for another year.
  • I totally agree with both the statements above.

  • Gone are the days, if they ever truly existed, where source port(s) no longer matter.  Yes, many apps still require a very wide range of source ports.  While other apps specific a single source port.

    Between NAT and PAT at the firewalls, and IPv4's limitations, and firewalls' CPU / Memory resources required for translations, src and dst ports become more and more important for properly understanding which apps are flowing.

  • I agree 100%.  Not having a single dashboard with source IP, Dest IP, source port, Dest port is not good.  Having this data immediately available for troubleshooting most issues is imperative.  It is very frustrating to have to look through several dashboards to piece this together.  It makes me want to go back to Plixer Scrutinzer which had all these fields on a single dashboard view.

    Please add this single view in future releases of NTA.