It is imperative to have not only source and destination IP address but also source and destination port. NetFlow reports both. For some reason NTA stores one value as 'random high port' regardless of whether it is or it isn't. This makes the data meaningless if I am looking for patterns in the traffic, possible odd traffic, perhaps something not working as it should. In particular I can't use NetFlow reports for building ACLs when I don't have all that info.

Now, you may say that wasn't the goal of NTA and that's fine. But the truth is 90% of my needs, including analysis, troubleshooting, and monitoring, can be accomplished with what is reported in a NetFlow record...assuming I can get to all the data in that record. It sure beats the hassle of setting up a SPAN or tap and using Wireshark for hours on end. If I am going to report NetFlow data to a collector somewhere, it is a reasonable expectation that I should be able to get to all of that data. If I cannot, why am I bothering? Even a simple tool such as Lancope lets me see both port values as they are reported in the flow record, not just one.

Most companies, mine included, can't afford two tools, and it won't take management very long to decide NTA isn't the best tool if some of the data is discarded upon collection. I am already being pushed to abandon NTA and use Lancope because it is cheaper. All the great things about NTA (which Lancope can't do) won't mean a thing if the one thing I need to do today can't be done with it. It's so simple...store what you get. Don't change it or drop it, just store what you get.
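The post's point is that a NetFlow record already carries both port numbers, and a collector that replaces one of them with a 'random high port' label throws away information that ACL building and service discovery depend on. The following is an added example, not code from NTA, Lancope or the original post: it encodes and decodes a constructed NetFlow v5 export packet with the standard 24-byte header and 48-byte record layout, keeps both ports exactly as exported, and then applies a simplified model of the lossy behaviour described above (any port at or above a threshold becomes the label) to show which distinct services disappear. All flows, addresses and function names (`build_v5_packet`, `parse_v5_packet`, `lossy_port_view`, `observed_services`, `acl_entry`) are hypothetical and constructed here.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire layout (network byte order): 24-byte header followed by
# `count` fixed-size 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
RANDOM_HIGH = "random high port"

# Constructed sample flows (not real traffic): one standard HTTPS flow, two
# flows to non-standard TCP service ports on the same server, one UDP flow.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "10.0.0.9", "sport": 51234, "dport": 443, "proto": 6, "packets": 12, "bytes": 4800},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "sport": 51235, "dport": 8443, "proto": 6, "packets": 9, "bytes": 3100},
    {"src": "10.0.0.6", "dst": "10.0.0.9", "sport": 51300, "dport": 9443, "proto": 6, "packets": 4, "bytes": 900},
    {"src": "10.0.0.5", "dst": "10.0.0.20", "sport": 40000, "dport": 40001, "proto": 17, "packets": 2, "bytes": 300},
]


def build_v5_packet(flows):
    """Encode constructed flows as a NetFlow v5 export packet (test data only)."""
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            IPv4Address(f["src"]).packed, IPv4Address(f["dst"]).packed, b"\0" * 4,
            0, 0,                                  # input / output ifIndex
            f["packets"], f["bytes"], 0, 0,        # dPkts, dOctets, first, last
            f["sport"], f["dport"],                # both ports, as exported
            0, f.get("flags", 0), f["proto"], 0,   # pad1, tcp_flags, prot, tos
            0, 0, 0, 0, 0)                         # src_as, dst_as, masks, pad2
        for f in flows)
    return header + body


def parse_v5_packet(data):
    """Decode every record, preserving both port values exactly as exported."""
    if len(data) < V5_HEADER.size:
        raise ValueError("short NetFlow v5 header")
    version, count, *_ = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(data) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated NetFlow v5 packet")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(IPv4Address(r[0])), "dst": str(IPv4Address(r[1])),
            "packets": r[5], "bytes": r[6],
            "sport": r[9], "dport": r[10],          # store what you get
            "flags": r[12], "proto": r[13],
        })
    return flows


def lossy_port_view(flow, ephemeral_start=1024):
    """Simplified model of a collector that relabels high ports instead of storing them."""
    view = dict(flow)
    for key in ("sport", "dport"):
        if view[key] >= ephemeral_start:
            view[key] = RANDOM_HIGH
    return view


def observed_services(flows):
    """Distinct (proto, server, service port) tuples a collector can report."""
    return {(PROTO_NAMES.get(f["proto"], str(f["proto"])), f["dst"], f["dport"]) for f in flows}


def acl_entry(flow):
    """ACL-style 5-tuple line; without the real ports it cannot be written."""
    proto = PROTO_NAMES.get(flow["proto"], str(flow["proto"]))
    return f"permit {proto} host {flow['src']} eq {flow['sport']} host {flow['dst']} eq {flow['dport']}"


if __name__ == "__main__":
    flows = parse_v5_packet(build_v5_packet(SAMPLE_FLOWS))
    print("lossless services:", sorted(observed_services(flows), key=str))
    print("lossy services:   ", sorted(observed_services([lossy_port_view(f) for f in flows]), key=str))
    for f in flows:
        print(acl_entry(f))
```

With the lossless view the three TCP services on 10.0.0.9 (443, 8443, 9443) are distinguishable; after the relabelling step, 8443 and 9443 both collapse into one "random high port" entry, which is exactly the information a troubleshooter or ACL author needed.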