3 Replies Latest reply on Jun 21, 2016 6:28 AM by stibi

    Netflow Reporting - IPGroupSegmentID Property

    equalswql

      Hello Fellow Thwackers,

       

      As referenced by my name, when I want to create a report/alert/etc. I usually skip and go right to a custom swql query.

       

      I'm wondering if anyone can assist with the following :

       

      I am attempting to write a swql query for netflow reporting and notice that the SourceIPGroupSegmentID/DestinationIPGroupSegmentID properties (from Orion.Netflow.Flows) are all linked to the Orion.Netflow.SourceIPGroup table.

      However, the ID fields differ - and there is no common table I can find that links the two IDs to each other.

       

      For instance - There are only 30 instances of IP Groups in the Orion.Netflow.SourceIPGroup table - IDs 1-30.

       

      The value that corresponds with ID 30 is 95 in the SourceIP/DestinationIPGroupSegmentID - 30 maps to 95.

      I created a new group, and observed that group 31 matches with SourceIP/DestinationIPGroupSegmentID of 114.

       

      Can anyone explain how this is being calculated? If I can determine either where or how this mapping is done, I can definitely arrange some reporting based on IP Address Groups (and I think thwack could definitely use a few more posts on how to do custom Netflow reporting...)

       

      Thank you -

       

      =Swql

        • Re: Netflow Reporting - IPGroupSegmentID Property
          petr.klang

          Hi,

          IP address groups in netflow can contain multiple ranges or single IPs. IP address space 0.0.0.0-255.255.255.255 is divided by all of these ranges and smaller parts - segments are created. IP groups then have reference to these IP address group segments.

           

          ID of segments is incremental, if you create new IP groups, probably new segments will be created and segments are reassigned to IP Address groups. Also if you delete all IP Address groups and create same groups again, new segments will be created.

           

          Petr

          1 of 1 people found this helpful
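
To illustrate the segment idea petr.klang describes above, here is an added sketch (not SolarWinds code and not part of the thread) that cuts the IPv4 space at every group-range boundary and numbers the resulting segments incrementally. The group names, ranges and the `first_id` numbering are constructed assumptions; the product's actual ID assignment may differ.

```python
import ipaddress

# Constructed sample groups: name -> list of (first_ip, last_ip) ranges.
SAMPLE_GROUPS = {
    "Servers": [("10.0.0.0", "10.0.0.255")],
    "DMZ": [("10.0.0.128", "10.0.1.255")],          # overlaps "Servers"
    "Printer": [("192.168.5.20", "192.168.5.20")],  # single IP
}

def _int(ip):
    return int(ipaddress.IPv4Address(ip))

def build_segments(groups, first_id=1):
    """Split 0.0.0.0-255.255.255.255 into disjoint segments.

    Returns (segments, membership):
      segments   -> {segment_id: (first_ip, last_ip)}, covering the whole space
      membership -> {group_name: [segment_id, ...]}
    first_id models incremental IDs (assumption): a rebuild continues numbering.
    """
    cuts = {0, 2**32}  # every range start and (end + 1) is a cut point
    for ranges in groups.values():
        for lo, hi in ranges:
            cuts.update((_int(lo), _int(hi) + 1))
    cuts = sorted(cuts)

    segments = {}
    membership = {name: [] for name in groups}
    for seg_id, (start, nxt) in enumerate(zip(cuts, cuts[1:]), first_id):
        end = nxt - 1
        segments[seg_id] = (str(ipaddress.IPv4Address(start)),
                            str(ipaddress.IPv4Address(end)))
        # A segment never straddles a boundary, so it is fully in or out.
        for name, ranges in groups.items():
            if any(_int(lo) <= start and end <= _int(hi) for lo, hi in ranges):
                membership[name].append(seg_id)
    return segments, membership

def group_names_for_segment(membership, seg_id):
    """Reverse lookup: which groups reference this segment ID."""
    return sorted(n for n, ids in membership.items() if seg_id in ids)

if __name__ == "__main__":
    segs, members = build_segments(SAMPLE_GROUPS)
    for sid, (lo, hi) in segs.items():
        print(sid, lo, hi, group_names_for_segment(members, sid))
```

Three groups already produce seven segments here, which is why segment IDs run well ahead of group IDs and shift when groups are added or recreated.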
            • Re: Netflow Reporting - IPGroupSegmentID Property
              equalswql

              Hello Petr,

               

              I'm aware of how the IP address group segments work - my main point was that there is no mapping between the IDs that are created/recreated and the name of the IP address group itself - this makes capturing data more difficult through swql unless there is a mapping somewhere between tables - which I haven't located yet.

              It can be done through the web reporter so I'm assuming there is some mapping mechanism there in the background - trying to locate that.

               

              Thank you,

               

              =Swql

                • Re: Netflow Reporting - IPGroupSegmentID Property
                  stibi

                  Hi,

                   

                  NTA tables are referencing the Orion.NetFlow.IPAddressGroups table. The mapping between segments and IP group ID is done automatically in the background.

                   

                  Usage example:

                  SELECT T1.SourceIPGroup.Name, T1.DestinationIPGroup.IPAddressGroupID
                  FROM Orion.NetFlow.Flows AS T1
                  WHERE T1.SourceIPGroup.Enabled = 1

                   

                  Petr

                  1 of 1 people found this helpful