0 Replies Latest reply on Mar 28, 2017 8:05 AM by BakerD

    Bytes Discrepancy

    BakerD

      I have a user in a remote office that generated a lot of traffic.  When digging in the amount Solarwinds shows does not match the amount my firewall logs show.  Looking at the same time frame of last 24hrs.

       

      SW netflow shows 15.9Gbytes.  I'm looking at Last 24hrs, Ingress, on the remote office router MPLS interface and conversion between source/destination IP.

       

       

      My firewall shows 8.1GBytes.  This is looking at last 24hrs, Bytes received, filtered on source/destination address.

       

      I'm more inclined to trust my firewall reporting at this point.  Why is SW showing almost double?

       

      Below is the config on my router for netflow/nbar.  Is it because I have input and output on my interface and only need one?  If so which is best and will it still show traffic for both directions?

       

      flow record NTArec

      match ipv4 tos

      match ipv4 protocol

      match ipv4 source address

      match ipv4 destination address

      match transport source-port

      match transport destination-port

      match interface input

      collect interface output

      collect counter bytes

      collect counter packets

      collect application name

      !

      !

      flow exporter NTAexp

      destination X.X.X.X

      source GigabitEthernet0/0

      transport udp 2055

      template data timeout 60

      option application-table timeout 60

      option application-attributes timeout 300

      !

      !

      flow monitor NTAmon

      description NetFlow nbar

      exporter NTAexp

      cache timeout inactive 30

      cache timeout active 60

      record NTArec

       

       

       

      interface GigabitEthernet0/0

      description MPLS

      bandwidth 10000

      ip address Y.Y.Y.Y

      ip flow monitor NTAmon input

      ip flow monitor NTAmon output

      ip flow ingress

      ip flow egress

       

       

      EDIT:  Actually now that I looked at just NBAR, it shows 8Gbytes.  So lines up with my firewall.  How can I fix netflow to be more accurate?

       

      Thanks