I am trying to learn how to track a device causing a high traffic flow.
Here is the scenario:
NPM is reporting High Traffic from an interface or a set of interfaces on a switch. That switch in turn is reporting another interface connected to an upstream switch having high traffic. It is fairly obvious that the two incidents are the same, in this case.
Using NTA, I am able to determine that the traffic is flowing through a router (also reporting high traffic on the LAN interface) and the router in Netflow states that the interface IS the troubled traffic.
Using the information from NTA, I can determine that the alert in NPM is from this high traffic. NTA allows me to see where the traffic is originating. In this case, it is a video camera with an identifying name. But, that took a lot of figuring out in NTA to see the device downstream from the router.
Since the camera has an IP address (verified in IPAM and DNS), I can eventually get to the device in question and ferret out that the camera's interface on the switch is the same one in question. I did have to go to the switch and ask it to tell me the ARP table via the IP Address. I am NOT using SW to get this information for where it is located.
Now I have to figure out what device is connected to this camera. NTA tells me that it is either a server or a device and I have to figure out the connection. After lots of tracking, not using NTA or NPM, I finally come to the fact that this flow is coming from a PC. I'm not sure how I got there because I have tracked so much stuff!
The question is this:
How can I use the "High Traffic on this set of interfaces" alert from NPM and then NTA to determine what is at each end QUICKLY, and then IPAM for WHO might be logged in?
I know the two routers and I can see the traffic reports from NTA, but only through the routers. The switches do not do Netflow or NBAR.
I would like to be able to write a scenario that everyone could use in order to quickly track this. I would want to first figure out how to use NTA to get to the device and then, on that device, figure out with IPAM/UDT who is on the PC.
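As an added illustration (not SolarWinds code and not the poster's), here is how the manual trace described above could be scripted once the pieces are exported: pick the heaviest NetFlow conversation, resolve each end's IP to a MAC via the router ARP table, find the access port (ignoring uplinks, which learn every MAC) in the switches' MAC address tables, and look up any login record. Every table, IP, MAC, switch name and user below is constructed sample data.

```python
"""Correlate NetFlow, ARP, switch MAC-table and login data to locate both
ends of a high-traffic flow. All tables are constructed sample data."""
from collections import defaultdict

# Constructed NetFlow-style records from the router: (src, dst, bytes)
FLOWS = [
    ("10.1.20.15", "10.1.30.7", 9_800_000_000),  # camera -> PC stream
    ("10.1.30.7", "10.1.20.15", 120_000_000),
    ("10.1.20.16", "10.1.10.5", 40_000_000),
]
# Constructed router ARP table: ip -> mac
ARP = {"10.1.20.15": "00:11:22:aa:bb:01", "10.1.30.7": "00:11:22:aa:bb:02",
       "10.1.20.16": "00:11:22:aa:bb:03"}
# Constructed switch MAC address tables: switch -> {mac: port}.
# An uplink learns many MACs; the real location is the non-uplink port.
MAC_TABLES = {
    "sw-access-1": {"00:11:22:aa:bb:01": "Gi1/0/7", "00:11:22:aa:bb:03": "Gi1/0/8",
                    "00:11:22:aa:bb:02": "Gi1/0/48"},  # PC's MAC seen via uplink
    "sw-access-2": {"00:11:22:aa:bb:02": "Gi1/0/12", "00:11:22:aa:bb:01": "Gi1/0/48"},
}
UPLINK_PORTS = {"sw-access-1": {"Gi1/0/48"}, "sw-access-2": {"Gi1/0/48"}}
# Constructed UDT/IPAM-style login records: ip -> user
LOGINS = {"10.1.30.7": "jdoe"}

def top_conversation(flows):
    """Sum bytes per unordered IP pair; return (sorted pair, total bytes)."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        totals[frozenset((src, dst))] += nbytes
    pair, total = max(totals.items(), key=lambda kv: kv[1])
    return tuple(sorted(pair)), total

def locate(ip, arp, mac_tables, uplinks):
    """IP -> MAC via ARP, then the access port that learned that MAC.
    Returns (switch, port) or None if the MAC is unknown or only on uplinks."""
    mac = arp.get(ip)
    if mac is None:
        return None
    for switch, table in mac_tables.items():
        port = table.get(mac)
        if port and port not in uplinks.get(switch, set()):
            return switch, port
    return None

def trace_high_traffic(flows=FLOWS, arp=ARP, mac_tables=MAC_TABLES,
                       uplinks=UPLINK_PORTS, logins=LOGINS):
    """For the heaviest conversation, report where each end sits and who is
    logged in there (user is None when there is no login record)."""
    (a, b), total = top_conversation(flows)
    return {"bytes": total,
            "ends": {ip: {"location": locate(ip, arp, mac_tables, uplinks),
                          "user": logins.get(ip)} for ip in (a, b)}}
```

In practice the three tables would be pulled by SNMP or from NTA/UDT exports; the correlation logic stays the same.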