14 Replies Latest reply on Jan 6, 2009 8:22 AM by BryanBecker

    Basic search in NTA

    Debbi

      Let's say some one IP on a particular network is hogging the bandwidth.  I am not exporting netflow from its ingress interface, so I have to look at the traffic as it comes into our more central devices.  I would like to see a list of every IP in use on that network in the last 15 minutes that netflow knows about (say, 172.20.13.x) on one screen and what they are accessing, at least a TopN.  I thought the IP search would do it, but it just gives a list of individual addresses and I would have to click on each one separately.  I am sure this is very simple and I am missing something obvious.  Thanks much!!  -Debbi

        • Re: Basic search in NTA
          Andy McBride

          If you want to see who is hogging bandwidth why not just use the top N reports?

            • Re: Basic search in NTA
              Debbi

              Some of these networks are very small and run over a T1.  A user who is "hogging" one meg of bandwidth would never show up on a central TopN report.   We do not export from those small routers or where they first ingress into our central network, so we have to search the flows exporting from our central 6509 switches.  I hope that explains it.  -Debbi 

                • Re: Basic search in NTA
                  Andy McBride

                  Would the IP schema allow you to segregate the 'branches' by IP address groups?

                    • Re: Basic search in NTA
                      Debbi

                      Yes it would.


                       


                      Debbi

                        • Re: Basic search in NTA
                          Debbi

                          OK, even as I await how the IP grouping can help me here, I have another question, again, probably easy for you and so very helpful for me. If I choose an interface and go to the Netflow Interface Details page, when I click on one of the TopN domains, it brings me to a nice screen that includes a list of top senders and top receivers. What I want to be able to do is to do a search for, say, facebook.com (not one of the TopN) and have it show me the top senders and receivers no matter what interface. I wanna see all of em on one screen. This seems like something everyone would want to do - How many people are accessing Facebook? But I cannot find an easy way to do it. If I simply use the "Search Netflow Endpoint" on the main NTA page, it comes up with all of the individual entries. I don't want to go into every one. Possible?


                           Thanks for all your help!


                          Debbi

                            • Re: Basic search in NTA
                              Debbi

                              I guess no one has any input on this?  I guess I will need to open a support ticket.  -Debbi

                                • Re: Basic search in NTA
                                  Andy McBride

                                  I haven't found a good way to do this except in Traffic View Builder, which does make you choose a router. I'll check further with development.


                                  Andy

                                    • Re: Basic search in NTA
                                      Debbi

                                      Thanks for your reply!  I would be happy, for now, to write a report, if the results could look something like this:


                                      172.20.13.1
                                      dest1.something.com   3.0GB
                                      dest2.something.com   621MB
                                      dest3.something.com   305MB

                                      172.20.13.2
                                      dest1.something.com   123MB
                                      dest2....


                                      Would this be possible?  Usually I can find a canned report that will provide me a starting point, but I have been unable to make one that gives me what I want.


                                      Debbi
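
The report layout sketched in the post above, as an added example that is not part of the original thread and is not SolarWinds code: it groups flow records by source address inside one subnet over the last 15 minutes and lists each source's top destinations by bytes. The CSV column names (`ts`, `src`, `dst`, `bytes`), the function names and the sample rows are assumptions constructed for illustration; only the 172.20.13.x network comes from the thread.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export (assumed columns): epoch seconds, source, destination, bytes.
SAMPLE_FLOWS = """ts,src,dst,bytes
1000,172.20.13.1,198.51.100.10,3000000
1100,172.20.13.1,203.0.113.5,621000
1200,172.20.13.1,198.51.100.10,500000
1300,172.20.13.2,198.51.100.10,123000
1400,172.20.14.9,198.51.100.10,9000000
100,172.20.13.2,203.0.113.5,7000000
1500,172.20.13.1,192.0.2.77,305000
"""

def top_talkers(csv_text, subnet, now, window_s=900, top_n=2):
    """Return {src: [(dst, bytes), ...]} for sources in subnet seen within the window."""
    net = ipaddress.ip_network(subnet)
    totals = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            src = ipaddress.ip_address(row["src"])
            ts, nbytes = int(row["ts"]), int(row["bytes"])
        except (KeyError, ValueError, TypeError):
            continue  # skip malformed or truncated rows
        if src not in net or not (now - window_s <= ts <= now):
            continue  # outside the subnet of interest or older than the window
        totals[str(src)][row["dst"]] += nbytes
    report = {}
    # Heaviest sources first, then each source's destinations by bytes.
    for src in sorted(totals, key=lambda s: -sum(totals[s].values())):
        ranked = sorted(totals[src].items(), key=lambda kv: (-kv[1], kv[0]))
        report[src] = ranked[:top_n]
    return report

def format_report(report):
    """Render the per-source layout: source address, then indented destinations."""
    lines = []
    for src, dests in report.items():
        lines.append(src)
        lines.extend(f"  {dst}  {nbytes / 1e6:.1f}MB" for dst, nbytes in dests)
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_report(top_talkers(SAMPLE_FLOWS, "172.20.13.0/24", now=1600)))
```

Because the flows are aggregated after export, this works on records collected at a central device even when the small router itself exports nothing.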

                                        • Re: Basic search in NTA
                                          Andy McBride

                                          I'm not sure what the final report will look like  - to make sure I'm clear, I've asked dev to see if we can do this with existing features or maybe a SQL query.

                                            • Re: Basic search in NTA
                                              Andy McBride

                                              Debbi,

                                              I am adding the ability to search globally as a feature enhancement to Traffic View Builder. This in conjunction with using IP Address Groups for those small subnets will allow you to look at small subnets not directly exporting flows and see who is doing what. It won't do the exact report you indicate above but will answer your original question.

                                              Andy

                                                • Re: Basic search in NTA
                                                  BryanBecker

                                                  I'm not starting to play with Traffic Builder now.  I have 2 things I'm trying to run but I'm not seeing how to do it.

                                                  I want to search on an endpoint.  So I select Endpoint filtered view.

                                                  Under Filter by Application I do not have a drop-down list.  Yet if I try building by application I see a drop-down list.  This too only allows 1 app to be selected.  Can we get check-boxes to select multiple ports/applications?

                                                  Also...it seems you can only select 1 router.  Is it possible to search all routers or perhaps have check-boxes for the ones you want?

                                                  Finally...I want an easy way to see all Netflow between 2 hosts.

                                                  BB

                                                    • Re: Basic search in NTA
                                                      Andy McBride

                                                      Hi Bryan,

                                                      For the endpoint search you should get an application dropdown and be able to add multiple apps. Maybe check your application and service port settings. I use monitor all ports (or enable all monitoring) depending on version. Today you do have to search one router at a time but I have a fix on my roadmap.

                                                      For seeing all NetFlow between 2 hosts do you mean being able to search for all conversations between 2 endpoints for a certain time period? If this is the request, this is not in place now but also on the roadmap.

                                                      Andy

                                                        • Re: Basic search in NTA
                                                          BryanBecker

                                                          Yeah...I'm not getting the application drop-down in the endpoint filtered view.  In the application filtered view I am.  I am also monitoring all 65535 ports.  If I expand the Filter by application option I get the box with the + Add next to it and an exclude selected applications check-box under it.  I can add a port number, like 80, but I can't select a port from a drop-down list.

                                                          BB