12 Replies Latest reply on Apr 20, 2009 10:49 AM by MTorok

    Netflow & Sniffing

      Hello,

      I just installed NetFlow, but I have two questions.

      1. How do I set up specific HTTP monitoring? I mean, on solarwinds.com you see that their NetFlow sample has YouTube showing up in the pie chart. Mine only says HTTP traffic and doesn't show which URL it is going to.

      2. Is there a way to have NetFlow sniff traffic from a Cisco router or switch, or have them send it to another device to sniff, etc.?

      Thank you

        • Re: Netflow & Sniffing
          jswan

          1. Netflow does not have any application-layer information, so you cannot use it to get stuff that's contained only in HTTP transactions.

          2. Netflow is not a capture technology, so if I understand your question correctly the answer is no. However, there are tools that will take a SPAN session and export information about it as Netflow. Do a search on "nProbe" for one example.

          • Re: Netflow & Sniffing
            Andy McBride

            NTA does resolve IP addresses to DNS names, so that's how you will see things like YouTube traffic.

            It doesn't work like a sniffer.

              • Re: Netflow & Sniffing

                Hi,

                I looked in the manual, but it doesn't explain anything. The manual is not very good for detailed configuring.

                Can you please tell me how I would be able to enable this? All I see is World Wide Web HTTP 80 as the application. Or do I need to configure it in the Endpoints section, and how?

                Also,

                Can you please also tell me what Unmonitored Traffic (-1) means?

                Thank you again

                  • Re: Netflow & Sniffing
                    MTorok

                    atags,


                    -1 is explained in the manual as follows:

                    Warning: Port -1 is designated by NetFlow Traffic Analyzer as the default port for all types of unmonitored traffic. This port should not be deleted, and it is recommended that the description not be edited.

                    See the following URL:

                    http://www.solarwinds.com/NetPerfMon/SolarWinds/OrionNetFlowPHSettingsApplicationServicePorts.htm

                    I will look into your YouTube configuration request.

                    Thanks,

                    Michael

                      • Re: Netflow & Sniffing

                        Hi. I am a little confused. The manual I have says nothing about Port -1 (unmonitored traffic). I am using a PDF manual called NetflowAdministratorGuide.pdf.

                        In addition, I was wondering what unmonitored traffic really means. Could you explain?

                        Is there another manual on NetFlow that I am not aware of?

                        Oh, and thanks for looking into my YouTube configuration request.

                        Thank You

                          • Re: Netflow & Sniffing

                            NTA's Unmonitored Traffic port represents traffic that isn't specifically represented by a monitored application port. You have the ability to monitor as few or as many TCP and UDP application ports as you need. Any traffic that doesn't correlate to these monitored TCP and UDP application ports will be categorized as unmonitored, rather than just dropping the flows.

                            Hope this helps.

                            • Re: Netflow & Sniffing
                              Andy McBride

                              Unmonitored traffic is traffic on ports that NTA is not currently set to monitor. To monitor all traffic and get rid of this, go to NetFlow Settings -> Applications and Service Ports -> Monitor All Ports.

                              This will get rid of the -1 and let you see what ports this data is using.
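Two points made in the replies above can be seen directly in the NetFlow v5 wire format: jswan's point that a flow record carries no application-layer data (so a collector can only label a flow by port or reverse-resolve its endpoint IP), and the explanation of Unmonitored Traffic (-1) as the catch-all for ports not in the monitored table. The following is an added example, not code from this thread or from SolarWinds. It decodes a NetFlow v5 export datagram with Python's standard library, shows the only fields a record contains, then buckets each flow by a monitored-ports table and sends anything unmatched to port -1 the way NTA does. The port table, the sample flows, and the "lower port is the service port" rule used to model Monitor All Ports are constructed assumptions for the example.

```python
"""Decode a NetFlow v5 export and classify flows by monitored application port.

Added example (not SolarWinds code). A v5 record carries only layer-3/4
fields: addresses, ports, protocol, byte and packet counters. There is no
URL, hostname or payload, so "HTTP" is the most a collector can say from
the record alone. Flows on ports outside the monitored table go to a
catch-all bucket, labelled -1 to mirror NTA's "Unmonitored Traffic (-1)".
"""
import socket
import struct
from collections import Counter

# Wire format from Cisco's NetFlow v5 export specification.
V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes

UNMONITORED = -1  # NTA's pseudo-port for traffic on unmonitored ports

# Constructed stand-in for the "Applications and Service Ports" table.
MONITORED_PORTS = {
    53: "DNS",
    80: "World Wide Web HTTP",
    443: "HTTPS",
}


def parse_v5(packet):
    """Return one dict per flow record in a NetFlow v5 export datagram."""
    version, count, *_rest = V5_HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 export (version=%d)" % version)
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(packet) < expected:
        raise ValueError("truncated export: %d bytes, need %d" % (len(packet), expected))
    flows = []
    for i in range(count):
        offset = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, _tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(packet, offset)
        # These keys are everything the record knows about the conversation.
        flows.append({
            "src": socket.inet_ntoa(src), "sport": sport,
            "dst": socket.inet_ntoa(dst), "dport": dport,
            "proto": proto, "packets": pkts, "bytes": octets,
        })
    return flows


def application_port(flow, monitored=MONITORED_PORTS):
    """Map a flow to a monitored application port, or to UNMONITORED.

    Either endpoint may be the service side, so both ports are checked.
    monitored=None models "Monitor All Ports": the flow is attributed to its
    lower-numbered port (assumed here to be the service port), so nothing
    lands in -1 and the real port becomes visible.
    """
    if monitored is None:
        return min(flow["sport"], flow["dport"])
    for port in (flow["dport"], flow["sport"]):
        if port in monitored:
            return port
    return UNMONITORED


def bytes_by_application(flows, monitored=MONITORED_PORTS):
    """Aggregate octets per application port, like NTA's application pie chart."""
    totals = Counter()
    for flow in flows:
        totals[application_port(flow, monitored)] += flow["bytes"]
    return dict(totals)


def build_v5_packet(records):
    """Constructed exporter: pack (src, sport, dst, dport, proto, pkts, octets) tuples."""
    header = V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0\0\0\0",
                       1, 2, pkts, octets, 0, 0, sport, dport, 0, 0x18, proto,
                       0, 0, 0, 24, 24, 0)
        for src, sport, dst, dport, proto, pkts, octets in records)
    return header + body


# Constructed sample: two web sessions and one RDP session (TEST-NET addresses).
SAMPLE_PACKET = build_v5_packet([
    ("10.1.2.3", 51234, "203.0.113.10", 80, 6, 40, 30_000),
    ("10.1.2.4", 41000, "203.0.113.20", 443, 6, 120, 95_000),
    ("10.1.2.3", 50000, "10.1.9.9", 3389, 6, 500, 400_000),
])

if __name__ == "__main__":
    flows = parse_v5(SAMPLE_PACKET)
    print(bytes_by_application(flows))        # RDP is reported under -1
    print(bytes_by_application(flows, None))  # Monitor All Ports: RDP shows as 3389
```

With the default table the RDP flow is reported as port -1; with the "all ports" mode the same flow appears under 3389, which is the effect Andy describes above. Nothing in the decoded record could ever carry a URL, which is why a URL-level breakdown needs a probe in front of a SPAN port (as jswan suggests) rather than a flow exporter.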

                              • Re: Netflow & Sniffing
                                MTorok

                                The URL I included is actually to the page help for the Application and Service Ports page within the application. I will also talk with the author to see about getting this same information in the Administrator Guide.

                        • Re: Netflow & Sniffing
                          davidmaltby

                          We're not storing URLs, but we are storing the endpoints of the traffic. I haven't had a chance to rewatch our video, but I'm pretty sure that what you saw was the Top XX Domains resource that was showing you YouTube in the video.

                          Thanks,

                          David

                          • Re: Netflow & Sniffing
                            ebradford

                            atags,

                            It seems that an idea you have about NetFlow needs a little clarification. NetFlow is not a technology that captures packets and looks at them. It is a Cisco proprietary technology where a router or multi-level switch (MLS) reports statistics on routed traffic. It won't report statistics on unrouted traffic (such as intra-VLAN traffic, broadcasts, and other types of dropped packets). Since web sites are outside your VLAN, that traffic is reported by your router. This is assuming that your router is configured to report NetFlow traffic. Other manufacturers have similar technologies; for example, Juniper has J-Flow.

                            The NetFlow Traffic Analysis (NTA) module of Orion receives the reports and then organizes them into a fairly easy-to-drill-down presentation. On our network, I select my core MLS for Internet traffic analysis because it has the DNS names and IP addresses of both internal and external endpoints of traffic. Were I to do this on the edge router, the internal endpoint would be our firewall address (using NAT), not the private network names and addresses.

                            If you want to find out which computers are going to youtube.com, you can do so by selecting the Domain option in the "Traffic View Builder" portion of the NetFlow Summary page. Then, enter "youtube.com" in the field. Next, select the router you want to get data from. Again, I suggest using the core router or MLS. You can do a similar search for youtube.com as an endpoint using "Search NetFlow Endpoint".

                            Right now, I am looking at our youtube.com usage over the last 2 hours: only one person has been browsing YouTube in our office, and they used up only 30KB of bandwidth. I guess that's not too bad... at least it was before the morning peak HTTP use time of 8:00 to 9:00.

                            You can also drill down through the "Top # Endpoints". It may help to edit the view to increase the number of endpoints to the top 100, and to increase the time beyond 2 hours. Anyway, if people are going to a web site, but that website isn't within the top endpoints, then it won't show up. Our top endpoints are typically our servers -- file servers, SQL servers, etc. That's why I like using the view builder: you can be more targeted. Of course, people have posted info on Thwack about how to filter out inter-VLAN traffic or our private VLANs, but I haven't learned that yet.

                            It seemed to me that you got a lot of replies from SolarWinds experts on your post, but many of those posts seemed not to address your concern of getting the YouTube info you were inquiring about. I hope this helps.

                            Eric
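Eric's post describes three things a practitioner runs into with an endpoint-based view: searching by domain means reverse-resolving the remote endpoint and matching the name, a Top N Endpoints resource hides any site that falls below the cut-off, and an export taken from an edge router behind NAT shows the firewall's address as the internal endpoint instead of the real host. The following is an added example, not part of the post or of NTA, that models those three behaviours over already-decoded flow records. The reverse-DNS table stands in for the collector's resolver, and every address and name is constructed (TEST-NET ranges and example domains).

```python
"""Endpoint-side analysis of flow records: domain search, Top N cut-off,
and the NAT effect of exporting from the edge instead of the core.

Added example (not SolarWinds code). Flow records are plain dicts with
"src", "dst" and "bytes", as a collector would have after decoding.
"""
from collections import Counter

# Constructed stand-in for the collector's reverse-DNS cache.
REVERSE_DNS = {
    "203.0.113.10": "r1.example-video.net",
    "203.0.113.11": "r2.example-video.net",
    "203.0.113.99": "notexample-video.net",  # lookalike: must not match
    "192.0.2.50": "files.corp.example",
    "192.0.2.51": "sql.corp.example",
}


def resolve(ip):
    """Reverse-resolve an endpoint; unknown addresses stay as the bare IP."""
    return REVERSE_DNS.get(ip, ip)


def in_domain(name, domain):
    """True if name equals domain or is a subdomain of it.

    Matching on a label boundary is what keeps "notexample-video.net"
    out of a search for "example-video.net".
    """
    name = name.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def top_endpoints(flows, n):
    """Bytes per endpoint (either side of a flow), highest first, top n.

    Models a Top N Endpoints resource: a site with little traffic falls
    below the cut-off and simply is not listed.
    """
    totals = Counter()
    for flow in flows:
        totals[flow["src"]] += flow["bytes"]
        totals[flow["dst"]] += flow["bytes"]
    return totals.most_common(n)


def talkers_to_domain(flows, domain):
    """Bytes per local host exchanged with any endpoint that resolves into domain.

    Models the Traffic View Builder "Domain" filter: the remote side is
    reverse-resolved and matched, the other side is reported as the talker.
    """
    totals = Counter()
    for flow in flows:
        for local, remote in ((flow["src"], flow["dst"]), (flow["dst"], flow["src"])):
            if in_domain(resolve(remote), domain):
                totals[local] += flow["bytes"]
    return dict(totals)


# Constructed flows as seen by the core switch: private hosts reaching a
# video host, a lookalike domain, and the file/SQL servers that dominate.
CORE_FLOWS = [
    {"src": "10.1.2.3", "dst": "203.0.113.10", "bytes": 30_000},
    {"src": "10.1.2.7", "dst": "203.0.113.99", "bytes": 5_000},
    {"src": "10.1.2.3", "dst": "192.0.2.50", "bytes": 2_000_000},
    {"src": "10.1.2.4", "dst": "192.0.2.51", "bytes": 1_600_000},
    {"src": "10.1.2.5", "dst": "192.0.2.50", "bytes": 900_000},
]

# The same web sessions as exported by the edge router, after NAT has
# replaced the private source with the firewall's public address.
FIREWALL_PUBLIC_IP = "198.51.100.1"
EDGE_FLOWS = [
    {"src": FIREWALL_PUBLIC_IP, "dst": "203.0.113.10", "bytes": 30_000},
    {"src": FIREWALL_PUBLIC_IP, "dst": "203.0.113.99", "bytes": 5_000},
]

if __name__ == "__main__":
    print(top_endpoints(CORE_FLOWS, 3))                        # video host is below the cut-off
    print(talkers_to_domain(CORE_FLOWS, "example-video.net"))  # {'10.1.2.3': 30000}
    print(talkers_to_domain(EDGE_FLOWS, "example-video.net"))  # {'198.51.100.1': 30000}
```

The Top 3 list is filled by the servers, so the 30KB video session is invisible there but is found immediately by the domain filter; the same filter run over the edge export can only name the firewall, which is the reason for Eric's advice to export from the core.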

                            • Re: Netflow & Sniffing
                              ebradford

                              Michael,

                              I feel it is in rather poor taste that you selected your own post as the verified answer and marked it as such. You should not be the judge of the verified answer; the poster of the question should be the one who verifies that you have answered his questions. In fact, the answer you marked as verified even states that you will look into something -- so you weren't answering his question on it. Further, you didn't explain ANYTHING about port -1 from your own experience; you just regurgitated the same nondescript answer from a manual that you didn't write.

                              You do not deserve 20 post points for this tech-ego mental masturbation.

                              Eric