5 Replies Latest reply on Dec 15, 2009 2:37 PM by Donald_Francis

    Searching and filtering - Your hopes and desires?

    chris.lapoint

What are your top 5 use-cases for searching and filtering of flow-based traffic data?

      I'm interested in the following:

      1. Use-cases that you can accomplish today but would like to see improved

      2. Use-cases you wish you could accomplish with NTA

      Thanks in advance for your feedback!

      -Chris   

        • Re: Searching and filtering - Your hopes and desires?
          njoylif

While trying to find flows for a given subnet, I searched by endpoint and put the subnet in.
          It returned every IP in the subnet range, whether it had data flows or not.  I'd love to see this return only IPs with data for the given period.  Chris mentioned a workaround on Re: search endpoint gives all IPs in range - data or not? in the interim...Thanks Chris

          • Re: Searching and filtering - Your hopes and desires?
            jswan

            The biggest thing I want is performance over larger data sets. Right now searching more than 2 hours in the past is extremely slow to nonfunctional.

            After that, I want the ability to search for conversations between two arbitrary hosts.

            Next, the ability to search for conversations between arbitrary groups of hosts, definable by IP address range, list, or prefix/mask combination.

            Next, the ability to exclude certain traffic types from searches.

            All of this is necessary to use NTA for almost anything beyond top-talkers type monitoring. One of the best things about NetFlow is the ability to search for patterns in the past when troubleshooting network or security problems, and advanced search is necessary for either.

• Re: Searching and filtering - Your hopes and desires?

                After that, I want the ability to search for conversations between two arbitrary hosts.

                Next, the ability to search for conversations between arbitrary groups of hosts, definable by IP address range, list, or prefix/mask combination.

                Next, the ability to exclude certain traffic types from searches.

                I agree with these things as well. I don't have a major performance issue searching old information (maybe that's hardware oriented for you, jswan?), but at this point NTA's searching leaves a lot to be desired.  A search page that looks something like:

                Endpoint/subnet 1 : (value box)

Endpoint/subnet 2 : (value box that includes the option of "all")

                Start date/time:

                End date/time:

                Include: (Top talkers, Ports, applications, etc)

                Exclude: (ports, ip ranges, etc)

                Would be VERY helpful.



              • Re: Searching and filtering - Your hopes and desires?

I'd ideally like to be able to define an IP range or a subnet as a node or something similar - something I can do top XX reports on, etc.

                My environment has around 70 sites on the WAN. We are just finishing up a conversion from an older frame system to a new MPLS network. On the frame router, each circuit had its own subinterface, so I could easily differentiate flows by circuit.

On the MPLS router, however, there's only one real circuit. So I'm forced to either use a clunky, non-management-friendly report from Report Writer that I have to manually refresh, or I have to collect flows from the edge, which adds additional bandwidth. I've chosen to use the edge flow information, but I don't like it. If I could define a subnet as a node, I could go back to using the head end as my NetFlow source and just differentiate the sites by their subnets.
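As an added example (not NTA code and not posted by anyone in this thread), the script below implements, over a handful of constructed NetFlow-style records, the search features jswan lists above (conversations between two arbitrary hosts or between host groups given as a range, list, or prefix/mask; a time window; excluding ports, protocols or hosts) and the "subnet as a node" idea from the last post (attribute flows from a single head-end exporter to sites by subnet and run top-N over them). The record format, the site names and the sample flows are all constructed for illustration.

```python
"""Flow search and per-site reporting of the kind requested in this thread.
Added example, not NTA code.  The CSV-style record layout and the flows in
SAMPLE_FLOWS are constructed for illustration."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed export: timestamp,src,dst,proto,sport,dport,bytes
SAMPLE_FLOWS = """\
2009-12-15T10:00:00,10.1.1.5,192.0.2.10,tcp,51000,443,120000
2009-12-15T10:05:00,192.0.2.10,10.1.1.5,tcp,443,51000,900000
2009-12-15T10:07:00,10.1.1.9,10.2.2.20,udp,5060,5060,4000
2009-12-15T10:09:00,10.2.2.20,192.0.2.10,tcp,40000,80,250000
2009-12-15T11:30:00,10.1.1.5,192.0.2.11,tcp,52000,22,30000
2009-12-15T12:10:00,10.3.3.7,192.0.2.10,udp,2055,2055,80000
"""


def parse_flows(text):
    """Parse the constructed record format into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, sport, dport, nbytes = line.split(",")
        flows.append({"ts": datetime.fromisoformat(ts),
                      "src": ipaddress.ip_address(src),
                      "dst": ipaddress.ip_address(dst),
                      "proto": proto, "sport": int(sport),
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def host_group(spec):
    """Turn 'all', a single IP, a prefix/mask ('10.1.0.0/16'), a range
    ('10.1.1.1-10.1.1.9') or a list of those into a membership test."""
    if spec == "all":
        return lambda ip: True
    if isinstance(spec, (list, tuple)):
        tests = [host_group(s) for s in spec]
        return lambda ip: any(t(ip) for t in tests)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return lambda ip: ip.version == lo.version and lo <= ip <= hi
    net = ipaddress.ip_network(spec, strict=False)  # a bare IP becomes a /32
    return lambda ip: ip in net


def search(flows, side_a, side_b="all", start=None, end=None,
           exclude_ports=(), exclude_protos=(), exclude_hosts=None):
    """Conversations between group A and group B in either direction,
    within [start, end], minus excluded ports, protocols and hosts."""
    in_a, in_b = host_group(side_a), host_group(side_b)
    excluded = host_group(exclude_hosts) if exclude_hosts else (lambda ip: False)
    out = []
    for f in flows:
        if (start and f["ts"] < start) or (end and f["ts"] > end):
            continue
        if f["proto"] in exclude_protos:
            continue
        if f["sport"] in exclude_ports or f["dport"] in exclude_ports:
            continue
        if excluded(f["src"]) or excluded(f["dst"]):
            continue
        if (in_a(f["src"]) and in_b(f["dst"])) or (in_a(f["dst"]) and in_b(f["src"])):
            out.append(f)
    return out


def bytes_by_site(flows, sites):
    """Treat each site subnet as a 'node': every flow touching the subnet is
    attributed to that site, so one head-end exporter still yields a
    per-site breakdown.  sites is {name: cidr}; returns (name, bytes) sorted
    descending."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    totals = defaultdict(int)
    for f in flows:
        for name, net in nets.items():
            if f["src"] in net or f["dst"] in net:
                totals[name] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def top_talkers(flows, site_cidr, n=5):
    """Top-N hosts inside one site subnet by bytes sent plus received."""
    net = ipaddress.ip_network(site_cidr)
    totals = defaultdict(int)
    for f in flows:
        for ip in (f["src"], f["dst"]):
            if ip in net:
                totals[ip] += f["bytes"]
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(str(ip), b) for ip, b in ranked[:n]]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    # Two arbitrary hosts, both directions.
    print(len(search(flows, "10.1.1.5", "192.0.2.10")), "flows host<->host")
    # Prefix/mask groups with a port excluded.
    print(len(search(flows, "10.1.0.0/16", "192.0.2.0/24", exclude_ports=(443,))))
    # Constructed site names mapped to subnets; head end as the only exporter.
    sites = {"siteA": "10.1.0.0/16", "siteB": "10.2.0.0/16", "siteC": "10.3.0.0/16"}
    print(bytes_by_site(flows, sites))
    print(top_talkers(flows, "10.1.0.0/16", n=1))
```

Each lookup is a linear scan over the records, which is fine for a demonstration; the two-hour-plus slowness jswan describes is exactly why a real collector would index flows by time bucket and by endpoint prefix before running the same predicates.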