32 Replies Latest reply on Aug 29, 2010 6:35 PM by elijah_lovejoy

    Ideas for new NetFlow reports?

    chris.lapoint

      We're starting work on our next release of NTA and one of the things we heard loud and clear was "more reporting".   Please post your report requests, including the use-case, and we'll try to get them in.

      Thanks,

      -Chris

        • Re: Ideas for new NetFlow reports?
          ecklerwr1

          I know it's probably beyond the scope of just a new report but the:

          Endpoint-centric Traffic Analysis Resources - ability to see traffic analysis data related to a specific Orion node (non-NetFlow source). For example, the ability to open an Orion node details page for a Windows server and see the top conversations to/from this server.

          With also the ability to report on not just conversations to and from a non netflow source endpoint but even between two non-netflow source hosts in the flow data.

          • Re: Ideas for new NetFlow reports?
            kjmartin

            I have 2 reporting feature requests:

            1. Have subnet based reports as my sites around the world all have their own 10. subnet.

            2. Have the ability to apply filters on the report before running the report via the web.

              • Re: Ideas for new NetFlow reports?
                chris.lapoint

                Thanks for the replies, keep them coming!

                  • Re: Ideas for new NetFlow reports?
                    chris.lapoint

                    Moved from Re: Historical Netflow Reports

                    stevel: i am trying to modify the Top 20 Traffic Sources By Domain - Last 24 hrs....this is under the Historical Netflow Reports.  what i want to do is see the top users during a specific time period....say from 2:00am to 3:00am.   what i can't seem to figure out is what to set in Select Fields....i've got the filter set up for the connection i want and i have the time frame....what am i missing?

                      • Re: Ideas for new NetFlow reports?
                        chris.lapoint

                        stevel: i am trying to modify the Top 20 Traffic Sources By Domain - Last 24 hrs....this is under the Historical Netflow Reports.  what i want to do is see the top users during a specific time period....say from 2:00am to 3:00am.   what i can't seem to figure out is what to set in Select Fields....i've got the filter set up for the connection i want and i have the time frame....what am i missing?

                        When you say "top users" do you mean that you're trying to add the actual endpoints responsible for the traffic through the top domains?

                        If you can clarify the use-case, we'll see what we can do to help.

                          • Re: Ideas for new NetFlow reports?
                            stevel

                            Chris

                             

                            Basically we need to see what external ip is using the bandwidth on a particular circuit that we have set up in NetFlow....but we need to be able to see it by hour and/or see a specific timeframe.

                            A bonus feature would be to get a report automatically sent when a circuit reaches a threshold....included in the report would be the top x users that are creating the traffic.  we run our web site from our corporate office and this information would really help.

                              • Re: Ideas for new NetFlow reports?

                                I second the request for this feature. I would like to add to the request:

                                -"reporting by hour and/or see a specific timeframe" and possibly the capability/flexibility to report on a specific timeframe, over a specific amount of time, say 7 days, 14 days, or 30 days, etc.

                                  • Re: Ideas for new NetFlow reports?
                                    jswan

                                    I'd like some meta-reporting and charting capability: in other words, how do the results of the existing reports change over time? For example, if I run top 100 conversations every day, how many hosts in the top 100 are the same over a month? If I run top 50 receivers by unique partners every day, how do those change over time?

                            • Re: Ideas for new NetFlow reports?
                              adeimel

                              Ability to view multiple top XX on the same view with different time periods selected. This appears to not work either by design or bug. Case #144598 has details.

                          • Re: Ideas for new NetFlow reports?
                            ckocian

                            I like to see some type of NTA filtering to allow data flow type reporting for a particular branch/site. Thanks 

                            • Re: Ideas for new NetFlow reports?
                              charly_DF

                              I would like reports about:

                              - CBQoS per interface-policy report

                              - Top conversations

                              - Conversations of a host

                              - Top CBQoS

                                • Re: Ideas for new NetFlow reports?
                                  chris.lapoint

                                  Can you elaborate on exactly what you'd like to see (e.g. what columns) and what options you'd want to be able to filter by?

                                  We already have a Top Conversations report in NTA 3.6.   Is it not providing what you're looking for?

                                    • Re: Ideas for new NetFlow reports?
                                      kjmartin

                                      I would like to be able to filter especially custom filter by any/all available columns. For example all of our laptop names begin with "L" and "D" for desktops. If I want to only see desktops that are communicating with a certain server on specific ports between time A and B at a certain site in our global network.

                                       

                                      Filters [Just an Easy Example]:

                                      Show only desktops: D*

                                      On Ports: 250-700

                                      Specific Server: XYZServer

                                      Start Time: 8:00 am

                                      End Time: 11:00 am

                                      Date: 3/5/10

                                      Site: traversing SwitchABC

                                  • Re: Ideas for new NetFlow reports?

                                    We have a requirement which includes the following:

                                    --We have availability reports named and setup for each month of the year.

                                    --We would like to be able to schedule those reports to be sent via email either on the last day of the month, or the first day of the following month.

                                    --Also, these reports need to be displayed in Excel and attached to email, because we have plain text email requirement.

                                    --Also, if we could have an "export to EXCEL" button on the reports page, that would be great.

                                    • Re: Ideas for new NetFlow reports?
                                      chuco

                                      I would like to see a report for TOP XX countries. This could be useful with information for an attack from China and so on.

                                      • Re: Ideas for new NetFlow reports?
                                        ecklerwr1

                                        Chris-

                                        I know it's a little more than a report but still excited about:

                                      • Endpoint-centric Traffic Analysis Resources - ability to see traffic analysis data related to a specific Orion node (non-NetFlow source). For example, the ability to open an Orion node details page for a Windows server and see the top conversations to/from this server.
                                      • Thanks for your constant attention to the NTA and sign me up immediately for the next beta of NTA... the NTA3.6RC was a very positive experience... and big improvement. I think I may tie-dye my SW Tshirt too :}

                                        • Re: Ideas for new NetFlow reports?
                                          ecklerwr1

                                          sorry for the duplicate post... thwack was fracked!^#^&$@^%@!$%@

                                           

                                          Note: I deleted duplicate posts on 3/23~ Marie

                                          Note: Thanks Marie :}

                                          • Re: Ideas for new NetFlow reports?

                                            The existing CBQoS reporting is handy, but enriching that would certainly be beneficial (per policy, site comparison, load vs drop things).

                                            On the QoS front being able to have the NTA offer some policy suggestions based on traffic flow data would also be good.   I mean I realise you can sort of do that now if you leverage the right data but there is no "automated" option I've seen by which you can track a dataset and a protocol class (like RTP Audio or a suite that uses multiple ports) and have that compare to a policy pulled via SNMP and use that in a baseline/threshold calculation and suggest a policy adjustment.   AutoQoS has its issues and whilst a proficient engineer could work it out, a business user might struggle more?   Just a thought, I realise I'm spitballing a bit (you should see the number of whiteboards I get through :D)

                                            Being able to segment network areas into zones or domains (which may be possible now, I'll admit I haven't tried it) would also be using it.    The ability to group functional areas for Orion is good but giving MPLS vs Hosting transit domains would help some of my customers (as a loose example).

                                            On the whole to be honest, it's great already... I haven't played with it much on the template exports like IPFIX (most of my users are languishing in version5 netflow and jflow) so any work you can leverage with that (as the data sets it can theoretically collect according to IANA are huge).

                                             

                                            Cheers!   Keep up the awesome work!

                                            • Re: Ideas for new NetFlow reports?
                                              sjweinstein

                                              Perhaps I am something.   But I would like to see the ability to add and delete devices by specific ip or host name

                                              • Re: Ideas for new NetFlow reports?

                                                I have been trying to create a report for AVG Bandwidth Utilization by month for two or three days now. Can't get it to work. Any ideas? Is the functionality there and I am missing something?

                                                THX

                                                • Re: Ideas for new NetFlow reports?
                                                  adeimel

                                                  One report or view that I'm not seeing is the ability to aggregate data from all netflow sources for a single ip group.

                                                  Top XX charts for instance by defined ip group for instance would be helpful. Drilling down from the current TopXX into a group and then having to select from netflow source is cumbersome when mining for data.

                                                  Reporting for defined IP groups also seems to be lacking in 3.6 but would be most helpful.

                                                  • Re: Ideas for new NetFlow reports?
                                                    addenkik

                                                    I would like to have the report from source to destination traffic utilization along with the ports used to connect to destination.

                                                    • Re: Ideas for new NetFlow reports?
                                                      smargh

                                                      To be frank, I haven't done anything with the NetFlow module - I've only done basic research.

                                                      Perhaps you could expand reporting into the areas of traffic analysis at a lower level than just looking at the top talkers or highest traffic levels. From what I've seen of the features of ManageEngine's NetFlow Analyzer, it appears possible to dig down into the low-level figures.

                                                      Our network is heavily firewalled. Reporting on attempted connections would be a useful addition - it looks like Orion's NetFlow discards uncommon flows below a particular threshold.

                                                      For example, a daily report of hosts attempting to communicate on port 25 would be useful to spot users potentially infected with malware, or it might indicate any hosts are potentially attempting to do other unacceptable things. The same goes for common file sharing ports, or other ports of interest (VPN, 8080, etc).

                                                      Reporting on hosts connecting to more than X peers would also be good. It would be even better if it would only include hosts which haven't been included in any of the previous Y reports, so that it will only alert for new hosts and will never (after the first few reports) include major file servers. I realise that this would involve data storage changes though.

                                                      Perhaps I'm thinking more along the lines of firewall log aggregation rather than "proper" netflow use cases, but it's what would be cool for me.
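Added example, not part of smargh's post and not Orion NTA code: one way to produce the two daily reports described above (hosts using watched ports such as 25, and hosts newly exceeding X peers that were not flagged in any of the previous Y reports) from exported flow records. The tuple layout, the `build_reports` name, the mail-relay allow-list and the sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

def build_reports(flows, max_peers, lookback, watch_ports=(25,), allow=()):
    """flows: iterable of (day, src, dst, dst_port). Returns one report per day."""
    peers = defaultdict(lambda: defaultdict(set))      # day -> src -> distinct dsts
    port_hits = defaultdict(lambda: defaultdict(set))  # day -> port -> srcs
    for day, src, dst, port in flows:
        peers[day][src].add(dst)
        # Hosts expected to use a watched port (e.g. the mail relay) are skipped.
        if port in watch_ports and src not in allow:
            port_hits[day][port].add(src)

    # Keep every over-threshold host of the last `lookback` days, including
    # suppressed ones, so a busy file server stays out of later reports.
    history = deque(maxlen=lookback)
    reports = []
    for day in sorted(peers):
        over = {s for s, d in peers[day].items() if len(d) > max_peers}
        seen = set().union(*history)
        reports.append({
            "day": day,
            "new_fanout": sorted(over - seen),
            "watched_ports": {p: sorted(s) for p, s in port_hits[day].items()},
        })
        history.append(over)
    return reports

def _fan(day, src, prefix, n, port):
    """Constructed helper: one source talking to n distinct peers."""
    return [(day, src, f"{prefix}{i}", port) for i in range(1, n + 1)]

# Constructed sample flows (not real traffic): 10.0.0.5 is a file server,
# 10.0.0.9 the mail relay, 10.0.1.20 a workstation that starts sending SMTP.
FLOWS = (
    _fan("2010-03-01", "10.0.0.5", "10.0.1.", 4, 445)
    + [("2010-03-01", "10.0.1.20", "10.0.0.5", 445)]
    + _fan("2010-03-02", "10.0.0.5", "10.0.1.", 4, 445)
    + _fan("2010-03-02", "10.0.1.20", "192.0.2.", 4, 25)
    + [("2010-03-02", "10.0.0.9", "192.0.2.1", 25)]
    + _fan("2010-03-03", "10.0.0.5", "10.0.1.", 4, 445)
    + _fan("2010-03-03", "10.0.1.20", "192.0.2.", 4, 25)
)

if __name__ == "__main__":
    for r in build_reports(FLOWS, max_peers=3, lookback=2, allow={"10.0.0.9"}):
        print(r["day"], "new high fan-out:", r["new_fanout"],
              "watched ports:", r["watched_ports"])
```

The file server appears only in the first report, while the workstation is flagged once for fan-out and keeps showing up in the port 25 list until it stops sending.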

                                                        • Re: Ideas for new NetFlow reports?
                                                          jspanitz

                                                          @smargh - I like where you are going with this.  The Manage Engine "Security Snapshot" and its underlying views would be very useful.

                                                          Since we have a proxy server sitting between users and the firewall, if there were some way to follow traffic from the end node through the proxy and out to the firewall, that would be incredible.  I know the connection is terminated on the proxy, but even if we could see that there is high utilization between firewall and proxy and a corresponding high utilization between proxy and end node, that would help us quickly pinpoint the abuser.  We can sort of do this now but it is a multi step process.  We are open to suggestions if there is a better way now to do this.

                                                        • Re: Ideas for new NetFlow reports?
                                                          SpinnerRow

                                                          We need a report with IP address, Host Name, Bytes TX, Bytes RX and Total Bytes with the ability to filter on IP Subnets (as either destination or source) and summarize by IP.

                                                          • Re: Ideas for new NetFlow reports?

                                                            I require a report that will identify what impact a new application using a specific port has on the bandwidth availability for that site. So for example the report would need to report on:

                                                            1) Specific traffic port TCP 1494 (CITRIX TRAFFIC - ICA)
                                                            2) Specific time (business hour time)
                                                            3) specific remote site
                                                            4) reflects percentage and how much data consumed over wan bandwidth
                                                            5) sampling rate at per min or the minimal that we can get as much detail as possible
                                                            6) If possible show each users or device percentage used on the available bandwidth at the time

                                                            Essentially I need this to provide accurate reporting on new applications introduced into our network so that I can say if that application will impact the site 512k/512k available bandwidth at most small sites.