6 Replies Latest reply on Jun 17, 2010 9:44 AM by GZhytar

    Need some NetFlow questions answered

    sotherls

      In version 3.1 there are 2 settings:

      IPs to process at a time : 500
      Maximum minutes to process IPs : 15

      Does this mean that Orion NetFlow will attempt to resolve x number of IP's within x minutes?
      If it doesn't resolve all of the 500 IP's (above setting) in 15 minutes what does NetFlow do, roll them over?

      The reason why I ask is that a security application on our server thinks it is getting hit by a UDP Port Scan due to the number of resolutions NetFlow is handling. I verified this by stopping the NetFlow service and watching the server to see if it blocked the domain controller. If NetFlow is off Orion can poll the DC, if NetFlow is running it detects it as a scan and blocks that device for a duration of time - hence giving false downs for that DC.

      If I decrease the number of IP's to resolve or increase the minutes how will this impact NetFlow?

        • Re: Need some NetFlow questions answered
          sotherls

          Solarwinds ..... PLEASE, need an answer as soon as possible!!!!!

          • Re: Need some NetFlow questions answered
            davidmaltby

            So, if I remember this correctly, once a day, the NTA service would try to resolve all the old IPs that it has that were stale (maybe 7 days or older, I think was the default) or have never been resolved (2 days default?). Anyhow, it would send out the DNS requests in batches of 500 at a time. After getting answers for all of them, then it would send out another 500. It would do this until they were all resolved or a 15 minute duration was hit.

            Hope this helps.

            David
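As an added illustration of the batch-and-deadline behaviour David describes (this is a model written for this thread, not NTA's own code), the function below walks a list of addresses in batches of a configurable size, stops when the time budget is spent, and reports how many DNS queries it sent and which addresses are left for the next run. The resolver is injectable so the sample at the bottom runs offline against a stub; the sample addresses are constructed from the RFC 5737 test range. The query counter is the number a host-based scan detector on the Orion server would see as a burst of outbound UDP/53 traffic.

```powershell
# Illustrative model of "resolve N IPs at a time, give up after M minutes".
# Not NTA's code: batch size, time limit and roll-over are the thread's description.
function Invoke-BatchedResolve {
    param(
        [string[]]$Addresses,
        [int]$BatchSize  = 500,   # "IPs to process at a time"
        [int]$MaxMinutes = 15,    # "Maximum minutes to process IPs"
        # Default resolver does a real reverse lookup; the sample below replaces it with a stub.
        [scriptblock]$Resolver = { param($ip) [System.Net.Dns]::GetHostEntry($ip).HostName }
    )
    $deadline  = (Get-Date).AddMinutes($MaxMinutes)
    $resolved  = @{}
    $remaining = [System.Collections.Generic.List[string]]::new($Addresses)
    $queries   = 0

    # One batch at a time; the deadline is checked between batches, not inside one.
    while ($remaining.Count -gt 0 -and (Get-Date) -lt $deadline) {
        $batch = @($remaining | Select-Object -First $BatchSize)
        foreach ($ip in $batch) {
            $queries++                          # every lookup is one UDP/53 query, answered or not
            try   { $resolved[$ip] = & $Resolver $ip }
            catch { $resolved[$ip] = $null }    # NXDOMAIN / timeout: recorded as unresolved
            $remaining.Remove($ip) | Out-Null
        }
    }

    [pscustomobject]@{
        Resolved  = $resolved
        Remaining = $remaining.ToArray()        # whatever the deadline cut off rolls to the next run
        Queries   = $queries
    }
}

# Constructed sample: 1200 addresses from the 203.0.113.0/24 documentation range and a
# stub resolver, so nothing is actually sent to a DNS server when you run this.
$sample = 1..1200 | ForEach-Object { "203.0.113.$(($_ % 254) + 1)" }
$stub   = { param($ip) "host-$($ip.Replace('.', '-')).example" }

$run = Invoke-BatchedResolve -Addresses $sample -BatchSize 500 -MaxMinutes 15 -Resolver $stub
"{0} DNS queries sent, {1} addresses rolled over to the next run" -f $run.Queries, $run.Remaining.Count
```

Running the sample with `-MaxMinutes 0` shows the other side of the behaviour: the loop never starts, every address lands in `Remaining`, and no queries go out. Lowering `-BatchSize` does not reduce the total number of queries, it only changes how many are in flight before the next deadline check, which is the trade-off the original question is asking about.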

              • Re: Need some NetFlow questions answered
                davidmaltby

                Further in the past, if the count of the rows in the FlowCorrelation table was enormous, tech support would even suggest running the following T-SQL

                -- Removes every row from FlowCorrelation; it is repopulated as new flows arrive.
                TRUNCATE TABLE FlowCorrelation;

                This would remove all the rows from this table. As new flows come into the system, the IP addresses for those rows would repopulate the table. Therefore, the commonly used IP addresses will get resolved quickly. This means that old charts with IP addresses that are no longer used would not be resolved. That is the only side-effect of running that T-SQL.

                Note: Later versions of NTA did a lot to address this problem.

                Thanks,

                David

              • Re: Need some NetFlow questions answered
                GZhytar

                Hi sotherls,

                These settings are for cleaning up expired IP addresses from your database (IP addresses that do not belong to any flows).

                Regarding your problem, a possible solution could be to install NTA 3.6, where we've implemented the On-Demand DNS option. It means that NTA will not resolve all IP addresses that pass through flows, but only those which are displayed on the Web site. This significantly reduces the load on the DNS server and generally improves service and database performance.

                If you can't update to 3.6 you might find it useful to completely disable name resolution. To do that, find the file %ProgramFiles%\SolarWinds\Orion\NetFlowTrafficAnalysis\NetFlowService.exe.config and change <nameResolver enabled="true" to <nameResolver enabled="false" . Then restart the NTA service. Please note that these changes will be overridden if you repair your NTA installation.

                thanks
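The config change GZhytar describes, as an added PowerShell script (not a SolarWinds-provided tool): it backs up the file, flips the `enabled` attribute on the `<nameResolver>` element, and restarts the service. Assumptions beyond the post: the element is found with a plain XPath (no XML namespace on it), the service is located by a display name containing "NetFlow" because the thread does not give the exact service name, and the shell is elevated since the file lives under %ProgramFiles%.

```powershell
# Added example for this thread, not SolarWinds' code. Run from an elevated PowerShell.
# Path is the one quoted in the post; the service lookup by display name is an assumption.
$configPath = Join-Path $env:ProgramFiles 'SolarWinds\Orion\NetFlowTrafficAnalysis\NetFlowService.exe.config'

function Set-NtaNameResolver {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][bool]$Enabled
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "Config not found: $Path" }

    # Timestamped backup: a repair install overwrites this file, so keep a copy to diff against later.
    $backup = "$Path.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    Copy-Item -LiteralPath $Path -Destination $backup

    # Edit as XML rather than with string replace so we only touch the one attribute.
    # Assumption: <nameResolver> carries no XML namespace, so the bare XPath matches it.
    [xml]$xml = Get-Content -LiteralPath $Path -Raw
    $node = $xml.SelectSingleNode('//nameResolver')
    if ($null -eq $node) { throw "No <nameResolver> element in $Path" }

    $before = $node.GetAttribute('enabled')
    $node.SetAttribute('enabled', $Enabled.ToString().ToLower())
    $xml.Save($Path)

    "nameResolver enabled: '$before' -> '$($node.GetAttribute('enabled'))' (backup: $backup)"
}

Set-NtaNameResolver -Path $configPath -Enabled $false

# Restart the NTA service so it re-reads the config. Matching on display name is an assumption;
# substitute the exact service name from services.msc if more than one service matches.
$svc = Get-Service | Where-Object { $_.DisplayName -like '*NetFlow*' }
if ($svc) {
    Restart-Service -Name $svc.Name -Force
    Get-Service -Name $svc.Name | Select-Object Name, DisplayName, Status
} else {
    Write-Warning 'No service with "NetFlow" in its display name found; restart the NTA service manually.'
}
```

To re-enable resolution later (for example after upgrading to 3.6 and switching to on-demand DNS), call `Set-NtaNameResolver -Path $configPath -Enabled $true` and restart the service again; saving through the XML parser normalises whitespace and the XML declaration, which is why the backup is kept alongside the edited file.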