
NetFlow - need more details on what is causing high T1 usage

Hello all

I have multiple T1 locations with high bandwidth utilization that I can see with our Top 10 Interfaces by Percent Utilization on the circuits. At these locations we have multiple desktops, laptops, etc., with lots of traffic caused by end users or other causes. I need to be able to show what exactly is causing the high bandwidth utilization in detail, whether it is from the web or a file transfer, etc. How can I do this? Ty!

  • I have not. I would love to learn how to use it for this. TY for your reply.

    Edited: I have used this in Netflow "Top 10 NetFlow Sources by % Utilization". I am now reading the support doc here

  • If you look under the endpoints in question, you can see what protocols they're using. If you can navigate to the layer-3 interface (vlan, etc) the end-users in question are using, you can see what the most used protocols are.

  • Ah ok! So I dive into the Netflow Endpoints. So say I have a user watching Netflix all day and it is sucking up a fractional T1; that data will post and I can drill into it to see the Hostname\IP. Am I stating that somewhat correctly?

  • It probably will, depending on whether or not that protocol is recognized. (It may fall under unknown traffic.) It should though. Most traffic is easily identified, especially when that traffic is something the user shouldn't be doing.

  • If you combine this with the Network QoE sensor from NPM 11, you should easily be able to identify exactly what you are looking for.

    NTA will give you packet header information, specifically the 7 key fields outlined by NetFlow v5.

    • Source IP Address
    • Destination IP Address
    • Source Port Number
    • Destination Port Number
    • Layer 3 Protocol Type
    • Type of Service (ToS) byte value
    • IfIndex (Logical Interface) Number

    This is a tad bit limited as you generally don't see exact websites from Flow Data (in my experience). More accurately described, you will see your traffic patterns.

        - In other words, you will be able to see the conversations, application port numbers, protocols, etc. of all the traffic leaving or coming into the layer 3 interface where you are generating flow data (usually a router interface). You will also see how much of the total bandwidth, with respect to that single interface, each of those metrics takes. So, 90% of the traffic for Gi0/0/1 is between Johnny Appleseed's IP address and this destination public IP address over port 80/HTTP. (notice I say, destination public IP address, not website URL. Sometimes you get a domain, sometimes you don't.)

    Now, to be fair, this is still a HUGE leap ahead of the current visibility you have if you are not using Flow Data in your network analysis. So don't let it sound like NetFlow isn't the coolest thing since sliced bread.

    However, if you add NPM 11's Network Sensor into the mix, then you automagically have insight into the exact use (and response times) of the packets passing the SPAN/Mirror port that your sensor watches. You can see how much use on that port goes to social media, legitimate business sites, online shopping, etc. (This is because we are now looking at the ENTIRE packet, not just the header). Now, you've got the coolest thing since the butter you put on your sliced bread. Imagine adding a live view of WireShark into your SolarWinds website, but with pretty colors and pie charts instead of lines of text running by the screen.

    For reference:

        http://www.solarwinds.com/documentation/Netflow/docs/NetFlowBasicsandDeploymentStrategies.pdf

        http://www.solarwinds.com/documentation/en/flarehelp/orionplatform/#oriondpimonitoringqoe.htm%3FTocPath%3DOrion%2520Plat…

    -ZackM

    Loop1 Systems: SolarWinds Training and Professional Services
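Added example, not part of the original thread and not SolarWinds code: a minimal NetFlow v5 export parser that extracts the key fields listed in the post above and ranks conversations on one interface by their share of bytes, which is the "90% of the traffic is between this host and that public IP over port 80" view the post describes. The sample datagram, IP addresses and ifIndex value are constructed for illustration.

```python
import socket
import struct
from collections import Counter

HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte flow record

def parse_v5(datagram):
    """Yield one dict per flow record carrying the key fields listed above."""
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 export")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated export datagram")
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        yield {"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
               "ifindex": f[3], "octets": f[6], "sport": f[9], "dport": f[10],
               "proto": f[13], "tos": f[14]}

def top_conversations(flows, ifindex, n=5):
    """Rank conversations on one input interface by share of its bytes."""
    totals = Counter()
    for fl in flows:
        if fl["ifindex"] == ifindex:
            totals[(fl["src"], fl["dst"], fl["dport"], fl["proto"])] += fl["octets"]
    all_bytes = sum(totals.values())
    return [(conv, octets, round(100 * octets / all_bytes, 1))
            for conv, octets in totals.most_common(n)]

def build_sample():
    """Constructed export datagram: three flows seen on input ifIndex 2."""
    rows = [("10.1.1.25", "198.51.100.7", 51514, 80, 6, 900_000),
            ("10.1.1.31", "203.0.113.9", 49200, 443, 6, 80_000),
            ("10.1.1.40", "192.0.2.53", 53000, 53, 17, 20_000)]
    out = HEADER.pack(5, len(rows), 0, 0, 0, 0, 0, 0, 0)
    for src, dst, sport, dport, proto, octets in rows:
        out += RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), bytes(4),
                           2, 1, 100, octets, 0, 0, sport, dport,
                           0, 0, proto, 0, 0, 0, 0, 0, 0)
    return out

if __name__ == "__main__":
    for conv, octets, pct in top_conversations(parse_v5(build_sample()), ifindex=2):
        print(conv, octets, f"{pct}%")
```

The output identifies the top talker by IP address and port only; as the post notes, the flow record carries no URL or hostname.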

  • Hi astral

    If you need a bit more detail above what NTA and NPM 11 will give, you could also try LANGuardian. Like NPM 11 it uses deep packet inspection but it also pulls other metadata like file names and URI resource names.

    Have a look at it in action at this link which shows the integration with Orion. Click on the fileshare traffic under top applications or click on a domain within the website element.

    http://demo2.netfort.com/Orion?AccountID=guest

    You can download a 30-day trial and it may provide the answers you are looking for if you don't get anywhere with the suggestions so far.

    Darragh

  • I think I am getting it. Today I was able to identify a Cisco phone (7945-VOIP) on a voice gateway that was being forwarded to another location causing 4MBS of data to be exchanged by looking at the "Top 5 conversations" on that particular node.

  • Ty. But why in the Hades is a Cisco phone transferring 4 mbs of data without video! Time to go to the Cisco forums. Heh - ty for your help.