0 Replies Latest reply on Mar 2, 2015 10:57 AM by kenw

    Netflow is under-reporting the amount of traffic

    kenw

      HI ,

       

      I have been wrestling with Netflow for months now, I have a server running NPM 11.0.1 and NTA 4.1.0.

       

      The collector is succesfully receiving netflow traffic from a Cisco 3750X switch, it is monitoring both ports on the C3KX-SM-10G module that is installed in the switch.

       

      The traffic I am monitoring comes from a particular IP address through the switch to a server, which then sends some traffic back to the that address.

       

      the problem I have is that the amount of traffic seen in Netflow is less than what is seen if I take a Pcap on that server.

       

      I am seeing varying differences, in a 24 hour period this could be a difference of 30MB, or as low as 2MB.

       

       

       

      I worked with Solarwinds and we took Pcaps on the Netflow server and confirmed that Netflow is reporting exactly what it is receiving from the switch, so I am now looking at the switch as the possible culprit.

       

      does anyone have any advice for me on where to start my investigation?

       

      I have a call logged with Cisco , but they seem to be taking their time responding to me.

       

      thankyou

      Ken