3 Replies Latest reply on Apr 22, 2015 4:13 PM by Craig Norborg

    NTA not reporting on all traffic

    jasonflory

      Hello Everyone

      We just installed NTA in our environment and noticed that NTA is not reporting on all conversations from end points.  Seems it is missing a great deal.  If I use the real-time network traffic analyzer it shows a completely different data set.  I did go into settings and select monitor all traffic.

      We are using NTA 4.0 and will be upgrading soon.

      Netflow source is a Cisco 3850 with 3.3.0 IOS.  See below

      flow record NTArecord
       match ipv4 tos
       match ipv4 protocol
       match ipv4 source address
       match ipv4 destination address
       match transport source-port
       match transport destination-port
       match interface input
       collect interface output
       collect counter bytes long
       collect counter packets long
      !
      flow exporter NTAexport
       destination 10.2.4.100
       source GigabitEthernet1/0/1
       transport udp 2055
       template data timeout 60
      !
      flow monitor NTAmonitor
       exporter NTAexport
       cache timeout active 60
       record NTArecord

        • Re: NTA not reporting on all traffic
          Craig Norborg

          NTA by default does not report on all traffic flows, only what it considers to be interesting.  What does it consider to be interesting?  

          Go to your NTA settings, then look at "Applications and Service Ports - Choose the applications and ports that you want to monitor".    This is a list of everything that is currently monitored.    You can choose what it does/doesn't monitor here and even add new application and service ports that might be relevant to your environment.  If you'd rather just monitor all ports regardless of what is on that page, go back to the main NTA settings page and look for the "Enable data retention for traffic on unmonitored ports" and check that.

          You might also need to go to "Monitored Protocols" to see what protocols are being monitored. 

          Why don't they monitor everything by default?   Saves on database space and makes reporting quicker.

            • Re: NTA not reporting on all traffic
              jasonflory

              Thanks Craig

              We did go to settings and select monitor all ports.  We wanted to do this in the beginning so we could start to label traffic.  The flows that it is missing are standard protocols.  Port 445 for CIFS.  As a test I installed the real-time NetFlow analyzer and selected my machine as an endpoint and then did things like RDP, file transfers, etc.  SolarWinds NTA does not show the same thing as the real-time traffic analyzer does.  When it does pick up traffic the "total traffic" is usually incorrect.  For instance I transferred 3 GB of data and it saw 10mgs between my machine and file server.

              I am only monitoring traffic input.  From what I understand that should get everything. 

                • Re: NTA not reporting on all traffic
                  Craig Norborg

                  Ah, didn't know that.   Going out on a limb here and guessing you might have a Layer-3 image installed on your switch?   If so, can you describe the topology a bit?   Are the source and destinations of the traffic you're monitoring on the switch itself?     Are the source/destination on the same subnet or different subnets?  Are you configuring all interfaces with the NetFlow commands?   What about the Layer-2 VLANs?

                  I haven't worked with NetFlow on a 3850 much, but from what I'm reading you probably want to configure your NetFlow template on the inbound direction of each interface that traffic might pass over.     It's possible you might need to configure it on your L3 and L2 VLAN interfaces, which appears to be supported on this platform.

                  I know on the 6500s by default you only see the traffic that isn't Layer-3 switched, until you configure some mls commands I think.  Quite often the only traffic you see is that going to/from the router, like telnet/ssh/snmp/etc. until you get it configured right.    From the 3850 features, it sounds like this might not be the case with the 3850s though; I definitely don't see it in the IOS commands right now.

                  Unfortunately the only 3850 I have available is in a low traffic area, so I’m not sure if what I’m seeing in our config is all the netflow we should be seeing or not.  I am seeing some flows reach over 10Mb  though.   Our configuration is very similar to yours…
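The original post shows the flow record, exporter and monitor but not where the monitor is applied, and the last reply suggests attaching it inbound on every interface (and VLAN) that carries the traffic of interest. The following is an added example of that step, not configuration from either poster: it reuses the NTAmonitor name from the thread, but the interface names, VLAN ids and the choice of which ports to cover are assumptions for illustration.

```cisco
! Added example (not from the thread): apply the existing NTAmonitor
! inbound on every interface the traffic can enter, so that both halves
! of a conversation are captured. Interface names and VLAN ids are assumed.

! Access ports where the endpoints live (one direction of each flow
! enters here). The ingress-only monitor relies on the other half of the
! conversation entering through a different monitored interface.
interface range GigabitEthernet1/0/2 - 24
 ip flow monitor NTAmonitor input
!
! Uplink toward servers / other subnets: return traffic enters here.
! Without this, flows from the file server back to the client are never
! seen, which undercounts "total traffic" for a transfer.
interface TenGigabitEthernet1/1/1
 ip flow monitor NTAmonitor input
!
! Layer-2 traffic that is switched within a VLAN never hits an SVI, so
! the monitor is attached at the VLAN level as well (assumed VLAN 10/20).
vlan configuration 10,20
 ip flow monitor NTAmonitor input
!
! Verification: confirm the cache is filling and the exporter is sending.
! show flow monitor NTAmonitor cache format table
! show flow monitor NTAmonitor statistics
! show flow exporter NTAexport statistics
! show flow interface GigabitEthernet1/0/2
```

The `show flow exporter ... statistics` counters are the quickest way to separate a switch-side problem (no packets exported, or a template never sent) from a collector-side one (flows exported but filtered by NTA's monitored ports and protocols settings discussed above).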