NA monitoring details

[faziz]

Hi

I tried to deployed NA and working fine, but I could not fine more details on NA, it show to me Bandwidth, there is no details about consumption of each traffic like most application consume traffic and per interface traffic, is that normal, because i saw it use NetFlow which should to give more details about the traffic, but just BW;

Thanks

[eloyd]

NA is most useful if you are well familiar with libpcap style search capabilities. You can look at all of the NetFlow data you've received and query based on source IP, destination IP, source port, or destination port and then group and sort that data (and graph and alert upon it) however you want.

[lmiltchev]

Thank you @eloyd!

@faziz, let us know if eloyd answered your question. If you are unsure of how to run custom queries in Nagios Network Analyzer, you could review our documentation on the topic here:

https://assets.nagios.com/downloads/nag ... alyzer.pdf

[faziz]

actually I am looking for BW per interface, and BW consumption for each application like HTTP, VoIP, Torrent, which i could not find on NA

[eloyd]

There is no higher layer OSI model stuff in NA. In other words, you can't say "show me the traffic for streaming video" like you can with, say, a Meraki dashboard. However, you can build a port-based search query that shows you traffic to (or from) your web servers. Here's one way to do it:

• Log in to NNA
• Select the source you wish to analyze (if you have more than one source)
• Click on the "Queries" sub-tab (not the one at the top, but the one to the left of "Percentile Calculator")
• Choose the following:
• Aggregate by srcip
• Choose whatever timeframe you want from the pull-down
• In the big empty box, enter: dst port 80
• Click the blue "Run Query" button

At this point, you should have results showing all traffic (within that source) to port 80, regardless of whether it was incoming traffic to your web site or outgoing from your site to another person's web site. You can refine this by changing the big box (the query) to be something like: dst port 80 and not src net 192.168.0.0/16

Assuming your local network is 192.168.0.0/16 subnetted, then this will show inbound traffic, since it's ignoring anything generated by internal hosts.

Hopefully, you get the idea.

[cdienger]

There are a couple default queries available to help find common botnets and p2p traffic and they can be used as templates to create additional queries for traffic you're interested in. You'll find them following @eloyd's steps and clicking Load under the Queries tab. They can also be found under the main Queries link at the top of the screen.