Sorting NNA data by sending device?

[vAJ]

I'm trying to move our organization from Solarwinds netflow analyzer to NNA.

In SW's product, I can view each device's netflow , then get into my specifics like TopTalkers, etc.

In NNA, it seems that we have to create a separate source for each network device in order to do this. I understand that multiple devices can send to the same "source" but I can't figure out how to split up the information based on the "actual" source.

Also, where do we find query syntax references? The query doc is very limited.

-Andrew

[jdalrymple]

vAJ,

It seems like what you want to do should be possible with a simple query that displays only the data with 'dst host <nna> and dst port <nna source port>'. I can say that this will only work if your devices choose to include the netflow data itself into the flows - it seems my test device does not.

As far as a quick view of the "actual" sources parsed out within an NNA source, right now we're gathering the source information but within the product we're not doing anything with it, so as far as it being a built in function to separate those out - it doesn't exist. We could potentially add it as a feature request, and since I am personally unable to use my workaround to achieve the desired results it seems like it would be a good one.

As for query syntax, it is the virtually the same as pcap syntax as it's based on the nfdump filter engine.

If you would like me to put in that feature request can you please document exactly what it is you're seeking? I think I understand I just want to make sure so that I don't insert a needless feature request. Namely I'm trying to understand if you need the ability to filter on the "actual" source or if you're just looking for a display that indicates some metrics about the "actual" sources as individual units.

[vAJ]

Sure thing. And if anyone there would like to look at how we current use the other product, I'm happy to have a remote session to go through it all.

Thanks for the nfdump note, I hadn't gathered that as of yet.

[jdalrymple]

Namely I'm trying to understand if you need the ability to filter on the "actual" source or if you're just looking for a display that indicates some metrics about the "actual" sources as individual units.

Sorry vAJ, that was kind of a "this or that" question - or do you need both features?

[vAJ]

When I open the UI, I don't care to know about the collector.

I want to see the individual routers / switches, then drill into the metrics for each. Obviously, I could setup separate collector "sources" for each individual network device, but that would require a custom netflow config on each device. My network engineers would laugh me out of the room and go back to using Solarwinds.

Having indivudal device stats along with global Top X stats.

Tried to attached a screenshot sample, but getting this msg, "Sorry, the board attachment quota has been reached."

[jdalrymple]

So then the latter. You want to have your real sources sorted out when you're looking at the sources screen, but...


"host 10.10.10.1 and port 443 and source-netflow-dispatcher 6509-1A"

would be no more useful to you than just plain old

"host 10.10.10.1 and port 443"?

[vAJ]

Yeah, I'm just not getting what I need with this.

we have pairs of public edge routers, firewalls and distribution switches at each of our major sites. I'd like to build view that correlate to those sites separately. My network team wants to know which network device is reporting the traffic.

If this is clear as mud, please let me know...

[vAJ]

So, I'm starting to realize the only way I'm going to do this is similar to LogServer where I need to have disparate systems send their data to separate ports.

Then create separate sources and possibly source groups for each device?

[jdalrymple]

I talked with the developers about this some months ago. By my recollection NNA is currently storing that source data, it's just not doing anything with it, but we want to.

What you are describing makes perfect sense, I'm a big confused about our inability to achieve what you want though.

My network team wants to know which network device is reporting the traffic.

I can only assume that this is because you want to know which of your pair of border network devices is handling which traffic. You said routers so I assume there is "routing" going on. Unless they're somehow sharing layer 3 addresses (no technology I know of that allows this) it seems like this traffic should be separable without needing to know the source of the network device. The only situation I can think of where you would really need to know the source of the netflow would be if it was a layer 2 only device.

I'm sure I'm missing something... ???

[vAJ]

After reading back through the docs, I realized that it's recommended that each device send to separate listening ports. We're in the process of doing this now.

-Andrew