In solarwinds we can view by conversation. I can't seem to find that option in NNA. I can sort by top talkers and such, but I want to know who are having the busiest conversation.
Thanks!
Conversation view
2 of XI5.6.14 Prod/DR/DEV - Nagios LogServer 2 Nodes
See my projects on the Exchange at BanditBBS - Also check out my Nagios stuff on my personal page at Bandit's Home and at github
-
jdalrymple
- Skynet Drone
- Posts: 2620
- Joined: Wed Feb 11, 2015 1:56 pm
Re: Conversation view
Create a query, aggregate by srcip,dstip - don't bother including Raw Query data if you want to query ALL your traffic. You may have to impose some sort of limit using Raw Query if you want it to ever finish.
When the query is done, sort how you wish - bytes, bytes/sec.
This is host <--> host. I was shooting to make one that aggregated by all 4 fields, but I couldn't get that to work at all for me. I'm going to do some digging in the backend and see if that's just a UI bug or if nfdump is blowing up completely.
Re: Conversation view
Thanks man....I think we're actually getting the hang of this now 
2 of XI5.6.14 Prod/DR/DEV - Nagios LogServer 2 Nodes
See my projects on the Exchange at BanditBBS - Also check out my Nagios stuff on my personal page at Bandit's Home and at github
-
jdalrymple
- Skynet Drone
- Posts: 2620
- Joined: Wed Feb 11, 2015 1:56 pm
Re: Conversation view
I would guess that nfdump is just not smart enough to handle a query aggregating by all 4 primary fields with no raw query - it wasn't going to finish in any reasonable amount of time. I doubt there is going to be anything we can do about that.
I added a nice simple query "dst port 80 or dst port 443" and that gave me results in about 10 seconds (at the CLI).
Running the same query in the GUI, got a chord diagram in about 5 seconds, but nfdump died and my little wait spinner just sat and spun in the UI.
Is aggregating by all 4 fields going to be important? If so I'll have to run this one up to the devs to look at.
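The two jdalrymple posts above describe the same job done with nfdump: aggregate flows by srcip,dstip (host <--> host), optionally by all four of srcip, srcport, dstip, dstport, apply a filter such as "dst port 80 or dst port 443" to keep the run short, and sort by bytes. The block below is an added example, not code from the thread, from Nagios Network Analyzer or from nfdump; it does that aggregation in Python over a handful of constructed flow records so the behaviour can be checked without a collector. The record layout (srcip,srcport,dstip,dstport,proto,packets,bytes) is an assumption made for the example and is not nfdump's real CSV output. It goes one step beyond the posts: `conversations()` folds both directions of a host pair into one row, which is what a "busiest conversation" view actually needs, and `port_filter()` matches either end so the reply direction is not dropped by a dst-port-only filter.

```python
"""Host <-> host conversation aggregation over flow records (added example).

Not part of the forum thread, Nagios Network Analyzer or nfdump. The input
format and the sample flows below are constructed for this example.
"""
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed sample flow records, one per line:
# srcip,srcport,dstip,dstport,proto,packets,bytes   (assumed layout, not nfdump's)
SAMPLE_FLOWS = """\
10.0.0.5,51234,93.184.216.34,443,tcp,120,98000
93.184.216.34,443,10.0.0.5,51234,tcp,90,1450000
10.0.0.5,51235,93.184.216.34,443,tcp,30,12000
10.0.0.7,40000,10.0.0.9,22,tcp,500,64000
10.0.0.9,22,10.0.0.7,40000,tcp,480,520000
10.0.0.8,60000,203.0.113.10,80,tcp,40,6000
203.0.113.10,80,10.0.0.8,60000,tcp,35,210000
10.0.0.8,60001,203.0.113.10,8080,tcp,10,900
"""

FIELDS = ("srcip", "srcport", "dstip", "dstport", "proto", "packets", "bytes")
Row = Tuple[tuple, int, int]  # (key, packets, bytes)
Filter = Optional[Callable[[dict], bool]]


def parse_flows(text: str) -> List[dict]:
    """Parse the constructed CSV layout into dicts with numeric ports/counters."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != len(FIELDS):
            raise ValueError(f"bad record: {line!r}")
        rec = dict(zip(FIELDS, parts))
        for f in ("srcport", "dstport", "packets", "bytes"):
            rec[f] = int(rec[f])
        flows.append(rec)
    return flows


def dst_port_filter(ports: Iterable[int]) -> Callable[[dict], bool]:
    """Same selection as the nfdump filter 'dst port 80 or dst port 443'.

    Note: this keeps only the client->server direction; server replies carry
    the ephemeral port as dst and are dropped.
    """
    wanted = set(ports)
    return lambda f: f["dstport"] in wanted


def port_filter(ports: Iterable[int]) -> Callable[[dict], bool]:
    """Match either end of the flow (nfdump 'port 80 or port 443'), so both
    directions of a conversation survive the filter."""
    wanted = set(ports)
    return lambda f: f["dstport"] in wanted or f["srcport"] in wanted


def _sum(flows: Iterable[dict], keyfn: Callable[[dict], tuple], flt: Filter) -> List[Row]:
    totals: Dict[tuple, List[int]] = defaultdict(lambda: [0, 0])
    for f in flows:
        if flt is not None and not flt(f):
            continue
        k = keyfn(f)
        totals[k][0] += f["packets"]
        totals[k][1] += f["bytes"]
    # bytes descending, key ascending for a stable order
    return sorted(((k, p, b) for k, (p, b) in totals.items()), key=lambda r: (-r[2], r[0]))


def aggregate(flows: Iterable[dict], keys: Tuple[str, ...], flt: Filter = None) -> List[Row]:
    """nfdump-style aggregation: one row per distinct value of `keys`.

    keys=("srcip", "dstip") is the one-directional host->host table from the
    thread; keys=("srcip", "srcport", "dstip", "dstport") is the 4-field
    aggregation, which produces one row per flow tuple and is why it gets big.
    """
    return _sum(flows, lambda f: tuple(f[x] for x in keys), flt)


def conversations(flows: Iterable[dict], flt: Filter = None) -> List[Row]:
    """Bidirectional host <-> host totals.

    The key is the unordered IP pair, so A->B and B->A fold into one row and
    the row's bytes are the whole conversation, not just one direction.
    """
    return _sum(flows, lambda f: tuple(sorted((f["srcip"], f["dstip"]))), flt)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("busiest conversations (both directions):")
    for (a, b), pkts, byts in conversations(flows)[:5]:
        print(f"  {a} <-> {b}  {pkts} pkts  {byts} bytes")
    print("web traffic, host->host, dst-port filter only:")
    for (s, d), pkts, byts in aggregate(flows, ("srcip", "dstip"), dst_port_filter([80, 443])):
        print(f"  {s} -> {d}  {pkts} pkts  {byts} bytes")
```

On the sample data the dst-port-only filter reports the 10.0.0.5 <-> 93.184.216.34 conversation at 110000 bytes, while the either-end filter reports 1560000 bytes, because nearly all of the bytes are in the server-to-client direction. If you use a Raw Query just to make nfdump finish, write it so it matches both directions, or the top-talker ordering will reflect request sizes rather than the traffic that is actually on the wire.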
Re: Conversation view
jdalrymple wrote: Is aggregating by all 4 fields going to be important? If so I'll have to run this one up to the devs to look at.
Not for me, I don't think so.
2 of XI5.6.14 Prod/DR/DEV - Nagios LogServer 2 Nodes
See my projects on the Exchange at BanditBBS - Also check out my Nagios stuff on my personal page at Bandit's Home and at github
Re: Conversation view
Yes Mr. McDonald, lock 'er up!
2 of XI5.6.14 Prod/DR/DEV - Nagios LogServer 2 Nodes
See my projects on the Exchange at BanditBBS - Also check out my Nagios stuff on my personal page at Bandit's Home and at github
