Top 5 Talkers Summary is blank

nicholashadaway · Post by **nicholashadaway** » Tue Mar 03, 2020 4:40 pm

Attached to this post is an image showing my summary page and the top 5 talkers data is NOT showing up. Help?

nicholashadaway · Post by **nicholashadaway** » Tue Mar 03, 2020 4:45 pm

Attached to this post is the output of these commands:
chage -l nna >/tmp/info.txt
grep nna /etc/group >>/tmp/info.txt
ps -ef --cols=300 >>/tmp/info.txt
ls -lR /usr/local/nagiosna/ >>/tmp/info.txt

nicholashadaway · Post by **nicholashadaway** » Tue Mar 03, 2020 4:53 pm

And here is an example of the netflow config on a cisco device:

flow record Plixer-nbar
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match application name
collect datalink mac source address input
collect datalink mac destination address input
collect routing destination as
collect ipv4 dscp
collect ipv4 id
collect ipv4 source prefix
collect ipv4 source mask
collect transport tcp source-port
collect transport tcp destination-port
collect transport tcp flags
collect transport udp source-port
collect transport udp destination-port
collect interface output
collect flow direction
collect flow sampler
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
flow exporter Netflow-Scrutinizer
description Production-Netflow-Exporter
destination XXX.XXX.XXX.XXX
source GigabitEthernet0/0/0.1
transport udp 2055
option interface-table timeout 60
flow monitor Netflow-Monitor
description XXXX-NetFlow
exporter Netflow-Scrutinizer
cache timeout active 60
record Plixer-nbar

Post by **tgriep** » Tue Mar 03, 2020 5:45 pm

If the time is out of sync between the Cisco Device and the NNA server, that is one reason the Top 5 talkers are not displaying.
Make sure they are in sync.

You also may want to simplify the settings in the Cisco device.
See this document for sample configs that should work on your device.
https://assets.nagios.com/downloads/nag ... alyzer.pdf

nicholashadaway · Post by **nicholashadaway** » Wed Mar 04, 2020 10:28 am

time is synchronized properly with the rest of our network. NTP is very important in our environment and everything network-wide is in sync by less than 100ms.

The netflow export config has been working with our scrutinizer installation for a long time now. I can't go back to my network guys and tell them that we need to change all of our core network equipment without something more concrete. The benefits described by the sales literature I haven't been able to get out of this software so far and I am just not seeing network clarity, extensive network analysis, or adaptability at all.

I love Nagios. Have been using the software since it was called NetSaint. The XI product is something I support daily at the company I work for. My job specifically is Nagios Administrator! I experience the value and power of it every day and I share that story with everyone. I want to do the same for analyzer but so far I am just seeing that we dumped a lot of money into something that doesn't work the way it was advertised.

Please help me understand what I am doing wrong?

Post by **tgriep** » Wed Mar 04, 2020 5:20 pm

Only thing I can say is that NNA has different needs than scrutinizer.

Can you go to the following folder and post a few of the nfcapd.xxxxxxxxxxxx files here so I can see the data that is being captured?

Code: Select all

/usr/local/nagiosna/var/Port2055/flows

nicholashadaway · Post by **nicholashadaway** » Thu Mar 05, 2020 11:06 am

attached is a recent capture.

Post by **tgriep** » Thu Mar 05, 2020 4:26 pm

Take a look at the data I dumped and you will see timestamps from 1969 and that is the issue.

Code: Select all

Date first seen          Event  XEvent Proto      Src IP Addr:Port          Dst IP Addr:Port     X-Src IP Addr:Port        X-Dst IP Addr:Port   In Byte Out Byte
2020-03-05 09:04:44.353 INVALID  Ignore UDP       172.16.80.80:50089 ->      172.21.3.48:161            0.0.0.0:0     ->          0.0.0.0:0          416      0
2020-03-05 09:04:44.354 INVALID  Ignore UDP        172.21.3.48:161   ->     172.16.80.80:50089          0.0.0.0:0     ->          0.0.0.0:0          461      0
1969-12-31 18:00:00.49282 INVALID  Ignore TCP      172.21.36.175:49363 ->    172.24.199.76:2000           0.0.0.0:0     ->          0.0.0.0:0           52        0
1969-12-31 18:00:00.368 INVALID  Ignore TCP      172.24.199.76:2000  ->    172.21.36.175:49363          0.0.0.0:0     ->          0.0.0.0:0           40      0
1969-12-31 18:00:00.62645 INVALID  Ignore TCP      172.21.16.196:49196 ->    172.24.199.76:2000           0.0.0.0:0     ->          0.0.0.0:0           52        0
1969-12-31 18:00:00.25537 INVALID  Ignore TCP      172.24.199.76:2000  ->    172.21.16.196:49196          0.0.0.0:0     ->          0.0.0.0:0           40        0
1969-12-31 18:00:00.368 INVALID  Ignore UDP      12.253.31.149:5060  ->    32.253.138.58:5060           0.0.0.0:0     ->          0.0.0.0:0          468      0

If you have multiple Devices sending Flow data to the same port on the NNA server (Port 2055) one of them is mis-configured and is not sending the correct time stamp.

If it is only the device in the post, change the configuration to match one of the examples from the PDF document.

Nagios Support Forum

Top 5 Talkers Summary is blank

Top 5 Talkers Summary is blank

Re: Top 5 Talkers Summary is blank

Re: Top 5 Talkers Summary is blank

Re: Top 5 Talkers Summary is blank

Re: Top 5 Talkers Summary is blank

Re: Top 5 Talkers Summary is blank

Re: Top 5 Talkers Summary is blank

Re: Top 5 Talkers Summary is blank