Documentation for NetFlow Traffic Analyzer
Analyzing network traffic and bandwidth is a key capability of Hybrid Cloud Observability Advanced and is also available in a standalone module, NetFlow Traffic Analyzer (NTA). Hybrid Cloud Observability Advanced and NTA are built on the self-hosted SolarWinds Platform.

Set up network devices to export NetFlow data

You must configure your device to send flow data to SolarWinds NTA.

NTA collects NetFlow data, on port 2055 by default, only if a network device is specifically configured to send data to NTA. As a NetFlow collector, NTA can receive exported NetFlow version 5 data and NetFlow version 9 data that includes all fields of the NetFlow version 5 template. Once it collects NetFlow traffic data, NTA analyzes device bandwidth usage in terms of the source and destination endpoints of conversations reflected in the traffic.

Requirements

  • Each device must be configured to export NetFlow data to NTA.
  • Each device that exports NetFlow data to NTA must be monitored in NPM. Only nodes whose interfaces were discovered by NPM can be added as NetFlow sources.
  • Traffic from a device that is not monitored in NPM appears only in aggregate as traffic from unmonitored devices. If the device is set up to export data to NTA, but is unmonitored in NPM, the collector may receive the data without being able to meaningfully analyze it.
  • The specific interface through which a device exports NetFlow data must be monitored in NPM. The interface index number for this interface in the SolarWinds Platform database (interface table) must match the index number in the collected flow data.

Set up a device to export NetFlow data to NTA

  1. Log in to the network device.
  2. Enable NetFlow export on the device using appropriate commands. The following example enables NetFlow on a Cisco 6500 Series device:
    ip flow-export source <netflow_export_interface><interface_num>
    ip flow-export version 5
    ip flow-export destination <Orion_Server_IP_address> 2055
    ip flow-cache timeout active 1
    ip flow-cache timeout inactive 15
    snmp-server ifindex persist
  3. Add the device exporting NetFlow to NPM for monitoring.

    If you are adding a large number of NetFlow enabled nodes, use SolarWinds Platform Network Sonar. For more information, see Discovering and Adding Network Devices.

    If you are only adding a few nodes, it may be easier to use Web Node Management in the SolarWinds Platform Web Console. For more information, see Adding Devices for Monitoring in the SolarWinds Platform Web Console.

  4. Verify that the device is exporting NetFlow data as expected and that the device is monitored in NPM.

    To verify that data are exported correctly, use a packet capture tool, such as Wireshark, to search for packets sent from the network device to the SolarWinds Platform server.

    Example

    If you successfully add a NetFlow enabled device with IP address 10.199.14.2 to NPM, and the device is actively exporting NetFlow data to the SolarWinds Platform server, you will see in Wireshark a packet like the one (49) highlighted below in gray:

    As expected, we see in the packet details that 10.199.14.2 is its source IP address and 10.110.6.113 is the destination, which is the SolarWinds Platform server. This correlates with the node details on the device in the SolarWinds Platform, as highlighted in yellow.

    To verify that the IP address of the exporting interface on the network device is the one being monitored in SolarWinds Platform:

    1. Open a command line interface, log in to the network device, and then type show run to see the running configuration of the device.
    2. Page down to the lines where the export source interface is defined. In this case, we see ip flow-export source Ethernet0/0.

    To discover the IP address for this interface, type show run int Ethernet0/0. The IP address of the interface, 10.199.14.2, is being monitored by the SolarWinds Platform server.

  5. Click My Dashboards > NetFlow > NTA Summary.

    Under NetFlow Source, verify the NetFlow-enabled nodes listed with a recent time posted for collected flow.
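
The following Python parser is an added example, not part of the SolarWinds documentation or product. It decodes a NetFlow version 5 export datagram (the UDP payload that a capture from step 4 shows arriving on port 2055) and reports any interface index in the flow records that is missing from a set of NPM-monitored indexes. The sample datagram, its addresses, and the monitored index set are constructed for illustration.

```python
import socket
import struct

# NetFlow v5 wire layout: 24-byte header, then 1-30 records of 48 bytes each.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_netflow_v5(datagram):
    """Decode one export datagram; raise ValueError if it is not valid v5."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("shorter than a NetFlow v5 header")
    version, count, _, unix_secs, _, sequence, _, _, _ = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"version field is {version}, expected 5")
    if not 1 <= count <= 30:
        raise ValueError(f"record count {count} outside 1-30")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram length does not match record count")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "input_if": f[3], "output_if": f[4],
                      "packets": f[5], "octets": f[6], "protocol": f[13]})
    return {"version": version, "count": count, "sequence": sequence,
            "unix_secs": unix_secs}, flows

def unmonitored_ifindexes(flows, monitored):
    """Interface indexes seen in the flow records but absent from `monitored`."""
    seen = {f["input_if"] for f in flows} | {f["output_if"] for f in flows}
    return seen - set(monitored)

# Constructed sample: one TCP flow entering ifIndex 1 and leaving ifIndex 2.
SAMPLE = V5_HEADER.pack(5, 1, 1000, 1700000000, 0, 42, 0, 0, 0) + V5_RECORD.pack(
    socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.20"),
    socket.inet_aton("0.0.0.0"), 1, 2, 10, 840, 100, 900,
    51000, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)

if __name__ == "__main__":
    header, flows = parse_netflow_v5(SAMPLE)
    print(header, flows)
    # Assumed (constructed) set of ifIndex values monitored in NPM.
    print("unmonitored ifIndex:", unmonitored_ifindexes(flows, {1}))
```

The exporter's IP address is not carried in the v5 payload; it is the source address of the UDP packet, which is what the capture in step 4 compares against the node monitored in NPM.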