Find the cause of high bandwidth utilization in SolarWinds NTA

If a node managed in SolarWinds NPM is also a NetFlow source, it exports NetFlow data that you are currently monitoring in SolarWinds NTA. You can use SolarWinds NTA to analyze interface bandwidth utilization on the node whenever your workflow requires.

This procedure assumes that you have created an Orion alert on bandwidth utilization for a specific interface, and that the alert has been triggered based on your threshold setting. For example, you may have set the trigger threshold at 80% of interface bandwidth and you now see an alert-related event.

  1. Click My Dashboards > NetFlow > NTA Summary.
  2. Under NetFlow Sources, locate and expand the relevant node.
  3. Click the interface for which you received the bandwidth utilization alert.
  4. View the Top XX Endpoints for the interface.

    Each endpoint in the list has a utilization percentage associated with it. Here you should quickly see the endpoint or endpoints responsible for the utilization alert, along with the domain associated with each endpoint. Even with the option Resolve IPv4 and IPv6 addresses to DNS hostnames enabled, SolarWinds NTA resolves hostnames when loading the Top XX Endpoints resource.

  5. View the Top XX Conversations to correlate the relevant items from the Top XX Endpoints list.

    The endpoints in these conversations should allow you to infer whether the traffic involved in these bandwidth-consuming conversations qualifies as critical to your organization. If not, you can take steps to block the offending domain or investigate for a virus attack.

    If the bandwidth consumption reflected in these conversations does meet the criteria for organizational propriety or importance, then you probably need to treat this as a capacity planning or traffic management problem. If you cannot easily provision more bandwidth, consider managing the traffic on the interface with CBQoS priorities.
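
The correlation in steps 4 and 5 can be reproduced offline on exported flow records. The following is an added example, not SolarWinds code: it ranks endpoints and conversations by share of interface capacity and maps each top endpoint to its conversations. The flow records, the 300-second window, the 100 Mbps link speed, and the way the percentage is calculated are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: (source, destination, bytes) flow records seen on one
# interface during a 300-second window. Addresses are documentation ranges.
FLOWS = [
    ("10.0.0.15", "203.0.113.7", 2_400_000_000),
    ("10.0.0.15", "198.51.100.20", 150_000_000),
    ("10.0.0.22", "203.0.113.7", 300_000_000),
    ("10.0.0.31", "192.0.2.44", 90_000_000),
    ("10.0.0.22", "192.0.2.44", 60_000_000),
]
WINDOW_S = 300            # assumed sampling window, in seconds
LINK_BPS = 100_000_000    # assumed interface speed (100 Mbps)
ALERT_PCT = 80.0          # trigger threshold from the example in the text

def pct_of_link(nbytes):
    """Average rate of nbytes over the window, as a percentage of link speed."""
    return round(nbytes * 8 * 100 / (WINDOW_S * LINK_BPS), 1)

def _rank(totals, n):
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]
    return [(key, pct_of_link(nbytes)) for key, nbytes in ranked]

def interface_utilization(flows):
    return pct_of_link(sum(nbytes for _, _, nbytes in flows))

def top_endpoints(flows, n=3):
    totals = defaultdict(int)
    for src, dst, nbytes in flows:   # an endpoint counts traffic in both directions
        totals[src] += nbytes
        totals[dst] += nbytes
    return _rank(totals, n)

def top_conversations(flows, n=3):
    totals = defaultdict(int)
    for src, dst, nbytes in flows:   # A->B and B->A are one conversation
        totals[tuple(sorted((src, dst)))] += nbytes
    return _rank(totals, n)

def correlate(flows, n=3):
    """Map each top endpoint to the top conversations it takes part in."""
    convs = top_conversations(flows, n)
    return {ep: [c for c in convs if ep in c[0]] for ep, _ in top_endpoints(flows, n)}

if __name__ == "__main__":
    used = interface_utilization(FLOWS)
    print("interface %:", used, "alert:", used >= ALERT_PCT)
    for endpoint, convs in correlate(FLOWS).items():
        print(endpoint, convs)
```

In this constructed data a single conversation accounts for 64 of the 80 percentage points, which is the pattern that separates one offending endpoint pair from a general capacity shortfall.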