NAT Stitching
Enable NAT Stitching to monitor and report on the full path of your network traffic, giving you a comprehensive view of the conversations between your internal network and external entities. With NAT Stitching, you can observe conversations that traverse Network Address Translation (NAT) devices, such as routers, security gateways, firewalls, and load balancers.
When you enable NAT Stitching, you can not only store the public IP addresses of devices but also link the communication to private IP addresses on your network. If NTA detects Post-NAT fields in flow data, the IP addresses are switched automatically during processing.
Enable NAT Stitching
In fresh installations, the feature is enabled by default. If you have upgraded from an earlier version, NAT Stitching is disabled. To enable the feature:
- In the SolarWinds Platform Web Console, click Settings > All Settings.
- Under Product specific settings, click NTA Settings.
- Under NetFlow Management, select Enable NAT Stitching.
NAT events
If the feature is disabled, you receive a one-time notification and an event message.
You can either click dismiss to remove the notification from the notification bar, or click the notification to access the Events page and review related events.
When the feature is disabled, the service tries to detect NAT-capable devices. If devices are found, an event message of NetFlow Device Capability type is displayed in the SolarWinds Platform Web Console. Detection is based on NetFlow/IPFIX data templates. If the templates contain Post-NAT fields for a particular device and if the device is sending data, the device is considered NAT-capable.
When NAT-capable devices are detected while the feature is disabled, you receive an event message with a list of the detected devices. Click NTA Settings in the event message to access the NetFlow Management settings and enable NAT Stitching.
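The capability detection described above keys on the Post-NAT information elements in the exporter's NetFlow/IPFIX templates, combined with the device actually sending data. The following is an added illustration, not SolarWinds NTA code: it builds two constructed IPFIX messages (one from a NAT router whose template carries postNATSourceIPv4Address and postNAPTSourceTransportPort, one from a plain switch), parses the template and data sets, flags the observation domain as NAT-capable only once a data record arrives under a Post-NAT template, and then aggregates bytes per endpoint with and without stitching to show why the router's public address dominates the endpoint view until the private addresses are linked in. All addresses, byte counts, observation domain IDs and the "top endpoints" aggregation are constructed assumptions; the information element IDs are the IANA IPFIX registry values.

```python
# Added example (not SolarWinds NTA code): parse IPFIX, flag NAT-capable exporters
# from Post-NAT fields in their flow data, and show what stitching changes.
import struct
from ipaddress import IPv4Address

IPFIX_VERSION, TEMPLATE_SET_ID = 10, 2
# IANA IPFIX information element IDs used below.
IE_NAMES = {1: "octetDeltaCount", 7: "sourceTransportPort", 8: "sourceIPv4Address",
            11: "destinationTransportPort", 12: "destinationIPv4Address",
            225: "postNATSourceIPv4Address", 227: "postNAPTSourceTransportPort"}
POST_NAT_IES = {225, 226, 227, 228, 281, 282}   # IPv4 and IPv6 Post-NAT/NAPT elements
IPV4_IES = {8, 12, 225, 226}


def encode_record(fields, values):
    """Encode one data record; fields is [(ie_id, length)] and values aligns with it."""
    return b"".join(IPv4Address(v).packed if ie in IPV4_IES else int(v).to_bytes(ln, "big")
                    for (ie, ln), v in zip(fields, values))


def build_message(odid, template_id, fields, rows):
    """Build one IPFIX message: 16-byte header, a template set, then a data set."""
    tmpl = struct.pack("!HH", template_id, len(fields))
    tmpl += b"".join(struct.pack("!HH", ie, ln) for ie, ln in fields)
    tmpl_set = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl)) + tmpl
    data = b"".join(encode_record(fields, row) for row in rows)
    data_set = struct.pack("!HH", template_id, 4 + len(data)) + data
    body = tmpl_set + data_set
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), 0, 0, odid) + body


def parse_template_set(body):
    """Yield (template_id, [(ie_id, length, enterprise_number_or_None)]) per template."""
    off = 0
    while off + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, off)
        off += 4
        fields = []
        for _ in range(count):
            ie, ln = struct.unpack_from("!HH", body, off)
            off += 4
            pen = None
            if ie & 0x8000:        # enterprise bit: a 4-byte enterprise number follows
                pen, off, ie = struct.unpack_from("!I", body, off)[0], off + 4, ie & 0x7FFF
            fields.append((ie, ln, pen))
        yield tid, fields


def decode_records(fields, body):
    """Decode fixed-length records; a trailing remainder shorter than a record is padding."""
    rec_len, off = sum(ln for _, ln, _ in fields), 0
    while rec_len and off + rec_len <= len(body):
        rec = {}
        for ie, ln, pen in fields:
            raw, off = body[off:off + ln], off + ln
            if pen is None:    # vendor-specific elements are skipped, not interpreted
                rec[IE_NAMES.get(ie, f"ie{ie}")] = (str(IPv4Address(raw)) if ie in IPV4_IES
                                                    else int.from_bytes(raw, "big"))
        yield rec


def parse_messages(payloads):
    """Return (NAT-capable observation domain IDs, decoded flow records).

    A domain is flagged only when a data record arrives under a template that carries
    Post-NAT fields: the template must have the fields and the device must be sending
    data. A real collector would key on the exporter address as well as the domain ID."""
    templates, nat_capable, flows = {}, set(), []
    for buf in payloads:
        version, length, _, _, odid = struct.unpack_from("!HHIII", buf, 0)
        if version != IPFIX_VERSION or length != len(buf):
            raise ValueError("not a well-formed IPFIX message")
        off = 16
        while off + 4 <= length:
            set_id, set_len = struct.unpack_from("!HH", buf, off)
            if set_len < 4 or off + set_len > length:
                raise ValueError("bad set length")
            body = buf[off + 4:off + set_len]
            if set_id == TEMPLATE_SET_ID:
                for tid, fields in parse_template_set(body):
                    templates[(odid, tid)] = fields
            elif (odid, set_id) in templates:
                fields = templates[(odid, set_id)]
                has_post_nat = any(ie in POST_NAT_IES and pen is None for ie, _, pen in fields)
                for rec in decode_records(fields, body):
                    if has_post_nat:
                        nat_capable.add(odid)
                    flows.append(dict(rec, odid=odid))
            off += set_len
    return nat_capable, flows


def top_endpoints(flows, stitched):
    """Bytes per source endpoint. Unstitched, NAT traffic lands on the translated (public)
    address, i.e. the router; stitched, it is linked back to the private host."""
    totals = {}
    for rec in flows:
        src = rec["sourceIPv4Address"]
        if not stitched and rec.get("postNATSourceIPv4Address"):
            src = rec["postNATSourceIPv4Address"]
        totals[src] = totals.get(src, 0) + rec["octetDeltaCount"]
    return totals


# Constructed sample traffic (RFC 5737 documentation addresses on the public side):
# domain 1 is a NAT router exporting Post-NAT fields, domain 2 a switch exporting plain flows.
NAT_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (225, 4), (227, 2), (1, 8)]
PLAIN_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (1, 8)]
SAMPLE = [
    build_message(1, 256, NAT_FIELDS, [
        ("192.168.100.144", "203.0.113.10", 51234, 443, "198.51.100.1", 40001, 120000),
        ("192.168.100.51", "203.0.113.20", 51300, 443, "198.51.100.1", 40002, 30000)]),
    build_message(2, 256, PLAIN_FIELDS, [("10.0.0.5", "203.0.113.30", 52000, 80, 5000)]),
]

if __name__ == "__main__":
    capable, flows = parse_messages(SAMPLE)
    print("NAT-capable observation domains:", sorted(capable))
    print("Top endpoints, stitching off:", top_endpoints(flows, stitched=False))
    print("Top endpoints, stitching on:", top_endpoints(flows, stitched=True))
```

Run as a script, the unstitched view attributes all 150000 bytes from the two internal hosts to the router's public address 198.51.100.1, while the stitched view splits them across 192.168.100.144 and 192.168.100.51; the switch in observation domain 2 is never flagged because its template has no Post-NAT elements. The capability flag is set inside the data-set branch rather than when the template is received, so a device that only advertises a Post-NAT template without exporting records stays unflagged.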
Review how NAT stitching affects your data
- Select a device with NAT configured and navigate to the NetFlow Node Details page for the device.
- Observe the Top 10 Endpoints widget. You should see a large amount of traffic reported under the hostname/IP address of the router or edge device. In the image below, that would be the device router-us1.demo.
- Observe the Top 10 Conversations widget and check what conversations are reported. You may want to change to Absolute Time Period, confirming the prefilled time range, to persist the current charts and compare them with the charts after the settings change.
  If you don't have the Top 10 Endpoints and Top 10 Conversations widgets on the NetFlow Node Details page, add them.
- Enable NAT Stitching.
- Go back to the NetFlow Node Details page and set the default time interval to Last 1 hour. After 5 - 10 minutes, refresh the page to see if and how the data changed.
- In the Top 10 Endpoints widget, you should see that the amount of data reported under the router hostname or IP address is reduced significantly and traffic load is now reported under hostnames or IP addresses from the internal network. In the example below, that would be pc192-168-100-144.
- In the Top 10 Conversations widget, you should see a different list of conversations: fewer conversations with routers or edge devices (for example, between router-us1.demo and thwack.com) and more between private and public endpoints, for example, between pc192-168-100-14 and thwack.com, or between solarwinds.com and pc192-168-100-51. If there is no significant difference, try a different device for the investigation. If you still don't see any significant difference, the device may be capable of reporting Post-NAT data, but there is no NAT traffic, or no significant amount of NAT traffic, visible in the widgets.
- Additionally, you can investigate one of the conversations between an endpoint in a private network and a public endpoint. In the scenario below, the conversation between pc192-168-100-144 and thwack.com was investigated by expanding the legend under the charts to the interface level and clicking an interface, for example eth16.
- When you open the NetFlow Conversation page, switch the flow direction to ingress and egress to see both requests and responses. Observe the Conversation Total Bytes Transferred to check whether only one direction was reported before the settings change. If both directions are reported before and after the settings change, NAT stitching does not affect you and it does not matter whether you keep it enabled or disabled.
- You can also investigate the Conversation Traffic History widget to see the traffic directions. Without NAT stitching, you should see only one direction of the traffic.