Documentation forNetFlow Traffic Analyzer
Analyzing network traffic and bandwidth is a key capability of SolarWinds Observability Self-Hosted (formerly Hybrid Cloud Observability) and is available in the Advanced edition. NetFlow Traffic Analyzer (NTA) is also available in a standalone module.

Set up NBAR2 on Cisco devices

Network Based Application Recognition (NBAR) is the mechanism used by certain Cisco routers and switches to recognize a dataflow by inspecting some of the packets sent. NTA 2024.4 supports unknown traffic detection and advanced application recognition through NBAR2.

First, configure your Cisco devices to send NBAR2 data to NTA. Second, add those devices as nodes in NPM and NTA.

The following values are examples used in the commands below:

  • NTArec
  • NTAexp
  • NTAmon
  • GigabitEthernet0/1
  • 10.10.10.10

Create a new Flexible NetFlow configuration

Add the flow record

This process is similar to creating a standard NetFlow configuration. In this case, you add the collect application name command to enable the sending of AppID in each flow.

flow record NTArec
	match ipv4 tos
	match ipv4 protocol
	match ipv4 source address
	match ipv4 destination address
	match transport source-port
	match transport destination-port
	match interface input
	collect interface output
	collect counter bytes
	collect counter packets
	collect application name
exit

Add the flow exporter

The option application-table command enables the sending of a list of applications that can be classified using NBAR2, including applications that were manually created. The option application-attributes command enables the sending of categories for all applications.

flow exporter NTAexp
	destination 10.10.10.10
	source GigabitEthernet0/1
	transport udp 2055
	export-protocol netflow-v9
	template data timeout 60
	option application-table timeout 60
	option application-attributes timeout 300
exit

Add the flow monitor

The flow monitor connects the flow recorder and the flow exporter. You can configure multiple recorders, exporters, and monitors at once.

flow monitor NTAmon
	description NetFlow nbar
	record NTArec
	exporter NTAexp
	cache timeout inactive 30
	cache timeout active 60
exit

When receiving long flows, these values may need to be adjusted, see Troubleshoot Long Flow Errors in NTA for more details. For more information about the timeout values, refer to the Cisco NetFlow Command Reference.

Apply the monitor to an interface

Assign the Flexible NetFlow configuration to the interface from which to monitor NetFlow.

interface GigabitEthernet0/1
	ip flow monitor NTAmon input
	ip flow monitor NTAmon output
exit

Diagnostic commands

show flow record "recordName"
show flow export "exporterName"
show flow monitor "monitorName"
show flow exporter statistics
show flow interface

Determine the applications your device can recognize

The Protocol Pack is a list of applications, definitions, and categories that your device can recognize.

Check the Protocol Pack version

show ip nbar version

View a list of the available applications

show ip nbar protocol-id

Edit an existing record

If you edit an existing record that is in use, you receive the following error:

% Flow Record: Flow Record is in use. Remove from all clients before editing.

To resolve this error, remove the connection between the monitor, record, and interface.

Disable the connection

interface GigabitEthernet0/1
	no ip flow monitor NTAmon input
	no ip flow monitor NTAmon output
exit

Add the application recognition field into the record

flow record NTArec
	collect application name
exit

Add the application recognition field into the exporter

flow exporter NTAexp
	option application-table timeout 60
	option application-attributes timeout 300

Restore the connection

interface GigabitEthernet0/1
	ip flow monitor NTAmon input
	ip flow monitor NTAmon output
exit