When placed on the Node Details or Interface Details view, this widget provides a view of the applications responsible for the most traffic passing through the viewed node or interface over the selected period of time.

This widget shows only applications whose monitoring has been enabled on the Manage Applications and Service Ports view. Data for ports and applications whose monitoring is not enabled are collected, aggregated, and shown in the Top XX Applications widget as Unmonitored Traffic. For more information about monitored ports and applications, see Configuring Monitored Ports and Applications.

If you are seeing no data in the Top XX Applications view, make sure you are receiving data for the flow type selected in the top right of the Top Applications panel. If monitoring NBAR2 applications for which you are not seeing a name identified for the application, see NBAR2 Applications for an explanation of how these applications are classified in NTA.

The table below the chart provides the following information:

• Application: The application name with its assigned port number in parentheses.

• Ingress Bytes, Egress Bytes/Ingress Packets, Egress Packets: Displays the amount of data (in bytes and packets) flowing to the selected application through the viewed node or interface.
  The columns displayed depend on the flow direction set in the top left corner of the view (either only Ingress Bytes, or only Egress Bytes, or both columns).

• Percent (Utilization): Displays the percentage of all traffic through the viewed object attributed to use of the listed application.
  

The first value describes the percentage of the appropriate item based on items shown by the chart. Individual items in the legend add up 100%. This percentage can be absolute or relative. For more information, see Set the Percentage type for Top XX lists.

A value in parentheses is available only for interfaces. It describes how the appropriate item utilizes the interface bandwidth in percentage.

If the utilization is approximately twice as high as it should be, for example 150% instead of 75%, it might be caused by flow duplication. For more information, see Resolve duplicate flows.

View details about NBAR2 applications

If you select NBAR2 in the drop-down in the top-right corner of the Top XX Applications widget, NTA populates the chart with the top NBAR2 applications identified by name.

NBAR2 applications are identified by name and application vendor icon. Hover over the icon of the application vendor to see the name of the vendor.

View unmonitored traffic

If there are applications whose monitoring is not enabled in the Manage Applications and Service Ports page, the Top XX Applications widget on a summary view displays the Unmonitored Traffic item. This item aggregates traffic coming from ports or applications whose monitoring is not enabled at the moment.

1. Click the Unmonitored Traffic item to go to the NetFlow Applications Summary view filtered by unmonitored traffic.
2. Consult the Top XX Applications widget. The widget will list unmonitored applications, and allow you to monitor appropriate ports.

Enable monitoring of unmonitored ports

If you are viewing the Top XX Applications widget on an Unmonitored Traffic view, you can enable monitoring of unmonitored ports:

1. In the list of unmonitored applications, click Monitor Port to enable monitoring of the port.
2. On the Monitor Application window, select the port(s) to monitor.
3. Select the Source and Destination IP Address and the protocol to monitor.
4. Enter a Description, and then click Add Application to enable monitoring.

   You can also enable monitoring for these applications and ports on the Manage Applications and Service Ports page. For more details, see Configuring Monitored Ports and Applications.

Top XX Applications (Endpoint Centric)

You can customize an endpoint-centric version of this widget and place it on the NetFlow Node Details or Interface Details view.

The endpoint-centric Top XX Applications widget provides a ranked list of applications responsible for traffic passing through the specified node or interface.

For more information about adding endpoint-centric widgets, see Add endpoint-centric widgets to NTA views.

When placed on the Node Details or Interface Details view, this widget provides a view of the autonomous systems responsible for the most traffic passing through the viewed node or interface over the selected period of time.

To find out more about autonomous systems monitored by NTA, see Managing Autonomous System Networks.

The table below the chart provides the following information:

• Autonomous System: The autonomous system ID.

• Ingress Bytes, Egress Bytes/Ingress Packets, Egress Packets: Displays the amount of data (in bytes and packets) flowing to the selected autonomous system through the viewed node or interface.
  The columns displayed depend on the flow direction set in the top left corner of the view (either only Ingress Bytes, or only Egress Bytes, or both columns).

• Percent (Utilization): Displays the percentage of all traffic through the viewed object that can be attributed to listed autonomous systems.
  

The first value describes the percentage of the appropriate item based on items shown by the chart. Individual items in the legend add up 100%. This percentage can be absolute or relative. For more information, see Set the Percentage type for Top XX lists.

A value in parentheses is available only for interfaces. It describes how the appropriate item utilizes the interface bandwidth in percentage.

If the utilization is approximately twice as high as it should be, for example 150% instead of 75%, it might be caused by flow duplication. For more information, see Resolve duplicate flows.

When placed on the Node Details or Interface Details view, this widget provides a view of the autonomous systems conversations responsible for the most traffic passing through the viewed node or interface over the selected period of time.

Clicking a listed autonomous systems conversations or drilling down to relevant nodes and interfaces opens the NetFlow Autonomous Systems Conversations Summary for the selected conversation.

When placed on the Node Details or Interface Details view, this widget provides a view of the conversations responsible for the most traffic passing through the viewed node or interface over the selected period of time.

The table below the chart provides the following information:

• Conversation: Conversation endpoints with IP addresses in parentheses.

• Ingress Bytes, Egress Bytes/Ingress Packets, Egress Packets: Displays the amount of data (in bytes and packets) flowing in the selected conversation through the viewed node or interface.
  The columns displayed depend on the flow direction set in the top left corner of the view (either only Ingress Bytes, or only Egress Bytes, or both columns).

• Percent (Utilization): Displays the percentage of all traffic through the viewed object that can be attributed to a particular conversation.

The first value describes the percentage of the appropriate item based on items shown by the chart. Individual items in the legend add up 100%. This percentage can be absolute or relative. For more information, see Set the Percentage type for Top XX lists.

A value in parentheses is available only for interfaces. It describes how the appropriate item utilizes the interface bandwidth in percentage.

If the utilization is approximately twice as high as it should be, for example 150% instead of 75%, it might be caused by flow duplication. For more information, see Resolve duplicate flows.

Top XX Conversations (Endpoint Centric)

You can customize an endpoint-centric version of this widget and place it on the NetFlow Node Details or Interface Details view. The endpoint-centric Top XX Conversations widget provides a ranked list of conversations conducted over the selected node or interface.

For more information about adding endpoint-centric widgets, see Add endpoint-centric widgets to NTA views.

The table provides the following information:

• Conversation endpoints with IP addresses in parentheses.
• The amount of data in bytes, flowing in the selected conversation through the viewed node or interface.
• The percentage of all traffic through the viewed node or interface that can be attributed to a particular conversation.

When placed on the Node Details or Interface Details view, this widget provides a view of the countries responsible for the most traffic passing through the viewed node or interface over the selected period of time.

The table below the chart provides the following information:

• Country:  The name of the country and its flag, if available.

• Ingress Bytes, Egress Bytes/Ingress Packets, Egress Packets: Displays the amount of data (in bytes and packets) traceable to the listed country over the selected period of time.
  The columns displayed depend on the flow direction set in the top left corner of the view (either only Ingress Bytes, or only Egress Bytes, or both columns).

• Percent (Utilization):  Displays the percentage of all traffic over the viewed node or interface that is traceable to the listed country.

The first value describes the percentage of the appropriate item based on items shown by the chart. Individual items in the legend add up 100%. This percentage can be absolute or relative. For more information, see Set the Percentage type for Top XX lists.

A value in parentheses is available only for interfaces. It describes how the appropriate item utilizes the interface bandwidth in percentage.

If the utilization is approximately twice as high as it should be, for example 150% instead of 75%, it might be caused by flow duplication. For more information, see Resolve duplicate flows.

Top XX Countries (Endpoint Centric)

You can customize an endpoint-centric version of this widget and place it on the NetFlow Node Details or Interface Details view.

The endpoint-centric Top XX Countries widget provides a ranked list of countries to and from which the selected node or interface initiated or terminated traffic.

For more information about adding endpoint-centric widgets, see Add endpoint-centric widgets to NTA views.

• When placed on a summary view, the widget shows top domains responsible for most traffic from all monitored nodes.
• When placed on the Node Details or Interface Details view, this widget provides a view of the domains responsible for the most traffic passing through the viewed node or interface over the selected period of time.

Top XX Domains widgets are not available if Live DNS Lookup for IPv4 and IPv6 addresses is enabled. For more information about DNS resolution options in NTA, see Configuring DNS and NetBIOS Resolution.

Packet flow for IP groups and countries can include two domains within each communication packet processed through a network device. The total traffic presented for top domains may thus appear as much as twice what it actually is.

The table below the chart provides the following information:

• Domain: Displays the domain logo icon, if available, and name.

• Ingress Bytes, Egress Bytes/Ingress Packets, Egress Packets: Displays the amount of traffic, in both bytes and packets, transmitted by each domain through the viewed object over the selected period of time.
  The columns displayed depend on the flow direction set in the top left corner of the view (either only Ingress Bytes, or only Egress Bytes, or both columns).

• Percent (Utilization): Displays the percentage of all traffic over the viewed node or interface that is traceable to the listed domain.

The first value describes the percentage of the appropriate item based on items shown by the chart. Individual items in the legend add up 100%. This percentage can be absolute or relative. For more information, see Set the Percentage type for Top XX lists.

A value in parentheses is available only for interfaces. It describes how the appropriate item utilizes the interface bandwidth in percentage.

If the utilization is approximately twice as high as it should be, for example 150% instead of 75%, it might be caused by flow duplication. For more information, see Resolve duplicate flows.

Top XX Domains (Endpoint Centric)

You can customize an endpoint-centric version of this widget and place it on the NetFlow Node Details or Interface Details view.

The endpoint-centric Top XX Applications widget provides a ranked list of domains to and from which the selected node or interface initiated or terminated traffic.

For more information about adding endpoint-centric widgets, see Add endpoint-centric widgets to NTA views.

When placed on the Node Details or Interface Details view, this widget provides a view of the endpoints responsible for the most traffic passing through the viewed node or interface over the selected period of time.

There are always two endpoints for each communication packet processed through a network device, and the total traffic counted for endpoints can thus seem double what it is.

To find out more about resolving endpoint names, see Configuring DNS and NetBIOS Resolution.

The table below the chart provides the following information:

• Hostname:  Displays the endpoint hostname or IP address.

• Ingress Bytes, Egress Bytes/Ingress Packets, Egress Packets: Displays the amount of traffic, in both bytes and packets, through the viewed object traceable to the listed endpoint over the selected period of time.
  The columns displayed depend on the flow direction set in the top left corner of the view (either only Ingress Bytes, or only Egress Bytes, or both columns).

• Percent (Utilization): Displays the percentage of all traffic over the viewed object that is traceable to the listed endpoint.

The first value describes the percentage of the appropriate item based on items shown by the chart. Individual items in the legend add up 100%. This percentage can be absolute or relative. For more information, see Set the Percentage type for Top XX lists.

A value in parentheses is available only for interfaces. It describes how the appropriate item utilizes the interface bandwidth in percentage.

If the utilization is approximately twice as high as it should be, for example 150% instead of 75%, it might be caused by flow duplication. For more information, see Resolve duplicate flows.

Top XX Endpoints (Endpoint Centric)

You can customize an endpoint-centric version of this widget and place it on the NetFlow Node Details or Interface Details view.

The endpoint-centric Top XX Endpoints widget provides a ranked list of endpoints to which the selected node or interface initiated or terminated traffic.

For more information about adding endpoint-centric widgets, see Add endpoint-centric widgets to NTA views.

When placed on the Node Details or Interface Details view, this widget provides a view of the IP address groups responsible for the most traffic through the viewed node or interface over the selected period of time.

For more information about IP address groups defined in your NTA, see Selecting IP Address Groups for Monitoring.

There can be two domains for each communication packet processed through a network device, and thus the total traffic counted for IP address groups can seem as much as twice what it is.

The table below the chart provides the following information:

• Group: Displays the IP address group range or name.

• Ingress Bytes, Egress Bytes/Ingress Packets, Egress Packets: Displays the amount of traffic in both bytes and packets, through the viewed object traceable to the listed IP address group over the selected period of time.
  The columns displayed depend on the flow direction set in the top left corner of the view (either only Ingress Bytes, or only Egress Bytes, or both columns).

• Percent (Utilization): Displays the percentage of all traffic over the viewed object that is traceable to the listed IP address group.

The first value describes the percentage of the appropriate item based on items shown by the chart. Individual items in the legend add up 100%. This percentage can be absolute or relative. For more information, see Set the Percentage type for Top XX lists.

A value in parentheses is available only for interfaces. It describes how the appropriate item utilizes the interface bandwidth in percentage.

If the utilization is approximately twice as high as it should be, for example 150% instead of 75%, it might be caused by flow duplication. For more information, see Resolve duplicate flows.

Top XX IP Address Groups (Endpoint Centric)

You can customize an endpoint-centric version of this widget and place it on the NetFlow Node Details or Interface Details view. The endpoint-centric Top XX IP Address Groups widget provides a ranked list of IP address groups responsible for the most traffic through the viewed node or interface.

For more information about adding endpoint-centric widgets, see Add endpoint-centric widgets to NTA views.

When placed on the Node Details or Interface Details view, this widget provides a view of the conversations responsible for the most traffic passing through the viewed node or interface over the selected period of time.

For more information about IP Address Groups defined in your NTA, see Selecting IP Address Groups for Monitoring.

The table below the chart provides the following information:

• IP Address Group Conversation: The IP address groups conversation endpoints with IP addresses in parentheses.

• Ingress Bytes, Egress Bytes/Ingress Packets, Egress Packets: Displays the amount of data (in bytes and packets) flowing in the selected IP address group conversation through the viewed node or interface.
  The columns displayed depend on the flow direction set in the top left corner of the view (either only Ingress Bytes, or only Egress Bytes, or both columns).

• Percent (Utilization): Displays the percentage of all traffic through the viewed object that can be attributed to the appropriate IP address groups conversation.

The first value describes the percentage of the appropriate item based on items shown by the chart. Individual items in the legend add up 100%. This percentage can be absolute or relative. For more information, see Set the Percentage type for Top XX lists.

A value in parentheses is available only for interfaces. It describes how the appropriate item utilizes the interface bandwidth in percentage.

If the utilization is approximately twice as high as it should be, for example 150% instead of 75%, it might be caused by flow duplication. For more information, see Resolve duplicate flows.

Top XX IP Address Groups Conversations (Endpoint Centric)

You can customize an endpoint-centric version of this widget and place it on the NetFlow Node Details or Interface Details view. The endpoint-centric Top XX IP Address Groups Conversations widget provides a ranked list of IP groups conversations in which the selected node or interface initiated or terminated traffic.

For more information about adding endpoint-centric widgets, see Add endpoint-centric widgets to NTA views.

The table provides the name or IP address of each NetFlow source, the interface, the received percent utilization, and the transmitted percent utilization.

When placed on the Node Details or Interface Details view, this widget provides a view of the protocols responsible for the most traffic passing through the viewed node or interface over the selected period of time.

For more information about protocols monitored by NTA, see Configuring Protocol Monitoring.

The table below the chart provides the following information:

• Protocol: Displays the protocol type.

• Ingress Bytes, Egress Bytes/Ingress Packets, Egress Packets: Displays the amount of data (in bytes and packets) using appropriate protocols routed through the viewed node or interface over the specified time period.
  The columns displayed depend on the flow direction set in the top left corner of the view (either only Ingress Bytes, or only Egress Bytes, or both columns).

• Percent (Utilization): Displays the distribution of traffic through the viewed object using each listed protocol over the specified time period.

The first value describes the percentage of the appropriate item based on items shown by the chart. Individual items in the legend add up 100%. This percentage can be absolute or relative. For more information, see Set the Percentage type for Top XX lists.

A value in parentheses is available only for interfaces. It describes how the appropriate item utilizes the interface bandwidth in percentage.

If the utilization is approximately twice as high as it should be, for example 150% instead of 75%, it might be caused by flow duplication. For more information, see Resolve duplicate flows.

Top XX Protocols (Endpoint Centric)

You can customize an endpoint-centric version of this widget and place it on the NetFlow Node Details or Interface Details view. The endpoint-centric Top XX Protocols widget provides a ranked list of protocols over which the selected node or interface initiated or terminated traffic.

For more information about adding endpoint-centric widgets, see Add endpoint-centric widgets to NTA views.

When placed on the Node Details or Interface Details view, this widget provides a view of the receivers responsible for the most traffic passing through the viewed node or interface over the selected period of time.

The table below the chart provides the following information:

• Hostname: Displays the name or IP address of the receiving endpoint.

• Ingress Bytes, Egress Bytes/Ingress Packets, Egress Packets: Displays the amount of data, in both bytes and packets, routed through the viewed object received by the listed endpoint over the specified period of time.
  The columns displayed depend on the flow direction set in the top left corner of the view (either only Ingress Bytes, or only Egress Bytes, or both columns).

• Percent (Utilization): Displays the percentage of all traffic routed through the viewed node or interface that is received by the listed endpoint over the specified period of time.

The first value describes the percentage of the appropriate item based on items shown by the chart. Individual items in the legend add up 100%. This percentage can be absolute or relative. For more information, see Set the Percentage type for Top XX lists.

A value in parentheses is available only for interfaces. It describes how the appropriate item utilizes the interface bandwidth in percentage.

If the utilization is approximately twice as high as it should be, for example 150% instead of 75%, it might be caused by flow duplication. For more information, see Resolve duplicate flows.

Top XX Receivers (Endpoint Centric)

You can customize an endpoint-centric version of this widget and place it on the NetFlow Node Details or Interface Details view.
The endpoint-centric Top XX Receivers widget provides a ranked list of receivers to which the selected node or interface initiated traffic.

For more information about adding endpoint-centric widgets, see Add endpoint-centric widgets to NTA views.

When placed on the Node Details or Interface Details view, this widget provides a view of the countries that receive the most traffic from the viewed node or interface over the selected period of time.

When placed on the Node Details or Interface Details view, this widget provides a view of the domains that receive the most traffic from the viewed node or interface over the selected period of time.

When placed on the Node Details or Interface Details view, this widget provides a view of the IP address groups that receive the most traffic from the viewed node or interface over the selected period of time.

When placed on the Node Details or Interface Details view, this widget provides a view of the countries responsible for sending most traffic to the viewed node or interface over the selected period of time.

When placed on the Node Details or Interface Details view, this widget provides a view of the domains responsible for sending most traffic to the viewed node or interface over the selected period of time.

When placed on the Node Details or Interface Details view, this widget provides a view of the IP address groups that send the most traffic to the viewed node or interface over the selected period of time.

When placed on the Node Details or Interface Details view, this widget provides a view of the transmitters responsible for the most traffic passing through the viewed node or interface over the selected period of time.

The table below the chart provides the following information:

• Hostname: Displays the name or IP address of the transmitting endpoint.

• Ingress Bytes, Egress Bytes/Ingress Packets, Egress Packets: Displays the amount of data, in both bytes and packets, routed through the viewed object transmitted by the listed endpoint over the specified period of time.
  The columns displayed depend on the flow direction set in the top left corner of the view (either only Ingress Bytes, or only Egress Bytes, or both columns).

• Percent (Utilization): Displays the percentage of all traffic routed through the viewed node or interface that is transmitted by the listed endpoint over the specified period of time.

The first value describes the percentage of the appropriate item based on items shown by the chart. Individual items in the legend add up 100%. This percentage can be absolute or relative. For more information, see Set the Percentage type for Top XX lists.

A value in parentheses is available only for interfaces. It describes how the appropriate item utilizes the interface bandwidth in percentage.

If the utilization is approximately twice as high as it should be, for example 150% instead of 75%, it might be caused by flow duplication. For more information, see Resolve duplicate flows.

Top XX Transmitters (Endpoint Centric)

You can customize an endpoint-centric version of this widget and place it on the NetFlow Node Details or Interface Details view. The endpoint-centric Top XX Transmitters widget provides a ranked list of transmitters that initiated traffic to the selected node or interface.

For more information about adding endpoint-centric widgets, see Add endpoint-centric widgets to NTA views.

When placed on the Node Details or Interface Details view, this widget provides a view of the service types responsible for the most traffic passing through the viewed node or interface over the selected period of time.

For more information about types of service monitored in NTA, see Configuring NetFlow types of service.

The table below the chart provides the following information:

• Type of Service: Displays the type of service.

• Ingress Bytes, Egress Bytes/Ingress Packets, Egress Packets: Displays the amount of traffic, in both bytes and packets, handled by the listed service through the viewed object over the selected period of time.
  The columns displayed depend on the flow direction set in the top left corner of the view (either only Ingress Bytes, or only Egress Bytes, or both columns).

• Percent (Utilization): Displays the percentage of all serviced traffic through the viewed object that is handled by the listed type of service.

The first value describes the percentage of the appropriate item based on items shown by the chart. Individual items in the legend add up 100%. This percentage can be absolute or relative. For more information, see Set the Percentage type for Top XX lists.

A value in parentheses is available only for interfaces. It describes how the appropriate item utilizes the interface bandwidth in percentage.

If the utilization is approximately twice as high as it should be, for example 150% instead of 75%, it might be caused by flow duplication. For more information, see Resolve duplicate flows.

Top XX Types of Service (Endpoint Centric)

You can customize an endpoint-centric version of this widget and place it on the NetFlow Node Details or Interface Details view. The endpoint-centric Top XX Types of Service widget provides a ranked list of service types with which the selected node or interface initiated or terminated traffic.

For more information about adding endpoint-centric widgets, see Add endpoint-centric widgets to NTA views.

When receiving WLC traffic, this widget appears on the NPM Wireless Controller and Wireless Access Point pages. It provides a view of the WLC applications responsible for the most traffic passing through a concrete wireless controller or access point over the selected period of time.

This widget shows only WLC applications whose monitoring has been enabled on the Manage Applications and Service Ports view. Data for ports and WLC applications whose monitoring is not enabled there are collected, aggregated, and shown in the Top XX WLC Applications widget as Unmonitored Traffic. For more information about monitored ports and applications, see Configuring Monitored Ports and Applications.

The table below the chart provides the following information:

• Application: The WLC application name with its assigned port number in parentheses.

• Client MAC: The media access control (MAC) address of the client.

• Access Point: The access point to which the WLC application belongs.

• Ingress Bytes, Ingress Packets: Displays the amount of data (in bytes and packets) flowing to the selected WLC application through the viewed node or interface.

• Percent (Utilization): Displays the percentage of all traffic through the viewed object that can be attributed to use of the listed WLC application.
  

The first value describes the percentage of the appropriate item based on items shown by the chart. Individual items in the legend add up 100%. This percentage can be absolute or relative. For more information, see Set the Percentage type for Top XX lists.

A value in parentheses is available only for interfaces. It describes how the appropriate item utilizes the interface bandwidth in percentage.

If the utilization is approximately twice as high as it should be, for example 150% instead of 75%, it might be caused by flow duplication. For more information, see Resolve duplicate flows.

For each listed device, the Flow and CBQoS Sources widget provides the following details:

• A color-coded device status icon
  • Green: The selected source is either able to actively send flow data or it is currently able to provide CBQoS information.
  • Yellow: Device status is unknown, flow data has not been received, or CBQoS information cannot be polled from the selected device. This color may be displayed for interfaces on a Down node, as it is impossible to determine interface status when the parent node is down.
  • Red: The selected device is unable to actively provide flow or CBQoS data.
• An icon indicating the device type or manufacturer
• For each listed source interface, both the incoming and outgoing traffic volume
• For all listed flow-enabled devices, the date and time of the last flow packet received by the NTA collector
• For all listed CBQoS-enabled devices, the date and time of the last CBQoS poll completed by the NTA collector

You can encounter various issues in the Flow and CBQoS Sources widget, such as:

Devices not listed in the widget

If you are not seeing expected flow‑ or CBQoS-enabled devices in the Flow and CBQoS Sources widget, confirm that the following is true for your flow‑ and CBQoS-enabled devices:

• Confirm that the automatic addition of NetFlow sources option is enabled on the NetFlow Traffic Analysis Settings view. For more information, see Enable the automatic addition of flow sources.
• Flow‑enabled nodes and interfaces must be monitored by NPM before they can be recognized in as flow sources in NTA. For more information about adding devices for monitoring by NPM, see Add flow-enabled devices and interfaces to the SolarWinds Platform database.
• Flow-enabled devices must be configured to send flow data to the NPM server on which you have installed NTA.
• Confirm that the SolarWinds NetFlow Service has been started in the Windows Services listing. To view a list of services, log on to your NTA server as an administrator, and then open Control Panel > Administrative Tools > Services.

Time stamp "never" or not up to date

If the time stamp of the last received NetFlow or CBQoS data is not as expected, click Manage Flow Sources to confirm that flow monitoring is enabled for the appropriate device and interfaces. For more information, see Flow sources and CBQoS polling.

Errors

NetFlow Receiver Service Stopped

NTA informs you that SolarWinds NetFlow Service stopped.
"NetFlow Receiver Service [service name] Stopped."

Resolve the event

1. Start the SolarWinds Platform Service Manager in the SolarWinds Platform > Advanced Features program folder.
2. Check the status of the SolarWinds NetFlow Service.
3. If it is stopped, select it, and then click Start.

License limitation

NTA informs you that your NTA license does not match your NPM license, and NTA thus cannot monitor your flow traffic.
"License limitation doesn't fit SolarWinds Platform license!"

Resolve the event

Make sure your NTA license matches your NPM license. Both NPM and NTA must be at the same license level. For more information, see Licensing SolarWinds.

No valid license

NTA informs you that your license is expired.
"License status check failed: no valid license were found for [license key not in brackets]"

To resolve this event, log in to the SolarWinds customer portal, and procure an appropriate NTA license.

Invalid template

NTA informs you that incoming NetFlow v9 flows have a wrong or invalid template.
"NetFlow Receiver Service [xy] received an invalid v9 template with ID xx from device x.x.x.x. See knowledge base for more information."

Resolve the event

1. Log in to the appropriate device and check the template.
2. Make sure the device exports an appropriate template in one-minute intervals. For more information, see Device configuration examples.
3. Make sure the template includes all required details. For more details, see Required Fields.
   

Invalid IPFIX template

NTA informs you that the IPFIX template does not include required fields.
"NetFlow Receiver Service [xy] received an invalid IPFIX template with ID XX from device x.x.x.x. "

Resolve the event

1. Log in to the appropriate device and check the template.
2. Make sure the device exports an appropriate template in one-minute intervals. For more information, see Device configuration examples.
3. Make sure the template includes all required details. For more details, see Required Fields.
   

NetFlow time difference error

This event informs you that the time difference between your servers (SolarWinds Platform database server, NTA Flow Storage database, and the NTA Service server) is above the critical threshold. The critical threshold is hard-coded to 300s.
"Time on NetFlow Receiver Service [xy] is: xxx. DB server time is xx. The difference is: 719 s. Which is above critical threshold. The data won't be correct. Synchronize the clocks and restart the service."

Resolve the event

Synchronize time settings on all servers (SolarWinds Platform database, NTA polling engine(s), and NTA Flow Storage database server).

Cannot connect to NTA Flow Storage database

This event informs you that NTA Flow Storage database is currently unavailable.
"Cannot connect to NTA Flow Storage database. NTA cannot save any flows now."

Resolve the event

Make sure that the NTA SQL Flow Storage database server is running and online. For tips on troubleshooting issues with the SQL database, see Best practices and troubleshooting for the SolarWinds Platform database in the SolarWinds Platform documentation.

Warnings

Unmanaged NetFlow Node

This event informs the user that NTA is receiving NetFlow traffic from a node which is not managed in NPM.
"NetFlow Receiver Service [xy] is receiving NetFlow data stream from an unmanaged device (x.x.x.x). The NetFlow data stream from x.x.x.x will be discarded. Please use SolarWinds Platform Node management to manage this IP address in order to process this NetFlow data stream, or just use Manage this device."

Resolve the event

Click Manage This Device and complete the Add Node wizard to add the node in NPM. For more information, see Adding Devices for Monitoring in the Web Console.

Unmanaged NetFlow Interface

This event informs you that NTA is receiving traffic from an interface which is not managed in NPM. However, the corresponding node is managed in NPM. Click Add this interface or Edit this interface to add the object to NPM for monitoring.
"NetFlow Receiver Service [xy] is receiving NetFlow data from an unmanaged interface 'interface1name To interface2name'. Click Add this interface or Edit this interface to manage interface and process its flow data."

Resolve the event

Click Add This Interface or Edit This Interface, and add the interface to NPM for monitoring. For more information, see Adding Devices for Monitoring in the Web Console.

Unmonitored NetFlow Interface

NTA informs you that it is receiving flow traffic from an interface, which is managed in NPM, but not monitored in NTA. This happens if the Enable Automatic Addition of NetFlow Sources in NTA Settings is disabled.
"NetFlow Receiver Service [xy] is receiving NetFlow data from unmonitored interface if name on node. Click Monitor NetFlow source or enable the "Automatic addition of NetFlow sources" option on the Netflow Settings page to process future NetFlow data from this interface."

Resolve the event

1. Click Monitor NetFlow Source and enable monitoring for the interface. For more details, see Add flow sources and CBQoS-enabled devices.
2. Click Automatic Addition of NetFlow Sources and make sure the Enable Automatic Addition of NetFlow Sources option is selected. For more information, see Enable flow monitoring from unmanaged interfaces.

Not Primary NPM Node IP Address

This event informs you that the mentioned node has more IP addresses and that the IP address through which flow data are coming is not used for polling purposes.
NetFlow Receiver Service [xy] is receiving NetFlow data from an NPM device name (device IP address) through an IP address that is not its primary IP address. The NetFlow data will be discarded. Enable the Match NetFlow devices also by not primary IP Address option to process NetFlow data from this device.

Resolve the event

Follow the link to NetFlow Settings and make sure the Allow Matching Nodes by Another IP Address option is selected. For more information, see Enable flow monitoring from unmanaged interfaces.

Unmonitored NetFlow Interface Automatically Added

NTA informs you that an unmonitored interface has been added into NetFlow sources automatically. This happens if you enabled the Enable Automatic Addition of NetFlow Sources option in the NTA Settings. For more information, see Enable the automatic addition of flow sources.
"NetFlow Receiver Service [xy] is receiving NetFlow data from an unmonitored interface. The interface if name on service is being added to NetFlow sources."

NetFlow time difference warning

This event informs you that there is a time difference between your database and NTA servers, but it does not exceed the critical threshold.
"Time on NetFlow Receiver Service [xy] is: xxx. DB server time is xx. The difference is: xxx s. Which is above threshold. Fetched data could be unreliable."

To prevent corrupt data, synchronize time settings on all servers:

• SolarWinds Platform database
• NTA polling engine(s)
• NTA Flow Storage database server
  

NetFlow time difference warning ended

This event informs you that the time difference between the database server and NTA server has been resolved and the server times have been synchronized.
"Time on NetFlow Receiver Service [xy] is: xx, DB server time is: xx. The difference is: 0s. Which is under warning threshold"

System information

NetFlow Receiver Service Started

NTA informs you that the NetFlow service has been started. This event is triggered when the SolarWinds NetFlow Service starts.
"NetFlow Receiver Service [service name] started - listening on port(s) [port number(s)]."

NetFlow Receiver Service settings changed

NTA informs you if the port it is listening on has changed, or if a new port has been added. For more information, see NetFlow Collector Services.
"NetFlow Receiver Service [service name] setting was changed - listening on port(s) [port number(s)]."

NetFlow Event: Interface index mapping is being used for node

NTA informs you that a new device using interface index mapping has been added for monitoring in NTA.

Interface index mapping is being used for node [node name].

SNMP index is a value identifying a specific interface. Flows coming from this device are using different values than SNMP interface indexes and NTA thus needs to establish a relation between the interface index and the values included in these flows.

NetFlow Event: Removing interface index mapping for node

NTA informs you that interface index mapping has been removed for a node.
Removing interface index mapping for node [node name].

For more information, see NetFlow event: interface index mapping used for a node.

NetFlow database maintenance

NTA informs you that the database maintenance has been completed.
NetFlow Database Maintenance: Deleted x expired endpoints in x.xx seconds.For more information, see SolarWinds Platform database maintenance.

Scheduled shrink performed

NTA informs you that the SolarWinds Platform database has been compressed.
Scheduled shrink performed. DB size before shrink xMB, DB size after shrink xMB, released space xMB. For more information, see SolarWinds Platform database maintenance.

Updating data to be used in Top XX Aggregated widgets

NTA informs you that data aggregation settings for Top XX applications, Top XX Conversations or Top XX Endpoints has been changed.
Updating data to be used in showing Top [x] [Conversations, Applications, or Endpoints].
This event only occurs in NTA 4.0 using SQL for storing flows and in older NTA versions. For more information, see Adjusting Data Aggregation Settings.

Windows Firewall is turned on

NTA informs you that the NetFlow service has started or restarted and it is blocked by a firewall.
"Windows FireWall is turned on and its current exceptions do not allow the NetFlow Service to receive packets. Run the Configuration wizard for Services to remedy."

Resolve the event

Go to Windows Firewall settings and review if the NetFlow Service is allowed for inbound traffic on UDP port 2055, or other port if you have changed the NetFlow listening ports.

Information

NetFlow Licensing

NTA informs you that you are running an evaluation version, which has not been licensed yet.
Your SolarWinds NetFlow Receiver Service Evaluation [receiver name] will expire in x days. Please contact SolarWinds support to purchase a licensed version. Thank you.

To resolve the issue, purchase a license and activate it. Your SolarWinds licenses can be activated directly during the installation process. However, SolarWinds also provides a powerful License Manager which allows you not only to activate your licenses, but also deactivate a license on a certain machine and re-activate it elsewhere.

Unable to start listening on port

NTA informs you that the port NTA is listening at is being used by another listener. NTA thus cannot collect flows.
Unable to start listening on port x. Waiting until the port is free.

Resolve the event

1. Log in to the device and check what applications use the port NTA is using. Port 2055 is the default.
2. If the port is being used by another application, close the application.
3. If the port is being used only by the SolarWinds NetFlow Service, restart the service:
   1. Start the SolarWinds Platform Service Manager in the SolarWinds Platform > Advanced Features program folder.
   2. Check the status of the SolarWinds NetFlow Service.
   3. If it is stopped, select it, and click Start.

Port is free, listening

NTA informs you that the port it is listening at is free again, and that the issue has been resolved.
Port x is free, listening.

Notification Event Status Reset

NTA informs you that you have reset the Last 200 Events view by clicking Clear Notification.
"Resetting unknown traffic notifications events."

For more information about seeing cleared events, see Filter events and display historical events in NTA.

Connection to NTA Flow Storage database has been restored

This event is triggered when the connection to NTA Flow Storage database is restored.

The table below the chart provides the following information:

• Status Icon: Displays collector status visually, where a green icon indicates that the collector can actively receive flow and CBQoS data and a red icon indicates that the collector cannot actively receive flow and CBQoS data.

• Server Name: The network identification of the NetFlow collector.

• Receiver Status: A verbal statement of collector status.

• Collection Port: This is the port on which the NetFlow collector is listening for NetFlow data. The collection port is set during the installation and configuration of NetFlow Traffic Analyzer.

Click Edit to set the Maximum Number of Posts to Display.

Click View All to open the THWACK NTA forum, where you can read all posts related to NTA.

Click Join THWACK to go to the THWACK registration page and join for immediate access.

When placed on the Node Details or Interface Details view, the widget provides a chart reporting the number of unique IP addresses that have communicated with the viewed node or interface.

A custom endpoint-centric version of this widget, called Unique Visitors (Endpoint Centric), can also be placed on the NetFlow Node Details or Interface Details view, providing a view of the unique IP addresses with which the viewed node or interface has communicated during the selected period of time. For more information about adding endpoint-centric widgets, see Add endpoint-centric widgets to NTA views.

• The name of the NBAR2 application.
• The category of the NBAR application. Examples include browsing, email, and gaming.
• The subcategory of the category. For the browsing category, subcategory examples include rich media HTTP content and authentication services.
• The group to which the application belongs. For example, the Yahoo group includes the Yahoo accounts and Yahoo mail NBAR2 applications.
• Total amount of application traffic in the indicated period of time.
• Total number of application traffic packets sent in the indicated period of time.

• Application name.
• Port used by the application.
• Total amount of application traffic in the indicated period of time.
• Total number of application traffic packets sent in the indicated period of time.

• Name.
• ID.
• Organization.
• Registration Date.
• Last Update.

This widget provides the following traffic details:

• Total Traffic using the selected system over indicated time period.
• Total Packets transferred over the indicated time period.

When placed on the Node Details or Interface Details view, this widget provides a view of the total bytes transferred during conversations utilizing the viewed node or interface over the selected period of time.

• Date and time for each exchange in the viewed conversation.
• The protocol used for each exchange of the conversation.
• Beneath the names or IP addresses of the conversation participants, the application or port used by the respective conversing endpoints with an arrow indicating the direction of traffic for each exchange of the conversation.
• The amount of traffic communicated in bytes.
• The number of packets communicated.

Clicking a participant IP address or name opens the NetFlow Endpoints view.

• IP Address.
• Hostname.
  • Click Edit to change the friendly name of this endpoint. It will not, however, change the network identification of the viewed endpoint.
  • Click Lookup to immediately resolve the endpoint hostname.
• IP Address Group, if defined.
• Domain.
• Country.
• Total Traffic Transmitted, in bytes, over the time period indicated.
• Total Traffic Received, in bytes, over the time period indicated.
• Date/Time stamp of the Traffic Last Transmitted from the selected endpoint.
• Date/Time stamp of the Traffic Last Received by the selected endpoint.

• Group name.
• Range of IP addresses that is included in the group.
• Total Traffic over a specified time period.

• Protocol Name.
• Protocol Number.
• Total Traffic using the selected protocol over the indicated period of time.

For a complete list of all currently recognized protocol names and numbers, see the IANA Assigned Internet Protocol Numbers list.

When placed on the Node Details or Interface Details view, this widget provides a view of the total bytes transferred through the viewed node or interface over the selected period of time.

A custom endpoint-centric version of this widget, called Total Bytes Transferred (Endpoint Centric), can also be placed on the NetFlow Node Details or Interface Details view, providing a view of the total bytes transferred by the viewed node or interface over the selected period of time. For more information about adding endpoint-centric widgets, see Add endpoint-centric widgets to NTA views.

When placed on the Node Details or Interface Details view, this widget provides a view of the total packets transferred through the viewed node or interface over the selected period of time.

A custom endpoint-centric version of this widget, called Total Packets Transferred (Endpoint Centric), can also be placed on the NetFlow Node Details or Interface Details view, providing a view of the total packets transferred by the viewed node or interface over the selected period of time. For more information about adding endpoint-centric widgets, see Add endpoint-centric widgets to NTA views.

If this widget is displayed on the CBQoS Details view, the CBQoS Drops widget provides both a graph and a table reporting the amount of traffic corresponding to the selected CBQoS policy class that is filtered out or dropped as a result of policy maps currently enacted on the viewed interface.

If you have defined nested policies for your interface, you can see a hierarchical tree of classes and policies in this widget. Next to each class, you can see the corresponding traffic in the last hour and last day.

The CBQoS Policy Details view displays only policies that are currently applied on the interface.

You can also display this widget on a CBQoS Details view by clicking a class which you want to see on a CBQoS details view. The CBQoS Policy Details widget provides a graphical representation detailing the amount of traffic corresponding to the selected CBQoS policy class that has passed over the viewed interface in both the hour and the 24 hours prior to the currently viewed time period.

Because there are different formulas for calculating bitrate in loading CBQoS widgets and in generating reports, there is a case in which the numbers on 24 hour views do not correlate. When the device from which the data is being collected has been a CBQoS source node for less than 24 hours, the CBQoS Policy Details widget will show a different number compared to the comparable CBQoS report.

If this widget is displayed on the CBQoS Details view, the CBQoS Post-Policy Class Map widget provides both a graph and a table detailing both the average and the most recently polled amount of traffic corresponding to the selected CBQoS policy class passing through the viewed interface resulting from the application of policy maps on the viewed interface.

If this widget is displayed on the CBQoS Details view, the CBQoS Pre-Policy Class Map widget provides both a graph and a table detailing both the average and the most recently polled amount of traffic corresponding to the selected CBQoS policy class passing through the viewed interface prior to the application of any policy maps.