HCO Study Guide for 1.2 PDF


Summary

This document provides information on NTA flow requirements, including supported flow protocols, versions, and sampled flow support. It also describes the difference between a polling engine and a collector in NTA and includes examples of Cisco Flexible NetFlow configuration. The document is a guide focused on understanding Network Traffic Analysis (NTA).

Full Transcript


NTA flow requirements
7/28/23, 10:29 AM  https://documentation.solarwinds.com/en/success_center/nta/content/nta-nta-flow-requirements-sw145.htm

SolarWinds NTA supports these flow protocols:

| Flow | Supported Versions | Sampled Flow Support |
|---|---|---|
| NetFlow | v1, v5, and v9. NetFlow v9 must have an appropriate template with all required fields. | v5 and v9. Some devices using IOS versions export flows without specifying that they are being sampled. SolarWinds NTA processes these flows as unsampled. |
| sFlow | v2, v4, and v5 | Supported |
| J-Flow | Supported | Supported. Some devices using JunOS versions export flows without specifying that they are being sampled. SolarWinds NTA processes these flows as unsampled. |
| IPFIX | Supports IPFIX generated by ESX 5.1 and later, for IPv4 traffic. Supports IPFIX generated by VMware vSwitch. | Supported |
| NetStream | v5 and v9 | Supported |
| NetFlow Lite | Supported on the following devices: Cisco Catalyst 2960-X, Cisco Catalyst 2960-XR, Cisco Catalyst 3560-CX, Cisco Catalyst 2960-CX | Supported |
| Cisco Wireless Controller NetFlow | Supported on the following devices with the ipv4_client_app_flow_record template: Cisco 2504 WLC, Cisco 3504 WLC, Cisco 5508 WLC, Cisco 5520 WLC, Cisco Flex 7510 WLC, Cisco 8510 WLC, Cisco 8540 WLC, Cisco WiSM2 | Not supported |

© 2003-2021 SolarWinds Worldwide, LLC. All rights reserved.

Difference between a polling engine and a collector in NTA
7/28/23, 10:29 AM  https://documentation.solarwinds.com/en/success_center/nta/content/nta-difference-in-receiving-and-collecting-flow-traffic.htm

To understand the way SolarWinds NTA processes flow data, you first need to understand the methods of capturing these data.

What is a flow collector?

Devices with flow enabled generate and export flow records. These records are collected using the flow collector. The flow collector then processes and analyzes the data.
Flow collectors can be either hardware based, such as probes, or software based, such as the SolarWinds NTA collector. After processing and analyzing data, the NTA collector presents these data in the web-based user interface of the SolarWinds Platform Web Console.

What is a polling engine?

A polling engine is also used for monitoring and collecting data. While a collector gathers data that are being sent to it by the particular device, a polling engine pings the device and requests the data to be sent.

NTA is a collector, not a polling engine. You must set up your devices, such as routers or firewalls, to send flow data to the collector.

Cisco Flexible NetFlow configuration
7/28/23, 10:29 AM  https://documentation.solarwinds.com/en/success_center/nta/content/nta-cisco-flexible-netflow-configuration-sw1985.htm

Exporting flows on some Cisco devices (for example, the 4500 series, with Supervisor 7) requires using Flexible NetFlow. This configuration example successfully exports flows from a Cisco 4507 with Supervisor 7:

Scripts are not supported under any SolarWinds support program or service. Scri
warranty of any kind. SolarWinds further disclaims all warranties including, wi
of merchantability or of fitness for a particular purpose. The risk arising out
and documentation stays with you. In no event shall SolarWinds or anyone else i
delivery of the scripts be liable for any damages whatsoever (including, withou
profits, business interruption, loss of business information, or other pecuniar
inability to use the scripts or documentation.

    ! Flow record: "match" lines are the key fields that define a flow,
    ! "collect" lines are non-key fields exported with it
    flow record ipv4
    !
     match ipv4 tos
     match ipv4 protocol
     match ipv4 source address
     match ipv4 destination address
     match transport source-port
     match transport destination-port
     match interface input
     collect interface output
     collect counter bytes
     collect counter packets
    ! Flow exporter: where and how the records are sent
    flow exporter NetFlow-to-Orion
     destination 10.10.10.10
     source vlan254
     transport udp 2055
     export-protocol netflow-v5
    ! Flow monitor: ties the record to the exporter and sets the cache timeouts
    flow monitor NetFlow-Monitor
     description Original Netflow captures
     record ipv4
     exporter NetFlow-to-Orion
     cache timeout inact 10
     cache timeout act 5
    ! Apply the monitor to inbound traffic on VLAN 666
    vlan configuration 666
     ip flow monitor NetFlow-Monitor input

The flow exporter destination and transport udp values must reflect the IP address and port (2055) of your SolarWinds NPM server.

SolarWinds NTA supports NetFlow version 5 and version 9. For more information about NetFlow version 5 or 9, see your Cisco router documentation or the Cisco website at www.cisco.com (© 2021 Cisco, available at https://www.cisco.com/, obtained on July 15th, 2021).

How NTA works
7/28/23, 10:30 AM  https://documentation.solarwinds.com/en/success_center/nta/content/nta-how-nta-works.htm

SolarWinds NTA collects Class Based Quality of Service (CBQoS) and flow data, processes it, and together with performance data collected by SolarWinds NPM, presents the data in graphs and reports to show bandwidth use on your network.

These reports help you:

- Monitor interface-level network bandwidth usage, and identify users, applications, protocols, and IP address groups that consume most bandwidth.
- Track conversations between internal and external endpoints.
- Analyze traffic patterns, with up to one-minute granularity, over months, days, or minutes by drilling down into any network element.
- Enhance bandwidth capacity before outages occur.

Flow monitoring architecture

The SolarWinds Platform is used to power SolarWinds products, including SolarWinds NTA. It provides centralized administration, access control, and alerting and reporting. The SolarWinds Platform Web Console is the web interface used for navigating through the NetFlow Summary page, managing SolarWinds NTA settings, or common SolarWinds Platform features like alerts and reports.

The following diagram shows how data travels from flow-enabled network devices to the SolarWinds NTA collector, which collects the data and inserts it into the SolarWinds NTA Flow Storage database.

CBQoS monitoring architecture

CBQoS implementations work much the same way as flow-enabled implementations, except that the NetFlow collector polls each device and the device returns data that meets the CBQoS policies you have defined. The system keeps collected data in the SolarWinds Platform database. The SolarWinds Platform Web Console is then used to navigate through the dashboard, manage the product settings, or the common features of the SolarWinds Platform products, such as alerts and reports.

For more information about CBQoS implementations, see View CBQoS data in the NTA Administrator Guide.

Cisco NetFlow Configuration - Forum - Network Performance Monitor (NPM) - THWACK
7/28/23, 10:30 AM  https://thwack.solarwinds.com/product-forums/network-performance-monitor-npm/f/forum/92285/cisco-netflow-configuration
Cisco NetFlow Configuration

tjay_monitexpert over 2 years ago

Best Practice / Highlights

- NetFlow configuration varies slightly per hardware model
- Set active timeout to 1 minute: “ip flow-cache timeout active” is the time interval NetFlow records are exported for long lived flows (e.g. large FTP transfer). 1 minute is recommended and configuration is in minutes in IOS and seconds in MLS and NX-OS.
- Catalyst 6500/7600 require enabling NetFlow export within MSFC and PFC. The following command will capture NetFlow within the same VLAN for Catalyst 6500/7600: ip flow ingress layer2-switched vlan {vlanlist}
- NetFlow is based on 7 key fields
  - Source IP address
  - Destination IP address
  - Source port number
  - Destination port number
  - Layer 3 protocol type (ex. TCP, UDP)
  - ToS (type of service) byte
  - Input logical interface
  If one field is different, a new flow is created in the flow cache.
- Enable NetFlow on EVERY layer-3 interface for complete visibility
- It is best practice to use a NetFlow “source interface” that would never go down such as a loopback interface.
- A “flow record” within Flexible NetFlow (that used in NX-OS) defines the keys that NetFlow uses to identify packets in the flow as well as other fields of interest that NetFlow gathers for the flow.

Cisco IOS NetFlow Configuration Guide

Netflow Configuration

In configuration mode issue the following to enable NetFlow Export:

    ip flow-export destination 2055
    ip flow-export source → (e.g. use a Loopback interface)
    ip flow-export version 9 → (if version 9 does not take, use version 5)
    ip flow-cache timeout active 1
    ip flow-cache timeout inactive 15
    snmp-server ifindex persist

Enable NetFlow on each layer-3 interface you are interested in monitoring traffic for:

    interface
     ip flow ingress

Optional:

    ip flow-export version 9 origin-as → (to include BGP origin AS)
    ip flow-capture mac-addresses → show ip cache verbose flow
    ip flow-capture vlan-id

Note: If your router is running a version of Cisco IOS prior to releases 12.2(14)S, 12.0(22)S, or 12.2(15)T the ip route-cache flow command is used to enable NetFlow on an interface. If your router is running Cisco IOS release 12.2(14)S, 12.0(22)S, 12.2(15)T, or later the ip flow ingress command is used to enable NetFlow on an interface.

Validate configuration:

    show ip cache flow
    show ip flow export
    show ip flow interface
    show ip flow export template

Reference: http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/12_2sr/nf_12_2sr_book.html

Native IOS Netflow Configuration:

In configuration mode issue the following to enable NetFlow Export:

    mls nde sender version 5
    mls aging long 64
    mls aging normal 32
    mls nde interface
    mls flow ip interface-full
    ip flow ingress layer2-switched vlan {vlanlist}
    ip flow-export destination 2055
    ip flow-export source → (e.g. use a Loopback interface)
    ip flow-export version 9 → (if version 9 does not take, use version 5)
    ip flow-cache timeout active 1
    ip flow-cache timeout inactive 15
    snmp-server ifindex persist

Enable NetFlow on each layer-3 interface you are interested in monitoring traffic for:

    interface
     ip flow ingress

Optional:

    ip flow-capture mac-addresses
    ip flow-capture vlan-id

Hybrid / CatOS Netflow Configuration:

    set mls nde 2055
    set mls nde version 5
    set mls agingtime long 64
    set mls agingtime 32
    set mls flow full
    set mls bridged-flow-statistics enable
    set mls nde enable

Validate configuration:

    show ip cache flow
    show ip flow export
    show ip flow export template
    show mls nde

Reference: http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/nde.html

What protocols does NTA support?
7/28/23, 10:31 AM  https://documentation.solarwinds.com/en/success_center/nta/content/getting-started-guide/nta-what-protocols-does-nta-support.htm

SolarWinds NTA collects and monitors interface-level flow data, and helps you identify consumers of bandwidth. Flow data comes to SolarWinds NTA using one of many protocols. Selectively specifying monitored protocols can reduce the amount of NetFlow traffic that SolarWinds NTA processes, which improves performance.

Specified protocols depend on the device type, as each device supports different types of protocols. Check your vendor's documentation to determine the correct protocols.

Difference between sampled and non-sampled flow:

- Sampled flow: Collects less data and provides only a sample. This prevents the network from overloading.
- Non-sampled flow: Collects all data.

SolarWinds NTA supports these flow-enabled devices:

| Flow | Supported Versions | Sampled Flow Support |
|---|---|---|
| NetFlow | v1, v5 and v9. NetFlow version 9 is configured the same as NetFlow version 5, but uses a predefined template that is exported in separate flows. Flexible NetFlow is based on NetFlow version 9, but the fields are defined during configuration. NetFlow v9 must have an appropriate template with all required fields. | v5 and v9. Some devices using IOS versions export flows without specifying that they are being sampled. SolarWinds NTA processes these flows as unsampled. |
| sFlow | v2, v4, and v5 | Supported |
| J-Flow | Supported | Supported. Some devices using JunOS versions export flows without specifying that they are being sampled. SolarWinds NTA processes these flows as unsampled. |
| IPFIX | Supports IPFIX generated by ESX 5.1 and later, for IPv4 traffic. | Supported |
| NetStream | v5 and v9 | Supported |
| NetFlow Lite | Supported on the following devices: Cisco Catalyst 2960-X, Cisco Catalyst 2960-XR, Cisco Catalyst 3560-CX, Cisco Catalyst 2960-CX | Supported |
| Cisco Wireless Controller NetFlow | Supported on the following devices with the ipv4_client_app_flow_record template: Cisco 2504 WLC, Cisco 3504 WLC, Cisco 5508 WLC, Cisco 5520 WLC, Cisco Flex 7510 WLC, Cisco 8510 WLC, Cisco 8540 WLC, Cisco WiSM2 | Not supported |

Set up network devices to export NetFlow data
7/28/23, 10:31 AM  https://documentation.solarwinds.com/en/success_center/nta/content/nta-setting-up-network-devices-to-export-netflow-data-manually-sw75.htm

You must configure your device to send flow data to SolarWinds NTA. SolarWinds NTA collects NetFlow data, on port 2055 by default, only if a network device is specifically configured to send data to NTA.
As a NetFlow collector, SolarWinds NTA can receive exported NetFlow version 5 data and NetFlow version 9 data that includes all fields of the NetFlow version 5 template. Once it collects NetFlow traffic data, SolarWinds NTA analyzes device bandwidth usage in terms of the source and destination endpoints of conversations reflected in the traffic.

Requirements

- Each device must be configured to export NetFlow data to SolarWinds NTA.
- Each device that exports NetFlow data to SolarWinds NTA must be monitored in SolarWinds NPM. Only nodes whose interfaces were discovered by SolarWinds NPM can be added as NetFlow sources.
  Traffic from a device that is not monitored in SolarWinds NPM appears only in aggregate as traffic from unmonitored devices. If the device is set up to export data to SolarWinds NTA, but is unmonitored in SolarWinds NPM, the collector may receive the data without being able to meaningfully analyze it.
- The specific interface through which a device exports NetFlow data must be monitored in SolarWinds NPM. The interface index number for this interface in the SolarWinds Platform database (interface table) must match the index number in the collected flow data.

Set up a device to export NetFlow data to SolarWinds NTA

1. Log in to the network device.

2. Enable NetFlow export on the device using appropriate commands. The following example enables NetFlow on a Cisco 6500 Series device:

    ip flow-export source
    ip flow-export version 5
    ip flow-export destination 2055
    ip flow-cache timeout active 1
    ip flow-cache timeout inactive 15
    snmp-server ifindex persist

   For detailed information on configuring NetFlow on Cisco devices, search for the appropriate configuration in the Cisco NetFlow Configuration guide (© 2021 Cisco, available at https://www.cisco.com/, obtained on May 6th, 2021).

   For information on enabling NetFlow for Cisco Catalyst switches, see Enable NetFlow and NetFlow data export on Cisco Catalyst switches.

   For information on enabling NetFlow on Cisco ASA devices, see Cisco ASA NetFlow overview.

   Otherwise, consult these examples as apply to your device:

   - Brocade (Foundry) sFlow configuration
   - HP sFlow configuration
   - Extreme sFlow configuration
   - Juniper sFlow configuration
   - Juniper J-Flow configuration
   - The documentation of your network device

3. Add the device exporting NetFlow to SolarWinds NPM for monitoring.

   - If you are adding a large number of NetFlow enabled nodes, use SolarWinds Platform Network Sonar. For more information, see Discovering and Adding Network Devices.
   - If you are only adding a few nodes, it may be easier to use Web Node Management in the SolarWinds Platform Web Console. For more information, see Adding Devices for Monitoring in the SolarWinds Platform Web Console.

4. Verify that the device is exporting NetFlow data as expected and that the device is monitored in SolarWinds NPM.

   To verify that data are exported correctly, use a packet capture tool, such as Wireshark, to search for packets sent from the network device to the SolarWinds Platform server.

   Example

   If you successfully add a NetFlow enabled device with IP address 10.199.14.2 to SolarWinds NPM, and the device is actively exporting NetFlow data to the SolarWinds Platform server, you will see in Wireshark a packet like the one (49) highlighted below in gray:

   As expected, we see in the packet details that 10.199.14.2 is its source IP address and 10.110.6.113 is the destination, which is the SolarWinds Platform server. This correlates with the node details on the device in the SolarWinds Platform, as highlighted in yellow.

   To verify that the IP address of the exporting interface on the network device is the one being monitored in SolarWinds Platform:

   a. Open a command line interface, log into the network device, and then type show run to see the running configuration of the device.

   b. Page down to the lines where the export source interface is defined. In this case, we see ip flow-export source Ethernet0/0. To discover the IP address for this interface, type show run int Ethernet0/0.

   The IP address of the interface, 10.199.14.2, is being monitored by the SolarWinds Platform server.

5. Click My Dashboards > NetFlow > NTA Summary. Under NetFlow Source, verify the NetFlow-enabled nodes listed with a recent time posted for collected flow.
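The check in step 4 can also be done in code instead of by eye in a packet capture. The following is an added example, not SolarWinds code: it decodes a NetFlow v5 export datagram and compares the sender address and the ifIndex values in each record with what is monitored in NPM. The datagram is constructed inline around the page's 10.199.14.2 exporter; the function names, flow addresses and ifIndex values are assumptions.

```python
import ipaddress
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte export header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record


def parse_v5(payload):
    """Decode one NetFlow v5 export datagram into (header, records)."""
    if len(payload) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _up, secs, _ns, seq, _etype, _eid, sampling = \
        V5_HEADER.unpack_from(payload)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field is {version})")
    if not 1 <= count <= 30:
        raise ValueError(f"v5 carries 1-30 records, header says {count}")
    if len(payload) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("length does not match the header record count")
    header = {"count": count, "unix_secs": secs, "sequence": seq,
              "sampling_mode": sampling >> 14,         # top 2 bits
              "sampling_interval": sampling & 0x3FFF}  # low 14 bits
    records = []
    for i in range(count):
        (src, dst, _hop, in_if, out_if, pkts, octets, _first, _last, sport,
         dport, _p1, _flags, proto, tos, _sas, _das, _sm, _dm, _p2) = \
            V5_RECORD.unpack_from(payload, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "input_if": in_if, "output_if": out_if,   # SNMP ifIndex values
            "packets": pkts, "bytes": octets,
            "sport": sport, "dport": dport, "proto": proto, "tos": tos,
        })
    return header, records


def check_export(payload, udp_source_ip, node_ip, monitored_ifindexes):
    """Compare one captured datagram with what the monitoring server expects."""
    header, records = parse_v5(payload)
    # Records whose ingress and egress ifIndex are both unknown cannot be
    # attributed to a monitored interface.
    unmonitored = [
        (n, r["input_if"], r["output_if"]) for n, r in enumerate(records)
        if r["input_if"] not in monitored_ifindexes
        and r["output_if"] not in monitored_ifindexes
    ]
    return {
        # The datagram must arrive from the address the node is monitored by.
        "source_matches_node": udp_source_ip == node_ip,
        # Interval 0: the exporter declares no sampling, so a collector has
        # to treat the flows as unsampled.
        "declares_sampling": header["sampling_interval"] != 0,
        "unmonitored_records": unmonitored,
    }


def build_sample():
    """Constructed datagram (not a capture): two flows, second on ifIndex 7/9."""
    def record(src, dst, in_if, out_if, pkts, octets, sport, dport, proto):
        return V5_RECORD.pack(
            ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
            bytes(4), in_if, out_if, pkts, octets, 1000, 5000,
            sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
    header = V5_HEADER.pack(5, 2, 600000, 1690540260, 0, 42, 0, 0, 0)
    return (header
            + record("10.199.14.50", "192.0.2.10", 1, 2, 12, 9000, 51514, 443, 6)
            + record("10.199.14.51", "198.51.100.7", 7, 9, 3, 420, 53001, 53, 17))


if __name__ == "__main__":
    # Assumed NPM state: node 10.199.14.2 with interfaces ifIndex 1 and 2.
    report = check_export(build_sample(), "10.199.14.2", "10.199.14.2", {1, 2})
    for key, value in report.items():
        print(f"{key}: {value}")
```

In practice the payload would come from a UDP socket bound to port 2055 or from a capture file, with the sender address taken from the IP header.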
Flow environment best practices
7/28/23, 10:31 AM  https://documentation.solarwinds.com/en/success_center/nta/content/getting-started-guide/nta-flow-environment-recommendations.htm

This section provides recommendations for setting your flow environment.

Determine where to enable flow

SolarWinds NTA can capture and store vast amounts of flow data. To make the best use of SolarWinds NTA, use the following guidelines to make decisions about where to capture enabled flow data.

- Understand your network and identify the types of problems you want to solve by capturing flow data.
- If you are unsure of where to begin, enable flow data at the core layer, let SolarWinds NTA run for a period of time (for example, a week), and review the SolarWinds NTA resources in the SolarWinds Platform Web Console to determine if the data collected is sufficient.
- If you need more flow data, move to the distribution layer.
- Due to the proliferation of duplicate data, SolarWinds recommends that you do not enable flows at the access layer.
- If you want to monitor internal traffic and internet traffic, enable ingress and egress interfaces.
- To capture the entire network conversation, enable ingress and egress on the external interfaces of a single node, or enable ingress only on all interfaces on the node.

Be mindful of directionality and duplication

If your devices are configured to export NetFlow on both ingress and egress interfaces, you might see duplicate traffic in the Summary widgets.

Duplicate flows can occur in the following cases:

- You have both ip flow ingress and ip flow egress applied for all interfaces on a device.
- You have set ip flow ingress on some interfaces and ip flow egress on other interfaces.
- On your serial interfaces with subinterfaces, you have NetFlow export enabled on both the physical and logical interfaces.

Set the retention period

Retention period specifies the time for which flow data are stored in the database until they expire and are permanently deleted.

The default retention period is set to 30 days.

To optimize the retention period for your SolarWinds NTA Flow Storage Database, collect data for a few days, and calculate the size of your SolarWinds NTA Flow Storage Database. You should then have an idea of the volume of data your network produces with NetFlow enabled. Consider also the space taken up by the database, and then adjust the retention period accordingly.

1. Click Settings > All Settings.
2. Under Product Specific Settings, click NTA Settings.
3. Scroll down to the Database Settings section.
4. Note the database Location: host name and whether the database is installed locally or remotely. The database Location is noted on the same page, under NTA Flow Storage Database Settings.
5. In the Retention Period field, enter the number of days after which flow data is deleted.
6. In the Delete Expired Data list, select a frequency.
7. Click Save.
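The directionality and duplication guidance above can be checked with a small model. The following is an added example, not SolarWinds code: it counts how many records one router exports per flow under four ingress/egress layouts and how that changes the byte totals a collector would add up. The topology, addresses, byte counts and function names are constructed assumptions, and the model is simplified to one router with three interfaces.

```python
# Constructed model: ifIndex 1 = WAN (external), 2 = LAN-A, 3 = LAN-B.
# Each entry is one unidirectional flow crossing the router; "key" is
# (source IP, destination IP, protocol, source port, destination port).
FLOWS = [
    {"key": ("10.0.2.10", "192.0.2.10", 6, 51514, 443),
     "in_if": 2, "out_if": 1, "bytes": 4000},     # LAN-A -> internet
    {"key": ("192.0.2.10", "10.0.2.10", 6, 443, 51514),
     "in_if": 1, "out_if": 2, "bytes": 90000},    # internet -> LAN-A
    {"key": ("10.0.2.10", "10.0.3.20", 6, 40022, 445),
     "in_if": 2, "out_if": 3, "bytes": 1500},     # LAN-A -> LAN-B
    {"key": ("10.0.3.20", "10.0.2.10", 6, 445, 40022),
     "in_if": 3, "out_if": 2, "bytes": 700},      # LAN-B -> LAN-A
]

BOTH = {"ingress", "egress"}
CONFIGS = {
    "ingress_all": {1: {"ingress"}, 2: {"ingress"}, 3: {"ingress"}},
    "both_external_only": {1: BOTH},
    "both_all": {1: BOTH, 2: BOTH, 3: BOTH},
    "mixed": {1: {"ingress"}, 2: {"egress"}, 3: {"ingress"}},
}


def exported_records(flow, config):
    """Records the router exports for one flow under a per-interface config."""
    records = []
    if "ingress" in config.get(flow["in_if"], ()):
        records.append({**flow, "direction": 0})   # FlowDirection 0 = ingress
    if "egress" in config.get(flow["out_if"], ()):
        records.append({**flow, "direction": 1})   # FlowDirection 1 = egress
    return records


def export_counts(config, flows=FLOWS):
    """Per flow: 0 = invisible, 1 = seen once, 2 = duplicated."""
    return [len(exported_records(f, config)) for f in flows]


def reported_bytes(config, flows=FLOWS):
    """Byte total a collector gets if it simply sums every record."""
    return sum(r["bytes"] for f in flows for r in exported_records(f, config))


def dedupe(records):
    """Keep one record per flow key and interface pair, preferring ingress."""
    best = {}
    for r in sorted(records, key=lambda r: r["direction"]):
        best.setdefault((r["key"], r["in_if"], r["out_if"]), r)
    return list(best.values())


if __name__ == "__main__":
    true_total = sum(f["bytes"] for f in FLOWS)
    for name, config in CONFIGS.items():
        print(f"{name:20} records per flow {export_counts(config)} "
              f"bytes {reported_bytes(config)} (true total {true_total})")
```

Ingress on every interface sees each flow exactly once, ingress and egress on the external interface alone misses the LAN-to-LAN flows, and the mixed layout both duplicates some flows and misses others.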
Required fields in SolarWinds NTA
7/28/23, 10:32 AM  https://documentation.solarwinds.com/en/success_center/nta/content/nta-required-fields-sw148.htm

Most flow-enabled devices use a set of static templates to which exported flows conform. If flow packets do not include the following field types and appropriate values, SolarWinds NTA ignores the packets.

Requirements

- The template must include all mandatory fields.
- Where multiple elements are in a group, at least one of them must be included.
- Optional fields are processed into flows if present. If not present, a default value is used.

For more information about fields required for sampled flows, see Sampled flow supported fields.

Mandatory fields for the flow template schema

Mandatory fields are required. If a mandatory field, or at least one field from a group, is not included, SolarWinds NTA cannot store flows.

| Field Type | Field Type Number | Description |
|---|---|---|
| Protocol | 4 | Layer 4 protocol |
| SourceAddress | 8, 27 | Source IP address or Source IPv6 Address |
| DestAddress | 12, 28 | Destination IP address or Destination IPv6 Address |
| Interfaces Group: At least one of the following fields must be included in the template. | | |
| InterfaceRx | 10 | SNMP ingress interface index |
| InterfaceTx | 14 | SNMP egress interface index |
| Bytes Group: At least one of the following fields must be included in the template. | | |
| Bytes | 1 | Delta bytes |
| Bytes | 85 | Total bytes |
| OutBytes | 23 | Out bytes |
| InitiatorOctets | 231 | Initiator bytes |
| ResponderOctets | 232 | Responder bytes |

Optional fields for the flow template schema

If the following fields are not included in the template, a default value will be stored. Appropriate widgets will thus show No Data.

| Field Type | Field Type Number | Description |
|---|---|---|
| ToS | 5 | Type of service |
| SourceAS | 16 | Source BGP autonomous system number |
| DestAS | 17 | Destination BGP autonomous system number |
| PeerSrcAS | 129 | Peer source autonomous system number |
| PeerDstAS | 128 | Peer destination autonomous system number |
| ApplicationID | 95 | ID of application detected in NBAR2 flow |
| Source Port Group: At least one of the following fields should be included in the template. | | |
| SourcePort | 7 | Source TCP/UDP port |
| UdpSrcPort | 180 | Source UDP port |
| TcpSrcPort | 182 | Source TCP port |
| Destination Port Group: At least one of the following fields should be included in the template. | | |
| DestPort | 11 | Destination TCP/UDP port |
| UdpDstPort | 181 | Destination UDP port |
| TcpDstPort | 183 | Destination TCP port |
| Packets Group: At least one of the following fields should be included in the template. If no field is included, widgets will show 0 in the packets column. | | |
| Packets | 2 | Delta packets |
| Packets | 86 | Total packets |
| OutPackets | 24 | Out packets |
| InitiatorPackets | 298 | Total packets in a flow from the device that triggered the session and remains the same for the life of the session |
| ResponderPackets | 299 | Total packets from the device which replies to the initiator |
| Long Flow Detection: At least one of the following field pairs should be included in the template for long-flow detection. For example, if you include LastSwitched, you must also include FirstSwitched. | | |
| LastSwitched | 21 | System uptime at which the last packet of this flow was switched |
| FirstSwitched | 22 | System uptime at which the first packet of this flow was switched |
| FlowStartSeconds | 150 | Time in seconds that the flow started |
| FlowEndSeconds | 151 | Time in seconds that the flow ended |
| FlowStartMilliseconds | 152 | Time in milliseconds that the flow started |
| FlowEndMilliseconds | 153 | Time in milliseconds that the flow ended |
| FlowStartMicroseconds | 154 | Time in microseconds that the flow started |
| FlowEndMicroseconds | 155 | Time in microseconds that the flow ended |
| FlowStartNanoseconds | 156 | Time in nanoseconds that the flow started |
| FlowEndNanoseconds | 157 | Time in nanoseconds that the flow ended |
| FlowStartDeltaMicroseconds | 158 | Sets the start delta of the flow |
| FlowEndDeltaMicroseconds | 159 | Sets the end delta of the flow |
| FlowDurationMilliseconds | 161 | Elapsed time in milliseconds of the flow |
| FlowDurationMicroseconds | 162 | Elapsed time in microseconds of the flow |
| Cisco WLC Flows: The following fields must be included for Cisco Wireless devices. | | |
| Bytes | 1 | Total bytes |
| Packets | 2 | Total packets |
| FlowDirection | 61 | Direction of the flow defined as ingress or egress. |
| ApplicationID | 95 | ID of application detected in flow |
| WlanSSID | 147 | Service Set Identifier or name of the WLAN the wireless device is connected to |
| WirelessStationMacAddress | 365 | MAC address of a wireless device |
| WirelessAPMacAddress | 367 | MAC address of a wireless access point |
| PostIPDiffServCodePoint (as of NTA 2023.1, this field is optional) | 98 | The definition of this Information Element is identical to 'ipDiffServCodePoint', except that it reports a potentially modified value caused by a middlebox function after the packet passed the Observation Point. |
| IPDiffServCodePoint (as of NTA 2023.1, this field is optional) | 195 | Value of a Differentiated Services Code Point (DSCP) encoded in the Differentiated Services field. Differentiated Services field is the most significant six bits of the IPv4 TOS FIELD or the IPv6 Traffic Class field. The value may range from 0 to 63 for this Information Element that encodes only the 6 bits of the Differentiated Services field. |
| Cisco WLC Flows: At least one of the following fields should be included in the template. | | |
| WirelessStationAddressIPv4 | 366 | IPv4 address of a wireless device |
| IPv4SourceAddress | 8 | Source IPv4 Address |
| IPv4DestinationAddress | 12 | Destination IPv4 Address |
| Cisco ASA devices: The following fields must be included for processing flows from Cisco ASA devices. | | |
| FlowID | 148 | An identifier of a flow that is unique within an observation domain. |
| FirewallEvent | 233 | Indicates a firewall event. |

Notes

- If SolarWinds states that SolarWinds NTA supports flow monitoring for a device, at least one of the templates that the device exports satisfies these requirements.
- The NetFlow v9 specification indicates that templates may be configurable on a device-by-device basis. However, most devices have a set of static templates to which exported flows conform. When SolarWinds states that a device is supported by SolarWinds NTA, SolarWinds has determined that at least one of the templates the device is capable of exporting will satisfy the SolarWinds NTA requirements. For more information, search for NetFlow version 9 flow record format on www.cisco.com.
- Cisco 4500 series switches do not provide information for the TCP_FLAGS field (field type number 6) corresponding to a count of all TCP flags seen in the related flow.
- Cisco Adaptive Security Appliances (ASA) are capable of providing flow data using a limited template based on the NetFlow v5 template.
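The mandatory and optional field rules above can be applied directly to the templates a device exports. The following is an added example, not SolarWinds code: it extracts the template records from a NetFlow v9 export packet and checks each against the field type numbers in the tables. The packet is constructed inline; template 256 carries the fields of the Flexible NetFlow record shown earlier as if it were exported in v9, template 257 is deliberately incomplete, and the function names and the accepted/rejected result are a model of the stated rules, not NTA's implementation.

```python
import struct

# Field type numbers from the tables above: name -> acceptable field types.
MANDATORY = {
    "Protocol": {4},
    "SourceAddress": {8, 27},
    "DestAddress": {12, 28},
    "Interfaces group": {10, 14},
    "Bytes group": {1, 85, 23, 231, 232},
}
OPTIONAL = {
    "ToS": {5}, "SourceAS": {16}, "DestAS": {17},
    "PeerSrcAS": {129}, "PeerDstAS": {128}, "ApplicationID": {95},
    "Source port group": {7, 180, 182},
    "Destination port group": {11, 181, 183},
    "Packets group": {2, 86, 24, 298, 299},
}
# (start, end) timestamp pairs for long-flow detection; the duration
# fields 161 and 162 are not modelled here.
TIMESTAMP_PAIRS = [(22, 21), (150, 151), (152, 153),
                   (154, 155), (156, 157), (158, 159)]


def parse_v9_templates(payload):
    """Return {template_id: [field_type, ...]} for each template in the packet."""
    if len(payload) < 20:
        raise ValueError("shorter than a NetFlow v9 header")
    (version,) = struct.unpack_from("!H", payload)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version field is {version})")
    templates, offset = {}, 20               # FlowSets follow the 20-byte header
    while offset + 4 <= len(payload):
        flowset_id, length = struct.unpack_from("!HH", payload, offset)
        if length < 4 or offset + length > len(payload):
            raise ValueError("FlowSet length runs past the datagram")
        if flowset_id == 0:                  # 0 = template FlowSet
            pos, end = offset + 4, offset + length
            while pos + 4 <= end:
                template_id, field_count = struct.unpack_from("!HH", payload, pos)
                if template_id < 256:        # reserved IDs: trailing padding
                    break
                pos += 4
                if pos + 4 * field_count > end:
                    raise ValueError("template record is truncated")
                templates[template_id] = [
                    struct.unpack_from("!H", payload, pos + 4 * i)[0]
                    for i in range(field_count)]
                pos += 4 * field_count
        offset += length                     # data and options FlowSets skipped
    return templates


def check_template(field_types):
    """Apply the mandatory / optional / long-flow rules to one template."""
    present = set(field_types)
    missing = [n for n, ids in MANDATORY.items() if not present & ids]
    return {
        "accepted": not missing,
        "missing_mandatory": missing,
        "defaulted_optional": [n for n, ids in OPTIONAL.items()
                               if not present & ids],
        "unpaired_timestamps": [(a, b) for a, b in TIMESTAMP_PAIRS
                                if (a in present) != (b in present)],
    }


def build_sample_packet():
    """Constructed v9 packet (not a capture) with two template records."""
    def template(template_id, fields):
        body = struct.pack("!HH", template_id, len(fields))
        return body + b"".join(struct.pack("!HH", t, n) for t, n in fields)
    good = template(256, [(8, 4), (12, 4), (4, 1), (5, 1), (7, 2), (11, 2),
                          (10, 4), (14, 4), (1, 4), (2, 4)])
    bad = template(257, [(8, 4), (12, 4), (4, 1), (7, 2), (11, 2),
                         (2, 4), (22, 4)])   # no interface, no byte counter
    flowset = struct.pack("!HH", 0, 4 + len(good) + len(bad)) + good + bad
    return struct.pack("!HHIIII", 9, 2, 600000, 1690540320, 7, 0) + flowset


if __name__ == "__main__":
    for tid, fields in parse_v9_templates(build_sample_packet()).items():
        print(tid, check_template(fields))
```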
https://documentation.solarwinds.com/en/success_center/nta/content/nta-required-fields-sw148.htm 4/6 7/28/23, 10:32 AM Required fields in SolarWinds NTA © 2003-2021 SolarWinds Worldwide, LLC. All rights reserved. https://documentation.solarwinds.com/en/success_center/nta/content/nta-required-fields-sw148.htm 5/6 7/28/23, 10:32 AM Required fields in SolarWinds NTA https://documentation.solarwinds.com/en/success_center/nta/content/nta-required-fields-sw148.htm 6/6 7/28/23, 10:32 AM Add flow-enabled devices and interfaces to the SolarWinds Platform database Add flow-enabled devices and interfaces to the SolarWinds Platform database SolarWinds NTA collects flow data from your network devices and analyzes network traffic based on collected data. To collect flow data, you must specify the SolarWinds NTA server as a target to which each device exports data. For more information, see Set up network devices to export NetFlow data. Only nodes whose interfaces were discovered by SolarWinds NPM can be added as Flow sources. To analyze flow data, you must add each flow-enabled network interface to the SolarWinds Platform database, so that they can be monitored in SolarWinds NPM. To initiate flow monitoring, flow-enabled devices in the SolarWinds Platform database must be designated as flow sources. For more information, see Add flow sources and CBQoS‑enabled devices. Adding flow-enabled devices and interfaces to SolarWinds NPM and designating the same devices and interfaces as flow sources in SolarWinds NTA are separate actions. The designation of flow sources does not affect licensing requirements for either SolarWinds NPM or SolarWinds NTA. 1. Add the appropriate nodes to SolarWinds NPM. If you are adding a large number of nodes, use Network Sonar Discovery. Click Settings > Network Discovery. Confirm that you add all flow-enabled interfaces on added devices. For more information, see Discovering and adding network devices. 
   - If you are only adding a few nodes, it may be easier to use Web Node Management in the SolarWinds Platform Web Console. Click Settings > Manage Nodes > Add Node. For more information, see Adding Devices for Monitoring in the SolarWinds Platform Web Console.
2. Click My Dashboards > Home > Summary.
3. Under All Nodes, verify that the devices were added.
4. Click My Dashboards > NetFlow > Flow Sources.
5. To finish setting up NetFlow monitoring, enable NetFlow monitoring for the selected nodes. For more information, see Add Flow Sources and CBQoS-enabled Devices.

If you have already configured device interfaces to send flow data, SolarWinds NTA can detect and analyze flow data after the device is added.

What happens after you add devices and interfaces to the SolarWinds Platform database?

After installing SolarWinds NTA, the SolarWinds NPM polling engine establishes a baseline by collecting network status and statistics. Thirty seconds later, the SolarWinds NPM polling engine performs another collection. You may notice an increase in the CPU usage during this time. After these initial collections, SolarWinds NPM collects network information every ten minutes for nodes and every nine minutes for interfaces. Flow analysis data displays in the SolarWinds Platform Web Console in minutes.

Before leaving SolarWinds NTA to gather data, ensure you are collecting flow data for the correct interface ports and applications. For more information, see Applications and service ports in NTA.

https://documentation.solarwinds.com/en/success_center/nta/content/nta-adding-flow-enabled-devices-and-interfaces-to-the-orion-database-sw1…
Disable flow sources and CBQoS-enabled devices

You can disable NetFlow and CBQoS monitoring through the NTA Settings in the SolarWinds Platform Web Console.

Disable flow sources

1. In the SolarWinds Platform Web Console, click Settings > All Settings.
2. Under Product Specific Settings, click NTA Settings.
3. Click Flow Sources Management.
   You can also access the Flow sources management page by clicking My Dashboards > NetFlow > Flow Sources.
4. Use the Filters to find the devices to display.
5. Locate the interface you want to delete.
6. Select flow sources, and click Drop traffic.

If you disable NetFlow monitoring for a node or interface, the data stop being collected. However, historical data are kept in the database. Enabling and disabling flow collection can thus result in gaps in SolarWinds NTA graphs.

Disable CBQoS-enabled devices

1. In the SolarWinds Platform Web Console, click Settings > All Settings.
2. Under Product Specific Settings, click NTA Settings.
3. Under CBQoS Polling Management, click Manually manage CBQoS polling.
   You can also access the CBQoS polling management page by clicking My Dashboards > NetFlow > CBQoS Polling.
4. Use the Filters to find the devices to display.
5. Locate the interface you want to disable.
6. Select CBQoS sources, and click Disable.

https://documentation.solarwinds.com/en/success_center/nta/content/nta-deleting-flow-sources-and-cbqos-enabled-devices-sw237.htm

Charts in NTA

SolarWinds NTA charts display pie chart or area chart summaries of widget-related data, enabling a more detailed view of the widget. You can create different types of area charts, including stack area, stack spline area, stack line, line, spline, and bar.

Charts offer tooltips with current values, as well as the ability to disable data series and to zoom in on data. They also have features you can click offering detailed widget information and editing capabilities.

Chart display limitations

- SolarWinds Platform views can display up to 100 widgets.
- Pie charts can display up to 100 items.
- Area charts can display up to 10 items, with the rest of the series visible in the legend.

Chart types

- Pie charts in NTA
- Area charts in NTA

Chart customization options

- Global settings defining how displayed data are calculated and setting default options. For more information, see Charting and graphing settings in NTA.
- Customize charts for the current session in NTA
- Customize charts for all users in NTA

Data granularity shown by default

NTA Flow Storage database supports saving flow data without compression and with one-minute granularity. However, charts display data in such detail only for time periods up to five hours.

Data are summarized in the following way:

- For time periods up to five hours, charts display data with one-minute granularity. Data are not summarized.
- For time periods of five hours up to 48 hours, charts display data with 15-minute granularity.
- For time periods of 48 hours up to seven days, charts display data with one-hour granularity.
- For time periods longer than seven days, charts display data with six-hour granularity.

View flow data for longer time periods with one-minute granularity

To see flow data with one-minute granularity, set the time period displayed by the view to up to five hours, focusing on the period you are interested in most. For more information about setting time period for views, see Edit time settings for NTA views.

https://documentation.solarwinds.com/en/success_center/nta/content/nta-working-with-charts-sw834.htm

Pie charts in NTA

The pie charts in this section show the Top 5 Endpoints widget, and use absolute percentage calculations. For more information about chart settings, see Charting and graphing settings in NTA.

SolarWinds NTA gives each item its own piece of pie, depending on your chart settings.

If more items exist than what is configured to display, SolarWinds NTA creates a category in the legend of the pie chart called Remaining traffic, which is not displayed in the chart.

If fewer items exist than what the chart is configured to display, the chart shows only those widgets that exist.

Example

The following chart divides traffic among the top five endpoints. The largest traffic flow is from LAB VCENTER50 (10.199.1.90) and is 56.85% of the total traffic flow. The next four highest endpoints’ traffic flows are 7.25%, 7.23%, 4.89%, and 4.52% of the total traffic flow. SolarWinds NTA labels all other endpoint flow traffic as Remaining traffic, which is 19.27% of the total traffic flow.

Pointing to the chart provides tool tips on the details for that portion of the chart.
For example, the pie chart above shows tool tip details for LAB VCENTER50 (10.199.1.90).

https://documentation.solarwinds.com/en/success_center/nta/content/nta-pie-charts-sw837.htm

Create custom views with the Flow Navigator

Using the Flow Navigator, you can create custom traffic views directly from any NetFlow view. These custom filters allow you to view specific statistics about your entire network and its devices without having to navigate through the web console by single-device views. You can configure your custom traffic view to include devices, applications, time periods, and more from one configuration pane.

Create a custom NetFlow traffic view with the Flow Navigator

1. Click My Dashboards > NetFlow > NTA Summary.
2. Click Flow Navigator on the left edge of the summary view.
   The Flow Navigator is available on any default NTA view.
3. Specify the View Type.
   a. If you want a filtered view of your entire network, click Summary, and select a summary view.
   b. If you want a filtered view of traffic passing through a specific node and interface, click Detail, and select a Detail View Type.
4. Select the Time Period over which you want to view traffic data:
   - Select Named Time Period, and select a time period.
   - Select Relative Time Period, and provide a number appropriate for the selected time units. The relative time period is measured with respect to the time at which the configured view is loaded.
   - Select Absolute Time Period, and provide the start and end time periods.
5. Select a Flow Direction.
   - Select Both to include ingress and egress traffic in the calculations SolarWinds NTA makes.
   - Select Ingress to include only ingress traffic in the calculations SolarWinds NTA makes.
   - Select Egress to include only egress traffic in the calculations SolarWinds NTA makes.
6. You can further limit the view by including or excluding some of the following items:

   IP Version
   To only display network traffic related to IPv4 or IPv6 data, or to display data for both IPv4 and IPv6 traffic, expand IP Version, and select the appropriate filter. Click Add Filter.

   Applications
   If you want to limit your view to only display network traffic to and from applications, or to exclude traffic to and from them, expand Applications, and then complete the following steps:
   a. If you want to include traffic from specified applications, select Include.
   b. If you want to exclude traffic from specified applications, select Exclude.
   c. Enter the name of an appropriate application or the appropriate port number.
   d. If you want to include or exclude another application, click Add Filter, and then enter the name of the appropriate application.

   Autonomous Systems
   To only display network traffic to and from autonomous systems, or to exclude traffic to and from certain autonomous systems, expand Autonomous Systems, and enter the ID of an appropriate autonomous network. Click Add Filter.

   Autonomous Systems Conversations
   To only display network traffic related to specific autonomous system conversations, or to exclude traffic to and from them, expand Autonomous System Conversations, and enter IDs of autonomous systems involved in conversations. Click Add Filter.

   Conversations
   To only display network traffic related to specific conversations between two endpoints, or to exclude traffic to and from them, expand Conversations and enter the endpoints involved in the conversation. Click Add Filter.

   Countries
   To only display network traffic related to specific countries, or to exclude traffic to and from them, expand Countries, and select a country to Include or Exclude.
   To select multiple countries, select each one and click Add Filter to apply each selection.

   Domains
   To only display network traffic related to specific domains, or to exclude traffic to and from them, expand Domains, and enter the domain name you want to Include or Exclude. To add multiple domains, enter a name and then click Add Filter to apply your selection after each entry.
   If a domain name is not resolved and saved in NTA, you cannot use it in the Flow Navigator. In this case, NTA will prompt you for a valid name. For more information about resolving domain names, see Host and domain names in SolarWinds NTA.

   Endpoints
   To only display network traffic related to specific endpoints, or to exclude traffic to and from them, expand Endpoints:
   a. Enter the IP address or hostname of an appropriate endpoint to Include or Exclude.
   b. If you want to include or exclude traffic from a specified subnet, enter the appropriate range of IP addresses. You can either type in the range, for example 192.168.1.0-192.168.1.255, or use the CIDR notation, for example 192.168.1.0/24.
   c. If you want to include or exclude another endpoint, click Add Filter, and then enter the name of an appropriate endpoint.

   IP Address Groups
   To only display network traffic related to specific IP address groups, or to exclude traffic to and from them, expand IP Address Groups, and then complete the following steps:
   a. Enter an appropriate IP address group.
      Even if an IP Address Group is disabled, it may continue to appear in the list. As a workaround, rename the group before disabling it. For example, for an IP Address Group called PrimaryLAN, you might add _DISABLED to the end. An entry called PrimaryLAN_DISABLED indicates that the group is inactive.
   b. If you want to include or exclude another IP address group, click Add Filter, and then enter the name of an appropriate IP address group.

   IP Address Group Conversations
   To only display network traffic related to conversations between specified IP address groups, or to exclude traffic to and from them, expand IP Address Group Conversations:
   a. Select the IP address groups involved in conversations that you want to include or exclude.
   b. If you want to include or exclude another IP address group conversation, click Add Filter, and then enter the appropriate conversation IP address groups.

   Protocols
   To only display network traffic using specific protocols, expand Protocols and select the protocol to Include or Exclude. If you want to include or exclude another protocol, click Add Filter, and then select another protocol.

   Types of Service
   To only display network traffic using specific service types, expand Types of Service and select an appropriate type of service to Include or Exclude. If you want to include or exclude another type of service, click Add Filter, and then select another type of service.

7. Click Submit.
8. If you want to save your custom filtered view for future reference, click Save Filtered View to Menu Bar.

https://documentation.solarwinds.com/en/success_center/nta/content/nta-creating-custom-views-with-flow-navigator-sw1200.htm

Local NetFlow Source

The Local NetFlow Source in SolarWinds NetFlow Traffic Analyzer (NTA) presents real flow data. It allows you to use all standard SolarWinds NTA features, such as navigation, drill-down, filters, reporting, and more, without any prior configuration and discovery.
The Local NetFlow Source presents live NetFlow traffic data sourced from, and destined to, the Main Polling Engine server, providing basic insight into traffic on the Main Polling Engine. All traffic for any network interface on the Main Polling Engine is captured and transformed into NetFlow flows.

On a fresh installation of NTA 4.6 and later, the Local NetFlow Source is enabled by default. If you are upgrading from a previous version of NTA, you have to manually enable it.

The Local NetFlow Source works only on the Main Polling Engine.

After an upgrade, the Local NetFlow Source installs only when there is an existing node for the Main Polling Engine. For more information, see Local NetFlow Source is not created after upgrade.

When you install the latest version of NTA or upgrade to version 4.6 and later, an interface is created for the Local NetFlow Source. This interface consumes an NPM license. Unmanaging the interface does not release the NPM license. You need to remove the Local NetFlow Source interface in order to release the NPM license.

Removing the Local NetFlow Source interface is a permanent operation. If you wish to use the Local NetFlow Source again, contact Technical Support.

After an upgrade, if there is a free license, the Local NetFlow Source will consume it immediately. Otherwise, it keeps checking for free licenses every minute. When you release a license, the Local NetFlow Source will consume it.

Install the Local NetFlow Source

The Local NetFlow Source is automatically installed on the Main Polling Engine during the installation or upgrade of SolarWinds NTA. The process is different for installations and upgrades:

- During fresh installations of SolarWinds NTA, the Local NetFlow Source and the interface are automatically created and added to the Main Polling Engine nodes.
  The Local NetFlow Source is automatically enabled and starts capturing traffic on the Main Polling Engine.
- When upgrading SolarWinds NTA, the Local NetFlow Source and the SolarWinds Platform interface are automatically created and added to the Main Polling Engine nodes. The Local NetFlow Source and traffic capturing are disabled by default and you need to enable it in the Flow Sources Management page.

Both scenarios above create a new NetFlow Source and SolarWinds Platform Interface that consume the customer license. You can manually delete the interface if needed.

Manage the Local NetFlow Source

You can manage the Local NetFlow Source through the following standard operations within the SolarWinds Platform Web Console.

On a fresh installation of NTA 4.6 and later, the Local NetFlow Source is enabled by default. If you are upgrading from a previous version of NTA, you have to manually enable it.

Enable/disable the Local NetFlow Source

Follow the steps below to enable or disable the Local NetFlow Source. Disabling the Local NetFlow Source stops local traffic collection, and historical flow data for the source are not visible in widgets.

1. In the SolarWinds Platform Web Console, click Settings > All Settings.
2. Click NTA Settings > Flow Sources Management.
3. To enable the Local NetFlow Source, select the check box in the NetFlow column.
4. Click Submit.

Manage the interface of the Local NetFlow Source

Follow the steps below to manage the Local NetFlow Source interface.

1. In the SolarWinds Platform Web Console, click Settings > Manage Nodes.
2. Select the Local NetFlow Source interface and click Maintenance mode.
3. Select one of the following options:
   - Unmanage Now to disable the node. Disabling the Local NetFlow Source stops traffic collection, but historical flow data for the Source stay visible.
   - Manage Again to enable the node.
Manage the Main Polling Engine node with the Local NetFlow Source interface

Follow the steps below to enable or disable the Main Polling Engine node with the Local NetFlow Source interface.

1. In SolarWinds Platform Web Console, click Settings > Manage Nodes.
2. Select the Local NetFlow Source and click Maintenance mode.
3. Select one of the following options:
   - Unmanage Now to disable the node. Disabling the Local NetFlow Source stops traffic collection, but historical flow data for the Source stay visible.
   - Manage Again to enable the node.

Delete the interface of the Local NetFlow Source

Follow the steps below to delete the Local NetFlow Source interface.

This operation is permanent. You cannot recreate the local NetFlow Source.

1. In the SolarWinds Platform Web Console, click Settings > Manage Nodes.
2. Select the Local NetFlow Source interface, and click Delete in the top-right corner.

This action permanently removes the Local NetFlow Source. You will not see historical flow data for the Source.

Delete the Main Polling Engine node with the Local NetFlow Source interface

Follow the steps below to delete the node with the Local NetFlow Source interface on the Main Polling Engine.

This operation is permanent. You cannot recreate the local NetFlow Source.

1. In the SolarWinds Platform Web Console, click Settings > Manage Nodes.
2. Select the Main Polling Engine node with the Local NetFlow Source interface, and click Delete in the top-right corner.

This action permanently removes the Local NetFlow Source. You will not see historical flow data for the Source.

https://documentation.solarwinds.com/en/success_center/nta/content/nta-local-netflow-source.htm
NBAR2 Applications

SolarWinds NTA monitors Network Based Application Recognition (NBAR2) traffic. NBAR2 is an application classification system that is used with deep packet inspection technologies to provide better visibility into network traffic. After you have enabled your devices to export NBAR2 flow records, you can view the Top NBAR2 Applications in summary views and reports.

When the NetFlow data is captured by NTA, the NBAR2 application classification may be unavailable or unknown to NTA. In this case, you may see one of the following identifiers for applications that are unidentified.

- Unknown: a Cisco application for which there is no classification available from Cisco.
- Unclassified: an application that is not supported or recognized by the NBAR engine on Wireless LAN Controller traffic and is captured as unclassified.
- Unrecognized: an application that NTA is not able to identify based on information in the current NBAR2 database. This will most likely happen when NBAR2 is first enabled on a device and it begins sending flows before sending the applications database. This occurrence depends on the interval set in the device settings.
- Remaining traffic: this is a standard label used on NTA charts to represent monitored traffic that is not applicable to any category presented on the chart.

You can monitor NBAR2 applications by switching the view type in the top-right corner of the Top XX Applications widget or from the NetFlow Applications Summary view.

For more information about monitoring applications, see Monitor NBAR2 Applications in NTA.
https://documentation.solarwinds.com/en/success_center/nta/content/nta-applications-nbar2.htm

Monitor applications and service ports

Because of the volume of data from flow-enabled network devices, monitoring all ports and applications may severely affect the performance of both the SolarWinds Platform database and the SolarWinds Platform Web Console. You can decide what ports or applications should be monitored by SolarWinds NTA.

If you are not sure what ports and applications you should monitor, click Monitor Recommended Ports to monitor the most common high traffic ports and applications.

Clicking Monitor Recommended Ports deletes all existing custom application and port definitions.

Enable monitoring for ports or applications

1. In the SolarWinds Platform Web Console, click Settings > All Settings.
2. Under Product Specific Settings, click NTA Settings.
3. Click Application and Service Ports.
4. To enable monitoring an application or a port, click Enable in the Actions column.
5. To enable monitoring for all listed applications and ports, click Enable All Monitoring.
6. If you are not sure what ports and applications to monitor, click Monitor Recommended Ports.
7. Click Submit.

Disable monitoring for ports or applications

1. In the SolarWinds Platform Web Console, click Settings > All Settings.
2. Under Product Specific Settings, click NTA Settings.
3. Click Application and Service Ports.
4. To disable monitoring an application or a port, click Disable in the Actions column.
5. To disable monitoring for all listed applications and ports, click Disable All Monitoring.
6. Click Submit.
https://documentation.solarwinds.com/en/success_center/nta/content/nta-enabling-or-disabling-monitoring-for-ports-or-applications-sw248.htm

IP address groups unification with IPAM

As of NTA 2020.2, you can unify IP address groups with SolarWinds IPAM. With the new IP Address Groups Management page, you can import IPAM IP address groups and use them the same way as standard NTA IP address groups:

- See IP address groups in NTA widgets.
- Create reports on IP address groups.
- Use the IP address groups in Flow Navigator or NTA search.
- Use the IP address groups as a Source and Destination IP Address Group for Applications.

Imported IPAM groups cannot be edited in NTA, only in IPAM. Any change in IPAM is automatically reflected in NTA.

The new IP Address Group Management page also allows you to define IP ranges with CIDR notation or filter IP address groups with predefined filters, search IP address groups by their names and customize the visible information, such as columns in the table.

Using IPAM IP address groups in NTA

You must install SolarWinds NTA 2020.2 or later together with SolarWinds IPAM 2020.2 or later to be able to import and use IPAM IP address groups in NTA.

1. In the SolarWinds Platform Web Console, click Settings > All Settings.
2. Under Product Specific Settings, click NTA Settings.
3. Under IP Address Groups, click Manage IP Address Groups.
4. Click Import IPAM group. A list of IPAM IP address groups is displayed.
5. Select the IPAM IP address groups you wish to import.
   Every checked item creates a new NTA IP address group with ranges from IPAM subnets under the directly-linked IPAM IP address group. If you explicitly select IPAM IP address groups in a hierarchy, you can create overlapped IP address groups.
   The IPAM IP address group must have at least one child subnet to be displayed in the Import IP address group from IPAM window. Otherwise, this group will not be visible in the list.
6. Click Import. Groups are imported according to the displayed mapping.

Management options for IP address groups imported from IPAM

The imported IP address groups will show IPAM in the Managed by column. You cannot edit IP address groups managed by IPAM through NTA, only through IPAM. All changes in IPAM are automatically reflected in NTA after a delay which can take from 1 minute to 30 minutes, depending on the number of changes made in IPAM.

IP address groups managed by IPAM can be deleted in NTA, but this operation deletes only the NTA IP address groups imported from IPAM. The original IPAM groups are not affected.

You can filter the IP address groups to view only groups Managed by IPAM or groups Managed by NTA. You can also filter the IP address groups that are set as Hidden or Shown in NTA widgets. The filter options are available in the sidebar on the left of the IP Address Groups Management page.

Selecting the IP address group provides the options to Edit, Show, Hide, or Delete the IP address group. For more information, see Managing IP address groups.
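Overlapped IP address groups like those mentioned above can be found before an import or edit. This added example is not part of the SolarWinds documentation or product: it normalizes the start-end range and CIDR notations this guide mentions and lists every pair of groups that share addresses. The group names and ranges are constructed for illustration.

```python
import ipaddress
from itertools import combinations


def parse_range(text):
    """Turn '192.168.1.0-192.168.1.255', '192.168.1.0/24' or a single
    address into a (first_address, last_address) pair."""
    text = text.strip()
    if "-" in text:
        first_s, last_s = (part.strip() for part in text.split("-", 1))
        first = ipaddress.ip_address(first_s)
        last = ipaddress.ip_address(last_s)
    else:
        # strict=False accepts host bits, so '192.168.1.7/24' is the /24.
        net = ipaddress.ip_network(text, strict=False)
        first, last = net.network_address, net.broadcast_address
    if first.version != last.version:
        raise ValueError("mixed IPv4/IPv6 range: %r" % text)
    if first > last:
        raise ValueError("range start is after its end: %r" % text)
    return first, last


def find_overlaps(groups):
    """Return [(group_a, group_b, 'first-last'), ...] for every address
    span that two different groups both cover."""
    parsed = {name: [parse_range(r) for r in ranges]
              for name, ranges in groups.items()}
    overlaps = []
    for (name_a, ranges_a), (name_b, ranges_b) in combinations(parsed.items(), 2):
        for a_first, a_last in ranges_a:
            for b_first, b_last in ranges_b:
                if a_first.version != b_first.version:
                    continue  # IPv4 and IPv6 ranges never intersect
                low, high = max(a_first, b_first), min(a_last, b_last)
                if low <= high:
                    overlaps.append((name_a, name_b, "%s-%s" % (low, high)))
    return overlaps


# Constructed sample: a parent group and a child group selected together,
# plus a server group carved out of the LAN range.
GROUPS = {
    "PrimaryLAN": ["192.168.1.0/24"],
    "Servers": ["192.168.1.128-192.168.1.191", "1.1.1.1"],
    "Branch": ["10.20.0.0/16"],
    "BranchWiFi": ["10.20.30.0-10.20.30.255"],
}

if __name__ == "__main__":
    for group_a, group_b, shared in find_overlaps(GROUPS):
        print("%s and %s both cover %s" % (group_a, group_b, shared))
```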
https://documentation.solarwinds.com/en/success_center/nta/content/nta-ip-address-groups-unification-with-ipam.htm

Applications and service ports in NTA

Use SolarWinds NTA to directly specify the applications and ports you want to monitor. Additionally, you can specify protocol types by application, giving you the ability to monitor multiple applications on the same port if each application uses a different protocol.

You should review this list of ports and applications and check the ports and applications you want to monitor, adding any that are not present.

By default, SolarWinds NTA monitors recommended ports and applications that are used most on typical networks.

SolarWinds NTA supports many applications out of the box. However, if you have custom internal applications, remember to assign a port name and number to them so that they are reported correctly and not marked unknown.

Access the applications and service ports settings

1. In the SolarWinds Platform Web Console, click Settings > All Settings.
2. Under Product Specific Settings, click NTA Settings.
3. Click Application and Service Ports.

To monitor ports on a server, you first need to create an IP address group and then two applications.

Let's assume you have a server with an IP address 1.1.1.1 and you want to monitor ports 80 and 443 on that server.

1. Add an IP address group with the IP address 1.1.1.1. For more information, see IP address groups in SolarWinds NTA.
2. Create an application called Application1 with ports 80 and 443, and select your new IP address group as the Source IP Address.
3. Create an application called Application2 with ports 80 and 443, and select your new IP address group as the Destination IP Address.
You cannot create a single application when monitoring ports on a server.

Learn more

- Add applications and service ports
- Edit applications and service ports
- Monitor applications and service ports
- Configure data retention for flows on unmonitored ports
- Delete applications and service ports

https://documentation.solarwinds.com/en/success_center/nta/content/nta-configuring-applications-and-service-ports-sw241.htm

NTA Settings page

Each of the following sections provides instructions for configuring SolarWinds NTA and customizing it to meet your network analysis requirements.

Access the NetFlow Traffic Analyzer Settings page

1. In the SolarWinds Platform Web Console, click Settings > All Settings.
2. Under Product Specific Settings, click NTA Settings.

Available settings

The configuration actions described in the following sections require administrative access to the SolarWinds Platform Web Console.

- NetFlow management: Configure default behavior when flows from SolarWinds NPM devices are received, towards data from ports not monitored in SolarWinds NTA, and unmanaged interfaces.
- Application and service ports: Configure the ports and applications that should be monitored in SolarWinds NTA.
- Autonomous systems: Manage autonomous systems monitored in SolarWinds NTA.
- IP address groups: Manage IP address groups and select IP groups whose traffic should be monitored in SolarWinds NTA.
- Monitored protocols: Select what protocols you want to monitor in SolarWinds NTA.
Flow sources and CBQoS polling management: Select what flow sources and which CBQoS- enabled devices you want to monitor with SolarWinds NTA. NetFlow collector services: Add or change ports on which the NetFlow service is listening. Types of services: Change names used for DiffServ Code Points in SolarWinds NTA. © 2003-2021 SolarWinds Worldwide, LLC. All rights reserved. https://documentation.solarwinds.com/en/success_center/nta/content/nta-configuring-netflow-management-settings-sw211.htm 1/2 7/28/23, 10:36 AM NTA Settings page https://documentation.solarwinds.com/en/success_center/nta/content/nta-configuring-netflow-management-settings-sw211.htm 2/2 7/28/23, 10:36 AM IP address groups in NTA IP address groups in NTA SolarWinds NTA allows you to establish IP address groups for selective monitoring of custom categories or segments of your network. With well-defined IP groups, you can better characterize and assess NetFlow data that you receive. SolarWinds recommends creating IP Address Groups, for example by location, especially for the benefit of your first level support group, to quickly see IP Address ranges and makes things easier to manage. IP Address Groups Management page As of NTA 2020.2, you can manage your IP address groups through a completely reimplemented IP Address Groups Management page. You can unify IP address groups with SolarWinds IPAM, define the IP Range with CIDR notation, filter IP address groups with predefined filters, or search IP address groups by their name and customize visible information. Changes on the IP Address Groups Management page are automatically confirmed, unlike in earlier versions of NTA where you had to click the Confirm button to apply the change. All IP address groups features from previous versions of NTA are still available on the new management page, except for the explicit Printable version. Adding new IP address groups with ranges. Deleting IP address groups. Editing IP address groups and their ranges. 
Importing and exporting IP address groups from or to XML files. Enabling or disabling visibility of IP address groups in NTA widgets. Access the IP Address Groups Management page 1. In the SolarWinds Platform Web Console, click Settings > All Settings. 2. Under Product Specific Settings, click NTA Settings. 3. Under IP Address Groups, click Manage IP Address Groups. https://documentation.solarwinds.com/en/success_center/nta/content/nta-managing-ip-address-groups-sw272.htm 1/4 7/28/23, 10:36 AM IP address groups in NTA Available actions All IP address groups features from versions prior to NTA 2020.2 are still available on the new management page, except for the explicit Printable version. Adding new IP address groups with ranges Expand All Deleting IP address groups Editing IP address groups and their ranges Show or Hide IP address groups Import IPAM IP address groups Import IP address groups from a file Export IP address groups to a file Standard features of the filtered list Troubleshooting IP address groups In NTA you can have IP address groups with overlapping ranges. Unlike IP address groups, applications cannot have groups with overlapped ranges in the same direction. If you have applications linked to a group (source, destination) and you edit or delete that group, you can create application collisions. These are overlaps in source or destination IP address groups. Application collisions are caused by editing or deleting an IP address group, or importing IP address groups from a file, deleting existing ones and replacing them with the new import. When a collision is detected, the operation is stopped and NTA will display a pop-up window with the collisions listed in a table, such as in the example below. 
You can resolve the collision manually through the NTA Applications Management page or automatically by clicking Save & Delete in the pop-up window. Application collisions are automatically resolved by deleting one of the applications in the collision. The applications with icon will be deleted. Applications with will remain in the list.

Troubleshooting FAQs

- Why is my NTA Application missing or why was it deleted?
- Why are data in IP address group charts invalid or seem to be incorrect?
- Why is the window with application collisions displayed again with a different application when I've already automatically resolved application conflicts?
- I've exported all of my IP address groups into the XML file. Then I've imported them again. Why are all IP address groups managed by IPAM now standard IP Groups managed by NTA?
- Can I use IPAM IP address groups with applications in NTA without my applications being deleted by application collisions auto-resolving?
- I've edited or deleted an IP address group and the Applications Conflicts window pops up. I want to resolve the conflicts manually because auto-resolve options are not suitable for me. What can I do?

NTA shows "Never" or a date in the past in Netflow Sources "Last Received Netflow"
7/28/23, 10:37 AM https://support.solarwinds.com/SuccessCenter/s/article/NTA-shows-Never-or-a-date-in-the-past-in-Netflow-Sources-Last-Received-Netflow?langu…

This article describes the issue where the Last Received NetFlow data shows that NTA has stopped receiving NetFlow.

Aug 15, 2022 Success Center
First published date: 10/20/2018 6:57 PM
Last published date: 8/15/2022 5:02 PM

OVERVIEW

The Last Received NetFlow time stamp is not updating and shows a date in the past. NTA has not received NetFlow data from the device since the date shown in Last Received NetFlow, or the field shows Never if NetFlow data has not been received at all. See sample below:

ENVIRONMENT

NTA 4.6; NTA 2019.4; NTA 2020.2

CAUSE

RESOLUTION

1. Open Windows Performance Monitor in Start > Windows Administrative Tools > Performance Monitor.
2. Add SolarWinds NetFlow Counters.
3. Check Flows Received per Second.
4. Validate your progress with Wireshark.
   a. Download and install Wireshark on your Orion Application Server.
   b. Select Capture in Wireshark.
   c. Select Options.
   d. Under Capture Filter for selected device and application port number, select host and udp port 2055 (default).
   e. Use the following filter when you want to filter out data in the Wireshark application:
      ip.addr == && udp.port ==
      For more information, see the Wireshark User's Guide (https://www.wireshark.org/docs/wsug_html/#ChUseCaptureMenuSection) (©1989, 1991 Free Software Foundation, Inc., available at https://www.wireshark.org/, obtained on October 27, 2015).
   f. Validate that NetFlow data is reaching the Collector on port 2055 (default port). You should see packets labeled CFLOW and sFlow in Wireshark under Protocol.
   g. For sFlow, you will need to decode traffic by right-clicking on a packet and selecting Decode As. Settings are as follows:

   Verify the port number by checking the Collector configuration under Settings > NTA Settings > NetFlow Collector Services.

   Validate the route the device takes to the SolarWinds server.

   Firewalls must be checked, as some can have Access Lists that are not set up to allow UDP packets or are set up incorrectly for TCP when NetFlow is UDP.
5. If you do not see any NetFlow data, check example configurations (https://documentation.solarwinds.com/en/success_center/nta/Content/NTA-Device-Configuration-Examples-sw1967.htm) to see if something is missing.
6. Run Tracert from the server to see if any other routes are in place that are blocking traffic on port 2055 (for example, Firewall Checkpoint).
7. If all devices stopped at the same time and services are running, verify the IP address of the SolarWinds Server did not change.
8. Change the NetFlow version from 5 to 9.

Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the information set forth herein may come from third parties. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment. You elect to use third-party content at your own risk, and you will be solely responsible for the incorporation of the same if any.
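An added example, not part of the SolarWinds article: once Wireshark shows UDP datagrams arriving on the collector port, this Python code reads the export header of a payload to report which flow protocol and version the device is sending, whether a NetFlow v5 header declares sampling, and whether a NetFlow v9 datagram carries a template flowset. The function names and the sample payloads are constructed for illustration; the header layouts follow the published NetFlow v5, NetFlow v9, IPFIX and sFlow v5 formats.

```python
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")   # NetFlow v5 export header, 24 bytes
V9_HEADER = struct.Struct("!HHIIII")      # NetFlow v9 export header, 20 bytes
V5_RECORD_LEN = 48                        # fixed size of one v5 flow record


def walk_v9_flowsets(payload: bytes) -> dict:
    """Count template and data flowsets in a NetFlow v9 datagram."""
    offset, templates, data = V9_HEADER.size, 0, 0
    while offset + 4 <= len(payload):
        flowset_id, length = struct.unpack_from("!HH", payload, offset)
        if length < 4:                    # malformed length would never advance
            break
        if flowset_id in (0, 1):          # 0 = template, 1 = options template
            templates += 1
        elif flowset_id >= 256:           # data flowset, decodable only with its template
            data += 1
        offset += length
    return {"template_flowsets": templates, "data_flowsets": data}


def describe_export(payload: bytes) -> dict:
    """Classify one UDP payload seen on the collector port (2055 by default)."""
    if len(payload) < 4:
        return {"protocol": "unknown", "problem": "payload too short"}
    version16, = struct.unpack_from("!H", payload)   # NetFlow/IPFIX version field
    version32, = struct.unpack_from("!I", payload)   # sFlow uses a 32-bit version
    if version16 == 5 and len(payload) >= V5_HEADER.size:
        fields = V5_HEADER.unpack_from(payload)
        count, sampling = fields[1], fields[8]
        expected = V5_HEADER.size + count * V5_RECORD_LEN
        return {
            "protocol": "NetFlow v5",
            "records": count,
            "sampling_mode": sampling >> 14,          # top 2 bits
            "sampling_interval": sampling & 0x3FFF,   # low 14 bits, 0 = none declared
            "truncated": len(payload) < expected,
        }
    if version16 == 9 and len(payload) >= V9_HEADER.size:
        return {"protocol": "NetFlow v9", **walk_v9_flowsets(payload)}
    if version16 == 10:
        return {"protocol": "IPFIX"}
    if version32 == 5:
        return {"protocol": "sFlow v5"}
    return {"protocol": "unknown", "problem": f"unexpected version {version16}"}


# Constructed sample payloads (built here, not captured from a real device).
V5_SAMPLED = V5_HEADER.pack(5, 1, 1000, 1690540620, 0, 42, 0, 0, (1 << 14) | 100) + bytes(48)
V9_DATA_ONLY = V9_HEADER.pack(9, 1, 1000, 1690540620, 7, 1) + struct.pack("!HH", 256, 8) + bytes(4)
V9_WITH_TEMPLATE = V9_HEADER.pack(9, 1, 1000, 1690540620, 8, 1) + struct.pack("!6H", 0, 12, 256, 1, 8, 4)
SFLOW_V5 = struct.pack("!II", 5, 1) + bytes(20)
```

A NetFlow v9 source that only ever produces `template_flowsets: 0` is sending data the collector cannot decode until a template arrives, and a v5 source with `sampling_interval: 0` is one whose flows are treated as unsampled.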
Configure resolving IPv4 and IPv6 addresses to DNS hostnames in NTA
7/28/23, 10:37 AM https://documentation.solarwinds.com/en/success_center/nta/content/nta-configuring-on-demand-dns-resolution-sw470.htm

Disabling the option Resolve and store IPv4 hostnames immediately when a flow record is received when the option Resolve IPv4 and IPv6 addresses to DNS hostnames is enabled decreases the amount of database memory used to store DNS information and the read and write load on your SQL server associated with domain name resolution.

With the option Resolve IPv4 and IPv6 addresses to DNS hostnames enabled and the option Resolve and store IPv4 hostnames immediately when a flow record is received disabled, domain names are only resolved for device IP addresses that are actually displayed in SolarWinds NTA widgets.

Since they require DNS resolution with storing to calculate statistics, Top XX IPv4 Domains, Top XX IPv4 Traffic Destinations by Domain (report), and Top XX IPv4 Traffic Sources by Domain (report) become unavailable with this setting.

1. In the SolarWinds Platform Web Console, click Settings > All Settings.
2. Under Product Specific Settings, click NTA Settings.
3. Scroll to the DNS and NetBIOS Resolution section.
4. Make sure the option Resolve and store IPv4 hostnames immediately when a flow record is received is unselected.
5. Make sure the option Resolve IPv4 and IPv6 addresses to DNS hostnames is selected.
6. Click Save.
