Submit a ticketCall us

Welcome to the NEW Success Center. Search all resources (documentation, videos, training, knowledge base articles) or browse resources by product. If you are unable to find what you are looking for, please contact us at customersuccess@solarwinds.com

 

 

 

 

Home > Success Center > Netflow Traffic Analyzer (NTA) > Ingress/Egress/Both options influence the NTA Top XX endpoints resource

Ingress/Egress/Both options influence the NTA Top XX endpoints resource

Table of contents
No headers
Created by Interspire Import, last modified by MindTouch on Jun 23, 2016

Views: 1,198 Votes: 1 Revisions: 8

In NetFlow, there are three terms you will frequently see: endpoints, transmitters, and receivers. Any NetFlow conversation is made of 3 parts: Source IP, Destination IP, and port.

For example, let's say there is a user on a Windows PC downloading a file from an FTP on Amazon, and FTP uses port 21. Obviously, the data conversation starts from the FTP server (Source IP) heads to the PC (Destination IP) and travels on FTP port 21.

An endpoint could be the Amazon FTP server or the Windows box. It is just a point where the data conversation beings/stops, making it an endpoint. If the IP address is downloading a file from the net, it is a receiver. If the IP address is sending out a file, it is a transmitter. So an endpoint is not where traffic ends but one of the IPs in the data conversation (Source or Destination).

Ingress and egress describe interfaces on your switches or routers:

  • Ingress means interfaces used for incoming traffic.
  • Egress means interfaces used for outgoing traffic.

Note: The size of ingress/egress packets is usually the same. However, it can differ for example if you have CBQoS policies defined for individual interfaces and the policies define that certain packets are dropped and not delivered to the appropriate endpoint.

 

Let's take a look at a scheme and how it's reflected in the resource. 

The following figure shows two flows:

Flow 1: PC1 (source) > the traffic of 86.7 Mbytes is coming to the switch through interface if1 (ingress) and leaving the switch via interface if2(egress) > PC 2 (destination)

Flow 2PC3 (source) > the traffic of 33.1 Mbytes is coming to the switch through interface if3 (ingress) and leaving the switch via interface if2 (egress ) > PC 2 (destination)

ingr_egr_endp.png

 

And now, let's take a look at this situation reflected in the NTA Top XX Endpoints resource:

kb_topendpoints_both_new.png

 

 

On the figure above, NTA detected three endpoints, 10.140.126.2 (PC2), 10.140.126.1 (PC1), and 10.140.126.3 (PC3). 

 

If you drill down the endpoints, you'll see the switch and its interfaces with individual traffic data.

In case of PC2 (10.140.126.2), which is the destination endpoint for both flows, we can see that three switch interfaces are used:

  • if2 - the interface both flows (F1 and F2) use for leaving the switch (egress: 86.7+33.1=119.8 Mbytes)
  • if1 - the interface used by flow F1 for entering the switch (ingress: 86.7 Mbytes)
  • if3 - the interface used by flow F2 for entering the the switch (ingress: 33.1 Mbytes)

 

To see only ingress information, select the Ingress option. Only the Ingress columns and interfaces relevant for ingress will be shown in the chart.

To see only egress information, select the Egress option. Only the Egress columns and interfaces relevant for egress will be shown in the chart.

For more information about the resource, see webhelp for Top XX Endpoints

Last modified
20:34, 22 Jun 2016

Tags

Classifications

Public