How to troubleshoot NetFlow using Wireshark - Video

Updated November 27, 2018

Overview

This video (6:52) shows you how to use Wireshark to troubleshoot four of the most common issues that may occur when sending flow data to SolarWinds NetFlow Traffic Analyzer.


This video is available in the following languages: English

Environment

  • NTA

Video Transcription

This video shows you how to use Wireshark to troubleshoot four of the most common issues that may occur when sending flow data to SolarWinds® NetFlow Traffic Analyzer. NTA collects and analyzes flow data from multiple vendors, including NetFlow v5 and v9, Juniper® JFlow, sFlow, Huawei NetStream®, and IPFIX.

By running Wireshark®, you can verify that the flow data is reaching the SolarWinds NTA collector and that the required fields are included in the packets.

We'll focus on analyzing CFlow packets. If you need to troubleshoot issues with sFlow, please click the link to the video covering that topic.

This video addresses the following issues:

  • Are the packets reaching the server?
  • Does the information for the flows contain the required fields?
  • Are the interfaces contained in the Wireshark capture managed by Network Performance Monitor (NPM)?
  • Is the NetFlow data missing for one or more devices?


Here is a list of the required fields for NTA to process the flows correctly. The first four are all mandatory. If any of these fields contain zeros, the packets will be dropped.

For Source Port and Destination Port, at least one field should include a valid value other than zero.

And at least one of the SNMP interface indexes should also include a valid value other than zero.

If you are using NetFlow v5, these fields are included automatically in the flow data.

For additional data collection, like ToS, BGP, or NBAR2, you can include these optional fields.

Wireshark must be installed on the same server as NetFlow Traffic Analyzer and on any additional polling engines that are being used to collect flow data.

You can download Wireshark from https://www.wireshark.org/download.html.

Once Wireshark is installed, you are ready to troubleshoot your flow data. In order to minimize the number of packets being captured, you should add a filter to make the data easier to analyze.

To do this, open Wireshark, select the interface where the flows are being sent, and enter your criteria in the Capture Filter section by typing udp port 2055. UDP port 2055 is the SolarWinds default, but if your NTA collector is configured to listen to a different port, enter that port number instead. Double-click on the interface where the NetFlow data is being sent.

If you are using an older version of Wireshark, go to the menu bar, select Capture, then Options to access this same interface.

If you don't see any data here, something is preventing the packets from reaching the SolarWinds NTA collector.

Some common reasons for this could be an external firewall such as a Cisco® ASA, a Windows firewall enabled on the server, or other security appliances or software.

If you have local security software installed, you might see the packets in Wireshark, but NTA will not process them until you have added a rule to allow traffic on your designated port.

Once you are receiving the packets, you can start investigating the flow data.

In the Packet List pane, if CFLOW appears in the Protocol field, then NetFlow/IPFIX data is being received.

Expand the FlowSet in the Packet Details pane in order to verify the fields being exported. If you see "No Template Found," this means that Wireshark has not received the template yet. You may need to wait up to thirty minutes, depending on your template timeout setting configured on the device.

Once the template is received, you should see a list of flows.

If you don't, you may need to decode the packets. Please view this article to learn how to do that.

Let's expand the "Flow 1" FlowSet and compare the fields to the list of required fields that we discussed earlier.

Remember, the highlighted fields are mandatory. The Octets field is the same as the In-Bytes.

For the Source Port and Destination Port, at least one field must include a value other than zero. As we can see, this is the case: the Source Port contains a value of zero and the Destination Port contains the value 2048. This means only data for the destination port will be stored in the database.

For the SNMP interface indexes, at least one field must include a value other than zero. This is also the case. The InputInt has a value of one and the OutputInt has a value of zero. This means only the ingress data will be stored in the database.

In this example, 'IP ToS' and 'Packets' are two optional fields that do contain values.
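To make the field checks above concrete, here is an added example (not code from the video or from SolarWinds) that decodes a NetFlow v5 datagram the way Wireshark's CFLOW dissector presents it and applies the transcript's rules: drop the flow if a mandatory field is zero, if both ports are zero, or if both SNMP interface indexes are zero, and otherwise note which side will be stored. The datagram is constructed inline, and the identity of the four mandatory fields (source address, destination address, protocol, octets) is an assumption, since the transcript only shows that list on screen.

```python
import struct
from ipaddress import IPv4Address

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record
# Assumption (the transcript only shows the list on screen): the four mandatory
# fields are source address, destination address, protocol and octets (In-Bytes).
MANDATORY = ("srcaddr", "dstaddr", "protocol", "octets")

def parse_v5(datagram):
    """Decode a NetFlow v5 export datagram into a list of flow dicts."""
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    recs = [V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size) for i in range(count)]
    return [{"srcaddr": str(IPv4Address(r[0])), "dstaddr": str(IPv4Address(r[1])),
             "input": r[3], "output": r[4], "packets": r[5], "octets": r[6],
             "srcport": r[9], "dstport": r[10], "protocol": r[13], "tos": r[14]} for r in recs]

def check_flow(flow):
    """Apply the collector rules from the transcript; returns (accepted, notes)."""
    for name in MANDATORY:
        if flow[name] in (0, "0.0.0.0"):
            return False, [f"mandatory field {name} is zero: flow dropped"]
    if flow["srcport"] == 0 and flow["dstport"] == 0:
        return False, ["both ports are zero: flow dropped"]
    if flow["input"] == 0 and flow["output"] == 0:
        return False, ["both SNMP interface indexes are zero: flow dropped"]
    notes = []
    if 0 in (flow["srcport"], flow["dstport"]):
        notes.append("only the non-zero port is stored")
    if 0 in (flow["input"], flow["output"]):
        notes.append("only %s data is stored" % ("ingress" if flow["output"] == 0 else "egress"))
    return True, notes

def build_v5(flows):
    """Constructed NetFlow v5 datagram for testing (sample data, not a real capture)."""
    recs = b"".join(V5_RECORD.pack(
        IPv4Address(f["srcaddr"]).packed, IPv4Address(f["dstaddr"]).packed, bytes(4),
        f["input"], f["output"], f["packets"], f["octets"], 0, 0, f["srcport"],
        f["dstport"], 0, 0, f["protocol"], f["tos"], 0, 0, 0, 0, 0) for f in flows)
    return V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0) + recs

# Flow 1 mirrors the transcript's example: src port 0, dst port 2048, InputInt 1, OutputInt 0.
SAMPLE = build_v5([
    {"srcaddr": "10.199.252.14", "dstaddr": "10.10.1.5", "input": 1, "output": 0,
     "packets": 3, "octets": 252, "srcport": 0, "dstport": 2048, "protocol": 1, "tos": 184},
    {"srcaddr": "10.199.252.14", "dstaddr": "10.10.1.6", "input": 0, "output": 0,
     "packets": 1, "octets": 64, "srcport": 443, "dstport": 51000, "protocol": 6, "tos": 0}])
```

Running `check_flow` over `parse_v5(SAMPLE)` accepts the first flow with the same two caveats the transcript gives (destination port only, ingress only) and drops the second because both interface indexes are zero. The single-exporter capture filter the transcript describes, in Wireshark's capture-filter syntax, would be `host 10.199.252.14 and udp port 2055` (an assumption about how the on-screen filter was written).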

If you are using Flexible NetFlow on a Cisco device, and any of the fields are missing, verify the configuration of the flow record. If you are using a vendor other than Cisco, you may need to contact them directly to troubleshoot missing fields or invalid data.

If NetFlow data is being collected from devices, but one or more devices are not showing data, this filter will minimize the packets that Wireshark is capturing, making it easier to isolate the issue. In this example, the filter will only capture from a device with IP address 10.199.252.14, and only data that is directed to the designated port.

As you can see in this view, only the packets from the filtered IP address are being captured. So now, you can investigate the flow record from this one device and troubleshoot any issues.

If NetFlow data is not being collected on an interface but you think that it should be, verify that the InputInt or OutputInt in Wireshark contains the same SNMP ifIndex value as the interface that is being managed in NPM. You can do this by going to the Interface Details view in NPM.

If they do match, like we see here, then data will be collected on the Ingress direction.

If the interface index value does not appear in any of the flows, then data will not be collected for that interface.

If you analyze the packets and all the correct data is being sent to the collector, but no data is appearing in the charts, please confirm that the following NetFlow Traffic Analyzer settings are enabled:

  • "Allow Monitoring of Flows from Unmonitored Ports"
  • "Allow Monitoring of Flows from Unmanaged Interfaces"

Once you have verified that flow data is reaching the NTA collector and that all the required fields are included in the packets, you can analyze your NetFlow data using SolarWinds NetFlow Traffic Analyzer.
