Orion NTA and nProbe: Analyzing bandwidth hogs without flow-capable network equipment

I’ve spoken to quite a few customers who would love to gain visibility into top bandwidth users on their network, but alas, their networking gear does not support flow-based traffic analysis (e.g., NetFlow, sFlow, J-Flow).  I’ve also heard from existing Orion NetFlow Traffic Analyzer (NTA) customers who’ve got great visibility in their core network, but would like to extend NetFlow-based analysis to other non-flow capable sites. 

If you fall into either the aforementioned scenarios, you have several options:

   1. Leverage your Cisco ASAs – Cisco ASAs running the 8.2 software release support exporting NetFlow which Orion NTA can collect and analyze.   For instructions on how to enable NetFlow on your Cisco ASA, see this KB article

   2. Deploy devices that do support NetFlow – This may be overstating the obvious, but if you have the budget, it makes sense to simply deploy devices that support NetFlow into those locations and configure them to export to your Orion NTA collector. For example, a Cisco 800 series router supports NetFlow and is relatively inexpensive

   3. Use a software exporter on a span or mirror port - If you have a managed switch, you can usually configure it to send all the traffic to a single span or mirror port (consult your vendor’s documentation). You can then install a software exporter on a computer and attach it to the span port. The software exporter will then send flow records to your Orion NTA collector.

#1 and #2 are pretty straightforward, so I won’t spend any more time talking about those options.  So, let’s focus on #3.  What is a software exporter and how do you set it up to work with Orion NTA?  

A software exporter transforms received network packets into summarized flow data that collectors like Orion NTA can store and analyze.  There are quite a few software exporters out there, but nProbe is probably the most popular. nProbe also runs on both Windows and Linux, so I’ve focused my integration testing with this software exporter. 

Here’s how to set up nProbe to work with Orion NTA:  

1. Download and install nProbe on a Windows (or Linux) server

• Download an evaluation version of nProbe and install it on a server.  The eval version of nProbe supports 2,000 flows export, so you’ll eventually need to purchase a copy.  It’s around $100.

2. Enable port spanning or port mirroring on your Managed Switch

• Configure port mirroring or port spanning on your managed switch to the port that the server running nProbe is connected.  This will allow nProbe to see all traffic flowing through the switch.  You’ll need to consult your switch documentation for how to configure port mirroring or port spanning. If possible, consider only spanning the ports of interest to reduce the amount of flow data collected.
  

3. Add the nProbe server to Orion

• Add the server running nProbe to Orion, including all interfaces
• Add the server interfaces as monitored NetFlow Sources
• Go to NTA settings and enable “Allow monitoring of flows from unmanaged interfaces”

4. Configure nProbe to export flows to Orion NTA

• Open command prompt on nProbe server and navigate to C:\Program Files\nProbe-Win32>
• Run nProbe from CLI using the options listed below: 

             nprobe

                 /c - output to console.  This is the easiest method, especially for a demo situation, because you can review the debug messages.

                 -n <Orion NTA server address>:<port>  - IP address and port that should receive the flow records.  Use 2055 for port.

                 -b 1 - modest level of reporting

                  -i  <interface> - generally 1 on Windows; en0/eth0 on Linux; en0 for Ethernet on OSX, en1 for wireless

                 -u <in-index> - sets the ingress interface for all flows (use 1).

                 -Q <out-index> - sets the egress interface for all flows (use 2). 

          E.g. nprobe /c -i 1 -n 10.199.15.50:2055 -b 1 -u 1 -Q 65539

• NOTE:  It’s important the ingress (-u) and egress (-Q) interface indexes be set to the server interfaces being managed in Orion. NTA will drop flows from interfaces that are not managed in Orion.  You can see the interface index for the server interfaces in Orion by drilling down to their respective interface details view. So, if your nProbe server had two interfaces being monitored in Orion NTA, you would just set the option –u to the index of one of them and the –Q switch to the index of the other.   See nProbe documentation for other command line options.