Thwack » SolarWinds » Engineer's Toolset » Netflow Realtime » Top 10 conversations are almost identical

in More Search Options

Top 10 conversations are almost identical

Last post 10-20-2007 7:45 AM by paullaf. 0 replies.
Page 1 of 1 (1 items)
Sort Posts:

  • 10-20-2007 7:45 AM

    • paullaf
    • Not Ranked
      •
    • Joined on 10-20-2007
    • Posts 5
    • Points 11

    Top 10 conversations are almost identical

    Reply

    Hi everyone,

    I've run a netflow realtime report of the top 10 conversations happening on a particular interface. The result is strange. Of the top 10 conversations, I'm seeing only 3 combinations of source IP, source port, destination IP and destination port. I'll try to post the report below:

     

    Conversation Source IP Address Source Hostname Source Port Destination IP Address Destination Hostname Destination Port Protocol Total Traffic Total Packets Traffic Percentage
    1 100.85.8.11 Microsoft-DS (445) 100.85.1.20 cft-0 (1761) TCP 52.92 Mb 35601 15%
    2 100.85.8.11 Microsoft-DS (445) 100.85.1.20 cft-0 (1761) TCP 47.87 Mb 32205 13%
    3 100.85.8.11 Microsoft-DS (445) 100.85.1.20 cft-0 (1761) TCP 46.36 Mb 31190 13%
    4 100.85.8.11 Microsoft-DS (445) 100.85.1.20 cft-0 (1761) TCP 40.39 Mb 27169 11%
    5 100.85.25.11 Microsoft-DS (445) 100.85.1.20 SwiftNet (1751) TCP 30.02 Mb 20205 8%
    6 100.85.8.11 Microsoft-DS (445) 100.85.1.20 cft-0 (1761) TCP 29.64 Mb 19960 8%
    7 100.85.8.11 Microsoft-DS (445) 100.85.1.20 cft-0 (1761) TCP 28.30 Mb 19035 8%
    8 100.85.8.11 Microsoft-DS (445) 100.85.1.20 cft-0 (1761) TCP 26.83 Mb 18070 8%
    9 100.85.8.11 Microsoft-DS (445) 100.85.1.20 cft-0 (1761) TCP 26.62 Mb 17906 7%
    10 100.85.8.11 Microsoft-DS (445) 100.85.1.20 cft-0 (1761) TCP 26.58 Mb 17882 7%

     

    Based on this, I felt that conversations 1-4 should be one conversation with the total traffic and packets added up. It would then account for a higher % of the traffic. Conversation 5 as it's listed in the report, should be a seperate conversation because the destination port is different. conversations 6-10 should be added together because it is the same communication.  Those last 4 together would be the new conversation #2 because conversation 5(as listed above) would be less megabyles than conversations 6-10 added together.

     Is my netflow calculating wrong or am I not getting something?

     Thanks,

     Paul
    Filed under:
    • Post Points: 1
Page 1 of 1 (1 items)