RobWalker

Pinned topic Network Tab has No Data

2016-03-28T18:42:43Z

We're on 7.2.5 patch 2 IF 2. Today when I opened the Network Activity tab it was completely blank, no flow data of any kind. We have all of our flow data going to our NBAD appliance. We've never used this tab much but would like to make more sense out of it. 

 

Any idea where I should go to start troubleshooting it? I opened a PMR but support has a reluctance to respond on Mondays, it seems... I've checked with our Networking team and they didn't make any changes this weekend... I get no results on flow data in any searches going back 7 days.

 

I've never troubleshot this appliance and have no idea where to start. What service supports NBAD?

 

Thank you.

  • dwight s (IBM)

    Re: Network Tab has No Data

    ‏2016-03-29T18:27:20Z  

    Hi Rob ... 

    Flows are generated by the "qflow" process, which normally runs on a 12xx, 13xx flow collector, a 17xx flow processor, or on the console, depending on your configuration.  When you say "NBAD" appliance, do you mean a flow collector? 

     

    Here are a few things to check:

    • ensure you have flow sources configured and associated to a "qflow" component in the "flow sources" area on the admin tab
    • verify there -is- a qflow component in your deployment, either in system & license management, or in the "deployment editor" app
    • search your "system notification" log source for events with the phrase/text "flow" or "qflow".  This would probably indicate whether or not your qflow process is generating flows.  They should look something like this:
      Mar 29 05:02:00 csd2-primary [QRadar] [13115] qflow0: [INFO] [1459238460] Sent 34 flows to 172.16.77.102:32010
      Mar 29 05:02:00 csd2-primary [QRadar] [13115] qflow0: [INFO] [1459238520] 35 flows (0 OF, 0 SF(0)) 107719732 bytes, 30869 packets
      Mar 29 05:02:00 csd2-primary [QRadar] [13115] qflow0: [INFO] Stats in packetsource NIC
      Mar 29 05:02:00 csd2-primary [QRadar] [13115] qflow0: [INFO] [1459238520] Packets for Non-Thread ops :  Packets Received: 17803022:Packets Dropped: 21044Packet rate: 514/sec
      Mar 29 05:02:00 csd2-primary [QRadar] [13115] qflow0: [INFO] Stats in packetsource NIC
      Mar 29 05:02:00 csd2-primary [QRadar] [13115] qflow0: [INFO] [1459238520] Packets for Non-Thread ops :  Packets Received: 63:Packets Dropped: 0Packet rate: 0/sec

       
    • If you did have flows before, look back to see where they stopped.  Look for system notification logs around that time period, from qflow, to see if the behavior changed - did it stop processing flows?  Were there errors present at the time?
    • depending on the flow sources you have configured, you could check your flow sources - span/mirror ports, taps, etc, to see if they are enabled.  If you're using netflow to generate flows, ensure the routers are still configured to send.  If they are netflow, you could use 'tcpdump' on your flow collector to see if you see data coming in on port 2055 (tcpdump -nn -i eth0 port 2055) - that's the common netflow port. 
    • on the flow processor in your deployment - 17xx or your console, depending on where it goes - check in /store/ariel/flows/records/2016/3/29/, to see if there are data files in there.  This is where flow data is kept on the processors that store it. 

    If all these seem to indicate the existence of traffic, but you still don't see anything in the UI, then there's something else going on. 

    dwight s
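
Added example (not part of the reply above and not IBM code): a small parser for the qflow per-interval summary lines quoted in the reply, used to find where flows stopped and whether qflow kept reporting zero flows or went silent. It assumes the system notification events were exported as text; the sample lines, the zero-flow line format, `max_gap` and the reason names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Per-interval summary line, in the format quoted in the reply above:
#   qflow0: [INFO] [<epoch>] <n> flows (...) <bytes> bytes, <packets> packets
SUMMARY = re.compile(
    r"qflow\d+: \[INFO\] \[(?P<epoch>\d+)\] (?P<flows>\d+) flows \(.*?\) "
    r"(?P<bytes>\d+) bytes, (?P<packets>\d+) packets"
)

# Constructed sample input: line format follows the thread, values are made up.
SAMPLE = [
    "Mar 29 05:02:00 host1 [QRadar] [13115] qflow0: [INFO] [1459238520] 35 flows (0 OF, 0 SF(0)) 107719732 bytes, 30869 packets",
    "Mar 29 05:02:00 host1 [QRadar] [13115] qflow0: [INFO] [1459238520] Sent 35 flows to 172.16.77.102:32010",
    "Mar 29 05:03:00 host1 [QRadar] [13115] qflow0: [INFO] [1459238580] 41 flows (0 OF, 0 SF(0)) 98211004 bytes, 28110 packets",
    "Mar 29 05:04:00 host1 [QRadar] [13115] qflow0: [INFO] [1459238640] 0 flows (0 OF, 0 SF(0)) 0 bytes, 0 packets",
    "Mar 29 05:05:00 host1 [QRadar] [13115] qflow0: [INFO] [1459238700] 0 flows (0 OF, 0 SF(0)) 0 bytes, 0 packets",
]

def flow_intervals(lines):
    """Return sorted (epoch, flows, packets) tuples from qflow summary lines."""
    found = []
    for line in lines:
        m = SUMMARY.search(line)
        if m:
            found.append((int(m["epoch"]), int(m["flows"]), int(m["packets"])))
    return sorted(found)

def find_stop(lines, now, max_gap=120):
    """Return (last_epoch_with_flows, reason).

    reason is "zero_flows" if qflow kept reporting but counted no flows
    (check the flow sources: span ports, taps, netflow exporters),
    "no_reports" if the summary lines themselves are missing for more than
    max_gap seconds (check the qflow process), else "still_flowing".
    """
    intervals = flow_intervals(lines)
    if not intervals:
        return None, "no_reports"
    good = [epoch for epoch, flows, _ in intervals if flows > 0]
    if not good:
        return None, "zero_flows"
    last_good = good[-1]
    if intervals[-1][0] > last_good:      # later intervals exist, all empty
        return last_good, "zero_flows"
    if now - last_good > max_gap:         # nothing logged since last good one
        return last_good, "no_reports"
    return last_good, "still_flowing"

if __name__ == "__main__":
    epoch, reason = find_stop(SAMPLE, now=1459238700)
    when = datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()
    print(f"last interval with flows: {when} ({reason})")
```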