IBM Support

QRadar Network Insights: Verifying network cabling is correct and receiving network traffic



Looking at the back panel of the QNI, there are multiple LAN connectors. How can you verify that the QNI network cabling is correct and is receiving flow data?

Resolving The Problem

  • Confirm QRadar Network Insights (QNI) was installed, as described in the Installation guide. Looking at the QNI back panel, there are multiple ports. The management ports are associated with port 4 and port 6. These are used to replicate data between the QNI and the Console. Port 3 is reserved for the IMM, remote management system.
  • The only ports that accept raw network traffic via mirrored span port or network tap are the designated Napatech card ports. The Network Packet Capture Card is displayed in figure 1 as the Network Packet Capture Card. If it is a stand-alone QNI appliance, then all 4 ports are the same. If you are trying to stack the product, only 2 out of the 4 ports receive traffic. Verify you are sending decrypted raw network traffic to QNI.
  • Refer to chapter 7  "Creating a Stack" of the Installation guide to cable stacked QNI 1920 appliances. QNI 1901 and 1910 appliances do not support stacking.
    Figure 1. Back panel of the QRadar Network Insights 1920 appliance

    Figure 2. Legend for use with the QRadar Network
    Label Description
    2 Network Packet Capture card (SFP/SFP+)
    3 IMM Port (1 GbE TX)
    4 Management ports (10 GbE SFP+)
    5 Cabled internally. Do not use these ports
    6 Management port (1 GbE TX)

    To test if the QNI is receiving data
    1. From the Console, SSH as the root user to the QNI.
    2. Type the command:  /opt/napatech3/bin/monitoring
      You should see a result similar to:

      Figure 3. napatech monitor with SFP type, Link status, and Tx values.
    3. If there is no traffic displayed, check whether the Link column is "Down" and not 'Full" status. Make sure you are using the correct small form-factor pluggable transceiver (SFP) part numbers. Refer to Network capture transceivers section of the QRadar Network Insights 1920 Article for the correct SFP.
    4. To determine the SFP part numbers, physically inspect the SFP's or use these commands to figure out what SFP part numbers are in use:
      1. grep -i pn /var/log/messages
      2. zgrep -i pn /var/log/messages.*
    5. The output should look similar to: 
      ntservice: Port 3: NIM info: (Vendor: FINISAR CORP., PN: FTLX1471D3BCL, SN: xxxxxx)

    Document Location


    [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS6E69","label":"IBM QRadar Network Insights"},"Component":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

    Document Information

    Modified date:
    21 July 2022