Troubleshoot Application Discovery
I am sending NetFlow to the network sensor but I am not seeing any topology info on the Application Discovery server.
Solution:
- Check Incoming NetFlow Traffic: Make sure that NetFlow traffic uses Port 2055. To see incoming NetFlow:
  - Identify the interface name by running the command:
      ifconfig
  - Use the following command to monitor NetFlow traffic on Port 2055:
      tcpdump -i <interface name e.g. eth0> -T cnfp port 2055
- If NetFlow traffic is detected, verify the sampling configuration:
  - Run the following command for at least 5 minutes to capture NetFlow traffic into a PCAP file:
      tcpdump -i <interface name e.g. eth0> -T cnfp port 2055 -w netflow.pcap
  - Open the created netflow.pcap file in Wireshark.
  - Verify that the data in the NetFlow packets includes:
    Required:
    - Source VLAN
    - NetFlow Version
    - IPv4 Protocol
    - IPv4 Source address
    - IPv4 Destination address
    - Source port
    - Destination port
    - Counter bytes
    - Counter packets
    Recommended:
    - TCP flags
    If one or more of these fields is missing, the NetFlow record will not be processed.
  - For each flow, verify Packets and Octets (Bytes) as follows. Flows are only processed if these two requirements are met:
    - The packet count per record must be greater than 10.
    - The ratio of the bytes counter to the packet count must be at least 60.
Otherwise, contact AlgoSec Support.
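The field and counter checks above can also be run programmatically instead of by eye in Wireshark. The following is an added example, not AlgoSec code: it assumes the exporter sends NetFlow v9 and maps the listed field names to RFC 3954 field-type IDs (an assumption of this example), and the names `judge`, `check_v9` and `sample` are hypothetical.

```python
import struct

# NetFlow v9 field-type IDs (RFC 3954); pairing them with the page's names is an assumption.
REQUIRED = {58: "Source VLAN", 4: "IPv4 Protocol", 8: "IPv4 Source address",
            12: "IPv4 Destination address", 7: "Source port",
            11: "Destination port", 1: "Counter bytes", 2: "Counter packets"}

def judge(tmpl, rec):
    """Apply the page's checks to one data record laid out as tmpl describes."""
    vals, pos = {}, 0
    for ftype, length in tmpl:
        vals[ftype] = int.from_bytes(rec[pos:pos + length], "big")
        pos += length
    missing = [name for t, name in REQUIRED.items() if t not in vals]
    if missing:
        return "dropped: missing " + ", ".join(missing)
    if vals[2] <= 10 or vals[1] / vals[2] < 60:  # page: packets > 10, bytes/packets >= 60
        return "dropped: %d packets, %d bytes" % (vals[2], vals[1])
    return "ok"

def check_v9(payload, templates):
    """Return one verdict per data record in a NetFlow v9 UDP payload."""
    if len(payload) < 20 or struct.unpack_from("!H", payload)[0] != 9:
        return ["not NetFlow v9"]
    out, off = [], 20  # the v9 packet header is 20 bytes
    while off + 4 <= len(payload):
        fs_id, fs_len = struct.unpack_from("!HH", payload, off)
        if fs_len < 4 or off + fs_len > len(payload):
            break  # malformed length: stop instead of looping or over-reading
        body, off, pos = payload[off + 4:off + fs_len], off + fs_len, 0
        while fs_id == 0 and pos + 4 <= len(body):  # template flowset
            tid, n = struct.unpack_from("!HH", body, pos)
            if n == 0 or pos + 4 + 4 * n > len(body):
                break  # padding or truncated template
            templates[tid] = [struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(n)]
            pos += 4 + 4 * n
        size = sum(length for _, length in templates.get(fs_id, []))
        if fs_id >= 256 and size == 0:
            out.append("template %d not seen yet" % fs_id)
        elif fs_id >= 256:  # data flowset: fixed-size records, then padding
            out += [judge(templates[fs_id], body[p:p + size])
                    for p in range(0, len(body) - size + 1, size)]
    return out

def sample():  # constructed packet: template 256, records of 1200 B and 480 B, 12 packets each
    t = struct.pack("!20H", 0, 40, 256, 8, 8, 4, 12, 4, 7, 2, 11, 2, 4, 1, 58, 2, 1, 4, 2, 4)
    d = [struct.pack("!IIHHBHII", 0x0A000001, 0x0A000002, 40000, 443, 6, 10, o, 12)
         for o in (1200, 480)]
    return struct.pack("!HH16x", 9, 3) + t + struct.pack("!HH", 256, 52) + b"".join(d) + b"\0\0"
```

Pass every UDP payload from netflow.pcap through `check_v9` with one shared `templates` dict, because v9 templates and the data records that use them can arrive in different packets.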
If you need to send a support archive to AlgoSec for troubleshooting, do the following:
- At the top right of the Application Discovery page, click Help > Support files.
- A zip file is saved locally, named AAD_support_<date><ID>.zip