Troubleshoot Application Discovery

I am sending NetFlow to the network sensor but I am not seeing any topology info on the Application Discovery server.

Solution:

  1. Check Incoming NetFlow Traffic:

    Make sure that NetFlow traffic uses Port 2055. To see incoming NetFlow:

    1. Identify the interface name by running the command:

      ifconfig

    2. Use the following command to monitor NetFlow traffic on Port 2055:

      tcpdump -i <interface name e.g. eth0> -T cnfp port 2055

  2. If NetFlow traffic is detected, verify the sampling configuration:

    1. Run the following command for at least 5 minutes to capture NetFlow traffic into a PCAP file:

      tcpdump -i <interface name e.g. eth0> -T cnfp port 2055 -w netflow.pcap

    2. Open the created netflow.pcap file in Wireshark.

    3. Verify that the data in the NetFlow packets includes:

      Required
      • Source VLAN
      • NetFlow Version
      • IPv4 Protocol
      • IPv4 Source address
      • IPv4 Destination address
      • Source port
      • Destination port
      • Counter bytes
      • Counter packets
      Recommended
      • TCP flags

      If one or more of these fields is missing, the NetFlow record will not be processed.

    4. For each flow, verify Packets and Octets (Bytes) as follows. Flows are only processed if these two requirements are met:

      • Packets count per record is greater than 10.

      • The ratio of the bytes counter to the packet count must be at least 60.

  3. Otherwise, contact AlgoSec Support.
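
The checks in step 2 can also be scripted against the UDP payloads of the captured packets. The following is an added example, not AlgoSec code: it assumes the exporter sends NetFlow v9 (field type numbers from RFC 3954), and the names `check_v9` and `sample_packet` and the sample packet itself are constructed for illustration.

```python
import struct

# NetFlow v9 field type numbers (RFC 3954) for the fields the page lists as required.
REQUIRED = {58: "Source VLAN", 4: "IPv4 Protocol", 8: "IPv4 Source address",
            12: "IPv4 Destination address", 7: "Source port",
            11: "Destination port", 1: "Counter bytes", 2: "Counter packets"}

def check_v9(payload, templates):
    """Return (missing required fields per template id, per-record verdicts)."""
    if struct.unpack_from("!H", payload)[0] != 9:
        raise ValueError("not a NetFlow v9 export packet")
    missing, verdicts, off = {}, [], 20          # v9 header is 20 bytes
    while off + 4 <= len(payload):
        fs_id, fs_len = struct.unpack_from("!HH", payload, off)
        if fs_len < 4 or off + fs_len > len(payload):
            break                                # truncated or malformed flowset
        body = payload[off + 4:off + fs_len]
        if fs_id == 0:                           # template flowset
            p = 0
            while p + 4 <= len(body):
                tid, n = struct.unpack_from("!HH", body, p)
                if tid < 256 or n == 0 or p + 4 + 4 * n > len(body):
                    break                        # padding or truncated template
                fields = [struct.unpack_from("!HH", body, p + 4 + 4 * i) for i in range(n)]
                templates[tid] = fields
                have = {ftype for ftype, _ in fields}
                missing[tid] = [name for t, name in REQUIRED.items() if t not in have]
                p += 4 + 4 * n
        elif fs_id in templates:                 # data flowset for a known template
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            for k in range(len(body) // rec_len if rec_len else 0):
                rec, q = {}, k * rec_len
                for ftype, flen in fields:
                    rec[ftype] = int.from_bytes(body[q:q + flen], "big")
                    q += flen
                pkts, octets = rec.get(2, 0), rec.get(1, 0)
                # Page's thresholds: more than 10 packets, bytes/packets at least 60.
                verdicts.append(pkts > 10 and octets / pkts >= 60)
        off += fs_len
    return missing, verdicts

def sample_packet():
    """Constructed v9 packet: template 256 without Source VLAN, three records."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    rec = lambda octets, pkts: struct.pack("!4s4sHHBII", b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 40000, 443, 6, octets, pkts)
    data = rec(12000, 20) + rec(400, 8) + rec(1000, 20) + b"\x00"  # padded to 4 bytes
    flowset = lambda fs_id, body: struct.pack("!HH", fs_id, len(body) + 4) + body
    return struct.pack("!HHIIII", 9, 4, 0, 0, 1, 0) + flowset(0, tmpl) + flowset(256, data)
```

Pass the same `templates` dictionary to every call so that data flowsets arriving in later packets are decoded with templates seen earlier in the capture.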

 

If you need to send a support archive to AlgoSec for troubleshooting, do the following:

  • At the top right of the Application Discovery page, click Help > Support files.

  • A zip file is saved locally, named AAD_support_<date><ID>.zip