Does the Dashboard only populate from the Bridge Port traffic?

0

I can't really put the Insight in the path between the switch and routers, so I have set up SPAN sessions on a Cisco switch that are mirroring traffic to ports 1 & 2 on the Insight.

I know that the traffic is getting to the Insight as I can initiate a capture on port 3 using OmniPeek and see the traffic, however the Dashboard (and Kibana in general) aren't seeing any traffic from port 2 or port 3. 

Are the Dashboard and local capture only there for traffic that flows through the bridged ports? Or is there something I need to do to enable the Dashboard / local storage to receive traffic from ports 1 through 3?

Thanks.
 
asked September 27, 2017 04:27 PM
By: Andras Bellak

5 Answers

0
Best answer
 

Captures from any interface can be sent to Kibana, but they need to have specific names and configurations.

The name of the capture must say Reporting Auto Capture-SPAN, for example.

You will also need to configure the Statistics output in the capture options to match the bridge captures, including the settings under Set Schedule. This will ensure that the .csv files will be sent to the Kibana dashboards. You will also need to determine which analysis options need to be turned on for the data. Keep in mind, additional captures will definitely impact performance.

 

answered September 28, 2017 07:49 AM
By: Savvius Team
0
 
You will also need to configure the Statistics output in the capture options to match the bridge captures, including the settings under Set Schedule. This will ensure that the .csv files will be sent to the Kibana dashboards.

answered October 19, 2017 08:28 AM
By: Savvius Team
0
 
Keith -

How is traffic going to the Insight?

I'm doing a monitor session that copies traffic from my switch to router link over to the Insight via Ethernet 2 on the Insight.

Ethernet 1 on the Insight is the management port, so that shouldn't be seeing traffic.

If you have the Insight in between your switch and router in the bridge ports you shouldn't have to change anything. If you are doing what I'm doing and feeding the Insight traffic from a network span, then you need to select the adapter that you are spanning to on the Insight for the reporting captures. Mine are set to Ethernet 2 and working well.

Andras
answered October 19, 2017 07:52 AM
By: Andras Bellak
0
 
I found the configuration change immediately after posting this question - in OmniPeek you have to set the Reporting captures to use one of the interfaces that is receiving the traffic.

There doesn't appear to be a way to capture the traffic into reports from more than one interface at a time, unfortunately.

Thanks,
Andras

answered September 30, 2017 02:11 PM
By: Andras Bellak
0
 
Is there a document that walks through the configuration? I have tried the following and it does not work:

  1. Set up Insight with capture on eth1
  2. Set up ELK on 'Local' (The device created 'Reporting Auto Capture - Analysis' and '... - Expert Events')
  3. Verify bridge traffic is going to dashboard
  4. Change the 2 'Reporting Auto Capture - xxx' from Bridge to eth1

After doing this I don't get anything sent to the dashboard. Is there a different name for the captures when I change from Bridge to eth1?
answered October 18, 2017 10:08 AM
By: Keith McLaren
