The NAST Tool & NFA Parser are a way of verifying the flows that a particular harvester is receiving. After running the tool, you will be presented with an HTML page that details the following information:
When opening a Support Ticket for troubleshooting missing or incorrect data from a Device/Interface, it would help speed up resolution if we have this file up front. Just download it to your Harvester, double click the file, and specify the time period you want to run it for. If you do not see your device in this report, chances are, the NetFlow is not making it to the Harvester.
Each version of NFA has its own version of the NAST/NFAParser. See below for which version to use depending on your version of NFA:
9.1.3 & 9.2 - NASTv13.exe
9.1.2 - NASTv11.exe
9.0.161 - NFAParserv10.exe
9.0.118 - NFAParserv9.exe
8.3 or earlier (no longer supported) - NFAParserv8.exe
This document was generated from the following discussion: Tech Tips: NASTv12.exe available for NFA 9.1.3
Dear Stuart,
Thanks for your support. We are still working on it. We will update you about our findings once it is complete.
Thanks
Then I gather all those from all my harvesters (where the above command runs once a day). The resulting files are gathered into a single directory with the name <harvester name>-loggedflows.txt and I use the following Perl to clean it up and prepare it to be inserted into a custom database:
#!/usr/bin/perl
use strict;
use warnings;
my $inputfile = $ARGV[0];
my @result;
open(INFILE, '<', $inputfile) or die "Cannot open $inputfile: $!";
$inputfile =~ s/.*\\(.*)-loggedflows\.txt/$1/g; #grab the harvester name
while (<INFILE>) { #get the timestamp and fpm from each line of the file
    chomp;
    if ($_ =~ m!.*(..../../.. ..:..:..).*Flows/Minute : (.*)!) {
        push @result, ["$1", $2];
    }
}
close(INFILE);
open(OUTFILE, '>', 'fpm.sql') or die "Cannot open fpm.sql: $!";
foreach my $row (0..$#result) { print OUTFILE "replace into flows values ('$inputfile',unix_timestamp(str_to_date('$result[$row][0]','%Y/%c/%d %T')),$result[$row][1]);\n"; } #prepares a sql file for insertion into custom db.flows table
close(OUTFILE);
Then I use this batch file (I should eventually rewrite this in PHP, but who has the time?) to generate some graphs. This is only part of a larger script, so some variables are already set by the time this code runs (%historyhours% is the number of hours the report encompasses, %historydays% is just %historyhours% * 24, %querynfap% is the command used to execute a query against the custom db, and %analysisoutfile% is the name of the file to output to):
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
echo Analyzing Harvesters by flow count...
set hrvbyflows=analyze_harvesters_byflows
(
echo select content from ^(select concat^(
echo '[\'',date_format^(from_unixtime^(sp_start^),'%%b-%%e %%H:00'^),'\','
echo ,round^(avg^(case when ^(name like 'hrv1%%'^) then fpm else 0 end^)^),','
echo ,round^(avg^(case when ^(name like 'hrv2%%'^) then fpm else 0 end^)^),','
echo ,round^(avg^(case when ^(name like 'hrv3%%'^) then fpm else 0 end^)^),','
echo ,round^(avg^(case when ^(name like 'hrv4%%'^) then fpm else 0 end^)^),','
echo ,round^(avg^(case when ^(name like 'hrv5%%'^) then fpm else 0 end^)^),','
echo ,round^(avg^(case when ^(name like 'hrv6%%'^) then fpm else 0 end^)^),','
echo ,round^(avg^(case when ^(name like 'hrv7%%'^) then fpm else 0 end^)^),','
echo ,round^(avg^(case when ^(name like 'hrv8%%'^) then fpm else 0 end^)^),','
echo ,round^(avg^(case when ^(name like 'hrv9%%'^) then fpm else 0 end^)^),'],'^) as content
echo ,sp_start
echo from nfaparser.flows group by date_format^(from_unixtime^(sp_start^),'%%b-%%e %%H:00'^)
echo order by sp_start desc limit %historyhours%^) tmp
echo order by sp_start asc;
) > %hrvbyflows%.sql
(
echo ^<div class="fullwidth widget" id="hrvbyflowsdiv1"^>
echo ^<H1 class="inline"^>Harvester %historydays% Day Flow Count History^</H1^>
echo ^<script type="text/javascript"^>
echo google.load^("visualization", "1", {packages:["corechart","table"]}^);google.setOnLoadCallback^(drawChart^);
echo function drawChart^(^) {
echo var fpm = google.visualization.arrayToDataTable^([
echo ['Harvester','HRV1','HRV2','HRV3','HRV4','HRV5','HRV6','HRV7','HRV8','HRV9'],
%querynfap% --skip-column-names --batch < %hrvbyflows%.sql
echo ]^);
echo var fpm_options = {title: 'Total Flows During Sample Period per Harvester',legend:{position: 'top'},isStacked: true,titlePosition: 'in'};
echo var chart = new google.visualization.LineChart^(document.getElementById^('fpm'^)^);
::echo var chart = new google.visualization.AreaChart^(document.getElementById^('fpm'^)^);
echo chart.draw^(fpm, fpm_options^);
echo var fpm_data = new google.visualization.DataTable^(^);
echo fpm_data.addColumn^('string','Date'^);
echo fpm_data.addColumn^('number','HRV1'^);
echo fpm_data.addColumn^('number','HRV2'^);
echo fpm_data.addColumn^('number','HRV3'^);
echo fpm_data.addColumn^('number','HRV4'^);
echo fpm_data.addColumn^('number','HRV5'^);
echo fpm_data.addColumn^('number','HRV6'^);
echo fpm_data.addColumn^('number','HRV7'^);
echo fpm_data.addColumn^('number','HRV8'^);
echo fpm_data.addColumn^('number','HRV9'^);
echo fpm_data.addRows^([
) >> %analysisoutfile%
(
echo select content from ^(select
echo concat_ws^(','
echo ,concat^('[\'',date_format^(from_unixtime^(sp_start^),'%%b-%%e'^),'\''^)
echo ,round^(avg^(case when ^(name like 'hrv1%%'^) then fpm else 0 end^)^)
echo ,round^(avg^(case when ^(name like 'hrv2%%'^) then fpm else 0 end^)^)
echo ,round^(avg^(case when ^(name like 'hrv3%%'^) then fpm else 0 end^)^)
echo ,round^(avg^(case when ^(name like 'hrv4%%'^) then fpm else 0 end^)^)
echo ,round^(avg^(case when ^(name like 'hrv5%%'^) then fpm else 0 end^)^)
echo ,round^(avg^(case when ^(name like 'hrv6%%'^) then fpm else 0 end^)^)
echo ,round^(avg^(case when ^(name like 'hrv7%%'^) then fpm else 0 end^)^)
echo ,round^(avg^(case when ^(name like 'hrv8%%'^) then fpm else 0 end^)^)
echo ,concat^(round^(avg^(case when ^(name like 'hrv9%%'^) then fpm else 0 end^)^),'],'^)^) as content
echo from nfaparser.flows
echo group by date_format^(from_unixtime^(sp_start^),'%%b-%%e'^)
echo order by sp_start desc limit %historydays%^) tmp
echo order by sp_start desc;
) > %hrvbyflows%.sql
(
%querynfap% -N < %hrvbyflows%.sql
echo var table = new google.visualization.Table^(document.getElementById^('fpm_data_table'^)^);
echo table.draw^(fpm_data, {alternatingRowStyle: true, page: 'enable', pageSize: 10, cssClassNames: {oddTableRow:'alternatetabrow', tableRow:'tabrow', hoverTableRow: 'hovertabrow', selectedTableRow: 'hovertabrow'}}^);
echo }
echo ^</script^>
echo ^<div id="fpm" class="google_chart"^>^</div^>
echo ^<div id='fpm_data_table' class='datatable'^>^</div^>
echo ^</div^>
) >> %analysisoutfile%
This batch file runs once a day and the output HTML uses the Google Visualization API to graph the data. Having this kind of data built into the product in the current version is a result, in part, of this report I built.
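An added example, not code from the original post: the same extract-and-load step in Python, keeping only all-digit flow counts and well-formed harvester names and binding them as query parameters instead of writing them into SQL text. The sample lines are constructed, SQLite stands in for the poster's MySQL database, timestamps are assumed to be UTC, and the function names are hypothetical.

```python
import re
import sqlite3
from datetime import datetime, timezone

# Constructed findstr-style lines; real harvester log lines may differ in detail.
SAMPLE_LINES = [
    r"e:\netqos\Netflow\Logs\harvester1.log:2014/03/05 10:15:00 Flows/Minute : 18250",
    r"e:\netqos\Netflow\Logs\harvester1.log:2014/03/05 10:16:00 Flows/Minute : 17990",
    r"e:\netqos\Netflow\Logs\harvester1.log:2014/03/05 10:17:00 Flows/Minute : n/a",
    r"e:\netqos\Netflow\Logs\harvester1.log:2014/03/05 10:18:00 Flows/Minute :",
]

LINE_RE = re.compile(r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}).*Flows/Minute : (\d+)\s*$")
NAME_RE = re.compile(r"^([A-Za-z0-9_.-]+)-loggedflows\.txt$")

def harvester_name(path):
    """Take the harvester name from '<harvester name>-loggedflows.txt'."""
    base = re.split(r"[\\/]", path)[-1]
    m = NAME_RE.match(base)
    if not m:
        raise ValueError("unexpected file name: %r" % base)
    return m.group(1)

def parse_lines(lines):
    """Return (rows, rejected); rows are (unix_ts, fpm) with fpm all digits."""
    rows, rejected = [], []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            rejected.append(line)  # keep for review instead of loading it
            continue
        # Assumption: log timestamps are treated as UTC so the result is deterministic.
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
        rows.append((int(ts.timestamp()), int(m.group(2))))
    return rows, rejected

def load(conn, path, lines):
    """Insert with bound parameters; no value is concatenated into the statement."""
    name = harvester_name(path)
    rows, rejected = parse_lines(lines)
    conn.execute("CREATE TABLE IF NOT EXISTS flows (name TEXT, sp_start INTEGER,"
                 " fpm INTEGER, PRIMARY KEY (name, sp_start))")
    conn.executemany("INSERT OR REPLACE INTO flows VALUES (?, ?, ?)",
                     [(name, ts, fpm) for ts, fpm in rows])
    conn.commit()
    return len(rows), rejected
```

The rejected list is worth logging: a harvester whose lines suddenly stop parsing is itself a signal that the log format or the flow feed changed.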
What version of NFA are you using zak4? What are your needs? You can take a look at %installpath%\Netflow\Logs\harvester*.log. I use the following command:
findstr /C:"Flows/Minute" e:\netqos\Netflow\Logs\harvester*.log > E:\nfaparser\loggedflows.txt
To tease out the total harvester flow rates. It doesn't break it down by router, but it gives you an idea of the total.
Hi,
Is there a way we can use such a tool without upgrading? We desperately need it; we actually upgraded the whole system last September. Now we are in the production phase.
Any support will be highly appreciated.
BR,
Many of the features from NAST/NFAParser have been built into the new Flow Statistics page of NFA
Tech Tip: NFA 9.3.2 New Flow Statistics displays flow rates of all of your Harvesters (replaces NAST/NFAParser)
NASTv13/NFAParser for current newest version of NFA
Public version that everyone can vote on.
Because it has internal-only information. I think it would be more effective if a user also submitted the same request as well; product management reviews all of the Ideas and they will be able to combine the votes on each end.
Why not have the admins move it so it retains its current vote count? A new idea would start at 0 votes.
Yes, that is an internal Idea I had submitted. I would recommend opening a Public idea for this request as well.
As Chris mentioned, the enhancement idea that he submitted is "Internal". So you won't be able to access it unless you are logged in with a CA ID that has permission to access internal links.
Thanks Chris for your quick reply..
Me too
I get an error when trying to go to that idea.
Prem,
No, there currently is no tool to replace the NASTv13 tool for NFA 9.3. It works partially on NFA 9.3, but has some issues because the version of MySQL changed to 5.6 in NFA 9.3. Note that NASTv13, while useful, was never an officially supported tool, so it was a use "as is" tool.
I submitted an internal enhancement request for a replacement for this tool in the link below, so please go upvote the idea:
Replacement for NFAParser/NASTv13 tool to get Flows Per Minute and see raw data from devices.
You can use Wireshark as well to determine if you are receiving properly formatted NetFlow, as shown in the doc below:
Tech Tips: How to determine if a NetFlow enabled device is sending the correct fields
Hi Team,
Do we have a utility to run on NFA 9.3?
My client has an issue when running NASTv13.exe.
It gives the error below.
Can't call method "QueryValueEx" on an undefined value at script/nfaparser.pl line 134, <STDIN> line 1
thanks,
Prem