Different number of sample found when comparing data from RA Report Analyzer to NFA Network Flow Analyzer

Document ID : KB000020270
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

CA have seen this where a customer raised an issue comparing results and differences between the same report in RA to the same report in NFA.
They saw sample results, and high and unreasonable data/traffic values.
For instance, they couldn't understand is why they had compared having seen 121 samples in RA and only 53 sample in NFA.

Example;

RA 9.0 (121 samples 1 min res)- for > Stacked Protocol Trend - In 3 Apr 15:43 - 3 Apr 17:43

NFA 9.1 (53 samples- 1 min res) - for > Stacked Protocol Trend - In exact same time period.

CA support should be sent the CACDF files (Now called CA Remote Engineer) this exe needs to be used to gather support logs from the harvester in question and a wire shark PCAP frm the interface/link for CA to analyze and review to see if perhaps your issue matches this known problem.
Please see - ftp://ftp.ca.com/caproducts/tools/Documentation/CA_RemoteEngineer_Information_Gathered.htm
and
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={EFE86F1C-4379-4417-94A6-8C4947D5853F }

Any why is this happening - Well It 'might' be the flow is sending 'counter' samples, which were not supported by CA code before the release of NFA 9.1.3.
After raising a support case, then please send files and the PCAP for CA Support to analyze this further for you.

Solution:

Potential fix, if the issue matches;

That CA found a bug in it's flow parsing code that was introduced in 9.1.0.and we have fixed it for the NFA 9.1.3 release, which should be due out late Summer 2013.

Defect - 117515