jk_sui
Enthusiast

ICMP and dynamic ports


Hello everyone!

I hope someone can help me out here.

We have deployed vRNI in our environment and I am (almost) in love with the tool.
It helped me a lot in network troubleshooting.

I have two questions about what is collected and shown by vRNI.

Are ICMP packets collected? If so, how do I see them?

And how about not well known ports?
I have a VM (on an overlay NSX-T network) where I successfully connect to an IP (outside of the SDDC) with ports 22, 443 and 80. If I do that, I can see all the flows from that VM to the IP. But if I try to connect with port 7999 (for example) I don't see a flow with that port. The connection on port 7999 will not be established (destination not listening or blocked by outside firewall), but I should still see the flow from the VM (as it is the source and as it is connected to vRNI), right?

The NSX-T manager cluster and vCenter of the VM are configured as datasources in vRNI with everything enabled.

I am a bit uncertain about what to expect, and that is not so nice for troubleshooting. I hope someone can clarify this for me.
Thanks!

1 Solution

Accepted Solutions
smitmartijn
VMware Employee

Hi there,

  • Are ICMP packets collected? If so, how do I see them?

vRNI currently logs TCP and UDP flows only, so you won't see ICMP in there.

  • And how about not well known ports?

Well-known ports are named (HTTPS, SSH, etc.), and non-well-known ports are indeed logged, but might not be named. It'll show you the port number, just perhaps not a name for it. 

  • The connection on port 7999 will not be established

Flow generation (on vCenter or physical switches) only happens when there's an established connection. Flows that get blocked don't have an established connection and won't show up in vRNI. However, if the flow gets blocked by NSX or the native Azure security policies, there's a special integration that will show those flows. You can see blocked flows in the security planner or by searching for: flows where firewall action = deny
