Thanks for the very fast reply! Indeed, adding the four IEs you highlighted solved the problem. IPFIX biflows are now exported. Thank you very much!
As a side note: for me, adding the above four IEs to the template is enough to export biflows. It is not necessary to add the "--bi-directional" switch. The only effect that this switch has is the warning message that it's unrecognized.

regards
Felix

On 23/08/17 11:39, Luca Deri wrote:
> Felix
> please see (-h) but in general the option below
>
> [--biflows-export-policy|-N] <pol> | Bi-directional flows export policy:
>                                    | 1 - export bi-directional flows only
>                                    | 2 - export mono-directional flows only
>
> allows you to export only biflows or uniflows. This is not what you want
> to do (export bi-directional flows). To do so please
> 1. in the -T use at least the basic information elements such as
> protocols and bytes. nprobe should have reported this in the startup log
> 2. you need to use both IN and OUT as in the example below
>
> nprobe -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR *%IN_PKTS
> %IN_BYTES **%OUT_PKTS %OUT_BYTES*%FIRST_SWITCHED %LAST_SWITCHED
> %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL ..."
>
> Regards Luca
>
> @Simone: please fix the nProbe manual
>
>
>> On 23 Aug 2017, at 11:27, Felix Erlacher <[email protected]
>> <mailto:[email protected]>> wrote:
>>
>> Dear ntop team,
>>
>> I am using nprobe pro (8.1.170821) with the http plugin.
>> The nprobe manual (8.1) states that to force flows to be bidirectional
>> one should use the "--bi-directional" switch.
>> If I run:
>>
>> sudo nprobe -n tcp://10.0.0.2:4740 -i /mynetworktrace.pcap
>> --bi-directional -V10 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %PROTOCOL
>> %L4_SRC_PORT %L4_DST_PORT %FIRST_SWITCHED %LAST_SWITCHED %HTTP_URL
>> %HTTP_METHOD"
>>
>> it works fine but no IPFIX biflows are exported and the output says
>> "nprobe: unrecognized option '--bi-directional'".
>> I also tried adding the "--biflows-export-policy 2" switch to the above
>> command, but still the above "unrecognized option" error appears.
>>
>> Am I missing something obvious?
>> Are there any other options to export IPFIX biflows?
>>
>> thanks and regards
>>
>> Felix
>> _______________________________________________
>> Ntop-misc mailing list
>> [email protected] <mailto:[email protected]>
>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
