Stefano
This is strange. We need to investigate it: are the flows with no protocol
detected new flows, or continuations of old flows that netflow cut into
sub-flows?
Regards Luca
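One way to answer the question Luca raises (new flows or sub-flow continuations?) from the exported records themselves. This is an added example, not nprobe code and not something from the thread: it runs on a few constructed records shaped like the columns in Stefano's -T template (FIRST_SWITCHED, LAST_SWITCHED, TCP_FLAGS, PROTOCOL, the L4 ports and L7_PROTO); the addresses, timestamps, flag values and the 120 s sub-flow gap are assumptions made for the illustration.

```python
"""Classify flow records with L7_PROTO == 0 as new flows or continuations of an
already-labelled flow that was exported in pieces (sub-flows).

Added example, not nprobe code. The records below are constructed; the field
layout follows the -T template from the thread."""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst sport dport proto flags first last l7")

TCP, UDP = 6, 17
TCP_SYN = 0x02        # bit set in the cumulative TCP_FLAGS field when a SYN was seen
SUBFLOW_GAP = 120     # assumption: records on one 5-tuple this close in time belong together

# Constructed sample records (times in seconds, L7 112 = LDAP as in Stefano's table).
FLOWS = [
    # a TCP LDAP session exported as two sub-flows: only the first carries the label
    Flow("10.0.0.5", "10.0.0.10", 50001, 389, TCP, 0x1a, 100, 160, 112),
    Flow("10.0.0.5", "10.0.0.10", 50001, 389, TCP, 0x18, 161, 220, 0),
    # a brand new TCP session (SYN seen) that was never labelled at all
    Flow("10.0.0.6", "10.0.0.10", 50002, 389, TCP, 0x1a, 300, 310, 0),
    # UDP on port 389: first record labelled, a later record on the same tuple not
    Flow("10.0.0.7", "10.0.0.10", 50003, 389, UDP, 0x00, 400, 401, 112),
    Flow("10.0.0.7", "10.0.0.10", 50003, 389, UDP, 0x00, 420, 421, 0),
]


def five_tuple(f):
    return (f.src, f.dst, f.sport, f.dport, f.proto)


def classify(flows, gap=SUBFLOW_GAP):
    """Return [(flow, 'new' | 'continuation')] in time order.

    A TCP record whose flags include SYN starts a session whatever came before it.
    Otherwise a record on a tuple seen at most `gap` seconds earlier is treated as a
    sub-flow of that earlier record (a long flow exported in several pieces)."""
    last_seen = {}
    out = []
    for f in sorted(flows, key=lambda x: x.first):
        key = five_tuple(f)
        prev = last_seen.get(key)
        if f.proto == TCP and f.flags & TCP_SYN:
            label = "new"
        elif prev is not None and 0 <= f.first - prev.last <= gap:
            label = "continuation"
        else:
            label = "new"
        last_seen[key] = f
        out.append((f, label))
    return out


def undetected_breakdown(flows):
    """Count how the records with no protocol detected split between the two cases."""
    counts = {"new": 0, "continuation": 0}
    for f, label in classify(flows):
        if f.l7 == 0:
            counts[label] += 1
    return counts


def carry_labels(flows):
    """Propagate the L7 label of the first sub-flow onto later unlabelled sub-flows of
    the same session, so a report does not show a labelled LDAP session as unknown
    halfway through. Returns the resulting L7_PROTO values in time order."""
    label_of = {}
    out = []
    for f, kind in classify(flows):
        key = five_tuple(f)
        if kind == "new":
            label_of[key] = f.l7
        elif f.l7 == 0 and label_of.get(key, 0):
            f = f._replace(l7=label_of[key])
        elif f.l7:
            label_of[key] = f.l7
        out.append(f.l7)
    return out


if __name__ == "__main__":
    for f, label in classify(FLOWS):
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport} proto={f.proto} l7={f.l7:3d} {label}")
    print(undetected_breakdown(FLOWS))
    print(carry_labels(FLOWS))
```

On the constructed records the breakdown comes out as one new flow and two continuations; on real data from the lflows table the same two counts tell you which of Luca's two cases you are looking at before anyone digs into the probe itself.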
On 03/07/2013 11:54 AM, Stefano Bianchi wrote:
Luca,
Thanks for the quick response. I may have done something wrong, because I
fail somewhere.
I downloaded the latest version of nprobe and built it.
I'm looking at some LDAP packets not recognized by nprobe, so I added
tcp:389@LDAP
to the protos file and started the probe.
Some packets are recognised and some are not, and for those neither L7_PROTO
nor L7_PROTO_NAME is filled. I see it in the database where I store the
flows.
mysql> select L7_PROTO,L7_PROTO_NAME,PROTOCOL from lflows where
L4_DST_PORT = 389;
+----------+---------------+----------+
| L7_PROTO | L7_PROTO_NAME | PROTOCOL |
+----------+---------------+----------+
|        0 |               |       17 |
|      112 | LDAP          |       17 |
|      112 | LDAP          |        6 |
|      112 | LDAP          |        6 |
|      112 | LDAP          |        6 |
|      112 | LDAP          |        6 |
|      112 | LDAP          |        6 |
|      112 | LDAP          |       17 |
|      112 | LDAP          |        6 |
|        0 |               |        6 |
|        0 |               |        6 |
|      112 | LDAP          |        6 |
|      112 | LDAP          |        6 |
|      112 | LDAP          |        6 |
|      112 | LDAP          |        6 |
|      112 | LDAP          |        6 |
|      112 | LDAP          |        6 |
|      112 | LDAP          |        6 |
|      112 | LDAP          |        6 |
|      112 | LDAP          |        6 |
|      112 | LDAP          |        6 |
|      112 | LDAP          |        6 |
|        0 |               |       17 |
|      112 | LDAP          |        6 |
|      112 | LDAP          |        6 |
|      112 | LDAP          |        6 |
|      112 | LDAP          |        6 |
|      112 | LDAP          |        6 |
+----------+---------------+----------+
28 rows in set (0.00 sec)
What could be wrong?
I start it using this init.d script:
#!/bin/sh
<snip>
<snip>
PIDFILE="/var/tmp/nprobe.pid"
NETFLOW_COLLECTOR="udp://110.9.44.88:3002"
DB_HOST="localhost"
DB_SCHEMA="nprobe"
DB_TABPREFIX="l"
DB_USER="nprobe"
DB_PASSWORD="xxxppppp"
PROTOS="/tmp/protos.txt"
BINPATH="/home/ops/nprobe_6.11.130301_svn3231_proplugins"

case "$1" in
start)
    echo "Starting nprobe"
    # fetch the current protos file, then hand it to nprobe via --ndpi-proto-ports
    wget --no-proxy -N -O /tmp/protos.txt http://10.19.61.88/protos.txt
    # every line of the command ends in a backslash so the shell sees one command line
    # (without it the options after the first line are run as separate commands)
    $BINPATH/nprobe -i eth2 -Q 1 -u 1 -G -b 2 -g "$PIDFILE" \
        --ndpi-proto-ports "$PROTOS" \
        -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %IN_BYTES \
%FIRST_SWITCHED %LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL %SRC_TOS \
%SRC_AS %DST_AS %IPV4_SRC_MASK %IPV4_DST_MASK %FLOWS %FRAGMENTS %CLIENT_NW_DELAY_SEC \
%CLIENT_NW_DELAY_USEC %SERVER_NW_DELAY_SEC %SERVER_NW_DELAY_USEC %APPL_LATENCY_SEC %APPL_LATENCY_USEC \
%NUM_PKTS_UP_TO_128_BYTES %NUM_PKTS_128_TO_256_BYTES %NUM_PKTS_256_TO_512_BYTES %NUM_PKTS_512_TO_1024_BYTES \
%NUM_PKTS_1024_TO_1514_BYTES %NUM_PKTS_OVER_1514_BYTES %FLOW_PROTO_PORT %LONGEST_FLOW_PKT %SHORTEST_FLOW_PKT \
%RETRANSMITTED_IN_PKTS %RETRANSMITTED_OUT_PKTS %OOORDER_IN_PKTS %OOORDER_OUT_PKTS %L7_PROTO %L7_PROTO_NAME" \
        -n "$NETFLOW_COLLECTOR" \
        "--mysql=$DB_HOST:$DB_SCHEMA:$DB_TABPREFIX:$DB_USER:$DB_PASSWORD" > /var/log/nprobe
    ;;
<snip>
<snip>
On 07/03/2013 11:18, Luca Deri wrote:
Stefano
If the name is the same as an existing protocol, then you "enrich"
the old protocol. If it is a new string, you create a new protocol.
Cheers Luca
On Mar 7, 2013, at 11:16 AM, Stefano Bianchi
<[email protected]> wrote:
Hi there,
A question about nprobe & the "protos" file.
If I write a list like
tcp:81,tcp:8181@HTTP
udp:5061@SIP
tcp:860,udp:860,tcp:3260,udp:3260@iSCSI
tcp:443@HTTPS
tcp:3229@global-cd-port
tcp:3288,udp:3288@COPS
tcp:1521@ORACLE-LISTENER
is this list valid? I mean, must the @protocol/application name be one of
the 155 recognized by nprobe/nDPI, or may it be an arbitrary name (and how
does it fit in the L7_PROTO field sent in the NetFlow v9 packet)?
thanks in advance
/stefano
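A small checker for the protos file format discussed in this thread (Stefano's list above, plus the tcp:389@LDAP line from his follow-up) that applies the rule in Luca's answer: a name that already exists enriches that protocol, any other string defines a new one. This is an added example, not nprobe's or nDPI's own parser. It assumes that '#' starts a comment and that names are matched case-insensitively; KNOWN_NDPI_NAMES is a placeholder set, the real list is whatever the nprobe/nDPI build you run recognizes.

```python
"""Parse and sanity-check an nprobe "protos" file (lines such as tcp:81,tcp:8181@HTTP)
before handing it to --ndpi-proto-ports.

Added example, not nprobe/nDPI code. Assumptions: '#' starts a comment, names are
compared case-insensitively, KNOWN_NDPI_NAMES is only a placeholder."""

# Placeholder: a few names nDPI does know. Replace with the list from your own build.
KNOWN_NDPI_NAMES = {"HTTP", "HTTPS", "SIP", "LDAP", "DNS", "SSH"}

# Sample input: the lines posted in the thread plus the later tcp:389@LDAP entry.
SAMPLE_PROTOS = """\
tcp:81,tcp:8181@HTTP
udp:5061@SIP
tcp:860,udp:860,tcp:3260,udp:3260@iSCSI
tcp:443@HTTPS
tcp:3229@global-cd-port
tcp:3288,udp:3288@COPS
tcp:1521@ORACLE-LISTENER
tcp:389@LDAP
"""


def parse_protos(text):
    """Return ({(transport, port): name}, [error strings]).

    Malformed entries and a port mapped to two different names are reported rather
    than silently dropped, so a typo cannot quietly relabel traffic."""
    table, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # assumption: '#' starts a comment
        if not line:
            continue
        if line.count("@") != 1:
            errors.append(f"line {lineno}: expected exactly one '@' in {raw!r}")
            continue
        ports_part, name = line.split("@")
        name = name.strip()
        if not name:
            errors.append(f"line {lineno}: empty protocol name")
            continue
        for item in ports_part.split(","):
            item = item.strip()
            transport, sep, port_s = item.partition(":")
            transport = transport.lower()
            if not sep or transport not in ("tcp", "udp") or not port_s.isdigit():
                errors.append(f"line {lineno}: bad port spec {item!r}")
                continue
            port = int(port_s)
            if not 1 <= port <= 65535:
                errors.append(f"line {lineno}: port {port} out of range")
                continue
            key = (transport, port)
            if key in table and table[key] != name:
                errors.append(f"line {lineno}: {transport}:{port} already mapped to "
                              f"{table[key]}, now {name}")
                continue
            table[key] = name
    return table, errors


def classify_names(table, known=KNOWN_NDPI_NAMES):
    """Split the names into those that enrich an existing protocol and those that
    would define a new one (Luca's rule). Returns (enrich, new) as sets."""
    known_upper = {k.upper() for k in known}
    enrich, new = set(), set()
    for name in table.values():
        (enrich if name.upper() in known_upper else new).add(name)
    return enrich, new


if __name__ == "__main__":
    table, errors = parse_protos(SAMPLE_PROTOS)
    for err in errors:
        print("ERROR:", err)
    enrich, new = classify_names(table)
    print(f"{len(table)} port mappings")
    print("enrich existing protocols:", sorted(enrich))
    print("define new protocols:     ", sorted(new))
```

With the placeholder name set, HTTP, HTTPS, SIP and LDAP enrich existing protocols while iSCSI, global-cd-port, COPS and ORACLE-LISTENER would each create a new one; swap in your build's real name list before trusting that split, and treat any reported error as a reason not to start the probe with that file.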
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop