Hi all, Per recommendations on the mailing list, I went ahead and took the jump to ntopng + nprobe (demo). I have a Cisco 891 producing netflows and sending them to my nprobe collector, which then feeds ntopng with ZMQ flow. It is exporting NetFlow v9.
I'm also having a hard time identifying traffic and top talkers. I'm not finding it as easy as it was with ntop. I fire off test downloads and have a hard time identifying the result as a top talker (which it most def is).

Nprobe start (tried to get every flag I could in there. %PROTOCOL_MAP was removed because ntopng didn't like it):

    nprobe --zmq "tcp://*:5556" -i none -n none -t 120 -d 15 -l 60 --tunnel --bi-directional -L 192.168.50.0/24,192.168.99.0/24,192.168.23.0/24,192.168.59.0/24,XX.XX.Y59.16/28 -r --collector-port 2055 -V 9 -T '%IN_PKTS %IN_BYTES %SRC_TOS %IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %FIRST_SWITCHED %LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL %SRC_AS %DST_AS %IPV4_SRC_MASK %IPV4_DST_MASK %OUT_BYTES %INPUT_SNMP %OUTPUT_SNMP %OUT_PKTS %IN_SRC_MAC %OUT_DST_MAC %SRC_VLAN %DST_VLAN %DIRECTION %FLOW_ID %FLOW_START_SEC %FLOW_END_SEC %BIFLOW_DIRECTION %FRAME_LENGTH %DHCP_CLIENT_MAC %DHCP_CLIENT_IP %DHCP_CLIENT_NAME %HTTP_URL %MYSQL_USERNAME %MYSQL_DB %SMTP_MAIL_FROM %SMTP_RCPT_TO %RTP_IN_JITTER %RTP_OUT_JITTER %RTP_SIP_CALL_ID %POP_USER %SIP_CALL_ID %SIP_CALLING_PARTY %SIP_CALLED_PARTY %SIP_RTP_CODECS %FTP_LOGIN %FTP_PASSWORD %FLOWS %CLIENT_NW_DELAY_SEC %CLIENT_NW_DELAY_USEC %SERVER_NW_DELAY_SEC %SERVER_NW_DELAY_USEC %APPL_LATENCY_SEC %APPL_LATENCY_USEC %L7_PROTO %L7_PROTO_NAME' -b 2 --account-l2 --vlanid-as-iface-idx

Ntopng start:

    ntopng -i tcp://localhost:5556 -l -w 3000 -m 192.168.50.0/24,192.168.99.0/24,192.168.23.0/24,192.168.59.0/24,XX.XX.Y9.16/28

When I fire off my test download, I expect the dashboard to show my hostname in the pretty flow table until the download stops. That is not the case. I have an easier time tracking it down in Active Flows, but the stats seem weird.

For starters - VLAN tags aren't coming through. All report as 0.

Second, throughput seems to be just flat out wrong. A few dozen bytes per second on a flow I'm downloading at 300-600 KB/sec? Doesn't seem right.
Third, all of a sudden my Durations are listed as 136 years?!

Fourth (and I just tried increasing flow timeout to try and fix this), I'd like my 2GB file download to come up as a single flow. Sometimes, when testing this even on a 100MB file, the flow will disappear and reappear with a new total counter. If I add the two flows, they equal out to be the size of the file.

Fifth, since nprobe is in demo mode and supports a max of 25,000 flows - how do I make ntopng/nprobe forget about the first flows and continue rolling the window? Sort of on a FIFO basis?

My main task is being able to identify top talkers within the last few hours. Not deep historical analysis or packet inspection beyond identifying the traffic.

Here are some relevant lines from my cisco config:

    ip flow-capture fragment-offset
    ip flow-capture packet-length
    ip flow-capture ttl
    ip flow-capture vlan-id
    ip flow-capture icmp
    ip flow-capture ip-id
    ip flow-capture mac-addresses
    ip flow-export source Vlan50
    ip flow-export version 9
    ip flow-export template options timeout-rate 1
    ip flow-export template timeout-rate 1
    ip flow-export destination 192.168.50.150 2055
    ip flow-export destination 192.168.50.51 2055     <-- two ntop test boxes.
    ip flow-top-talkers top 25 sort-by bytes
    ip flow-cache timeout inactive 45
    ip flow-cache timeout active 1

My interfaces have "ip flow ingress" and "ip flow egress" on them (including vlan50).

Daniel
_______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
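As an added example (it is not nprobe or ntopng code, and not the poster's), the following Python script shows how a collector can handle three of the symptoms raised in the post on records shaped like the template fields listed above: records of one long download that the exporter split at its active timeout are coalesced by 5-tuple plus VLAN; a duration is rejected when the end timestamp precedes the start, rather than computed as an unsigned 32-bit difference, which comes out at about 2^32 seconds, roughly 136 years (that this is the cause of the reported durations is an assumption, not something the post confirms); and top talkers are ranked over a rolling time window that is also capped at a maximum flow count, i.e. FIFO eviction. Every record, address and timestamp here is constructed for the example; the field names mirror the nprobe template but the record format is a plain dict, not the ZMQ wire format.

```python
"""Merge NetFlow records split by the exporter's active timeout, sanity-check
durations, and rank top talkers over a rolling window. Added example; not
nprobe or ntopng code. All input data below is constructed."""
from collections import defaultdict

UINT32 = 1 << 32
SECONDS_PER_YEAR = 365.25 * 24 * 3600
NOW = 1_700_000_000  # constructed "current time", epoch seconds

# Fields that identify one conversation: 5-tuple plus the source VLAN.
FLOW_KEY = ("IPV4_SRC_ADDR", "IPV4_DST_ADDR", "L4_SRC_PORT",
            "L4_DST_PORT", "PROTOCOL", "SRC_VLAN")


def rec(src, dst, sport, dport, proto, vlan, nbytes, pkts, start, end):
    """Build one record using the nprobe template field names (constructed data)."""
    return {"IPV4_SRC_ADDR": src, "IPV4_DST_ADDR": dst, "L4_SRC_PORT": sport,
            "L4_DST_PORT": dport, "PROTOCOL": proto, "SRC_VLAN": vlan,
            "IN_BYTES": nbytes, "IN_PKTS": pkts,
            "FLOW_START_SEC": start, "FLOW_END_SEC": end}


SAMPLE_RECORDS = [
    # One 100 MB download, exported as three records by a 60 s active timeout.
    rec("203.0.113.10", "192.168.50.20", 443, 51234, 6, 50, 36_000_000, 24_000, NOW - 300, NOW - 240),
    rec("203.0.113.10", "192.168.50.20", 443, 51234, 6, 50, 36_000_000, 24_000, NOW - 240, NOW - 180),
    rec("203.0.113.10", "192.168.50.20", 443, 51234, 6, 50, 28_000_000, 18_700, NOW - 180, NOW - 150),
    # A single-packet DNS query: zero duration, so no meaningful throughput.
    rec("192.168.50.20", "192.168.50.1", 53211, 53, 17, 50, 120, 1, NOW - 100, NOW - 100),
    # A flow from six hours ago: outside a two-hour window, must be evicted.
    rec("192.168.99.7", "198.51.100.5", 4444, 80, 6, 99, 5_000_000, 3_400, NOW - 6 * 3600, NOW - 6 * 3600 + 30),
    # A record whose end precedes its start: the "136 years" artifact source.
    rec("192.168.23.9", "192.168.23.1", 22222, 22, 6, 23, 3_000, 20, NOW - 50, NOW - 60),
]


def flow_key(r):
    return tuple(r[f] for f in FLOW_KEY)


def naive_uint32_duration(first, last):
    """What an unchecked unsigned 32-bit subtraction yields for last < first."""
    return (last - first) % UINT32


def safe_duration(first, last):
    """Duration in seconds, or None when the record is not sane (end before start)."""
    return None if last < first else last - first


def merge_split_flows(records, gap_seconds=5):
    """Coalesce records of the same key whose time ranges touch (within gap_seconds).
    Input records are not modified; each merged flow carries a 'segments' count."""
    by_key = defaultdict(list)
    for r in records:
        by_key[flow_key(r)].append(r)
    merged = []
    for recs in by_key.values():
        recs = sorted(recs, key=lambda r: r["FLOW_START_SEC"])
        current = None
        for r in recs:
            if current is not None and r["FLOW_START_SEC"] - current["FLOW_END_SEC"] <= gap_seconds:
                current["IN_BYTES"] += r["IN_BYTES"]
                current["IN_PKTS"] += r["IN_PKTS"]
                current["FLOW_END_SEC"] = max(current["FLOW_END_SEC"], r["FLOW_END_SEC"])
                current["segments"] += 1
            else:
                current = dict(r, segments=1)
                merged.append(current)
    return merged


def throughput_bps(flow):
    """Bits per second over the flow's lifetime; None for zero or invalid duration."""
    dur = safe_duration(flow["FLOW_START_SEC"], flow["FLOW_END_SEC"])
    return None if not dur else flow["IN_BYTES"] * 8 / dur


def rolling_window(flows, now, window_seconds, max_flows):
    """Keep flows that ended within the window, newest first, capped at max_flows (FIFO)."""
    recent = [f for f in flows if f["FLOW_END_SEC"] >= now - window_seconds]
    recent.sort(key=lambda f: f["FLOW_END_SEC"], reverse=True)
    return recent[:max_flows]


def top_talkers(flows, n=5):
    """Bytes per host, counting traffic the host sent and received, largest first."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["IPV4_SRC_ADDR"]] += f["IN_BYTES"]
        totals[f["IPV4_DST_ADDR"]] += f["IN_BYTES"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def report(records=SAMPLE_RECORDS, now=NOW, window_seconds=2 * 3600, max_flows=25_000):
    flows = rolling_window(merge_split_flows(records), now, window_seconds, max_flows)
    return {"flows": flows, "top": top_talkers(flows)}


if __name__ == "__main__":
    out = report()
    for host, nbytes in out["top"]:
        print(f"{host:16} {nbytes:>12} bytes")
    for f in out["flows"]:
        bps = throughput_bps(f)
        print(f["IPV4_SRC_ADDR"], "->", f["IPV4_DST_ADDR"], f["segments"], "segment(s)",
              "n/a" if bps is None else f"{bps / 8 / 1024:.0f} KB/s")
```

The merge step only joins records whose end and next start are within a few seconds of each other, so two separate downloads between the same hosts on different ports stay separate; the cap in rolling_window is what a demo-limited collector would need to keep the newest flows and drop the oldest.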
