Daniel, if you use nProbe in proxy mode, you do not need to pass all the options, as the best nProbe can do is to convert your flows.
In essence nprobe --zmq "tcp://*:5556" -i none -n none --collector-port 2055 should be enough. Please provide screenshots that demonstrate the problem.

Thanks
Luca

On 29 Apr 2014, at 20:57, Daniel Dudkin <[email protected]> wrote:

> Hi all,
>
> Per recommendations on the mailing list, I went ahead and took the jump to
> ntopng + nprobe (demo). I have a Cisco 891 producing netflows and sending
> them to my nprobe collector, which then feeds ntopng with ZMQ flow. It is
> exporting NetFlow v9.
>
> I’m also having a hard time identifying traffic and top talkers. I’m not
> finding it as easy as it was with ntop. I fire off test downloads and have a
> hard time identifying the result as a top talker (which it most def is).
>
> Nprobe start (tried to get every flag I could in there. %PROTOCOL_MAP was
> removed because ntopng didn’t like it):
>
> nprobe --zmq "tcp://*:5556" -i none -n none -t 120 -d 15 -l 60 --tunnel --bi-directional -L 192.168.50.0/24,192.168.99.0/24,192.168.23.0/24,192.168.59.0/24,XX.XX.Y59.16/28 -r --collector-port 2055 -V 9 -T '%IN_PKTS %IN_BYTES %SRC_TOS %IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %FIRST_SWITCHED %LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL %SRC_AS %DST_AS %IPV4_SRC_MASK %IPV4_DST_MASK %OUT_BYTES %INPUT_SNMP %OUTPUT_SNMP %OUT_PKTS %IN_SRC_MAC %OUT_DST_MAC %SRC_VLAN %DST_VLAN %DIRECTION %FLOW_ID %FLOW_START_SEC %FLOW_END_SEC %BIFLOW_DIRECTION %FRAME_LENGTH %DHCP_CLIENT_MAC %DHCP_CLIENT_IP %DHCP_CLIENT_NAME %HTTP_URL %MYSQL_USERNAME %MYSQL_DB %SMTP_MAIL_FROM %SMTP_RCPT_TO %RTP_IN_JITTER %RTP_OUT_JITTER %RTP_SIP_CALL_ID %POP_USER %SIP_CALL_ID %SIP_CALLING_PARTY %SIP_CALLED_PARTY %SIP_RTP_CODECS %FTP_LOGIN %FTP_PASSWORD %FLOWS %CLIENT_NW_DELAY_SEC %CLIENT_NW_DELAY_USEC %SERVER_NW_DELAY_SEC %SERVER_NW_DELAY_USEC %APPL_LATENCY_SEC %APPL_LATENCY_USEC %L7_PROTO %L7_PROTO_NAME' -b 2 --account-l2 --vlanid-as-iface-idx
>
> Ntopng start:
>
> ntopng -i tcp://localhost:5556 -l -w 3000 -m 192.168.50.0/24,192.168.99.0/24,192.168.23.0/24,192.168.59.0/24,XX.XX.Y9.16/28
>
> When I fire off my test download, I expect the dashboard to show my hostname
> in the pretty flow table until the download stops. That is not the case.
>
> I have an easier time tracking it down in Active Flows, but the stats seem
> weird. For starters – VLAN tags aren’t coming through. All report as 0.
>
> Second, throughput seems to be just flat out wrong. A few dozen bytes per
> second on a flow I’m downloading at 300-600 KB/sec? Doesn’t seem right.
>
> Third, all of a sudden my Durations are listed as 136 years?!
>
> Fourth (and I just tried increasing flow timeout to try and fix this), I’d
> like my 2GB file download to come up as a single flow. Sometimes, when
> testing this even on a 100MB file, the flow will disappear and reappear with
> a new total counter. If I add the two flows, they equal out to be the size of
> the file.
>
> Fifth, since nprobe is in demo mode and supports a max of 25,000 flows – how
> do I make ntopng/nprobe forget about the first flows and continue rolling the
> window? Sort of on a FIFO basis? My main task is being able to identify top
> talkers within the last few hours. Not deep historical analysis or packet
> inspection beyond identifying the traffic.
>
> Here are some relevant lines from my cisco config
>
> ip flow-capture fragment-offset
> ip flow-capture packet-length
> ip flow-capture ttl
> ip flow-capture vlan-id
> ip flow-capture icmp
> ip flow-capture ip-id
> ip flow-capture mac-addresses
> ip flow-export source Vlan50
> ip flow-export version 9
> ip flow-export template options timeout-rate 1
> ip flow-export template timeout-rate 1
> ip flow-export destination 192.168.50.150 2055
> ip flow-export destination 192.168.50.51 2055    <-- two ntop test boxes.
> ip flow-top-talkers
>  top 25
>  sort-by bytes
>
> ip flow-cache timeout inactive 45
> ip flow-cache timeout active 1
>
> my interfaces have “ip flow ingress” and “ip flow egress” on them (including
> vlan50)
>
> Daniel
>
> _______________________________________________
> Ntop mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop
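Two of the symptoms in Daniel's message (a download showing up as two flows whose byte counts add up to the file size, and durations of "136 years") are things a collector has to handle when it reads NetFlow v9 records. The following Python is an added example, not nProbe, ntopng or Cisco code and not from this thread: it merges records that share a 5-tuple (what an exporter with Cisco's one-minute `ip flow-cache timeout active 1` produces for a long transfer), anchors the uptime-relative FIRST_SWITCHED/LAST_SWITCHED fields to wall-clock time using the export header, and shows how an unsigned 32-bit subtraction with the end timestamp before the start wraps to roughly 2^32 seconds, which is about 136 years. The timestamp semantics (32-bit milliseconds of exporter uptime, anchored by the packet header's sysUptime/unix_secs pair) and the wrap-around explanation of the 136-year figure are assumptions of this example, not diagnoses confirmed by the thread; all flow records are constructed sample data.

```python
"""Merging NetFlow v9 records split by an exporter's active timeout and
computing flow durations from uptime-relative timestamps.

Added example, not nProbe/ntopng/Cisco code. Assumptions, labelled because
the thread does not state them:
  * FIRST_SWITCHED / LAST_SWITCHED are 32-bit milliseconds of exporter
    uptime; the export packet header's sys_uptime/unix_secs anchor them.
  * The '136 years' value is shown as the result of an unsigned 32-bit
    subtraction whose end is before its start (2^32 s is ~136.1 years);
    a plausible mechanism, not a confirmed diagnosis.
All flow records below are constructed sample data.
"""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Tuple

UINT32 = 1 << 32
SECONDS_PER_YEAR = 365.25 * 86400   # 31,557,600 s; 2^32 s is ~136.1 years

FlowKey = Tuple[str, str, int, int, int]


@dataclass
class ExportHeader:
    """NetFlow v9 packet header fields used to anchor record timestamps."""
    sys_uptime_ms: int   # exporter uptime when this packet was sent
    unix_secs: int       # wall-clock seconds when this packet was sent


@dataclass
class FlowRecord:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    first_switched_ms: int   # FIRST_SWITCHED: 32-bit exporter uptime, ms
    last_switched_ms: int    # LAST_SWITCHED:  32-bit exporter uptime, ms
    in_bytes: int            # IN_BYTES
    in_pkts: int             # IN_PKTS

    def key(self) -> FlowKey:
        return (self.src, self.dst, self.sport, self.dport, self.proto)


def uptime_ms_to_epoch(hdr: ExportHeader, switched_ms: int) -> float:
    """Convert an uptime-relative timestamp to wall-clock epoch seconds."""
    boot_epoch = hdr.unix_secs - hdr.sys_uptime_ms / 1000.0
    return boot_epoch + switched_ms / 1000.0


def duration_seconds(rec: FlowRecord) -> float:
    """Flow duration that survives sysUptime wrapping past 2^32 ms (~49.7 days)."""
    return ((rec.last_switched_ms - rec.first_switched_ms) % UINT32) / 1000.0


def unsigned32_duration_years(start_s: int, end_s: int) -> float:
    """Assumed failure mode: subtracting two timestamps as unsigned 32-bit
    seconds yields ~2^32 s (about 136 years) whenever the end is even
    slightly before the start, e.g. after mixing uptime and epoch values."""
    return ((end_s - start_s) % UINT32) / SECONDS_PER_YEAR


def merge_split_flows(records: Iterable[FlowRecord]) -> Dict[FlowKey, FlowRecord]:
    """Coalesce records sharing a 5-tuple: sum counters, keep the earliest
    start and the latest end. A short active timeout (Cisco's
    'ip flow-cache timeout active 1' is one minute) exports a long download
    as one record per minute; this reassembles the pieces. Assumes uptime
    does not wrap within a single flow's lifetime."""
    merged: Dict[FlowKey, FlowRecord] = {}
    for r in records:
        m = merged.get(r.key())
        if m is None:
            merged[r.key()] = replace(r)   # copy, leave the input untouched
            continue
        m.in_bytes += r.in_bytes
        m.in_pkts += r.in_pkts
        m.first_switched_ms = min(m.first_switched_ms, r.first_switched_ms)
        m.last_switched_ms = max(m.last_switched_ms, r.last_switched_ms)
    return merged


def top_talkers(records: Iterable[FlowRecord], hdr: ExportHeader) -> List[dict]:
    """Merged flows sorted by bytes, with duration and throughput computed
    for the whole transfer rather than for one exported slice."""
    rows = []
    for key, f in merge_split_flows(records).items():
        dur = duration_seconds(f)
        rows.append({
            "key": key,
            "bytes": f.in_bytes,
            "pkts": f.in_pkts,
            "start_epoch": uptime_ms_to_epoch(hdr, f.first_switched_ms),
            "duration_s": dur,
            "throughput_bps": f.in_bytes / dur if dur > 0 else 0.0,
        })
    return sorted(rows, key=lambda row: row["bytes"], reverse=True)


# Constructed sample: one 50 MB download that the exporter split into a 60 s
# and a 45 s record at its active timeout, plus the reverse (ACK) direction.
HEADER = ExportHeader(sys_uptime_ms=300_000, unix_secs=1_398_800_000)
SAMPLE_RECORDS = [
    FlowRecord("203.0.113.10", "192.168.50.20", 80, 51234, 6, 100_000, 160_000, 30_000_000, 21_000),
    FlowRecord("203.0.113.10", "192.168.50.20", 80, 51234, 6, 160_000, 205_000, 20_000_000, 14_000),
    FlowRecord("192.168.50.20", "203.0.113.10", 51234, 80, 6, 100_000, 205_000, 900_000, 18_000),
]

if __name__ == "__main__":
    for row in top_talkers(SAMPLE_RECORDS, HEADER):
        print(f"{row['key']}: {row['bytes']} B over {row['duration_s']:.0f} s "
              f"= {row['throughput_bps'] / 1024:.0f} KB/s, started {row['start_epoch']:.0f}")
    print(f"unsigned 32-bit, end before start: "
          f"{unsigned32_duration_years(1_398_799_800, 1_398_799_790):.1f} years")
```

Run stand-alone, the script lists the merged download as a single 50 MB flow lasting 105 s at roughly 465 KB/s, which is the figure a top-talkers view should show instead of one minute's slice; the last line prints the 136-year artefact that appears when a collector computes an unsigned 32-bit difference with the end timestamp ten seconds before the start.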
