Hi Dan,

On 08 May 2014, at 18:52, Daniel Dudkin <[email protected]> wrote:
> My timezone was set wrong. I changed that. Seems to have fixed the issue.
> Thanks.
>
> Still have the problem of not seeing top talkers for a particular host and no
> VLAN information.

Please use the code in SVN; that should address these concerns.

> Is there any way, using the demo version of nprobe, to utilize some of the
> layer 7 functionality of ntopng? Like the DNS queries or SIP stats or HTTP
> requests?

Definitively. On -T make sure you add the L7_PROTO field.

Cheers, Luca

> Also, does anyone have any advice on Cisco timeout settings or monitoring both
> ingress & egress on the WAN side in combination with ingress/egress of my VLAN
> interfaces? I know monitoring ingress is kind of a new thing in NetFlow?
>
> Dan
>
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Daniel Dudkin
> Sent: Thursday, May 08, 2014 12:41 PM
> To: [email protected]
> Subject: Re: [Ntop] NtopNG woes
>
> It is one and the same box in this case.
>
> Daniel
>
> From: [email protected]
> [mailto:[email protected]] On Behalf Of [email protected]
> Sent: Thursday, May 08, 2014 11:17 AM
> To: [email protected]
> Subject: Re: [Ntop] NtopNG woes
>
> Daniel,
>
> It is caused by a machine time issue: your nprobe machine is not in sync with
> the ntopng box, which makes the time duration calculation overflow....
> So the simplest way is to use your NTP server to correct it.
>
> br,
> kaiser
>
> On 2014/5/8 at 10:48 PM, Daniel Dudkin <[email protected]> wrote:
>
> > I did that and I'm back at the problem that caused me to add all those
> > options myself. See screenshot #1:
> >
> > <image001.jpg>
> >
> > And per my thread yesterday, I'm unable to identify with whom or what a host
> > was talking to when viewing their history. This makes it hard to yell at
> > people for consuming too much bandwidth.
> > <image002.jpg>
> >
> > Daniel Dudkin
> > IT Business/System Specialist // American Auto-Matrix
> > One Technology Lane // Export, PA 15632
> > www.aamatrix.com • [email protected]
> > Ph #: 724-733-0381
> >
> > -----Original Message-----
> > From: [email protected]
> > [mailto:[email protected]] On Behalf Of Luca Deri
> > Sent: Wednesday, April 30, 2014 1:03 PM
> > To: [email protected]
> > Subject: Re: [Ntop] NtopNG woes
> >
> > Daniel,
> > if you use nProbe in proxy mode, you do not need to pass all the options, as
> > the best nProbe can do is to convert your flows.
> >
> > In essence
> >
> > nprobe --zmq "tcp://*:5556" -i none -n none --collector-port 2055
> >
> > should be enough.
> >
> > Please provide screenshots that demonstrate the problem.
> >
> > Thanks, Luca
> >
> > On 29 Apr 2014, at 20:57, Daniel Dudkin <[email protected]> wrote:
> >
> > > Hi all,
> > >
> > > Per recommendations on the mailing list, I went ahead and took the jump to
> > > ntopng + nprobe (demo). I have a Cisco 891 producing NetFlows and sending
> > > them to my nprobe collector, which then feeds ntopng with ZMQ flows. It is
> > > exporting NetFlow v9.
> > >
> > > I'm also having a hard time identifying traffic and top talkers. I'm not
> > > finding it as easy as it was with ntop. I fire off test downloads and have
> > > a hard time identifying the result as a top talker (which it most def is).
> > >
> > > Nprobe start (tried to get every flag I could in there. %PROTOCOL_MAP
> > > was removed because ntopng didn't like it):
> > >
> > > nprobe --zmq "tcp://*:5556" -i none -n none -t 120 -d 15 -l 60 --tunnel
> > > --bi-directional -L
> > > 192.168.50.0/24,192.168.99.0/24,192.168.23.0/24,192.168.59.0/24,XX.XX.Y59.16/28
> > > -r --collector-port 2055 -V 9 -T '%IN_PKTS %IN_BYTES
> > > %SRC_TOS %IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %FIRST_SWITCHED
> > > %LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL %SRC_AS
> > > %DST_AS %IPV4_SRC_MASK %IPV4_DST_MASK %OUT_BYTES %INPUT_SNMP
> > > %OUTPUT_SNMP %OUT_PKTS %IN_SRC_MAC %OUT_DST_MAC %SRC_VLAN %DST_VLAN
> > > %DIRECTION %FLOW_ID %FLOW_START_SEC %FLOW_END_SEC %BIFLOW_DIRECTION
> > > %FRAME_LENGTH %DHCP_CLIENT_MAC %DHCP_CLIENT_IP %DHCP_CLIENT_NAME
> > > %HTTP_URL %MYSQL_USERNAME %MYSQL_DB %SMTP_MAIL_FROM %SMTP_RCPT_TO
> > > %RTP_IN_JITTER %RTP_OUT_JITTER %RTP_SIP_CALL_ID %POP_USER %SIP_CALL_ID
> > > %SIP_CALLING_PARTY %SIP_CALLED_PARTY %SIP_RTP_CODECS %FTP_LOGIN
> > > %FTP_PASSWORD %FLOWS %CLIENT_NW_DELAY_SEC %CLIENT_NW_DELAY_USEC
> > > %SERVER_NW_DELAY_SEC %SERVER_NW_DELAY_USEC %APPL_LATENCY_SEC
> > > %APPL_LATENCY_USEC %L7_PROTO %L7_PROTO_NAME' -b 2 --account-l2
> > > --vlanid-as-iface-idx
> > >
> > > Ntopng start:
> > >
> > > ntopng -i tcp://localhost:5556 -l -w 3000 -m
> > > 192.168.50.0/24,192.168.99.0/24,192.168.23.0/24,192.168.59.0/24,XX.XX.Y9.16/28
> > >
> > > When I fire off my test download, I expect the dashboard to show my
> > > hostname in the pretty flow table until the download stops. That is not the
> > > case.
> > >
> > > I have an easier time tracking it down in Active Flows, but the stats seem
> > > weird. For starters – VLAN tags aren't coming through. All report as 0.
> > >
> > > Second, throughput seems to be just flat out wrong. A few dozen bytes per
> > > second on a flow I'm downloading at 300-600 KB/sec? Doesn't seem right.
> > >
> > > Third, all of a sudden my Durations are listed as 136 years?!
> > >
> > > Fourth (and I just tried increasing the flow timeout to try and fix this), I'd
> > > like my 2GB file download to come up as a single flow. Sometimes, when
> > > testing this even on a 100MB file, the flow will disappear and reappear
> > > with a new total counter. If I add the two flows, they equal out to be the
> > > size of the file.
> > > Fifth, since nprobe is in demo mode and supports a max of 25,000 flows –
> > > how do I make ntopng/nprobe forget about the first flows and continue
> > > rolling the window? Sort of on a FIFO basis? My main task is being able to
> > > identify top talkers within the last few hours. Not deep historical
> > > analysis or packet inspection beyond identifying the traffic.
> > >
> > > Here are some relevant lines from my Cisco config:
> > >
> > > ip flow-capture fragment-offset
> > > ip flow-capture packet-length
> > > ip flow-capture ttl
> > > ip flow-capture vlan-id
> > > ip flow-capture icmp
> > > ip flow-capture ip-id
> > > ip flow-capture mac-addresses
> > > ip flow-export source Vlan50
> > > ip flow-export version 9
> > > ip flow-export template options timeout-rate 1
> > > ip flow-export template timeout-rate 1
> > > ip flow-export destination 192.168.50.150 2055
> > > ip flow-export destination 192.168.50.51 2055    <-- two ntop test boxes.
> > > ip flow-top-talkers
> > >  top 25
> > >  sort-by bytes
> > >
> > > ip flow-cache timeout inactive 45
> > > ip flow-cache timeout active 1
> > >
> > > My interfaces have "ip flow ingress" and "ip flow egress" on them
> > > (including vlan50).
> > >
> > > Daniel
> > >
> > > Confidential: This electronic message and all contents contained may be
> > > privileged, confidential or otherwise protected from disclosure. The
> > > information is intended to be for the addressee only. If you are not the
> > > addressee, any disclosure, copy, distribution or use of the contents of
> > > this message is prohibited. If you have received this electronic message in
> > > error, please notify me immediately by return email and destroy the
> > > original message and all copies.
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
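As an added worked example of the clock-skew failure kaiser describes (this is not code from the thread, from nProbe or from ntopng): a NetFlow v9 export packet carries the exporter's sysUptime and unix_secs in its header, and FIRST_SWITCHED/LAST_SWITCHED in each record as uptime-relative milliseconds, so a collector has to anchor those values to the header pair to get wall-clock start and end times. If the collector's own clock is behind the exporter's, "now minus flow start" goes negative; stored in an unsigned 32-bit field it becomes roughly 2^32 seconds, which is about 136 years, the figure Dan saw. The header bytes, the flow timestamps and the 5-hour collector offset below are all constructed for the demonstration, and the unsigned wrap is a model of the symptom, not a statement about ntopng internals. The duration taken from the record's own two timestamps is unaffected by the collector clock, which is the check worth keeping.

```python
"""
NetFlow v9 timing arithmetic and the unsigned wrap behind "136 year" durations.

Added example, not nprobe/ntopng code. The exporter header bytes, the flow
timestamps and the collector clock offset are all constructed.
"""
import struct
from datetime import datetime, timezone

UINT32 = 2 ** 32
SECONDS_PER_YEAR = 365.25 * 86400

# NetFlow v9 export header (RFC 3954), big-endian:
#   version(2) count(2) sysUptime ms(4) unix_secs(4) sequence(4) source_id(4)
EXPORTER_UNIX_SECS = 1399560720   # 2014-05-08 14:52:00 UTC (constructed)
EXPORTER_UPTIME_MS = 600_000      # exporter has been up for 10 minutes (constructed)
SAMPLE_HEADER = struct.pack("!HHIIII", 9, 1, EXPORTER_UPTIME_MS, EXPORTER_UNIX_SECS, 42, 0)

# Constructed FIRST_SWITCHED / LAST_SWITCHED values for one record: these are
# sysUptime-relative milliseconds on the exporter, not wall-clock times.
FIRST_SWITCHED_MS = 540_000   # flow started 60 s before the packet was exported
LAST_SWITCHED_MS = 598_000    # last packet seen 2 s before export


def parse_v9_header(data: bytes) -> dict:
    """Decode the 20-byte NetFlow v9 export header."""
    if len(data) < 20:
        raise ValueError("short NetFlow v9 header")
    version, count, uptime_ms, unix_secs, seq, source_id = struct.unpack("!HHIIII", data[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    return {"version": version, "count": count, "sys_uptime_ms": uptime_ms,
            "unix_secs": unix_secs, "sequence": seq, "source_id": source_id}


def switched_to_epoch(header: dict, switched_ms: int) -> float:
    """Convert a sysUptime-relative *_SWITCHED value to exporter epoch seconds.

    unix_secs and sysUptime in the header were sampled together at export time,
    so: epoch = unix_secs - (sysUptime - switched) / 1000.
    """
    return header["unix_secs"] - (header["sys_uptime_ms"] - switched_ms) / 1000.0


def flow_duration(first_ms: int, last_ms: int) -> float:
    """Duration from the record's own timestamps; independent of the collector clock."""
    return (last_ms - first_ms) / 1000.0


def naive_age_u32(flow_start_epoch: float, collector_now_epoch: float) -> int:
    """Model a collector that stores 'now - start' in an unsigned 32-bit field.

    A negative difference (start apparently in the future) wraps to ~2**32 seconds.
    """
    return int(collector_now_epoch - flow_start_epoch) % UINT32


def checked_age(flow_start_epoch: float, collector_now_epoch: float,
                max_skew_s: int = 300) -> float:
    """Same computation with a guard: reject starts more than max_skew_s in the future."""
    delta = collector_now_epoch - flow_start_epoch
    if delta < -max_skew_s:
        raise ValueError(
            f"flow start is {-delta:.0f}s in the future: exporter and collector clocks differ")
    return max(delta, 0.0)


def as_years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    hdr = parse_v9_header(SAMPLE_HEADER)
    start = switched_to_epoch(hdr, FIRST_SWITCHED_MS)
    end = switched_to_epoch(hdr, LAST_SWITCHED_MS)
    print("flow start :", datetime.fromtimestamp(start, timezone.utc))
    print("flow end   :", datetime.fromtimestamp(end, timezone.utc))
    print("duration   :", flow_duration(FIRST_SWITCHED_MS, LAST_SWITCHED_MS), "s")

    # Collector clock in sync with the exporter, sampled at export time
    print("age, synced clock :", naive_age_u32(start, EXPORTER_UNIX_SECS), "s")

    # Collector clock 5 h behind the exporter (constructed skew)
    skewed_now = EXPORTER_UNIX_SECS - 5 * 3600
    wrapped = naive_age_u32(start, skewed_now)
    print(f"age, skewed clock : {wrapped} s = {as_years(wrapped):.1f} years")
    try:
        checked_age(start, skewed_now)
    except ValueError as err:
        print("checked age       :", err)
```

Run it directly and the skewed case prints an age of about 136.1 years while the record's own duration stays at 58 s; the `checked_age` guard turns the same condition into an explicit "clocks differ" error, which is the signal to fix NTP on both boxes rather than to tune flow timeouts.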
