Hello,
Goal: Multiple Netflow senders sending to nprobe and ntopng on the same server. Ability to view traffic in each subnet, or view traffic from individual netflow sources.

I would like some assistance please. I have read the user guide (ntop & nprobe).
I have also read this thread
http://www.gossamer-threads.com/lists/ntop/misc/38960
and this excellent article
http://www.ntop.org/ntopng/creating-a-hierarchical-cluster-of-ntopng-instances/

This is what I have, and what I would like to achieve.

Remote Network A - 192.168.0.0/24
Netflow streams from Cisco ASA (192.168.0.254) sending to nprobe on 192.168.2.1:2055

Remote Network B - 192.168.1.0/24
Netflow streams from Cisco ASA (192.168.1.254) sending to nprobe on 192.168.2.1:2055

Local Network C - 192.168.2.0/24
Netflow streams from Cisco ASA (192.168.2.254) sending to nprobe on 192.168.2.1:2055

The server 192.168.2.1 runs both nprobe and ntopng

I would like to check on traffic in each subnet. So I want to check which nodes are doing what in each subnet.
I don't want all the traffic mixed together.

This is what I have tried.

Start ntopng using
-i=tcp://127.0.0.1:5556
-i=tcp://127.0.0.1:5557
-i=tcp://127.0.0.1:5558

I tried to start multiple nprobes to listen on port 2055. But I need to filter traffic, so I tried

nprobe -f src ip 192.168.0.254 --zmq tcp://*:5556 -i none -n none --collector-port 2055 -b 2
But you can't use BPF filtering as a collector...

if I use this
nprobe --zmq tcp://*:5556 -i eth1 -n none --collector-port 2055 -b 2
This shows all traffic in all the netflows... If I select the interface *5556 in ntopng it shows me all traffic....

I also tried this
nprobe --zmq tcp://*:5556 -i none -n none --collector-port 2055 -b 2
but this will *not* show any incoming netflows being decoded on port 2055. A tcpdump shows they are arriving.

So I decided to change the ports of each netflow stream to make it easier for nprobe.

Remote Network A - 192.168.0.0/24
Netflow streams from Cisco ASA (192.168.0.254) sending to nprobe on 192.168.2.1:2055

Remote Network B - 192.168.1.0/24
Netflow streams from Cisco ASA (192.168.1.254) sending to nprobe on 192.168.2.1:2056

Local Network C - 192.168.2.0/24
Netflow streams from Cisco ASA (192.168.2.254) sending to nprobe on 192.168.2.1:2057

But again if I do this
nprobe --zmq tcp://*:5556 -i eth1 -n none --collector-port 2055 -b 2
nprobe --zmq tcp://*:5557 -i eth1 -n none --collector-port 2056 -b 2
nprobe --zmq tcp://*:5558 -i eth1 -n none --collector-port 2057 -b 2

no matter which interface I select on the ntopng interface I see all traffic aggregated. I can't view the traffic from just one nprobe instance.
e.g. if I select the *5556 interface in ntopng, I should only see traffic in the 192.168.0.0 subnet, but I see all traffic.
e.g. if I select the *5557 interface in ntopng, I should only see traffic in the 192.168.1.0 subnet, but I see all traffic.
e.g. if I select the *5558 interface in ntopng, I should only see traffic in the 192.168.2.0 subnet, but I see all traffic.

I'm obviously doing something silly. Any assistance is greatly appreciated. I am about to purchase a pro license and an nprobe license; I just want to show management this works before proceeding.

Best Regards,
Warren
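The post's underlying requirement is that each nprobe instance (and therefore each ntopng ZMQ interface) only ever sees the flows of one exporter, which is why the BPF-style "src ip" filter was attempted. The script below is an added example, not code from the post or from the ntop project: a small UDP relay that sits in front of nprobe, identifies the exporter by the datagram's source address, and hands the unmodified datagram to a per-exporter local collector port (2055/2056/2057, matching the three nprobe command lines above). It assumes the ASAs can be pointed at one relay port (9995 here, an arbitrary choice) and that nprobe instances listen on 127.0.0.1. Datagrams from unknown exporters, or that do not carry a NetFlow v5/v9 or IPFIX header, are dropped and counted rather than mixed into another subnet's view, so an unexpected sender shows up in the relay statistics instead of silently polluting a dashboard.

```python
"""Per-exporter NetFlow demultiplexer (constructed example, not ntop code).

Listens on one UDP port, identifies the exporter by the datagram's source
address, and relays the unmodified datagram to a dedicated local collector
port so that each nprobe instance (and hence each ntopng ZMQ interface)
only sees one subnet's flows. Unknown exporters are dropped and counted.
"""
import socket
import struct
from collections import Counter
from typing import Optional, Tuple

# Assumed mapping: exporter address -> local port where its nprobe listens.
# The addresses and ports come from the post; the mapping itself is ours.
EXPORTER_TO_PORT = {
    "192.168.0.254": 2055,  # Remote Network A -> nprobe --collector-port 2055 --zmq tcp://*:5556
    "192.168.1.254": 2056,  # Remote Network B -> nprobe --collector-port 2056 --zmq tcp://*:5557
    "192.168.2.254": 2057,  # Local Network C  -> nprobe --collector-port 2057 --zmq tcp://*:5558
}

LISTEN_PORT = 9995          # assumed: the ASAs export to this port instead of 2055
FORWARD_HOST = "127.0.0.1"  # assumed: the nprobe collectors bind on loopback


def parse_header(datagram: bytes) -> Optional[Tuple[int, int, int]]:
    """Return (version, count_or_length, export_unix_secs) or None if not NetFlow/IPFIX.

    NetFlow v5 and v9 headers both begin: version(2) count(2) sysuptime(4) unix_secs(4).
    IPFIX (version 10) begins: version(2) length(2) export_time(4).
    """
    if len(datagram) < 8:
        return None
    version, second_field = struct.unpack("!HH", datagram[:4])
    if version in (5, 9):
        if len(datagram) < 12:
            return None
        _sysuptime, unix_secs = struct.unpack("!II", datagram[4:12])
        return version, second_field, unix_secs
    if version == 10:
        (export_time,) = struct.unpack("!I", datagram[4:8])
        return version, second_field, export_time
    return None


def route(exporter_ip: str, datagram: bytes) -> Optional[int]:
    """Pick the local collector port for a datagram, or None to drop it."""
    if parse_header(datagram) is None:
        return None                           # not a flow export header: drop
    return EXPORTER_TO_PORT.get(exporter_ip)  # unknown exporter: drop


def relay_forever(listen_port: int = LISTEN_PORT) -> None:
    """Blocking UDP relay loop; Ctrl-C prints per-exporter relayed/dropped counts."""
    stats: Counter = Counter()
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("0.0.0.0", listen_port))
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        while True:
            datagram, (src_ip, _src_port) = rx.recvfrom(65535)
            port = route(src_ip, datagram)
            if port is None:
                stats[f"dropped:{src_ip}"] += 1
                continue
            tx.sendto(datagram, (FORWARD_HOST, port))
            stats[f"relayed:{src_ip}->{port}"] += 1
    except KeyboardInterrupt:
        for key, value in sorted(stats.items()):
            print(key, value)


if __name__ == "__main__":
    relay_forever()
```

Because the relay forwards the datagram byte-for-byte, nprobe still sees the original exporter ID and sequence numbers inside the NetFlow header; only the UDP source becomes 127.0.0.1, which is why the per-port split (rather than a per-source-address filter inside nprobe) is what keeps the three views apart.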
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop