Hi Yuri,
thank you for your reply.
I have started 2 nprobes and reconfigured the ASAs...
ASA #1 to port 2055
nprobe --zmq tcp://*:5556 -i none -n none --collector-port 2055 --verbose 2
ASA #2 to port 2056
nprobe --zmq tcp://*:5557 -i none -n none --collector-port 2056 --verbose 2
I quickly checked that the NetFlow packets are arriving...
$ sudo tcpdump -n dst port 2055
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 8192 bytes
04:33:39.776112812 IP 192.168.0.254.18656 > 192.168.13.7.2055: UDP, length 1424
04:33:39.942931812 IP 192.168.0.254.18656 > 192.168.13.7.2055: UDP, length 1400
$ tcpdump -n dst port 2056
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 8192 bytes
04:33:49.856934812 IP 192.168.1.254.14780 > 192.168.13.7.2056: UDP, length 1456
04:33:50.716154812 IP 192.168.1.254.14780 > 192.168.13.7.2056: UDP, length 1452
But I do not see any verbose logging output of the NetFlow stream (maybe this does not happen?)
When I log in to the ntopng interface I see these messages...
No packet has been received yet on interface tcp://127.0.0.1:5556.
Please wait 6 seconds until this page reloads.
I change interface....
No packet has been received yet on interface tcp://127.0.0.1:5557.
Please wait 10 seconds until this page reloads.
I have confirmed the Cisco is exporting NetFlow v9. I have changed the nprobe startup to
nprobe --zmq tcp://*:5556 -i none -n none --collector-port 2055 --verbose 2 --flow-version 9
Still "No packet has been received yet on interface tcp://127.0.0.1:5557"
So I changed nprobe to use the IP address (not *)
nprobe --zmq tcp://192.168.2.1:5556 -i none -n none --collector-port 2055 --verbose 2
nprobe --zmq tcp://192.168.2.1:5557 -i none -n none --collector-port 2056 --verbose 2
and changed ntopng to start with
-i=tcp://192.168.2.1:5556
-i=tcp://192.168.2.1:5557
The message about No packets is *not* shown any more.
I waited 30 minutes... and All Hosts shows "No Results Found", Active Flows "No Results Found".
Any assistance is greatly appreciated.
Regards,
Warren
Warren,
what about using different collector ports and, of course, reconfiguring your ASAs to send the traffic to the right port.
Something like
ASA #1 to port 2055
nprobe --zmq tcp://*:5556 -i none -n none --collector-port 2055
ASA #2 to port 2056
nprobe --zmq tcp://*:5557 -i none -n none --collector-port 2056
ASA #3 to port 2057
nprobe --zmq tcp://*:5558 -i none -n none --collector-port 2057
and then ntopng as you did.
Regards, Yuri
###############################################
Yuri Francalacci - [email protected] - http://www.ntop.org
"Simplicity is the ultimate sophistication" - Leonardo da Vinci
###############################################
On 11 Aug 2015, at 13:18, Warren Daly (OPUS) <[email protected]> wrote:
Hello,
Goal: Multiple Netflow senders sending to Nprobe and Ntop on the same server. Ability to view traffic in each subnet, or view traffic from individual netflow sources.
I would like some assistance please. I have read the user guide (ntop & nprobe).
I have also read this thread
http://www.gossamer-threads.com/lists/ntop/misc/38960
and this excellent article
http://www.ntop.org/ntopng/creating-a-hierarchical-cluster-of-ntopng-instances/
This is what I have, and what I would like to achieve.
Remote Network A - 192.168.0.0/24
Netflow streams from Cisco ASA (192.168.0.254) sending to nprobe on 192.168.2.1:2055
Remote Network B - 192.168.1.0/24
Netflow streams from Cisco ASA (192.168.1.254) sending to nprobe on 192.168.2.1:2055
Local Network C - 192.168.2.0/24
Netflow streams from Cisco ASA (192.168.2.254) sending to nprobe on 192.168.2.1:2055
The server 192.168.2.1 runs both nprobe and ntopng
I would like to check on traffic in each subnet. So I want to check which nodes are doing what in each subnet.
I don't want all the traffic mixed together.
This is what I have tried.
Start ntopng using
-i=tcp://127.0.0.1:5556
-i=tcp://127.0.0.1:5557
-i=tcp://127.0.0.1:5558
I try to start multiple nprobes to listen on port 2055. But I need to filter traffic so I tried
nprobe -f src ip 192.168.0.254 --zmq tcp://*:5556 -i none -n none --collector-port 2055 -b 2
But you can't use BPF filtering as a collector...
if I use this
nprobe --zmq tcp://*:5556 -i eth1 -n none --collector-port 2055 -b 2
This shows all traffic in all the netflows... if I select the interface *5556 in ntop it shows me all traffic....
I also tried this
nprobe --zmq tcp://*:5556 -i none -n none --collector-port 2055 -b 2
but this will *not* show any incoming netflows being decoded on port 2055. A tcpdump shows they are arriving.
So I decided to change the ports of each netflow stream to make it easier for nprobe.
Remote Network A - 192.168.0.0/24
Netflow streams from Cisco ASA (192.168.0.254) sending to nprobe on 192.168.2.1:2055
Remote Network B - 192.168.1.0/24
Netflow streams from Cisco ASA (192.168.1.254) sending to nprobe on 192.168.2.1:2056
Local Network C - 192.168.2.0/24
Netflow streams from Cisco ASA (192.168.2.254) sending to nprobe on 192.168.2.1:2057
But again if I do this
nprobe --zmq tcp://*:5556 -i eth1 -n none --collector-port 2055 -b 2
nprobe --zmq tcp://*:5557 -i eth1 -n none --collector-port 2056 -b 2
nprobe --zmq tcp://*:5558 -i eth1 -n none --collector-port 2057 -b 2
no matter which interface I select on the ntopng interface I see all traffic aggregated. I can't view the traffic from just one nprobe instance.
e.g. if I select the *5556 interface in ntopng, I should only see traffic in the 192.168.0.0 subnet, but I see all traffic.
e.g. if I select the *5557 interface in ntopng, I should only see traffic in the 192.168.1.0 subnet, but I see all traffic.
e.g. if I select the *5558 interface in ntopng, I should only see traffic in the 192.168.2.0 subnet, but I see all traffic.
I'm obviously doing something silly. Any assistance is greatly appreciated. I am about to purchase a pro license and an nprobe license, I just want to show management this works before proceeding.
Best Regards,
Warren
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
--
Warren Daly
Chief Technical Officer
+855 (0) 89 288 107 Skype: warrendaly
OPUS
+855 (0) 23 987 014
www.opus.com.kh
Suite 3FN1 - VTrust Office Centre
Parkway Square | Phnom Penh, Cambodia
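The thread's setup relies on one collector UDP port per Cisco ASA (2055 for 192.168.0.254, 2056 for 192.168.1.254, and, following Yuri's suggestion, 2057 for 192.168.2.254), with each nprobe expected to receive NetFlow v9 only from its own exporter. Before blaming nprobe or ntopng for an empty "Active Flows" view, it helps to confirm from a capture that every port sees only its intended exporter, that the packets really are version 9, and that the per-exporter sequence counter has no gaps. The following is an added example in Python, not code from the thread or from the ntop project; the port-to-ASA mapping is taken from the thread, the 2057 entry is the hypothetical third ASA, and the datagrams it checks are constructed inline rather than captured.

```python
"""Check that each nprobe collector port receives NetFlow v9 only from its own ASA.

Added example for the mailing-list thread above; the exporter mapping follows the
one-port-per-ASA layout discussed there (2057 is the hypothetical third ASA).
"""
import struct
from dataclasses import dataclass

# Which Cisco ASA is expected on each nprobe --collector-port.
EXPECTED_EXPORTERS = {
    2055: "192.168.0.254",
    2056: "192.168.1.254",
    2057: "192.168.2.254",
}

# NetFlow v9 packet header (RFC 3954 section 5.1): six big-endian fields, 20 bytes.
V9_HEADER = struct.Struct("!HHIIII")


@dataclass
class V9Header:
    count: int        # number of FlowSet records in this packet
    sys_uptime: int   # milliseconds since exporter boot
    unix_secs: int    # export time (seconds since the epoch)
    sequence: int     # per-exporter cumulative export packet counter
    source_id: int    # observation domain id on the exporter


def parse_v9_header(payload: bytes) -> V9Header:
    """Parse the 20-byte NetFlow v9 header and reject any other export version."""
    if len(payload) < V9_HEADER.size:
        raise ValueError(f"truncated datagram ({len(payload)} bytes)")
    version, count, uptime, secs, seq, src_id = V9_HEADER.unpack_from(payload)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version field = {version})")
    return V9Header(count, uptime, secs, seq, src_id)


def build_v9_packet(sequence: int, source_id: int = 1, count: int = 1,
                    version: int = 9) -> bytes:
    """Construct a header-only export packet for the demo (no real FlowSets)."""
    return V9_HEADER.pack(version, count, 1000 * sequence,
                          1439300000 + sequence, sequence, source_id)


def check_datagrams(datagrams):
    """Validate (src_ip, dst_port, payload) tuples against EXPECTED_EXPORTERS.

    Returns a list of human-readable findings; an empty list means every
    collector port saw only its own exporter, v9 only, with no sequence gaps.
    """
    findings = []
    last_seq = {}  # (exporter ip, source_id) -> last sequence number seen
    for src_ip, dst_port, payload in datagrams:
        expected = EXPECTED_EXPORTERS.get(dst_port)
        if expected is None:
            findings.append(f"port {dst_port}: no collector configured for "
                            f"datagram from {src_ip}")
            continue
        if src_ip != expected:
            findings.append(f"port {dst_port}: exporter {src_ip} but expected {expected}")
            continue
        try:
            hdr = parse_v9_header(payload)
        except ValueError as exc:
            findings.append(f"port {dst_port}: {exc}")
            continue
        key = (src_ip, hdr.source_id)
        prev = last_seq.get(key)
        if prev is not None and hdr.sequence != prev + 1:
            findings.append(f"port {dst_port}: sequence gap from {src_ip}"
                            f"/source_id {hdr.source_id}: {prev} -> {hdr.sequence}")
        last_seq[key] = hdr.sequence
    return findings


# Constructed sample of what a capture on the collector host might yield.
SAMPLE_DATAGRAMS = [
    ("192.168.0.254", 2055, build_v9_packet(10)),
    ("192.168.0.254", 2055, build_v9_packet(11)),
    ("192.168.1.254", 2056, build_v9_packet(500)),
    ("192.168.1.254", 2056, build_v9_packet(503)),           # two packets lost
    ("192.168.1.254", 2055, build_v9_packet(504)),           # ASA B sending to A's port
    ("192.168.2.254", 2057, build_v9_packet(7, version=5)),  # wrong export version
]

if __name__ == "__main__":
    for line in check_datagrams(SAMPLE_DATAGRAMS) or ["all collector ports OK"]:
        print(line)
```

On a live host the tuples would come from a capture of `udp and dst port 2055-2057` on the collector interface; an exporter showing up on the wrong port, or a version field other than 9, is exactly the kind of mismatch that leaves an nprobe instance silent while tcpdump still shows packets arriving.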