Also, do I need a separate tool for pcap to netflow conversion, or do the switches described in the cmd above automatically do the conversion for you?

regards
asad

On 8/25/15, asad <[email protected]> wrote:
> Right now, I just want to see how netflow packets are received by
> ntopng. I think I would need collector mode once I'm in a prod
> environment? Thanks
>
> On 8/25/15, asad <[email protected]> wrote:
>> Thanks Yuri, that was a bad mistake. I mixed two options.
>>
>> With this cmd "nprobe /c --zmq "tcp://*:5556" -i smallFlows.pcap" I got
>> it working and the output is different this time.
>>
>> "Flow export stats: [9007321 bytes/14243 pkts][1209 flows/41 pkts sent]
>> Flow drop stats: [0 bytes/0 pkts][0 flows]
>> Total flow stats: [9007321 bytes/14243 pkts][1209 flows/41 pkts sent]"
>>
>> Locating it on the GUI is the problem. Is it a pcap file problem, or where
>> are the exported packets logged?
>> thanks
>>
>> On 8/25/15, Yuri Francalacci <[email protected]> wrote:
>>> Do you need collector mode in nprobe? If not, you have to remove all the
>>> -3 option (that you have specified with the wrong syntax - check nprobe
>>> --help)
>>> Yuri
>>> ###############################################
>>> Yuri Francalacci - [email protected] - http://www.ntop.org
>>> "Simplicity is the ultimate sophistication" - Leonardo da Vinci
>>> ###############################################
>>>
>>>> On 25 Aug 2015, at 12:47, asad <[email protected]> wrote:
>>>>
>>>> Thanks a lot Yuri.
>>>>
>>>> I changed to "nprobe /c --zmq "tcp://*:5556" -i smallFlows.pcap -n
>>>> none -3 port 2055".
>>>>
>>>> But the output is the same
>>>>
>>>> "
>>>> 25/Aug/2015 15:46:03 [nprobe.c:2402] Processed packets: 14261 (max bucket search: 1)
>>>> 25/Aug/2015 15:46:03 [nprobe.c:2385] Fragment queue length: 0
>>>> 25/Aug/2015 15:46:03 [nprobe.c:2411] Flow export stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
>>>> 25/Aug/2015 15:46:03 [nprobe.c:2421] Flow drop stats: [0 bytes/0 pkts][0 flows]
>>>> 25/Aug/2015 15:46:03 [nprobe.c:2426] Total flow stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
>>>>
>>>> "
>>>> regards
>>>>
>>>> On 8/25/15, Yuri Francalacci <[email protected]> wrote:
>>>>> To use ntopng as a graphical frontend for nprobe, the way you started
>>>>> ntopng is almost fine.
>>>>> For nprobe it is enough
>>>>>> nprobe /c --zmq "tcp://*:5556" -n none
>>>>> then you have to decide what you would like to use to "feed" nprobe
>>>>> - using a pcap file, you need to add -i <pcap file> and remove all the
>>>>> other stuff
>>>>> - using nprobe in collector mode, you have to add -i none and -3 <port>
>>>>> and send Netflow (not raw packets) data to that port
>>>>>
>>>>> Yuri
>>>>>
>>>>>> On 25 Aug 2015, at 11:59, asad <[email protected]> wrote:
>>>>>>
>>>>>> To update,
>>>>>>
>>>>>> "ntopng /c -i tcp://127.0.0.1:5556"
>>>>>>
>>>>>> and
>>>>>>
>>>>>> "nprobe /c --zmq "tcp://*:5556" -u 5 -i none zeus-sample-3.pcap -n
>>>>>> none -nf --collector-port 2055:5 -V9 -b 2"
>>>>>>
>>>>>> both are running but the output is
>>>>>>
>>>>>> "25/Aug/2015 14:59:54 [nprobe.c:4659] Pending buckets have been exported...
>>>>>> 25/Aug/2015 14:59:56 [engine.c:3293] Export thread terminated [exportQueue=0]
>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:4725] Flushing queued flows...
>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:4728] Freeing memory...
>>>>>> 25/Aug/2015 14:59:56 [plugin.c:277] Terminating plugins.
>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:4820] Still allocated 0 hash buckets
>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:2402] Processed packets: 1105 (max bucket search: 0)
>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:2385] Fragment queue length: 0
>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:2411] Flow export stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:2418] Flow collection: [collected pkts: 0][processed flows: 0]
>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:2421] Flow drop stats: [0 bytes/0 pkts][0 flows]
>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:2426] Total flow stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:4833] Cleaning globals
>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:4853] nProbe terminated."
>>>>>>
>>>>>> What am I doing wrong?
>>>>>>
>>>>>> regards
>>>>>> asad
>>>>>>
>>>>>> On 8/25/15, asad <[email protected]> wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I'm running "ntopng" on Windows and want to point netflow data
>>>>>>> directly. I see on the "netstat" command that port 2055 is put in
>>>>>>> established status.
>>>>>>>
>>>>>>> Nprobe is also installed. I want to use nprobe to send pcap files to
>>>>>>> port 2055 for parsing. I see that nprobe changes/re-writes the header
>>>>>>> info when sending netflow data. Is there any way to avoid it?
>>>>>>>
>>>>>>> Also, if I want to use nprobe as a proxy collector, do the cmds work
>>>>>>> in Windows as well? I tried and it gives an error
>>>>>>>
>>>>>>> "
>>>>>>> nprobe --zmq "tcp://*:5556" -i .....
>>>>>>> ntopng -i "tcp://127.0.0.1:5556"
>>>>>>> "
>>>>>>>
>>>>>>> Thanks.
>>>>>>> regards
>>>>>>> asad
>>>>>>>
>>>>>> _______________________________________________
>>>>>> Ntop mailing list
>>>>>> [email protected]
>>>>>> http://listgateway.unipi.it/mailman/listinfo/ntop
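The counters nprobe prints at shutdown, quoted several times in this thread, are the quickest way to tell whether a run actually exported anything before going looking for the flows in the ntopng GUI. This is an added example, not code from the thread or from the ntop project: it parses those statistics lines and returns a one-line verdict, with the sample inputs copied from the outputs quoted above.

```python
import re
from typing import Dict

# Patterns for the end-of-run statistics lines nprobe prints (as quoted in the thread).
_PATTERNS = {
    "processed": re.compile(r"Processed packets: (\d+)"),
    "export": re.compile(r"Flow export stats: \[(\d+) bytes/(\d+) pkts\]\[(\d+) flows/(\d+) pkts sent\]"),
    "drop": re.compile(r"Flow drop stats: \[(\d+) bytes/(\d+) pkts\]\[(\d+) flows\]"),
    "collection": re.compile(r"Flow collection: \[collected pkts: (\d+)\]\[processed flows: (\d+)\]"),
}

# Sample inputs copied from the thread: the failing -3 run and the working pcap run.
BROKEN_RUN = """25/Aug/2015 15:46:03 [nprobe.c:2402] Processed packets: 14261 (max bucket search: 1)
25/Aug/2015 15:46:03 [nprobe.c:2385] Fragment queue length: 0
25/Aug/2015 15:46:03 [nprobe.c:2411] Flow export stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
25/Aug/2015 15:46:03 [nprobe.c:2421] Flow drop stats: [0 bytes/0 pkts][0 flows]
25/Aug/2015 15:46:03 [nprobe.c:2426] Total flow stats: [0 bytes/0 pkts][0 flows/0 pkts sent]"""
GOOD_RUN = """Flow export stats: [9007321 bytes/14243 pkts][1209 flows/41 pkts sent]
Flow drop stats: [0 bytes/0 pkts][0 flows]
Total flow stats: [9007321 bytes/14243 pkts][1209 flows/41 pkts sent]"""


def parse_nprobe_stats(log: str) -> Dict[str, int]:
    """Pull the counters out of nprobe's shutdown summary; lines that are absent stay absent."""
    stats: Dict[str, int] = {}
    for line in log.splitlines():
        if m := _PATTERNS["processed"].search(line):
            stats["processed_pkts"] = int(m.group(1))
        elif m := _PATTERNS["export"].search(line):  # "Total flow stats" deliberately not matched
            stats["export_bytes"], stats["export_pkts"], stats["export_flows"], stats["pkts_sent"] = map(int, m.groups())
        elif m := _PATTERNS["drop"].search(line):
            stats["drop_bytes"], stats["drop_pkts"], stats["drop_flows"] = map(int, m.groups())
        elif m := _PATTERNS["collection"].search(line):  # only printed when -3 (collector mode) is active
            stats["collected_pkts"], stats["collected_flows"] = map(int, m.groups())
    return stats


def diagnose(stats: Dict[str, int]) -> str:
    """Turn the counters into the check a reader of this thread wants: did flows leave nprobe?"""
    if "export_flows" not in stats:
        return "incomplete: no 'Flow export stats' line found"
    if stats.get("processed_pkts") == 0 and stats.get("collected_pkts", 0) == 0:
        return "no input: nothing was read from the pcap or the collector port, check -i"
    if stats["export_flows"] == 0:
        return "no export: packets were read but no flows left nprobe, check for conflicting options (e.g. -i none or -3 together with a pcap)"
    if stats.get("drop_flows", 0) > 0:
        return f"partial: {stats['export_flows']} flows exported, {stats['drop_flows']} dropped"
    return f"ok: {stats['export_flows']} flows exported in {stats['pkts_sent']} packets"
```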
