Ok, so my first run generated nothing, but that’s with the log level at the default of “normal”.
Cranking up the log level to debug, I see a few bits that are interesting (stripping out all the logs that a function got called):

03/Mar/2017 10:16:17 [HTTPserver.cpp:620] [HTTP] /lua/hosts_stats.lua [/usr/share/ntopng/scripts/lua/hosts_stats.lua]
03/Mar/2017 10:16:17 [Utils.cpp:1829] Rule 0.0.0.0/0
03/Mar/2017 10:16:17 [Utils.cpp:1829] Rule ::/0
03/Mar/2017 10:16:17 [Lua.cpp:112] NULL interface: did you restart ntopng in the meantime?
03/Mar/2017 10:16:17 [Lua.cpp:143] [HTTP] Serving file /usr/share/ntopng/httpdocs/inc/header.inc
03/Mar/2017 10:16:17 [Ntop.cpp:804] No allowed interface found for tcp://127.0.0.1:5556
03/Mar/2017 10:16:17 [Lua.cpp:232] Returning name tcp://127.0.0.1:5556
03/Mar/2017 10:16:17 [Ntop.cpp:804] No allowed interface found for tcp://127.0.0.1:5556
03/Mar/2017 10:16:17 [Ntop.cpp:804] No allowed interface found for tcp://127.0.0.1:5556
03/Mar/2017 10:16:17 [Ntop.cpp:804] No allowed interface found for tcp://127.0.0.1:5556
03/Mar/2017 10:16:17 [Lua.cpp:232] Returning name tcp://127.0.0.1:5556
03/Mar/2017 10:16:17 [Ntop.cpp:804] No allowed interface found for tcp://127.0.0.1:5556
03/Mar/2017 10:16:17 [Ntop.cpp:804] No allowed interface found for tcp://127.0.0.1:5556
03/Mar/2017 10:16:17 [Lua.cpp:143] [HTTP] Serving file /usr/share/ntopng/httpdocs/inc/hosts_stats_id.inc
03/Mar/2017 10:16:17 [Lua.cpp:143] [HTTP] Serving file /usr/share/ntopng/httpdocs/inc/hosts_stats_top.inc
03/Mar/2017 10:16:17 [Lua.cpp:143] [HTTP] Serving file /usr/share/ntopng/httpdocs/inc/hosts_stats_bottom.inc

Not sure if the “null interface” and “no allowed interface” bits are the issue. My browser-inspect isn’t showing any obvious errors.

From: [email protected] [mailto:[email protected]] On Behalf Of Simone Mainardi
Sent: Friday, March 03, 2017 8:55 AM
To: [email protected]
Cc: [email protected]
Subject: Re: [Ntop] ntopng+nprobe+cisco asa netflow - no hosts..

Hi,

On Fri, Mar 3, 2017 at 1:48 PM, Matt Kettler <[email protected]> wrote:

I don't think it is time. Both have more-or-less the same offset relative to one particular local NTP server and are both in the same timezone. The offsets suggest a less than 0.3 millisecond time difference.

Also, wouldn't the same time problem apply to flows, which time out after 1 minute? And wouldn't that also cause the "hosts" counter to read "0 hosts" rather than "584 hosts"?

No. The bottom-right counter shows the number of hosts in cache, while the Hosts page gives only the currently active hosts. So it can be that the bottom counter is greater than the current number of active hosts.

If I go into a flow, and click on a client IP, I can see the first/last seen line suggests the host was seen very recently:

03/03/2017 07:22:46 [17 min, 56 sec ago]
03/03/2017 07:39:46 [44 sec ago]

It is also identifying the host as being local and belonging in one of the host pools I created. It's a shame it doesn't show up in the all hosts page.

Regardless, I jacked up the local host timeout to 1 hour, which is as high as it will go.

I am not using "delay flow-create" at all on my asa, and my template timeout is set to 15 minutes (which I think I may drop to 1-2 minutes soon). The above "last seen" of 44 seconds suggests they're being exported often.

Please, start ntopng in foreground and inspect the console for any error that may occur when visiting the hosts page. Also use your browser to search for any possible JS errors (right-click and inspect element before visiting the empty hosts page).

________________________________
From: [email protected] on behalf of Simone Mainardi <[email protected]>
Sent: Friday, March 3, 2017 5:45 AM
To: [email protected]
Cc: [email protected]
Subject: Re: [Ntop] ntopng+nprobe+cisco asa netflow - no hosts..

Hi,

Is the clock of the ASA set properly? How often are flows exported? My guess is that timestamps of received flows are not in sync with the ntopng clock and thus hosts are considered idle and not shown in the web UI. You may also want to increase idle timeouts from the ntopng preferences web page.

Regards,
Simone

On Wed, Mar 1, 2017 at 6:46 PM, Matt Kettler <[email protected]> wrote:

I'm currently testing out a demo copy of nprobe/ntopng, on an Ubuntu LTS 16.04 to evaluate if it is worth purchasing.

This seems to work partially, I can see flows, protocol breakdowns etc. However, the population of hosts doesn’t seem to be working so well. I generally see that there are hosts in the status block in the lower right, but when I go to "hosts" from the top menu, there are no hosts found. Flows on the other hand populate correctly, and I can even click on a host IP in there and get a summary of the host.

I've tried tinkering with various things, like changing the idle timeouts, and adding local hosts as sticky, but that doesn't seem to help. At one point I got some local hosts to populate, and they stayed for a while as I was using sticky locals, but I realized no remotes were ever being added, so I tried restarting it with sticky-hosts=none, and now nothing is populated.

I've also tried updating a few times, currently I am running:

ntopng --version
v.2.5.170301 [Enterprise/Professional Edition]

and was running:

v.2.5.170228 [Enterprise/Professional Edition]

and prior to that I was running whatever was current on the apt repo last Friday.

Have I misconfigured something? Failing to understand a limit of the demo versions?

I'm using this sending netflows from a Cisco ASA to nprobe, which then zmq's them to ntopng, so these are my conf files: (minor censoring of bits with xxx's)

nprobe:

--collector=none
--interface=none
--zmq="tcp://*:5556"
--collector-port=2055
--lifetime-timeout=180
--idle-timeout=60
-g=/var/run/nprobe-none.pid
--vlanid-as-iface-idx=none
--as-list=/usr/share/ntopng/httpdocs/geoip/GeoIPASNum.dat
--daemon-mode
--dump-stats=/var/log/nprobe/none-0_flows_stats.txt
--city-list=/usr/share/ntopng/httpdocs/geoip/GeoLiteCity.dat
-V=5

ntopng:

-G=/var/run/ntopng.pid
--interface="tcp://127.0.0.1:5556"
--local-networks="192.168.0.0/16,10.0.0.0/8,xx.xx.xx.xx/xx"
--daemon
--http-port=3000
--sticky-hosts=none
--dump-hosts=none
-F "mysql;xxxx;ntopng;flows;xxxxx;xxxxx"

*This e-mail is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you have received this e-mail in error, please notify the sender immediately, delete the e-mail from your computer and do not copy or disclose it to anyone else.*

*THE INFORMATION IN THIS EMAIL AND ANY ATTACHMENTS CONSTITUTE THE PROPRIETARY INFORMATION OF FOURTH DIMENSION ENGINEERING, LLC.* Any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. Fourth Dimension is not responsible for any damages caused by your unauthorized use of the materials in this e-mail.

_______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
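
An added example, not part of the original thread or of ntopng: a small Python triage script for debug output in the format quoted at the top of the thread. It groups messages by source location so repeated warnings stand out. The `ROUTINE` prefixes and the function names are assumptions made for this example, and the sample is a constructed subset of the quoted lines.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a subset of the debug lines quoted in the thread.
SAMPLE = """\
03/Mar/2017 10:16:17 [HTTPserver.cpp:620] [HTTP] /lua/hosts_stats.lua [/usr/share/ntopng/scripts/lua/hosts_stats.lua]
03/Mar/2017 10:16:17 [Utils.cpp:1829] Rule 0.0.0.0/0
03/Mar/2017 10:16:17 [Lua.cpp:112] NULL interface: did you restart ntopng in the meantime?
03/Mar/2017 10:16:17 [Lua.cpp:143] [HTTP] Serving file /usr/share/ntopng/httpdocs/inc/header.inc
03/Mar/2017 10:16:17 [Ntop.cpp:804] No allowed interface found for tcp://127.0.0.1:5556
03/Mar/2017 10:16:17 [Lua.cpp:232] Returning name tcp://127.0.0.1:5556
03/Mar/2017 10:16:17 [Ntop.cpp:804] No allowed interface found for tcp://127.0.0.1:5556
03/Mar/2017 10:16:17 [Ntop.cpp:804] No allowed interface found for tcp://127.0.0.1:5556
"""

# "DD/Mon/YYYY HH:MM:SS [File.cpp:line] message", as seen in the quoted output.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/[A-Z][a-z]{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<src>[\w.]+):(?P<line>\d+)\] (?P<msg>.*)$"
)
# Assumption: message prefixes treated as routine request tracing, not warnings.
ROUTINE = ("[HTTP] ", "Rule ", "Returning name ")


def parse(text):
    """Yield (timestamp, source, line, message); skip lines that do not match."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S")
            yield ts, m["src"], int(m["line"]), m["msg"]


def summarize(text):
    """Count non-routine messages per (source:line, message), most frequent first."""
    counts = Counter()
    for _ts, src, line, msg in parse(text):
        if not msg.startswith(ROUTINE):
            counts[(f"{src}:{line}", msg)] += 1
    return counts.most_common()


if __name__ == "__main__":
    for (where, msg), n in summarize(SAMPLE):
        print(f"{n:3d}  {where:<14} {msg}")
```
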
