Gerhard,

> On 1 Jun 2018, at 20:19, Gerhard Mourani <[email protected]> wrote:
>
> Hello Simone,
>
> > Please, generate a pcap of what nprobe is getting on port 6343 and upload
> > it somewhere for our inspection.
> I've the cap file, where do you want me to upload it?

Wherever you like. Just send me the download link once uploaded.

Simone

> > Note that typically port 6343 (the one you're using with nprobe) is used by
> > sFlow exporters. So maybe there's some other exporter and you are
> > collecting its traffic rather than the one of meraki?
> No, it's me that has configured the Meraki to send to this port number.
>
> Gerhard,
>
>
>> On May 24, 2018, at 6:07 AM, Simone Mainardi <[email protected]> wrote:
>>
>> Gerhard,
>>
>>> On 22 May 2018, at 14:32, Gerhard Mourani <[email protected]> wrote:
>>>
>>> Simone,
>>>
>>> There is not so much configuration available on the Meraki device to set up
>>> Netflow. Only enable it, define IP of the collector and port
>>> (https://documentation.meraki.com/MX-Z/Monitoring_and_Reporting/NetFlow_Overview).
>>
>> Please, generate a pcap of what nprobe is getting on port 6343 and upload it
>> somewhere for our inspection. The command is the following (let it run for a
>> minute):
>>
>>     tcpdump -i any port 6343 -s 0 -w port6343.pcap
>>
>>>
>>> According to the Cisco documentation, Meraki uses Netflow v9 but ntopng
>>> reports that sFlow is received and returned to the Meraki device!
>>
>> Note that typically port 6343 (the one you're using with nprobe) is used by
>> sFlow exporters. So maybe there's some other exporter and you are collecting
>> its traffic rather than the one of meraki?
>>
>>> Also, if I'm correct here, nProbe uses Netflow to send to ntopng, so how can
>>> Netflow v9 to Netflow collector (nProbe) to ntopng become sFlow?
>>>
>>> Gerhard,
>>>
>>>
>>>> On May 20, 2018, at 3:59 AM, Simone Mainardi <[email protected]> wrote:
>>>>
>>>> Gerhard,
>>>>
>>>> So that looks more like a Meraki configuration issue. It seems that the
>>>> Meraki is doing sFlow on its own generated sFlow traffic. Basically it
>>>> sends sFlow packets, then the sFlow process samples sFlow packets and, in
>>>> turn, it triggers the generation of additional sFlow packets and so on.
>>>> This 'amplification' also explains why you are seeing a huge amount of 100%
>>>> sent sFlow traffic. Please check that config.
>>>>
>>>> Simone
>>>>
>>>>> On 17 May 2018, at 15:10, Gerhard Mourani <[email protected]> wrote:
>>>>>
>>>>> Yes
>>>>>
>>>>>> On May 17, 2018, at 9:03 AM, Simone Mainardi <[email protected]> wrote:
>>>>>>
>>>>>>>
>>>>>>> On 17 May 2018, at 14:30, Gerhard Mourani <[email protected]> wrote:
>>>>>>>
>>>>>>> Hi Simone,
>>>>>>>
>>>>>>> Here is the ntopng and nProbe configuration used.
>>>>>>>
>>>>>>> Ntopng:
>>>>>>> --interface eth0
>>>>>>> --interface tcp://127.0.0.1:5556
>>>>>>> --local-networks 172.22.9.0/24,192.168.0.0/16,172.22.0.0/16,10.0.0.0/8
>>>>>>> --daemon
>>>>>>> --user ntopng
>>>>>>> --pid /var/run/ntopng/ntopng.pid
>>>>>>> --http-port 0
>>>>>>> --https-port :3001
>>>>>>> --data-dir /var/lib/nst/ntopng
>>>>>>> --dns-mode 1
>>>>>>> --disable-autologout
>>>>>>> --disable-login 0
>>>>>>> --sticky-hosts none
>>>>>>> --http-prefix /ntopng
>>>>>>> --ndpi-protocols /etc/ntopng/protos.txt
>>>>>>>
>>>>>>> nProbe:
>>>>>>> /usr/local/bin/nprobe -i none -n none --zmq tcp://*:5556
>>>>>>> -b 2 -3 6343 --online-license-check
>>>>>>> --as-list=/usr/share/ntopng/httpdocs/geoip/GeoIPASNum.dat
>>>>>>> --city-list=/usr/share/ntopng/httpdocs/geoip/GeoLiteCity.dat -G
>>>>>>> --pid-file /var/run/nprobe/nprobe.pid -V 9 --disable-cache
>>>>>>> --zmq-disable-buffering
>>>>>>>
>>>>>>> I don't know if I can attach pictures to this message to explain what I
>>>>>>> mean by saying that my collector ntopng returns sflow to the remote
>>>>>>> Meraki device.
>>>>>>>
>>>>>>> Traffic from my collector IP is almost 100% sent and when I check the
>>>>>>> Protocol detail, it shows that it's sFlow (Sent 100%) to my remote
>>>>>>> Meraki device under the Peers tab!
>>>>>>
>>>>>> Are you sure you have selected interface tcp://127.0.0.1:5556
>>>>>> from the ntopng interfaces dropdown menu?
>>>>>>
>>>>>>>
>>>>>>> Gerhard,
>>>>>>>
>>>>>>>
>>>>>>>> On May 17, 2018, at 3:53 AM, Simone Mainardi <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Gerhard,
>>>>>>>>
>>>>>>>> Can you enclose nProbe and ntopng configurations used as well as an
>>>>>>>> example of what you mean with 'my collector return the flow to the
>>>>>>>> Meraki device'?
>>>>>>>>
>>>>>>>> Thank you
>>>>>>>>
>>>>>>>>> On 16 May 2018, at 19:59, Gerhard Mourani <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I've activated Netflow v9 on Cisco Meraki and receive flow on nProbe
>>>>>>>>> (v 8.2.171206-5975) correctly. The problem is that my collector
>>>>>>>>> (ntopng v 3.2) returns the flow to the Meraki device and I don't
>>>>>>>>> understand why? This generates a lot of data, in our case ~1TB per hour
>>>>>>>>> for sflow!
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> _______________________________________________
>>>>>>>>> Ntop mailing list
>>>>>>>>> [email protected]
>>>>>>>>> http://listgateway.unipi.it/mailman/listinfo/ntop
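
Added example, not part of the original thread or of ntop's code: the open question above is whether the datagrams arriving on port 6343 are NetFlow v9 or sFlow, and the first header bytes settle it, since sFlow v5 opens with a 32-bit version 5 followed by an agent address type while NetFlow and IPFIX open with a 16-bit version. The function names and the sample capture are constructed for illustration; the reader assumes a classic pcap file with unfragmented IPv4.

```python
import struct
from collections import Counter

LINK_HDR = {1: 14, 113: 16, 276: 20}  # Ethernet, Linux SLL, Linux SLL2 header lengths

def classify_export(payload: bytes) -> str:
    """Name the flow-export protocol of one UDP payload from its first bytes."""
    if len(payload) < 8:
        return "too-short"
    # sFlow v5 opens with a 32-bit version (5), then a 32-bit agent address type.
    version32, addr_type = struct.unpack_from("!II", payload)
    if version32 == 5 and addr_type in (1, 2):  # 1 = IPv4 agent, 2 = IPv6 agent
        return "sflow-v5"
    (version16,) = struct.unpack_from("!H", payload)  # NetFlow/IPFIX: 16-bit version
    return {5: "netflow-v5", 9: "netflow-v9", 10: "ipfix"}.get(version16, "unknown")

def udp_payloads(pcap: bytes, port: int = 6343):
    """Yield UDP payloads sent to `port` (classic pcap, IPv4, unfragmented)."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic microsecond pcap file")
    skip = LINK_HDR[struct.unpack_from(order + "I", pcap, 20)[0]]
    off = 24  # first record follows the 24-byte global header
    while off + 16 <= len(pcap):
        (incl_len,) = struct.unpack_from(order + "I", pcap, off + 8)
        ip = pcap[off + 16 + skip : off + 16 + incl_len]
        off += 16 + incl_len
        if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 17:  # keep IPv4 + UDP only
            continue
        udp = ip[(ip[0] & 0x0F) * 4:]
        if len(udp) >= 8 and struct.unpack_from("!H", udp, 2)[0] == port:
            yield udp[8:]

def exporters(pcap: bytes, port: int = 6343) -> Counter:
    """Count datagrams per export protocol seen on the collector port."""
    return Counter(classify_export(p) for p in udp_payloads(pcap, port))

def constructed_pcap() -> bytes:
    """Constructed sample: one NetFlow v9 and two sFlow v5 datagrams (SLL capture)."""
    v9 = struct.pack("!HHIIII", 9, 0, 1000, 1527000000, 1, 0)
    sflow = struct.pack("!II4sIIII", 5, 1, bytes([192, 0, 2, 1]), 0, 1, 1000, 0)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 113)
    for data in (v9, sflow, sflow):
        udp = struct.pack("!HHHH", 40000, 6343, 8 + len(data), 0) + data
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + udp
        frame = bytes(14) + b"\x08\x00" + ip  # 16-byte SLL header, protocol IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out
```

On the capture requested in the thread, `exporters(open("port6343.pcap", "rb").read())` gives the per-protocol datagram count for the collector port.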
