Gerhard,
I've replayed the pcap enclosed in my lab. Actually ntopng shows many, many
flows (more than 1k) with several application protocols and not just sFlow.
However, you're right, there's a massive, long-lived (35 days, 17:02:11) flow
that is continuously reported by the Meraki NetFlow. See a couple of records
extracted from the pcap:
Flow 17
SrcAddr: 172.22.9.58
DstAddr: 10.36.43.1
SrcPort: 6343
DstPort: 5557
Octets: 1367205289
Post Octets: 0
Packets: 4523579
Post Packets: 0
Protocol: UDP (17)
InputInt: 45
OutputInt: 0
[Duration: 3085227.349000000 seconds (switched)]
Flow 16
SrcAddr: 172.22.9.58
DstAddr: 10.36.43.1
SrcPort: 6343
DstPort: 5557
Octets: 1367206552
Post Octets: 0
Packets: 4523582
Post Packets: 0
Protocol: UDP (17)
InputInt: 45
OutputInt: 0
[Duration: 3085233.349000000 seconds (switched)]
That flow happens to have src port 6343 and thus nProbe guesses it is sFlow.
The point is that the data shown is accurate ntopng-wise. You just have to figure
out why the Meraki is reporting that massive flow.
Simone
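The records above are what a collector-side check would work from. The following is an added example, not code from this thread or from nProbe/ntopng: it parses tshark-style "Flow N" text blocks like the two quoted above, mimics the kind of port-only application guess that turned src port 6343 into an "sFlow" label, and flags long-lived, high-volume flows that sit on a well-known flow-export port as candidates for an exporter feedback loop. The sample dump (the thread's Flow 17 plus a constructed short DNS flow), the export-port table and the thresholds are assumptions made for this example.

```python
"""Added example, not code from the ntop thread or from nProbe/ntopng.

Parses tshark-style NetFlow record dumps ("Flow N" blocks) and reports
long-lived, high-volume flows on well-known flow-export ports. The sample
dump, the port table and the thresholds are constructed assumptions.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Assumption: a port-only guess has nothing but this table to go on.
EXPORT_PORTS = {6343: "sFlow", 2055: "NetFlow", 4739: "IPFIX"}

# Constructed sample input: the first record quoted in the thread plus a
# short, ordinary DNS flow (Flow 18, invented here) for contrast.
SAMPLE_DUMP = """\
Flow 17
SrcAddr: 172.22.9.58
DstAddr: 10.36.43.1
SrcPort: 6343
DstPort: 5557
Octets: 1367205289
Post Octets: 0
Packets: 4523579
Post Packets: 0
Protocol: UDP (17)
InputInt: 45
OutputInt: 0
[Duration: 3085227.349000000 seconds (switched)]
Flow 18
SrcAddr: 172.22.9.20
DstAddr: 10.36.43.53
SrcPort: 51234
DstPort: 53
Octets: 180
Post Octets: 0
Packets: 2
Post Packets: 0
Protocol: UDP (17)
InputInt: 45
OutputInt: 0
[Duration: 0.012000000 seconds (switched)]
"""


@dataclass
class FlowRecord:
    flow_id: int
    src: str
    dst: str
    sport: int
    dport: int
    octets: int
    packets: int
    proto: int
    duration_s: float

    @property
    def avg_rate_bps(self) -> float:
        """Average bytes per second over the reported duration."""
        return self.octets / self.duration_s if self.duration_s > 0 else float(self.octets)

    @property
    def avg_packet_size(self) -> float:
        return self.octets / self.packets if self.packets else 0.0


_FLOW_HDR = re.compile(r"^Flow (\d+)$")
# "Key: value", optionally wrapped in [...] as tshark prints the Duration line.
_FIELD = re.compile(r"^\[?([A-Za-z ]+?):\s*(.*?)\]?$")


def _build(fields: dict) -> FlowRecord:
    return FlowRecord(
        flow_id=fields["flow_id"],
        src=fields["SrcAddr"], dst=fields["DstAddr"],
        sport=int(fields["SrcPort"]), dport=int(fields["DstPort"]),
        octets=int(fields["Octets"]), packets=int(fields["Packets"]),
        proto=int(re.search(r"\((\d+)\)", fields["Protocol"]).group(1)),
        duration_s=float(re.match(r"[\d.]+", fields["Duration"]).group(0)),
    )


def parse_dump(text: str) -> list[FlowRecord]:
    """Turn one or more 'Flow N' text blocks into FlowRecord objects."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _FLOW_HDR.match(line)
        if m:
            if cur is not None:
                records.append(_build(cur))
            cur = {"flow_id": int(m.group(1))}
            continue
        m = _FIELD.match(line)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2)
    if cur is not None:
        records.append(_build(cur))
    return records


def port_guess(rec: FlowRecord) -> str:
    """Naive port-only application guess: first known export port on either side wins."""
    for port in (rec.sport, rec.dport):
        if port in EXPORT_PORTS:
            return EXPORT_PORTS[port]
    return "unknown"


def assess(rec: FlowRecord, max_duration_s: float = 7 * 86400,
           min_octets: int = 100 * 1024 * 1024) -> dict:
    """Findings for one record; the thresholds are constructed defaults."""
    reasons = []
    if rec.duration_s > max_duration_s:
        reasons.append("long-lived")
    if rec.octets >= min_octets:
        reasons.append("high-volume")
    guess = port_guess(rec)
    if guess != "unknown":
        reasons.append(f"on-export-port:{guess}")
    return {
        "flow_id": rec.flow_id,
        "tuple": f"{rec.src}:{rec.sport} -> {rec.dst}:{rec.dport}/{rec.proto}",
        "days": rec.duration_s / 86400,
        "avg_rate_bps": rec.avg_rate_bps,
        "avg_packet_size": rec.avg_packet_size,
        "port_guess": guess,
        "reasons": reasons,
        # A flow that is both long-lived and heavy deserves a look at the exporter
        # before trusting the collector's application label.
        "suspicious": "long-lived" in reasons and "high-volume" in reasons,
    }


def report(text: str) -> list[dict]:
    return [assess(r) for r in parse_dump(text)]


if __name__ == "__main__":
    for f in report(SAMPLE_DUMP):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"flow {f['flow_id']:>3} {f['tuple']:<38} {f['days']:6.2f} d "
              f"{f['avg_rate_bps']:8.1f} B/s guess={f['port_guess']:<8} {flag} {f['reasons']}")
```

Run against a real dump (for example `tshark -r port6343.pcap -V` output filtered down to the flow records), the report separates what the exporter actually reported (a 35-day UDP flow averaging a few hundred bytes per second) from what the port heuristic called it, which is the distinction Simone draws above.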
> On 4 Jun 2018, at 16:29, Gerhard Mourani <[email protected]> wrote:
>
> Simone,
>
> Here the link to get the pcap, thanks.
>
> http://www.prival.ca/port6343.pcap
>
> Gerhard,
>
>> On May 24, 2018, at 6:07 AM, Simone Mainardi <[email protected]> wrote:
>>
>> Gerard,
>>
>>> On 22 May 2018, at 14:32, Gerhard Mourani <[email protected]> wrote:
>>>
>>> Simone,
>>>
>>> There is not so much configuration available on the Meraki device to set up
>>> NetFlow. Only enable it, define the IP of the collector and the port
>>> (https://documentation.meraki.com/MX-Z/Monitoring_and_Reporting/NetFlow_Overview).
>>
>> Please, generate a pcap of what nprobe is getting on port 6343 and upload it
>> somewhere for our inspection. The command is the following (let it run for a
>> minute):
>>
>> tcpdump -i any port 6343 -s 0 -w port6343.pcap
>>
>>
>>>
>>> According to the Cisco documentation, Meraki uses NetFlow v9 but ntopng
>>> reports that sFlow is received and returned to the Meraki device!
>>
>> Note that typically port 6343 (the one you're using with nprobe) is used by
>> sFlow exporters. So maybe there's some other exporter and you are collecting
>> its traffic rather than that of the Meraki?
>>
>>> Also, if I'm correct here, nProbe uses NetFlow to send to ntopng, so how can
>>> NetFlow v9 to NetFlow collector (nProbe) to ntopng become sFlow?
>>>
>>> Gerhard,
>>>
>>>
>>>> On May 20, 2018, at 3:59 AM, Simone Mainardi <[email protected]> wrote:
>>>>
>>>> Gerhard,
>>>>
>>>> So that looks more like a Meraki configuration issue. It seems that the
>>>> Meraki is doing sFlow on its own generated sFlow traffic. Basically it
>>>> sends sFlow packets, then the sFlow process samples sFlow packets and, in
>>>> turn, it triggers the generation of additional sFlow packets and so on.
>>>> This 'amplification' also explains why you are seeing a huge amount of 100%
>>>> sent sFlow traffic. Please check that config.
>>>>
>>>> Simone
>>>>
>>>>> On 17 May 2018, at 15:10, Gerhard Mourani <[email protected]> wrote:
>>>>>
>>>>> Yes
>>>>>
>>>>>> On May 17, 2018, at 9:03 AM, Simone Mainardi <[email protected]> wrote:
>>>>>>
>>>>>>>
>>>>>>> On 17 May 2018, at 14:30, Gerhard Mourani <[email protected]> wrote:
>>>>>>>
>>>>>>> Hi Simone,
>>>>>>>
>>>>>>> Here is the ntopng and nProbe configuration used.
>>>>>>>
>>>>>>> Ntopng:
>>>>>>> --interface eth0
>>>>>>> --interface tcp://127.0.0.1:5556
>>>>>>> --local-networks 172.22.9.0/24,192.168.0.0/16,172.22.0.0/16,10.0.0.0/8
>>>>>>> --daemon
>>>>>>> --user ntopng
>>>>>>> --pid /var/run/ntopng/ntopng.pid
>>>>>>> --http-port 0
>>>>>>> --https-port :3001
>>>>>>> --data-dir /var/lib/nst/ntopng
>>>>>>> --dns-mode 1
>>>>>>> --disable-autologout
>>>>>>> --disable-login 0
>>>>>>> --sticky-hosts none
>>>>>>> --http-prefix /ntopng
>>>>>>> --ndpi-protocols /etc/ntopng/protos.txt
>>>>>>>
>>>>>>> nProbe:
>>>>>>> /usr/local/bin/nprobe -i none -n none --zmq tcp://*:5556
>>>>>>> -b 2 -3 6343 --online-license-check
>>>>>>> --as-list=/usr/share/ntopng/httpdocs/geoip/GeoIPASNum.dat
>>>>>>> --city-list=/usr/share/ntopng/httpdocs/geoip/GeoLiteCity.dat -G
>>>>>>> --pid-file /var/run/nprobe/nprobe.pid -V 9 --disable-cache
>>>>>>> --zmq-disable-buffering
>>>>>>>
>>>>>>> I don't know if I can attach pictures to this message to explain what I
>>>>>>> mean by saying that my collector ntopng returns sFlow to the remote
>>>>>>> Meraki device.
>>>>>>>
>>>>>>> Traffic from my collector IP is almost 100% sent and when I check the
>>>>>>> Protocol detail, it shows that it's sFlow (Sent 100%) to my remote
>>>>>>> Meraki device under the Peers tab!
>>>>>>
>>>>>> Are you sure you have selected interface tcp://127.0.0.1:5556
>>>>>> from the ntopng interfaces dropdown menu?
>>>>>>
>>>>>>>
>>>>>>> Gerhard,
>>>>>>>
>>>>>>>
>>>>>>>> On May 17, 2018, at 3:53 AM, Simone Mainardi <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Gerhard,
>>>>>>>>
>>>>>>>> Can you enclose nProbe and ntopng configurations used as well as an
>>>>>>>> example of what you mean with 'my collector return the flow to the
>>>>>>>> Meraki device'?
>>>>>>>>
>>>>>>>> Thank you
>>>>>>>>
>>>>>>>>> On 16 May 2018, at 19:59, Gerhard Mourani <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I've activated NetFlow v9 on Cisco Meraki and receive flows on nProbe
>>>>>>>>> (v 8.2.171206-5975) correctly. The problem is that my collector
>>>>>>>>> (ntopng v 3.2) returns the flow to the Meraki device and I don't
>>>>>>>>> understand why. This generates a lot of data, in our case ~1TB per hour
>>>>>>>>> for sFlow!
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> _______________________________________________
>>>>>>>>> Ntop mailing list
>>>>>>>>> [email protected] <mailto:[email protected]>
>>>>>>>>> http://listgateway.unipi.it/mailman/listinfo/ntop
>>>>>>>>> <http://listgateway.unipi.it/mailman/listinfo/ntop>
>>>>>>>>
>>>>>>>
>>>>>>