Pick one: Wrongo dragon breath... Close grasshopper, but no cigar...
Separate the two activities of netFlow in your mind. THEY DO NOT OVERLAP!

When ntop is acting as a receiver of netFlow data, it receives the packets on the specified port and stores the data in its internal structures just like data collected off another network card. Hence you switch "NICs" to report on the netFlow data.

When ntop is acting as a collector of netFlow data, it collects information from its network cards and sends that off to some netFlow receiver.

You can monitor the data ntop has received just like normal, but you can't monitor the data ntop has sent via netFlow to another device, you have to use that device to monitor it...

You started ntop ... -i eth0 ... that's why you only have the two devices, eth0 and netFlow. Because that's all you've told ntop to monitor... how about ... -i eth0,eth1 ... ???

If you are only using ntop to receive netFlow data, you may have a problem. IIRC, it won't run without monitoring at least one (real) NIC. I might be wrong... I suppose you could always monitor the local loopback (-i lo).

Once it's up? As I've said before, the data collected by netFlow somewhere else and sent to ntop is presented via the netFlow pseudo-nic. You're right it won't have session and other detailed data - that's not in the flows (look at the header files, you'll see what's being "recorded").

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Blake
Sent: Friday, September 27, 2002 12:09 PM
To: [EMAIL PROTECTED]
Subject: [Ntop] NetFlow Overview

Hopefully someone can assist my ignorance in regards to using NTOP as a NetFlow collector. If not ... that's cool! Just thought I would ask.

I just have a few basic questions, which are listed below after I describe my environment.

-------------------------
My environment explained;
-------------------------

###########
NTOP SERVER
###########

./ntop -a ntop.access.log -i eth0 -w 10.4.4.51:3999 -m 10.0.0.0/255.0.0.0,192.168.0.0/255.255.0.0 -p protocol.list -E -P /eth1/ -u ntopuser -d

RH7.3
ntop-02-09-25
Dell Pentium PC -- 2 NICS
ETH0 10.4.4.51 (web server listening)
ETH1 1.1.1.1 (Cisco switch port monitoring router port)

NetFLow pluging: enabled
Local Collector UDP port: 2055

Interface Name    NetFlow Enabled
eth0              Yes
NetFlow-device    No

Flow Statistics
# Pkts Rcvd.value          366
# Flows Rcvd.value         10,980
# Flow with Bad Version    0

Flow Senders
192.168.2.1 [366 pkts]

#############
Router Config
#############

ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 10.4.4.51 2055

interface FastEthernet0/0
 description <<GLASRTR01 User/Admin/Server Secondary IP's>>
 ip address 10.4.4.1 255.255.254.0 secondary
 ip address 10.6.16.1 255.255.252.0 secondary
 ip address 192.168.1.5 255.255.255.0 secondary
 ip address 192.168.2.1 255.255.255.0
 ip directed-broadcast
 ip route-cache flow
 speed 100
 full-duplex

----------
Questions:
----------

1) I have 2 options when switching NIC's; eth0 and NetFLow-device. I'm assuming eth1 (which is the monitoring port) is labeled NetFlow-device because since NetFlow is enabled ... it is the interface which can export NetFLow to another collector. However, my question is what interface should I select to view NetFLow data received from the router I am sending NetFlow data? eth0 (ip 10.4.4.51)?

2) Say for instance you are only using NTOP to view NetFlow data received from a router. What & where would you see NetFlow data presented in NTOP? I'm assuming I will not see sessions because NetFlow data are sessions which have ended? It seems like I should see everything else however it appears as though I am only seeing broadcasts NTOP is able to pickup off that port on the switch (and me connecting to it via 80 and 22).

Hopefully I explained this so that you can understand my question.

_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://lists.ntop.org/mailman/listinfo/ntop
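
Added example, not part of the original thread and not ntop's code: a small parser for a NetFlow v5 export datagram, showing what a flow record actually carries and why the NetFlow pseudo-NIC has no session detail. It assumes the standard v5 layout (24-byte header, 48-byte records, at most 30 records per datagram, which is consistent with the 10,980 flows in 366 packets reported above); the names parse_v5 and build_sample and all sample addresses and counters are constructed for illustration.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record
MAX_RECORDS = 30                                    # v5 limit per datagram
# Everything a v5 record carries: endpoints and counters, no payload or session state.
FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "packets",
          "octets", "first", "last", "srcport", "dstport", "pad1",
          "tcp_flags", "proto", "tos", "src_as", "dst_as",
          "src_mask", "dst_mask", "pad2")


def parse_v5(datagram):
    """Parse one NetFlow v5 export datagram into (header, flows)."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    version, count, _uptime, secs, _nsecs, seq, _etype, _eid, _samp = \
        HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    # The collector port accepts UDP from any sender, so check the declared
    # count against the real payload length before trusting it.
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError(f"record count {count} out of range")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match declared record count")
    flows = []
    for i in range(count):
        values = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flow = dict(zip(FIELDS, values))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            flow[key] = socket.inet_ntoa(flow[key])
        del flow["pad1"], flow["pad2"]
        flows.append(flow)
    return {"version": version, "count": count, "unix_secs": secs,
            "flow_sequence": seq}, flows


def build_sample():
    """Constructed two-flow datagram (sample data, not a real capture)."""
    a = socket.inet_aton
    header = HEADER.pack(5, 2, 1000, 1033142940, 0, 42, 0, 0, 0)
    web = RECORD.pack(a("10.4.4.20"), a("10.4.4.51"), a("0.0.0.0"), 1, 2,
                      12, 3400, 100, 900, 40000, 3999, 0, 0x1B, 6, 0,
                      0, 0, 23, 23, 0)
    dns = RECORD.pack(a("192.168.2.7"), a("10.6.16.9"), a("0.0.0.0"), 1, 2,
                      1, 72, 500, 500, 53000, 53, 0, 0, 17, 0, 0, 0, 24, 22, 0)
    return header + web + dns
```

Calling parse_v5(build_sample()) returns the header and two flow dictionaries; the only TCP state in a record is the cumulative tcp_flags byte.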
