Thanks for the reply (even though you are on vacation). So here is my current config, and it appears as though I am receiving NetFlow packets from the router. So, I should not enable any of the following devices unless I am exporting NetFlow data from that device to a remote NetFlow collector ... cigar?

In order to receive NetFlow from a router, I just need to enable the plugin and specify the UDP port. By the way, why is the NetFlow-device interface created when you turn on the plugin? Of course I saw NOTE: #4 A virtual NetFlow device is activated only when incoming flow capture is enabled --- but I don't understand its purpose.

##############
CURRENT CONFIG
##############

Interface Name    NetFlow Enabled
eth0              No
eth1              No
NetFlow-device    No

WARNING: as all the interfaces are disabled, no flows will be exported

Flow Statistics
# Pkts Rcvd.value          124
# Flows Rcvd.value         3,720
# Flow with Bad Version    0
Flow Senders               192.168.2.1 [124 pkts]

--- "Burton M. Strauss III" <[EMAIL PROTECTED]> wrote:

> Pick one:
>
> Wrongo dragon breath...
> Close grasshopper, but no cigar...
>
> Separate the two activities of netFlow in your mind.
> THEY DO NOT OVERLAP!
>
> When ntop is acting as a receiver of netFlow data, it receives the
> packets on the specified port and stores the data in its internal
> structures just like data collected off another network card. Hence
> you switch "NICs" to report on the netFlow data.
>
> When ntop is acting as a collector of netFlow data, it collects
> information from its network cards and sends that off to some netFlow
> receiver. You can monitor the data ntop has received just like normal,
> but you can't monitor the data ntop has sent via netFlow to another
> device, you have to use that device to monitor it...
>
> You started ntop ... -i eth0 ... that's why you only have the two
> devices, eth0 and netFlow. Because that's all you've told ntop to
> monitor... how about ... -i eth0,eth1 ... ???
>
> If you are only using ntop to receive netFlow data, you may have a
> problem. IIRC, it won't run without monitoring at least one (real)
> NIC. I might be wrong... I suppose you could always monitor the local
> loopback (-i lo).
> Once it's up?
> As I've said before, the data collected by netFlow somewhere else and
> sent to ntop is presented via the netFlow pseudo-nic.
>
> You're right it won't have session and other detailed data - that's
> not in the flows (look at the header files, you'll see what's being
> "recorded").
>
> -----Burton
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Blake
> Sent: Friday, September 27, 2002 12:09 PM
> To: [EMAIL PROTECTED]
> Subject: [Ntop] NetFlow Overview
>
> Hopefully someone can assist my ignorance in regards to using NTOP as
> a NetFlow collector. If not ... that's cool! Just thought I would
> ask. I just have a few basic questions, which are listed below after
> I describe my environment.
>
> -------------------------
> My environment explained;
> -------------------------
>
> ###########
> NTOP SERVER
> ###########
>
> ./ntop -a ntop.access.log -i eth0 -w 10.4.4.51:3999 -m 10.0.0.0/255.0.0.0,192.168.0.0/255.255.0.0 -p protocol.list -E -P /eth1/ -u ntopuser -d
>
> RH7.3
> ntop-02-09-25
> Dell Pentium PC -- 2 NICS
> ETH0 10.4.4.51 (web server listening)
> ETH1 1.1.1.1 (Cisco switch port monitoring router port)
> NetFlow plugin: enabled
> Local Collector UDP port: 2055
>
> Interface Name    NetFlow Enabled
> eth0              Yes
> NetFlow-device    No
>
> Flow Statistics
> # Pkts Rcvd.value          366
> # Flows Rcvd.value         10,980
> # Flow with Bad Version    0
> Flow Senders               192.168.2.1 [366 pkts]
>
> #############
> Router Config
> #############
>
> ip flow-export source FastEthernet0/0
> ip flow-export version 5
> ip flow-export destination 10.4.4.51 2055
>
> interface FastEthernet0/0
>  description <<GLASRTR01 User/Admin/Server Secondary IP's>>
>  ip address 10.4.4.1 255.255.254.0 secondary
>  ip address 10.6.16.1 255.255.252.0 secondary
>  ip address 192.168.1.5 255.255.255.0 secondary
>  ip address 192.168.2.1 255.255.255.0
>  ip directed-broadcast
>  ip route-cache flow
>  speed 100
>  full-duplex
>
> ----------
> Questions:
> ----------
>
> 1) I have 2 options when switching NICs; eth0 and NetFlow-device. I'm
> assuming eth1 (which is the monitoring port) is labeled NetFlow-device
> because since NetFlow is enabled ... it is the interface which can
> export NetFlow to another collector. However, my question is what
> interface should I select to view NetFlow data received from the
> router I am sending NetFlow data? eth0 (ip 10.4.4.51)?
>
> 2) Say for instance you are only using NTOP to view NetFlow data
> received from a router. What & where would you see NetFlow data
> presented in NTOP? I'm assuming I will not see sessions because
> NetFlow data are sessions which have ended? It seems like I should
> see everything else however it appears as though I am only seeing
> broadcasts NTOP is able to pick up off that port on the switch (and me
> connecting to it via 80 and 22). Hopefully I explained this so that
> you can understand my question.
>
> _______________________________________________
> Ntop mailing list
> [EMAIL PROTECTED]
> http://lists.ntop.org/mailman/listinfo/ntop
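
Added example (not part of the original thread, and not ntop's own code): a receiver-side parser for the NetFlow version 5 datagrams the router config above exports, keeping the same counters the plugin page reports (packets, flows, bad version, senders) and showing which fields a v5 flow record carries. The class and function names are hypothetical and the datagrams are constructed; each holds 30 records, the v5 per-datagram maximum, which is the ratio seen in the 124 pkts / 3,720 flows statistics.

```python
import socket
import struct
from collections import Counter

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")  # 48-byte v5 flow record
MAX_V5_RECORDS = 30                                     # v5 limit per datagram

class FlowCounters:
    """Hypothetical collector state mirroring the plugin's statistics page."""
    def __init__(self):
        self.pkts = self.flows = self.bad_version = self.malformed = 0
        self.senders = Counter()

    def handle(self, sender_ip, datagram):
        """Validate one UDP payload and return its flow records as dicts."""
        if len(datagram) < V5_HEADER.size:
            self.malformed += 1
            return []
        version, count = V5_HEADER.unpack_from(datagram)[:2]
        if version != 5:
            self.bad_version += 1
            return []
        # The count field is sender-controlled: check it against the real length.
        needed = V5_HEADER.size + count * V5_RECORD.size
        if not 1 <= count <= MAX_V5_RECORDS or len(datagram) < needed:
            self.malformed += 1
            return []
        self.pkts += 1
        self.flows += count
        self.senders[sender_ip] += 1
        out = []
        for off in range(V5_HEADER.size, needed, V5_RECORD.size):
            f = V5_RECORD.unpack_from(datagram, off)
            out.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                        "packets": f[5], "octets": f[6], "sport": f[9],
                        "dport": f[10], "tcp_flags": f[11], "proto": f[12]})
        return out

def sample_v5(count, version=5):
    """Constructed datagram: `count` identical TCP/80 flow records."""
    a = socket.inet_aton
    rec = V5_RECORD.pack(a("10.4.4.20"), a("192.168.1.9"), a("0.0.0.0"), 1, 2,
                         12, 3400, 1000, 2000, 40000, 80, 0x1B, 6, 0, 0, 0, 23, 24)
    return V5_HEADER.pack(version, count, 0, 0, 0, 0, 0, 0, 0) + rec * count

if __name__ == "__main__":
    stats = FlowCounters()
    for _ in range(124):
        stats.handle("192.168.2.1", sample_v5(30))
    print(stats.pkts, stats.flows, stats.bad_version, dict(stats.senders))
```

Each record carries only addresses, ports, protocol, TCP flag bits and packet/byte totals for a flow, which is why the receiver has no per-session detail to display.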
