I'm gonna guess what the NetFlow-device is ... It is the virtual device NTOP uses to store the NetFlow data from the router?

--Blake

--- Blake <[EMAIL PROTECTED]> wrote:
> Thanks for the reply (even though you are on vacation)
>
> SO here is my current config, and it appears as though I am receiving NetFlow packets from the router. So, I should not enable any of the following devices unless I am exporting NetFlow data from that device to a remote NetFlow collector ... cigar?
>
> In order to receive NetFlow from a router, I just need to enable the plugin and specify the UDP port.
>
> By the way, why is the NetFlow-device interface created when you turn on the plugin? Of course I saw NOTE: #4 A virtual NetFlow device is activated only when incoming flow capture is enabled --- but I don't understand its purpose.
>
> ##############
> CURRENT CONFIG
> ##############
>
> Interface Name    NetFlow Enabled
> eth0              No
> eth1              No
> NetFlow-device    No
>
> WARNING: as all the interfaces are disabled, no flows will be exported
>
> Flow Statistics
> # Pkts Rcvd.value 124
> # Flows Rcvd.value 3,720
> # Flow with Bad Version 0
> Flow Senders 192.168.2.1 [124 pkts]
>
> --- "Burton M. Strauss III" <[EMAIL PROTECTED]> wrote:
> > Pick one:
> >
> > Wrongo dragon breath...
> > Close grasshopper, but no cigar...
> >
> > Separate the two activities of netFlow in your mind. THEY DO NOT OVERLAP!
> >
> > When ntop is acting as a receiver of netFlow data, it receives the packets on the specified port and stores the data in its internal structures just like data collected off another network card. Hence you switch "NICs" to report on the netFlow data.
> >
> > When ntop is acting as a collector of netFlow data, it collects information from its network cards and sends that off to some netFlow receiver. You can monitor the data ntop has received just like normal, but you can't monitor the data ntop has sent via netFlow to another device, you have to use that device to monitor it...
> >
> > You started ntop ... -i eth0 ... that's why you only have the two devices, eth0 and netFlow. Because that's all you've told ntop to monitor... how about ... -i eth0,eth1 ... ???
> >
> > If you are only using ntop to receive netFlow data, you may have a problem. IIRC, it won't run without monitoring at least one (real) NIC. I might be wrong... I suppose you could always monitor the local loopback (-i lo). Once it's up? As I've said before, the data collected by netFlow somewhere else and sent to ntop is presented via the netFlow pseudo-nic.
> >
> > You're right it won't have session and other detailed data - that's not in the flows (look at the header files, you'll see what's being "recorded").
> >
> > -----Burton
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Blake
> > Sent: Friday, September 27, 2002 12:09 PM
> > To: [EMAIL PROTECTED]
> > Subject: [Ntop] NetFlow Overview
> >
> > Hopefully someone can assist my ignorance in regards to using NTOP as a NetFlow collector. If not ... that's cool! Just thought I would ask. I just have a few basic questions, which are listed below after I describe my environment.
> >
> > -------------------------
> > My environment explained;
> > -------------------------
> >
> > ###########
> > NTOP SERVER
> > ###########
> >
> > ./ntop -a ntop.access.log -i eth0 -w 10.4.4.51:3999 -m 10.0.0.0/255.0.0.0,192.168.0.0/255.255.0.0 -p protocol.list -E -P /eth1/ -u ntopuser -d
> >
> > RH7.3
> > ntop-02-09-25
> > Dell Pentium PC -- 2 NICS
> > ETH0 10.4.4.51 (web server listening)
> > ETH1 1.1.1.1 (Cisco switch port monitoring router port)
> > NetFlow plugin: enabled
> > Local Collector UDP port: 2055
> >
> > Interface Name    NetFlow Enabled
> > eth0              Yes
> > NetFlow-device    No
> >
> > Flow Statistics
> > # Pkts Rcvd.value 366
> > # Flows Rcvd.value 10,980
> > # Flow with Bad Version 0
> > Flow Senders 192.168.2.1 [366 pkts]
> >
> > #############
> > Router Config
> > #############
> >
> > ip flow-export source FastEthernet0/0
> > ip flow-export version 5
> > ip flow-export destination 10.4.4.51 2055
> >
> > interface FastEthernet0/0
> >  description <<GLASRTR01 User/Admin/Server Secondary IP's>>
> >  ip address 10.4.4.1 255.255.254.0 secondary
> >  ip address 10.6.16.1 255.255.252.0 secondary
> >  ip address 192.168.1.5 255.255.255.0 secondary
> >  ip address 192.168.2.1 255.255.255.0
> >  ip directed-broadcast
> >  ip route-cache flow
> >  speed 100
> >  full-duplex
> >
> > ----------
> > Questions:
> > ----------
> >
> > 1) I have 2 options when switching NICs; eth0 and NetFlow-device. I'm assuming eth1 (which is the monitoring port) is labeled NetFlow-device because since NetFlow is enabled ... it is the interface which can export NetFlow to another collector. However, my question is what interface should I select to view NetFlow data received from the router I am sending NetFlow data? eth0 (ip 10.4.4.51)?
> >
> > 2) Say for instance you are only using NTOP to view NetFlow data received from a router. What & where would you see NetFlow data presented in NTOP? I'm assuming I will not see sessions because NetFlow data are sessions which have ended? It seems like I should
=== message truncated ===

_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://lists.ntop.org/mailman/listinfo/ntop
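
Added example, not part of the original thread and not ntop's code: a minimal Python parser for the NetFlow version 5 export datagrams that the router in the thread sends to UDP port 2055, with counters modeled on the Flow Statistics output quoted above. The header and record layouts are the standard v5 format; the function names and the sample flows are constructed for illustration.

```python
import socket
import struct
from collections import Counter

HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
# 48-byte v5 record: addresses, counters, ports, flags. No session state.
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30                                     # v5 limit per datagram

def parse_v5(datagram):
    """Return a list of flow dicts, or raise ValueError on a malformed datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("short header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("bad version")
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError("bad record count")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match count")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "packets": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return flows

def tally(datagrams):
    """Count accepted packets, flows and rejected datagrams per sender."""
    stats = {"pkts": 0, "flows": 0, "bad": 0, "senders": Counter()}
    for sender, data in datagrams:
        try:
            flows = parse_v5(data)
        except ValueError:
            stats["bad"] += 1        # UDP input is unauthenticated: drop, count
            continue
        stats["pkts"] += 1
        stats["flows"] += len(flows)
        stats["senders"][sender] += 1
    return stats

def sample_datagram(version=5, count=2):
    """Constructed test input: `count` TCP flows from 10.4.4.20 to 10.6.16.9."""
    rec = RECORD.pack(socket.inet_aton("10.4.4.20"), socket.inet_aton("10.6.16.9"),
                      bytes(4), 1, 2, 10, 4200, 0, 0, 40000, 80, 0, 0x1B, 6, 0, 0, 0, 23, 22, 0)
    return HEADER.pack(version, count, 0, 0, 0, 0, 0, 0, 0) + rec * count
```

A v5 datagram carries at most 30 records, which matches the ratios in the quoted statistics (124 packets for 3,720 flows, 366 packets for 10,980 flows).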
