Actually, I'm back ... survived Mom and "The Great Mouse Debate".
Assuming you only care about netFlow, you are correct. You only need to monitor (real) NICs that you want to collect data from. Whether you use that data only to display ntop's web pages or to forward to a netFlow receiver is irrelevant.

Cigarillo... "why is the NetFlow-device interface created when you turn on the plugin?"

Basically, there is a large, dynamic data structure in ntop that holds all the information about a device, collected, sniffed, etc. from the packets. ntop creates one if it's merging data or multiples if it's not merging data, one per "device". So, ntop creates another one of these structures to hold the information it receives via netFlow packets when it's acting as a netFlow receiver. That way, all the reporting logic just works... it doesn't know the difference. The structure has to be created before the first netFlow packet is received, i.e. when we KNOW -- based on the persistent settings for the plugin, or your setting the port # -- that we'll be dealing with inbound netFlow data.

-----Burton

-----Original Message-----
From: Blake [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 27, 2002 2:08 PM
To: Burton M. Strauss III; [EMAIL PROTECTED]
Subject: RE: [Ntop] NetFlow Overview

Thanks for the reply (even though you are on vacation)

So here is my current config, and it appears as though I am receiving NetFlow packets from the router. So, I should not enable any of the following devices unless I am exporting NetFlow data from that device to a remote NetFlow collector ... cigar?

In order to receive NetFlow from a router, I just need to enable the plugin and specify the UDP port. By the way, why is the NetFlow-device interface created when you turn on the plugin? Of course I saw NOTE #4, "A virtual NetFlow device is activated only when incoming flow capture is enabled", but I don't understand its purpose.
############## CURRENT CONFIG ##############

Interface Name    NetFlow Enabled
eth0              No
eth1              No
NetFlow-device    No

WARNING: as all the interfaces are disabled, no flows will be exported

Flow Statistics
# Pkts Rcvd.value        124
# Flows Rcvd.value       3,720
# Flow with Bad Version  0
Flow Senders             192.168.2.1 [124 pkts]

--- "Burton M. Strauss III" <[EMAIL PROTECTED]> wrote:
> Pick one:
>
> Wrongo dragon breath...
> Close grasshopper, but no cigar...
>
> Separate the two activities of netFlow in your mind. THEY DO NOT OVERLAP!
>
> When ntop is acting as a receiver of netFlow data, it receives the packets
> on the specified port and stores the data in its internal structures just
> like data collected off another network card. Hence you switch "NICs" to
> report on the netFlow data.
>
> When ntop is acting as a collector of netFlow data, it collects information
> from its network cards and sends that off to some netFlow receiver. You
> can monitor the data ntop has received just like normal, but you can't
> monitor the data ntop has sent via netFlow to another device; you have to
> use that device to monitor it...
>
> You started ntop ... -i eth0 ... that's why you only have the two devices,
> eth0 and netFlow. Because that's all you've told ntop to monitor... how
> about ... -i eth0,eth1 ... ???
>
> If you are only using ntop to receive netFlow data, you may have a problem.
> IIRC, it won't run without monitoring at least one (real) NIC. I might be
> wrong... I suppose you could always monitor the local loopback (-i lo).
>
> Once it's up? As I've said before, the data collected by netFlow somewhere
> else and sent to ntop is presented via the netFlow pseudo-nic.
>
> You're right it won't have session and other detailed data - that's not in
> the flows (look at the header files, you'll see what's being "recorded").
>
> -----Burton
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Blake
> Sent: Friday, September 27, 2002 12:09 PM
> To: [EMAIL PROTECTED]
> Subject: [Ntop] NetFlow Overview
>
> Hopefully someone can assist my ignorance in regards to using NTOP as a
> NetFlow collector. If not ... that's cool! Just thought I would ask. I just
> have a few basic questions, which are listed below after I describe my
> environment.
>
> -------------------------
> My environment explained:
> -------------------------
>
> ###########
> NTOP SERVER
> ###########
>
> ./ntop -a ntop.access.log -i eth0 -w 10.4.4.51:3999 -m 10.0.0.0/255.0.0.0,192.168.0.0/255.255.0.0 -p protocol.list -E -P /eth1/ -u ntopuser -d
>
> RH7.3
> ntop-02-09-25
> Dell Pentium PC -- 2 NICs
> ETH0 10.4.4.51 (web server listening)
> ETH1 1.1.1.1 (Cisco switch port monitoring router port)
> NetFlow plugin: enabled
> Local Collector UDP port: 2055
>
> Interface Name    NetFlow Enabled
> eth0              Yes
> NetFlow-device    No
>
> Flow Statistics
> # Pkts Rcvd.value        366
> # Flows Rcvd.value       10,980
> # Flow with Bad Version  0
> Flow Senders             192.168.2.1 [366 pkts]
>
> #############
> Router Config
> #############
>
> ip flow-export source FastEthernet0/0
> ip flow-export version 5
> ip flow-export destination 10.4.4.51 2055
>
> interface FastEthernet0/0
>  description <<GLASRTR01 User/Admin/Server Secondary IP's>>
>  ip address 10.4.4.1 255.255.254.0 secondary
>  ip address 10.6.16.1 255.255.252.0 secondary
>  ip address 192.168.1.5 255.255.255.0 secondary
>  ip address 192.168.2.1 255.255.255.0
>  ip directed-broadcast
>  ip route-cache flow
>  speed 100
>  full-duplex
>
> ----------
> Questions:
> ----------
>
> 1) I have 2 options when switching NICs; eth0 and NetFlow-device. I'm
> assuming eth1 (which is the monitoring port) is labeled NetFlow-device
> because since NetFlow is enabled ... it is the interface which can export
> NetFlow to another collector.
> However, my question is what interface should I select to view NetFlow data
> received from the router I am sending NetFlow data? eth0 (ip 10.4.4.51)?
>
> 2) Say for instance you are only using NTOP to view NetFlow data received
> from a router. What & where would you see NetFlow data presented in NTOP?
> I'm assuming I will not see sessions because NetFlow data are sessions
> which have ended? It seems like I should see everything else; however it
> appears as though I am only seeing broadcasts NTOP is able to pick up off
> that port on the switch (and me connecting to it via 80 and 22). Hopefully
> I explained this so that you can understand my question.

_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://lists.ntop.org/mailman/listinfo/ntop
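Two points in the thread are easier to see with a concrete decoder: Burton's remark that session detail is "not in the flows (look at the header files)", and the "# Flow with Bad Version" counter on ntop's Flow Statistics page. The following is an added example, not ntop's code and not from this thread: it builds and parses a NetFlow version 5 export datagram (the format the router config above selects with `ip flow-export version 5`) and keeps receiver counters in the spirit of ntop's page. The names `build_v5_packet`, `parse_v5_packet` and `FlowReceiverStats`, and every packet value, are constructed for illustration.

```python
"""NetFlow v5 export: build, parse and count like a flow receiver.

Added example; not ntop's code and not from the mailing-list thread.
The names (build_v5_packet, parse_v5_packet, FlowReceiverStats) and all
packet contents are constructed for illustration.
"""
import socket
import struct
from dataclasses import dataclass

NETFLOW_V5 = 5
V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes, network byte order
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes per flow record


class BadVersion(ValueError):
    """Version field is not 5: the case ntop counts as '# Flow with Bad Version'."""


@dataclass
class FlowRecord:
    """The fields a v5 flow actually records: counters and a 5-tuple, no payload, no session state."""
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: int        # IP protocol number (6 = TCP, 17 = UDP)
    packets: int
    octets: int
    first_ms: int     # router uptime (ms) when the flow started
    last_ms: int      # router uptime (ms) of the last packet seen
    tcp_flags: int    # OR of all TCP flags seen in the flow


def build_v5_packet(records, sys_uptime_ms=0, unix_secs=0, flow_sequence=0):
    """Serialize FlowRecords into one v5 datagram (used here only to make constructed input)."""
    header = V5_HEADER.pack(NETFLOW_V5, len(records), sys_uptime_ms, unix_secs,
                            0, flow_sequence, 0, 0, 0)   # nsecs, sequence, engine type/id, sampling
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(r.src), socket.inet_aton(r.dst),
                       b"\x00" * 4,                      # nexthop
                       0, 0,                             # input / output ifIndex
                       r.packets, r.octets, r.first_ms, r.last_ms,
                       r.src_port, r.dst_port,
                       0, r.tcp_flags, r.proto, 0,       # pad1, tcp_flags, prot, tos
                       0, 0, 0, 0, 0)                    # src_as, dst_as, src/dst mask, pad2
        for r in records)
    return header + body


def parse_v5_packet(data):
    """Decode one v5 datagram; reject a wrong version and any length/count mismatch."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than the 24-byte v5 header")
    (version, count, sys_uptime, unix_secs, _nsecs,
     flow_sequence, _engine_type, _engine_id, _sampling) = V5_HEADER.unpack_from(data)
    if version != NETFLOW_V5:
        raise BadVersion(f"NetFlow version {version}, expected {NETFLOW_V5}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(data) != expected:
        raise ValueError(f"count={count} implies {expected} bytes, got {len(data)}")
    records = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nh, _in, _out, pkts, octets, first, last,
         sport, dport, _pad1, flags, proto, _tos,
         _sas, _das, _smask, _dmask, _pad2) = V5_RECORD.unpack_from(data, off)
        records.append(FlowRecord(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                                  sport, dport, proto, pkts, octets, first, last, flags))
    return {"sequence": flow_sequence, "sys_uptime_ms": sys_uptime,
            "unix_secs": unix_secs, "records": records}


class FlowReceiverStats:
    """Per-receiver counters in the spirit of ntop's 'Flow Statistics' page."""

    def __init__(self):
        self.pkts_rcvd = 0
        self.flows_rcvd = 0
        self.bad_version = 0
        self.malformed = 0
        self.senders = {}   # sender IP -> datagrams received

    def feed(self, sender_ip, data):
        """Account for one datagram from sender_ip; return the parsed packet or None."""
        self.pkts_rcvd += 1
        self.senders[sender_ip] = self.senders.get(sender_ip, 0) + 1
        try:
            pkt = parse_v5_packet(data)
        except BadVersion:
            self.bad_version += 1
            return None
        except ValueError:
            self.malformed += 1
            return None
        self.flows_rcvd += len(pkt["records"])
        return pkt


if __name__ == "__main__":
    # Constructed flows, shaped like what a router such as the one in the thread would export.
    flows = [FlowRecord("192.168.2.10", "10.4.4.51", 40123, 22, 6, 12, 1840, 1000, 3500, 0x1b),
             FlowRecord("10.6.16.20", "192.168.1.5", 53422, 53, 17, 1, 76, 4000, 4000, 0)]
    stats = FlowReceiverStats()
    pkt = stats.feed("192.168.2.1", build_v5_packet(flows, flow_sequence=1))
    for r in pkt["records"]:
        print(r)
    print(f"pkts={stats.pkts_rcvd} flows={stats.flows_rcvd} "
          f"bad_version={stats.bad_version} senders={stats.senders}")
```

The record layout is the whole answer to question 2: a v5 flow carries addresses, ports, protocol, packet and byte counts, first/last timestamps and the OR of TCP flags, so a receiver can report hosts, protocols and volumes but cannot reconstruct sessions or payload. The receiver also checks the version and the count-versus-length before trusting a datagram, which is what separates a "flow received" from a "flow with bad version" on the statistics page.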
