Um... not quite correct... ESPECIALLY WRT current development versions.
Two things:
A. You MUST make sure the ntop plugin is ACTIVE. With the change to allow
setting parameters while inactive, it's easy to miss that last step. If you
don't activate the plugin, you'll still have the device, but no data on
it...
B. Be sure to set the "Virtual NetFlow Interface" value. It's important
for pseudo-local classification, which would affect L/R reporting. You need
to set it to the (network) and mask for the netFlow collector.
I think there's some cleanup that should occur to the code for that
setting - I'm not sure why it's not displayed until there's a
myGlobals.netFlowInPort value, and there is a report that if you set
"Virtual NetFlow Interface" you can't unset it. But the coding based on it
still works.
Let's see...
#1 - we now can eat v7 - translated to v5 internally to ntop. Export is v5 only.
#2 - works fine...
Flow Statistics
# Pkts Rcvd.value 6
# Flows Rcvd.value 180
# Flow with Bad Version 0
Flow Senders 192.168.42.34 [6 pkts]
If you're thinking of the Totals | netflows report line:
NetFlow 0 0
that's been discussed on-list before. The report is based on the # of
packets routed to the plugin via the handler function. Since that's not the
path, it's zero. But it's just not worth coding special logic to suppress 2
out of 8 plugins.
#3 - wrong.
There are a couple of things that we don't provide, such as Network load
(but the message, "Network load statistics are not available for virtual
interfaces", is pretty clear).
Did you read the notes on the netFlow plugin?
NetFlow packets are associated with a virtual device and not mixed to
captured packets.
NetFlow activation may require ntop restart
^^^ doesn't usually - we fixed it so that the device
structures are always created (not just if you specified -M), but they're
not used nor available for reporting until netFlow is enabled.
A virtual NetFlow device is activated only when incoming flow capture is
enabled.
You can switch devices using this link.
^^^^ That's the Admin | Switch NIC item
Due to the way ntop works, NetFlow export capabilities are limited. If you
need a fast, light, memory savvy, highly configurable NetFlow probe, you
better give nProbe a try.
And that's true - if you look at the contents of a netFlow packet, there's
not much data in it...
struct flow_ver5_rec {
    u_int32_t srcaddr;   /* Source IP Address */
    u_int32_t dstaddr;   /* Destination IP Address */
    u_int32_t nexthop;   /* Next hop router's IP Address */
    u_int16_t input;     /* Input interface index */
    u_int16_t output;    /* Output interface index */
    u_int32_t dPkts;     /* Packets sent in Duration (milliseconds between 1st & last packet in this flow) */
    u_int32_t dOctets;   /* Octets sent in Duration (milliseconds between 1st & last packet in this flow) */
    u_int32_t First;     /* SysUptime at start of flow */
    u_int32_t Last;      /* SysUptime at end of flow (time of last packet) */
    u_int16_t srcport;   /* TCP/UDP source port number (e.g., FTP, Telnet, etc., or equivalent) */
    u_int16_t dstport;   /* TCP/UDP destination port number (e.g., FTP, Telnet, etc., or equivalent) */
    u_int8_t  pad1;      /* pad to word boundary */
    u_int8_t  tcp_flags; /* Cumulative OR of tcp flags */
    u_int8_t  prot;      /* IP protocol, e.g., 6=TCP, 17=UDP, etc... */
    u_int8_t  tos;       /* IP Type-of-Service */
    u_int16_t dst_as;    /* dst peer/origin Autonomous System */
    u_int16_t src_as;    /* source peer/origin Autonomous System */
    u_int8_t  dst_mask;  /* destination route's mask bits */
    u_int8_t  src_mask;  /* source route's mask bits */
    u_int16_t pad2;      /* pad to word boundary */
};

typedef struct single_flow_ver5_rec {
    struct flow_ver5_hdr flowHeader;
    struct flow_ver5_rec flowRecord[CONST_V5FLOWS_PER_PAK+1 /* safe against buffer overflows */];
} NetFlow5Record;
All that's useful to us is srcaddr:srcport -> dstaddr:dstport, prot, dPkts
and dOctets, oh yeah, and the AS #s.
Instead of feeding a faked packet into ntop, the netFlow collector just adds
the counts to the relevant counters - see dissectFlow() in netflowPlugin.c.
Let's see...
Stats | Local Info is unavailable because we don't see the raw packets and
can't fingerprint the host. Improving the message is a five line change.
I think the only other thing that doesn't work is TCP sessions. I'd have to
research why. Everything else works...
-----Burton
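As an added example (not ntop's code and not from this thread): a minimal collector-side decoder in C that pulls exactly the fields listed above out of a NetFlow v5 export datagram, checking the version and the advertised record count against the datagram length before it walks the records. The 24-byte header layout, the constructed sample packet and all nf5_* names are assumptions taken from the NetFlow v5 spec, not from the message.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Wire sizes from the NetFlow v5 spec (assumed; the header layout itself is not in the thread). */
#define NF5_HDR_LEN   24
#define NF5_REC_LEN   48
#define NF5_MAX_FLOWS 30
/* Only the fields the collector actually uses, per the message above. */
typedef struct {
    uint32_t srcaddr, dstaddr, dPkts, dOctets;
    uint16_t srcport, dstport, src_as, dst_as;
    uint8_t  prot;
} nf5_flow;
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
/* Decode one export datagram. Returns the flow count, or -1 when the version is not 5 (ntop's
 * "Flow with Bad Version") or the count does not fit the datagram, so a short packet is never over-read. */
int nf5_parse(const uint8_t *buf, size_t len, nf5_flow *out, size_t max_out) {
    if (len < NF5_HDR_LEN || rd16(buf) != 5) return -1;
    size_t count = rd16(buf + 2);
    if (count == 0 || count > NF5_MAX_FLOWS || count > max_out) return -1;
    if (len < NF5_HDR_LEN + count * NF5_REC_LEN) return -1;       /* truncated datagram */
    for (size_t i = 0; i < count; i++) {
        const uint8_t *r = buf + NF5_HDR_LEN + i * NF5_REC_LEN;  /* offsets follow flow_ver5_rec */
        out[i].srcaddr = rd32(r);       out[i].dstaddr = rd32(r + 4);
        out[i].dPkts   = rd32(r + 16);  out[i].dOctets = rd32(r + 20);
        out[i].srcport = rd16(r + 32);  out[i].dstport = rd16(r + 34);
        out[i].prot    = r[38];
        out[i].dst_as  = rd16(r + 40);  out[i].src_as  = rd16(r + 42);
    }
    return (int)count;
}
/* Constructed sample datagram: one TCP flow 192.168.42.34:1234 -> 10.0.0.1:80, 6 pkts, 1800 octets. */
size_t nf5_sample(uint8_t *buf) {
    static const uint8_t rec[NF5_REC_LEN] = {
        192,168,42,34, 10,0,0,1, 0,0,0,0, 0,0, 0,0,   /* srcaddr, dstaddr, nexthop, input, output */
        0,0,0,6, 0,0,7,8, 0,0,0,0, 0,0,0,0,           /* dPkts=6, dOctets=1800, First, Last */
        4,210, 0,80, 0, 0x02, 6, 0,                   /* srcport, dstport, pad1, tcp_flags, prot=6, tos */
        0xFC,0x01, 0xFC,0x00, 24, 24, 0,0 };          /* dst_as=64513, src_as=64512, masks, pad2 */
    memset(buf, 0, NF5_HDR_LEN);
    buf[1] = 5; buf[3] = 1;                           /* version 5, count 1; other header fields zero */
    memcpy(buf + NF5_HDR_LEN, rec, NF5_REC_LEN);
    return NF5_HDR_LEN + NF5_REC_LEN;
}
int main(void) {                                      /* stand-alone demo on the constructed sample */
    uint8_t pkt[NF5_HDR_LEN + NF5_REC_LEN]; nf5_flow f;
    int n = nf5_parse(pkt, nf5_sample(pkt), &f, 1);
    printf("flows=%d proto=%u pkts=%u octets=%u AS %u->%u\n", n, f.prot, f.dPkts, f.dOctets, f.src_as, f.dst_as);
    return n == 1 ? 0 : 1;
}
```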
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of RAR
Sent: Friday, February 21, 2003 8:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [Ntop] Help with netflows?
I had lots of troubles too, but I finally got it sort of working.
1) Make sure you are exporting version 5 netflows.
2) I never saw the netflow counters going up, but it was capturing
data.
3) In the plugin area, you need to select the interface eth0 that the
flows are coming in on. Then there is a note that you need to restart
ntop.
I found that many features like remote to local, local to remote, etc.
did not work.
Bob Roswell
[EMAIL PROTECTED]
System Source
338 Clubhouse Road
Hunt Valley, MD 21031
(410) 771-5544 ext 336
>>> [EMAIL PROTECTED] 02/21/03 09:20AM >>>
I'm having a lot of trouble finding how-to's/docs on this. Could you
elaborate some perhaps? I have the router exporting netflow to this
machine in particular on 2055 but ntop doesn't see it; is there a command
line arg or something? I'm listening for netflows on one of the
interfaces - with flowtools I can see that flows are coming in.
In Ntop there is a section where you list your interfaces; in my case I
have fxp0 (in border mode) and dc0 listening for netflows from a local
router. There is also a "Net Flow Device" listed there. I have tried
enabling that in ntop still with no results. Forgive me, I'm pretty new
to netflows... at least a week old that is :)
-----Original Message-----
From: Burton M. Strauss III [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 20, 2003 5:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [Ntop] Help with netflows?
Have you switched your reporting to the netflow pseudo-device?
Admin | Switch NIC
-----Burton
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Tony Hernandez
Sent: Thursday, February 20, 2003 3:54 PM
To: [EMAIL PROTECTED]
Subject: [Ntop] Help with netflows?
Hi,
I have been trying to get netflow data from a router and have not been able
to receive anything as of yet. I set up Ntop to listen on port 2055:
Incoming
Local Collector UDP Port: 2055
Remote Collector IP Address
0.0.0.0:2055
I just don't seem to be getting anything to ntop. Is there something I'm
missing? I have verified with flowtools that there is netflow data being
sent to this machine on port 2055, just can't see it in ntop. Is anyone
else doing netflows with ntop?
As usual any help/comments are greatly appreciated.
_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop