Re: [Ntop-misc] nprobe + ntopng no active flows.
On 01/04/2015 04:32, Rahul Jain wrote:
> Hi,

Hi Rahul,

> I am evaluating nprobe + ntopng as an IPFIX collector. I have a router exporting IPFIX flows and I don't see any active flows, or top talkers, on the ntopng GUI. I am running nprobe and ntopng on my Ubuntu server and my configuration is:
>
> nprobe --zmq tcp://*:5556 -i none -n none -b 2 -3 2055
> ntopng -i tcp://127.0.0.1:5556 -d /var/tmp
>
> I am using nprobe v.7.0.141208 and ntopng v.1.2.2
>
> Issues:
> a) No active flows seen. Sometimes active flows are seen but the duration of the flow is reported incorrectly, ~46 yrs.
> b) No top talker
> c) Host first seen is reported incorrectly. First seen at @2106 yr

These bugs look like some that were recently fixed. Could you please try the latest SVN or nightly and report back to tell us if they still occur?

Thank you,
Arianna

> Template exported:
> flowStartSeconds
> flowEndSeconds
> IP_SRC_ADDR
> IP_DST_ADDR
> PROTOCOL
> L4_SRC_PORT
> L4_DST_PORT
> PACKETS_TOTAL
> BYTES_TOTAL
>
> Please let me know if I am missing any configuration or it's a bug/known issue.
>
> Thanks
> Rahul
>
> ___
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc

--
/*
 * Arianna Avanzini
 * avanz...@ntop.org
 * http://ava.webhop.me
 */
[Ntop-misc] pfring filtering fails or not clear
Hello,

I'm using PF_RING-6.0.1. I'm trying to develop an application that runs some algorithm consisting of rules. I made some tests using the "pfcount" tester, and unfortunately I don't understand the behavior. I'm running the following command line:

"./pfcount -i eth3 -u 2 -v 1 -r -m"

which, AFAIU, adds a wildcard filter for each incoming packet. If I get it correctly, once a rule was added, I should not expect to receive other packets of the same session, and this is not what I'm getting. For example:

---
[root@CT10K10G examples]# ./pfcount -i eth3 -u 2 -v 1 -r -m
Adding wildcard filtering rules
Using PF_RING v.6.0.1
Capturing from eth3 [00:E0:ED:FE:18:19][ifIndex: 11]
# Device RX channels: 6
# Polling threads:1
Dumping statistics on /proc/net/pf_ring/stats/11993-eth3.1074
18:52:35.956295950 [RX][if_index=11][00:08:E3:FF:FC:C8 - 00:01:02:03:04:05] [vlan 70] [direction 1] [IPv4][10.61.10.9:52311 - 10.70.150.108:60189] [l3_proto=TCP][hash=344283189][tos=0][tcp_seq_num=596843063] [caplen=128][len=1522][parsed_header_len=0][eth_offset=-14][l3_offset=18][l4_offset=38][payload_offset=58]
Rule 0 added successfully...
18:52:35.956301616 [RX][if_index=11][00:08:E3:FF:FC:C8 - 00:01:02:03:04:05] [vlan 70] [direction 1] [IPv4][10.61.10.9:52311 - 10.70.150.108:60189] [l3_proto=TCP][hash=344283189][tos=0][tcp_seq_num=596844523] [caplen=128][len=650][parsed_header_len=0][eth_offset=-14][l3_offset=18][l4_offset=38][payload_offset=58]
Rule 1 added successfully...
18:52:35.956303262 [RX][if_index=11][00:08:E3:FF:FC:C8 - 00:01:02:03:04:05] [vlan 70] [direction 1] [IPv4][10.61.10.9:52311 - 10.70.150.108:60189] [l3_proto=TCP][hash=344283189][tos=0][tcp_seq_num=596845111] [caplen=128][len=1086][parsed_header_len=0][eth_offset=-14][l3_offset=18][l4_offset=38][payload_offset=58]
Rule 2 added successfully...
:
---

How come, once rule #0 was added for [10.61.10.9:52311 - 10.70.150.108:60189], I still see such packets in the next lines? Shouldn't they be filtered by the rule that was just added?

(BTW, when I use the command "./pfcount -i eth3 -u 1 -v 1 -r -m" (i.e. -u is 1 rather than 2), the tester uses hash filters, and in this case I get errors:

18:53:19.052549112 [RX][if_index=11][00:08:E3:FF:FC:C8 - 00:01:02:03:04:05] [vlan 70] [direction 1] [IPv4][10.61.10.9:52311 - 10.70.150.108:60189] [l3_proto=TCP][hash=344283189][tos=0][tcp_seq_num=596847159] [caplen=128][len=1490][parsed_header_len=0][eth_offset=-14][l3_offset=18][l4_offset=38][payload_offset=58]
pfring_add_hash_filtering_rule(1) failed)

Any help will be appreciated.

Thanks,
Amir
Re: [Ntop-misc] nprobe + ntopng WLAN fields query
Rahul, do you have a pcap file (flows + template) to share?

Luca

On 02 Apr 2015, at 01:27, Rahul Jain jrahu...@gmail.com wrote:
> Hi Luca,
>
> These fields are used for Wireless LAN. Cisco supports these fields and there are some Netflow collectors that understand these fields.
> http://mrncciew.com/2013/02/13/who-really-support-wlc-netflow/
>
> Thanks
> Rahul
>
> On Wed, Apr 1, 2015 at 3:56 PM, Luca Deri d...@ntop.org wrote:
>> Rahul, we have never seen flows like these, but we can of course (with your help) support them
>>
>> Luca
>>
>> On 01 Apr 2015, at 22:46, Rahul Jain jrahu...@gmail.com wrote:
>>> Hi All,
>>>
>>> Does nprobe + ntopng support WLAN fields? I am evaluating an IPFIX collector for WLAN statistics. The template I have in mind is:
>>>
>>> wlanChannedlD
>>> wlanSSID
>>> staMacAddress
>>> staIPv4Address
>>> wtpMacAddress
>>> packetTotalCount
>>> octetTotalCount
>>>
>>> This template will give WLAN info, like CLIENT C1 (IP/MAC) connected to SSID on AP (AP MAC) and total packets sent and received. Can nprobe decode this template, and ntopng consume this data and show the statistics on the GUI?
>>>
>>> Thanks
>>> Rahul
Re: [Ntop-misc] nprobe + ntopng WLAN fields query
Hi Luca,

These fields are used for Wireless LAN. Cisco supports these fields and there are some Netflow collectors that understand these fields.
http://mrncciew.com/2013/02/13/who-really-support-wlc-netflow/

Thanks
Rahul

On Wed, Apr 1, 2015 at 3:56 PM, Luca Deri d...@ntop.org wrote:
> Rahul, we have never seen flows like these, but we can of course (with your help) support them
>
> Luca
>
> On 01 Apr 2015, at 22:46, Rahul Jain jrahu...@gmail.com wrote:
>> Hi All,
>>
>> Does nprobe + ntopng support WLAN fields? I am evaluating an IPFIX collector for WLAN statistics. The template I have in mind is:
>>
>> wlanChannedlD
>> wlanSSID
>> staMacAddress
>> staIPv4Address
>> wtpMacAddress
>> packetTotalCount
>> octetTotalCount
>>
>> This template will give WLAN info, like CLIENT C1 (IP/MAC) connected to SSID on AP (AP MAC) and total packets sent and received. Can nprobe decode this template, and ntopng consume this data and show the statistics on the GUI?
>>
>> Thanks
>> Rahul
Re: [Ntop-misc] nprobe + ntopng no active flows.
Hi Arianna/all,

I downloaded the latest ntopng (v.1.99.150401). I can see active flows now. But still no top talkers, and the active flow duration is reported incorrectly. Flow duration under the active flows tab is 136 years 70 days 6h. I verified the export under Wireshark, and it decodes the duration correctly.

Also, I see a few errors under ntopng:

01/Apr/2015 11:09:15 [Geolocation.cpp:59] WARNING: Unable to read GeoIP database /home/auto/ntop_sw/ntopng/httpdocs/geoip/GeoIPASNumv6.dat
Error Opening file /home/auto/ntop_sw/ntopng/httpdocs/geoip/GeoLiteCity.dat
01/Apr/2015 11:09:15 [Geolocation.cpp:59] WARNING: Unable to read GeoIP database /home/auto/ntop_sw/ntopng/httpdocs/geoip/GeoLiteCity.dat
Error Opening file /home/auto/ntop_sw/ntopng/httpdocs/geoip/GeoLiteCityv6.dat
01/Apr/2015 11:09:47 [Lua.cpp:4515] WARNING: Script failure [/home/auto/ntop_sw/ntopng/scripts/lua/iface_flows_sankey.lua][...e/auto/ntop_sw/ntopng/scripts/lua/iface_flows_sankey.lua:115: attempt to compare number with nil]

Thanks
Rahul

On Wed, Apr 1, 2015 at 1:39 AM, Arianna Avanzini avanz...@ntop.org wrote:
> On 01/04/2015 04:32, Rahul Jain wrote:
>> Hi,
>
> Hi Rahul,
>
>> I am evaluating nprobe + ntopng as an IPFIX collector. I have a router exporting IPFIX flows and I don't see any active flows, or top talkers, on the ntopng GUI. I am running nprobe and ntopng on my Ubuntu server and my configuration is:
>>
>> nprobe --zmq tcp://*:5556 -i none -n none -b 2 -3 2055
>> ntopng -i tcp://127.0.0.1:5556 -d /var/tmp
>>
>> I am using nprobe v.7.0.141208 and ntopng v.1.2.2
>>
>> Issues:
>> a) No active flows seen. Sometimes active flows are seen but the duration of the flow is reported incorrectly, ~46 yrs.
>> b) No top talker
>> c) Host first seen is reported incorrectly. First seen at @2106 yr
>
> These bugs look like some that were recently fixed. Could you please try the latest SVN or nightly and report back to tell us if they still occur?
>
> Thank you,
> Arianna
>
>> Template exported:
>> flowStartSeconds
>> flowEndSeconds
>> IP_SRC_ADDR
>> IP_DST_ADDR
>> PROTOCOL
>> L4_SRC_PORT
>> L4_DST_PORT
>> PACKETS_TOTAL
>> BYTES_TOTAL
>>
>> Please let me know if I am missing any configuration or it's a bug/known issue.
>>
>> Thanks
>> Rahul
>
> --
> /*
>  * Arianna Avanzini
>  * avanz...@ntop.org
>  * http://ava.webhop.me
>  */
[Ntop-misc] Ntopng BiFlow Issue
Hi All,

Does nprobe + ntopng support IPFIX Biflow? Can it decode the fields of Biflow properly?

Template for Biflow:
flowStartSeconds
flowStartSeconds + PEN
flowEndSeconds
flowEndSeconds + PEN
IP_SRC_ADDR
IP_DST_ADDR
L4_SRC_PORT
L4_DST_PORT
PROTOCOL
biflowDirection
PACKETS_TOTAL
PACKETS_TOTAL + PEN
BYTES_TOTAL
BYTES_TOTAL + PEN

Issues seen:
1) Flow duration is not calculated properly
2) Counters are reported incorrectly. For example: Host A is receiving traffic from Host B; the GUI displays Host A as sending traffic and acting as server, which means the biflowDirection field is ignored. Also TX and RX packet counts are reversed.

Please let me know if the Biflow template is supported in nprobe + ntopng.

Thanks
Rahul
Re: [Ntop-misc] Hardware timestamp with ZC
Alfredo

Since .ts is the only timestamp in the ZC api, and the igb timestamp is a 20-bit value, if you set the ts field to the hardware timestamp then there is no record of the actual date/time of arrival of a packet. Is this correct or am I missing something?

Using DNA you have a function pfring_set_device_clock which was useful. Setting the clock to 0 at the start of a measurement meant I didn't have to deal with clock wrapping. Is there any way to clear the clock using ZC?

Thanks
Laris

On 27-Mar-15 1:15 PM, Alfredo Cardigliano wrote:
> The ZC packet handle has a .ts field with nsec resolution, the library fills that field with the hw timestamp when available.
>
> Alfredo
>
> On 16 Mar 2015, at 14:38, Laris Benkis la...@tpn.cc wrote:
>> How do I access hardware timestamps with ZC? ZC provides no access to the pfring_extended_pkthdr which contains the timestamp_ns variable.
>>
>> Thanks
>> Laris
[Ntop-misc] nprobe + ntopng WLAN fields query
Hi All,

Does nprobe + ntopng support WLAN fields? I am evaluating an IPFIX collector for WLAN statistics. The template I have in mind is:

wlanChannedlD
wlanSSID
staMacAddress
staIPv4Address
wtpMacAddress
packetTotalCount
octetTotalCount

This template will give WLAN info, like CLIENT C1 (IP/MAC) connected to SSID on AP (AP MAC) and total packets sent and received. Can nprobe decode this template, and ntopng consume this data and show the statistics on the GUI?

Thanks
Rahul
Re: [Ntop-misc] Hardware timestamp with ZC
Hi Laris

this is not yet available in ZC, we should add support for this.

Alfredo

On 01 Apr 2015, at 19:10, Laris Benkis la...@tpn.cc wrote:
> Alfredo
>
> Since .ts is the only timestamp in the ZC api, and the igb timestamp is a 20-bit value, if you set the ts field to the hardware timestamp then there is no record of the actual date/time of arrival of a packet. Is this correct or am I missing something?
>
> Using DNA you have a function pfring_set_device_clock which was useful. Setting the clock to 0 at the start of a measurement meant I didn't have to deal with clock wrapping. Is there any way to clear the clock using ZC?
>
> Thanks
> Laris
>
> On 27-Mar-15 1:15 PM, Alfredo Cardigliano wrote:
>> The ZC packet handle has a .ts field with nsec resolution, the library fills that field with the hw timestamp when available.
>>
>> Alfredo
>>
>> On 16 Mar 2015, at 14:38, Laris Benkis la...@tpn.cc wrote:
>>> How do I access hardware timestamps with ZC? ZC provides no access to the pfring_extended_pkthdr which contains the timestamp_ns variable.
>>>
>>> Thanks
>>> Laris
Re: [Ntop-misc] nprobe + ntopng no active flows.
On 01/04/2015 20:21, Rahul Jain wrote:
> Hi Arianna/all,

Hi Rahul,

> I downloaded the latest ntopng (v.1.99.150401). I can see active flows now. But still no top talkers, and the active flow duration is reported incorrectly. Flow duration under the active flows tab is 136 years 70 days 6h. I verified the export under Wireshark, and it decodes the duration correctly.
>
> Also, I see a few errors under ntopng:
>
> 01/Apr/2015 11:09:15 [Geolocation.cpp:59] WARNING: Unable to read GeoIP database /home/auto/ntop_sw/ntopng/httpdocs/geoip/GeoIPASNumv6.dat
> Error Opening file /home/auto/ntop_sw/ntopng/httpdocs/geoip/GeoLiteCity.dat
> 01/Apr/2015 11:09:15 [Geolocation.cpp:59] WARNING: Unable to read GeoIP database /home/auto/ntop_sw/ntopng/httpdocs/geoip/GeoLiteCity.dat
> Error Opening file /home/auto/ntop_sw/ntopng/httpdocs/geoip/GeoLiteCityv6.dat
> 01/Apr/2015 11:09:47 [Lua.cpp:4515] WARNING: Script failure [/home/auto/ntop_sw/ntopng/scripts/lua/iface_flows_sankey.lua][...e/auto/ntop_sw/ntopng/scripts/lua/iface_flows_sankey.lua:115: attempt to compare number with nil]

Thanks for trying the latest version. Have you used Biflow also for these tests, as you mentioned in the other e-mail? Could you please post your configuration?

Thank you,
Arianna

> Thanks
> Rahul
>
> On Wed, Apr 1, 2015 at 1:39 AM, Arianna Avanzini avanz...@ntop.org wrote:
>> On 01/04/2015 04:32, Rahul Jain wrote:
>>> Hi,
>>
>> Hi Rahul,
>>
>>> I am evaluating nprobe + ntopng as an IPFIX collector. I have a router exporting IPFIX flows and I don't see any active flows, or top talkers, on the ntopng GUI. I am running nprobe and ntopng on my Ubuntu server and my configuration is:
>>>
>>> nprobe --zmq tcp://*:5556 -i none -n none -b 2 -3 2055
>>> ntopng -i tcp://127.0.0.1:5556 -d /var/tmp
>>>
>>> I am using nprobe v.7.0.141208 and ntopng v.1.2.2
>>>
>>> Issues:
>>> a) No active flows seen. Sometimes active flows are seen but the duration of the flow is reported incorrectly, ~46 yrs.
>>> b) No top talker
>>> c) Host first seen is reported incorrectly. First seen at @2106 yr
>>
>> These bugs look like some that were recently fixed. Could you please try the latest SVN or nightly and report back to tell us if they still occur?
>>
>> Thank you,
>> Arianna
>>
>>> Template exported:
>>> flowStartSeconds
>>> flowEndSeconds
>>> IP_SRC_ADDR
>>> IP_DST_ADDR
>>> PROTOCOL
>>> L4_SRC_PORT
>>> L4_DST_PORT
>>> PACKETS_TOTAL
>>> BYTES_TOTAL
>>>
>>> Please let me know if I am missing any configuration or it's a bug/known issue.
>>>
>>> Thanks
>>> Rahul
>>
>> --
>> /*
>>  * Arianna Avanzini
>>  * avanz...@ntop.org
>>  * http://ava.webhop.me
>>  */

--
/*
 * Arianna Avanzini
 * avanz...@ntop.org
 * http://ava.webhop.me
 */
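As an added example (not code from this thread, nor from nprobe or ntopng), the Python below decodes an IPFIX template and data record of the Biflow shape Rahul describes in the other thread, with the reverse-direction fields carried under PEN 29305 (RFC 5103), attributes the byte counters to client and server using biflowDirection, and flags a start/end pair whose difference is implausible, the kind of check that would catch a "136 years" duration at the collector. The sample bytes, the 30-day bound and the 4-byte counter lengths are constructed assumptions.

```python
import struct
from ipaddress import IPv4Address

REVERSE_PEN = 29305  # RFC 5103: PEN that marks the reverse-direction copy of an IE
IE_NAMES = {4: "protocolIdentifier", 7: "sourceTransportPort", 8: "sourceIPv4Address",
            11: "destinationTransportPort", 12: "destinationIPv4Address", 85: "octetTotalCount",
            86: "packetTotalCount", 150: "flowStartSeconds", 151: "flowEndSeconds", 239: "biflowDirection"}
MAX_FLOW_SECONDS = 30 * 24 * 3600  # assumed sanity bound: longer "durations" are decoding errors

def decode_template(buf):
    """Template record (RFC 7011 3.4.1) -> (id, [(name, length)]); enterprise bit => 4-byte PEN follows."""
    tid, count = struct.unpack_from("!HH", buf)
    off, fields = 4, []
    for _ in range(count):
        ie, length = struct.unpack_from("!HH", buf, off)
        off += 4
        name = IE_NAMES.get(ie & 0x7FFF, "ie%d" % (ie & 0x7FFF))
        if ie & 0x8000:
            pen = struct.unpack_from("!I", buf, off)[0]
            off += 4
            name = ("reverse_" if pen == REVERSE_PEN else "pen%d_" % pen) + name
        fields.append((name, length))
    return tid, fields

def decode_record(buf, fields):
    """Data record -> dict, reading each value at the length its template declared."""
    rec, off = {}, 0
    for name, length in fields:
        val = int.from_bytes(buf[off:off + length], "big")
        rec[name] = str(IPv4Address(val)) if name.endswith("IPv4Address") else val
        off += length
    return rec

def summarize(rec):
    """Map forward (source->destination) and reverse_* counters onto the client chosen by biflowDirection (1 = source initiated, 2 = destination initiated)."""
    duration = rec["flowEndSeconds"] - rec["flowStartSeconds"]
    dst_initiated = rec.get("biflowDirection") == 2
    src, dst = rec["sourceIPv4Address"], rec["destinationIPv4Address"]
    fwd, rev = rec["octetTotalCount"], rec.get("reverse_octetTotalCount", 0)
    return {"client": dst if dst_initiated else src, "server": src if dst_initiated else dst,
            "client_tx": rev if dst_initiated else fwd, "client_rx": fwd if dst_initiated else rev,
            "duration": duration, "duration_ok": 0 <= duration <= MAX_FLOW_SECONDS}

# Constructed sample in the shape of the thread's Biflow template (not real exporter output): (IE id, PEN or 0, length)
SPEC = [(150, 0, 4), (150, REVERSE_PEN, 4), (151, 0, 4), (151, REVERSE_PEN, 4), (8, 0, 4),
        (12, 0, 4), (7, 0, 2), (11, 0, 2), (4, 0, 1), (239, 0, 1), (86, 0, 4),
        (86, REVERSE_PEN, 4), (85, 0, 4), (85, REVERSE_PEN, 4)]
TEMPLATE = struct.pack("!HH", 256, len(SPEC)) + b"".join(
    struct.pack("!HH", ie | (0x8000 if pen else 0), ln) + (struct.pack("!I", pen) if pen else b"")
    for ie, pen, ln in SPEC)
# Server 10.0.0.5:443 is the flow source; biflowDirection=2 says the destination 192.0.2.10 initiated it.
VALUES = [1427889600, 1427889600, 1427889660, 1427889661, int(IPv4Address("10.0.0.5")),
          int(IPv4Address("192.0.2.10")), 443, 51234, 6, 2, 30, 12, 42000, 1800]
RECORD = b"".join(v.to_bytes(ln, "big") for v, (_, _, ln) in zip(VALUES, SPEC))
```

Ignoring biflowDirection here would report the server 10.0.0.5 as the sender of 42000 bytes, which is the reversed TX/RX picture Rahul describes.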
Re: [Ntop-misc] nprobe + ntopng WLAN fields query
Rahul, we have never seen flows like these, but we can of course (with your help) support them

Luca

On 01 Apr 2015, at 22:46, Rahul Jain jrahu...@gmail.com wrote:
> Hi All,
>
> Does nprobe + ntopng support WLAN fields? I am evaluating an IPFIX collector for WLAN statistics. The template I have in mind is:
>
> wlanChannedlD
> wlanSSID
> staMacAddress
> staIPv4Address
> wtpMacAddress
> packetTotalCount
> octetTotalCount
>
> This template will give WLAN info, like CLIENT C1 (IP/MAC) connected to SSID on AP (AP MAC) and total packets sent and received. Can nprobe decode this template, and ntopng consume this data and show the statistics on the GUI?
>
> Thanks
> Rahul