Re: [Ntop-misc] nProbe and Andrisoft compatibility

2018-03-12 Thread Simone Mainardi
Benjamin,

As you want to use nProbe as a flow filter-and-forward, you can try and add 
option --disable-cache to make sure every flow received is output as-is without 
any caching/aggregation. Also note that --collection-filter does not currently 
support IPv6 filters.

In addition, add option -b=1 to see periodic updates on the flows 
received/exported. This will help in understanding if flows are properly 
repeated by the Wansight to nProbe and/or if they are properly forwarded to the 
customer's Wansight.

I would also run tcpdump (possibly attach pcap files or send them privately) on 
port 1 and 2056 of the nProbe host to inspect the two netflow streams (that 
is, your Wansight -> nProbe and nProbe -> customer's Wansight, respectively).

Simone

> On 12 Mar 2018, at 11:18, Benjamin Weik  
> wrote:
> 
> Hi,
>  
> I am trying to use nProbe as a flow filter & forwarder to filter out flows 
> for customer prefixes and forward those flows to the customer's Wansight but I 
> am unable to get something useful on Wansight.
> Sometimes a few flows are received and a little bit is graphed but with each 
> flow received, the timeout is increased until Wansight says the flow is too 
> old and discards it.
>  
> This is the log from the customer's Wansight:
> Severity Component   Module Notification Text   Date
> INFO Flow Collector NetFlow version 9 exporter detected
> INFO Flow Collector NetFlow version 9 exporter detected
> INFO Flow Collector NetFlow version 9 exporter detected
> INFO Flow Collector NetFlow version 9 exporter detected
> INFO Flow Collector Netflow v5 exporter detected. SysID: 2, engine id 181, type 0, IP: , Sampling Mode: 0, Sampling Interval: 5000
> INFO Flow Parser Received flow from 113 seconds ago on interface "test-out". Adjusting flow delay from 30 to 113
> INFO Flow Collector NetFlow version 9 exporter detected
> INFO Flow Parser Received flow from 82 seconds ago on interface "test-out". Adjusting flow delay from 30 to 82
> INFO Flow Collector Netflow v5 exporter detected. SysID: 1, engine id 87, type 0, IP: , Sampling Mode: 0, Sampling Interval: 5000
>  
> Andrisoft support says that nProbe is at fault:
>  
> >If the flow exporter respects the RFC and it's configured to export long 
> >flows periodically, you only need to adjust the Flow Timeout(s) parameter 
> >from the Flow Sensor configuration window to the same value. 
> >All flows will be accepted, even if the start time is very long in the past.
>  
> >We don't have a nProbe license to be able to test it, but not even Wireshark 
> >can properly decode the start/end time of flows generated by it. So we can 
> >only conclude that it's a nProbe issue.
> >We do have customers that are monitoring their routers with Netflow v9 and 
> >IPFIX without any issues from Wanguard.
>  
> Am I missing any parameters for nProbe? Am I misthinking something?
>  
> This is the setup:
> 1. Juniper MX Routers sample and export Flows to our own Andrisoft 
> Wansight
> 2. Our Wansight repeats the received flow to nProbe
> 3. nProbe filters the customer specific prefixes and forwards those flows 
> to the customer's Wansight.
>  
> This is the configuration on the Juniper MX router:
> set forwarding-options sampling instance sampling input rate 5000
> set forwarding-options sampling instance sampling family inet output flow-server  port 23239
> set forwarding-options sampling instance sampling family inet output flow-server  autonomous-system-type origin
> set forwarding-options sampling instance sampling family inet output flow-server  version-ipfix template ipv4
> set forwarding-options sampling instance sampling family inet output inline-jflow source-address 
> set forwarding-options sampling instance sampling family inet output inline-jflow flow-export-rate 40
> set forwarding-options sampling instance sampling family inet6 output flow-server  port 23239
> set forwarding-options sampling instance sampling family inet6 output flow-server  autonomous-system-type origin
> set forwarding-options sampling instance sampling family inet6 output flow-server  version-ipfix template ipv6
> set forwarding-options sampling instance sampling family inet6 output inline-jflow source-address 
> set forwarding-options sampling instance sampling family inet6 output inline-jflow flow-export-rate 40
>  
>  
> On our Wansight we use the following settings for the Flow Sensor:
> Listener IP:Port :23239
> Repeater IP:Port :2056
> Flow Collector: Off
> Flow Protocol: NetFlow or IPFIX
> Flow Exporter IP: 
> Sampling (1/N): -5000
> Flows Timeout (s): 60 seconds
>  
> These are my nProbe parameters:
> --collector-port 2056
> --sender-address :2055
> --collector :1
> --in-iface-idx 910
> 
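The "Received flow from 113 seconds ago ... Adjusting flow delay" messages come from the collector converting the sysUptime-relative FIRST_SWITCHED/LAST_SWITCHED values in each NetFlow v9 record into absolute time. The script below is an added example, not code from the thread or from nProbe: it builds a constructed v9 packet (header, template flowset, data flowset), parses it the way a collector does, and flags records whose end time is older than the 60 s Flows Timeout from the sensor configuration. The boot epoch, uptime and flow values are constructed; the two field ids are from the v9 field registry.

```python
import struct

# Field ids from the NetFlow v9 field registry; only these two are modelled here.
LAST_SWITCHED, FIRST_SWITCHED = 21, 22

def build_v9_packet(sys_uptime_ms, unix_secs, flows, template_id=256):
    """Constructed sample export: v9 header, one template flowset, one data flowset."""
    header = struct.pack("!HHIIII", 9, 1 + len(flows), sys_uptime_ms, unix_secs, 0, 1)
    tmpl = struct.pack("!HHHHHH", template_id, 2, FIRST_SWITCHED, 4, LAST_SWITCHED, 4)
    tset = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl            # flowset id 0 = template
    recs = b"".join(struct.pack("!II", f, l) for f, l in flows)
    return header + tset + struct.pack("!HH", template_id, 4 + len(recs)) + recs

def parse_v9(pkt):
    """Return (sysUptime ms, unixSecs, [{field_id: value}, ...]) from a v9 packet."""
    _version, _count, uptime, unix_secs, _seq, _src = struct.unpack_from("!HHIIII", pkt)
    off, templates, records = 20, {}, []
    while off + 4 <= len(pkt):
        set_id, length = struct.unpack_from("!HH", pkt, off)
        body, off = pkt[off + 4:off + length], off + length
        if set_id == 0:                                            # template flowset
            p = 0
            while p + 4 <= len(body):
                tid, n = struct.unpack_from("!HH", body, p)
                templates[tid] = [struct.unpack_from("!HH", body, p + 4 + 4 * i) for i in range(n)]
                p += 4 + 4 * n
        elif set_id in templates:                                  # data flowset
            fields = templates[set_id]
            rec_len, p = sum(l for _, l in fields), 0
            while p + rec_len <= len(body):
                rec, q = {}, p
                for ftype, flen in fields:
                    rec[ftype] = int.from_bytes(body[q:q + flen], "big")
                    q += flen
                records.append(rec)
                p += rec_len
    return uptime, unix_secs, records

def flow_ages(pkt, now, timeout_s=60):
    """Collector-style check: FIRST/LAST_SWITCHED are ms since the exporter booted, so
    boot epoch = unixSecs - sysUptime/1000; a record is stale when its LAST_SWITCHED
    lies more than timeout_s before 'now'. Returns (age_seconds, stale) per record."""
    uptime, unix_secs, recs = parse_v9(pkt)
    boot = unix_secs - uptime / 1000.0
    return [(round(now - (boot + r[LAST_SWITCHED] / 1000.0)),
             now - (boot + r[LAST_SWITCHED] / 1000.0) > timeout_s) for r in recs]

# Constructed sample: exporter booted at epoch 1000000 and exports 500 s later.
SAMPLE = build_v9_packet(500_000, 1_000_500, [(480_000, 495_000), (300_000, 380_000)])
```

Running the same computation over both captured streams (Wansight -> nProbe and nProbe -> customer's Wansight) shows whether the header's sysUptime/unixSecs pair and the records' relative timestamps still agree after forwarding; if a forwarder stamps its own header but keeps the original relative values, the computed ages drift exactly as the log shows.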

Re: [Ntop-misc] nProbe and Andrisoft compatibility

2018-03-12 Thread Luca Deri
Benjamin, all I did is this: I started "nprobe nprobe.conf" (basically your config file) and sent some flows to nprobe, then captured the emitted flows with Wireshark. I enclose the pcap with such flows. If you open them with Wireshark everything looks good, with no decoding errors whatsoever.

Please tell the Wansight folks to contact us and report the exact issue (so that we can reproduce it and fix it), so we can use it to reproduce the issues they mentioned to you.

Regards Luca

nprobe.tgz
Description: Binary data
> On 12 Mar 2018, at 11:18, Benjamin Weik  wrote:
> 
> Hi,
> 
> I am trying to use nProbe as a flow filter & forwarder to filter out flows for customer prefixes and forward those flows to the customer's Wansight but I am unable to get something useful on Wansight.
> Sometimes a few flows are received and a little bit is graphed but with each flow received, the timeout is increased until Wansight says the flow is too old and discards it.
> ...
> Andrisoft support says that nProbe is at fault:
> 
> >If the flow exporter respects the RFC and it's configured to export long flows periodically, you only need to adjust the Flow Timeout(s) parameter from the Flow Sensor configuration window to the same value.
> >All flows will be accepted, even if the start time is very long in the past.
> 
> >We don't have a nProbe license to be able to test it, but not even Wireshark can properly decode the start/end time of flows generated by it. So we can only conclude that it's a nProbe issue.
> >We do have customers that are monitoring their routers with Netflow v9 and IPFIX without any issues from Wanguard.
> 
> Am I missing any parameters for nProbe? Am I misthinking something?
___
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc

[Ntop-misc] nProbe and Andrisoft compatibility

2018-03-12 Thread Benjamin Weik
Hi,

I am trying to use nProbe as a flow filter & forwarder to filter out flows for 
customer prefixes and forward those flows to the customer's Wansight but I am 
unable to get something useful on Wansight.
Sometimes a few flows are received and a little bit is graphed but with each 
flow received, the timeout is increased until Wansight says the flow is too old 
and discards it.

This is the log from the customer's Wansight:
Severity Component   Module Notification Text   Date
INFO Flow Collector NetFlow version 9 exporter detected
INFO Flow Collector NetFlow version 9 exporter detected
INFO Flow Collector NetFlow version 9 exporter detected
INFO Flow Collector NetFlow version 9 exporter detected
INFO Flow Collector Netflow v5 exporter detected. SysID: 2, engine id 181, type 0, IP: , Sampling Mode: 0, Sampling Interval: 5000
INFO Flow Parser Received flow from 113 seconds ago on interface "test-out". Adjusting flow delay from 30 to 113
INFO Flow Collector NetFlow version 9 exporter detected
INFO Flow Parser Received flow from 82 seconds ago on interface "test-out". Adjusting flow delay from 30 to 82
INFO Flow Collector Netflow v5 exporter detected. SysID: 1, engine id 87, type 0, IP: , Sampling Mode: 0, Sampling Interval: 5000

Andrisoft support says that nProbe is at fault:

>If the flow exporter respects the RFC and it's configured to export long flows 
>periodically, you only need to adjust the Flow Timeout(s) parameter from the 
>Flow Sensor configuration window to the same value.
>All flows will be accepted, even if the start time is very long in the past.

>We don't have a nProbe license to be able to test it, but not even Wireshark 
>can properly decode the start/end time of flows generated by it. So we can 
>only conclude that it's a nProbe issue.
>We do have customers that are monitoring their routers with Netflow v9 and 
>IPFIX without any issues from Wanguard.

Am I missing any parameters for nProbe? Am I misthinking something?

This is the setup:

1. Juniper MX Routers sample and export Flows to our own Andrisoft Wansight

2. Our Wansight repeats the received flow to nProbe

3. nProbe filters the customer specific prefixes and forwards those flows 
to the customer's Wansight.

This is the configuration on the Juniper MX router:
set forwarding-options sampling instance sampling input rate 5000
set forwarding-options sampling instance sampling family inet output flow-server  port 23239
set forwarding-options sampling instance sampling family inet output flow-server  autonomous-system-type origin
set forwarding-options sampling instance sampling family inet output flow-server  version-ipfix template ipv4
set forwarding-options sampling instance sampling family inet output inline-jflow source-address 
set forwarding-options sampling instance sampling family inet output inline-jflow flow-export-rate 40
set forwarding-options sampling instance sampling family inet6 output flow-server  port 23239
set forwarding-options sampling instance sampling family inet6 output flow-server  autonomous-system-type origin
set forwarding-options sampling instance sampling family inet6 output flow-server  version-ipfix template ipv6
set forwarding-options sampling instance sampling family inet6 output inline-jflow source-address 
set forwarding-options sampling instance sampling family inet6 output inline-jflow flow-export-rate 40


On our Wansight we use the following settings for the Flow Sensor:
Listener IP:Port :23239
Repeater IP:Port :2056
Flow Collector: Off
Flow Protocol: NetFlow or IPFIX
Flow Exporter IP: 
Sampling (1/N): -5000
Flows Timeout (s): 60 seconds

These are my nProbe parameters:
--collector-port 2056
--sender-address :2055
--collector :1
--in-iface-idx 910
--out-iface-idx 917
--flow-version 9
--sample-rate @5000:1:1
-i none
--collection-filter /24
--collection-filter /48
--daemon-mode
--json-to-syslog
--flows-intra-templ 1
-T "%IN_BYTES %IN_PKTS %FLOWS %PROTOCOL %SRC_TOS %TCP_FLAGS %L4_SRC_PORT %IPV4_SRC_ADDR %IPV4_SRC_MASK %INPUT_SNMP %L4_DST_PORT %IPV4_DST_ADDR %IPV4_DST_MASK %OUTPUT_SNMP %IPV4_NEXT_HOP %SRC_AS %DST_AS %LAST_SWITCHED %FIRST_SWITCHED %OUT_BYTES %OUT_PKTS %IPV6_SRC_ADDR %IPV6_DST_ADDR %IPV6_SRC_MASK %IPV6_DST_MASK %ICMP_TYPE %SAMPLING_INTERVAL"

On the customer Wansight, the following settings are used for the Flow Sensor:
Listener IP:Port :1
Repeater IP:Port –
Flow Collector: Off
Flow Protocol: NetFlow or IPFIX
Flow Exporter IP: 
Sampling (1/N): -5000
Flows Timeout (s): Auto

Monitored Interfaces:
910 test-in Downstream
917 test-out Upstream

Best regards,

Benjamin Weik
