I'm realizing that I don't understand how NetFlow records flow from an agent through nProbe to nTopng
Here's what I think I'm doing:
Sflow Agents ---------- > nProbe ---------- > ntopng
dc-a-rtr                  ganesh               ganesh
dc-b-rtr
where 'dc-a-rtr' and 'dc-b-rtr' are Cisco Nexus and 'ganesh' is a CentOS 7 box running both nprobe and ntopng
wireshark on ganesh verifies that dc-a-rtr is sending sflow records to ganesh on UDP Port 6343
dc-a-rtr: show config
sflow data-source interface port-channel1
sflow data-source interface port-channel2
sflow data-source interface port-channel3
[...]
ganesh# ps -ef | grep nprobe
root 13330 12349 0 13:28 pts/0 00:00:49 nprobe --syslog ganesh --zmq=tcp://127.0.0.1:5556 -i none -n none -b 0 --collector-port=6343 --redis=localhost --local-networks=10.0.0.0/8
ganesh# cat /etc/ntopng/ntopng.conf
--pid-path=/var/tmp/ntopng.pid
--dns-mode=1
--interface=tcp://127.0.0.1:5556
--categorization-key={...}
--daemon
--http-port=8080
--disable-login=1
--local-networks=10.0.0.0/8
--redis=localhost
Ganesh#
Pointing a browser at ganesh:8080 gives me a GUI updating statistics in real-time. So far, so good. And I have a mental model for how data is flowing from the agents (via UDP Port 6343) to nprobe (receives data on UDP Port 6343, transforms it into JSON and transmits it via ZMQ to 127.0.0.1:5556). Ntopng is listening via ZMQ on 127.0.0.1:5556, consumes the JSON it receives there, and does neat things with it.
But as I examine the GUI, I don't see a way to distinguish between dc-a-rtr and dc-b-rtr ... nor a way to distinguish between each interface on each box. The only Interface available via the GUI is "tcp://127.0.0.1:5556"
Seems like all the sflow records I am sending to ntopng get combined into one display. I can see advantages to this display ... but for the moment, I would prefer to split out each interface from each agent and thus examine traffic flows on a more granular level, i.e. "per interface per agent". I was imagining that I would get this by default, that agent & interface information is encoded in the sflow records and that ntopng would magically split them out. But clearly, my imagination is outpacing reality.
Conceptually, what is happening here?
- Is ntopng combining all the sflow records it is receiving and presenting a 'summary' of them all?
- How would I go about separating by box?
  - Would I spin up multiple instances of nprobe, say, one instance per agent?
--sk
Stuart Kendrick
System Engineer
Allen Institute
615 Westlake Ave. N.
Seattle, WA 98109
T: 206.548.8465
E: stuartk@alleninstitute.org
www.alleninstitute.org
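As an added illustration (not part of the original post or of the ntop project's own code) of the "one nprobe instance per agent" layout the question raises: the script below lays out, for the two agents named in the post, one nprobe per sFlow collector port and one ZMQ endpoint per nprobe, plus an ntopng.conf that lists each endpoint as its own --interface so they show up separately in the GUI. It assumes each Nexus is reconfigured to export to its own UDP port on ganesh (dc-b-rtr -> 6344) and that ntopng accepts repeated --interface options; the extra port numbers beyond 6343/5556 are assumptions.

```shell
#!/bin/sh
# Added example: generate the per-agent nprobe/ntopng wiring described in the lead-in.
# Agents and base ports come from the post; the extra ports are assumed values.

AGENTS="dc-a-rtr dc-b-rtr"   # sFlow agents from the post
BASE_SFLOW_PORT=6343         # first collector port (from the post)
BASE_ZMQ_PORT=5556           # first ZMQ port (from the post)

# nprobe_cmd N AGENT: print the nprobe command line for the N-th agent (N starts at 0).
# Each instance listens on its own UDP collector port and publishes on its own ZMQ port.
nprobe_cmd() {
    n=$1; agent=$2
    sflow_port=$((BASE_SFLOW_PORT + n))
    zmq_port=$((BASE_ZMQ_PORT + n))
    printf 'nprobe --syslog ganesh --zmq=tcp://127.0.0.1:%d -i none -n none -b 0 --collector-port=%d --redis=localhost --local-networks=10.0.0.0/8  # %s\n' \
        "$zmq_port" "$sflow_port" "$agent"
}

# all_nprobe_cmds: one nprobe command per agent, in AGENTS order.
all_nprobe_cmds() {
    n=0
    for agent in $AGENTS; do
        nprobe_cmd "$n" "$agent"
        n=$((n + 1))
    done
}

# ntopng_conf: print an ntopng.conf with one --interface line per ZMQ endpoint,
# so ntopng exposes one GUI interface per agent instead of a single merged one.
ntopng_conf() {
    n=0
    for agent in $AGENTS; do
        printf -- '--interface=tcp://127.0.0.1:%d\n' $((BASE_ZMQ_PORT + n))
        n=$((n + 1))
    done
    printf -- '--http-port=8080\n--redis=localhost\n--local-networks=10.0.0.0/8\n'
}

all_nprobe_cmds
ntopng_conf
```

Firewall the extra collector ports so that only the agents' addresses can reach them; an unauthenticated sFlow/ZMQ path accepts whatever is sent to it.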