Mailing List Archive: Collecting NetFlow data with nprobe

Collecting NetFlow data with nprobe

Aug 14, 2016, 11:00 PM

Post #1 of 6 (1742 views)

Our ISP has configured several internet routers to send NetFlow data on port 9996 to a particular machine. I have successfully configured PRTG to get the data to see lists of top recipients, etc, so I know this machine is receiving the NetFlow data ok, but it doesn't store the flows for later analysis, so I've disabled it. How do I configure nprobe to get the flow into a file I can analyse?

I'm confused about which mode nprobe needs to be used in to collect the data. I've tried this:
nprobe /c --collector 192.168.0.203:9996 -V9 -P c:\temp\nprobe
but it seems to be collecting local traffic. In among it, I can see that there are flows from the router to this machine on port 9996. What I need is the flow information inside those packets.

I tried this:
nprobe /c -i none -n none --collector-port 9996 -V9 -P c:\temp\nprobe
but it collects nothing.

Where am I going wrong? I'm not sure if I usderstand the differences between probe mode, collector mode and proxy mode. I need collector mode, don't I?

Peter Shute
_______________________________________________
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc

Re: Collecting NetFlow data with nprobe [ In reply to ]

Aug 16, 2016, 7:17 PM

Post #2 of 6 (1727 views)

I still haven't made any progress with this. I've now installed Wireshark, and followed these instructions to prove to myself that the NetFlow data is arriving at my PC:
https://communities.ca.com/docs/DOC-231149629

So why does this command collect no data?
nprobe /c -i none -n none --collector-port 9996 -V9 -P c:\temp\nprobe

> -----Original Message-----
> From: ntop-misc-bounces@listgateway.unipi.it [mailto:ntop-misc-
> bounces@listgateway.unipi.it] On Behalf Of Peter Shute
> Sent: Monday, 15 August 2016 4:00 PM
> To: 'ntop-misc@listgateway.unipi.it' <ntop-misc@listgateway.unipi.it>
> Subject: [Ntop-misc] Collecting NetFlow data with nprobe
>
> Our ISP has configured several internet routers to send NetFlow data on port
> 9996 to a particular machine. I have successfully configured PRTG to get the
> data to see lists of top recipients, etc, so I know this machine is receiving the
> NetFlow data ok, but it doesn't store the flows for later analysis, so I've
> disabled it. How do I configure nprobe to get the flow into a file I can
> analyse?
>
> I'm confused about which mode nprobe needs to be used in to collect the
> data. I've tried this:
> nprobe /c --collector 192.168.0.203:9996 -V9 -P c:\temp\nprobe but it seems
> to be collecting local traffic. In among it, I can see that there are flows from
> the router to this machine on port 9996. What I need is the flow information
> inside those packets.
>
> I tried this:
> nprobe /c -i none -n none --collector-port 9996 -V9 -P c:\temp\nprobe but it
> collects nothing.
>
> Where am I going wrong? I'm not sure if I usderstand the differences
> between probe mode, collector mode and proxy mode. I need collector
> mode, don't I?
>
> Peter Shute
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
_______________________________________________
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc

Re: Collecting NetFlow data with nprobe [ In reply to ]

Aug 17, 2016, 1:54 AM

Post #3 of 6 (1722 views)

Peter
please file an issue on https://github.com/ntop/nProbe/issues and attach a pcap file. I need to see what nprobe is receiving before commenting. Please make sure you also add â€œ-i noneâ€

Thanks Luca

> On 17 Aug 2016, at 04:17, Peter Shute <pshute@nuw.org.au> wrote:
>
> I still haven't made any progress with this. I've now installed Wireshark, and followed these instructions to prove to myself that the NetFlow data is arriving at my PC:
> https://communities.ca.com/docs/DOC-231149629
>
> So why does this command collect no data?
> nprobe /c -i none -n none --collector-port 9996 -V9 -P c:\temp\nprobe
>
>> -----Original Message-----
>> From: ntop-misc-bounces@listgateway.unipi.it [mailto:ntop-misc-
>> bounces@listgateway.unipi.it] On Behalf Of Peter Shute
>> Sent: Monday, 15 August 2016 4:00 PM
>> To: 'ntop-misc@listgateway.unipi.it' <ntop-misc@listgateway.unipi.it>
>> Subject: [Ntop-misc] Collecting NetFlow data with nprobe
>>
>> Our ISP has configured several internet routers to send NetFlow data on port
>> 9996 to a particular machine. I have successfully configured PRTG to get the
>> data to see lists of top recipients, etc, so I know this machine is receiving the
>> NetFlow data ok, but it doesn't store the flows for later analysis, so I've
>> disabled it. How do I configure nprobe to get the flow into a file I can
>> analyse?
>>
>> I'm confused about which mode nprobe needs to be used in to collect the
>> data. I've tried this:
>> nprobe /c --collector 192.168.0.203:9996 -V9 -P c:\temp\nprobe but it seems
>> to be collecting local traffic. In among it, I can see that there are flows from
>> the router to this machine on port 9996. What I need is the flow information
>> inside those packets.
>>
>> I tried this:
>> nprobe /c -i none -n none --collector-port 9996 -V9 -P c:\temp\nprobe but it
>> collects nothing.
>>
>> Where am I going wrong? I'm not sure if I usderstand the differences
>> between probe mode, collector mode and proxy mode. I need collector
>> mode, don't I?
>>
>> Peter Shute
>> _______________________________________________
>> Ntop-misc mailing list
>> Ntop-misc@listgateway.unipi.it
>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc

_______________________________________________
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc

Re: Collecting NetFlow data with nprobe [ In reply to ]

Aug 17, 2016, 2:28 AM

Post #4 of 6 (1723 views)

Thanks, should I generate the pcap file with the --dump-pkts parameter? I suspect with -i none that there will be nothing dumped, but I'll check.

Sent from my iPad

> On 17 Aug 2016, at 6:54 PM, Luca Deri <deri@ntop.org> wrote:
>
> Peter
> please file an issue on https://github.com/ntop/nProbe/issues and attach a pcap file. I need to see what nprobe is receiving before commenting. Please make sure you also add â€œ-i noneâ€
>
> Thanks Luca
>
>> On 17 Aug 2016, at 04:17, Peter Shute <pshute@nuw.org.au> wrote:
>>
>> I still haven't made any progress with this. I've now installed Wireshark, and followed these instructions to prove to myself that the NetFlow data is arriving at my PC:
>> https://communities.ca.com/docs/DOC-231149629
>>
>> So why does this command collect no data?
>> nprobe /c -i none -n none --collector-port 9996 -V9 -P c:\temp\nprobe
>>
>>> -----Original Message-----
>>> From: ntop-misc-bounces@listgateway.unipi.it [mailto:ntop-misc-
>>> bounces@listgateway.unipi.it] On Behalf Of Peter Shute
>>> Sent: Monday, 15 August 2016 4:00 PM
>>> To: 'ntop-misc@listgateway.unipi.it' <ntop-misc@listgateway.unipi.it>
>>> Subject: [Ntop-misc] Collecting NetFlow data with nprobe
>>>
>>> Our ISP has configured several internet routers to send NetFlow data on port
>>> 9996 to a particular machine. I have successfully configured PRTG to get the
>>> data to see lists of top recipients, etc, so I know this machine is receiving the
>>> NetFlow data ok, but it doesn't store the flows for later analysis, so I've
>>> disabled it. How do I configure nprobe to get the flow into a file I can
>>> analyse?
>>>
>>> I'm confused about which mode nprobe needs to be used in to collect the
>>> data. I've tried this:
>>> nprobe /c --collector 192.168.0.203:9996 -V9 -P c:\temp\nprobe but it seems
>>> to be collecting local traffic. In among it, I can see that there are flows from
>>> the router to this machine on port 9996. What I need is the flow information
>>> inside those packets.
>>>
>>> I tried this:
>>> nprobe /c -i none -n none --collector-port 9996 -V9 -P c:\temp\nprobe but it
>>> collects nothing.
>>>
>>> Where am I going wrong? I'm not sure if I usderstand the differences
>>> between probe mode, collector mode and proxy mode. I need collector
>>> mode, don't I?
>>>
>>> Peter Shute
>>> _______________________________________________
>>> Ntop-misc mailing list
>>> Ntop-misc@listgateway.unipi.it
>>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>> _______________________________________________
>> Ntop-misc mailing list
>> Ntop-misc@listgateway.unipi.it
>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
_______________________________________________
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc

Re: Collecting NetFlow data with nprobe [ In reply to ]

Aug 17, 2016, 2:36 AM

Post #5 of 6 (1723 views)

Peter,
for dumping packets please use tcodump -s 0 -w my.pcap â€¦ or wireshark.

Luca
> On 17 Aug 2016, at 11:28, Peter Shute <pshute@nuw.org.au> wrote:
>
> Thanks, should I generate the pcap file with the --dump-pkts parameter? I suspect with -i none that there will be nothing dumped, but I'll check.
>
> Sent from my iPad
>
>> On 17 Aug 2016, at 6:54 PM, Luca Deri <deri@ntop.org> wrote:
>>
>> Peter
>> please file an issue on https://github.com/ntop/nProbe/issues and attach a pcap file. I need to see what nprobe is receiving before commenting. Please make sure you also add â€œ-i noneâ€
>>
>> Thanks Luca
>>
>>> On 17 Aug 2016, at 04:17, Peter Shute <pshute@nuw.org.au> wrote:
>>>
>>> I still haven't made any progress with this. I've now installed Wireshark, and followed these instructions to prove to myself that the NetFlow data is arriving at my PC:
>>> https://communities.ca.com/docs/DOC-231149629
>>>
>>> So why does this command collect no data?
>>> nprobe /c -i none -n none --collector-port 9996 -V9 -P c:\temp\nprobe
>>>
>>>> -----Original Message-----
>>>> From: ntop-misc-bounces@listgateway.unipi.it [mailto:ntop-misc-
>>>> bounces@listgateway.unipi.it] On Behalf Of Peter Shute
>>>> Sent: Monday, 15 August 2016 4:00 PM
>>>> To: 'ntop-misc@listgateway.unipi.it' <ntop-misc@listgateway.unipi.it>
>>>> Subject: [Ntop-misc] Collecting NetFlow data with nprobe
>>>>
>>>> Our ISP has configured several internet routers to send NetFlow data on port
>>>> 9996 to a particular machine. I have successfully configured PRTG to get the
>>>> data to see lists of top recipients, etc, so I know this machine is receiving the
>>>> NetFlow data ok, but it doesn't store the flows for later analysis, so I've
>>>> disabled it. How do I configure nprobe to get the flow into a file I can
>>>> analyse?
>>>>
>>>> I'm confused about which mode nprobe needs to be used in to collect the
>>>> data. I've tried this:
>>>> nprobe /c --collector 192.168.0.203:9996 -V9 -P c:\temp\nprobe but it seems
>>>> to be collecting local traffic. In among it, I can see that there are flows from
>>>> the router to this machine on port 9996. What I need is the flow information
>>>> inside those packets.
>>>>
>>>> I tried this:
>>>> nprobe /c -i none -n none --collector-port 9996 -V9 -P c:\temp\nprobe but it
>>>> collects nothing.
>>>>
>>>> Where am I going wrong? I'm not sure if I usderstand the differences
>>>> between probe mode, collector mode and proxy mode. I need collector
>>>> mode, don't I?
>>>>
>>>> Peter Shute
>>>> _______________________________________________
>>>> Ntop-misc mailing list
>>>> Ntop-misc@listgateway.unipi.it
>>>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>>> _______________________________________________
>>> Ntop-misc mailing list
>>> Ntop-misc@listgateway.unipi.it
>>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>>
>> _______________________________________________
>> Ntop-misc mailing list
>> Ntop-misc@listgateway.unipi.it
>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc

_______________________________________________
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc

Re: Collecting NetFlow data with nprobe [ In reply to ]

Aug 17, 2016, 3:26 AM

Post #6 of 6 (1723 views)

Thanks, I used the windows equivalent, windump, and have added the dump to the issue I created.

Peter Shute

Sent from my iPad

> On 17 Aug 2016, at 7:36 PM, Luca Deri <deri@ntop.org> wrote:
>
> Peter,
> for dumping packets please use tcodump -s 0 -w my.pcap â€¦ or wireshark.
>
> Luca
>> On 17 Aug 2016, at 11:28, Peter Shute <pshute@nuw.org.au> wrote:
>>
>> Thanks, should I generate the pcap file with the --dump-pkts parameter? I suspect with -i none that there will be nothing dumped, but I'll check.
>>
>> Sent from my iPad
>>
>>> On 17 Aug 2016, at 6:54 PM, Luca Deri <deri@ntop.org> wrote:
>>>
>>> Peter
>>> please file an issue on https://github.com/ntop/nProbe/issues and attach a pcap file. I need to see what nprobe is receiving before commenting. Please make sure you also add â€œ-i noneâ€
>>>
>>> Thanks Luca
>>>
>>>> On 17 Aug 2016, at 04:17, Peter Shute <pshute@nuw.org.au> wrote:
>>>>
>>>> I still haven't made any progress with this. I've now installed Wireshark, and followed these instructions to prove to myself that the NetFlow data is arriving at my PC:
>>>> https://communities.ca.com/docs/DOC-231149629
>>>>
>>>> So why does this command collect no data?
>>>> nprobe /c -i none -n none --collector-port 9996 -V9 -P c:\temp\nprobe
>>>>
>>>>> -----Original Message-----
>>>>> From: ntop-misc-bounces@listgateway.unipi.it [mailto:ntop-misc-
>>>>> bounces@listgateway.unipi.it] On Behalf Of Peter Shute
>>>>> Sent: Monday, 15 August 2016 4:00 PM
>>>>> To: 'ntop-misc@listgateway.unipi.it' <ntop-misc@listgateway.unipi.it>
>>>>> Subject: [Ntop-misc] Collecting NetFlow data with nprobe
>>>>>
>>>>> Our ISP has configured several internet routers to send NetFlow data on port
>>>>> 9996 to a particular machine. I have successfully configured PRTG to get the
>>>>> data to see lists of top recipients, etc, so I know this machine is receiving the
>>>>> NetFlow data ok, but it doesn't store the flows for later analysis, so I've
>>>>> disabled it. How do I configure nprobe to get the flow into a file I can
>>>>> analyse?
>>>>>
>>>>> I'm confused about which mode nprobe needs to be used in to collect the
>>>>> data. I've tried this:
>>>>> nprobe /c --collector 192.168.0.203:9996 -V9 -P c:\temp\nprobe but it seems
>>>>> to be collecting local traffic. In among it, I can see that there are flows from
>>>>> the router to this machine on port 9996. What I need is the flow information
>>>>> inside those packets.
>>>>>
>>>>> I tried this:
>>>>> nprobe /c -i none -n none --collector-port 9996 -V9 -P c:\temp\nprobe but it
>>>>> collects nothing.
>>>>>
>>>>> Where am I going wrong? I'm not sure if I usderstand the differences
>>>>> between probe mode, collector mode and proxy mode. I need collector
>>>>> mode, don't I?
>>>>>
>>>>> Peter Shute
>>>>> _______________________________________________
>>>>> Ntop-misc mailing list
>>>>> Ntop-misc@listgateway.unipi.it
>>>>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>>>> _______________________________________________
>>>> Ntop-misc mailing list
>>>> Ntop-misc@listgateway.unipi.it
>>>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>>>
>>> _______________________________________________
>>> Ntop-misc mailing list
>>> Ntop-misc@listgateway.unipi.it
>>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>> _______________________________________________
>> Ntop-misc mailing list
>> Ntop-misc@listgateway.unipi.it
>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
_______________________________________________
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc