Mailing List Archive

nprobe proxy mode - not working with templates
All,

Adding a -T template argument appears to break my nprobe in proxy mode.
The setup is:

[nprobe-probe-mode1] ---> [nprobe-proxy-mode] --> final_netflow_collector

[nprobe-probe-mode2] ------------------^

When a template argument is added, such as: -T "%IPV4_SRC_ADDR
%IPV4_DST_ADDR %PROTOCOL %L4_SRC_PORT %L4_DST_PORT", the proxy still
receives netflow records, but doesn't pass them on to the final collector.

Any suggestions for troubleshooting this?


nprobe commands used:

netflow generation w/o template argument

nprobe -i myri:A1R1P0 -b 1 -n 127.0.0.1:3000

netflow generation with template argument

nprobe -i myri:A1R1P0 -b 1 -n 127.0.0.1:3000 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %PROTOCOL %L4_SRC_PORT %L4_DST_PORT "

nprobe proxy (unchanged)

nprobe -S 1:1 -i none --collector-port 3000 -n 10.1.1.1:5555 -b 1 -V 9


Thanks.


- Troy



--


Troy Jordan
t r o y j @ m a i n e . e d u
GIAC GCIH,GCIA
------------------------------------------------------------
Network Systems Security Analyst
Information Technology Security Office
University of Maine System
------------------------------------------------------------
233 Science Building | voice: 207.561.3590
Portland, ME 04103 | fax: 509.351.3650



"As you all know, Security Is Mortals chiefest Enemy"
William Shakespeare, Macbeth

_______________________________________________
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: nprobe proxy mode - not working with templates
Troy,
the template you have used lacks core fields such as time, bytes and packets. This is the problem. Please add them to it.

Regards Luca

> On 8 Dec 2016, at 04:10, Troy Jordan <troyj@maine.edu> wrote:
>
> All,
>
> Adding a -T template argument appears to break my nprobe in proxy mode.
> The setup is:
>
> [nprobe-probe-mode1] ---> [nprobe-proxy-mode] --> final_netflow_collector
>
> [nprobe-probe-mode2] ------------------^
>
> When a template argument is added, such as: -T "%IPV4_SRC_ADDR
> %IPV4_DST_ADDR %PROTOCOL %L4_SRC_PORT %L4_DST_PORT", the proxy still
> receives netflow records, but doesn't pass them on to the final collector.
>
> Any suggestions for troubleshooting this?
>
>
> nprobe commands used:
>
> netflow generation w/o template argument
>
> nprobe -i myri:A1R1P0 -b 1 -n 127.0.0.1:3000
>
> netflow generation with template argument
>
> nprobe -i myri:A1R1P0 -b 1 -n 127.0.0.1:3000 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %PROTOCOL %L4_SRC_PORT %L4_DST_PORT "
>
> nprobe proxy (unchanged)
>
> nprobe -S 1:1 -i none --collector-port 3000 -n 10.1.1.1:5555 -b 1 -V 9
>
>
> Thanks.
>
>
> - Troy

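One way to see which fields a probe is really exporting, as an added example that is not part of the original thread and not nProbe's own code: a parser for NetFlow v9 template FlowSets (RFC 3954 layout) that reports the time, byte and packet fields a template lacks. It assumes the probe exports NetFlow v9; treating IN_BYTES, IN_PKTS, FIRST_SWITCHED and LAST_SWITCHED as the core set is also an assumption, and the sample packet is constructed.

```python
import struct

# NetFlow v9 field type numbers from RFC 3954 (only the subset needed here).
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
               21: "LAST_SWITCHED", 22: "FIRST_SWITCHED"}
# Assumption: these stand in for the "time, bytes and packets" named in the reply.
CORE = {"IN_BYTES", "IN_PKTS", "FIRST_SWITCHED", "LAST_SWITCHED"}

def parse_templates(packet):
    """Return {template_id: [field names]} found in one NetFlow v9 packet."""
    if len(packet) < 20 or struct.unpack_from("!H", packet, 0)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, off = {}, 20                      # the v9 header is 20 bytes
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("truncated or malformed FlowSet")
        if fs_id == 0:                           # FlowSet ID 0 = templates
            pos, end = off + 4, off + fs_len
            while pos + 4 <= end:
                tid, count = struct.unpack_from("!HH", packet, pos)
                pos += 4
                if pos + 4 * count > end:
                    raise ValueError("template record overruns FlowSet")
                # Each field spec is (type, length); keep the types only.
                types = struct.unpack_from("!" + "HH" * count, packet, pos)[0::2]
                templates[tid] = [FIELD_NAMES.get(t, "type_%d" % t) for t in types]
                pos += 4 * count
        off += fs_len
    return templates

def missing_core(fields):
    """Core fields absent from a template, sorted by name."""
    return sorted(CORE - set(fields))

def build_packet(template_id, types):
    """Constructed sample: a v9 packet with one template (dummy 4-byte lengths)."""
    rec = struct.pack("!HH", template_id, len(types))
    rec += b"".join(struct.pack("!HH", t, 4) for t in types)
    flowset = struct.pack("!HH", 0, 4 + len(rec)) + rec
    return struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0) + flowset

if __name__ == "__main__":
    # The five fields from the -T argument in the thread, as type numbers.
    sample = build_packet(256, [8, 12, 4, 7, 11])
    for tid, fields in parse_templates(sample).items():
        print(tid, fields, "missing:", missing_core(fields))
```

To run it on real traffic, pass the UDP payload of a packet captured on the proxy's collector port to `parse_templates`.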
Re: nprobe proxy mode - not working with templates
Thanks, Luca. The error message only complained when those 5 fields
were not specified, but it makes sense that others are required too.

I'll add others and give it a try.

- Troy

On 8 Dec 2016 09:51:24 +0100, Luca Deri wrote:
> Troy,
> the template you have used lacks core fields such as time, bytes and packets. This is the problem. Please add them to it.
>
> Regards Luca
