ntopng/nprobe as IPFIX collector - multiple interfaces
All,

I'm interested in using ntopng and nProbe to collect IPFIX flow data from multiple routers. When using ntop (or other network analyzer tools) which directly collect IPFIX data, when IPFIX data comes in, I will see multiple interfaces created - even for data coming from the same router, which is sending flow data for multiple interfaces. I can then name the interfaces with logical names and choose which interface I want to monitor/investigate. As an example, I have a Mikrotik router that sends IPFIX data for all interfaces - when I collect the data with NTOP, I see three interfaces created as data starts coming in.

I have installed ntopng and nProbe on a test server, with nProbe running as a collector with zmq backend to ntopng. But all data coming in is lumped together as one interface. I have been searching and researching for a couple of hours and trying some different configuration options for nProbe, but am not getting anywhere.

Is there a way to use ntopng with nProbe in a way that I have an interface in ntopng for each interface sent in the IPFIX data?


Sincerely,

Dave Redmore
Re: ntopng/nprobe as IPFIX collector - multiple interfaces
Hi Dave,

Presently, ntopng allows you to create virtual interfaces on the basis of
the IPFIX exporter. That is, if you have multiple routers sending IPFIX on
nProbe 2055, ntopng is able to keep their traffic separated. There's also
some experimental code to create virtual interfaces on the basis of the
flow exporter + interface, but we are not sure we will include it in the
code.

However, in the Enterprise edition, ntopng aggregates interfaces data
received from IPFIX sources so that you will be able to see for example
aggregate IN and OUT bytes for every interface. This feature is available
automatically from the Interfaces dropdown menu. I think this can partially
provide the information you are looking for.

If you are interested in evaluating an Enterprise license, please contact
our sales dept. and ask for a trial.

Regards,
Simone

On Sat, Apr 15, 2017 at 4:57 PM, Dave Redmore <dave.redmore@elon.cloud>
wrote:

> All,
>
> I'm interested in using ntopng and nProbe to collect IPFIX flow data from
> multiple routers. When using ntop (or other network analyzer tools) which
> directly collect IPFIX data, when IPFIX data comes in, I will see multiple
> interfaces created - even for data coming from the same router, which is
> sending flow data for multiple interfaces. I can then name the interfaces
> with logical names and choose which interface I want to
> monitor/investigate. As an example, I have a Mikrotik router that sends
> IPFIX data for all interfaces - when I collect the data with NTOP, I see
> three interfaces created as data starts coming in.
>
> I have installed ntopng and nProbe on a test server, with nProbe running
> as a collector with zmq backend to ntopng. But all data coming in is
> lumped together as one interface. I have been searching and researching
> for a couple of hours and trying some different configuration options for
> nProbe, but am not getting anywhere.
>
> Is there a way to use ntopng with nProbe in a way that I have an interface
> in ntopng for each interface sent in the IPFIX data?
>
>
> Sincerely,
>
> Dave Redmore