Mailing List Archive

nprobe biflows
Dear ntop team,

I am using nprobe pro (8.1.170821) with the http plugin.
The nprobe manual (8.1) states that to force flows to be bidirectional
one should use the "--bi-directional" switch.
If I run:

sudo nprobe -n tcp://10.0.0.2:4740 -i /mynetworktrace.pcap
--bi-directional -V10 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %PROTOCOL
%L4_SRC_PORT %L4_DST_PORT %FIRST_SWITCHED %LAST_SWITCHED %HTTP_URL
%HTTP_METHOD"

it works fine but no IPFIX biflows are exported and the output says
"nprobe: unrecognized option '--bi-directional'".
I also tried adding the "--biflows-export-policy 2" switch to the above
command, but still the above "unrecognized option" error appears.

Am I missing something obvious?
Are there any other options to export IPFIX biflows?

thanks and regards

Felix
_______________________________________________
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: nprobe biflows
Felix
please see (-h) but in general the option below

[--biflows-export-policy|-N] <pol> | Bi-directional flows export policy:
| 1 - export bi-directional flows only
| 2 - export mono-directional flows only

allows you to export only biflows or uniflows. This is not what you want to do (export bi-directional flows). To do so please
1. in the -T use at least the basic information elements such as protocols and bytes. nprobe should have reported this in the startup log
2. you need to use both IN and OUT as in the example below

nprobe -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IN_PKTS %IN_BYTES %OUT_PKTS %OUT_BYTES %FIRST_SWITCHED %LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL ..."

Regards Luca

@Simone: please fix the nProbe manual


> On 23 Aug 2017, at 11:27, Felix Erlacher <felix.erlacher@uibk.ac.at> wrote:
>
> Dear ntop team,
>
> I am using nprobe pro (8.1.170821) with the http plugin.
> The nprobe manual (8.1) states that to force flows to be bidirectional
> one should use the "--bi-directional" switch.
> If I run:
>
> sudo nprobe -n tcp://10.0.0.2:4740 -i /mynetworktrace.pcap
> --bi-directional -V10 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %PROTOCOL
> %L4_SRC_PORT %L4_DST_PORT %FIRST_SWITCHED %LAST_SWITCHED %HTTP_URL
> %HTTP_METHOD"
>
> it works fine but no IPFIX biflows are exported and the output says
> "nprobe: unrecognized option '--bi-directional'".
> I also tried adding the "--biflows-export-policy 2" switch to the above
> command, but still the above "unrecognized option" error appears.
>
> Am I missing something obvious?
> Are there any other options to export IPFIX biflows?
>
> thanks and regards
>
> Felix
Re: nprobe biflows
Thanks for the very fast reply!
Indeed, adding the four IEs you highlighted solved the problem. IPFIX
biflows are now exported. Thank you very much!

As a side note: for me adding the above four IEs to the template is
enough to export biflows. It is not necessary to add the
"--bi-directional" switch. The only effect that this switch has is the
warning message that it's unrecognized.

regards

Felix

On 23/08/17 11:39, Luca Deri wrote:
> Felix
> please see (-h) but in general the option below
>
> [--biflows-export-policy|-N] <pol> | Bi-directional flows export policy:
> | 1 - export bi-directional flows only
> | 2 - export mono-directional flows only
>
> allows you to export only biflows or uniflows. This is not what you want
> to do (export bi-directional flows). To do so please
> 1. in the -T use at least the basic information elements such as
> protocols and bytes. nprobe should have reported this in the startup log
> 2. you need to use both IN and OUT as in the example below
>
> nprobe -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IN_PKTS
> %IN_BYTES %OUT_PKTS %OUT_BYTES %FIRST_SWITCHED %LAST_SWITCHED
> %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL ..."
>
> Regards Luca
>
> @Simone: please fix the nProbe manual
>
>
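The thread above boils down to a template requirement: nprobe 8.1 emits IPFIX biflows only when the -T template carries the basic 5-tuple elements plus both the IN_* and OUT_* packet and byte counters, and the "--bi-directional" switch from the manual is not accepted at all. The following Python script is an added example, not nprobe's code or anything from ntop; it pre-flights an nprobe command line before you run it, extracting the -T template, listing which of those information elements are missing and flagging the unrecognized switch. The required-IE sets are taken from Luca's reply and Felix's confirmation that the four counters were sufficient; they are an assumption about nprobe's real requirements, not taken from its documentation. The two command lines in the block are the one Felix posted and a corrected variant constructed for the demo.

```python
"""Pre-flight check for nprobe -T templates intended to export IPFIX biflows.

Added example, not nprobe's own code. The IE requirements below are an
assumption taken from the mailing-list thread (5-tuple plus IN_*/OUT_*
counters), not from nprobe's documentation.
"""
import shlex

# Basic flow-key elements Luca asked for ("protocols and bytes" plus the tuple).
BASIC_IES = {"IPV4_SRC_ADDR", "IPV4_DST_ADDR", "PROTOCOL",
             "L4_SRC_PORT", "L4_DST_PORT"}
# The reverse-direction counters that turned uniflows into biflows for Felix.
IN_IES = {"IN_PKTS", "IN_BYTES"}
OUT_IES = {"OUT_PKTS", "OUT_BYTES"}

# Switch the nprobe 8.1 manual mentions but the binary rejects, per the thread.
REJECTED_OPTIONS = {"--bi-directional"}


def parse_template(template):
    """Turn a -T string such as "%IPV4_SRC_ADDR %IN_PKTS" into IE names.

    Every whitespace-separated token must start with '%'; anything else is
    reported rather than silently ignored, since a stray token would make
    nprobe's own template parsing fail at startup.
    """
    names = []
    for tok in template.split():
        if not tok.startswith("%") or len(tok) == 1:
            raise ValueError(f"template element without %NAME form: {tok!r}")
        names.append(tok[1:])
    return names


def extract_template(cmdline):
    """Return the -T argument from an nprobe command line, or None if absent."""
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        if arg == "-T" and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith("-T") and len(arg) > 2:   # "-T%IPV4_SRC_ADDR ..." form
            return arg[2:]
    return None


def check_biflow_template(template):
    """Map each IE group name to the sorted list of elements it is missing.

    An empty dict means the template has everything the thread says is
    needed for biflow export.
    """
    present = set(parse_template(template))
    missing = {}
    for group, required in (("basic", BASIC_IES), ("in", IN_IES), ("out", OUT_IES)):
        gap = sorted(required - present)
        if gap:
            missing[group] = gap
    return missing


def audit_nprobe_cmdline(cmdline):
    """Return a list of human-readable problems; an empty list means go ahead."""
    args = shlex.split(cmdline)
    problems = []
    for opt in sorted(REJECTED_OPTIONS & set(args)):
        problems.append(f"{opt!r} is reported as 'unrecognized option' by nprobe 8.1; drop it")
    template = extract_template(cmdline)
    if template is None:
        problems.append("no -T template given")
        return problems
    for group, gap in check_biflow_template(template).items():
        problems.append(f"{group} IEs missing from -T: {', '.join(gap)}")
    return problems


# Felix's original command line from the thread (joined onto one line).
FELIX_CMDLINE = (
    'sudo nprobe -n tcp://10.0.0.2:4740 -i /mynetworktrace.pcap '
    '--bi-directional -V10 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %PROTOCOL '
    '%L4_SRC_PORT %L4_DST_PORT %FIRST_SWITCHED %LAST_SWITCHED %HTTP_URL '
    '%HTTP_METHOD"'
)

# Constructed corrected variant: switch removed, IN_*/OUT_* counters added.
FIXED_CMDLINE = (
    'sudo nprobe -n tcp://10.0.0.2:4740 -i /mynetworktrace.pcap -V10 '
    '-T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IN_PKTS %IN_BYTES %OUT_PKTS %OUT_BYTES '
    '%FIRST_SWITCHED %LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS '
    '%PROTOCOL %HTTP_URL %HTTP_METHOD"'
)

if __name__ == "__main__":
    for label, cmd in (("original", FELIX_CMDLINE), ("fixed", FIXED_CMDLINE)):
        issues = audit_nprobe_cmdline(cmd)
        print(f"{label}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

Run it against your own command line before pointing the collector at it; a template that passes here may still be rejected by nprobe for reasons outside this thread (for example, an IE name the build does not know), so treat the startup log as the final word.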