Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. NTop>
  3. Misc
Nprobe: Filter netflow by VLAN tag
jnarvaez at loading
Nov 10, 2017, 5:16 AM
Post #1 of 7 (1429 views)
Permalink
Hi,

I am running nprobe as follows:
nprobe --collector=none --zmq="tcp://127.0.0.1:5556" --collector-port=9996 --interface=none -V 10 --verbose=2

And I get a lot of lines like this with several VLAN ids:
10/Nov/2017 14:14:24 [engine.c:2886] Emitting Flow: [->][tcp] 5.6.7.8:63826 -> 1.2.3.4:80 [1 pkt/52 bytes][ifIdx 1000001->1000010][0.0 sec][VLAN 190/190][init Unknown][AS: xxx -> xxx]

Would be possible to filter by VLAN and only send VLAN 190 to ntopng?

Thank you in advance, kind regards.
Javier Narváez

Attached Files:

Re: Nprobe: Filter netflow by VLAN tag [ In reply to ]
mainardi at ntop
Nov 10, 2017, 8:08 AM
Post #2 of 7 (1429 views)
Permalink
Javier,

VLAN -- or, more in general, BPF -- filters are not supported when nProbe is used in collector mode.


Simone

> On 10 Nov 2017, at 13:16, Javier Narváez <jnarvaez@loading.es> wrote:
>
> Hi,
>
> I am running nprobe as follows:
> nprobe --collector=none --zmq="tcp://127.0.0.1:5556" --collector-port=9996 --interface=none -V 10 --verbose=2
>
> And I get a lot of lines like this with several VLAN ids:
> 10/Nov/2017 14:14:24 [engine.c:2886] Emitting Flow: [->][tcp] 5.6.7.8:63826 -> 1.2.3.4:80 [1 pkt/52 bytes][ifIdx 1000001->1000010][0.0 sec][VLAN 190/190][init Unknown][AS: xxx -> xxx]
>
> Would be possible to filter by VLAN and only send VLAN 190 to ntopng?
>
> Thank you in advance, kind regards.
> Javier Narváez
> <logo-150-ancho.png>_______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc

_______________________________________________
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: Nprobe: Filter netflow by VLAN tag [ In reply to ]
jnarvaez at loading
Nov 10, 2017, 9:06 AM
Post #3 of 7 (1427 views)
Permalink
Oh... And would be to possible to filter that vlan in ntopng? or configure nprobe in another mode?

The data comes in sflow from an Arista Switch and there is a lot of flows I do not need...

Thank you, kind regards.

----- Mensaje original -----
De: "Simone Mainardi" <mainardi@ntop.org>
Para: ntop-misc@listgateway.unipi.it
Enviados: Viernes, 10 de Noviembre 2017 17:08:16
Asunto: Re: [Ntop-misc] Nprobe: Filter netflow by VLAN tag

Javier,

VLAN -- or, more in general, BPF -- filters are not supported when nProbe is used in collector mode.


Simone

> On 10 Nov 2017, at 13:16, Javier Narváez <jnarvaez@loading.es> wrote:
>
> Hi,
>
> I am running nprobe as follows:
> nprobe --collector=none --zmq="tcp://127.0.0.1:5556" --collector-port=9996 --interface=none -V 10 --verbose=2
>
> And I get a lot of lines like this with several VLAN ids:
> 10/Nov/2017 14:14:24 [engine.c:2886] Emitting Flow: [->][tcp] 5.6.7.8:63826 -> 1.2.3.4:80 [1 pkt/52 bytes][ifIdx 1000001->1000010][0.0 sec][VLAN 190/190][init Unknown][AS: xxx -> xxx]
>
> Would be possible to filter by VLAN and only send VLAN 190 to ntopng?
>
> Thank you in advance, kind regards.
> Javier Narváez
> <logo-150-ancho.png>_______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc

_______________________________________________
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
_______________________________________________
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: Nprobe: Filter netflow by VLAN tag [ In reply to ]
mainardi at ntop
Nov 10, 2017, 10:39 AM
Post #4 of 7 (1427 views)
Permalink
Yes, you can do that inside ntopng. See preferences / network interfaces and select VLAN disaggregation. then restart ntopng and you will have each VLAN as a separate interface.
> On 10 Nov 2017, at 17:06, Javier Narváez <jnarvaez@loading.es> wrote:
>
> Oh... And would be to possible to filter that vlan in ntopng? or configure nprobe in another mode?
>
> The data comes in sflow from an Arista Switch and there is a lot of flows I do not need...
>
> Thank you, kind regards.
>
> ----- Mensaje original -----
> De: "Simone Mainardi" <mainardi@ntop.org>
> Para: ntop-misc@listgateway.unipi.it
> Enviados: Viernes, 10 de Noviembre 2017 17:08:16
> Asunto: Re: [Ntop-misc] Nprobe: Filter netflow by VLAN tag
>
> Javier,
>
> VLAN -- or, more in general, BPF -- filters are not supported when nProbe is used in collector mode.
>
>
> Simone
>
>> On 10 Nov 2017, at 13:16, Javier Narváez <jnarvaez@loading.es> wrote:
>>
>> Hi,
>>
>> I am running nprobe as follows:
>> nprobe --collector=none --zmq="tcp://127.0.0.1:5556" --collector-port=9996 --interface=none -V 10 --verbose=2
>>
>> And I get a lot of lines like this with several VLAN ids:
>> 10/Nov/2017 14:14:24 [engine.c:2886] Emitting Flow: [->][tcp] 5.6.7.8:63826 -> 1.2.3.4:80 [1 pkt/52 bytes][ifIdx 1000001->1000010][0.0 sec][VLAN 190/190][init Unknown][AS: xxx -> xxx]
>>
>> Would be possible to filter by VLAN and only send VLAN 190 to ntopng?
>>
>> Thank you in advance, kind regards.
>> Javier Narváez
>> <logo-150-ancho.png>_______________________________________________
>> Ntop-misc mailing list
>> Ntop-misc@listgateway.unipi.it
>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc

_______________________________________________
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: Nprobe: Filter netflow by VLAN tag [ In reply to ]
jnarvaez at loading
Nov 10, 2017, 11:55 AM
Post #5 of 7 (1427 views)
Permalink
Thank you Simone, that is great, however I cannot get it working, I have changed "Disaggregation Criterion" from "none" to "VLAN id", then restarted ntopng, and pressed F5 on my browser, however I cannot see any change, on the interfaces dropdown I only see "tcp://127.0.0.1:5556"

Hope you can help. Regards.

Javier Narváez

----- Mensaje original -----
De: "Simone Mainardi" <mainardi@ntop.org>
Para: ntop-misc@listgateway.unipi.it
Enviados: Viernes, 10 de Noviembre 2017 19:39:16
Asunto: Re: [Ntop-misc] Nprobe: Filter netflow by VLAN tag

Yes, you can do that inside ntopng. See preferences / network interfaces and select VLAN disaggregation. then restart ntopng and you will have each VLAN as a separate interface.
> On 10 Nov 2017, at 17:06, Javier Narváez <jnarvaez@loading.es> wrote:
>
> Oh... And would be to possible to filter that vlan in ntopng? or configure nprobe in another mode?
>
> The data comes in sflow from an Arista Switch and there is a lot of flows I do not need...
>
> Thank you, kind regards.
>
> ----- Mensaje original -----
> De: "Simone Mainardi" <mainardi@ntop.org>
> Para: ntop-misc@listgateway.unipi.it
> Enviados: Viernes, 10 de Noviembre 2017 17:08:16
> Asunto: Re: [Ntop-misc] Nprobe: Filter netflow by VLAN tag
>
> Javier,
>
> VLAN -- or, more in general, BPF -- filters are not supported when nProbe is used in collector mode.
>
>
> Simone
>
>> On 10 Nov 2017, at 13:16, Javier Narváez <jnarvaez@loading.es> wrote:
>>
>> Hi,
>>
>> I am running nprobe as follows:
>> nprobe --collector=none --zmq="tcp://127.0.0.1:5556" --collector-port=9996 --interface=none -V 10 --verbose=2
>>
>> And I get a lot of lines like this with several VLAN ids:
>> 10/Nov/2017 14:14:24 [engine.c:2886] Emitting Flow: [->][tcp] 5.6.7.8:63826 -> 1.2.3.4:80 [1 pkt/52 bytes][ifIdx 1000001->1000010][0.0 sec][VLAN 190/190][init Unknown][AS: xxx -> xxx]
>>
>> Would be possible to filter by VLAN and only send VLAN 190 to ntopng?
>>
>> Thank you in advance, kind regards.
>> Javier Narváez
>> <logo-150-ancho.png>_______________________________________________
>> Ntop-misc mailing list
>> Ntop-misc@listgateway.unipi.it
>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc

_______________________________________________
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
_______________________________________________
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: Nprobe: Filter netflow by VLAN tag [ In reply to ]
mainardi at ntop
Nov 10, 2017, 12:11 PM
Post #6 of 7 (1427 views)
Permalink
Make sure you create an nProbe template with -T that contains VLAN information


-T="%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_SRC_MASK %IPV4_DST_MASK %L4_SRC_PORT %L4_DST_PORT %IPV6_SRC_ADDR %IPV6_DST_ADDR %IPV6_SRC_MASK %IPV6_DST_MASK %IP_PROTOCOL_VERSION %SRC_TOS %PROTOCOL %ICMP_TYPE %INPUT_SNMP %SRC_AS %DST_AS %IPV4_NEXT_HOP %IPV6_NEXT_HOP %TCP_FLAGS %OUTPUT_SNMP %IN_BYTES %IN_PKTS %OUT_BYTES %OUT_PKTS %MIN_TTL %MAX_TTL %FIRST_SWITCHED %LAST_SWITCHED %SRC_VLAN %DST_VLAN %DOT1Q_SRC_VLAN %DOT1Q_DST_VLAN %EXPORTER_IPV4_ADDRESS %IN_SRC_MAC %OUT_DST_MAC" -V 9


Simone

> On 10 Nov 2017, at 19:55, Javier Narváez <jnarvaez@loading.es> wrote:
>
> Thank you Simone, that is great, however I cannot get it working, I have changed "Disaggregation Criterion" from "none" to "VLAN id", then restarted ntopng, and pressed F5 on my browser, however I cannot see any change, on the interfaces dropdown I only see "tcp://127.0.0.1:5556"
>
> Hope you can help. Regards.
>
> Javier Narváez
>
> ----- Mensaje original -----
> De: "Simone Mainardi" <mainardi@ntop.org>
> Para: ntop-misc@listgateway.unipi.it
> Enviados: Viernes, 10 de Noviembre 2017 19:39:16
> Asunto: Re: [Ntop-misc] Nprobe: Filter netflow by VLAN tag
>
> Yes, you can do that inside ntopng. See preferences / network interfaces and select VLAN disaggregation. then restart ntopng and you will have each VLAN as a separate interface.
>> On 10 Nov 2017, at 17:06, Javier Narváez <jnarvaez@loading.es> wrote:
>>
>> Oh... And would be to possible to filter that vlan in ntopng? or configure nprobe in another mode?
>>
>> The data comes in sflow from an Arista Switch and there is a lot of flows I do not need...
>>
>> Thank you, kind regards.
>>
>> ----- Mensaje original -----
>> De: "Simone Mainardi" <mainardi@ntop.org>
>> Para: ntop-misc@listgateway.unipi.it
>> Enviados: Viernes, 10 de Noviembre 2017 17:08:16
>> Asunto: Re: [Ntop-misc] Nprobe: Filter netflow by VLAN tag
>>
>> Javier,
>>
>> VLAN -- or, more in general, BPF -- filters are not supported when nProbe is used in collector mode.
>>
>>
>> Simone
>>
>>> On 10 Nov 2017, at 13:16, Javier Narváez <jnarvaez@loading.es> wrote:
>>>
>>> Hi,
>>>
>>> I am running nprobe as follows:
>>> nprobe --collector=none --zmq="tcp://127.0.0.1:5556" --collector-port=9996 --interface=none -V 10 --verbose=2
>>>
>>> And I get a lot of lines like this with several VLAN ids:
>>> 10/Nov/2017 14:14:24 [engine.c:2886] Emitting Flow: [->][tcp] 5.6.7.8:63826 -> 1.2.3.4:80 [1 pkt/52 bytes][ifIdx 1000001->1000010][0.0 sec][VLAN 190/190][init Unknown][AS: xxx -> xxx]
>>>
>>> Would be possible to filter by VLAN and only send VLAN 190 to ntopng?
>>>
>>> Thank you in advance, kind regards.
>>> Javier Narváez
>>> <logo-150-ancho.png>_______________________________________________
>>> Ntop-misc mailing list
>>> Ntop-misc@listgateway.unipi.it
>>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>>
>> _______________________________________________
>> Ntop-misc mailing list
>> Ntop-misc@listgateway.unipi.it
>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>> _______________________________________________
>> Ntop-misc mailing list
>> Ntop-misc@listgateway.unipi.it
>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc

_______________________________________________
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: Nprobe: Filter netflow by VLAN tag [ In reply to ]
jnarvaez at loading
Nov 10, 2017, 12:25 PM
Post #7 of 7 (1427 views)
Permalink
Thank you!! It works perfectly now!


----- Mensaje original -----
De: "Simone Mainardi" <mainardi@ntop.org>
Para: ntop-misc@listgateway.unipi.it
Enviados: Viernes, 10 de Noviembre 2017 21:11:36
Asunto: Re: [Ntop-misc] Nprobe: Filter netflow by VLAN tag

Make sure you create an nProbe template with -T that contains VLAN information


-T="%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_SRC_MASK %IPV4_DST_MASK %L4_SRC_PORT %L4_DST_PORT %IPV6_SRC_ADDR %IPV6_DST_ADDR %IPV6_SRC_MASK %IPV6_DST_MASK %IP_PROTOCOL_VERSION %SRC_TOS %PROTOCOL %ICMP_TYPE %INPUT_SNMP %SRC_AS %DST_AS %IPV4_NEXT_HOP %IPV6_NEXT_HOP %TCP_FLAGS %OUTPUT_SNMP %IN_BYTES %IN_PKTS %OUT_BYTES %OUT_PKTS %MIN_TTL %MAX_TTL %FIRST_SWITCHED %LAST_SWITCHED %SRC_VLAN %DST_VLAN %DOT1Q_SRC_VLAN %DOT1Q_DST_VLAN %EXPORTER_IPV4_ADDRESS %IN_SRC_MAC %OUT_DST_MAC" -V 9


Simone

> On 10 Nov 2017, at 19:55, Javier Narváez <jnarvaez@loading.es> wrote:
>
> Thank you Simone, that is great, however I cannot get it working, I have changed "Disaggregation Criterion" from "none" to "VLAN id", then restarted ntopng, and pressed F5 on my browser, however I cannot see any change, on the interfaces dropdown I only see "tcp://127.0.0.1:5556"
>
> Hope you can help. Regards.
>
> Javier Narváez
>
> ----- Mensaje original -----
> De: "Simone Mainardi" <mainardi@ntop.org>
> Para: ntop-misc@listgateway.unipi.it
> Enviados: Viernes, 10 de Noviembre 2017 19:39:16
> Asunto: Re: [Ntop-misc] Nprobe: Filter netflow by VLAN tag
>
> Yes, you can do that inside ntopng. See preferences / network interfaces and select VLAN disaggregation. then restart ntopng and you will have each VLAN as a separate interface.
>> On 10 Nov 2017, at 17:06, Javier Narváez <jnarvaez@loading.es> wrote:
>>
>> Oh... And would be to possible to filter that vlan in ntopng? or configure nprobe in another mode?
>>
>> The data comes in sflow from an Arista Switch and there is a lot of flows I do not need...
>>
>> Thank you, kind regards.
>>
>> ----- Mensaje original -----
>> De: "Simone Mainardi" <mainardi@ntop.org>
>> Para: ntop-misc@listgateway.unipi.it
>> Enviados: Viernes, 10 de Noviembre 2017 17:08:16
>> Asunto: Re: [Ntop-misc] Nprobe: Filter netflow by VLAN tag
>>
>> Javier,
>>
>> VLAN -- or, more in general, BPF -- filters are not supported when nProbe is used in collector mode.
>>
>>
>> Simone
>>
>>> On 10 Nov 2017, at 13:16, Javier Narváez <jnarvaez@loading.es> wrote:
>>>
>>> Hi,
>>>
>>> I am running nprobe as follows:
>>> nprobe --collector=none --zmq="tcp://127.0.0.1:5556" --collector-port=9996 --interface=none -V 10 --verbose=2
>>>
>>> And I get a lot of lines like this with several VLAN ids:
>>> 10/Nov/2017 14:14:24 [engine.c:2886] Emitting Flow: [->][tcp] 5.6.7.8:63826 -> 1.2.3.4:80 [1 pkt/52 bytes][ifIdx 1000001->1000010][0.0 sec][VLAN 190/190][init Unknown][AS: xxx -> xxx]
>>>
>>> Would be possible to filter by VLAN and only send VLAN 190 to ntopng?
>>>
>>> Thank you in advance, kind regards.
>>> Javier Narváez
>>> <logo-150-ancho.png>_______________________________________________
>>> Ntop-misc mailing list
>>> Ntop-misc@listgateway.unipi.it
>>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>>
>> _______________________________________________
>> Ntop-misc mailing list
>> Ntop-misc@listgateway.unipi.it
>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>> _______________________________________________
>> Ntop-misc mailing list
>> Ntop-misc@listgateway.unipi.it
>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc

_______________________________________________
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
_______________________________________________
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal