Mailing List Archive

Query regarding nProbe collector configuration
Hi there,
I'm new to ntopng and hoping to get some assistance or guidance.

I've got an ntopng/nProbe server set up using a single interface.
I've got an Avaya switch sending IPFIX flow data to my ntopng server over port 9995. My understanding is I need to set up ntopng as a collector for that flow data.

All I'm seeing in ntopng is a single flow from switch to server along with all other 'local' traffic hitting the server. I'd like to only see the flow data from the switch. I expected nProbe to create an interface for me to select, as I'd seen in ntop, but I haven't seen that yet. I understand that I need to set nProbe with some sort of zmq command, but I'm struggling to understand the context for that command. I'd like the desired configuration to remain persistent through reboots and start up automatically. Ntopng starts automatically now, but I don't think there's currently any nProbe configuration. I am finding that as I enter an nProbe command now, the CLI does not return me to a prompt to restart the ntopng service.


Any assistance you can offer would be greatly appreciated.
Thank you


Jeff
Re: Query regarding nProbe collector configuration
Jeff,

You need both nProbe and ntopng. nProbe interprets the IPFIX and outputs the data to ntopng, which is in charge of visualisation.

A simple configuration is the following:

./nprobe -i none -n none --collector-port 9995 --zmq tcp://127.0.0.1:5556
./ntopng -i tcp://*:5556 -m <a list of networks of interest, e.g., 192.168.0.1/24>

The communication between ntopng and nprobe takes place over ZMQ.

Regards,
Simone

> On 12 Dec 2017, at 15:23, Kotch, Jeff <Jeff.Kotch@yrdsb.ca> wrote:
Re: Query regarding nProbe collector configuration
Thank you Simone!

I now seem to have everything working. A reboot was required before I could see what I was expecting to see in ntopng.

sudo netstat -tulpen | grep /n

tcp 0 0 0.0.0.0:3000 0.0.0.0:* LISTEN 0 19865 1454/ntopng
tcp 0 0 127.0.0.1:5556 0.0.0.0:* LISTEN 0 19806 1456/nprobe
udp 0 0 0.0.0.0:9995 0.0.0.0:* 65534 18960 1456/nprobe
udp 0 0 172.17.20.221:123 0.0.0.0:* 0 19227 1551/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 0 19225 1551/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 0 19221 1551/ntpd


Here’s what my ntopng.conf file looks like

cat /etc/ntopng/ntopng.conf

--interface="tcp://127.0.0.1:5556"
--m="10.0.0.0/8,172.0.0.0/8"

ls /etc/ntopng/
ntopng.conf ntopng.start

Here’s what my nprobe.conf file looks like

cat /etc/nprobe/nprobe.conf

-G=
-i=none
--collector-port=9995
--zmq=tcp://127.0.0.1:5556

ls /etc/nprobe
nprobe.conf nprobe-none.conf nprobe-none.start


I confirmed using tcpdump that the server is receiving the flow from the switch, the switch IP address is 10.215.8.3

sudo tcpdump -c 6 -n dst port 9995
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:13:09.875239 IP 10.215.8.3.51364 > 172.17.20.221.9995: UDP, length 132
06:13:10.804606 IP 10.215.8.3.51364 > 172.17.20.221.9995: UDP, length 132
06:13:11.800001 IP 10.215.8.3.51364 > 172.17.20.221.9995: UDP, length 76
06:13:12.810285 IP 10.215.8.3.51364 > 172.17.20.221.9995: UDP, length 76
06:13:13.807210 IP 10.215.8.3.51364 > 172.17.20.221.9995: UDP, length 76
06:13:13.811862 IP 10.215.8.3.51364 > 172.17.20.221.9995: UDP, length 76

In the ntopng web UI I only have one interface, which I will rename for aesthetics:
tcp://127.0.0.1:5556

This is wonderful!

Now I just need to figure out how to name much of the “Unknown” traffic.

If I were to forward additional flows from additional switches, should I create another interface and probe?







Jeff

From: ntop-misc-bounces@listgateway.unipi.it [mailto:ntop-misc-bounces@listgateway.unipi.it] On Behalf Of Simone Mainardi
Sent: Wednesday, December 13, 2017 5:07 AM
To: ntop-misc@listgateway.unipi.it
Subject: Re: [Ntop-misc] Query regarding nProbe collector configuration
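A check of the listener layout shown in Jeff's netstat output, added here as an example (not code from the thread or from the ntop project): it confirms that nProbe's IPFIX collector is listening on UDP 9995 and that the ZMQ socket feeding ntopng is bound to loopback only. Flow records cross that ZMQ socket unencrypted by default, so a socket bound to 0.0.0.0 would be readable by any host able to reach the port; the sample listings, the function name and the port arguments are constructed for the example.

```shell
#!/bin/sh
# Added example: validate nProbe listeners from `netstat -tulpen` output.
#  - IPFIX collector must be listening on UDP <collector port> (any address: the switch must reach it)
#  - ZMQ socket toward ntopng must be bound to loopback only (plaintext flow data)

# Constructed sample in the same column layout as the thread's netstat listing.
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:3000 0.0.0.0:* LISTEN 0 19865 1454/ntopng
tcp 0 0 127.0.0.1:5556 0.0.0.0:* LISTEN 0 19806 1456/nprobe
udp 0 0 0.0.0.0:9995 0.0.0.0:* 65534 18960 1456/nprobe'

# Constructed variant where the ZMQ socket is exposed on every interface.
SAMPLE_NETSTAT_EXPOSED='tcp 0 0 0.0.0.0:5556 0.0.0.0:* LISTEN 0 19806 1456/nprobe
udp 0 0 0.0.0.0:9995 0.0.0.0:* 65534 18960 1456/nprobe'

# check_nprobe_listeners NETSTAT_TEXT ZMQ_PORT COLLECTOR_PORT
# Returns 0 when both conditions hold, 1 otherwise, printing what is wrong.
check_nprobe_listeners() {
    text="$1"; zmq_port="$2"; coll_port="$3"; rc=0
    # Column 4 is the local address, the last column is PID/program name.
    if ! printf '%s\n' "$text" | awk -v p="$coll_port" \
        '$1=="udp" && $4 ~ (":" p "$") && $NF ~ /\/nprobe$/ {found=1} END {exit !found}'; then
        echo "collector: nprobe is not listening on udp/$coll_port"; rc=1
    fi
    zmq_addr=$(printf '%s\n' "$text" | awk -v p="$zmq_port" \
        '$1=="tcp" && $4 ~ (":" p "$") && $NF ~ /\/nprobe$/ {print $4; exit}')
    case "$zmq_addr" in
        "") echo "zmq: nprobe has no tcp listener on port $zmq_port"; rc=1 ;;
        127.0.0.1:*|"[::1]:"*) ;;   # loopback only: right for the single-host setup
        *) echo "zmq: nprobe ZMQ socket bound to $zmq_addr, reachable from other hosts"; rc=1 ;;
    esac
    return $rc
}

# Live use on the collector host (net-tools required):
# check_nprobe_listeners "$(sudo netstat -tulpen | grep /n)" 5556 9995
```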