Mailing List Archive

nProbe and Andrisoft compatibility
Hi,

I am trying to use nProbe as a flow filter & forwarder to filter out flows for customer prefixes and forward those flows to the customer's Wansight but I am unable to get something useful on Wansight.
Sometimes a few flows are received and a little bit is graphed but with each flow received, the timeout is increased until Wansight says the flow is too old and discards it.

This is the log from the customer Wansight:
Severity Component Module Notification Text Date
INFO <sensor.name> Flow Collector NetFlow version 9 exporter detected
INFO <sensor.name> Flow Collector NetFlow version 9 exporter detected
INFO <sensor.name> Flow Collector NetFlow version 9 exporter detected
INFO <sensor.name> Flow Collector NetFlow version 9 exporter detected
INFO <sensor.name> Flow Collector Netflow v5 exporter detected. SysID: 2, engine id 181, type 0, IP: <nprobe.ip>, Sampling Mode: 0, Sampling Interval: 5000
INFO <sensor.name> Flow Parser Received flow from 113 seconds ago on interface "test-out". Adjusting flow delay from 30 to 113
INFO <sensor.name> Flow Collector NetFlow version 9 exporter detected
INFO <sensor.name> Flow Parser Received flow from 82 seconds ago on interface "test-out". Adjusting flow delay from 30 to 82
INFO <sensor.name> Flow Collector Netflow v5 exporter detected. SysID: 1, engine id 87, type 0, IP: <nprobe.ip>, Sampling Mode: 0, Sampling Interval: 5000

Andrisoft support says that nProbe is at fault:

>If the flow exporter respects the RFC and it's configured to export long flows periodically, you only need to adjust the Flow Timeout(s) parameter from the Flow Sensor configuration window to the same value.
>All flows will be accepted, even if the start time is very long in the past.

>We don't have a nProbe license to be able to test it, but not even Wireshark can properly decode the start/end time of flows generated by it. So we can only conclude that it's a nProbe issue.
>We do have customers that are monitoring their routers with Netflow v9 and IPFIX without any issues from Wanguard.

Am I missing any parameters for nProbe? Am I misunderstanding something?

This is the setup:

1. Juniper MX Routers sample and export Flows to our own Andrisoft Wansight

2. Our Wansight repeats the received flow to nProbe

3. nProbe filters the customer specific prefixes and forwards those flows to the customer's Wansight.

This is the configuration on the Juniper MX router:
set forwarding-options sampling instance sampling input rate 5000
set forwarding-options sampling instance sampling family inet output flow-server <our.wansight.ip> port 23239
set forwarding-options sampling instance sampling family inet output flow-server <our.wansight.ip> autonomous-system-type origin
set forwarding-options sampling instance sampling family inet output flow-server <our.wansight.ip> version-ipfix template ipv4
set forwarding-options sampling instance sampling family inet output inline-jflow source-address <router.ip.addr>
set forwarding-options sampling instance sampling family inet output inline-jflow flow-export-rate 40
set forwarding-options sampling instance sampling family inet6 output flow-server <our.wansight.ip> port 23239
set forwarding-options sampling instance sampling family inet6 output flow-server <our.wansight.ip> autonomous-system-type origin
set forwarding-options sampling instance sampling family inet6 output flow-server <our.wansight.ip> version-ipfix template ipv6
set forwarding-options sampling instance sampling family inet6 output inline-jflow source-address <router.ip.addr>
set forwarding-options sampling instance sampling family inet6 output inline-jflow flow-export-rate 40


On our Wansight we use the following settings for the Flow Sensor:
Listener IP:Port <our.wansight.ip>:23239
Repeater IP:Port <nprobe.ip>:2056
Flow Collector: Off
Flow Protocol: NetFlow or IPFIX
Flow Exporter IP: <router.ip.addr>
Sampling (1/N): -5000
Flows Timeout (s): 60 seconds

These are my nProbe parameters:
--collector-port 2056
--sender-address <nprobe.ip>:2055
--collector <customer.wansight.ip>:10000
--in-iface-idx 910
--out-iface-idx 917
--flow-version 9
--sample-rate @5000:1:1
-i none
--collection-filter <v4.prefix>/24
--collection-filter <v6.prefix>/48
--daemon-mode
--json-to-syslog
--flows-intra-templ 1
-T "%IN_BYTES %IN_PKTS %FLOWS %PROTOCOL %SRC_TOS %TCP_FLAGS %L4_SRC_PORT %IPV4_SRC_ADDR %IPV4_SRC_MASK %INPUT_SNMP %L4_DST_PORT %IPV4_DST_ADDR %IPV4_DST_MASK %OUTPUT_SNMP %IPV4_NEXT_HOP %SRC_AS %DST_AS %LAST_SWITCHED %FIRST_SWITCHED %OUT_BYTES %OUT_PKTS %IPV6_SRC_ADDR %IPV6_DST_ADDR %IPV6_SRC_MASK %IPV6_DST_MASK %ICMP_TYPE %SAMPLING_INTERVAL"

On the customer Wansight, the following settings are used for the Flow Sensor:
Listener IP:Port <customer.wansight.ip>:10000
Repeater IP:Port ?
Flow Collector: Off
Flow Protocol: NetFlow or IPFIX
Flow Exporter IP: <nprobe.ip>
Sampling (1/N): -5000
Flows Timeout (s): Auto

Monitored Interfaces:
910 test-in Downstream
917 test-out Upstream

Best regards,

Benjamin Weik
Re: nProbe and Andrisoft compatibility
Benjamin
all I did is this:

I have started "nprobe nprobe.conf" (which is basically your config file) and sent some flows to nprobe, then captured the emitted flows with wireshark. I enclose the pcap with such flows. If you open them with wireshark everything looks good with no decoding errors whatsoever.

Please tell the Wansight folks to contact us and report the exact issue (so that we can reproduce it and fix it), so that we can reproduce the issues they mentioned to you.

Regards Luca


> On 12 Mar 2018, at 11:18, Benjamin Weik <Benjamin.Weik@core-backbone.com> wrote:
> [...]
Re: nProbe and Andrisoft compatibility
Benjamin,

As you want to use nProbe as a flow filter-and-forwarder, you can try and add option --disable-cache to make sure every flow received is output as-is without any caching/aggregation. Also note that --collection-filter does not currently support IPv6 filters.

In addition add option -b=1 to see periodic updates on the flows received/exported. This will help in understanding if flows are properly repeated by the Wansight to nProbe and/or if they are properly forwarded to the customer's Wansight.

I would also run tcpdump (possibly attach pcap files or send them privately) on port 10000 and 2056 of the nProbe host to inspect the two netflow streams (that is, your Wansight -> nProbe and nProbe -> customer's Wansight, respectively).

Simone

> On 12 Mar 2018, at 11:18, Benjamin Weik <Benjamin.Weik@core-backbone.com> wrote:
> [...]
Re: nProbe and Andrisoft compatibility
Hi,

another question that arose during the debugging. How do the
--in-iface-idx 910
--out-iface-idx 917

switches work? From the help text, I was under the impression that nProbe will modify/fake the corresponding SNMP interface ID, which is useful when dealing with flows from multiple routers and interfaces.
So when setting interface ids to 910 and 917 I assumed that when configuring Wansight and specifying those IDs for the Flow Probe, all traffic would show up.

But it seems it does not work that way? The SNMP ID is still the ID from the interfaces on our routers, so our customer would need to specify each interface that we sample so that Wansight shows the traffic.
Otherwise only the traffic which actually runs over these SNMP interface IDs will show up in Wansight.

In my captures from nProbe, Wireshark shows for InputInt and OutputInt the original value from our router.
In the capture provided by you, both fields show 0.

Best regards,

Benjamin Weik

--------------------------------------
Core-Backbone GmbH
Hans-Sachs-Str.14
93138 Lappersdorf

Internet: www.core-backbone.com
eMail: info@core-backbone.com

Phone: +49 (0)911-310432-00 (weekdays from 9 am to 5 pm)
24/7 hotline: please take this number from your customer interface
Fax: +49 (0)911-310432-99

Commercial register number (HR): HRB 10189
Register court: Amtsgericht Regensburg
Managing director: Daniel Maresch
VAT identification number: DE249028038

From: ntop-misc-bounces@listgateway.unipi.it <ntop-misc-bounces@listgateway.unipi.it> On behalf of Luca Deri
Sent: Monday, 12 March 2018 11:46
To: ntop-misc@listgateway.unipi.it
Subject: Re: [Ntop-misc] nProbe and Andrisoft compatibility

> [...]
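Two things the thread turns on can be checked directly on the exported packets rather than argued about: the flow age a collector derives from a NetFlow v9 export (the "Received flow from 113 seconds ago" lines), and the INPUT_SNMP/OUTPUT_SNMP values actually present in each record (what Benjamin looked at in Wireshark). The script below is an added example, not code from the thread, from ntop or from Andrisoft. It builds a small v9 packet inline (constructed values; the 910/917 pair comes from the thread, the 561/563 pair and the addresses are made up), parses the header, template and data FlowSets, anchors LAST_SWITCHED to wall-clock time the way RFC 3954 collectors do (unix_secs minus the difference between header sysUptime and the record's uptime timestamp), and reports which records carry the interface pair a sensor was configured to expect. It makes no claim about what nProbe does with --in-iface-idx; it only reads what is on the wire, which is what a tcpdump of ports 2056 and 10000 would be fed into.

```python
"""Decode a NetFlow v9 export, compute per-record flow age as a collector would,
and check INPUT_SNMP/OUTPUT_SNMP against an expected interface pair.
Constructed example: the packet is built inline, not captured from nProbe."""
import struct

# NetFlow v9 field type IDs used in this example (RFC 3954, section 8)
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP",
    12: "IPV4_DST_ADDR", 14: "OUTPUT_SNMP", 21: "LAST_SWITCHED", 22: "FIRST_SWITCHED",
}
# (field type, length) pairs of the single template this example exports
TEMPLATE_FIELDS = [(8, 4), (12, 4), (10, 2), (14, 2), (1, 4), (2, 4), (22, 4), (21, 4)]


def build_v9_packet(sys_uptime_ms, unix_secs, records, template_id=256):
    """Build one v9 export: 20-byte header, a template FlowSet (id 0), one data FlowSet."""
    tmpl_body = struct.pack("!HH", template_id, len(TEMPLATE_FIELDS))
    tmpl_body += b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE_FIELDS)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body
    data = b""
    for rec in records:
        for t, l in TEMPLATE_FIELDS:
            value = rec[FIELD_NAMES[t]]
            if t in (8, 12):  # dotted-quad IPv4 address -> 4 raw bytes
                data += bytes(int(o) for o in value.split("."))
            else:
                data += value.to_bytes(l, "big")
    pad = (-len(data)) % 4  # FlowSets are padded to a 4-byte boundary
    data_fs = struct.pack("!HH", template_id, 4 + len(data) + pad) + data + b"\x00" * pad
    # header: version, count (template + data records), sysUptime ms, unix secs, sequence, source id
    header = struct.pack("!HHIIII", 9, len(records) + 1, sys_uptime_ms, unix_secs, 1, 0)
    return header + tmpl_fs + data_fs


def parse_v9(packet):
    """Return (header dict, decoded data records). Templates must precede the data
    FlowSets that use them, as they do in the packet built above."""
    version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    header = {"sys_uptime_ms": uptime, "unix_secs": unix_secs, "seq": seq, "source_id": source_id}
    templates, records, off = {}, [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:
            break  # malformed length; stop rather than loop forever
        body, off = packet[off + 4:off + fs_len], off + fs_len
        if fs_id == 0:  # template FlowSet, may carry several templates
            p = 0
            while p + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[p:p + 4])
                templates[tid] = [struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i]) for i in range(n)]
                p += 4 + 4 * n
        elif fs_id >= 256 and fs_id in templates:  # data FlowSet with a known template
            fields = templates[fs_id]
            rec_len = sum(l for _, l in fields)
            p = 0
            while p + rec_len <= len(body):  # trailing padding (< 4 bytes) is shorter than a record
                rec = {}
                for t, l in fields:
                    raw, p = body[p:p + l], p + l
                    name = FIELD_NAMES.get(t, f"field_{t}")
                    rec[name] = ".".join(str(b) for b in raw) if t in (8, 12) else int.from_bytes(raw, "big")
                records.append(rec)
        # a data FlowSet whose template has not been seen yet is skipped, as a collector would
    return header, records


def flow_end_epoch(header, rec):
    """LAST_SWITCHED is exporter sysUptime in ms; anchor it to wall time via the header pair."""
    return header["unix_secs"] - (header["sys_uptime_ms"] - rec["LAST_SWITCHED"]) / 1000.0


def flow_age_seconds(header, rec, received_at):
    """Seconds between the end of the flow and its arrival at the collector."""
    return received_at - flow_end_epoch(header, rec)


def interface_check(records, expected_in, expected_out):
    """True per record when (INPUT_SNMP, OUTPUT_SNMP) equals the pair the sensor expects."""
    return [(r["INPUT_SNMP"], r["OUTPUT_SNMP"]) == (expected_in, expected_out) for r in records]


# Constructed sample: exporter up for 500 s; the first flow ended 113 s before export
# (mirrors the "flow from 113 seconds ago" log line), the second 2 s before export.
SAMPLE_UPTIME_MS = 500_000
SAMPLE_UNIX_SECS = 1_520_850_000
SAMPLE_RECORDS = [
    {"IPV4_SRC_ADDR": "198.51.100.10", "IPV4_DST_ADDR": "203.0.113.20", "INPUT_SNMP": 561,
     "OUTPUT_SNMP": 563, "IN_BYTES": 1500, "IN_PKTS": 1, "FIRST_SWITCHED": 380_000, "LAST_SWITCHED": 387_000},
    {"IPV4_SRC_ADDR": "203.0.113.20", "IPV4_DST_ADDR": "198.51.100.10", "INPUT_SNMP": 910,
     "OUTPUT_SNMP": 917, "IN_BYTES": 64_000, "IN_PKTS": 50, "FIRST_SWITCHED": 490_000, "LAST_SWITCHED": 498_000},
]
SAMPLE_PACKET = build_v9_packet(SAMPLE_UPTIME_MS, SAMPLE_UNIX_SECS, SAMPLE_RECORDS)


def analyse(packet=SAMPLE_PACKET, received_at=SAMPLE_UNIX_SECS, expected_in=910, expected_out=917):
    """Flow ages (s) and interface-pair matches for every record in the packet."""
    header, records = parse_v9(packet)
    return [flow_age_seconds(header, r, received_at) for r in records], interface_check(records, expected_in, expected_out)


if __name__ == "__main__":
    for age, ok in zip(*analyse()):
        print(f"flow age {age:.0f} s, interface pair matches sensor config: {ok}")
```

To use it on real traffic, feed the UDP payloads captured on the two ports into parse_v9 and pass the capture timestamp as received_at; a record whose age is consistently large on the nProbe -> customer stream but small on the Wansight -> nProbe stream points at the re-export, while a large age on both points upstream of nProbe. The age calculation is only as good as the header's sysUptime/unix_secs pair, so an exporter that restarts its uptime counter without refreshing unix_secs produces exactly the growing-delay symptom described in the first message.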