Mailing List Archive

James, you are using an obsolete parameter for nProbe. See this issue:
https://github.com/ntop/nProbe/issues/96

Please, use the new parameter --collector-port

Regards,
Simone

On Mon, Oct 31, 2016 at 8:59 PM, James A. Klun <jklun@microsolved.com>
wrote:

>
> I am currently working with nprobe - a new user.
>
> nProbe v.7.4.160623 (r4597) for Windows
>
> I am specifically interested in capturing the snmp index number
> associated with flows
>
> My startup:
>
> C:\Program Files\nProbe>nprobe /c -nf-collector-port 2055 -D t -P E:\nprobe
> Running nProbe for Windows.
> 31/Oct/2016 13:05:57 [nprobe.c:3404] Valid nProbe Pro license found
> 31/Oct/2016 13:05:57 [nprobe.c:4867] WARNING: The output interfaceId is
> set to 0: did you forget to use -Q perhaps ?
> 31/Oct/2016 13:05:57 [nprobe.c:4870] WARNING: The input interfaceId is set
> to 0: did you forget to use -u perhaps ?
> 31/Oct/2016 13:05:57 [nprobe.c:4970] Welcome to nProbe Pro v.7.4.160623
> ($Revision: 4384 $) for Windows
> 31/Oct/2016 13:05:57 [nprobe.c:4980] Running on Windows
> 31/Oct/2016 13:05:57 [nprobe.c:4991] [LICENSE] nProbe SystemId:
> 2364757858-76046ad1
> 31/Oct/2016 13:05:57 [nprobe.c:50http://listgateway.unipi.it/75] Dumping
> flow files every 60 sec into directory E:\nprobe
> 31/Oct/2016 13:05:57 [nprobe.c:5080] WARNING: -n parameter is missing.
> 127.0.0.1:2055 will be used.
> 31/Oct/2016 13:05:57 [nprobe.c:7307] Welcome to nProbe v.7.4.160623 for
> Windows
> 31/Oct/2016 13:05:57 [plugin.c:1030] 0 plugin(s) enabled
> 31/Oct/2016 13:05:57 [nprobe.c:6833] Non IPv4/v6 traffic is discarded
> according to the template
> 31/Oct/2016 13:05:57 [nprobe.c:5490] Using packet capture length 128
> 31/Oct/2016 13:05:57 [nprobe.c:7483] IPv6 traffic will NOT be
> exported/accounted by this probe
> 31/Oct/2016 13:05:57 [nprobe.c:7484] due to configuration options (e.g.
> use NetFlow v9)
> 31/Oct/2016 13:05:57 [nprobe.c:7529] Flows ASs will not be computed
> (missing GeoIP support)
> 31/Oct/2016 13:05:57 [nprobe.c:7632] Capturing packets from interface
> \Device\NPF_{1AECA7A0-923C-4ADF-BB31-46E5A3C131F7} [snaplen: 128 bytes]
> 31/Oct/2016 13:05:57 [nprobe.c:7855] nProbe started successfully
>
>
> The resulting text files look like below:
>
> IPV4_SRC_ADDR IPV4_DST_ADDR IPV4_NEXT_HOP INPUT_SNMP
> OUTPUT_SNMP IN_PKTS IN_BYTES FIRST_SWITCHED
> LAST_SWITCHED L4_SRC_PORT
> 10.x.x.x 10.x.x.x 0.0.0.0
> 0 0 2
> 1314 1477937430 1477937430 64567
> 10.x.x.x 10.x.x.x 0.0.0.0
> 0 0 1 132
> 1477937430 1477937430 1918
> ...... continues ......
>
>
> ALL input interfaces show as "0"
>
> Using wireshark I have verified the V9/IPFIX netflow data IS being
> delivered and the interface information is in the flowsets.
>
> >> Cisco NetFlow/IPFIX
> >> Version: 9
> >> Count: 38
> >> SysUptime: 261103507
> >> Timestamp: Oct 28, 2016 21:12:22.000000000 EDT
> >> CurrentSecs: 1477703542
> >> FlowSequence: 159997
> >> SourceId: 2304
> >> FlowSet 1
> >> FlowSet Id: (Data) (264)
> >> FlowSet Length: 1336
> >> Flow 1
> >> SrcAddr: 122.x.x.x.(122.x.x.x)
> >> DstAddr: 122.x.x.x (122.x.x.x)
> >> IP ToS: 0x68
> >> Protocol: 17
> >> SrcPort: 20903
> >> DstPort: 53
> >> OutputInt: 9 ===> interface number appears
> (and interface is in fact active )
> >> Direction: Egress (1)
> >> Octets: 79
> >> Packets: 1
>
>
> What's required to get the interface numbers to be recognized and
> recorded by nprobe?
>
>
>
>
>
>
> _______________________________________________
> Ntop mailing list
> Ntop@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop
>

Hello, Simone

I tried:

C:\Program Files\nProbe>nprobe /c -i none -n none --collector-port
2055 -D t -P E:\nprobe -V 10
Running nProbe for Windows.
31/Oct/2016 19:57:23 [nprobe.c:3404] Valid nProbe Pro license found
31/Oct/2016 19:57:23 [nprobe.c:4867] WARNING: The output interfaceId
is set to 0: did you forget to use -Q perhaps ?
31/Oct/2016 19:57:23 [nprobe.c:4870] WARNING: The input interfaceId
is set to 0: did you forget to use -u perhaps ?
31/Oct/2016 19:57:23 [nprobe.c:4970] Welcome to nProbe Pro
v.7.4.160623 ($Revision: 4384 $) for Windows
31/Oct/2016 19:57:23 [nprobe.c:4980] Running on Windows
31/Oct/2016 19:57:23 [nprobe.c:4991] [LICENSE] nProbe SystemId:
2364757858-76046ad1
31/Oct/2016 19:57:23 [nprobe.c:5075] Dumping flow files every 60 sec
into directory E:\nprobe
31/Oct/2016 19:57:23 [nprobe.c:7307] Welcome to nProbe v.7.4.160623
for Windows
31/Oct/2016 19:57:23 [nprobe.c:6406] WARNING: You selected v9/IPFIX
without specifying a template (-T).
31/Oct/2016 19:57:23 [nprobe.c:6407] WARNING: The default template
will be used
31/Oct/2016 19:57:23 [nprobe.c:6412] Using NetFlow Packet Payload
Len: 1472
31/Oct/2016 19:57:23 [plugin.c:1030] 0 plugin(s) enabled
31/Oct/2016 19:57:23 [nprobe.c:6813] Each flow is 97 bytes long
31/Oct/2016 19:57:23 [nprobe.c:6814] The # packets per flow has been
set to 14
31/Oct/2016 19:57:23 [nprobe.c:6833] Non IPv4/v6 traffic is
discarded according to the template
31/Oct/2016 19:57:23 [nprobe.c:5490] Using packet capture length 128
31/Oct/2016 19:57:23 [nprobe.c:7529] Flows ASs will not be computed
(missing GeoIP support)
31/Oct/2016 19:57:23 [nprobe.c:7630] Not capturing packet from
interface (collector mode)
31/Oct/2016 19:57:23 [collect.c:147] Flow collector listening on
port 2055 (IPv4/v6)
31/Oct/2016 19:57:23 [nprobe.c:7855] nProbe started successfully


... with marginally better results (below)

IPV4_SRC_ADDR IPV4_DST_ADDR IPV4_NEXT_HOP INPUT_SNMP
OUTPUT_SNMP IN_PKTS IN_BYTES
xx.xxx.xx.xx xxx.xxx.xx.xx 0.0.0.0
0 5 2 92
xx.xx.x.xx xx.xxx.xx.xxx 0.0.0.0 5
0 265 24371
< continues>

But - only 0/5 interface numbers are represented - no other
interface numbers appear


5 is a legitimate interface number - but there are many more active
interface on the router supplying the netflow data

I need to see those as well - and I know they are active from wireshark
captures and from past results with a commercial tool I am being forced
to abandon:

Example from commercial product:

Source IP Source Port Destination IP Destination Port
State Protocol Last Time Duration Input
Interface Output Interface Total Packets Source Bytes
Destination Bytes
xxxxxxxxxxxxx 7800 xxxxxxxxxxx 22818
tcp 10/12/2016 22:52 0:19:03 2
5 133 3640 3276
xxxxxxxxxxxxx rtsp xxxxxxxxxxx 56528
tcp 10/12/2016 22:52 0:10:01 11
2 18874 19889754 0
xxxxxxxxxxxxx 62826 xxxxxxxxxxx 5401
tcp 10/12/2016 22:52 0:10:54 2
11 1044 176352 187134



The behavior I am seeing with nprobe is similar to what I have
experienced with the most recent version of nfdump/nfcapd.

I only see a small subset on interfaces being identified by snmp
interface index in the output.

And getting accurate association of flow to interface is my entire goal.

Is this possible with nprobe functioning as the collector - and if so -
how?

Thanks.... I can supply additional information if needed.





On 10/31/2016 05:04 PM, Simone Mainardi wrote:
> James, you are using an obsolete parameter for nProbe. See this issue:
> https://github.com/ntop/nProbe/issues/96
>
> Please, use the new parameter --collector-port
>
> Regards,
> Simone
>
> On Mon, Oct 31, 2016 at 8:59 PM, James A. Klun <jklun@microsolved.com
> <mailto:jklun@microsolved.com>> wrote:
>
>
> I am currently working with nprobe - a new user.
>
> nProbe v.7.4.160623 (r4597) for Windows
>
> I am specifically interested in capturing the snmp index number
> associated with flows
>
> My startup:
>
> C:\Program Files\nProbe>nprobe /c -nf-collector-port 2055
> -D t -P E:\nprobe
> Running nProbe for Windows.
> 31/Oct/2016 13:05:57 [nprobe.c:3404] Valid nProbe Pro
> license found
> 31/Oct/2016 13:05:57 [nprobe.c:4867] WARNING: The output
> interfaceId is set to 0: did you forget to use -Q perhaps ?
> 31/Oct/2016 13:05:57 [nprobe.c:4870] WARNING: The input
> interfaceId is set to 0: did you forget to use -u perhaps ?
> 31/Oct/2016 13:05:57 [nprobe.c:4970] Welcome to nProbe Pro
> v.7.4.160623 ($Revision: 4384 $) for Windows
> 31/Oct/2016 13:05:57 [nprobe.c:4980] Running on Windows
> 31/Oct/2016 13:05:57 [nprobe.c:4991] [LICENSE] nProbe
> SystemId: 2364757858-76046ad1
> 31/Oct/2016 13:05:57
> [nprobe.c:50http://listgateway.unipi.it/75
> <http://listgateway.unipi.it/75>] Dumping flow files every
> 60 sec into directory E:\nprobe
> 31/Oct/2016 13:05:57 [nprobe.c:5080] WARNING: -n parameter
> is missing. 127.0.0.1:2055 <http://127.0.0.1:2055> will be
> used.
> 31/Oct/2016 13:05:57 [nprobe.c:7307] Welcome to nProbe
> v.7.4.160623 for Windows
> 31/Oct/2016 13:05:57 [plugin.c:1030] 0 plugin(s) enabled
> 31/Oct/2016 13:05:57 [nprobe.c:6833] Non IPv4/v6 traffic
> is discarded according to the template
> 31/Oct/2016 13:05:57 [nprobe.c:5490] Using packet capture
> length 128
> 31/Oct/2016 13:05:57 [nprobe.c:7483] IPv6 traffic will NOT
> be exported/accounted by this probe
> 31/Oct/2016 13:05:57 [nprobe.c:7484] due to configuration
> options (e.g. use NetFlow v9)
> 31/Oct/2016 13:05:57 [nprobe.c:7529] Flows ASs will not be
> computed (missing GeoIP support)
> 31/Oct/2016 13:05:57 [nprobe.c:7632] Capturing packets
> from interface
> \Device\NPF_{1AECA7A0-923C-4ADF-BB31-46E5A3C131F7}
> [snaplen: 128 bytes]
> 31/Oct/2016 13:05:57 [nprobe.c:7855] nProbe started
> successfully
>
>
> The resulting text files look like below:
>
> IPV4_SRC_ADDR IPV4_DST_ADDR IPV4_NEXT_HOP
> INPUT_SNMP OUTPUT_SNMP IN_PKTS IN_BYTES
> FIRST_SWITCHED LAST_SWITCHED L4_SRC_PORT
> 10.x.x.x 10.x.x.x 0.0.0.0
> 0 0 2 1314
> 1477937430 1477937430 64567
> 10.x.x.x 10.x.x.x 0.0.0.0
> 0 0 1 132
> 1477937430 1477937430 1918
> ...... continues ......
>
>
> ALL input interfaces show as "0"
>
> Using wireshark I have verified the V9/IPFIX netflow data IS being
> delivered and the interface information is in the flowsets.
>
> >> Cisco NetFlow/IPFIX
> >> Version: 9
> >> Count: 38
> >> SysUptime: 261103507
> >> Timestamp: Oct 28, 2016 21:12:22.000000000 EDT
> >> CurrentSecs: 1477703542
> >> FlowSequence: 159997
> >> SourceId: 2304
> >> FlowSet 1
> >> FlowSet Id: (Data) (264)
> >> FlowSet Length: 1336
> >> Flow 1
> >> SrcAddr: 122.x.x.x.(122.x.x.x)
> >> DstAddr: 122.x.x.x (122.x.x.x)
> >> IP ToS: 0x68
> >> Protocol: 17
> >> SrcPort: 20903
> >> DstPort: 53
> >> OutputInt: 9 ===> interface number appears
> (and interface is in fact active )
> >> Direction: Egress (1)
> >> Octets: 79
> >> Packets: 1
>
>
> What's required to get the interface numbers to be recognized and
> recorded by nprobe?
>
>
>
>
>
>
> _______________________________________________
> Ntop mailing list
> Ntop@listgateway.unipi.it <mailto:Ntop@listgateway.unipi.it>
> http://listgateway.unipi.it/mailman/listinfo/ntop
> <http://listgateway.unipi.it/mailman/listinfo/ntop>
>
>
>
>
> _______________________________________________
> Ntop mailing list
> Ntop@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop


--
James A. Klun jklun@microsolved.com
Security Engineer (614) 351 - 1237
PGP Key Available by Request
MicroSolved is security expertise you can trust!

HoneyPoint Security Server
Attackers get stung, instead of you!
http://www.microsolved.com/honeypoint