Mailing List Archive

Sampling factor for Flows
Hi,

I’ve just bought a license for nprobe so I can test without the 25k flow limit, the setup is simple:

[Cisco] -> Netflow V9 -> [nprobe] -> zmq -> [ntopng]

The Cisco uses 1 in 20 sampling for Netflow, but I can’t seem to find where to inform nprobe (or ntopng) of this sampling? The result of this is that all data in ntopng is shown as 1/20th of real rates.

One of the other programs we use to analyse Netflow data here has a parameter for it, which is:

netflow_sampling_ratio = 20

So that it knows to 'upscale' the flow data, essentially, I’m just looking for this parameter in nprobe/ntopng.

The only one I found is within nprobe and looks like this:

[--sample-rate|-S] : <pkt rate>:<flow rate>
| Packet capture sampling rate and flow
| sampling rate. If starts with
| '@' it means that nprobe will report
| the specified sampling rate but will
| not sample itself as incoming packets
| are already sampled on the specified
| capture device at the specified rate.
| Default: 1:1 [no sampling]

However – this doesn’t seem to let me configure a sampling rate for flows for ‘reporting only’. Just a sample ratio for mirrored traffic, which of course I’m not using.

Any input welcome - Cheers!

ROBERT WILLIAMS
TECHNICAL DIRECTOR

Custodian Data Centres
Tel: +44 (0) 1622 230382 || E-Mail: mailto:Robert@CustodianDC.com
http://www.CustodianDC.com

Disclaimer: https://www.CustodianDC.com/email-disclaimer
Registered Office: Vinters Business Park, New Cut Rd, Maidstone, ME14 5NZ.
Company Number: 07878023




_______________________________________________
Ntop mailing list
Ntop@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop
Re: Sampling factor for Flows
Robert,

See option

[--collector-sample-rate] <value> | Specify the bytes/pkts collection
sample rate (NetFlow only).


Regards,
Simone

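Added example, not part of the original thread and not ntop or Cisco code: a NetFlow v9 exporter can announce its sampling rate in-band through an options record (field type 34, SAMPLING_INTERVAL, in RFC 3954), and a collector that sees it can upscale counters itself. The Python sketch below parses a constructed packet (`SAMPLE`) and scales bytes and packets; the names `parse_v9`, `fields` and `flowset` are illustrative, and it assumes one template per template flowset.

```python
import struct
IN_BYTES, IN_PKTS, SAMPLING_INTERVAL = 1, 2, 34   # RFC 3954 field types

def fields(buf, off, n, scope=False):   # scope types are tagged: scope 1 != IN_BYTES
    return [(("scope", t) if scope else t, l)
            for t, l in struct.iter_unpack("!HH", buf[off:off + 4 * n])]

def parse_v9(packet, templates, exporter):
    """Return [(bytes, pkts)] for one packet, upscaled by the announced rate."""
    if struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not NetFlow v9")
    flows, off = [], 20                           # fixed 20-byte header
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("truncated flowset")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                            # data template
            tid, n = struct.unpack_from("!HH", body)
            templates[tid] = fields(body, 4, n)
        elif fs_id == 1:                          # options template
            tid, scope_len, opt_len = struct.unpack_from("!HHH", body)
            templates[tid] = (fields(body, 6, scope_len // 4, scope=True)
                              + fields(body, 6 + scope_len, opt_len // 4))
        elif fs_id in templates:                  # flow or options records
            tmpl, pos = templates[fs_id], 0
            size = sum(l for _, l in tmpl)
            while size and pos + size <= len(body):
                rec = {}
                for key, l in tmpl:
                    rec[key] = int.from_bytes(body[pos:pos + l], "big")
                    pos += l
                if SAMPLING_INTERVAL in rec:      # exporter announced 1-in-N
                    exporter["rate"] = rec[SAMPLING_INTERVAL]
                elif IN_BYTES in rec:
                    n = exporter.get("rate") or 1 # unscaled until a rate is seen
                    flows.append((rec[IN_BYTES] * n, rec.get(IN_PKTS, 0) * n))
        off += fs_len
    return flows

def flowset(fs_id, payload):                      # add header, pad to 4 bytes
    payload += b"\0" * (-len(payload) % 4)
    return struct.pack("!HH", fs_id, len(payload) + 4) + payload

# Constructed packet: options template 256 + record (rate 20), template 257 + one flow.
SAMPLE = (struct.pack("!HHIIII", 9, 4, 0, 0, 0, 0)
          + flowset(1, struct.pack("!7H", 256, 4, 4, 1, 4, SAMPLING_INTERVAL, 4))
          + flowset(256, struct.pack("!II", 0, 20))
          + flowset(0, struct.pack("!6H", 257, 2, IN_BYTES, 4, IN_PKTS, 4))
          + flowset(257, struct.pack("!II", 1500, 3)))
```

Flows that arrive before any sampling record are left unscaled, which reproduces the 1/20th readings described in the question.
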
Re: Sampling factor for Flows
Hi Simone,

Many thanks for that! All sorted now, although I can’t see it in my documentation here unless I’ve got an old version of the docs perhaps?

Cheers!!

From: ntop-bounces@listgateway.unipi.it [mailto:ntop-bounces@listgateway.unipi.it] On Behalf Of Simone Mainardi
Sent: 26 January 2017 14:44
To: ntop@unipi.it
Subject: Re: [Ntop] Sampling factor for Flows

Robert,

See option

[--collector-sample-rate] <value> | Specify the bytes/pkts collection sample rate (NetFlow only).


Regards,
Simone
Robert Williams
Technical Director
Custodian Data Centres
Re: Sampling factor for Flows
Hi Robert,

On Thu, Jan 26, 2017 at 5:35 PM, Robert Williams <Robert@custodiandc.com>
wrote:

> Hi Simone,
>
>
>
> Many thanks for that! All sorted now, although I can’t see it in my
> documentation here unless I’ve got an old version of the docs perhaps?
>

Actually the latest nProbe User Guide contains that option so very likely
you have an outdated guide.

Regards,


Simone


Re: Sampling factor for Flows
On 26/01/17 15:09, Robert Williams wrote:
> The Cisco uses 1 in 20 sampling for Netflow
Sorry for deviation, do you know what Ciscos use it? I have very strange
results with ntop+netflow on Cisco ASA here (fw 9.6.2), but cannot find
time to investigate. No Cisco ASA documents on netflow mention any
sampling rate.

With Best Regards,
Marat Khalili
Re: Sampling factor for Flows
Marat,

Typically Cisco ASA emits flows on the basis of an event such as, for
example, "a Flow is deleted" or "a Flow is denied". You have to configure
your ASA in order to get proper flow exports for the events you care about.

This is the Cisco ASA NetFlow implementation guide that explains it in detail:
https://www.cisco.com/c/en/us/td/docs/security/asa/special/netflow/guide/asa_netflow.html

Regards,
Simone

On Mon, Jan 30, 2017 at 9:01 AM, Marat Khalili <mkh@rqc.ru> wrote:

> On 26/01/17 15:09, Robert Williams wrote:
>
>> The Cisco uses 1 in 20 sampling for Netflow
>>
> Sorry for deviation, do you know what Ciscos use it? I have very strange
> results with ntop+netflow on Cisco ASA here (fw 9.6.2), but cannot find
> time to investigate. No Cisco ASA documents on netflow mention any sampling
> rate.