Hello Simone,
> Please, generate a pcap of what nprobe is getting on port 6343 and upload it somewhere for our inspection.
I've the cap file, where do you want me to upload it ?
> Note that typically port 6343 (the one you're using with nprobe) is used by sFlow exporters. So maybe there's some other exporter and you are collecting its traffic rather than the one of meraki?
No, he's me that have configured the meraki to send to this port number.
Gerhard,
On May 24, 2018, at 6:07 AM, Simone Mainardi <mainardi@ntop.org<mailto:mainardi@ntop.org>> wrote:
Gerard,
On 22 May 2018, at 14:32, Gerhard Mourani <GMourani@prival.ca<mailto:GMourani@prival.ca>> wrote:
Simone,
There is no so much configuration available on the Meraki device to setup Netflow. Only, enable it, define IP of the collector and port (
https://documentation.meraki.com/MX-Z/Monitoring_and_Reporting/NetFlow_Overview).
Please, generate a pcap of what nprobe is getting on port 6343 and upload it somewhere for our inspection. The command is the following (let it run for a minute):
tcpdump -i any port 6343 -s 0 -w port6343.pcap
According to the Cisco documentation, Meraki use Netflow v9 but ntopng report that sFlow is received and returned to the Meraki device !
Note that typically port 6343 (the one you're using with nprobe) is used by sFlow exporters. So maybe there's some other exporter and you are collecting its traffic rather than the one of meraki?
Also, if I'm correct here, nProbe use Netflow to send to ntopng, so how can Netflow v9 to Netflow collector (nProbe) to ntopng become sFlow ?
Gerhard,
On May 20, 2018, at 3:59 AM, Simone Mainardi <mainardi@ntop.org<mailto:mainardi@ntop.org>> wrote:
Gerhard,
So that looks more like a Meraki configuration issue. It seems that the Meraki is doing sFlow on its own generated sFlow traffic. Basically it sends sFlow packets, then the sFlow process samples sFlow packets and, in turn, it triggers the generation of additional sFlow packets and so on. This 'amplification' also explain why you are seeing a huge amount of 100% sent sFlow traffic. Please check that config.
Simone
On 17 May 2018, at 15:10, Gerhard Mourani <GMourani@prival.ca<mailto:GMourani@prival.ca>> wrote:
Yes
On May 17, 2018, at 9:03 AM, Simone Mainardi <mainardi@ntop.org<mailto:mainardi@ntop.org>> wrote:
On 17 May 2018, at 14:30, Gerhard Mourani <GMourani@prival.ca<mailto:GMourani@prival.ca>> wrote:
Hi Simone,
Here the ntopng and nNrobe configuration used.
Ntopng:
--interface eth0
--interface tcp://127.0.0.1:5556
--local-networks 172.22.9.0/24,192.168.0.0/16,172.22.0.0/16,10.0.0.0/8
--daemon
--user ntopng
--pid /var/run/ntopng/ntopng.pid
--http-port 0
--https-port :3001
--data-dir /var/lib/nst/ntopng
--dns-mode 1
--disable-autologout
--disable-login 0
--sticky-hosts none
--http-prefix /ntopng
--ndpi-protocols /etc/ntopng/protos.txt
nProbe:
/usr/local/bin/nprobe -i none -n none --zmq tcp://*:5556 -b 2 -3 6343 --online-license-check --as-list=/usr/share/ntopng/httpdocs/geoip/GeoIPASNum.dat --city-list=/usr/share/ntopng/httpdocs/geoip/GeoLiteCity.dat -G --pid-file /var/run/nprobe/nprobe.pid -V 9 --disable-cache --zmq-disable-buffering
I don't know if I can attach pictures to this message to explain what I mean by saying that my collector ntopng return sflow to the remote Meraki device.
Traffic from my collector IP is almost 100% sent and when I check the Protocol detail, it show that it's sFlow (Sent 100%) to my remote Meraki device under the Peers tab!
Are you sure you have selected interface tcp://127.0.0.1:5556 from the ntopng interfaces dropdown menu?
Gerhard,
On May 17, 2018, at 3:53 AM, Simone Mainardi <mainardi@ntop.org<mailto:mainardi@ntop.org>> wrote:
Gerhard,
Can you enclose nProbe and ntopng configurations used as well as an example of what you mean with 'my collector return the flow to the Meraki device'?
Thank you
On 16 May 2018, at 19:59, Gerhard Mourani <GMourani@prival.ca<mailto:GMourani@prival.ca>> wrote:
Hello,
I've activated Netflow v9 on Cisco Meraki and receive flow on nProbe (v 8.2.171206-5975) correctly. The problem is that my collector (ntopng v 3.2) return the flow to the Meraki device and I don't understand why? This generate lot of data in our case ~1TB per hour for sflow!.
Regards,
_______________________________________________
Ntop mailing list
Ntop@listgateway.unipi.it<mailto:Ntop@listgateway.unipi.it>
http://listgateway.unipi.it/mailman/listinfo/ntop _______________________________________________
Ntop mailing list
Ntop@listgateway.unipi.it<mailto:Ntop@listgateway.unipi.it>
http://listgateway.unipi.it/mailman/listinfo/ntop _______________________________________________
Ntop mailing list
Ntop@listgateway.unipi.it<mailto:Ntop@listgateway.unipi.it>
http://listgateway.unipi.it/mailman/listinfo/ntop _______________________________________________
Ntop mailing list
Ntop@listgateway.unipi.it<mailto:Ntop@listgateway.unipi.it>
http://listgateway.unipi.it/mailman/listinfo/ntop _______________________________________________
Ntop mailing list
Ntop@listgateway.unipi.it<mailto:Ntop@listgateway.unipi.it>
http://listgateway.unipi.it/mailman/listinfo/ntop _______________________________________________
Ntop mailing list
Ntop@listgateway.unipi.it<mailto:Ntop@listgateway.unipi.it>
http://listgateway.unipi.it/mailman/listinfo/ntop _______________________________________________
Ntop mailing list
Ntop@listgateway.unipi.it<mailto:Ntop@listgateway.unipi.it>
http://listgateway.unipi.it/mailman/listinfo/ntop _______________________________________________
Ntop mailing list
Ntop@listgateway.unipi.it<mailto:Ntop@listgateway.unipi.it>
http://listgateway.unipi.it/mailman/listinfo/ntop