Mailing List Archive

How is --ignore-vlans supposed to work?
Hi,

In an attempt to fix the issues I mentioned a few days ago, I am trying to validate the theory that nprobe and/or ntopng are doubling up flows because certain traffic (not all traffic) passes through our equipment twice on different VLANs. When looking at the flows in ntopng, I see two flows for everything. The only difference is the VLAN; source IP, dest IP, packets, bytes, speed, etc. are all identical as expected.

Some posts online suggest there are ways to ignore VLANs and I have tried the following.

In /etc/nprobe/nprobe.conf:
-p=0/1/1/1/0/0/0

In /etc/ntopng/ntopng.conf:
--ignore-vlans=

Perhaps the options don't function as I assumed they would. At any rate, the end result is that ntopng still shows duplicate flows and the list under Hosts -> VLANs continues to populate with data.

Here are the entire nprobe and ntopng configuration files. I am not able to spot a typo such as a missing '=' that might cause a line to be interpreted as the option to the line right above it. Maybe I've overlooked something.

nprobe.conf
-i=none
-n=none
-3=2055
--zmq=tcp://127.0.0.1:5556
-T="@NTOPNG@"
-V=9
--idle-timeout=30
--lifetime-timeout=600
--disable-cache=
--enable-ipv4-deduplication=
--verbose=1
-p=0/1/1/1/0/0/0
--local-networks=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,208.118.68.0/24,208.118.95.34/32
--local-traffic-direction=

ntopng.conf
-G=/var/run/ntopng.pid
-i=tcp://127.0.0.1:5556
--local-networks="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,208.118.68.0/24,208.118.95.34/32"
--ignore-vlans=


Thanks,
Gerard Beekmans
Sr. Network Engineer
First Nations Technical Services Advisory Group Inc.
Phone: 780-638-2739
Fax: 780-483-8632
Helpdesk: 1-888-999-3356
Email: gbeekmans@tsag.net
Santa Fe Plaza
18232 - 102 Avenue NW
Edmonton, AB T5S 1S7
http://www.tsag.net
Re: How is --ignore-vlans supposed to work?
Gerard,

You may try to enable disaggregation by VLAN id. Please check out
https://www.ntop.org/guides/ntopng/advanced_features/dynamic_interfaces_disaggregation.html.

If you still have traffic duplication troubles, please send us a pcap
file with some Netflow traffic to replay in our lab. Please contact me
privately for this and I'll send you instructions.

Regards,

Emanuele

On 1/16/19 7:41 PM, Gerard Beekmans wrote:
>
> Hi,
>
> In an attempt to fix the issues I mentioned a few days ago, I am
> trying to validate the theory that nprobe and/or ntopng are doubling
> up flows because certain traffic (not all traffic) passes through our
> equipment twice on different VLANs. When looking at the flows in
> ntopng, I see two flows for everything. The only difference is the
> VLAN; source IP, dest IP, packets, bytes, speed, etc. are all identical
> as expected.
>
> Some posts online suggest there are ways to ignore VLANs and I have
> tried the following.
>
> In /etc/nprobe/nprobe.conf:
> -p=0/1/1/1/0/0/0
>
> In /etc/ntopng/ntopng.conf:
> --ignore-vlans=
>
> Perhaps the options don't function as I assumed they would. At any
> rate, the end result is that ntopng still shows duplicate flows and
> the list under Hosts -> VLANs continues to populate with data.
>
> Here are the entire nprobe and ntopng configuration files. I am not
> able to spot a typo such as a missing '=' that might cause a
> line to be interpreted as the option to the line right above it. Maybe
> I've overlooked something.
>
> nprobe.conf
> -i=none
> -n=none
> -3=2055
> --zmq=tcp://127.0.0.1:5556
> -T="@NTOPNG@"
> -V=9
> --idle-timeout=30
> --lifetime-timeout=600
> --disable-cache=
> --enable-ipv4-deduplication=
> --verbose=1
> -p=0/1/1/1/0/0/0
> --local-networks=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,208.118.68.0/24,208.118.95.34/32
> --local-traffic-direction=
>
> ntopng.conf
> -G=/var/run/ntopng.pid
> -i=tcp://127.0.0.1:5556
> --local-networks="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,208.118.68.0/24,208.118.95.34/32"
> --ignore-vlans=
>
> Thanks,
>
> Gerard Beekmans
> Sr. Network Engineer
> First Nations Technical Services Advisory Group Inc.
> Phone: 780-638-2739
> Fax: 780-483-8632
> Helpdesk: 1-888-999-3356
> Email: gbeekmans@tsag.net
>
> Santa Fe Plaza
> 18232 - 102 Avenue NW
> Edmonton, AB T5S 1S7
> http://www.tsag.net
Re: How is --ignore-vlans supposed to work?
Hi,

> On 16 Jan 2019, at 19:41, Gerard Beekmans <gbeekmans@tsag.net> wrote:
>
> Hi,
>
> In an attempt to fix the issues I mentioned a few days ago, I am trying to validate the theory that nprobe and/or ntopng are doubling up flows because certain traffic (not all traffic) passes through our equipment twice on different VLANs. When looking at the flows in ntopng, I see two flows for everything. The only difference is the VLAN; source IP, dest IP, packets, bytes, speed, etc. are all identical as expected.
>
> Some posts online suggest there are ways to ignore VLANs and I have tried the following.
>
> In /etc/nprobe/nprobe.conf:
> -p=0/1/1/1/0/0/0

to ignore VLANs

-p="0/1/1/1/1/1/1"

>
> In /etc/ntopng/ntopng.conf:
> --ignore-vlans=

OK, this option was ignored when ntopng was collecting from nProbe. I've fixed it, a new build should be available in the next couple of hours.

>
> Perhaps the options don’t function as I assumed they would. At any rate, the end result is that ntopng still shows duplicate flows and the list under Hosts -> VLANs continues to populate with data.
>
> Here are the entire nprobe and ntopng configuration files. I am not able to spot a typo such as a missing ‘=’ that might cause a line to be interpreted as the option to the line right above it. Maybe I’ve overlooked something.
>
> nprobe.conf
> -i=none
> -n=none
> -3=2055
> --zmq=tcp://127.0.0.1:5556
> -T="@NTOPNG@"
> -V=9
> --idle-timeout=30
> --lifetime-timeout=600
> --disable-cache=
> --enable-ipv4-deduplication=
> --verbose=1
> -p=0/1/1/1/0/0/0
> --local-networks=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,208.118.68.0/24,208.118.95.34/32
> --local-traffic-direction=
>
> ntopng.conf
> -G=/var/run/ntopng.pid
> -i=tcp://127.0.0.1:5556
> --local-networks="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,208.118.68.0/24,208.118.95.34/32"
> --ignore-vlans=
>
>
> Thanks,
> Gerard Beekmans
> Sr. Network Engineer
> First Nations Technical Services Advisory Group Inc.
> Phone: 780-638-2739
> Fax: 780-483-8632
> Helpdesk: 1-888-999-3356
> Email: gbeekmans@tsag.net
> Santa Fe Plaza
> 18232 - 102 Avenue NW
> Edmonton, AB T5S 1S7
> http://www.tsag.net
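
Added example (not part of the original thread, and not ntop code): a quick way to confirm the symptom described in this thread, flows that are identical except for the VLAN tag, from a set of exported flow records. The record field names and the sample values are constructed for illustration and are not an ntopng or nprobe export format.

```python
from collections import defaultdict

# Constructed sample records; field names are hypothetical.
SAMPLE_FLOWS = [
    # Same conversation reported twice, once per VLAN it crossed.
    {"vlan": 10, "src": "10.1.1.5", "dst": "192.168.20.7", "sport": 51514,
     "dport": 443, "proto": 6, "pkts": 42, "bytes": 31870},
    {"vlan": 20, "src": "10.1.1.5", "dst": "192.168.20.7", "sport": 51514,
     "dport": 443, "proto": 6, "pkts": 42, "bytes": 31870},
    # Seen on one VLAN only: not a duplicate.
    {"vlan": 10, "src": "10.1.1.9", "dst": "172.16.4.2", "sport": 40022,
     "dport": 22, "proto": 6, "pkts": 15, "bytes": 2210},
    # Same 5-tuple as the first flow but different counters: a distinct record.
    {"vlan": 30, "src": "10.1.1.5", "dst": "192.168.20.7", "sport": 51514,
     "dport": 443, "proto": 6, "pkts": 7, "bytes": 980},
]

# Everything the thread says is identical between the two copies, VLAN excluded.
SIGNATURE = ("src", "dst", "sport", "dport", "proto", "pkts", "bytes")


def find_vlan_duplicates(flows):
    """Map each flow signature seen on more than one VLAN to its sorted VLAN ids."""
    vlans_by_sig = defaultdict(set)
    for flow in flows:
        sig = tuple(flow[field] for field in SIGNATURE)
        vlans_by_sig[sig].add(flow["vlan"])
    return {sig: sorted(v) for sig, v in vlans_by_sig.items() if len(v) > 1}


def overcounted_bytes(flows):
    """Bytes counted more than once when VLAN-only duplicates are summed."""
    byte_pos = SIGNATURE.index("bytes")
    return sum(sig[byte_pos] * (len(vlans) - 1)
               for sig, vlans in find_vlan_duplicates(flows).items())


if __name__ == "__main__":
    for sig, vlans in find_vlan_duplicates(SAMPLE_FLOWS).items():
        print("duplicate across VLANs", vlans, dict(zip(SIGNATURE, sig)))
    print("over-counted bytes:", overcounted_bytes(SAMPLE_FLOWS))
```

Running the same check before and after a configuration change shows whether the VLAN is still being used to tell flows apart.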