Mailing List Archive

Understanding nprobe
Hello everybody,

I have built up a virtual test environment to get familiar with flow
monitoring. I installed ntop on a server and nprobe on a gateway
(which provides access to the internet). I hoped that nprobe would collect all
the traffic/flows and send them to the ntop server. But it does not work
for me. I don't see any flows when I check the ntop web GUI. Both
machines can ping each other and there is no firewall between them.

I used the following configuration:

Ntop-server (ip-address: 194.95.66.100, interface: enp0s8):

- ntopng -i enp0s8 -i tcp://8.8.8.1:5556

Gateway (ip-address: 8.8.8.1, interface: enp0s8):

- nprobe --zmq tcp://8.8.8.1:5556 -i enp0s8 -n none -T @NTOPNG@

If I check the sockets with "ss", there is an established ZMQ connection
listed between these two servers. I can also choose the interface
"tcp://8.8.8.1:5556" in the ntop web GUI. But no traffic is
reported to ntop. I generated traffic with iperf from a
third server. This traffic transited the gateway interface enp0s8 with
the IP address 8.8.8.1.

Is it possible that I misunderstood the function of nprobe? Can I use
only nprobe instead of sFlow to collect flows, or is it necessary to
combine them? I hope someone can help me. Thank you very much in advance.

Regards,

Andreas
Re: Understanding nprobe
Hi Andreas,


> On 28 Jun 2019, at 10:50, Andreas Brück <andreas.brueck@its.h-brs.de> wrote:
>
> Hello everybody,
>
> I have built up a virtual test environment to get familiar with flow monitoring. I installed ntop on a server and nprobe on a gateway (which provides access to the internet). I hoped that nprobe would collect all the traffic/flows and send them to the ntop server. But it does not work for me. I don't see any flows when I check the ntop web GUI. Both machines can ping each other and there is no firewall between them.
>
> I used the following configuration:
>
> Ntop-server (ip-address: 194.95.66.100, interface: enp0s8):
>
> - ntopng -i enp0s8 -i tcp://8.8.8.1:5556
>
> Gateway (ip-address: 8.8.8.1, interface: enp0s8):
>
> - nprobe --zmq tcp://8.8.8.1:5556 -i enp0s8 -n none -T @NTOPNG@
>
>

I think it could just be something related to the address of the ZMQ endpoint. Check if ntopng can connect to address 8.8.8.1 port 5556, and also check if nprobe can bind to address 8.8.8.1 port 5556 on the machine where it's running. Just look at the output of both programs and you'll see if there are errors. If ntopng and nprobe are communicating successfully, you should see increasing counters for flows and updates in the interface details page of the ntopng UI.

Note that you can also use nprobe in the so-called --zmq-probe-mode if necessary. Have a look at https://www.ntop.org/nprobe/best-practices-for-the-collection-of-flows-with-ntopng-and-nprobe/



> If I check the sockets with "ss", there is an established ZMQ connection listed between these two servers. I can also choose the interface "tcp://8.8.8.1:5556" in the ntop web GUI. But no traffic is reported to ntop. I generated traffic with iperf from a third server. This traffic transited the gateway interface enp0s8 with the IP address 8.8.8.1.
>
> Is it possible that I misunderstood the function of nprobe? Can I use only nprobe instead of sFlow to collect flows, or is it necessary to combine them? I hope someone can help me. Thank you very much in advance.
>
> Regards,
>
> Andreas
>
>
> _______________________________________________
> Ntop mailing list
> Ntop@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop
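As an added example (not from the thread or from the ntop project), a small POSIX shell helper that mechanically does what the reply suggests: parse the ZMQ endpoint given on each side, confirm that the nprobe `--zmq` value and the ntopng `-i tcp://...` value are the same `tcp://HOST:PORT`, then check that the probe host really has a listener on it and that the collector host can reach it. It assumes `ss` and `nc` are installed and uses the thread's endpoint `tcp://8.8.8.1:5556` as the sample value.

```shell
# Parse a ZMQ endpoint of the form tcp://HOST:PORT.
# Prints "HOST PORT" on success; returns 1 on anything malformed.
zmq_endpoint_parts() {
    ep="$1"
    case "$ep" in
        tcp://*:*) ;;
        *) return 1 ;;
    esac
    hostport="${ep#tcp://}"
    host="${hostport%:*}"
    port="${hostport##*:}"
    # Port must be purely numeric, host must not be empty.
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ -n "$host" ] || return 1
    printf '%s %s\n' "$host" "$port"
}

# Succeeds only when the endpoint nprobe exports to (--zmq) and the one
# ntopng collects from (-i tcp://...) are identical; a mismatch here is
# the kind of addressing error the reply asks to rule out first.
zmq_endpoints_match() {
    a=$(zmq_endpoint_parts "$1") || return 1
    b=$(zmq_endpoint_parts "$2") || return 1
    [ "$a" = "$b" ]
}

# Run on the nprobe host: is a TCP listener bound on HOST:PORT?
# Accepts a wildcard bind (0.0.0.0 or *) as well as the exact address.
zmq_probe_listening() {
    parts=$(zmq_endpoint_parts "$1") || return 1
    host=${parts% *}; port=${parts#* }
    ss -Hltn "sport = :$port" | grep -Eq "(\*|0\.0\.0\.0|$host):$port"
}

# Run on the ntopng host: can a TCP connection be opened to the endpoint?
zmq_collector_can_connect() {
    parts=$(zmq_endpoint_parts "$1") || return 1
    host=${parts% *}; port=${parts#* }
    nc -z -w 3 "$host" "$port"
}

# Sample values taken from the thread's two command lines.
NPROBE_ZMQ="tcp://8.8.8.1:5556"
NTOPNG_ZMQ="tcp://8.8.8.1:5556"
zmq_endpoints_match "$NPROBE_ZMQ" "$NTOPNG_ZMQ" \
    && echo "endpoints match: $NPROBE_ZMQ" \
    || echo "endpoint mismatch: nprobe=$NPROBE_ZMQ ntopng=$NTOPNG_ZMQ"
```

Run `zmq_probe_listening "$NPROBE_ZMQ"` on the gateway and `zmq_collector_can_connect "$NTOPNG_ZMQ"` on the ntopng server; if either fails, the ZMQ link is not up regardless of what the ntopng UI shows as a selectable interface.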