Mailing List Archive

Assistance with nProbe with Accolade Cards
Hello Everyone,

I am trying to parse GTPv2 traffic using nProbe, PF_RING for Accolade Cards.
We also have purchased the GTPv2 plugin.

Currently, my nprobe config file looks like this:
-g=/var/run/nprobe.pid
-G=
-i=anic:0
-n=none
--dump-path=/var/log/nprobe
--cpu-affinity=2,3,4,5
--discard-unknown-flows=1
--verbose=2
--dump-format=b
--capture-direction=1
--drop-flow-no-plugin
--imsi-aggregation
--aggregate-gtp-tunnels

I am not sure how to check which accolade card is being used currently. Is
there a way someone can point me to figure out which accolade card number
to use in the interface section of the nprobe.conf file.

Also I need to see the entire IP packet after it has been parsed by nProbe.
I need to dump the file in the local disk as well.

I will be more than happy to provide more information if required.

Thanks and Regards,
-=Srijan Nandi
Re: Assistance with nProbe with Accolade Cards [ In reply to ]
Hi
please check https://www.ntop.org/guides/pf_ring/modules/accolade.html for the port naming convention,
you can use pfcount on the same interface to check if traffic is flowing and print statistics.
As for the packet dump, do you mean raw packets to pcap files?

Alfredo

> On 10 Sep 2019, at 17:05, Srijan Nandi <srijan.nandi@gmail.com> wrote:
>
> Hello Everyone,
>
> I am trying to parse GTPv2 traffic using nProbe, PF_RING for Accolade Cards. We also have purchased the GTPv2 plugin.
>
> Currently, my nprobe config file looks like this:
> -g=/var/run/nprobe.pid
> -G=
> -i=anic:0
> -n=none
> --dump-path=/var/log/nprobe
> --cpu-affinity=2,3,4,5
> --discard-unknown-flows=1
> --verbose=2
> --dump-format=b
> --capture-direction=1
> --drop-flow-no-plugin
> --imsi-aggregation
> --aggregate-gtp-tunnels
>
> I am not sure how to check which accolade card is being used currently. Is there a way someone can point me to figure out which accolade card number to use in the interface section of the nprobe.conf file.
>
> Also I need to see the entire IP packet after it has been parsed by nProbe. I need to dump the file in the local disk as well.
>
> I will be more than happy to provide more information if required.
>
> Thanks and Regards,
> -=Srijan Nandi
> _______________________________________________
> Ntop mailing list
> Ntop@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop
Re: Assistance with nProbe with Accolade Cards [ In reply to ]
Thank you, Alfredo for the prompt response.

As for the packet dump, do you mean raw packets to pcap files?

--My setup is such that I need to capture the raw packets and then push
them to elasticsearch so that I can see them on the kibana dashboard.

Now if I get pcap files, I will have to run them through an application
that can read pcaps (like tcpdump or suricata) and then push it to
elasticsearch.

Thanks and regards,
-=Srijan Nandi


On Tue, 10 Sep 2019 at 20:49, Alfredo Cardigliano <cardigliano@ntop.org>
wrote:

> Hi
> please check https://www.ntop.org/guides/pf_ring/modules/accolade.html for
> the port naming convention,
> you can use pfcount on the same interface to check if traffic is flowing
> and print statistics.
> As for the packet dump, do you mean raw packets to pcap files?
>
> Alfredo
>
> On 10 Sep 2019, at 17:05, Srijan Nandi <srijan.nandi@gmail.com> wrote:
>
> Hello Everyone,
>
> I am trying to parse GTPv2 traffic using nProbe, PF_RING for Accolade Cards.
> We also have purchased the GTPv2 plugin.
>
> Currently, my nprobe config file looks like this:
> -g=/var/run/nprobe.pid
> -G=
> -i=anic:0
> -n=none
> --dump-path=/var/log/nprobe
> --cpu-affinity=2,3,4,5
> --discard-unknown-flows=1
> --verbose=2
> --dump-format=b
> --capture-direction=1
> --drop-flow-no-plugin
> --imsi-aggregation
> --aggregate-gtp-tunnels
>
> I am not sure how to check which accolade card is being used currently. Is
> there a way someone can point me to figure out which accolade card number
> to use in the interface section of the nprobe.conf file.
>
> Also I need to see the entire IP packet after it has been parsed by
> nProbe. I need to dump the file in the local disk as well.
>
> I will be more than happy to provide more information if required.
>
> Thanks and Regards,
> -=Srijan Nandi
> _______________________________________________
> Ntop mailing list
> Ntop@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop
>
>
> _______________________________________________
> Ntop mailing list
> Ntop@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop



--
-=Srijan Nandi
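The pcap-to-Elasticsearch step described in the reply above can be done without a second capture tool. The following is an added example, not code from the thread, from nProbe or from ntop: a stdlib-only Python script that walks a libpcap file, decodes the GTPv2-C header (3GPP TS 29.274, UDP port 2123) of each packet and emits NDJSON for the Elasticsearch _bulk API. The sample pcap bytes, the index name and the document field names are constructed for this example; the IP checksum in the sample is left at zero because the parser does not verify it.

```python
import json
import struct
from typing import Dict, Iterator, Tuple

GTPV2C_PORT = 2123  # GTPv2-C signalling port (3GPP TS 29.274)

# Subset of message types from 3GPP TS 29.274 table 6.1-1
GTPV2_MSG_TYPES = {
    1: "Echo Request", 2: "Echo Response",
    32: "Create Session Request", 33: "Create Session Response",
    34: "Modify Bearer Request", 35: "Modify Bearer Response",
    36: "Delete Session Request", 37: "Delete Session Response",
}


def iter_pcap(data: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp, frame) from a classic libpcap file, either byte order."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    _, _, _, _, _, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != 1:
        raise ValueError("only DLT_EN10MB (Ethernet) is handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break  # truncated file: stop rather than emit a partial frame
        off += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def parse_gtpv2_header(payload: bytes) -> Dict:
    """Decode the fixed GTPv2-C header: flags, type, length, optional TEID, sequence."""
    if len(payload) < 8:
        raise ValueError("short GTPv2 header")
    flags, msg_type, msg_len = struct.unpack("!BBH", payload[:4])
    version = flags >> 5
    if version != 2:
        raise ValueError(f"GTP version {version}, not 2")
    hdr = {"message_type": msg_type,
           "message_name": GTPV2_MSG_TYPES.get(msg_type, "Unknown"),
           "length": msg_len,               # octets after the first 4
           "piggybacked": bool(flags & 0x10)}
    off = 4
    if flags & 0x08:                         # T flag: 32-bit TEID present
        if len(payload) < 12:
            raise ValueError("short GTPv2 header (TEID)")
        hdr["teid"] = struct.unpack("!I", payload[4:8])[0]
        off = 8
    hdr["sequence"] = int.from_bytes(payload[off:off + 3], "big")  # 24-bit, then spare
    return hdr


def parse_frame(frame: bytes) -> Dict:
    """Decode Ethernet/IPv4/UDP and, on port 2123, the GTPv2-C header."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 header")
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    if proto != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:total_len]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    doc = {"src_ip": ".".join(str(b) for b in ip[12:16]),
           "dst_ip": ".".join(str(b) for b in ip[16:20]),
           "src_port": sport, "dst_port": dport}
    if GTPV2C_PORT in (sport, dport):
        doc["gtpv2"] = parse_gtpv2_header(udp[8:ulen])
    return doc


def pcap_to_es_bulk(data: bytes, index: str) -> str:
    """NDJSON for the _bulk API: one action line plus one document per GTPv2-C packet."""
    lines = []
    for ts, frame in iter_pcap(data):
        try:
            doc = parse_frame(frame)
        except ValueError:
            continue  # skip non-IPv4/UDP frames instead of aborting the ingest
        if "gtpv2" not in doc:
            continue
        doc["@timestamp"] = int(ts * 1000)  # epoch_millis, accepted by the default date mapping
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"  # _bulk bodies must end with a newline


def build_sample_pcap() -> bytes:
    """Constructed sample: one Create Session Request (type 32), 10.0.0.1 -> 10.0.0.2."""
    # flags 0x48 = version 2, T=1; TEID 0 on an initial request; sequence 0x000101
    gtp = struct.pack("!BBHI", 0x48, 32, 8, 0) + (0x000101).to_bytes(3, "big") + b"\x00"
    udp = struct.pack("!HHHH", GTPV2C_PORT, GTPV2C_PORT, 8 + len(gtp), 0) + gtp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp
    frame = bytes.fromhex("001122334455" "66778899aabb" "0800") + ip
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record = struct.pack("<IIII", 1568127900, 0, len(frame), len(frame))
    return header + record + frame


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    sys.stdout.write(pcap_to_es_bulk(data, "gtpv2-signalling"))
```

Run it with a pcap path to print the bulk body, then POST it to `http://<elastic-host>:9200/_bulk` with `Content-Type: application/x-ndjson` (host and index are assumptions). Only the fixed header is decoded here; extracting IMSI or other IEs from the message body is a further step the thread leaves to nProbe's plugin.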