Mailing List Archive: Nprobe flow export number

Nprobe flow export number

lara.giovannozzi at iptelecom

Jan 21, 2020, 3:55 AM

Post #1 of 7 (1381 views)

Hi,
I have installed nprobe and successfully get a Netflow flow.

Where I view the current flow export number?

Regards
—
Laragio
_______________________________________________
Ntop mailing list
Ntop@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop

Re: Nprobe flow export number [ In reply to ]

mainardi at ntop

Jan 21, 2020, 10:20 AM

Post #2 of 7 (1380 views)

Hi,

Use the following template element (see option -T)

[ 42][Len 4] %TOTAL_FLOWS_EXP %exportedFlowRecordTotalCount Total number of exported flows

Simone

> On 21 Jan 2020, at 12:55, Laragio <lara.giovannozzi@iptelecom.it> wrote:
>
> Hi,
> I have installed nprobe and successfully get a Netflow flow.
>
> Where I view the current flow export number?
>
> Regards
> —
> Laragio
> _______________________________________________
> Ntop mailing list
> Ntop@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop

_______________________________________________
Ntop mailing list
Ntop@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop

Re: Nprobe flow export number [ In reply to ]

mainardi at ntop

Jan 21, 2020, 10:20 AM

Post #3 of 7 (1380 views)

Hi,

Use the following template element (see option -T)

[ 42][Len 4] %TOTAL_FLOWS_EXP %exportedFlowRecordTotalCount Total number of exported flows

Simone

> On 21 Jan 2020, at 12:55, Laragio <lara.giovannozzi@iptelecom.it> wrote:
>
> Hi,
> I have installed nprobe and successfully get a Netflow flow.
>
> Where I view the current flow export number?
>
> Regards
> —
> Laragio
> _______________________________________________
> Ntop mailing list
> Ntop@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop

_______________________________________________
Ntop mailing list
Ntop@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop

Re: Nprobe flow export number [ In reply to ]

lara.giovannozzi at iptelecom

Jan 22, 2020, 1:05 AM

Post #4 of 7 (1378 views)

Hi Simone,

> Il giorno 21 gen 2020, alle ore 19:20,21/01/2020, Simone Mainardi <mainardi@ntop.org> ha scritto:
>
> [ 42][Len 4] %TOTAL_FLOWS_EXP %exportedFlowRecordTotalCount Total number of exported flows

I added the template %TOTAL_FLOWS_EXP and dumped the collected flow to the disk.

In the file I see this lines

————————————————————————————————
L7_PROTO|IPV4_SRC_ADDR|IPV4_DST_ADDR|L4_SRC_PORT|L4_DST_PORT|IPV6_SRC_ADDR|IPV6_DST_ADDR|IP_PROTOCOL_VERSION|PROTOCOL|IN_BYTES|IN_PKTS|OUT_BYTES|OUT_PKTS|FIRST_SWITCHED|LAST_SWITCHED|SRC_VLAN|TOTAL_FLOWS_EXP
7|x.x.x.x|x.x.x.x|1243|80|::|::|4|6|160|4|0|0|1579682964|1579683001|0|0
91.140|x.x.x.x|x.x.x.x|443|32841|::|::|4|6|76|1|0|0|1579682964|1579682964|0|0
91.178|x.x.x.x|x.x.x.x|443|62260|::|::|4|6|151|3|151|3|1579682964|1579682965|0|0
5.126|x.x.x.x|8.8.8.8|65095|53|::|::|4|17|68|1|108|1|1579682964|1579682964|0|0
0|x.x.x.x|x.x.x.x|49559|8194|::|::|4|6|213|2|132|1|1579682964|1579682964|0|0
91.119|x.x.x.x|x.x.x.x|33434|443|::|::|4|6|607|7|3351|5|1579682964|1579682964|0|0
5.126|x.x.x.x|8.8.8.8|17406|53|::|::|4|17|87|1|143|1|1579682964|1579682964|0|0
————————————————————————————————

The nprobe get the flows but total flows exp is always 0.

Is correct?
—
Laragio
_______________________________________________
Ntop mailing list
Ntop@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop

Re: Nprobe flow export number [ In reply to ]

lara.giovannozzi at iptelecom

Jan 22, 2020, 1:05 AM

Post #5 of 7 (1378 views)

Hi Simone,

> Il giorno 21 gen 2020, alle ore 19:20,21/01/2020, Simone Mainardi <mainardi@ntop.org> ha scritto:
>
> [ 42][Len 4] %TOTAL_FLOWS_EXP %exportedFlowRecordTotalCount Total number of exported flows

I added the template %TOTAL_FLOWS_EXP and dumped the collected flow to the disk.

In the file I see this lines

————————————————————————————————
L7_PROTO|IPV4_SRC_ADDR|IPV4_DST_ADDR|L4_SRC_PORT|L4_DST_PORT|IPV6_SRC_ADDR|IPV6_DST_ADDR|IP_PROTOCOL_VERSION|PROTOCOL|IN_BYTES|IN_PKTS|OUT_BYTES|OUT_PKTS|FIRST_SWITCHED|LAST_SWITCHED|SRC_VLAN|TOTAL_FLOWS_EXP
7|x.x.x.x|x.x.x.x|1243|80|::|::|4|6|160|4|0|0|1579682964|1579683001|0|0
91.140|x.x.x.x|x.x.x.x|443|32841|::|::|4|6|76|1|0|0|1579682964|1579682964|0|0
91.178|x.x.x.x|x.x.x.x|443|62260|::|::|4|6|151|3|151|3|1579682964|1579682965|0|0
5.126|x.x.x.x|8.8.8.8|65095|53|::|::|4|17|68|1|108|1|1579682964|1579682964|0|0
0|x.x.x.x|x.x.x.x|49559|8194|::|::|4|6|213|2|132|1|1579682964|1579682964|0|0
91.119|x.x.x.x|x.x.x.x|33434|443|::|::|4|6|607|7|3351|5|1579682964|1579682964|0|0
5.126|x.x.x.x|8.8.8.8|17406|53|::|::|4|17|87|1|143|1|1579682964|1579682964|0|0
————————————————————————————————

The nprobe get the flows but total flows exp is always 0.

Is correct?
—
Laragio
_______________________________________________
Ntop mailing list
Ntop@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop

Re: Nprobe flow export number [ In reply to ]

mainardi at ntop

Jan 23, 2020, 6:19 AM

Post #6 of 7 (1371 views)

Counter is only increased when nProbe exports to NetFlow, not to text files.

Alternatively, you can run nProbe with option -b=1 to have periodic stats printed. Stats will include also the total number of flows exported. Example:

23/Jan/2020 15:18:52 [nprobe.c:3505] Flows exports (including drops) [15 flows][avg: 0.5 flows/sec][latest 30 sec avg: 0.5 flows/sec]
23/Jan/2020 15:18:52 [nprobe.c:3512] Flow drops [export queue full: 0]
23/Jan/2020 15:18:52 [nprobe.c:3515] Packet drops [too many flow buckets: 0]
23/Jan/2020 15:18:52 [nprobe.c:3518] Flow Buckets [active: 25][allocated: 25][toBeExported: 0]
23/Jan/2020 15:18:52 [nprobe.c:3522] Export Queue [current: 0][max: 512000][fill level: 0.0%]
23/Jan/2020 15:18:52 [nprobe.c:3280] Processed packets: 765 (max bucket search: 1)

Simone

> On 22 Jan 2020, at 10:05, Laragio <lara.giovannozzi@iptelecom.it> wrote:
>
> Hi Simone,
>
>
>> Il giorno 21 gen 2020, alle ore 19:20,21/01/2020, Simone Mainardi <mainardi@ntop.org> ha scritto:
>>
>> [ 42][Len 4] %TOTAL_FLOWS_EXP %exportedFlowRecordTotalCount Total number of exported flows
>
> I added the template %TOTAL_FLOWS_EXP and dumped the collected flow to the disk.
>
> In the file I see this lines
>
> ————————————————————————————————
> L7_PROTO|IPV4_SRC_ADDR|IPV4_DST_ADDR|L4_SRC_PORT|L4_DST_PORT|IPV6_SRC_ADDR|IPV6_DST_ADDR|IP_PROTOCOL_VERSION|PROTOCOL|IN_BYTES|IN_PKTS|OUT_BYTES|OUT_PKTS|FIRST_SWITCHED|LAST_SWITCHED|SRC_VLAN|TOTAL_FLOWS_EXP
> 7|x.x.x.x|x.x.x.x|1243|80|::|::|4|6|160|4|0|0|1579682964|1579683001|0|0
> 91.140|x.x.x.x|x.x.x.x|443|32841|::|::|4|6|76|1|0|0|1579682964|1579682964|0|0
> 91.178|x.x.x.x|x.x.x.x|443|62260|::|::|4|6|151|3|151|3|1579682964|1579682965|0|0
> 5.126|x.x.x.x|8.8.8.8|65095|53|::|::|4|17|68|1|108|1|1579682964|1579682964|0|0
> 0|x.x.x.x|x.x.x.x|49559|8194|::|::|4|6|213|2|132|1|1579682964|1579682964|0|0
> 91.119|x.x.x.x|x.x.x.x|33434|443|::|::|4|6|607|7|3351|5|1579682964|1579682964|0|0
> 5.126|x.x.x.x|8.8.8.8|17406|53|::|::|4|17|87|1|143|1|1579682964|1579682964|0|0
> ————————————————————————————————
>
>
> The nprobe get the flows but total flows exp is always 0.
>
> Is correct?
> —
> Laragio

_______________________________________________
Ntop mailing list
Ntop@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop

Re: Nprobe flow export number [ In reply to ]

mainardi at ntop

Jan 23, 2020, 6:19 AM

Post #7 of 7 (1371 views)

Counter is only increased when nProbe exports to NetFlow, not to text files.

Alternatively, you can run nProbe with option -b=1 to have periodic stats printed. Stats will include also the total number of flows exported. Example:

23/Jan/2020 15:18:52 [nprobe.c:3505] Flows exports (including drops) [15 flows][avg: 0.5 flows/sec][latest 30 sec avg: 0.5 flows/sec]
23/Jan/2020 15:18:52 [nprobe.c:3512] Flow drops [export queue full: 0]
23/Jan/2020 15:18:52 [nprobe.c:3515] Packet drops [too many flow buckets: 0]
23/Jan/2020 15:18:52 [nprobe.c:3518] Flow Buckets [active: 25][allocated: 25][toBeExported: 0]
23/Jan/2020 15:18:52 [nprobe.c:3522] Export Queue [current: 0][max: 512000][fill level: 0.0%]
23/Jan/2020 15:18:52 [nprobe.c:3280] Processed packets: 765 (max bucket search: 1)

Simone

> On 22 Jan 2020, at 10:05, Laragio <lara.giovannozzi@iptelecom.it> wrote:
>
> Hi Simone,
>
>
>> Il giorno 21 gen 2020, alle ore 19:20,21/01/2020, Simone Mainardi <mainardi@ntop.org> ha scritto:
>>
>> [ 42][Len 4] %TOTAL_FLOWS_EXP %exportedFlowRecordTotalCount Total number of exported flows
>
> I added the template %TOTAL_FLOWS_EXP and dumped the collected flow to the disk.
>
> In the file I see this lines
>
> ————————————————————————————————
> L7_PROTO|IPV4_SRC_ADDR|IPV4_DST_ADDR|L4_SRC_PORT|L4_DST_PORT|IPV6_SRC_ADDR|IPV6_DST_ADDR|IP_PROTOCOL_VERSION|PROTOCOL|IN_BYTES|IN_PKTS|OUT_BYTES|OUT_PKTS|FIRST_SWITCHED|LAST_SWITCHED|SRC_VLAN|TOTAL_FLOWS_EXP
> 7|x.x.x.x|x.x.x.x|1243|80|::|::|4|6|160|4|0|0|1579682964|1579683001|0|0
> 91.140|x.x.x.x|x.x.x.x|443|32841|::|::|4|6|76|1|0|0|1579682964|1579682964|0|0
> 91.178|x.x.x.x|x.x.x.x|443|62260|::|::|4|6|151|3|151|3|1579682964|1579682965|0|0
> 5.126|x.x.x.x|8.8.8.8|65095|53|::|::|4|17|68|1|108|1|1579682964|1579682964|0|0
> 0|x.x.x.x|x.x.x.x|49559|8194|::|::|4|6|213|2|132|1|1579682964|1579682964|0|0
> 91.119|x.x.x.x|x.x.x.x|33434|443|::|::|4|6|607|7|3351|5|1579682964|1579682964|0|0
> 5.126|x.x.x.x|8.8.8.8|17406|53|::|::|4|17|87|1|143|1|1579682964|1579682964|0|0
> ————————————————————————————————
>
>
> The nprobe get the flows but total flows exp is always 0.
>
> Is correct?
> —
> Laragio

_______________________________________________
Ntop mailing list
Ntop@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop