Thank you Simone! I now seem to have everything working. A reboot was required before I could see what I was expecting to see in ntopng.
sudo netstat -tulpen | grep /n
tcp 0 0 0.0.0.0:3000 0.0.0.0:* LISTEN 0 19865 1454/ntopng
tcp 0 0 127.0.0.1:5556 0.0.0.0:* LISTEN 0 19806 1456/nprobe
udp 0 0 0.0.0.0:9995 0.0.0.0:* 65534 18960 1456/nprobe
udp 0 0 172.17.20.221:123 0.0.0.0:* 0 19227 1551/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 0 19225 1551/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 0 19221 1551/ntpd

Here’s what my ntopng.conf file looks like:

cat /etc/ntopng/ntopng.conf
--interface="tcp://127.0.0.1:5556"
--m="10.0.0.0/8,172.0.0.0/8"

ls /etc/ntopng/
ntopng.conf ntopng.start

Here’s what my nprobe.conf file looks like:

cat /etc/nprobe/nprobe.conf
-G=
-i=none
--collector-port=9995
--zmq=tcp://127.0.0.1:5556

ls /etc/nprobe
nprobe.conf nprobe-none.conf nprobe-none.start

I confirmed using tcpdump that the server is receiving the flow from the switch; the switch IP address is 10.215.8.3.

sudo tcpdump -c 6 -n dst port 9995
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:13:09.875239 IP 10.215.8.3.51364 > 172.17.20.221.9995: UDP, length 132
06:13:10.804606 IP 10.215.8.3.51364 > 172.17.20.221.9995: UDP, length 132
06:13:11.800001 IP 10.215.8.3.51364 > 172.17.20.221.9995: UDP, length 76
06:13:12.810285 IP 10.215.8.3.51364 > 172.17.20.221.9995: UDP, length 76
06:13:13.807210 IP 10.215.8.3.51364 > 172.17.20.221.9995: UDP, length 76
06:13:13.811862 IP 10.215.8.3.51364 > 172.17.20.221.9995: UDP, length 76

In the ntopng webui I only have one interface, which I will rename for aesthetics: tcp://127.0.0.1:5556

This is wonderful! Now I just need to figure out how to name much of the “Unknown” traffic. If I were to forward additional flows from additional switches, should I create another interface and probe?
Jeff

From: [email protected] [mailto:[email protected]] On Behalf Of Simone Mainardi
Sent: Wednesday, December 13, 2017 5:07 AM
To: [email protected]
Subject: Re: [Ntop-misc] Query regarding nProbe collector configuration

Jeff,

You need both nProbe and ntopng. nProbe interprets the IPFIX and outputs the data to ntopng, which is in charge of visualisation. A simple configuration is the following:

./nprobe -i none -n none --collector-port 9995 --zmq tcp://127.0.0.1:5556
./ntopng -i tcp://*:5556 -m <a list of networks of interest, e.g., 192.168.0.1/24>

The communication between ntopng and nprobe takes place over ZMQ.

Regards,
Simone

On 12 Dec 2017, at 15:23, Kotch, Jeff <[email protected]<mailto:[email protected]>> wrote:

Hi there,

I’m new to ntopng and hoping to get some assistance or guidance. I’ve got an ntopng/nProbe server set up using a single interface. I’ve got an Avaya switch sending IPFIX flow data to my ntopng server over port 9995. My understanding is I need to set up ntopng as a collector for that flow data. All I’m seeing in ntopng is a single flow from switch to server along with all other ‘local’ traffic hitting the server. I’d like to only see the flow data from the switch. I expected nProbe to create an interface for me to select, as I’d seen in ntop, but I haven’t seen that yet. I understand that I need to set nProbe with some sort of zmq command but I’m struggling to understand the context for that command. I’d like the desired configuration to remain persistent through reboots and start up automatically. Ntopng starts automatically now but I don’t think there’s currently any nProbe configuration. I am finding that as I enter an nProbe command now, the cli does not return me to a prompt to restart the ntopng service.

Any assistance you can offer would be greatly appreciated.
Thank you
Jeff

_______________________________________________
Ntop-misc mailing list
[email protected]<mailto:[email protected]>
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
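Added example (my own, not code from this thread or from ntop): a small Python parser for the IPFIX datagrams the switch sends to UDP port 9995. It checks the version field (10 for IPFIX; a 9 here would mean the switch is really exporting NetFlow v9), validates the length fields, and lists the sets in each message so you can confirm that template sets arrive alongside data sets, since a collector cannot decode data records whose template it has never received. The sample datagram is constructed, reusing the switch and server addresses from the thread; the export time is an arbitrary constructed value.

```python
import struct
from dataclasses import dataclass

IPFIX_VERSION = 10  # RFC 7011; a version field of 9 or 5 means NetFlow v9/v5 instead

@dataclass
class IpfixSet:
    set_id: int
    length: int
    kind: str

def classify_set(set_id: int) -> str:
    # IDs 2 and 3 carry templates; 256 and above carry data records that a collector
    # can only decode once it has seen the template with the same ID.
    if set_id == 2:
        return "template"
    if set_id == 3:
        return "options-template"
    return "data" if set_id >= 256 else "reserved"

def parse_ipfix(payload: bytes) -> dict:
    """Parse one IPFIX message header and walk its sets (records are not decoded)."""
    if len(payload) < 16:
        raise ValueError("too short for an IPFIX header")
    version, length, export_time, seq, domain = struct.unpack("!HHIII", payload[:16])
    if version != IPFIX_VERSION:
        raise ValueError(f"not IPFIX: version field is {version}")
    if length != len(payload):
        raise ValueError(f"header length {length} != datagram length {len(payload)}")
    sets, offset = [], 16
    while offset < length:
        if length - offset < 4:
            raise ValueError(f"truncated set header at offset {offset}")
        set_id, set_len = struct.unpack("!HH", payload[offset:offset + 4])
        if set_len < 4 or offset + set_len > length:
            raise ValueError(f"bad set length {set_len} at offset {offset}")
        sets.append(IpfixSet(set_id, set_len, classify_set(set_id)))
        offset += set_len
    return {"export_time": export_time, "sequence": seq, "domain": domain, "sets": sets}

def build_sample() -> bytes:
    # Constructed sample datagram: a template set defining template 256 with two IPv4
    # fields (elements 8 and 12, source/destination IPv4 address), then one data set
    # for template 256 holding a single switch -> collector record.
    template = struct.pack("!HHHHHH", 256, 2, 8, 4, 12, 4)
    template_set = struct.pack("!HH", 2, 4 + len(template)) + template
    record = bytes([10, 215, 8, 3, 172, 17, 20, 221])
    data_set = struct.pack("!HH", 256, 4 + len(record)) + record
    body = template_set + data_set
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), 1513145589, 1, 1) + body
```

To inspect real traffic, bind a UDP socket to a spare port (not 9995, which nprobe owns) and pass each received datagram to parse_ipfix; a stream that only ever shows "data" sets means the exporter is not resending templates.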
