Hi,

I am trying to use nProbe as a flow filter & forwarder to filter out flows for customer prefixes and forward those flows to the customer's Wansight, but I am unable to get something useful on Wansight. Sometimes a few flows are received and a little bit is graphed, but with each flow received, the timeout is increased until Wansight says the flow is too old and discards it.

This is the log from customer wansight:

Severity | Component | Module | Notification Text | Date
INFO | <sensor.name> | Flow Collector | NetFlow version 9 exporter detected
INFO | <sensor.name> | Flow Collector | NetFlow version 9 exporter detected
INFO | <sensor.name> | Flow Collector | NetFlow version 9 exporter detected
INFO | <sensor.name> | Flow Collector | NetFlow version 9 exporter detected
INFO | <sensor.name> | Flow Collector | Netflow v5 exporter detected. SysID: 2, engine id 181, type 0, IP: <nprobe.ip>, Sampling Mode: 0, Sampling Interval: 5000
INFO | <sensor.name> | Flow Parser | Received flow from 113 seconds ago on interface "test-out". Adjusting flow delay from 30 to 113
INFO | <sensor.name> | Flow Collector | NetFlow version 9 exporter detected
INFO | <sensor.name> | Flow Parser | Received flow from 82 seconds ago on interface "test-out". Adjusting flow delay from 30 to 82
INFO | <sensor.name> | Flow Collector | Netflow v5 exporter detected. SysID: 1, engine id 87, type 0, IP: <nprobe.ip>, Sampling Mode: 0, Sampling Interval: 5000

Andrisoft support says that nProbe is at fault:

>If the flow exporter respects the RFC and it's configured to export long flows
>periodically, you only need to adjust the Flow Timeout(s) parameter from the
>Flow Sensor configuration window to the same value.
>All flows will be accepted, even if the start time is very long in the past.
>We don't have a nProbe license to be able to test it, but not even Wireshark
>can properly decode the start/end time of flows generated by it. So we can
>only conclude that it's a nProbe issue.
>We do have customers that are monitoring their routers with Netflow v9 and
>IPFIX without any issues from Wanguard.

Am I missing any parameters for nProbe? Am I misthinking something?

This is the setup:

1. Juniper MX Routers sample and export Flows to our own Andrisoft Wansight
2. Our Wansight repeats the received flow to nProbe
3. nProbe filters the customer specific prefixes and forwards those flows to the customer's Wansight.

This is the configuration on the Juniper MX router:

set forwarding-options sampling instance sampling input rate 5000
set forwarding-options sampling instance sampling family inet output flow-server <our.wansight.ip> port 23239
set forwarding-options sampling instance sampling family inet output flow-server <our.wansight.ip> autonomous-system-type origin
set forwarding-options sampling instance sampling family inet output flow-server <our.wansight.ip> version-ipfix template ipv4
set forwarding-options sampling instance sampling family inet output inline-jflow source-address <router.ip.addr>
set forwarding-options sampling instance sampling family inet output inline-jflow flow-export-rate 40
set forwarding-options sampling instance sampling family inet6 output flow-server <our.wansight.ip> port 23239
set forwarding-options sampling instance sampling family inet6 output flow-server <our.wansight.ip> autonomous-system-type origin
set forwarding-options sampling instance sampling family inet6 output flow-server <our.wansight.ip> version-ipfix template ipv6
set forwarding-options sampling instance sampling family inet6 output inline-jflow source-address <router.ip.addr>
set forwarding-options sampling instance sampling family inet6 output inline-jflow flow-export-rate 40

On our Wansight we use the following settings for the Flow Sensor:

Listener IP:Port <our.wansight.ip>:23239
Repeater IP:Port <nprobe.ip>:2056
Flow Collector: Off
Flow Protocol: NetFlow or IPFIX
Flow Exporter IP: <router.ip.addr>
Sampling (1/N): -5000
Flows Timeout (s): 60 seconds

These are my nProbe parameters:

--collector-port 2056
--sender-address <nprobe.ip>:2055
--collector <customer.wansight.ip>:10000
--in-iface-idx 910
--out-iface-idx 917
--flow-version 9
--sample-rate @5000:1:1
-i none
--collection-filter <v4.prefix>/24
--collection-filter <v6.prefix>/48
--daemon-mode
--json-to-syslog
--flows-intra-templ 1
-T "%IN_BYTES %IN_PKTS %FLOWS %PROTOCOL %SRC_TOS %TCP_FLAGS %L4_SRC_PORT %IPV4_SRC_ADDR %IPV4_SRC_MASK %INPUT_SNMP %L4_DST_PORT %IPV4_DST_ADDR %IPV4_DST_MASK %OUTPUT_SNMP %IPV4_NEXT_HOP %SRC_AS %DST_AS %LAST_SWITCHED %FIRST_SWITCHED %OUT_BYTES %OUT_PKTS %IPV6_SRC_ADDR %IPV6_DST_ADDR %IPV6_SRC_MASK %IPV6_DST_MASK %ICMP_TYPE %SAMPLING_INTERVAL"

On the customer Wansight, the following settings are used for the Flow Sensor:

Listener IP:Port <customer.wansight.ip>:10000
Repeater IP:Port –
Flow Collector: Off
Flow Protocol: NetFlow or IPFIX
Flow Exporter IP: <nprobe.ip>
Sampling (1/N): -5000
Flows Timeout (s): Auto
Monitored Interfaces:
910 test-in Downstream
917 test-out Upstream

Best regards,
Benjamin Weik
_______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
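
An added diagnostic sketch, not part of the original post and not nProbe or Wanguard code: it shows how the age of a NetFlow v9 record follows from the RFC 3954 export header (sysUptime, UNIX seconds) and the record's LAST_SWITCHED field, which can be compared against the "Received flow from N seconds ago" log lines when inspecting a capture of the forwarded export. The function names, the sample header, and the use of 30 s (taken from "Adjusting flow delay from 30") as the allowed delay are assumptions, as is the idea that the collector derives its figure this way.

```python
import struct
from typing import NamedTuple

# RFC 3954 export header: version, count, sysUptime (ms), UNIX secs, sequence, source ID
V9_HEADER = struct.Struct("!HHIIII")

class V9Header(NamedTuple):
    version: int
    count: int
    sys_uptime_ms: int
    unix_secs: int
    sequence: int
    source_id: int

def parse_v9_header(datagram: bytes) -> V9Header:
    if len(datagram) < V9_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v9 header")
    hdr = V9Header(*V9_HEADER.unpack_from(datagram))
    if hdr.version != 9:
        raise ValueError(f"not NetFlow v9 (version field = {hdr.version})")
    return hdr

def switched_to_epoch(hdr: V9Header, switched_ms: int) -> float:
    """Convert FIRST_SWITCHED/LAST_SWITCHED (exporter uptime, ms) to UNIX time."""
    # Signed 32-bit difference: survives a sysUptime wrap and goes negative
    # when the record's timestamp is ahead of the header's uptime clock.
    delta_ms = ((hdr.sys_uptime_ms - switched_ms + 2**31) % 2**32) - 2**31
    return hdr.unix_secs - delta_ms / 1000.0

def flow_age(hdr: V9Header, last_switched_ms: int, received_at: float) -> float:
    """Seconds between the flow's last packet and the collector receiving it."""
    return received_at - switched_to_epoch(hdr, last_switched_ms)

def classify(age_s: float, allowed_delay_s: float = 30.0) -> str:
    if age_s < 0:
        return "ahead"  # record and header are not on the same uptime clock
    return "late" if age_s > allowed_delay_s else "ok"

# Constructed sample header (not captured traffic): exporter up for one hour.
SAMPLE = V9_HEADER.pack(9, 1, 3_600_000, 1_700_000_000, 42, 0)

if __name__ == "__main__":
    hdr = parse_v9_header(SAMPLE)
    age = flow_age(hdr, 3_487_000, received_at=1_700_000_000)
    print(f"flow age {age:.0f}s -> {classify(age)}")
```
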
