Benjamin,

As you want to use nProbe as a flow filter-and-forward, you can try and add 
option --disable-cache to make sure every flow received is output as-is without 
any caching/aggregation. Also note that --collection-filter does not currently 
support IPv6 filters.

In addition, add option -b=1 to see periodic updates on the flows 
received/exported. This will help in understanding if flows are properly 
repeated by the Wansight to nProbe and/or if they are properly forwarded to the 
customer's Wansight.

I would also run tcpdump (possibly attach pcap files or send them privately) on 
ports 10000 and 2056 of the nProbe host to inspect the two NetFlow streams (that 
is, your Wansight -> nProbe and nProbe -> customer's Wansight, respectively).

Simone

> On 12 Mar 2018, at 11:18, Benjamin Weik <[email protected]> 
> wrote:
> 
> Hi,
>  
> I am trying to use nProbe as a flow filter & forwarder to filter out flows 
> for customer prefixes and forward those flows to the customer's Wansight but I 
> am unable to get something useful on Wansight.
> Sometimes a few flows are received and a little bit is graphed but with each 
> flow received, the timeout is increased until Wansight says the flow is too 
> old and discards it.
>  
> This is the log from customer wansight:
> Severity         Component       Module         Notification Text   Date
> INFO              <sensor.name>   Flow Collector NetFlow version 9 exporter 
> detected
> INFO              <sensor.name>   Flow Collector NetFlow version 9 exporter 
> detected
> INFO              <sensor.name>   Flow Collector NetFlow version 9 exporter 
> detected
> INFO              <sensor.name>   Flow Collector NetFlow version 9 exporter 
> detected
> INFO              <sensor.name>   Flow Collector Netflow v5 exporter 
> detected. SysID: 2, engine id 181, type 0, IP: <nprobe.ip>, Sampling Mode: 0, 
> Sampling Interval: 5000
> INFO              <sensor.name>   Flow Parser    Received flow from 113 
> seconds ago on interface "test-out". Adjusting flow delay from 30 to 113
> INFO              <sensor.name>   Flow Collector NetFlow version 9 exporter 
> detected
> INFO              <sensor.name>   Flow Parser    Received flow from 82 
> seconds ago on interface "test-out". Adjusting flow delay from 30 to 82
> INFO              <sensor.name>   Flow Collector Netflow v5 exporter 
> detected. SysID: 1, engine id 87, type 0, IP: <nprobe.ip>, Sampling Mode: 0, 
> Sampling Interval: 5000
>  
> Andrisoft support says that nProbe is at fault:
>  
> >If the flow exporter respects the RFC and it's configured to export long 
> >flows periodically, you only need to adjust the Flow Timeout(s) parameter 
> >from the Flow Sensor configuration window to the same value. 
> >All flows will be accepted, even if the start time is very long in the past.
>  
> >We don't have a nProbe license to be able to test it, but not even Wireshark 
> >can properly decode the start/end time of flows generated by it. So we can 
> >only conclude that it's a nProbe issue.
> >We do have customers that are monitoring their routers with Netflow v9 and 
> >IPFIX without any issues from Wanguard.
>  
> Am I missing any parameters for nProbe? Am I misthinking something?
>  
> This is the setup:
> 1.     Juniper MX Routers sample and export Flows to our own Andrisoft 
> Wansight
> 2.     Our Wansight repeats the received flow to nProbe
> 3.     nProbe filters the customer specific prefixes and forwards those flows 
> to the customer's Wansight.
>  
> This is the configuration on the Juniper MX router:
> set forwarding-options sampling instance sampling input rate 5000
> set forwarding-options sampling instance sampling family inet output 
> flow-server <our.wansight.ip> port 23239
> set forwarding-options sampling instance sampling family inet output 
> flow-server <our.wansight.ip> autonomous-system-type origin
> set forwarding-options sampling instance sampling family inet output 
> flow-server <our.wansight.ip> version-ipfix template ipv4
> set forwarding-options sampling instance sampling family inet output 
> inline-jflow source-address <router.ip.addr>
> set forwarding-options sampling instance sampling family inet output 
> inline-jflow flow-export-rate 40
> set forwarding-options sampling instance sampling family inet6 output 
> flow-server <our.wansight.ip> port 23239
> set forwarding-options sampling instance sampling family inet6 output 
> flow-server <our.wansight.ip> autonomous-system-type origin
> set forwarding-options sampling instance sampling family inet6 output 
> flow-server <our.wansight.ip> version-ipfix template ipv6
> set forwarding-options sampling instance sampling family inet6 output 
> inline-jflow source-address <router.ip.addr>
> set forwarding-options sampling instance sampling family inet6 output 
> inline-jflow flow-export-rate 40
>  
>  
> On our Wansight we use the following settings for the Flow Sensor:
> Listener IP:Port <our.wansight.ip>:23239
> Repeater IP:Port <nprobe.ip>:2056
> Flow Collector: Off
> Flow Protocol: NetFlow or IPFIX
> Flow Exporter IP: <router.ip.addr>
> Sampling (1/N): -5000
> Flows Timeout (s): 60 seconds
>  
> These are my nProbe parameters:
> --collector-port 2056
> --sender-address <nprobe.ip>:2055
> --collector <customer.wansight.ip>:10000
> --in-iface-idx 910
> --out-iface-idx 917
> --flow-version 9
> --sample-rate @5000:1:1
> -i none
> --collection-filter <v4.prefix>/24
> --collection-filter <v6.prefix>/48
> --daemon-mode
> --json-to-syslog
> --flows-intra-templ 1 
> -T "%IN_BYTES %IN_PKTS %FLOWS %PROTOCOL %SRC_TOS %TCP_FLAGS %L4_SRC_PORT 
> %IPV4_SRC_ADDR %IPV4_SRC_MASK %INPUT_SNMP %L4_DST_PORT %IPV4_DST_ADDR 
> %IPV4_DST_MASK %OUTPUT_SNMP %IPV4_NEXT_HOP %SRC_AS %DST_AS %LAST_SWITCHED 
> %FIRST_SWITCHED %OUT_BYTES %OUT_PKTS %IPV6_SRC_ADDR %IPV6_DST_ADDR 
> %IPV6_SRC_MASK %IPV6_DST_MASK %ICMP_TYPE %SAMPLING_INTERVAL"
>  
> On the customer Wansight, the following settings are used for the Flow Sensor:
> Listener IP:Port <customer.wansight.ip>:10000
> Repeater IP:Port –
> Flow Collector: Off
> Flow Protocol: NetFlow or IPFIX
> Flow Exporter IP: <nprobe.ip>
> Sampling (1/N): -5000
> Flows Timeout (s): Auto
>  
> Monitored Interfaces:
> 910 test-in Downstream
> 917 test-out Upstream
>  
> Best regards,
>  
> Benjamin Weik
>  
> _______________________________________________
> Ntop-misc mailing list
> [email protected] <mailto:[email protected]>
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc 
> <http://listgateway.unipi.it/mailman/listinfo/ntop-misc>
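
An added example, not part of the original thread and not nProbe or Wansight code: once the nProbe -> customer's Wansight stream on port 10000 has been captured, this checks how old each exported flow is by comparing `LAST_SWITCHED` in every data record with the `sysUptime` in the NetFlow v9 header (RFC 3954 layout). The function name `flow_ages`, the sample packet and the idea that the receiver measures age this way are assumptions; extracting the UDP payload from the pcap is left out, and the IPFIX stream on port 2056 uses a different header that this does not parse.

```python
import struct

LAST_SWITCHED = 21  # NetFlow v9 field type (RFC 3954), value in sysUptime ms

def flow_ages(payload, templates=None):
    """Return, per flow record, seconds between LAST_SWITCHED and export time."""
    templates = {} if templates is None else templates  # pass a dict to keep state
    if len(payload) < 20 or payload[:2] != b"\x00\x09":
        raise ValueError("not a NetFlow v9 packet")
    uptime_ms = struct.unpack_from("!I", payload, 4)[0]  # header sysUptime
    ages, off = [], 20                                   # v9 header is 20 bytes
    while off + 4 <= len(payload):
        set_id, set_len = struct.unpack_from("!HH", payload, off)
        if set_len < 4 or off + set_len > len(payload):
            break                                        # truncated flowset
        body = payload[off + 4:off + set_len]
        if set_id == 0:                                  # template flowset
            pos = 0
            while pos + 4 <= len(body):
                tid, n = struct.unpack_from("!HH", body, pos)
                if n == 0 or pos + 4 + 4 * n > len(body):
                    break                                # padding or truncation
                templates[tid] = [struct.unpack_from("!HH", body, pos + 4 + 4 * i)
                                  for i in range(n)]     # (type, length) pairs
                pos += 4 + 4 * n
        elif set_id in templates:                        # data flowset
            fields = templates[set_id]
            rec_len = sum(length for _, length in fields)
            for r in range(len(body) // rec_len if rec_len else 0):
                pos = r * rec_len
                for ftype, length in fields:
                    if ftype == LAST_SWITCHED:
                        last = int.from_bytes(body[pos:pos + length], "big")
                        ages.append((uptime_ms - last) / 1000.0)
                    pos += length
        off += set_len
    return ages

# Constructed sample (not captured traffic): header with sysUptime 600000 ms,
# template 256 = IN_BYTES, LAST_SWITCHED, FIRST_SWITCHED, then two records.
SAMPLE = (
    struct.pack("!HHIIII", 9, 3, 600_000, 1_520_850_000, 1, 0)
    + struct.pack("!HHHH6H", 0, 20, 256, 3, 1, 4, 21, 4, 22, 4)
    + struct.pack("!HH6I", 256, 28, 1500, 487_000, 480_000, 40, 518_000, 517_000)
)

if __name__ == "__main__":
    print(flow_ages(SAMPLE))
```

Ages that are negative or far larger than the exporter's flow timeout mean the record timestamps are not relative to the `sysUptime` in the header that carries them.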