Hello, Simone
I tried:

C:\Program Files\nProbe>nprobe /c -i none -n none --collector-port 2055 -D t -P E:\nprobe -V 10
Running nProbe for Windows.
31/Oct/2016 19:57:23 [nprobe.c:3404] Valid nProbe Pro license found
31/Oct/2016 19:57:23 [nprobe.c:4867] WARNING: The output interfaceId is set to 0: did you forget to use -Q perhaps ?
31/Oct/2016 19:57:23 [nprobe.c:4870] WARNING: The input interfaceId is set to 0: did you forget to use -u perhaps ?
31/Oct/2016 19:57:23 [nprobe.c:4970] Welcome to nProbe Pro v.7.4.160623 ($Revision: 4384 $) for Windows
31/Oct/2016 19:57:23 [nprobe.c:4980] Running on Windows
31/Oct/2016 19:57:23 [nprobe.c:4991] [LICENSE] nProbe SystemId: 2364757858-76046ad1
31/Oct/2016 19:57:23 [nprobe.c:5075] Dumping flow files every 60 sec into directory E:\nprobe
31/Oct/2016 19:57:23 [nprobe.c:7307] Welcome to nProbe v.7.4.160623 for Windows
31/Oct/2016 19:57:23 [nprobe.c:6406] WARNING: You selected v9/IPFIX without specifying a template (-T).
31/Oct/2016 19:57:23 [nprobe.c:6407] WARNING: The default template will be used
31/Oct/2016 19:57:23 [nprobe.c:6412] Using NetFlow Packet Payload Len: 1472
31/Oct/2016 19:57:23 [plugin.c:1030] 0 plugin(s) enabled
31/Oct/2016 19:57:23 [nprobe.c:6813] Each flow is 97 bytes long
31/Oct/2016 19:57:23 [nprobe.c:6814] The # packets per flow has been set to 14
31/Oct/2016 19:57:23 [nprobe.c:6833] Non IPv4/v6 traffic is discarded according to the template
31/Oct/2016 19:57:23 [nprobe.c:5490] Using packet capture length 128
31/Oct/2016 19:57:23 [nprobe.c:7529] Flows ASs will not be computed (missing GeoIP support)
31/Oct/2016 19:57:23 [nprobe.c:7630] Not capturing packet from interface (collector mode)
31/Oct/2016 19:57:23 [collect.c:147] Flow collector listening on port 2055 (IPv4/v6)
31/Oct/2016 19:57:23 [nprobe.c:7855] nProbe started successfully
...
with marginally better results (below):

IPV4_SRC_ADDR  IPV4_DST_ADDR  IPV4_NEXT_HOP  INPUT_SNMP  OUTPUT_SNMP  IN_PKTS  IN_BYTES
xx.xxx.xx.xx   xxx.xxx.xx.xx  0.0.0.0        0           5            2        92
xx.xx.x.xx     xx.xxx.xx.xxx  0.0.0.0        5           0            265      24371
<continues>

But - only 0/5 interface numbers are represented - no other interface numbers appear. 5 is a legitimate interface number - but there are many more active interfaces on the router supplying the NetFlow data.
I need to see those as well - and I know they are active from wireshark captures and from past results with a commercial tool I am being forced to abandon:
Example from commercial product:

Source IP      Source Port  Destination IP  Destination Port  State  Protocol  Last Time         Duration  Input Interface  Output Interface  Total Packets  Source Bytes  Destination Bytes
xxxxxxxxxxxxx  7800         xxxxxxxxxxx     22818                    tcp       10/12/2016 22:52  0:19:03   2                5                 133            3640          3276
xxxxxxxxxxxxx  rtsp         xxxxxxxxxxx     56528                    tcp       10/12/2016 22:52  0:10:01   11               2                 18874          19889754      0
xxxxxxxxxxxxx  62826        xxxxxxxxxxx     5401                     tcp       10/12/2016 22:52  0:10:54   2                11                1044           176352        187134
The behavior I am seeing with nprobe is similar to what I have experienced with the most recent version of nfdump/nfcapd.
I only see a small subset of interfaces being identified by SNMP interface index in the output.
And getting accurate association of flow to interface is my entire goal. Is this possible with nprobe functioning as the collector - and if so - how?
Thanks.... I can supply additional information if needed.

On 10/31/2016 05:04 PM, Simone Mainardi wrote:
James, you are using an obsolete parameter for nProbe. See this issue: https://github.com/ntop/nProbe/issues/96

Please, use the new parameter --collector-port

Regards,
Simone

On Mon, Oct 31, 2016 at 8:59 PM, James A. Klun <[email protected]> wrote:

I am currently working with nprobe - a new user.
nProbe v.7.4.160623 (r4597) for Windows
I am specifically interested in capturing the SNMP index number associated with flows.

My startup:

C:\Program Files\nProbe>nprobe /c -nf-collector-port 2055 -D t -P E:\nprobe
Running nProbe for Windows.
31/Oct/2016 13:05:57 [nprobe.c:3404] Valid nProbe Pro license found
31/Oct/2016 13:05:57 [nprobe.c:4867] WARNING: The output interfaceId is set to 0: did you forget to use -Q perhaps ?
31/Oct/2016 13:05:57 [nprobe.c:4870] WARNING: The input interfaceId is set to 0: did you forget to use -u perhaps ?
31/Oct/2016 13:05:57 [nprobe.c:4970] Welcome to nProbe Pro v.7.4.160623 ($Revision: 4384 $) for Windows
31/Oct/2016 13:05:57 [nprobe.c:4980] Running on Windows
31/Oct/2016 13:05:57 [nprobe.c:4991] [LICENSE] nProbe SystemId: 2364757858-76046ad1
31/Oct/2016 13:05:57 [nprobe.c:5075] Dumping flow files every 60 sec into directory E:\nprobe
31/Oct/2016 13:05:57 [nprobe.c:5080] WARNING: -n parameter is missing. 127.0.0.1:2055 will be used.
31/Oct/2016 13:05:57 [nprobe.c:7307] Welcome to nProbe v.7.4.160623 for Windows
31/Oct/2016 13:05:57 [plugin.c:1030] 0 plugin(s) enabled
31/Oct/2016 13:05:57 [nprobe.c:6833] Non IPv4/v6 traffic is discarded according to the template
31/Oct/2016 13:05:57 [nprobe.c:5490] Using packet capture length 128
31/Oct/2016 13:05:57 [nprobe.c:7483] IPv6 traffic will NOT be exported/accounted by this probe
31/Oct/2016 13:05:57 [nprobe.c:7484] due to configuration options (e.g. use NetFlow v9)
31/Oct/2016 13:05:57 [nprobe.c:7529] Flows ASs will not be computed (missing GeoIP support)
31/Oct/2016 13:05:57 [nprobe.c:7632] Capturing packets from interface \Device\NPF_{1AECA7A0-923C-4ADF-BB31-46E5A3C131F7} [snaplen: 128 bytes]
31/Oct/2016 13:05:57 [nprobe.c:7855] nProbe started successfully

The resulting text files look like below:

IPV4_SRC_ADDR  IPV4_DST_ADDR  IPV4_NEXT_HOP  INPUT_SNMP  OUTPUT_SNMP  IN_PKTS  IN_BYTES  FIRST_SWITCHED  LAST_SWITCHED  L4_SRC_PORT
10.x.x.x       10.x.x.x       0.0.0.0        0           0            2        1314      1477937430      1477937430     64567
10.x.x.x       10.x.x.x       0.0.0.0        0           0            1        132       1477937430      1477937430     1918
...... continues ......

ALL input interfaces show as "0".

Using Wireshark I have verified the V9/IPFIX NetFlow data IS being delivered and the interface information is in the flowsets.

>> Cisco NetFlow/IPFIX
>>   Version: 9
>>   Count: 38
>>   SysUptime: 261103507
>>   Timestamp: Oct 28, 2016 21:12:22.000000000 EDT
>>   CurrentSecs: 1477703542
>>   FlowSequence: 159997
>>   SourceId: 2304
>>   FlowSet 1
>>     FlowSet Id: (Data) (264)
>>     FlowSet Length: 1336
>>     Flow 1
>>       SrcAddr: 122.x.x.x (122.x.x.x)
>>       DstAddr: 122.x.x.x (122.x.x.x)
>>       IP ToS: 0x68
>>       Protocol: 17
>>       SrcPort: 20903
>>       DstPort: 53
>>       OutputInt: 9      ===> interface number appears (and interface is in fact active)
>>       Direction: Egress (1)
>>       Octets: 79
>>       Packets: 1

What's required to get the interface numbers to be recognized and recorded by nprobe?

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
--
James A. Klun
[email protected]
Security Engineer
(614) 351 - 1237
PGP Key Available by Request

MicroSolved is security expertise you can trust!
HoneyPoint Security Server
Attackers get stung, instead of you!
http://www.microsolved.com/honeypoint
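The question in this thread is whether the INPUT_SNMP / OUTPUT_SNMP values a router puts in its v9 data FlowSets survive into the collector's output. Before blaming the collector, it is worth checking what the exporter's templates actually contain: a collector that prints 0 for a field that was never in the template is indistinguishable from one that received ifIndex 0. The decoder below is an added example written for this page; it is not nProbe code and makes no claim about how nProbe behaves. It keeps templates per (source_id, template_id), counts data FlowSets that arrive before their template (the usual cause of empty output right after a collector restart), and records only the fields each template carries. The two packets are constructed inline: the egress-only template 264 (OUTPUT_SNMP and DIRECTION present, no INPUT_SNMP) is my own construction that loosely mirrors the shape of the Wireshark decode quoted above, and template 256 carries both interface indices. Field type IDs are the standard RFC 3954 values; the exporter addresses and counters are invented.

```python
"""Minimal NetFlow v9 (RFC 3954) decoder that keeps exporter templates and records
only the fields a template actually carries, so "INPUT_SNMP absent from template"
is distinguishable from "router exported ifIndex 0". Added example, not nProbe code."""
import struct
from typing import Dict, List, Tuple

# Standard NetFlow v9 field type IDs (RFC 3954, section 8); only the ones used here.
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 5: "SRC_TOS", 7: "L4_SRC_PORT",
    8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
    14: "OUTPUT_SNMP", 15: "IPV4_NEXT_HOP", 61: "DIRECTION",
}
IPV4_FIELDS = {8, 12, 15}
HEADER = struct.Struct("!HHIIII")  # version, count, sysuptime, unix_secs, seq, source_id


class NetFlowV9Collector:
    def __init__(self) -> None:
        # Templates are scoped by (source_id, template_id): two exporters, or two
        # source ids on one router, may reuse a template id with different fields.
        self.templates: Dict[Tuple[int, int], List[Tuple[int, int]]] = {}
        self.dropped = 0  # data FlowSets that arrived before their template

    def feed(self, pkt: bytes) -> List[dict]:
        """Decode one export packet; returns the flow records it contained."""
        version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(pkt, 0)
        if version != 9:
            raise ValueError(f"not NetFlow v9 (version {version})")
        off, flows = HEADER.size, []
        while off + 4 <= len(pkt):
            fs_id, fs_len = struct.unpack_from("!HH", pkt, off)
            if fs_len < 4 or off + fs_len > len(pkt):
                raise ValueError("bad FlowSet length")
            body = pkt[off + 4:off + fs_len]
            if fs_id == 0:
                self._parse_templates(source_id, body)
            elif fs_id == 1:
                pass  # options templates carry no per-flow interface data; ignored here
            else:
                flows.extend(self._parse_data(source_id, fs_id, body))
            off += fs_len
        return flows

    def _parse_templates(self, source_id: int, body: bytes) -> None:
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, off)
            off += 4
            fields = []
            for _ in range(nfields):
                fields.append(struct.unpack_from("!HH", body, off))  # (type, length)
                off += 4
            self.templates[(source_id, tid)] = fields

    def _parse_data(self, source_id: int, tid: int, body: bytes) -> List[dict]:
        tmpl = self.templates.get((source_id, tid))
        rec_len = sum(flen for _, flen in tmpl) if tmpl else 0
        if rec_len == 0:
            self.dropped += 1  # unknown (or empty) template: cannot decode, skip
            return []
        recs, off = [], 0
        while off + rec_len <= len(body):  # anything shorter than a record is padding
            rec = {}
            for ftype, flen in tmpl:
                raw = body[off:off + flen]
                off += flen
                name = FIELD_NAMES.get(ftype, f"FIELD_{ftype}")
                if ftype in IPV4_FIELDS and flen == 4:
                    rec[name] = ".".join(map(str, raw))
                else:
                    rec[name] = int.from_bytes(raw, "big")
            recs.append(rec)
        return recs


def interface_coverage(flows: List[dict]) -> Dict[str, int]:
    """How many records actually carried each interface field."""
    return {k: sum(1 for f in flows if k in f) for k in ("INPUT_SNMP", "OUTPUT_SNMP")}


# ---- Constructed sample packets (invented data, not a capture) -------------------
def _flowset(fs_id: int, body: bytes) -> bytes:
    body += b"\x00" * (-len(body) % 4)  # pad to a 32-bit boundary
    return struct.pack("!HH", fs_id, 4 + len(body)) + body

def _packet(source_id: int, nrecords: int, *flowsets: bytes) -> bytes:
    return HEADER.pack(9, nrecords, 261103507, 1477703542, 159997, source_id) + b"".join(flowsets)

# Template 264: egress-only records with OUTPUT_SNMP (14) and DIRECTION (61), no INPUT_SNMP (10).
TEMPLATE_264 = struct.pack("!22H", 264, 10, 8, 4, 12, 4, 5, 1, 4, 1, 7, 2, 11, 2, 14, 2, 61, 1, 1, 4, 2, 4)
# Template 256: records carrying both INPUT_SNMP and OUTPUT_SNMP.
TEMPLATE_256 = struct.pack("!14H", 256, 6, 8, 4, 12, 4, 10, 2, 14, 2, 2, 4, 1, 4)

def _rec264(src, dst, sport, dport, out_if, nbytes, npkts):
    return struct.pack("!4s4sBBHHHBII", src, dst, 0x68, 17, sport, dport, out_if, 1, nbytes, npkts)

DATA_264 = _flowset(264, _rec264(bytes([122, 0, 0, 1]), bytes([122, 0, 0, 2]), 20903, 53, 9, 79, 1)
                    + _rec264(bytes([122, 0, 0, 3]), bytes([122, 0, 0, 2]), 40000, 443, 11, 19889754, 18874))
DATA_256 = _flowset(256, struct.pack("!4s4sHHII", bytes([10, 1, 1, 1]), bytes([10, 2, 2, 2]), 2, 5, 133, 3640))

PKT_DATA_BEFORE_TEMPLATE = _packet(2304, 2, DATA_264)  # data arrives, template not yet seen
PKT_WITH_TEMPLATES = _packet(2304, 5, _flowset(0, TEMPLATE_264 + TEMPLATE_256), DATA_264, DATA_256)


def demo():
    c = NetFlowV9Collector()
    early = c.feed(PKT_DATA_BEFORE_TEMPLATE)  # dropped: no template for 264 yet
    later = c.feed(PKT_WITH_TEMPLATES)
    return c, early, later


if __name__ == "__main__":
    c, early, later = demo()
    print(f"data FlowSets dropped before their template arrived: {c.dropped}")
    for f in later:
        print(f)
    print("interface field coverage:", interface_coverage(later))
```

Run it as a script: the first packet yields nothing (its template has not been seen), the second yields three records, and the coverage dict shows that only one of them ever carried INPUT_SNMP. The same check applied to a real capture, by feeding the UDP payloads Wireshark shows as "Cisco NetFlow/IPFIX", tells you whether the 0 values in the collector's text files correspond to a field the router never exported for that template, which is a question to settle on the exporter side before tuning the collector.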
