Hi Simone,
Le ven. 12 oct. 2018 à 19:19, Simone Mainardi <maina...@ntop.org> a écrit : > Hello, > > On 12 Oct 2018, at 10:52, BASSAGET Cédric <cedric.bassaget...@gmail.com> > wrote: > > Hello, > I'm trying to make nprobe work with IPFIX and ntopng, but data displayed > by ntopng is inconsistent. > > Here's the path my netflow packets take : > router -> nprobe:6345 -> ntopNG:6445. > (nprobe and ntopng services are on the same host.) > > nprobe runs with : (cat /etc/nprobe/nprobe.conf) > -i=any > > > set to > > -i=none > > -n=none > --collector-port=6345 > --zmq tcp://*:6445 > > %EXPORTER_IPV4_ADDRESS > -T "@NTOPNG@" > > > exporter ipv4 address must go into the template:: > > -T "@NTOPNG@ %EXPORTER_IPV4_ADDRESS" > @NTOPNG@ already includes %EXPORTER_IPV4_ADDRESS > > > > ntopng runs with : (cat /etc/ntopng/ntopng.conf) > -i="tcp://127.0.0.1:6445" > -m=<my local subnet> > -F="mysql;/var/run/mysqld/mysqld.sock;ntopng;flows-%Y.%m.%d;ntopng;ntopng" > > > -F contains duplicated conf. Check that. > from man page : Example -F "mysql;localhost;ntopng;flows-%Y.%m.%d;root;". as the last "ntopng" is my password, I do not see what is duplicated. > > I have two hosts sending netflow to nprobe. I don't see two interfaces in > ntopng. any reason why ? > > > Visit ntopng preferences, enable interfaces disaggregation on the basis of > the probe ip, and then restart ntopng > Done, works fine. > > Trafic one one of the hosts which sends netflow to nprobe is always > >100mb/s. In ntopng graphs, I do not see this value. It moves between 1 and > 10mb/s. why ? > > > see this explanation: > https://github.com/ntop/ntopng/issues/1359#issuecomment-320949928 > I don't think it's related to this, as the host which sends netflows is a BGP router and handles a lot of trafic from different sources. TCP sessions may be relatively short. I'm still seeing a difference between real trafic on my bgp router and data gathered by nprobe from netflows. My netflow exporter has a samplign rate defined to 10, so has my ntopng interface. Running iftoip and other monitoring tools always shows more than 100mb/s RX. Graph at the bottom of ntopng page shows completely different values (often around 10Mb/s) Historical page of interface shows a max value of 54Mb/s but my max value on host is around 270Mb/s... My exporter is pmacct, how to check if it sends cumulative counters or not ? Regards, Cédric > > > Regards, > Simone > > > I'm running ntop/nprobe from ntop debian repositories, latest version > (upgraded this morning). > > Regards > Cédriic > _______________________________________________ > Ntop mailing list > Ntop@listgateway.unipi.it > http://listgateway.unipi.it/mailman/listinfo/ntop > > > _______________________________________________ > Ntop mailing list > Ntop@listgateway.unipi.it > http://listgateway.unipi.it/mailman/listinfo/ntop
_______________________________________________ Ntop mailing list Ntop@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop
