Hello, I have ntopng running fine capturing packets redirected from my ASA via a SPAN port. Since I cannot use this setup in a VM (right now it is running on real hardware), I would like to use either ntopng or nprobe as a Netflow collector.
I have confirmed with tcpdump that Netflow flows are coming from the ASA unit on UDP:2055. I was unable to find a way/command to start ntopng as a pure Netflow collector (listening on UDP:2055); I tried the following options, with different errors:

ntopng -i "tcp://127.0.0.1:2055"   [no info displayed in the web interface]
ntopng -i "udp://127.0.0.1:2055"   [ERROR: could not open pcap file: udp://127.0.0.1:2055: No such file or directory]

From what I read at http://www.ntop.org/nprobe/why-nprobejsonzmq-instead-of-native-sflownetflow-support-in-ntopng/ it seems that ntopng will not consume NetFlow flows, but rather ZMQ flows from nprobe. I have tried that setup with nprobe v.6.15.131213, and while I get it to listen (it shows "Flow collector listening on port 2055 (IPv4/v6)"), and I see port TCP:5556 open, ntopng does not seem to consume/connect to nprobe, in spite of stating "Collecting flows..." after initialization. The web interface for ntopng reads "No packet has been received yet on interface [email protected]:5556", which is confusing, as I thought that ntopng would poll packets from nprobe, as stated in the document referenced above.

Command lines used:

ntopng -i "nprobe-collector.lua@tcp://127.0.0.1:5556"
nprobe --zmq "tcp://*:5556" -i none -n none --collector-port 2055 --city-list /usr/local/nprobe/GeoLiteCity.dat

Note: I just ran nprobe with -b 1 and apparently it is not getting any data from the Netflow flows (checked after a few minutes).
It is collecting packets, but not processing any:

13/Dec/2013 16:39:25 [nprobe.c:2178] Average traffic: [0.00 pps][0 b/sec]
13/Dec/2013 16:39:25 [nprobe.c:2185] Current traffic: [0.00 pps][0 b/sec]
13/Dec/2013 16:39:25 [nprobe.c:2191] Current flow export rate: [0.0 flows/sec]
13/Dec/2013 16:39:25 [nprobe.c:2194] Flow drops: [export queue too long=0][too many flows=0]
13/Dec/2013 16:39:25 [nprobe.c:2198] Export Queue: 0/512000 [0.0 %]
13/Dec/2013 16:39:25 [nprobe.c:2203] Flow Buckets: [active=0][allocated=0][toBeExported=0]
13/Dec/2013 16:39:25 [cache.c:850] Redis Cache [0 total/0.0 get/sec][0 total/0.0 set/sec]
13/Dec/2013 16:39:25 [nprobe.c:2221] Collector Threads: [644 pkts@0]
13/Dec/2013 16:39:25 [nprobe.c:2045] Processed packets: 0 (max bucket search: 0)
13/Dec/2013 16:39:25 [nprobe.c:2028] Fragment queue length: 0
13/Dec/2013 16:39:25 [nprobe.c:2054] Flow export stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
13/Dec/2013 16:39:25 [nprobe.c:2061] Flow collection: [collected pkts: 644][processed flows: 0]   <------- See here
13/Dec/2013 16:39:25 [nprobe.c:2064] Flow drop stats: [0 bytes/0 pkts][0 flows]
13/Dec/2013 16:39:25 [nprobe.c:2069] Total flow stats: [0 bytes/0 pkts][0 flows/0 pkts sent]

Versions:
nProbe.x86_64 6.15.131213-3810 @ntop
ntopng.x86_64 1.1.1_7107-7107 @ntop
ntopng-data.x86_64 1.1.1_7107-7107 @ntop
pfring.x86_64 5.6.2-7113 @ntop
ntopng-data.x86_64 _7113-7113 ntop

Based on this:
Is it possible to use ntopng to receive Netflow flows from an ASA unit? Can you provide an example command line?
Is the nprobe/ntopng setup correct? Why would ntopng not collect any data?
Thank you for your help,
Pablo Destefanis

------
Startup screens follow:

NPROBE
[root@hqsys2 ntopng]# nprobe --zmq "tcp://*:5556" -i none -n none --collector-port 2055 --city-list /usr/local/nprobe/GeoLiteCity.dat
13/Dec/2013 16:41:19 [nprobe.c:5673] ERROR: Invalid or missing nProbe license (/etc/nprobe.license)
13/Dec/2013 16:41:19 [nprobe.c:5683] ERROR: for 6F087510910461D2
13/Dec/2013 16:41:19 [nprobe.c:5688] ERROR: ***************************************************
13/Dec/2013 16:41:19 [nprobe.c:5689] ERROR: **                                               **
13/Dec/2013 16:41:19 [nprobe.c:5690] ERROR: ** Switching to DEMO MODE due to license error   **
13/Dec/2013 16:41:19 [nprobe.c:5691] ERROR: **                                               **
13/Dec/2013 16:41:19 [nprobe.c:5692] ERROR: ** Create your nProbe license at                 **
13/Dec/2013 16:41:19 [nprobe.c:5693] ERROR: ** http://www.nmon.net/mklicense/                **
13/Dec/2013 16:41:19 [nprobe.c:5694] ERROR: **                                               **
13/Dec/2013 16:41:19 [nprobe.c:5695] ERROR: ***************************************************
13/Dec/2013 16:41:19 [nprobe.c:5715] ERROR: ***************************************************************
13/Dec/2013 16:41:19 [nprobe.c:5716] ERROR: * NOTE: This is a DEMO version limited to 25000 flows export. *
13/Dec/2013 16:41:19 [nprobe.c:5717] ERROR: ***************************************************************
13/Dec/2013 16:41:19 [plugin.c:161] No plugins found in ./plugins
13/Dec/2013 16:41:19 [nprobe.c:3628] Succesfully created ZMQ endpoint tcp://*:5556
13/Dec/2013 16:41:19 [util.c:344] GeoIP: loaded cities config file /usr/local/nprobe/GeoLiteCity.dat
13/Dec/2013 16:41:19 [util.c:353] GeoIP: loaded IPv6 cities config file /usr/local/nprobe/GeoLiteCityv6.dat
13/Dec/2013 16:41:19 [nprobe.c:3795] WARNING: The output interfaceId is set to 0: did you forget to use -Q perhaps ?
13/Dec/2013 16:41:19 [nprobe.c:3798] WARNING: The input interfaceId is set to 0: did you forget to use -u perhaps ?
13/Dec/2013 16:41:19 [nprobe.c:3802] WARNING: You have specified --zmq and not specified -n.
13/Dec/2013 16:41:19 [nprobe.c:3803] WARNING: We believe you want to use just ZMQ and no netflow export
13/Dec/2013 16:41:19 [nprobe.c:3804] WARNING: Setting flow export to -n none
13/Dec/2013 16:41:19 [nprobe.c:3858] Welcome to nprobe v.6.15.131213 ($Revision: 3810 $) for x86_64-unknown-linux-gnu with native PF_RING acceleration
13/Dec/2013 16:41:19 [nprobe.c:3871] nProbe SystemId: 6F087510910461D2
13/Dec/2013 16:41:19 [dbPlugin.c:78] Initializing DB plugin
13/Dec/2013 16:41:19 [nprobe.c:5733] Welcome to nprobe v.6.15.131213 for x86_64-unknown-linux-gnu
13/Dec/2013 16:41:19 [nprobe.c:4943] GEO-533LITE 20090701 Build 1 Copyright (c) 2007 MaxMind LLC All Rights Reserved
13/Dec/2013 16:41:19 [plugin.c:872] 0 plugin(s) enabled
13/Dec/2013 16:41:19 [util.c:308] GeoIP: loaded AS config file /usr/local/nprobe/GeoIPASNum.dat
13/Dec/2013 16:41:19 [util.c:317] GeoIP: loaded AS IPv6 config file /usr/local/nprobe/GeoIPASNumv6.dat
13/Dec/2013 16:41:19 [nprobe.c:4379] Using packet capture length 128
13/Dec/2013 16:41:19 [nprobe.c:5909] IPv6 traffic will NOT be exported/accounted by this probe
13/Dec/2013 16:41:19 [nprobe.c:5910] due to configuration options (e.g. use NetFlow v9)
13/Dec/2013 16:41:19 [nprobe.c:6038] Not capturing packet from interface (collector mode)
13/Dec/2013 16:41:19 [collect.c:156] Flow collector listening on port 2055 (IPv4/v6)

NTOPNG:
[root@hqsys2 ~]# ntopng -i "tcp://127.0.0.1:5556"
13/Dec/2013 16:59:46 [Ntop.cpp:457] Setting local networks to 192.168.1.0/24,0.0.0.0/32,224.0.0.0/8,239.0.0.0/8,255.255.255.255/32,127.0.0.0/8
13/Dec/2013 16:59:46 [Ntop.cpp:564] Registered interface [email protected]:5556 [id: 0]
13/Dec/2013 16:59:46 [Utils.cpp:238] User changed to nobody
13/Dec/2013 16:59:46 [main.cpp:147] PID stored in file /var/tmp/ntopng.pid
13/Dec/2013 16:59:46 [HTTPserver.cpp:363] HTTP server listening on port 3000 [/usr/local/share/ntopng/httpdocs][/usr/local/share/ntopng/scripts]
13/Dec/2013 16:59:46 [main.cpp:179] Using RRD version 1.4.7
13/Dec/2013 16:59:46 [main.cpp:188] Working directory: /var/tmp/ntopng
13/Dec/2013 16:59:46 [main.cpp:190] Scripts/HTML pages directory: /usr/local/share/ntopng
13/Dec/2013 16:59:46 [Ntop.cpp:161] Welcome to ntopng x86_64 v.1.1.1 (r) - (C) 1998-13 ntop.org
13/Dec/2013 16:59:46 [Redis.cpp:47] Successfully connected to Redis 127.0.0.1:6379
13/Dec/2013 16:59:46 [PeriodicActivities.cpp:53] Started periodic activities loop...
13/Dec/2013 16:59:46 [NetworkInterface.cpp:634] Started packet polling on interface [email protected]:5556...
13/Dec/2013 16:59:46 [CollectorInterface.cpp:100] Collecting flows...
_______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
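The post above shows nprobe counting "collected pkts: 644" while "processed flows: 0". A useful check before debugging the nprobe/ntopng side is to look at what the exporter is actually putting on UDP/2055: which NetFlow version the header announces, and, for NetFlow v9, whether the data FlowSets are accompanied by the template FlowSets that a collector needs before it can decode any record (v9 collectors can only count, not decode, data records whose template has not arrived yet). The script below is an added example written for this page, not code from the ntop project or from the poster. It parses NetFlow v5, v9 and IPFIX headers and walks v9 FlowSets; the packets it feeds itself are constructed in code, not captured from an ASA, and the field ids come from RFC 3954. In a real check you would replace the constructed packets with the payload of a UDP datagram read from a socket bound to port 2055 or from a tcpdump capture.

```python
"""Inspect NetFlow v5/v9/IPFIX payloads and decode v9 data records via learned templates.
Added example for this page; sample packets are constructed below, not captured."""
import socket
import struct
from typing import Dict, List, Tuple

# NetFlow v9 field type ids, RFC 3954 (subset used by the constructed template).
FIELD_NAMES = {1: "IN_BYTES", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
Templates = Dict[int, List[Tuple[int, int]]]   # template id -> [(field type, length), ...]


def parse_header(payload: bytes) -> Dict[str, int]:
    """Return the export version, record count or length, sequence number and header size."""
    (version,) = struct.unpack_from("!H", payload, 0)
    if version == 5:    # 24-byte header
        count, _up, _secs, _nsecs, seq, _etype, _eid, _smp = struct.unpack_from("!HIIIIBBH", payload, 2)
        return {"version": 5, "count": count, "sequence": seq, "header_len": 24}
    if version == 9:    # 20-byte header
        count, _up, _secs, seq, source_id = struct.unpack_from("!HIIII", payload, 2)
        return {"version": 9, "count": count, "sequence": seq, "source_id": source_id, "header_len": 20}
    if version == 10:   # IPFIX, 16-byte header
        length, _export_time, seq, domain = struct.unpack_from("!HIII", payload, 2)
        return {"version": 10, "length": length, "sequence": seq, "domain_id": domain, "header_len": 16}
    raise ValueError(f"not NetFlow v5/v9 or IPFIX: version field is {version}")


def decode_field(ftype: int, raw: bytes):
    """IPv4 address fields become dotted quads, everything else a big-endian integer."""
    if ftype in (8, 12) and len(raw) == 4:
        return socket.inet_ntoa(raw)
    return int.from_bytes(raw, "big")


def parse_v9(payload: bytes, templates: Templates) -> Tuple[List[dict], int]:
    """Walk the FlowSets of one v9 packet. Learns templates (FlowSet id 0), decodes data
    FlowSets (id >= 256) whose template is known, and counts data FlowSets that cannot be
    decoded because their template has not been seen. Options templates (id 1) are skipped."""
    hdr = parse_header(payload)
    if hdr["version"] != 9:
        raise ValueError("parse_v9 expects a NetFlow v9 packet")
    off, records, undecodable = hdr["header_len"], [], 0
    while off + 4 <= len(payload):
        fs_id, fs_len = struct.unpack_from("!HH", payload, off)
        if fs_len < 4 or off + fs_len > len(payload):
            raise ValueError("truncated or malformed FlowSet")
        body = payload[off + 4:off + fs_len]
        if fs_id == 0:                                   # template FlowSet
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, p)
                p += 4
                if tid == 0 and nfields == 0:            # zero padding, not a template
                    break
                if p + 4 * nfields > len(body):
                    raise ValueError("truncated template record")
                templates[tid] = [struct.unpack_from("!HH", body, p + 4 * i) for i in range(nfields)]
                p += 4 * nfields
        elif fs_id >= 256:                               # data FlowSet
            tmpl = templates.get(fs_id)
            if tmpl is None:
                undecodable += 1                         # template not received (yet)
            else:
                rec_len = sum(flen for _, flen in tmpl)
                p = 0
                while p + rec_len <= len(body):          # leftover bytes are padding
                    rec = {}
                    for ftype, flen in tmpl:
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[p:p + flen])
                        p += flen
                    records.append(rec)
        off += fs_len
    return records, undecodable


# --- constructed sample packets (not captured from an ASA) ---------------------------
def v9_header(count: int, seq: int, source_id: int = 0) -> bytes:
    return struct.pack("!HHIIII", 9, count, 0, 0, seq, source_id)


def build_template_packet() -> bytes:
    """Template 256: src/dst IPv4, src/dst port, protocol, byte count."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)]
    body = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return v9_header(1, 1) + struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_packet(seq: int) -> bytes:
    """One record for template 256, padded to a 4-byte boundary as exporters commonly do."""
    rec = socket.inet_aton("10.0.0.5") + socket.inet_aton("192.168.1.10") + struct.pack("!HHBI", 51234, 443, 6, 1500)
    rec += b"\x00" * (-len(rec) % 4)
    return v9_header(1, seq) + struct.pack("!HH", 256, 4 + len(rec)) + rec


def demo() -> Tuple[int, int, List[dict]]:
    """Data arriving before its template cannot be decoded; after the template it can."""
    templates: Templates = {}
    early, undecodable_before = parse_v9(build_data_packet(1), templates)
    parse_v9(build_template_packet(), templates)
    late, undecodable_after = parse_v9(build_data_packet(2), templates)
    return undecodable_before, undecodable_after, early + late


if __name__ == "__main__":
    print(parse_header(build_template_packet()))
    print(demo())
```

Run against real traffic, a stream of data FlowSets with `undecodable` staying above zero means the templates are not reaching the collector (or are being sent too rarely), which a plain packet count on the collector port will never reveal.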
