Charles, can you please send me (not to the list) a pcap file (full packet size) so I can see what type of info Juniper sends to nprobe. Please make sure that wireshark can decode the file (i.e. it includes flows and templates).
Thanks Luca

> On 24 Apr 2015, at 22:09, Charles Dunbar <[email protected]> wrote:
>
> I'm trying to use nProbe (v.7.0.141203 (r4553)) with the following setup:
>
> juniper ex switch --- sflow/jflow udp 6343 ---> nProbe --- udp 2055 --> collector
>
> I'd eventually like to convert from Juniper's sflow/jflow to netflow v9, but
> from what I can tell, nProbe isn't sending anything to the collector.
>
> I've found http://www.gossamer-threads.com/lists/ntop/misc/31468 and given a
> similar command a try, but even after running nprobe for a few minutes and
> seeing sflow come into the box from tcpdump, when I close nprobe, it claims:
>
> 24/Apr/2015 12:51:28 [plugin.c:270] Terminating plugins.
> 24/Apr/2015 12:51:28 [nprobe.c:4570] Still allocated 0 hash buckets
> 24/Apr/2015 12:51:28 [nprobe.c:2294] Processed packets: 0 (max bucket search: 0)
> 24/Apr/2015 12:51:28 [nprobe.c:2277] Fragment queue length: 0
> 24/Apr/2015 12:51:28 [nprobe.c:2303] Flow export stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
> 24/Apr/2015 12:51:28 [nprobe.c:2310] Flow collection: [collected pkts: 0][processed flows: 0]
> 24/Apr/2015 12:51:28 [nprobe.c:2313] Flow drop stats: [0 bytes/0 pkts][0 flows]
> 24/Apr/2015 12:51:28 [nprobe.c:2318] Total flow stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
>
> I've tried a handful of commands, including:
>
> nprobe --collector-port 6343 -n <ip>:2055
> nprobe -3 6343 -i none -n <ip>:2055 -m 1 -z 1
> nprobe --collector-port 6343 -i none -n none -P /tmp/flows -D t
>
> When I add -i and my interface, my collector does receive some occasional
> flows, due to me being ssh'd into the machine.
>
> I can't seem to get any output from nprobe once it has started until I close
> the program. Again, I'm seeing traffic from the switch to 6343 on the nprobe
> server from tcpdump, but even with -b 2 and --debug, I simply get:
>
> 24/Apr/2015 13:01:53 [collect.c:99] Created UDP sockets
> 24/Apr/2015 13:01:53 [collect.c:158] Flow collector listening on port 6343 (IPv4/v6)
> 24/Apr/2015 13:01:53 [nprobe.c:6553] WARNING: *****************************************
> 24/Apr/2015 13:01:53 [nprobe.c:6554] WARNING: ** You're running nprobe in DEBUG mode **
> 24/Apr/2015 13:01:53 [nprobe.c:6555] WARNING: *****************************************
> 24/Apr/2015 13:01:53 [nprobe.c:6572] Starting 1 packet fetch thread(s)
> 24/Apr/2015 13:01:53 [nprobe.c:6660] nProbe started successfully
> 24/Apr/2015 13:01:53 [engine.c:3073] Starting bucket dequeue thread
>
> The only thing I could think of that may be the issue is my sampling from the
> Juniper is currently set to 1 in every 5000, as I'm not trying to stress the
> production network at the moment. Has anyone gotten a setup like this to
> work, or know any additional debugging tips to see why nprobe is ignoring the
> flows?
>
> Thanks,
>
> Charles
> _______________________________________________
> Ntop-misc mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
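Added example (not part of the original thread, and not ntop code): a quick way to check what kind of export the switch is actually sending on UDP 6343, and whether a NetFlow v9/IPFIX datagram carries the templates needed to decode its data records, which is what the request for a capture with "flows and templates" is about. The function name and the sample payloads are constructed for illustration; the input is assumed to be the raw UDP payload of one datagram taken from a capture.

```python
import struct

def classify_export(payload: bytes) -> dict:
    """Identify the flow-export protocol of one UDP payload and, for
    NetFlow v9 / IPFIX, count template sets and data sets."""
    if len(payload) < 8:
        return {"proto": "unknown"}
    (v16,) = struct.unpack_from("!H", payload, 0)
    v32, addr_type = struct.unpack_from("!II", payload, 0)
    # sFlow v5: 32-bit version 5, then agent address type 1 (IPv4) or 2 (IPv6)
    if v32 == 5 and addr_type in (1, 2):
        return {"proto": "sflow5"}
    if v16 == 5:
        return {"proto": "netflow5"}  # fixed record layout, no templates
    if v16 == 9:
        # 20-byte header; flowset 0 = template, 1 = options template
        proto, off, tmpl_ids = "netflow9", 20, (0, 1)
    elif v16 == 10:
        # 16-byte header; set 2 = template, 3 = options template
        proto, off, tmpl_ids = "ipfix", 16, (2, 3)
    else:
        return {"proto": "unknown"}
    templates = data = 0
    while off + 4 <= len(payload):
        set_id, set_len = struct.unpack_from("!HH", payload, off)
        if set_len < 4:          # malformed set length: stop walking
            break
        if set_id in tmpl_ids:
            templates += 1
        elif set_id >= 256:      # data sets reference a template id >= 256
            data += 1
        off += set_len
    return {"proto": proto, "templates": templates, "data": data}

# Constructed sample payloads (not taken from a real capture)
SFLOW = struct.pack("!II", 5, 1) + bytes(20)
V9_HDR = struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0)
V9_TEMPLATE = struct.pack("!HHHHHH", 0, 12, 256, 1, 1, 4)  # template 256, one field
V9_DATA = struct.pack("!HH", 256, 8) + bytes(4)            # one 4-byte record

if __name__ == "__main__":
    for name, p in [("sflow", SFLOW),
                    ("v9 template+data", V9_HDR + V9_TEMPLATE + V9_DATA),
                    ("v9 data only", V9_HDR + V9_DATA)]:
        print(name, classify_export(p))
```

A capture in which every v9/IPFIX datagram reports zero templates cannot be decoded by Wireshark, because the data records are only meaningful together with the template they reference.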
