Hello! It seems that nprobe-collector does not process some fields in the IPFIX flow.
My steps:

1. nprobe is running as probe:

    ./nprobe -n 127.0.0.1:2055 -i eth1 -f "tcp and (port 80 or 443)" -u 1 -Q 2 -F 600 -t 60 -d 15 -D t -V 10 -T "%FLOW_START_MILLISECONDS %FLOW_END_MILLISECONDS %IPV4_SRC_ADDR %L4_SRC_PORT %IPV4_DST_ADDR %L4_DST_PORT %IN_PKTS %IN_BYTES %OUT_PKTS %OUT_BYTES %PROTOCOL %HTTP_HOST %HTTP_URL" -G

2. nprobe is running as IPFIX collector:

    ./nprobe -n none -3 2055 -P /var/flows -D t --dont-nest-dump-dirs -V 10 -T " %FLOW_START_MILLISECONDS %FLOW_END_MILLISECONDS %IPV4_SRC_ADDR %L4_SRC_PORT %IPV4_DST_ADDR %L4_DST_PORT %IN_PKTS %IN_BYTES %OUT_PKTS %OUT_BYTES %PROTOCOL %HTTP_HOST %HTTP_URL" -G

The result: nprobe#2 doesn't save the last two fields of the IPFIX statistics (%HTTP_HOST %HTTP_URL) to disk. It's notable that these fields are sent & received (tcpdump proves it).

    FLOW_START_MILLISECONDS|FLOW_END_MILLISECONDS|IPV4_SRC_ADDR|L4_SRC_PORT|IPV4_DST_ADDR|L4_DST_PORT|IN_PKTS|IN_BYTES|OUT_PKTS|OUT_BYTES|PROTOCOL|HTTP_HOST|HTTP_URL
    1435056783000|1435056783000|192.168.17.222|17233|178.124.129.14|80|6|2394|9|3670|6||
    1435056783000|1435056783000|192.168.17.222|17219|178.124.129.14|80|8|3691|21|18886|6||

How can I get HTTP_HOST & HTTP_URL on the collector's side? Is it a bug?

Thanks!

Best regards,
Sergey Bashlykevich,
Minsk, Belarus.
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
