Hi Sergey,

nprobe is not a general-purpose collector. At the moment we collect only the base IPFIX/NetFlow files plus something extra such as the PaloAlto L7 protocol Id.

Regards
Luca

> On 29 Jun 2015, at 10:13, Сергей Башлыкевич <[email protected]> wrote:
>
> Hello!
>
> It seems that nprobe-collector does not process some fields in IPFIX flow.
>
> My steps:
> 1. nprobe is running as probe:
> ./nprobe -n 127.0.0.1:2055 -i eth1 -f "tcp and (port
> 80 or 443)" -u 1 -Q 2 -F 600 -t 60 -d 15 -D t -V 10 -T
> "%FLOW_START_MILLISECONDS %FLOW_END_MILLISECONDS %IPV4_SRC_ADDR %L4_SRC_PORT
> %IPV4_DST_ADDR %L4_DST_PORT %IN_PKTS %IN_BYTES %OUT_PKTS %OUT_BYTES %PROTOCOL
> %HTTP_HOST %HTTP_URL" -G
>
> 2. nprobe is running as IPFIX collector:
> ./nprobe -n none -3 2055 -P /var/flows -D t --dont-nest-dump-dirs -V 10 -T "
> %FLOW_START_MILLISECONDS %FLOW_END_MILLISECONDS %IPV4_SRC_ADDR %L4_SRC_PORT
> %IPV4_DST_ADDR %L4_DST_PORT %IN_PKTS %IN_BYTES %OUT_PKTS %OUT_BYTES %PROTOCOL
> %HTTP_HOST %HTTP_URL" -G
>
> The result: nprobe#2 doesn't save to disk the last two fields of IPFIX statistics
> (%HTTP_HOST %HTTP_URL). It's notable that these fields are sent & received
> (tcpdump proves it).
> FLOW_START_MILLISECONDS|FLOW_END_MILLISECONDS|IPV4_SRC_ADDR|L4_SRC_PORT|IPV4_DST_ADDR|L4_DST_PORT|IN_PKTS|IN_BYTES|OUT_PKTS|OUT_BYTES|PROTOCOL|HTTP_HOST|HTTP_URL
> 1435056783000|1435056783000|192.168.17.222|17233|178.124.129.14|80|6|2394|9|3670|6||
> 1435056783000|1435056783000|192.168.17.222|17219|178.124.129.14|80|8|3691|21|18886|6||
>
> How can I get HTTP_HOST & HTTP_URL at collector's side? Is it a bug?
>
> Thanks!
>
> Best regards,
> Sergey Bashlykevich,
> Minsk, Belarus.
> _______________________________________________
> Ntop-misc mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
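A check for the symptom reported in this thread, as an added example that is not part of the original messages or of nprobe: it compares the `-T` template with a pipe-delimited dump and lists requested fields that are missing from the header or empty in every record. The helper name `audit_dump` is hypothetical; the template and dump lines are the ones quoted in the post.

```python
# Added example: audit an nprobe text dump against the -T template.
# audit_dump is a hypothetical helper, not part of nprobe.

# -T template given to both the probe and the collector in the post.
TEMPLATE = ("%FLOW_START_MILLISECONDS %FLOW_END_MILLISECONDS %IPV4_SRC_ADDR "
            "%L4_SRC_PORT %IPV4_DST_ADDR %L4_DST_PORT %IN_PKTS %IN_BYTES "
            "%OUT_PKTS %OUT_BYTES %PROTOCOL %HTTP_HOST %HTTP_URL")

# Dump lines quoted in the post: header row plus two flow records.
DUMP = """\
FLOW_START_MILLISECONDS|FLOW_END_MILLISECONDS|IPV4_SRC_ADDR|L4_SRC_PORT|IPV4_DST_ADDR|L4_DST_PORT|IN_PKTS|IN_BYTES|OUT_PKTS|OUT_BYTES|PROTOCOL|HTTP_HOST|HTTP_URL
1435056783000|1435056783000|192.168.17.222|17233|178.124.129.14|80|6|2394|9|3670|6||
1435056783000|1435056783000|192.168.17.222|17219|178.124.129.14|80|8|3691|21|18886|6||
"""


def audit_dump(template, dump_text):
    """Return (missing, never_filled, bad_rows).

    missing      - template fields absent from the dump header
    never_filled - template fields in the header that are empty in every record
    bad_rows     - line numbers (counted over non-blank lines, header = 1)
                   whose column count differs from the header
    """
    wanted = [f.lstrip("%") for f in template.split()]
    lines = [l for l in dump_text.splitlines() if l.strip()]
    header = lines[0].split("|")
    missing = [f for f in wanted if f not in header]
    filled = dict.fromkeys(header, 0)
    bad_rows, good = [], 0
    for lineno, line in enumerate(lines[1:], start=2):
        rec = line.split("|")
        if len(rec) != len(header):
            bad_rows.append(lineno)  # truncated or corrupted record
            continue
        good += 1
        for name, value in zip(header, rec):
            filled[name] += bool(value.strip())
    # Only meaningful when at least one well-formed record was seen.
    never_filled = [f for f in wanted if good and f in filled and not filled[f]]
    return missing, never_filled, bad_rows


if __name__ == "__main__":
    missing, never_filled, bad_rows = audit_dump(TEMPLATE, DUMP)
    print("not in header: ", missing)
    print("always empty:  ", never_filled)
    print("malformed rows:", bad_rows)
```

Run against a collector's dump directory after any template change, an always-empty column shows that a field is being received but not persisted before anything downstream starts relying on it.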
