Exactly what I am referring to. Your plight sounds exactly like mine as I just got bit by this and wasted Luca and crew's time sorting it out. Ubuntu runs RPF check in the kernel and if the Netflow traffic arrives on an interface that doesn't have a route back to the source via the interface it was received on, the kernel rejects it.
You can verify by running netcat -lu 2055 | hexdump -C after starting the netflow feed from the router. Tcpdump runs at the interface pre RPF check, Netcat will bind to the port and tell you if the kernel passed the traffic. If you do not see traffic data, it's being dropped before nProbe can capture it. On Mon, Dec 21, 2015 at 3:54 PM, Yasser Slarmie <[email protected]> wrote: > Ntop and nprobe are on the same server. Are you perhaps alluding to urpf > that may be breaking things? The netflow packets arrive on the server, so I > believe nprobe should be able to interpret it without any routing back to > the source or requiring to do so. > > Sent from my Windows Phone > ------------------------------ > From: Erik Schmersal <[email protected]> > Sent: 2015-12-21 07:37 PM > > To: [email protected] > Subject: Re: [Ntop-misc] nprobe + ntopng WLAN fields query > > Is netflow being received on the same interface where Ubuntu's default > route pointing out of? Or is the route back to the flow source pointing out > the same interface that the flows are coming in on? > > On Mon, Dec 21, 2015 at 9:24 AM, Yasser Slarmie <[email protected]> > wrote: > > Hi Eric, > > My commands are: > > ntopng -i tcp://127.0.0.1:2055 & > > nprobe --zmq "tcp://127.0.0.1:2055" --collector-port 9991 -i none -n none > -b 1 & > > Regards, > Yasser > > ------------------------------ > From: [email protected] > Date: Mon, 21 Dec 2015 07:59:00 -0600 > To: [email protected] > Subject: Re: [Ntop-misc] nprobe + ntopng WLAN fields query > > > Can you post your nProbe and nTop commands? > > On Dec 21, 2015, at 03:29, Yasser Slarmie <[email protected]> wrote: > > Hello guys, > > I don't know how to bottom-post on a thread from April 2015, but the above > subject line is still the same. > > I'm implementing ntopng and nprobe for a University (so professional > license is installed and working) and they want to test it specifically for > netflow exports coming from their 6 Cisco Wireless LAN Controllers. > > I have ntopng and nprobe setup but the GUI doesn't interpret any of the > received netflow data. The packets do arrive on the Ubuntu server though. > As a test, I exported traffic from their Cisco 6500 switch, and the GUI > displays the data correctly. > > I took a pcap dump of the received WLC traffic. It's available here: > http://1drv.ms/1mf2iuC > > Could someone please help with what I should do to get the data to display? > > Kind regards, > Yasser > > > _______________________________________________ > Ntop-misc mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-misc > > > _______________________________________________ Ntop-misc mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-misc > > _______________________________________________ > Ntop-misc mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-misc > > > > _______________________________________________ > Ntop-misc mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-misc >
_______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
