I'm realizing that I don't understand how NetFlow records flow from an agent
through nProbe to nTopng.

Here's what I think I'm doing:

Sflow Agents ----------> nProbe ----------> ntopng
dc-a-rtr                 ganesh             ganesh
dc-b-rtr
where 'dc-a-rtr' and 'dc-b-rtr' are Cisco Nexus and 'ganesh' is a CentOS 7 box
running both nprobe and ntopng
wireshark on ganesh verifies that dc-a-rtr is sending sflow records to ganesh
on UDP Port 6343
dc-a-rtr: show config
sflow data-source interface port-channel1
sflow data-source interface port-channel2
sflow data-source interface port-channel3
[...]
ganesh# ps -ef | grep nprobe
root 13330 12349 0 13:28 pts/0 00:00:49 nprobe --syslog ganesh
--zmq=tcp://127.0.0.1:5556 -i none -n none -b 0 --collector-port=6343
--redis=localhost --local-networks=10.0.0.0/8
ganesh# cat /etc/ntopng/ntopng.conf
--pid-path=/var/tmp/ntopng.pid
--dns-mode=1
--interface=tcp://127.0.0.1:5556
--categorization-key={...}
--daemon
--http-port=8080
--disable-login=1
--local-networks=10.0.0.0/8
--redis=localhost
Ganesh#
Pointing a browser at ganesh:8080 gives me a GUI updating statistics in
real-time. So far, so good. And I have a mental model for how data is flowing
from the agents (via UDP Port 6343) to nprobe (which receives data on UDP Port
6343, transforms it into JSON and transmits it via ZMQ to 127.0.0.1:5556).
Ntopng is listening via ZMQ on 127.0.0.1:5556, consumes the JSON it receives
there, and does neat things with it.
But as I examine the GUI, I don't see a way to distinguish between dc-a-rtr and
dc-b-rtr ... nor a way to distinguish between each interface on each box. The
only Interface available via the GUI is "tcp://127.0.0.1:5556"
Seems like all the sflow records I am sending to ntopng get combined into one
display. I can see advantages to this display ... but for the moment, I would
prefer to split out each interface from each agent and thus examine traffic
flows on a more granular level, i.e. "per interface per agent". I was
imagining that I would get this by default, that agent & interface information
is encoded in the sflow records and that ntopng would magically split them out.
But clearly, my imagination is outpacing reality.
Conceptually, what is happening here?
- Is ntopng combining all the sflow records it is receiving and presenting a
  'summary' of them all?
- How would I go about separating by box?
  - Would I spin up multiple instances of nprobe, say, one instance per agent?
--sk
Stuart Kendrick
System Engineer
Allen Institute
615 Westlake Ave. N.
Seattle, WA 98109
T: 206.548.8465
E: [email protected]
www.alleninstitute.org
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
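The post assumes that agent and interface information is encoded in the sflow records. It is: every sFlow v5 datagram carries the agent's IP address and sub-agent id in its header, and each flow sample carries a source_id (usually the SNMP ifIndex of the sampling port) plus input/output ifIndex values. The following is an added example, written for this page and not code from the original post or from the ntop project: a small Python parser for those header and per-sample fields, plus a helper that counts flow samples per (agent, ifIndex). Pointing it at the datagrams captured on UDP 6343 shows what the agents are actually exporting before any collector-side grouping happens. The two datagrams, their agent IPs (10.0.1.1, 10.0.2.1) and ifIndex values are constructed for the example; nothing here describes how nprobe or ntopng themselves group the data.

```python
# Added example (not from the post or the ntop project): minimal sFlow v5
# datagram parser exposing the agent/interface identifiers in each datagram.
import ipaddress
import struct
from collections import Counter

FLOW_SAMPLE = 1      # sFlow v5 "flow_sample" (enterprise 0, format 1)
COUNTER_SAMPLE = 2   # sFlow v5 "counters_sample" (enterprise 0, format 2)


def parse_sflow_datagram(data: bytes) -> dict:
    """Return the datagram header plus, for each sample, the source_id
    (type<<24 | index) and, for flow samples, the input/output ifIndex.
    Record bodies are skipped by their declared length, so the parser does
    not need to understand every flow/counter record type."""
    off = 0

    def u32():
        nonlocal off
        (v,) = struct.unpack_from("!I", data, off)
        off += 4
        return v

    version = u32()
    if version != 5:
        raise ValueError(f"unsupported sFlow version {version}")
    addr_type = u32()
    if addr_type == 1:                      # IPv4 agent address
        agent = str(ipaddress.IPv4Address(data[off:off + 4]))
        off += 4
    elif addr_type == 2:                    # IPv6 agent address
        agent = str(ipaddress.IPv6Address(data[off:off + 16]))
        off += 16
    else:
        raise ValueError(f"unknown agent address type {addr_type}")
    header = {"agent": agent, "sub_agent_id": u32(),
              "sequence": u32(), "uptime_ms": u32()}
    n_samples = u32()
    samples = []
    for _ in range(n_samples):
        sample_type = u32()
        sample_len = u32()
        body = data[off:off + sample_len]
        if len(body) != sample_len:
            raise ValueError("truncated sample")
        off += sample_len
        enterprise, fmt = sample_type >> 12, sample_type & 0xFFF
        entry = {"enterprise": enterprise, "format": fmt}
        if enterprise == 0 and fmt in (FLOW_SAMPLE, COUNTER_SAMPLE):
            seq, source_id = struct.unpack_from("!II", body, 0)
            entry["sample_seq"] = seq
            entry["source_type"] = source_id >> 24       # 0 = ifIndex
            entry["source_index"] = source_id & 0xFFFFFF
            if fmt == FLOW_SAMPLE:
                rate, _pool, _drops, inp, outp = struct.unpack_from("!5I", body, 8)
                entry.update(sampling_rate=rate, input_if=inp, output_if=outp)
        samples.append(entry)
    header["samples"] = samples
    return header


def per_agent_interface_counts(datagrams) -> Counter:
    """Count flow samples per (agent address, source ifIndex): the
    'per interface per agent' granularity, recovered from the datagrams."""
    counts = Counter()
    for dgram in datagrams:
        parsed = parse_sflow_datagram(dgram)
        for s in parsed["samples"]:
            if s["enterprise"] == 0 and s["format"] == FLOW_SAMPLE:
                counts[(parsed["agent"], s["source_index"])] += 1
    return counts


# --- constructed test datagrams (agent IPs and ifIndex values are made up) ---
def _flow_sample(seq, ifindex, rate, input_if, output_if):
    # flow_sample with zero flow_records; source_id type 0 (ifIndex)
    body = struct.pack("!8I", seq, ifindex, rate, 4096, 0, input_if, output_if, 0)
    return struct.pack("!II", FLOW_SAMPLE, len(body)) + body


def _counter_sample(seq, ifindex):
    body = struct.pack("!3I", seq, ifindex, 0)   # zero counter records
    return struct.pack("!II", COUNTER_SAMPLE, len(body)) + body


def _datagram(agent_ip, sub_agent, seq, samples):
    hdr = struct.pack("!II", 5, 1) + ipaddress.IPv4Address(agent_ip).packed
    hdr += struct.pack("!4I", sub_agent, seq, 123456, len(samples))
    return hdr + b"".join(samples)


DATAGRAM_A = _datagram("10.0.1.1", 0, 1, [   # stands in for dc-a-rtr
    _flow_sample(1, 1, 1024, 1, 2), _flow_sample(2, 1, 1024, 1, 3),
    _counter_sample(1, 1)])
DATAGRAM_B = _datagram("10.0.2.1", 0, 7, [   # stands in for dc-b-rtr
    _flow_sample(1, 2, 1024, 2, 1)])

if __name__ == "__main__":
    for d in (DATAGRAM_A, DATAGRAM_B):
        print(parse_sflow_datagram(d))
    print(per_agent_interface_counts([DATAGRAM_A, DATAGRAM_B]))
```

To run it against real traffic, feed the UDP payloads from a capture on port 6343 to parse_sflow_datagram; the agent address and source_index fields are what a collector would need to key on in order to keep dc-a-rtr and dc-b-rtr, and their port-channels, apart.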