[Ntop-misc] Using nProbe as a collector for a device equipped with multiple interfaces

Mon, 04 Apr 2016 16:22:34 -0700 

When I point a NetFlow sender at an nProbe instance, I would like to send flows 
from each interface on that device:

Nexus9396PX# show run | include sflow
feature sflow
hardware access-list tcam region sflow 256
sflow collector-ip 10.12.4.12 vrf default source 10.12.0.10
sflow agent-ip 10.12.0.10
sflow data-source interface port-channel1
sflow data-source interface port-channel2
sflow data-source interface port-channel3
sflow data-source interface port-channel16
sflow data-source interface port-channel24
sflow data-source interface port-channel28
sflow data-source interface port-channel36
[...]

In my configuration, the nProbe instance receives those flows and makes them 
available to ntopng for consumption via zmq:

/usr/local/sbin/ntopng --local-networks=10.0.0.0/8 --redis=localhost 
--aggregation 1/1/1/1/0/0 --zmq=tcp://*:5551 -i none -n none -b 0 
--collector-port=5551 --pid-file=/var/tmp/nprobe-5551.pid

But it seems to me that ntopng has no mechanism for separating those per 
interface flows:
cat /etc/ntopng/ntopng.conf
--pid-path=/var/tmp/ntopng.pid
--dns-mode=1
--interface=tcp://127.0.0.1:5551
--interface=tcp://127.0.0.1:5552
--interface=tcp://127.0.0.1:5553
--interface=tcp://127.0.0.1:5554
--interface=tcp://127.0.0.1:5561
--interface=tcp://127.0.0.1:5562
--interface=tcp://127.0.0.1:5563
--interface=tcp://127.0.0.1:5564
--interface=tcp://127.0.0.1:5565
--interface=tcp://127.0.0.1:5566
--interface=tcp://127.0.0.1:5567
--interface=tcp://127.0.0.1:5568
--interface=tcp://127.0.0.1:5569
--interface=tcp://127.0.0.1:5570
--interface=tcp://127.0.0.1:5571
--categorization-key=[...]
--daemon
--http-port=8080
--disable-login=1
--local-networks=10.0.0.0/8
--redis=localhost

So the result is an 'aggregation' of all the flows into a single view of the 
box.


?  Is this the current state-of-the-product?  Or is there a way to configure 
ntopng to display traffic on a per device interface basis?

Seems to me that:

(a)   Ntopng could be enhanced to pay attention to {device}:{source interface} 
tags in the NetFlow input stream and present this distinction in the GUI ... 
although that sounds to me like a substantial enhancement

(b)   The NetFlow sender could be enhanced to permit specifying different 
collectors for each interface, e.g.
sflow data-source interface port-channel1 collector 10.12.4.12
sflow data-source interface port-channel1 collector 10.12.4.13
sflow data-source interface port-channel1 collector 10.12.4.14
[...]
             And then I would set-up an nProbe instance at 10.12.4.12, 
10.12.4.13, 10.12.4.14 ...

(c)   Something I haven't thought of

--sk


_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc

Reply via email to