Well, my thought was I could use that as a way to debug down further.  I'd also 
like my management interface to not accept the flows - just out of pure 
configuration management.  I could always specify firewall rules - but that 
adds a level of overhead when I could just say:

from x.y.z.a/32 to any on udp/2055

Where then I would have to say...

from x.y.z.a/32 to b.c.d.e on udp/2055

So now instead of having generic rules I can run on all my collectors I have to 
have specific rules per interface on those boxes...  Just an example of why 
having that would be nice for collectors that are multihomed to an environment.  
My typical deployment will be 1 x management and 4 x dedicated sink 
interfaces.  Eventually that will change going to 10G later this year, but - 
for now...

Thanks gents!

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Luca Deri
Sent: Tuesday, August 02, 2011 7:38 AM
To: [email protected]
Subject: Re: [Ntop] Ntop & v9 Netflow

On 08/02/2011 02:29 PM, David Meier wrote:
> Interestingly enough I found out that even though the UDP listener is binding 
> to, supposedly, everything:
>
> udp        0      0 0.0.0.0:2055            0.0.0.0:*                           1174/ntop
>
> ...the particular interface I'm directing the traffic to is getting the 
> traffic (known via tcpdump), but the ntop listener is not accepting it.  Is 
> there any way to force the listener to a specific interface instead of having 
> it start on 0.0.0.0?
>
No it is not at the moment. Would you like to specify something like 
a.b.c.d:2055 where a.b.c.d is one IP address you have?

Luca

> I tried running a Netflow generator and pointed it at both my management 
> interface (i.e. ntop web / ssh) which then showed the Netflow traffic and 
> then moved it back over to the interface I want to sink the traffic towards 
> and it stops showing up.
>
> Thanks,
> --Dave
>
> -----Original Message-----
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of Gary Gatten
> Sent: Monday, August 01, 2011 4:50 PM
> To: '[email protected]'
> Subject: Re: [Ntop] Ntop & v9 Netflow
>
> Does netstat -an show a listener for netflow?  Rarely it appears like it 
> started correctly, but dies without notice.
>
> If a thread is "running" on your host for netflow, then I have no idea what 
> your prob is.  What are your startup args and any custom prefs?
>
> ----- Original Message -----
> From: David Meier [mailto:[email protected]]
> Sent: Monday, August 01, 2011 04:08 PM
> To: [email protected]<[email protected]>
> Subject: Re: [Ntop] Ntop & v9 Netflow
>
> Yes.  I'm viewing the traffic (or lack thereof) via the 'Netflow-device.x'.  
> The 'netflow statistics' state: 'No Data to Display (yet)'.
>
> I have a router pushing v5 flows to it as well - no dice.  Very odd that I 
> see the traffic via tcpdump.
>
> </stumped>
>
> -----Original Message-----
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of Gary Gatten
> Sent: Monday, August 01, 2011 3:19 PM
> To: '[email protected]'
> Subject: Re: [Ntop] Ntop & v9 Netflow
>
> I know this will sound basic, but did you "switch NIC" in the "Admin" tools 
> and select your netflow interface?
>
> What if you view the netflow statistics? Anything interesting there?
>
> When using v9 there have been some issues with templates.  Can you try v5 and 
> see if that works?
>
> G
>
>
> -----Original Message-----
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of David Meier
> Sent: Monday, August 01, 2011 3:07 PM
> To: [email protected]
> Subject: [Ntop] Ntop & v9 Netflow
>
> I'm currently trying to deploy some Ntop boxes which will ultimately be 
> Netflow v9 collectors.  I have two interfaces on each box; one is used for 
> SSH management / Ntop web interface and the other is a specialized interface 
> to act as the Netflow 'sink'.
>
> The problem I'm running into is that the netflow seems to be getting to the 
> 'sink' interface (if I tcpdump it out to pcap I see that it's Netflow v9 
> records), however nothing ever shows up in Ntop even though I have the 
> Netflow plugin configured.  I've tried turning debug on (for the plugin) but 
> I don't see any additional information in the log.
>
> Is there any better way to run the daemon to get better debug?
>
> The version I'm running is:
>
> ntop v.4.1.0 (64 bit) [x86_64-2.6.32-33-server-linux-gnu]
>
> Thanks in advance!!!
>
> _______________________________________________
> Ntop mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
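
Added example (not part of the original thread and not ntop code): the difference between the wildcard bind seen in the netstat output above and the per-address bind `a.b.c.d:2055` discussed in the reply, shown on Linux loopback. The addresses 127.0.0.1 (standing in for the management interface) and 127.0.0.2 (standing in for the sink interface), the ephemeral port and all function names are assumptions for the demo.

```python
import socket

def open_listener(bind_ip, port=0):
    """UDP listener bound to bind_ip; port 0 lets the kernel pick a free
    port for the demo (a NetFlow collector would use 2055)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((bind_ip, port))
    s.settimeout(0.5)
    return s

def delivered(listener, dst_ip, payload=b"constructed-flow-record"):
    """Send one constructed datagram to dst_ip on the listener's port and
    report whether the listener's socket actually received it."""
    port = listener.getsockname()[1]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        tx.sendto(payload, (dst_ip, port))
    try:
        data, _ = listener.recvfrom(2048)
        return data == payload
    except socket.timeout:
        return False

def compare(sink_ip="127.0.0.2", mgmt_ip="127.0.0.1"):
    """For each bind mode, record which destination addresses reach the
    listener. Assumes Linux, where all of 127.0.0.0/8 is local."""
    results = {}
    for label, bind_ip in (("wildcard", "0.0.0.0"), ("sink-only", sink_ip)):
        with open_listener(bind_ip) as listener:
            results[label] = {
                "sink": delivered(listener, sink_ip),
                "mgmt": delivered(listener, mgmt_ip),
            }
    return results

if __name__ == "__main__":
    for mode, reach in compare().items():
        print(mode, reach)
```

With the socket bound to one address the kernel drops datagrams addressed to the other local address before the application sees them, so the same generic source-only firewall rule can be used on every collector.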