My timezone was set wrong. I changed that. Seems to have fixed the issue. Thanks.
Still have the problem of not seeing top talkers for a particular host and no VLAN information. Is there any way, using the demo version of nprobe, to utilize some of the layer 7 functionality of ntopng, like the DNS queries, SIP stats or HTTP requests? Also, does anyone have any advice on Cisco timeout settings or on monitoring both ingress and egress on the WAN side in combination with ingress/egress of my VLAN interfaces? I know monitoring ingress is kind of a new thing in NetFlow?

Dan

From: [email protected] On Behalf Of Daniel Dudkin
Sent: Thursday, May 08, 2014 12:41 PM
To: [email protected]
Subject: Re: [Ntop] NtopNG woes

It is one and the same box in this case.

Daniel

From: [email protected] On Behalf Of [email protected]
Sent: Thursday, May 08, 2014 11:17 AM
To: [email protected]
Subject: Re: [Ntop] NtopNG woes

Daniel,

It is caused by a machine time issue: your nprobe machine is not in sync with the ntopng box, which makes the time duration calculation overflow. So the simplest way is to use your NTP server to correct it.

br,
kaiser

Daniel Dudkin <[email protected]> wrote on 2014/5/8 at 10:48 PM:

I did that and I'm back at the problem that caused me to add all those options myself. See screenshot #1:

[screenshot: image001.jpg]

And per my thread yesterday, I'm unable to identify with whom or what a host was talking to when viewing their history. This makes it hard to yell at people for consuming too much bandwidth.

[screenshot: image002.jpg]

Daniel Dudkin
IT Business/System Specialist // American Auto-Matrix
One Technology Lane // Export, PA 15632
www.aamatrix.com • [email protected]
Ph #: 724-733-0381

-----Original Message-----
From: [email protected] On Behalf Of Luca Deri
Sent: Wednesday, April 30, 2014 1:03 PM
To: [email protected]
Subject: Re: [Ntop] NtopNG woes

Daniel,
if you use nProbe in proxy mode, you do not need to pass all the options, as the best nProbe can do is to convert your flows. In essence

    nprobe --zmq "tcp://*:5556" -i none -n none --collector-port 2055

should be enough. Please provide screenshots that demonstrate the problem.

Thanks
Luca

On 29 Apr 2014, at 20:57, Daniel Dudkin <[email protected]> wrote:

> Hi all,
>
> Per recommendations on the mailing list, I went ahead and took the jump to ntopng + nprobe (demo). I have a Cisco 891 producing NetFlows and sending them to my nprobe collector, which then feeds ntopng with ZMQ flow. It is exporting NetFlow v9.
>
> I'm also having a hard time identifying traffic and top talkers. I'm not finding it as easy as it was with ntop. I fire off test downloads and have a hard time identifying the result as a top talker (which it most def is).
>
> Nprobe start (tried to get every flag I could in there. %PROTOCOL_MAP was removed because ntopng didn't like it):
>
>   nprobe --zmq "tcp://*:5556" -i none -n none -t 120 -d 15 -l 60 --tunnel --bi-directional \
>     -L 192.168.50.0/24,192.168.99.0/24,192.168.23.0/24,192.168.59.0/24,XX.XX.Y59.16/28 \
>     -r --collector-port 2055 -V 9 \
>     -T '%IN_PKTS %IN_BYTES %SRC_TOS %IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %FIRST_SWITCHED
>         %LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL %SRC_AS %DST_AS
>         %IPV4_SRC_MASK %IPV4_DST_MASK %OUT_BYTES %INPUT_SNMP %OUTPUT_SNMP %OUT_PKTS
>         %IN_SRC_MAC %OUT_DST_MAC %SRC_VLAN %DST_VLAN %DIRECTION %FLOW_ID %FLOW_START_SEC
>         %FLOW_END_SEC %BIFLOW_DIRECTION %FRAME_LENGTH %DHCP_CLIENT_MAC %DHCP_CLIENT_IP
>         %DHCP_CLIENT_NAME %HTTP_URL %MYSQL_USERNAME %MYSQL_DB %SMTP_MAIL_FROM %SMTP_RCPT_TO
>         %RTP_IN_JITTER %RTP_OUT_JITTER %RTP_SIP_CALL_ID %POP_USER %SIP_CALL_ID
>         %SIP_CALLING_PARTY %SIP_CALLED_PARTY %SIP_RTP_CODECS %FTP_LOGIN %FTP_PASSWORD %FLOWS
>         %CLIENT_NW_DELAY_SEC %CLIENT_NW_DELAY_USEC %SERVER_NW_DELAY_SEC %SERVER_NW_DELAY_USEC
>         %APPL_LATENCY_SEC %APPL_LATENCY_USEC %L7_PROTO %L7_PROTO_NAME' \
>     -b 2 --account-l2 --vlanid-as-iface-idx
>
> Ntopng start:
>
>   ntopng -i tcp://localhost:5556 -l -w 3000 \
>     -m 192.168.50.0/24,192.168.99.0/24,192.168.23.0/24,192.168.59.0/24,XX.XX.Y9.16/28
>
> When I fire off my test download, I expect the dashboard to show my hostname in the pretty flow table until the download stops. That is not the case.
>
> I have an easier time tracking it down in Active Flows, but the stats seem weird. For starters, VLAN tags aren't coming through. All report as 0.
>
> Second, throughput seems to be just flat out wrong. A few dozen bytes per second on a flow I'm downloading at 300-600 KB/sec? Doesn't seem right.
>
> Third, all of a sudden my Durations are listed as 136 years?!
>
> Fourth (and I just tried increasing flow timeout to try and fix this), I'd like my 2GB file download to come up as a single flow. Sometimes, when testing this even on a 100MB file, the flow will disappear and reappear with a new total counter. If I add the two flows, they equal out to be the size of the file.
>
> Fifth, since nprobe is in demo mode and supports a max of 25,000 flows, how do I make ntopng/nprobe forget about the first flows and continue rolling the window? Sort of on a FIFO basis? My main task is being able to identify top talkers within the last few hours. Not deep historical analysis or packet inspection beyond identifying the traffic.
>
> Here are some relevant lines from my Cisco config:
>
>   ip flow-capture fragment-offset
>   ip flow-capture packet-length
>   ip flow-capture ttl
>   ip flow-capture vlan-id
>   ip flow-capture icmp
>   ip flow-capture ip-id
>   ip flow-capture mac-addresses
>   ip flow-export source Vlan50
>   ip flow-export version 9
>   ip flow-export template options timeout-rate 1
>   ip flow-export template timeout-rate 1
>   ip flow-export destination 192.168.50.150 2055
>   ip flow-export destination 192.168.50.51 2055      <-- two ntop test boxes
>   ip flow-top-talkers
>    top 25
>    sort-by bytes
>
>   ip flow-cache timeout inactive 45
>   ip flow-cache timeout active 1
>
> My interfaces have "ip flow ingress" and "ip flow egress" on them (including Vlan50).
>
> Daniel
>
> _______________________________________________
> Ntop mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop
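kaiser's clock-skew explanation and the "136 years" durations in the thread, worked through as an added example; this is not code from the thread, from nprobe or from ntopng. It assumes the collector computes a flow's age as an unsigned 32-bit subtraction of seconds, and the timestamps and the two-hour offset are constructed: 2**32 seconds is about 136.1 years, which is where the figure comes from.

```python
"""Clock skew between a NetFlow exporter and the collector (constructed example)."""

UINT32_MOD = 1 << 32
SECONDS_PER_YEAR = 365.25 * 86400  # 2**32 seconds is about 136.1 of these


def naive_duration(first_seen, now):
    """Flow age as an unsigned 32-bit subtraction computes it: when the
    exporter's first_seen lies in the collector's future, the result wraps
    to just under 2**32 seconds, i.e. the "136 years" seen in the thread."""
    return (now - first_seen) % UINT32_MOD


def to_years(seconds):
    return seconds / SECONDS_PER_YEAR


def checked_duration(first_seen, now, max_skew=60):
    """Defensive variant: a start time more than max_skew seconds ahead of the
    collector's clock is reported as None (clock skew) instead of wrapping;
    a smaller offset is clamped to zero."""
    if first_seen > now + max_skew:
        return None
    return max(now - first_seen, 0)


def audit_flows(flows, now, max_skew=60):
    """Map flow id -> (naive years, checked seconds or None) so that flows whose
    timestamps come from an unsynchronised exporter stand out."""
    return {
        flow_id: (round(to_years(naive_duration(first_seen, now)), 1),
                  checked_duration(first_seen, now, max_skew))
        for flow_id, first_seen in flows
    }


# Constructed sample data: the collector's (ntopng) clock reads NOW; the exporter
# side sits two hours ahead (a wrong timezone, as in the thread), so the
# FLOW_START_SEC it exports for a flow that began 30 s ago is in the collector's future.
NOW = 1399546080            # 2014-05-08 10:48:00 UTC on the collector
EXPORTER_SKEW = 2 * 3600    # exporter clock minus collector clock, constructed
SAMPLE_FLOWS = [
    ("in-sync", NOW - 30),                   # both clocks agree
    ("skewed", NOW + EXPORTER_SKEW - 30),    # 30 s old by the exporter's clock
]

if __name__ == "__main__":
    for flow_id, (years, checked) in audit_flows(SAMPLE_FLOWS, NOW).items():
        print(f"{flow_id}: naive duration {years} years, checked {checked}")
```

Fixing the clock (NTP, correct timezone) removes the symptom at the source; the checked variant only makes the skew visible instead of reporting it as a 136-year flow.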
