Warren,
what about using different collector ports and, of course, reconfiguring your ASAs to send the traffic to the right port? Something like:

ASA #1 to port 2055
nprobe --zmq tcp://*:5556 -i none -n none --collector-port 2055

ASA #2 to port 2056
nprobe --zmq tcp://*:5557 -i none -n none --collector-port 2056

ASA #3 to port 2057
nprobe --zmq tcp://*:5558 -i none -n none --collector-port 2057

and then ntopng as you did.

Regards,
Yuri

###############################################
Yuri Francalacci - [email protected] - http://www.ntop.org
"Simplicity is the ultimate sophistication" - Leonardo da Vinci
###############################################

> On 11 Aug 2015, at 13:18, Warren Daly (OPUS) <[email protected]> wrote:
>
> Hello,
> Goal: Multiple Netflow senders sending to Nprobe and Ntop on same server.
> Ability to view traffic in each subnet, or view traffic from individual netflow sources.
>
> I would like some assistance please. I have read the user guide (ntop & nprobe).
> I have also read this thread
> http://www.gossamer-threads.com/lists/ntop/misc/38960
> and this excellent article
> http://www.ntop.org/ntopng/creating-a-hierarchical-cluster-of-ntopng-instances/
>
> This is what I have, and what I would like to achieve.
>
> Remote Network A - 192.168.0.0/24
> Netflow streams from Cisco ASA (192.168.0.254) sending to nprobe on 192.168.2.1:2055
>
> Remote Network B - 192.168.1.0/24
> Netflow streams from Cisco ASA (192.168.1.254) sending to nprobe on 192.168.2.1:2055
>
> Local Network C - 192.168.2.0/24
> Netflow streams from Cisco ASA (192.168.2.254) sending to nprobe on 192.168.2.1:2055
>
> The server 192.168.2.1 runs both nprobe and ntopng.
>
> I would like to check on traffic in each subnet. So I want to check which nodes are doing what in each subnet.
> I don't want all the traffic mixed together.
>
> This is what I have tried.
>
> Start ntopng using
> -i=tcp://127.0.0.1:5556
> -i=tcp://127.0.0.1:5557
> -i=tcp://127.0.0.1:5558
>
> I try to start multiple nprobes to listen on port 2055. But I need to filter traffic so I tried
>
> nprobe -f src ip 192.168.0.254 --zmq tcp://*:5556 -i none -n none --collector-port 2055 -b 2
> But you can't use BPF filtering as a collector...
>
> If I use this
> nprobe --zmq tcp://*:5556 -i eth1 -n none --collector-port 2055 -b 2
> This shows all traffic in all the netflows... if I select the interface *5556 in ntop it shows me all traffic....
>
> I also tried this
> nprobe --zmq tcp://*:5556 -i none -n none --collector-port 2055 -b 2
> but this will *not* show any incoming netflows being decoded on port 2055. A tcpdump shows they are arriving.
>
> So I decided to change the ports of each netflow stream to make it easier for nprobe.
>
> Remote Network A - 192.168.0.0/24
> Netflow streams from Cisco ASA (192.168.0.254) sending to nprobe on 192.168.2.1:2055
>
> Remote Network B - 192.168.1.0/24
> Netflow streams from Cisco ASA (192.168.1.254) sending to nprobe on 192.168.2.1:2056
>
> Local Network C - 192.168.2.0/24
> Netflow streams from Cisco ASA (192.168.2.254) sending to nprobe on 192.168.2.1:2057
>
> But again if I do this
> nprobe --zmq tcp://*:5556 -i eth1 -n none --collector-port 2055 -b 2
> nprobe --zmq tcp://*:5557 -i eth1 -n none --collector-port 2056 -b 2
> nprobe --zmq tcp://*:5558 -i eth1 -n none --collector-port 2057 -b 2
>
> no matter which interface I select on the ntopng interface I see all traffic aggregated. I can't view the traffic from just one nprobe instance.
> e.g. if I select *5556 interface in ntopng, I should only see traffic in the 192.168.0.0 subnet, but I see all traffic.
> e.g. if I select *5557 interface in ntopng, I should only see traffic in the 192.168.1.0 subnet, but I see all traffic.
> e.g. if I select *5558 interface in ntopng, I should only see traffic in the 192.168.2.0 subnet, but I see all traffic.
>
> I'm obviously doing something silly. Any assistance is greatly appreciated. I am about to purchase a pro license, and an nprobe license, I just want to show management this works before proceeding.
>
> Best Regards,
> Warren
>
> _______________________________________________
> Ntop mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop
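
An added example, not part of the original message or of ntop's code: a check that each collector port in the reply above receives NetFlow only from its intended ASA. It assumes the ASAs export NetFlow v9 and that the (source IP, destination port, UDP payload) tuples were extracted from a packet capture on the collector; the function names and sample datagrams are constructed for illustration.

```python
import struct
from collections import defaultdict

# Plan from the thread: exporter (ASA) IP -> nprobe collector UDP port.
PLAN = {"192.168.0.254": 2055, "192.168.1.254": 2056, "192.168.2.254": 2057}

# NetFlow v9 packet header: version, count, sysUptime, unix_secs, sequence, source_id
V9_HEADER = struct.Struct("!HHIIII")

def parse_v9_header(payload):
    """Return (count, sequence, source_id), or None if this is not NetFlow v9."""
    if len(payload) < V9_HEADER.size:
        return None
    version, count, _up, _secs, seq, source_id = V9_HEADER.unpack_from(payload)
    return (count, seq, source_id) if version == 9 else None

def audit(datagrams, plan=PLAN):
    """datagrams: (src_ip, dst_port, udp_payload) tuples taken from a capture.
    Returns a list of findings; an empty list means the streams are separated."""
    expected = {port: ip for ip, port in plan.items()}
    seen, findings = defaultdict(set), []
    for src, dport, payload in datagrams:
        if parse_v9_header(payload) is None:
            findings.append(f"{src} -> {dport}: not a NetFlow v9 datagram")
        else:
            seen[dport].add(src)
    for dport in sorted(seen):
        for src in sorted(seen[dport] - {expected.get(dport)}):
            findings.append(f"port {dport}: unexpected exporter {src}")
    for ip, port in sorted(plan.items()):
        if ip not in seen.get(port, ()):
            findings.append(f"port {port}: no flows from {ip}")
    return findings

def v9(seq):
    """Constructed header-only datagram used as sample input."""
    return V9_HEADER.pack(9, 0, 1000, 1439295480, seq, 0)

# Constructed sample: ASA #2 was never moved off the shared port 2055.
SAMPLE = [
    ("192.168.0.254", 2055, v9(1)),
    ("192.168.1.254", 2055, v9(1)),
    ("192.168.2.254", 2057, v9(1)),
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```
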
