Right now, I just want to see how NetFlow packets are received by ntopng. I think I would need collector mode once I'm in a prod environment? Thanks

On 8/25/15, asad <[email protected]> wrote:
> Thanks Yuri, that was a bad mistake. I mixed two options.
>
> With this cmd "probe /c --zmq "tcp://*:5556" -i smallFlows.pcap" I got
> it working and the output is different this time.
>
> "Flow export stats: [9007321 bytes/14243 pkts][1209 flows/41 pkts sent]
> Flow drop stats: [0 bytes/0 pkts][0 flows]
> Total flow stats: [9007321 bytes/14243 pkts][1209 flows/41 pkts sent]"
>
> Locating on GUI is problem? Is it pcap file problem or where the
> exported packets are logged.
> thanks
>
> On 8/25/15, Yuri Francalacci <[email protected]> wrote:
>> Do you need collector mode in nprobe? If not, you have to remove all the
>> -3 option (that you have specified with the wrong syntax - check
>> nprobe --help)
>> Yuri
>> ###############################################
>> Yuri Francalacci - [email protected] - http://www.ntop.org
>> "Simplicity is the ultimate sophistication" - Leonardo da Vinci
>> ###############################################
>>
>>> On 25 Aug 2015, at 12:47, asad <[email protected]> wrote:
>>>
>>> Thanks a lot Yuri.
>>>
>>> I changed to "nprobe /c --zmq "tcp://*:5556" -i smallFlows.pcap -n none -3 port 2055".
>>>
>>> But the output is the same
>>>
>>> "
>>> 25/Aug/2015 15:46:03 [nprobe.c:2402] Processed packets: 14261 (max bucket search: 1)
>>> 25/Aug/2015 15:46:03 [nprobe.c:2385] Fragment queue length: 0
>>> 25/Aug/2015 15:46:03 [nprobe.c:2411] Flow export stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
>>> 25/Aug/2015 15:46:03 [nprobe.c:2421] Flow drop stats: [0 bytes/0 pkts][0 flows]
>>> 25/Aug/2015 15:46:03 [nprobe.c:2426] Total flow stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
>>>
>>> "
>>> regards
>>>
>>> On 8/25/15, Yuri Francalacci <[email protected]> wrote:
>>>> to use ntopng as a graphical frontend for nprobe the way you started
>>>> ntopng is almost fine
>>>> For nprobe is enough
>>>>> nprobe /c --zmq "tcp://*:5556" -n none
>>>> then you have to decide what you would like to use to “feed” nprobe
>>>> - using a pcap file, you need to add -i <pcap file> and remove all the
>>>>   other stuff
>>>> - using nprobe in collector mode, you have to add -i none and -3 <port>
>>>>   and send Netflow (not raw packets) data to that port
>>>>
>>>> Yuri
>>>> ###############################################
>>>> Yuri Francalacci - [email protected] - http://www.ntop.org
>>>> "Simplicity is the ultimate sophistication" - Leonardo da Vinci
>>>> ###############################################
>>>>
>>>>> On 25 Aug 2015, at 11:59, asad <[email protected]> wrote:
>>>>>
>>>>> To update,
>>>>>
>>>>> "ntopng /c -i tcp://127.0.0.1:5556"
>>>>>
>>>>> and
>>>>>
>>>>> "nprobe /c --zmq "tcp://*:5556" -u 5 -i none zeus-sample-3.pcap -n none -nf --collector-port 2055:5 -V9 -b 2'
>>>>>
>>>>> both are running but output is
>>>>>
>>>>> "25/Aug/2015 14:59:54 [nprobe.c:4659] Pending buckets have been exported...
>>>>> 25/Aug/2015 14:59:56 [engine.c:3293] Export thread terminated [exportQueue=0]
>>>>> 25/Aug/2015 14:59:56 [nprobe.c:4725] Flushing queued flows...
>>>>> 25/Aug/2015 14:59:56 [nprobe.c:4728] Freeing memory...
>>>>> 25/Aug/2015 14:59:56 [plugin.c:277] Terminating plugins.
>>>>> 25/Aug/2015 14:59:56 [nprobe.c:4820] Still allocated 0 hash buckets
>>>>> 25/Aug/2015 14:59:56 [nprobe.c:2402] Processed packets: 1105 (max bucket search: 0)
>>>>> 25/Aug/2015 14:59:56 [nprobe.c:2385] Fragment queue length: 0
>>>>> 25/Aug/2015 14:59:56 [nprobe.c:2411] Flow export stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
>>>>> 25/Aug/2015 14:59:56 [nprobe.c:2418] Flow collection: [collected pkts: 0][processed flows: 0]
>>>>> 25/Aug/2015 14:59:56 [nprobe.c:2421] Flow drop stats: [0 bytes/0 pkts][0 flows]
>>>>> 25/Aug/2015 14:59:56 [nprobe.c:2426] Total flow stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
>>>>> 25/Aug/2015 14:59:56 [nprobe.c:4833] Cleaning globals
>>>>> 25/Aug/2015 14:59:56 [nprobe.c:4853] nProbe terminated."
>>>>>
>>>>>
>>>>> What am I doing wrong?
>>>>>
>>>>> regards
>>>>> asad
>>>>>
>>>>> On 8/25/15, asad <[email protected]> wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I'm running "ntopng" on Windows and want to point netflows data
>>>>>> directly. I see on "netstat" command that port 2055 is put in
>>>>>> established status.
>>>>>>
>>>>>> Nprobe is also installed. I want to use nprobe to send pcap files to
>>>>>> port 2055 for parsing. I see the nprobe change/re-write the headers
>>>>>> info when sending netflows data. Is there any way to avoid it?
>>>>>>
>>>>>> Also, if I want to use nprobe as a proxy collector, do the cmds
>>>>>> work in Windows as well? I tried and it gives an error
>>>>>>
>>>>>> "
>>>>>> nprobe --zmq "tcp://*:5556" -i .....
>>>>>> ntopng -i "tcp://127.0.0.1:5556"
>>>>>>
>>>>>>
>>>>>> "
>>>>>>
>>>>>> Thanks.
>>>>>> regards
>>>>>> asad
>>>>>>
>>>>> _______________________________________________
>>>>> Ntop mailing list
>>>>> [email protected]
>>>>> http://listgateway.unipi.it/mailman/listinfo/ntop
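
The thread distinguishes feeding nprobe a pcap file from collector mode, where the port must receive NetFlow export datagrams rather than raw packets. As an added example (not code from the thread or from ntop), the sketch below builds and decodes a NetFlow v5 datagram so the difference is visible on the wire. It assumes the collector accepts NetFlow v5; the function names are hypothetical, the flows are constructed, and 127.0.0.1:2055 is the local port mentioned in the thread.

```python
import socket
import struct
import time

# NetFlow v5 wire layout (big-endian): 24-byte header + 48-byte flow records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def build_v5(flows, uptime_ms=60000, seq=0, now=None):
    """Pack flow dicts into one NetFlow v5 export datagram."""
    now = time.time() if now is None else now
    secs, nsecs = int(now), int((now - int(now)) * 1e9)
    out = [HEADER.pack(5, len(flows), uptime_ms, secs, nsecs, seq, 0, 0, 0)]
    for f in flows:
        out.append(RECORD.pack(
            socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]),
            socket.inet_aton("0.0.0.0"), 0, 0,           # nexthop, in/out ifindex
            f["pkts"], f["bytes"], uptime_ms - 1000, uptime_ms,
            f["sport"], f["dport"], 0, f.get("tcp_flags", 0), f["proto"], 0,
            0, 0, 0, 0, 0))                               # AS numbers, masks, pad
    return b"".join(out)

def parse_v5(datagram):
    """Decode a datagram as a collector would; reject anything that is not v5."""
    if len(datagram) < HEADER.size:
        raise ValueError("too short for a NetFlow v5 header")
    version, count = struct.unpack_from("!HH", datagram)
    if version != 5 or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("not a well-formed NetFlow v5 datagram")
    flows = []
    for i in range(count):
        r = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                      "pkts": r[5], "bytes": r[6], "sport": r[9], "dport": r[10],
                      "tcp_flags": r[12], "proto": r[13]})
    return flows

# Constructed sample flows (documentation address ranges, not real traffic).
SAMPLE = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "sport": 51515, "dport": 443,
     "proto": 6, "pkts": 12, "bytes": 4096, "tcp_flags": 0x1B},
    {"src": "192.0.2.11", "dst": "198.51.100.53", "sport": 40000, "dport": 53,
     "proto": 17, "pkts": 1, "bytes": 76},
]

def send_to_collector(host="127.0.0.1", port=2055):
    """Send the sample datagram over UDP to a collector port (assumed local)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(build_v5(SAMPLE), (host, port))
```

Bytes that are not an export datagram, such as a raw frame replayed from a pcap, fail the version and length check in `parse_v5`.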
