Sorry for the confusion; the problem is that I'm not seeing packets displayed on the UI. Does nprobe rewrite header info? E.g., in search I cannot see packets that are seen when opening the pcap file alone. Where do they go?
Thanks.

On Tue, Aug 25, 2015 at 5:55 PM, Yuri Francalacci <[email protected]> wrote:

> nprobe “converts” packets into netflow. I do not understand why you need this separate tool.
> Once you have started nprobe, then you have just to access to the ntopng web interface and see what nprobe has reported to it.
>
> Yuri
> ###############################################
> Yuri Francalacci - [email protected] - http://www.ntop.org
> "Simplicity is the ultimate sophistication" - Leonardo da Vinci
> ###############################################
>
> On 25 Aug 2015, at 13:14, asad <[email protected]> wrote:
>
> Also, do I need a separate tool for pcap to netflows conversion or do the switches described in the cmd above automatically do the conversion for you.
>
> regards
> asad
>
> On 8/25/15, asad <[email protected]> wrote:
>
> Right now, I just want to see how netflows packets are received by ntopng, I think I would need collector mode once I'm in prod environment? Thanks
>
> On 8/25/15, asad <[email protected]> wrote:
>
> Thanks Yuri, that was a bad mistake. I mixed two options.
>
> With this cmd "probe /c --zmq "tcp://*:5556" -i smallFlows.pcap" I got it working and the output is different this time.
>
> "Flow export stats: [9007321 bytes/14243 pkts][1209 flows/41 pkts sent]
> Flow drop stats: [0 bytes/0 pkts][0 flows]
> Total flow stats: [9007321 bytes/14243 pkts][1209 flows/41 pkts sent]"
>
> Locating on GUI is problem? Is it pcap file problem or where the exported packets are logged.
> thanks
>
> On 8/25/15, Yuri Francalacci <[email protected]> wrote:
>
> Do you need collector mode in nprobe?
> if not, you have to remove all the -3 option (that you have specified with the wrong syntax - check nprobe --help)
>
> Yuri
> ###############################################
> Yuri Francalacci - [email protected] - http://www.ntop.org
> "Simplicity is the ultimate sophistication" - Leonardo da Vinci
> ###############################################
>
> On 25 Aug 2015, at 12:47, asad <[email protected]> wrote:
>
> Thanks a lot Yuri.
>
> I changed to "nprobe /c --zmq "tcp://*:5556" -i smallFlows.pcap -n none -3 port 2055".
>
> But the output is same
>
> "
> 25/Aug/2015 15:46:03 [nprobe.c:2402] Processed packets: 14261 (max bucket search: 1)
> 25/Aug/2015 15:46:03 [nprobe.c:2385] Fragment queue length: 0
> 25/Aug/2015 15:46:03 [nprobe.c:2411] Flow export stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
> 25/Aug/2015 15:46:03 [nprobe.c:2421] Flow drop stats: [0 bytes/0 pkts][0 flows]
> 25/Aug/2015 15:46:03 [nprobe.c:2426] Total flow stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
> "
> regards
>
> On 8/25/15, Yuri Francalacci <[email protected]> wrote:
>
> to use ntopng as a graphical frontend for nprobe the way you started ntopng is almost fine
> For nprobe is enough
>
> nprobe /c --zmq "tcp://*:5556" -n none
>
> then you have to decide what you would like to use to “feed” nprobe
> - using a pcap file, you need to add -i <pcap file> and remove all the other stuff
> - using nprobe in collector mode, you have to add -i none and -3 <port> and send Netflow (not raw packets) data to that port
>
> Yuri
> ###############################################
> Yuri Francalacci - [email protected] - http://www.ntop.org
> "Simplicity is the ultimate sophistication" - Leonardo da Vinci
> ###############################################
>
> On 25 Aug 2015, at 11:59, asad <[email protected]> wrote:
>
> To update,
>
> "ntopng /c -i tcp://127.0.0.1:5556"
>
> and
>
> "nprobe /c --zmq "tcp://*:5556" -u 5 -i none zeus-sample-3.pcap -n none -nf --collector-port 2055:5 -V9 -b 2'
>
> both are running but output is
>
> "25/Aug/2015 14:59:54 [nprobe.c:4659] Pending buckets have been exported...
> 25/Aug/2015 14:59:56 [engine.c:3293] Export thread terminated [exportQueue=0]
> 25/Aug/2015 14:59:56 [nprobe.c:4725] Flushing queued flows...
> 25/Aug/2015 14:59:56 [nprobe.c:4728] Freeing memory...
> 25/Aug/2015 14:59:56 [plugin.c:277] Terminating plugins.
> 25/Aug/2015 14:59:56 [nprobe.c:4820] Still allocated 0 hash buckets
> 25/Aug/2015 14:59:56 [nprobe.c:2402] Processed packets: 1105 (max bucket search: 0)
> 25/Aug/2015 14:59:56 [nprobe.c:2385] Fragment queue length: 0
> 25/Aug/2015 14:59:56 [nprobe.c:2411] Flow export stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
> 25/Aug/2015 14:59:56 [nprobe.c:2418] Flow collection: [collected pkts: 0][processed flows: 0]
> 25/Aug/2015 14:59:56 [nprobe.c:2421] Flow drop stats: [0 bytes/0 pkts][0 flows]
> 25/Aug/2015 14:59:56 [nprobe.c:2426] Total flow stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
> 25/Aug/2015 14:59:56 [nprobe.c:4833] Cleaning globals
> 25/Aug/2015 14:59:56 [nprobe.c:4853] nProbe terminated."
>
> What am I doing wrong?
>
> regards
> asad
>
> On 8/25/15, asad <[email protected]> wrote:
>
> Hello,
>
> I'm running "ntopng" on windows and want to point netflows data directly. I see on "netstat" command that port 2055 is put in established status.
>
> Nprobe is also installed. I want to use nprobe to send pcap files to port 2055 for parsing. I see the nprobe change /re-write the headers info when sending netflows data. Is there any way to avoid it?
>
> Also, if I want to use nprobe as a proxy collector, do the cmds work in windows as well. I tried and it gives error
>
> "
> nprobe --zmq "tcp://*:5556" -i .....
> ntopng -i "tcp://127.0.0.1:5556"
> "
>
> Thanks.
> regards
> asad
>
> _______________________________________________
> Ntop mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop
_______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
