Yuri, on your last post, I was referring to header info (srcip etc.) which was not located on the UI. When I made it work, I could search the IP exactly as shown in the pcap files.

Also, only layer 5 to layer 7 info should be discarded. Header info should remain intact?

regards
asad

On Tue, Aug 25, 2015 at 6:44 PM, asad <[email protected]> wrote:
> Yuri, your writing gives me confidence to do a fresh install of both ntopng
> and nprobe. I followed the same steps and it worked :).
>
> On my office machine, I was restarting/starting ntopng from the
> Windows service tab. This time, I started it using the command line.
>
> Or what about local-fw, does it have to be turned off?
>
> Does ordering matter? Thanks.
>
> On Tue, Aug 25, 2015 at 6:05 PM, asad <[email protected]> wrote:
>
>> Sorry for the confusion; the problem is that I'm not seeing packets displayed on the
>> UI. Does nprobe re-write header info? For e.g. in search I cannot see packets
>> that are seen when opening the pcap file alone. Where do they go?
>>
>> Thanks.
>>
>> On Tue, Aug 25, 2015 at 5:55 PM, Yuri Francalacci <[email protected]> wrote:
>>
>>> nprobe "converts" packets into netflow. I do not understand why you need
>>> this separate tool.
>>> Once you have started nprobe, then you just have to access the ntopng
>>> web interface and see what nprobe has reported to it.
>>> Yuri
>>> ###############################################
>>> Yuri Francalacci - [email protected] - http://www.ntop.org
>>> "Simplicity is the ultimate sophistication" - Leonardo da Vinci
>>> ###############################################
>>>
>>> On 25 Aug 2015, at 13:14, asad <[email protected]> wrote:
>>>
>>> Also, do I need a separate tool for pcap to netflow conversion, or do the
>>> switches described in the cmd above automatically do the conversion
>>> for you?
>>>
>>> regards
>>> asad
>>>
>>> On 8/25/15, asad <[email protected]> wrote:
>>>
>>> Right now, I just want to see how netflow packets are received by
>>> ntopng. I think I would need collector mode once I'm in a prod
>>> environment? Thanks
>>>
>>> On 8/25/15, asad <[email protected]> wrote:
>>>
>>> Thanks Yuri, that was a bad mistake. I mixed two options.
>>>
>>> With this cmd "nprobe /c --zmq "tcp://*:5556" -i smallFlows.pcap" I got
>>> it working and the output is different this time.
>>>
>>> "Flow export stats: [9007321 bytes/14243 pkts][1209 flows/41 pkts sent]
>>> Flow drop stats: [0 bytes/0 pkts][0 flows]
>>> Total flow stats: [9007321 bytes/14243 pkts][1209 flows/41 pkts sent]"
>>>
>>> Locating it on the GUI is the problem? Is it a pcap file problem, or where are the
>>> exported packets logged?
>>> thanks
>>>
>>> On 8/25/15, Yuri Francalacci <[email protected]> wrote:
>>>
>>> Do you need collector mode in nprobe? If not, you have to remove all the -3
>>> option (that you have specified with the wrong syntax - check nprobe --help)
>>> Yuri
>>> ###############################################
>>> Yuri Francalacci - [email protected] - http://www.ntop.org
>>> "Simplicity is the ultimate sophistication" - Leonardo da Vinci
>>> ###############################################
>>>
>>> On 25 Aug 2015, at 12:47, asad <[email protected]> wrote:
>>>
>>> Thanks a lot Yuri.
>>>
>>> I changed to "nprobe /c --zmq "tcp://*:5556" -i smallFlows.pcap -n none -3 port 2055".
>>>
>>> But the output is the same
>>>
>>> "
>>> 25/Aug/2015 15:46:03 [nprobe.c:2402] Processed packets: 14261 (max bucket search: 1)
>>> 25/Aug/2015 15:46:03 [nprobe.c:2385] Fragment queue length: 0
>>> 25/Aug/2015 15:46:03 [nprobe.c:2411] Flow export stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
>>> 25/Aug/2015 15:46:03 [nprobe.c:2421] Flow drop stats: [0 bytes/0 pkts][0 flows]
>>> 25/Aug/2015 15:46:03 [nprobe.c:2426] Total flow stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
>>> "
>>> regards
>>>
>>> On 8/25/15, Yuri Francalacci <[email protected]> wrote:
>>>
>>> To use ntopng as a graphical frontend for nprobe, the way you started ntopng
>>> is almost fine.
>>> For nprobe it is enough:
>>>
>>> nprobe /c --zmq "tcp://*:5556" -n none
>>>
>>> then you have to decide what you would like to use to "feed" nprobe
>>> - using a pcap file, you need to add -i <pcap file> and remove all the other stuff
>>> - using nprobe in collector mode, you have to add -i none and -3 <port> and
>>> send Netflow (not raw packets) data to that port
>>>
>>> Yuri
>>> ###############################################
>>> Yuri Francalacci - [email protected] - http://www.ntop.org
>>> "Simplicity is the ultimate sophistication" - Leonardo da Vinci
>>> ###############################################
>>>
>>> On 25 Aug 2015, at 11:59, asad <[email protected]> wrote:
>>>
>>> To update,
>>>
>>> "ntopng /c -i tcp://127.0.0.1:5556"
>>>
>>> and
>>>
>>> "nprobe /c --zmq "tcp://*:5556" -u 5 -i none zeus-sample-3.pcap -n none -nf --collector-port 2055:5 -V9 -b 2'
>>>
>>> both are running but the output is
>>>
>>> "25/Aug/2015 14:59:54 [nprobe.c:4659] Pending buckets have been exported...
>>> 25/Aug/2015 14:59:56 [engine.c:3293] Export thread terminated [exportQueue=0]
>>> 25/Aug/2015 14:59:56 [nprobe.c:4725] Flushing queued flows...
>>> 25/Aug/2015 14:59:56 [nprobe.c:4728] Freeing memory...
>>> 25/Aug/2015 14:59:56 [plugin.c:277] Terminating plugins.
>>> 25/Aug/2015 14:59:56 [nprobe.c:4820] Still allocated 0 hash buckets
>>> 25/Aug/2015 14:59:56 [nprobe.c:2402] Processed packets: 1105 (max bucket search: 0)
>>> 25/Aug/2015 14:59:56 [nprobe.c:2385] Fragment queue length: 0
>>> 25/Aug/2015 14:59:56 [nprobe.c:2411] Flow export stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
>>> 25/Aug/2015 14:59:56 [nprobe.c:2418] Flow collection: [collected pkts: 0][processed flows: 0]
>>> 25/Aug/2015 14:59:56 [nprobe.c:2421] Flow drop stats: [0 bytes/0 pkts][0 flows]
>>> 25/Aug/2015 14:59:56 [nprobe.c:2426] Total flow stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
>>> 25/Aug/2015 14:59:56 [nprobe.c:4833] Cleaning globals
>>> 25/Aug/2015 14:59:56 [nprobe.c:4853] nProbe terminated."
>>>
>>> What am I doing wrong?
>>>
>>> regards
>>> asad
>>>
>>> On 8/25/15, asad <[email protected]> wrote:
>>>
>>> Hello,
>>>
>>> I'm running "ntopng" on Windows and want to point netflow data to it
>>> directly. I see on the "netstat" command that port 2055 is put in
>>> established status.
>>>
>>> Nprobe is also installed. I want to use nprobe to send pcap files to
>>> port 2055 for parsing. I see that nprobe changes/re-writes the header
>>> info when sending netflow data. Is there any way to avoid it?
>>>
>>> Also, if I want to use nprobe as a proxy collector, do the cmds work
>>> in Windows as well? I tried and it gives an error
>>>
>>> "
>>> nprobe --zmq "tcp://*:5556" -i .....
>>> ntopng -i "tcp://127.0.0.1:5556"
>>> "
>>>
>>> Thanks.
>>> regards
>>> asad

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
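To illustrate Yuri's point that nprobe "converts" packets into NetFlow rather than re-writing them (header fields such as srcip survive as flow keys, while layer 5 to 7 payload is discarded), here is an added Python sketch of packet-to-flow aggregation. It is not nprobe's code and the packets are constructed; it follows NetFlow's unidirectional-flow convention, so each direction of a TCP connection becomes its own record, which is why a UI search by address finds flows, not the original packets.

```python
from collections import namedtuple
from dataclasses import dataclass

# Constructed sample "packets" (not from the thread's pcap files): the header
# fields a probe keys on, plus a payload that never reaches the flow record.
Packet = namedtuple("Packet", "ts src sport dst dport proto length payload")

SAMPLE_PACKETS = [
    Packet(1.00, "10.0.0.5", 51000, "93.184.216.34", 80, "tcp", 60, b"GET / HTTP/1.1"),
    Packet(1.01, "93.184.216.34", 80, "10.0.0.5", 51000, "tcp", 1200, b"HTTP/1.1 200 OK"),
    Packet(1.02, "10.0.0.5", 51000, "93.184.216.34", 80, "tcp", 1500, b"...body..."),
    Packet(1.50, "10.0.0.5", 53412, "10.0.0.1", 53, "udp", 74, b"\x12\x34\x01\x00"),
]


@dataclass
class Flow:
    # Only layer 3/4 header fields and counters: no payload attribute exists.
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    pkts: int = 0
    octets: int = 0
    first: float = 0.0
    last: float = 0.0


def packets_to_flows(packets):
    """Aggregate packets into unidirectional flows keyed by the 5-tuple.
    Header fields are copied verbatim; payload bytes are dropped."""
    flows = {}
    for p in packets:
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        f = flows.get(key)
        if f is None:
            f = flows[key] = Flow(*key, first=p.ts)
        f.pkts += 1
        f.octets += p.length
        f.last = p.ts
    return list(flows.values())


def flows_for_ip(flows, ip):
    """What a UI search for an address sees: flow records with that src or dst."""
    return [f for f in flows if ip in (f.src, f.dst)]


def export_stats(flows):
    """Same shape as the 'Flow export stats: [bytes/pkts][flows]' line nprobe prints."""
    return {"bytes": sum(f.octets for f in flows),
            "pkts": sum(f.pkts for f in flows), "flows": len(flows)}
```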
