each flow will have the original src/dst ip/port

###############################################
Yuri Francalacci - [email protected] - http://www.ntop.org
"Simplicity is the ultimate sophistication" - Leonardo da Vinci
###############################################
> On 25 Aug 2015, at 15:46, asad <[email protected]> wrote:
>
> Yuri, on your last post, I was referring to header info (srcip etc) which
> were not located on the UI. When I made it work, I could search the IP exactly
> as shown in pcap files.
>
> Also, only layer 5 to layer 7 info should be discarded. Headers info should
> remain intact?
>
> regards
> asad
>
> On Tue, Aug 25, 2015 at 6:44 PM, asad <[email protected]> wrote:
> Yuri, your writing gives me confidence to do a fresh install of both ntopng and
> nprobe. I followed the same steps and it worked :).
>
> In my office machine, I was restarting/starting ntopng from the windows
> service tab. This time, I started it using the command line.
>
> Or what about local-fw, does it have to be turned off?
>
> Does ordering matter? Thanks.
>
> On Tue, Aug 25, 2015 at 6:05 PM, asad <[email protected]> wrote:
> Sorry for the confusion, the problem is that I'm not seeing packets displayed on the UI.
> Does nprobe re-write the header info? For e.g. in search I cannot see packets that
> are seen when opening the pcap file alone. Where do they go?
>
> Thanks.
>
> On Tue, Aug 25, 2015 at 5:55 PM, Yuri Francalacci <[email protected]> wrote:
> nprobe "converts" packets into netflow. I do not understand why you need this
> separate tool.
> Once you have started nprobe, then you just have to access the ntopng web
> interface and see what nprobe has reported to it.
>
> Yuri
> ###############################################
> Yuri Francalacci - [email protected] - http://www.ntop.org
> "Simplicity is the ultimate sophistication" - Leonardo da Vinci
> ###############################################
>
>> On 25 Aug 2015, at 13:14, asad <[email protected]> wrote:
>>
>> Also, do I need a separate tool for pcap to netflows conversion, or do the
>> switches described in the cmd above automatically do the conversion
>> for you?
>>
>> regards
>> asad
>>
>> On 8/25/15, asad <[email protected]> wrote:
>>> Right now, I just want to see how netflows packets are received by
>>> ntopng. I think I would need collector mode once I'm in the prod
>>> environment? Thanks
>>>
>>> On 8/25/15, asad <[email protected]> wrote:
>>>> Thanks Yuri, that was a bad mistake. I mixed two options.
>>>>
>>>> With this cmd "nprobe /c --zmq "tcp://*:5556" -i smallFlows.pcap" I got
>>>> it working and the output is different this time.
>>>>
>>>> "Flow export stats: [9007321 bytes/14243 pkts][1209 flows/41 pkts sent]
>>>> Flow drop stats: [0 bytes/0 pkts][0 flows]
>>>> Total flow stats: [9007321 bytes/14243 pkts][1209 flows/41 pkts sent]"
>>>>
>>>> Locating it on the GUI is the problem. Is it a pcap file problem, or where are the
>>>> exported packets logged?
>>>> thanks
>>>>
>>>> On 8/25/15, Yuri Francalacci <[email protected]> wrote:
>>>>> Do you need collector mode in nprobe? If not, you have to remove all the
>>>>> -3 option (that you have specified with the wrong syntax - check nprobe
>>>>> --help)
>>>>> Yuri
>>>>> ###############################################
>>>>> Yuri Francalacci - [email protected] - http://www.ntop.org
>>>>> "Simplicity is the ultimate sophistication" - Leonardo da Vinci
>>>>> ###############################################
>>>>>
>>>>>> On 25 Aug 2015, at 12:47, asad <[email protected]> wrote:
>>>>>>
>>>>>> Thanks a lot Yuri.
>>>>>>
>>>>>> I changed to "nprobe /c --zmq "tcp://*:5556" -i smallFlows.pcap -n
>>>>>> none -3 port 2055".
>>>>>>
>>>>>> But the output is the same
>>>>>>
>>>>>> "
>>>>>> 25/Aug/2015 15:46:03 [nprobe.c:2402] Processed packets: 14261 (max bucket search: 1)
>>>>>> 25/Aug/2015 15:46:03 [nprobe.c:2385] Fragment queue length: 0
>>>>>> 25/Aug/2015 15:46:03 [nprobe.c:2411] Flow export stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
>>>>>> 25/Aug/2015 15:46:03 [nprobe.c:2421] Flow drop stats: [0 bytes/0 pkts][0 flows]
>>>>>> 25/Aug/2015 15:46:03 [nprobe.c:2426] Total flow stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
>>>>>> "
>>>>>> regards
>>>>>>
>>>>>> On 8/25/15, Yuri Francalacci <[email protected]> wrote:
>>>>>>> to use ntopng as a graphical frontend for nprobe, the way you started
>>>>>>> ntopng is almost fine
>>>>>>> For nprobe it is enough
>>>>>>>> nprobe /c --zmq "tcp://*:5556" -n none
>>>>>>> then you have to decide what you would like to use to "feed" nprobe
>>>>>>> - using a pcap file, you need to add -i <pcap file> and remove all the
>>>>>>> other stuff
>>>>>>> - using nprobe in collector mode, you have to add -i none and -3 <port>
>>>>>>> and send Netflow (not raw packets) data to that port
>>>>>>>
>>>>>>> Yuri
>>>>>>> ###############################################
>>>>>>> Yuri Francalacci - [email protected] - http://www.ntop.org
>>>>>>> "Simplicity is the ultimate sophistication" - Leonardo da Vinci
>>>>>>> ###############################################
>>>>>>>
>>>>>>>> On 25 Aug 2015, at 11:59, asad <[email protected]> wrote:
>>>>>>>>
>>>>>>>> To update,
>>>>>>>>
>>>>>>>> "ntopng /c -i tcp://127.0.0.1:5556"
>>>>>>>>
>>>>>>>> and
>>>>>>>>
>>>>>>>> "nprobe /c --zmq "tcp://*:5556" -u 5 -i none zeus-sample-3.pcap -n
>>>>>>>> none -nf --collector-port 2055:5 -V9 -b 2"
>>>>>>>>
>>>>>>>> both are running but the output is
>>>>>>>>
>>>>>>>> "25/Aug/2015 14:59:54 [nprobe.c:4659] Pending buckets have been exported...
>>>>>>>> 25/Aug/2015 14:59:56 [engine.c:3293] Export thread terminated [exportQueue=0]
>>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:4725] Flushing queued flows...
>>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:4728] Freeing memory...
>>>>>>>> 25/Aug/2015 14:59:56 [plugin.c:277] Terminating plugins.
>>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:4820] Still allocated 0 hash buckets
>>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:2402] Processed packets: 1105 (max bucket search: 0)
>>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:2385] Fragment queue length: 0
>>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:2411] Flow export stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
>>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:2418] Flow collection: [collected pkts: 0][processed flows: 0]
>>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:2421] Flow drop stats: [0 bytes/0 pkts][0 flows]
>>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:2426] Total flow stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
>>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:4833] Cleaning globals
>>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:4853] nProbe terminated."
>>>>>>>>
>>>>>>>> What am I doing wrong?
>>>>>>>>
>>>>>>>> regards
>>>>>>>> asad
>>>>>>>>
>>>>>>>> On 8/25/15, asad <[email protected]> wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I'm running "ntopng" on windows and want to point netflows data
>>>>>>>>> directly. I see in the "netstat" command that port 2055 is put in
>>>>>>>>> established status.
>>>>>>>>>
>>>>>>>>> Nprobe is also installed. I want to use nprobe to send pcap files to
>>>>>>>>> port 2055 for parsing. I see that nprobe changes/re-writes the header
>>>>>>>>> info when sending netflows data. Is there any way to avoid it?
>>>>>>>>>
>>>>>>>>> Also, if I want to use nprobe as a proxy collector, do the cmds work
>>>>>>>>> in windows as well? I tried and it gives an error
>>>>>>>>>
>>>>>>>>> "
>>>>>>>>> nprobe --zmq "tcp://*:5556" -i .....
>>>>>>>>> ntopng -i "tcp://127.0.0.1:5556"
>>>>>>>>> "
>>>>>>>>>
>>>>>>>>> Thanks.
>>>>>>>>> regards
>>>>>>>>> asad
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
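The point made in the thread above (nprobe "converts" packets into netflow, and each flow keeps the original src/dst ip/port while the layer 5 to 7 content is not what gets exported) is illustrated by the following added example. It is not nprobe or ntopng code and is not part of the thread: it is a minimal, stand-alone Python reader for classic pcap files (Ethernet II / IPv4 / TCP or UDP only; no pcapng, no fragment reassembly) that groups packets into unidirectional 5-tuple flow records in the style of the NetFlow v5 field set. The IP addresses, ports and HTTP/DNS payloads are constructed inline for the demonstration and are not taken from smallFlows.pcap or zeus-sample-3.pcap.

```python
"""Packet-to-flow conversion, the way a flow exporter summarises a pcap.

Added illustration, not nprobe/ntopng code.  Reads a classic pcap
(Ethernet II / IPv4 / TCP or UDP), keys every packet on its 5-tuple and
emits one record per flow with packet/byte counters.  L3/L4 header fields
survive; the application payload (layers 5-7) is never copied into a record.
"""
import json
import socket
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def parse_frame(frame):
    """Return ((src_ip, dst_ip, proto, sport, dport), ip_total_len) or None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None                       # non-IPv4 frames are not flow-keyed here
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        return None
    if flags_frag & 0x1FFF:
        return None                       # non-first fragment: no L4 header to key on (toy: skipped)
    l4 = ip[(ver_ihl & 0x0F) * 4:total_len]
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    else:
        sport = dport = 0                 # other protocols (e.g. ICMP): ports not meaningful
    return (socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, sport, dport), total_len


def iter_pcap(data):
    """Yield (ts_sec, frame_bytes) for every record in a classic pcap blob."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled)")
    (linktype,) = struct.unpack(endian + "I", data[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def flows_from_pcap(data):
    """Aggregate packets into unidirectional 5-tuple flow records."""
    flows = {}
    for ts, frame in iter_pcap(data):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        key, nbytes = parsed
        rec = flows.setdefault(key, {"packets": 0, "bytes": 0, "first": ts, "last": ts})
        rec["packets"] += 1
        rec["bytes"] += nbytes            # IP total length, as NetFlow counts it
        rec["last"] = ts
    return flows


def export_records(flows):
    """Flatten to the fields a collector would receive; payload is absent by construction."""
    return [dict(src_ip=k[0], dst_ip=k[1], proto=k[2], src_port=k[3], dst_port=k[4], **v)
            for k, v in flows.items()]


# --- constructed sample traffic (not a real capture) -----------------------
def build_packet(src_ip, dst_ip, proto, sport, dport, payload):
    if proto == IPPROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total_len = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("00112233445500aabbccddee") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4 + payload


def build_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1440500000 + i, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = build_pcap([
    build_packet("10.0.0.5", "93.184.216.34", IPPROTO_TCP, 51000, 80, b"GET /login HTTP/1.1\r\n\r\n"),
    build_packet("93.184.216.34", "10.0.0.5", IPPROTO_TCP, 80, 51000, b"HTTP/1.1 200 OK\r\n\r\n"),
    build_packet("10.0.0.5", "93.184.216.34", IPPROTO_TCP, 51000, 80, b"GET /secret HTTP/1.1\r\n\r\n"),
    build_packet("10.0.0.5", "10.0.0.1", IPPROTO_UDP, 40000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8),
])

if __name__ == "__main__":
    print(json.dumps(export_records(flows_from_pcap(SAMPLE_PCAP)), indent=1))
```

Running the script prints three flow records; the `GET /secret` request line present in the packets appears in none of them, which is the property asked about in the thread: the 5-tuple survives the packet-to-flow step, the payload does not, so searching ntopng for a URL seen in Wireshark will not work while searching for the IP will. What a real exporter puts in a record depends on its template and enabled plugins (the nprobe log above mentions plugins), so treat this as the basic NetFlow v5 field set only.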
