Ok, I think I know where I'm messing it up. Your advice please.

"ntopng /c -i tcp://127.0.0.1:5556"

On the UI, under the "Interfaces" tab, I see it as "127.0.0.1:5556". When I start it as a service, either through the command-line switch or the Windows service manager, under the "Interfaces" tab I see the UIDs of the available interfaces. With the second config, the NetFlows never reach / are never seen on the UI. So I'm wondering why I cannot start the service using the endpoint option "ntopng /c -i tcp://127.0.0.1:5556". It's difficult to keep a command prompt window open for the /c switch.

On Tue, Aug 25, 2015 at 6:59 PM, Yuri Francalacci <[email protected]> wrote:

> each flow will have the original src/dst ip/port
>
> ###############################################
> Yuri Francalacci - [email protected] - http://www.ntop.org
> "Simplicity is the ultimate sophistication" - Leonardo da Vinci
> ###############################################
>
> On 25 Aug 2015, at 15:46, asad <[email protected]> wrote:
>
> Yuri, on your last post, I was referring to header info (src IP etc.) which was not located on the UI. When I made it work, I could search the IP exactly as shown in the pcap files.
>
> Also, only layer 5 to layer 7 info should be discarded. Header info should remain intact?
>
> regards
> asad
>
> On Tue, Aug 25, 2015 at 6:44 PM, asad <[email protected]> wrote:
>
>> Yuri, your writing gave me the confidence to do a fresh install of both ntopng and nprobe. I followed the same steps and it worked :).
>>
>> On my office machine, I was restarting/starting ntopng from the Windows services tab. This time, I started it using the command line.
>>
>> Or what about the local firewall, does it have to be turned off?
>>
>> Does ordering matter? Thanks.
>>
>> On Tue, Aug 25, 2015 at 6:05 PM, asad <[email protected]> wrote:
>>
>>> Sorry for the confusion, the problem is that I'm not seeing packets displayed on the UI. Does nprobe re-write the header info? For e.g. in search I cannot see packets that are seen when opening the pcap file alone. Where does it go?
>>>
>>> Thanks.
>>>
>>> On Tue, Aug 25, 2015 at 5:55 PM, Yuri Francalacci <[email protected]> wrote:
>>>
>>>> nprobe "converts" packets into netflow. I do not understand why you need this separate tool.
>>>> Once you have started nprobe, then you just have to access the ntopng web interface and see what nprobe has reported to it.
>>>> Yuri
>>>> ###############################################
>>>> Yuri Francalacci - [email protected] - http://www.ntop.org
>>>> "Simplicity is the ultimate sophistication" - Leonardo da Vinci
>>>> ###############################################
>>>>
>>>> On 25 Aug 2015, at 13:14, asad <[email protected]> wrote:
>>>>
>>>> Also, do I need a separate tool for pcap to netflow conversion, or do the switches described in the cmd above automatically do the conversion for you?
>>>>
>>>> regards
>>>> asad
>>>>
>>>> On 8/25/15, asad <[email protected]> wrote:
>>>>
>>>> Right now, I just want to see how netflow packets are received by ntopng. I think I would need collector mode once I'm in a prod environment? Thanks
>>>>
>>>> On 8/25/15, asad <[email protected]> wrote:
>>>>
>>>> Thanks Yuri, that was a bad mistake. I mixed two options.
>>>>
>>>> With this cmd "nprobe /c --zmq "tcp://*:5556" -i smallFlows.pcap" I got it working and the output is different this time.
>>>>
>>>> "Flow export stats: [9007321 bytes/14243 pkts][1209 flows/41 pkts sent]
>>>> Flow drop stats: [0 bytes/0 pkts][0 flows]
>>>> Total flow stats: [9007321 bytes/14243 pkts][1209 flows/41 pkts sent]"
>>>>
>>>> Locating it on the GUI is the problem. Is it a pcap file problem, or where are the exported packets logged?
>>>> thanks
>>>>
>>>> On 8/25/15, Yuri Francalacci <[email protected]> wrote:
>>>>
>>>> Do you need collector mode in nprobe? If not, you have to remove all the -3 option (that you have specified with the wrong syntax - check nprobe --help)
>>>> Yuri
>>>> ###############################################
>>>> Yuri Francalacci - [email protected] - http://www.ntop.org
>>>> "Simplicity is the ultimate sophistication" - Leonardo da Vinci
>>>> ###############################################
>>>>
>>>> On 25 Aug 2015, at 12:47, asad <[email protected]> wrote:
>>>>
>>>> Thanks a lot Yuri.
>>>>
>>>> I changed to "nprobe /c --zmq "tcp://*:5556" -i smallFlows.pcap -n none -3 port 2055".
>>>>
>>>> But the output is the same:
>>>>
>>>> "
>>>> 25/Aug/2015 15:46:03 [nprobe.c:2402] Processed packets: 14261 (max bucket search: 1)
>>>> 25/Aug/2015 15:46:03 [nprobe.c:2385] Fragment queue length: 0
>>>> 25/Aug/2015 15:46:03 [nprobe.c:2411] Flow export stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
>>>> 25/Aug/2015 15:46:03 [nprobe.c:2421] Flow drop stats: [0 bytes/0 pkts][0 flows]
>>>> 25/Aug/2015 15:46:03 [nprobe.c:2426] Total flow stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
>>>> "
>>>> regards
>>>>
>>>> On 8/25/15, Yuri Francalacci <[email protected]> wrote:
>>>>
>>>> to use ntopng as a graphical frontend for nprobe, the way you started ntopng is almost fine.
>>>> For nprobe it is enough:
>>>>
>>>> nprobe /c --zmq "tcp://*:5556" -n none
>>>>
>>>> then you have to decide what you would like to use to "feed" nprobe:
>>>> - using a pcap file, you need to add -i <pcap file> and remove all the other stuff
>>>> - using nprobe in collector mode, you have to add -i none and -3 <port> and send Netflow (not raw packets) data to that port
>>>>
>>>> Yuri
>>>> ###############################################
>>>> Yuri Francalacci - [email protected] - http://www.ntop.org
>>>> "Simplicity is the ultimate sophistication" - Leonardo da Vinci
>>>> ###############################################
>>>>
>>>> On 25 Aug 2015, at 11:59, asad <[email protected]> wrote:
>>>>
>>>> To update,
>>>>
>>>> "ntopng /c -i tcp://127.0.0.1:5556"
>>>>
>>>> and
>>>>
>>>> "nprobe /c --zmq "tcp://*:5556" -u 5 -i none zeus-sample-3.pcap -n none -nf --collector-port 2055:5 -V9 -b 2"
>>>>
>>>> both are running but the output is
>>>>
>>>> "25/Aug/2015 14:59:54 [nprobe.c:4659] Pending buckets have been exported...
>>>> 25/Aug/2015 14:59:56 [engine.c:3293] Export thread terminated [exportQueue=0]
>>>> 25/Aug/2015 14:59:56 [nprobe.c:4725] Flushing queued flows...
>>>> 25/Aug/2015 14:59:56 [nprobe.c:4728] Freeing memory...
>>>> 25/Aug/2015 14:59:56 [plugin.c:277] Terminating plugins.
>>>> 25/Aug/2015 14:59:56 [nprobe.c:4820] Still allocated 0 hash buckets
>>>> 25/Aug/2015 14:59:56 [nprobe.c:2402] Processed packets: 1105 (max bucket search: 0)
>>>> 25/Aug/2015 14:59:56 [nprobe.c:2385] Fragment queue length: 0
>>>> 25/Aug/2015 14:59:56 [nprobe.c:2411] Flow export stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
>>>> 25/Aug/2015 14:59:56 [nprobe.c:2418] Flow collection: [collected pkts: 0][processed flows: 0]
>>>> 25/Aug/2015 14:59:56 [nprobe.c:2421] Flow drop stats: [0 bytes/0 pkts][0 flows]
>>>> 25/Aug/2015 14:59:56 [nprobe.c:2426] Total flow stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
>>>> 25/Aug/2015 14:59:56 [nprobe.c:4833] Cleaning globals
>>>> 25/Aug/2015 14:59:56 [nprobe.c:4853] nProbe terminated."
>>>>
>>>> What am I doing wrong?
>>>>
>>>> regards
>>>> asad
>>>>
>>>> On 8/25/15, asad <[email protected]> wrote:
>>>>
>>>> Hello,
>>>>
>>>> I'm running "ntopng" on Windows and want to point netflow data at it directly. I see on the "netstat" command that port 2055 is put in established status.
>>>>
>>>> Nprobe is also installed. I want to use nprobe to send pcap files to port 2055 for parsing. I see that nprobe changes/re-writes the header info when sending netflow data. Is there any way to avoid it?
>>>>
>>>> Also, if I want to use nprobe as a proxy collector, do the cmds work in Windows as well? I tried and it gives an error
>>>>
>>>> "
>>>> nprobe --zmq "tcp://*:5556" -i .....
>>>> ntopng -i "tcp://127.0.0.1:5556"
>>>> "
>>>>
>>>> Thanks.
>>>> regards
>>>> asad

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
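Added example, not code from the thread or from the ntop project: a small Python checker that encodes the two nprobe feeding modes Yuri describes (a pcap or interface via -i, or collector mode via -i none plus -3 <port>), flags the mixing of the two that the thread's first command line suffered from, checks that ntopng's -i endpoint matches the port nprobe publishes on, and parses nprobe's exit summary to separate "nothing was exported" from "exported but not shown". The option parser is a simplified stand-in for nprobe's own, the finding texts and function names are mine, it only knows the flags that appear above, and the sample command lines and log lines are constructed from the ones in the thread. The one security remark it makes is a plain ZMQ fact: `tcp://*:5556` binds on every interface, so when ntopng runs on the same host the feed should bind 127.0.0.1 instead.

```python
"""Consistency checks for an nprobe -> ZMQ -> ntopng pairing.

Added example, not code from the thread or the ntop project. The option
parser is a minimal stand-in for nprobe's own and covers only the flags
used in the thread.
"""
import re
import shlex

ENDPOINT_RE = re.compile(r"^tcp://([^:/]+):(\d{1,5})$")
COLLECTOR_OPTS = ("-3", "--collector-port")
STATS_RE = {  # summary lines in the form nprobe prints them at exit
    "processed_pkts": re.compile(r"Processed packets: (\d+)"),
    "exported_flows": re.compile(r"Flow export stats: \[\d+ bytes/\d+ pkts\]\[(\d+) flows/"),
    "dropped_flows": re.compile(r"Flow drop stats: \[\d+ bytes/\d+ pkts\]\[(\d+) flows\]"),
}


def parse_cmdline(cmdline):
    """Split a command line into ({option: value}, [positional args]).

    Assumption: an option followed by a token not starting with '-' takes it
    as its value; the program name and the Windows '/c' console switch are
    dropped from the positionals.
    """
    toks = shlex.split(cmdline)[1:]
    opts, positional, i = {}, [], 0
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("-") and len(tok) > 1:
            if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                opts[tok], i = toks[i + 1], i + 2
            else:
                opts[tok], i = True, i + 1
        else:
            if not tok.startswith("/"):
                positional.append(tok)
            i += 1
    return opts, positional


def check_nprobe(cmdline):
    """Return a list of findings for the nprobe side; empty means consistent."""
    opts, positional = parse_cmdline(cmdline)
    findings = []
    zmq = opts.get("--zmq")
    pub = ENDPOINT_RE.match(zmq) if isinstance(zmq, str) else None
    if pub is None:
        findings.append("--zmq tcp://<host>:<port> is required to feed ntopng over ZMQ")
    elif pub.group(1) == "*":
        # ZMQ binds '*' on every interface, so the flow feed becomes reachable
        # from the network rather than only from the local ntopng.
        findings.append("--zmq binds all interfaces ('*'); bind 127.0.0.1 when ntopng runs on the same host")
    iface = opts.get("-i")
    collector = [o for o in COLLECTOR_OPTS if o in opts]
    pcaps = [p for p in positional if p.lower().endswith(".pcap")]
    if iface is None:
        findings.append("no -i given: use -i <pcap|interface>, or -i none with -3 <port> for collector mode")
    elif iface == "none":
        if not collector:
            findings.append("-i none is collector mode and needs -3 <port> to receive NetFlow")
        for p in pcaps:
            findings.append(f"{p} is never read with -i none; use -i {p} and drop -3")
    elif collector:
        findings.append("-i <pcap|interface> and collector mode are exclusive; remove " + ", ".join(collector))
    for o in collector:
        val = opts[o]
        if not (isinstance(val, str) and val.split(":")[0].isdigit()):
            findings.append(f"{o} expects a UDP port number, got {val!r}")
    return findings


def check_pair(nprobe_cmdline, ntopng_cmdline):
    """Check that ntopng's -i endpoint points at the port nprobe publishes on."""
    zmq = parse_cmdline(nprobe_cmdline)[0].get("--zmq")
    pub = ENDPOINT_RE.match(zmq) if isinstance(zmq, str) else None
    sub_arg = parse_cmdline(ntopng_cmdline)[0].get("-i")
    sub = ENDPOINT_RE.match(sub_arg) if isinstance(sub_arg, str) else None
    if sub is None:
        return ["ntopng: -i must be tcp://<host>:<port> to read flows from nprobe"]
    if pub is not None and pub.group(2) != sub.group(2):
        return [f"port mismatch: nprobe publishes on {pub.group(2)}, ntopng subscribes to {sub.group(2)}"]
    return []


def parse_export_stats(log_text):
    """Pull the exit-summary counters out of nprobe's log output."""
    stats = {}
    for key, rx in STATS_RE.items():
        m = rx.search(log_text)
        stats[key] = int(m.group(1)) if m else None
    return stats


def diagnose_stats(stats):
    """Explain a run where packets were read but nothing reached ntopng."""
    if stats["exported_flows"] is None:
        return "no 'Flow export stats' line found; nprobe did not complete an export run"
    if stats["processed_pkts"] and stats["exported_flows"] == 0 and not stats["dropped_flows"]:
        return "packets were processed but zero flows exported: check -i/-3 mixing"
    if stats["exported_flows"]:
        return f"{stats['exported_flows']} flows exported; if ntopng shows nothing, check the ZMQ endpoint"
    return "no packets processed: check the -i source"


if __name__ == "__main__":
    # Command lines and log excerpt constructed from the ones in the thread.
    BAD = 'nprobe /c --zmq "tcp://*:5556" -u 5 -i none zeus-sample-3.pcap -n none -nf --collector-port 2055:5 -V9 -b 2'
    GOOD = 'nprobe /c --zmq "tcp://127.0.0.1:5556" -i smallFlows.pcap -n none'
    NTOPNG = "ntopng /c -i tcp://127.0.0.1:5556"
    LOG = ("[nprobe.c:2402] Processed packets: 1105 (max bucket search: 0)\n"
           "[nprobe.c:2411] Flow export stats: [0 bytes/0 pkts][0 flows/0 pkts sent]\n"
           "[nprobe.c:2421] Flow drop stats: [0 bytes/0 pkts][0 flows]\n")
    for finding in check_nprobe(BAD) + check_pair(BAD, NTOPNG):
        print("BAD :", finding)
    print("GOOD:", check_nprobe(GOOD) + check_pair(GOOD, NTOPNG) or "no findings")
    print(diagnose_stats(parse_export_stats(LOG)))
```

Run it as a plain script (the file name is up to you) to see the first command line from the thread produce two findings (the pcap is ignored under -i none, and the feed is bound on every interface) while the working pcap command line produces none; paste a full nprobe exit log into `parse_export_stats` to get the same "zero flows exported" diagnosis that the 14:59 run above shows.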
