Hello,

To update: I have shifted to the community edition. I tried nprobe for the .pcap setup and it works great. But when I switch it to nprobe /c --zmq "tcp://*:5556" -i none and -3 2055, nothing comes. I'm getting netflows from a Cisco ASA 5585. Is this because the Cisco ASA sends flows in NSEL format? Also, when I close nprobe I see the exported values shown as 0/0. What am I missing? One thing I'm confused about: how does nprobe detect the interface to be used? Does it go by default...?

Thanks.

On Wed, Aug 26, 2015 at 3:28 AM, Luca Deri <[email protected]> wrote:
> Asad
> /i <service name> <parameters> installs a service on Windows with the
> parameters you specified
>
> Luca
>
> On 25 Aug 2015, at 17:13, asad <[email protected]> wrote:
>
> Please find attached screenshot; I can't use the /i switch the way I want.
>
> On Tue, Aug 25, 2015 at 7:52 PM, asad <[email protected]> wrote:
>
>> But should "-i tcp://127.0.0.1:5556" not mean I'm connecting it as a
>> client, so how can it use these params as a service?
>>
>> On Tue, Aug 25, 2015 at 7:28 PM, Yuri Francalacci <[email protected]> wrote:
>>
>>> reinstall the service with the configuration you would like to have.
>>>
>>> ###############################################
>>> Yuri Francalacci - [email protected] - http://www.ntop.org
>>> "Simplicity is the ultimate sophistication" - Leonardo da Vinci
>>> ###############################################
>>>
>>> On 25 Aug 2015, at 16:18, asad <[email protected]> wrote:
>>>
>>> Ok, I think I know where I'm messing it up. Your advice please.
>>>
>>> "ntopng /c -i tcp://127.0.0.1:5556".
>>>
>>> On the UI, under the "interface" tab I see it as "127.0.0.1:5556".
>>>
>>> When I start it as a service, either through the cmd line switch or the service
>>> manager in Windows, under the "interfaces" tab I see the UID of the available
>>> interfaces.
>>>
>>> On the second config, the netflows never reach / are never seen on the UI. So I'm
>>> wondering why I cannot start the service using the end-points option "ntopng
>>> /c -i tcp://127.0.0.1:5556". It's difficult to keep a window open on the
>>> command prompt for the /c switch.
>>>
>>> On Tue, Aug 25, 2015 at 6:59 PM, Yuri Francalacci <[email protected]> wrote:
>>>
>>>> each flow will have the original src/dst ip/port
>>>>
>>>> On 25 Aug 2015, at 15:46, asad <[email protected]> wrote:
>>>>
>>>> Yuri, in your last post I was referring to the header info (srcip etc.)
>>>> which was not located on the UI. When I made it work, I could search the IP
>>>> exactly as shown in the pcap files.
>>>>
>>>> Also, only layer 5 to layer 7 info should be discarded. Header info
>>>> should remain intact?
>>>>
>>>> regards
>>>> asad
>>>>
>>>> On Tue, Aug 25, 2015 at 6:44 PM, asad <[email protected]> wrote:
>>>>
>>>>> Yuri, your writing gave me the confidence to do a fresh install of both
>>>>> ntopng and nprobe. I followed the same steps and it worked :).
>>>>>
>>>>> On my office machine, I was restarting/starting ntopng from the
>>>>> Windows service tab. This time, I started it using the command line.
>>>>>
>>>>> Or what about the local fw, does it have to be turned off?
>>>>>
>>>>> Does ordering matter? Thanks.
>>>>>
>>>>> On Tue, Aug 25, 2015 at 6:05 PM, asad <[email protected]> wrote:
>>>>>
>>>>>> Sorry for the confusion; the problem is that I'm not seeing packets
>>>>>> displayed on the UI. Does nprobe re-write the header info? For e.g. in search I
>>>>>> cannot see packets that are seen when opening the pcap file alone. Where do they
>>>>>> go?
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> On Tue, Aug 25, 2015 at 5:55 PM, Yuri Francalacci <[email protected]> wrote:
>>>>>>
>>>>>>> nprobe "converts" packets into netflow. I do not understand why you
>>>>>>> need this separate tool.
>>>>>>> Once you have started nprobe, you just have to access the
>>>>>>> ntopng web interface and see what nprobe has reported to it.
>>>>>>> Yuri
>>>>>>>
>>>>>>> On 25 Aug 2015, at 13:14, asad <[email protected]> wrote:
>>>>>>>
>>>>>>> Also, do I need a separate tool for pcap to netflow conversion, or
>>>>>>> do the switches described in the cmd above automatically do the conversion
>>>>>>> for you?
>>>>>>>
>>>>>>> regards
>>>>>>> asad
>>>>>>>
>>>>>>> On 8/25/15, asad <[email protected]> wrote:
>>>>>>>
>>>>>>> Right now, I just want to see how netflow packets are received by
>>>>>>> ntopng. I think I would need collector mode once I'm in the prod
>>>>>>> environment? Thanks
>>>>>>>
>>>>>>> On 8/25/15, asad <[email protected]> wrote:
>>>>>>>
>>>>>>> Thanks Yuri, that was a bad mistake. I mixed two options.
>>>>>>>
>>>>>>> With this cmd "nprobe /c --zmq "tcp://*:5556" -i smallFlows.pcap" I
>>>>>>> got it working and the output is different this time.
>>>>>>>
>>>>>>> "Flow export stats: [9007321 bytes/14243 pkts][1209 flows/41 pkts sent]
>>>>>>> Flow drop stats: [0 bytes/0 pkts][0 flows]
>>>>>>> Total flow stats: [9007321 bytes/14243 pkts][1209 flows/41 pkts sent]"
>>>>>>>
>>>>>>> Locating it on the GUI is the problem. Is it a pcap file problem, or where are
>>>>>>> the exported packets logged?
>>>>>>> thanks
>>>>>>>
>>>>>>> On 8/25/15, Yuri Francalacci <[email protected]> wrote:
>>>>>>>
>>>>>>> Do you need collector mode in nprobe? If not, you have to remove the
>>>>>>> -3 option altogether (which you have specified with the wrong syntax - check
>>>>>>> nprobe --help)
>>>>>>> Yuri
>>>>>>>
>>>>>>> On 25 Aug 2015, at 12:47, asad <[email protected]> wrote:
>>>>>>>
>>>>>>> Thanks a lot Yuri.
>>>>>>>
>>>>>>> I changed to "nprobe /c --zmq "tcp://*:5556" -i smallFlows.pcap -n
>>>>>>> none -3 port 2055".
>>>>>>>
>>>>>>> But the output is the same
>>>>>>>
>>>>>>> "
>>>>>>> 25/Aug/2015 15:46:03 [nprobe.c:2402] Processed packets: 14261 (max bucket search: 1)
>>>>>>> 25/Aug/2015 15:46:03 [nprobe.c:2385] Fragment queue length: 0
>>>>>>> 25/Aug/2015 15:46:03 [nprobe.c:2411] Flow export stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
>>>>>>> 25/Aug/2015 15:46:03 [nprobe.c:2421] Flow drop stats: [0 bytes/0 pkts][0 flows]
>>>>>>> 25/Aug/2015 15:46:03 [nprobe.c:2426] Total flow stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
>>>>>>> "
>>>>>>> regards
>>>>>>>
>>>>>>> On 8/25/15, Yuri Francalacci <[email protected]> wrote:
>>>>>>>
>>>>>>> to use ntopng as a graphical frontend for nprobe, the way you started
>>>>>>> ntopng is almost fine.
>>>>>>> For nprobe it is enough to run
>>>>>>>
>>>>>>> nprobe /c --zmq "tcp://*:5556" -n none
>>>>>>>
>>>>>>> then you have to decide what you would like to use to "feed" nprobe:
>>>>>>> - using a pcap file, you need to add -i <pcap file> and remove all the
>>>>>>> other stuff
>>>>>>> - using nprobe in collector mode, you have to add -i none and -3 <port>
>>>>>>> and send Netflow (not raw packets) data to that port
>>>>>>>
>>>>>>> Yuri
>>>>>>>
>>>>>>> On 25 Aug 2015, at 11:59, asad <[email protected]> wrote:
>>>>>>>
>>>>>>> To update,
>>>>>>>
>>>>>>> "ntopng /c -i tcp://127.0.0.1:5556"
>>>>>>>
>>>>>>> and
>>>>>>>
>>>>>>> "nprobe /c --zmq "tcp://*:5556" -u 5 -i none zeus-sample-3.pcap -n
>>>>>>> none -nf --collector-port 2055:5 -V9 -b 2"
>>>>>>>
>>>>>>> are both running, but the output is
>>>>>>>
>>>>>>> "25/Aug/2015 14:59:54 [nprobe.c:4659] Pending buckets have been exported...
>>>>>>> 25/Aug/2015 14:59:56 [engine.c:3293] Export thread terminated [exportQueue=0]
>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:4725] Flushing queued flows...
>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:4728] Freeing memory...
>>>>>>> 25/Aug/2015 14:59:56 [plugin.c:277] Terminating plugins.
>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:4820] Still allocated 0 hash buckets
>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:2402] Processed packets: 1105 (max bucket search: 0)
>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:2385] Fragment queue length: 0
>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:2411] Flow export stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:2418] Flow collection: [collected pkts: 0][processed flows: 0]
>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:2421] Flow drop stats: [0 bytes/0 pkts][0 flows]
>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:2426] Total flow stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:4833] Cleaning globals
>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:4853] nProbe terminated."
>>>>>>>
>>>>>>> What am I doing wrong?
>>>>>>>
>>>>>>> regards
>>>>>>> asad
>>>>>>>
>>>>>>> On 8/25/15, asad <[email protected]> wrote:
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I'm running "ntopng" on Windows and want to point netflow data at it
>>>>>>> directly. I see in the "netstat" command that port 2055 is in
>>>>>>> established status.
>>>>>>>
>>>>>>> Nprobe is also installed. I want to use nprobe to send pcap files to
>>>>>>> port 2055 for parsing. I see that nprobe changes/re-writes the header
>>>>>>> info when sending netflow data. Is there any way to avoid it?
>>>>>>>
>>>>>>> Also, if I want to use nprobe as a proxy collector, do the cmds work
>>>>>>> in Windows as well? I tried and it gives an error
>>>>>>>
>>>>>>> "
>>>>>>> nprobe --zmq "tcp://*:5556" -i .....
>>>>>>> ntopng -i "tcp://127.0.0.1:5556"
>>>>>>> "
>>>>>>>
>>>>>>> Thanks.
>>>>>>> regards
>>>>>>> asad
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Ntop mailing list
>>>>>>> [email protected]
>>>>>>> http://listgateway.unipi.it/mailman/listinfo/ntop
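The open question at the top of this thread (nprobe in collector mode with -i none -3 2055 reports 0/0 exported flows while an ASA is supposedly sending NSEL) splits into two checks that should be done before touching nprobe flags: does any NetFlow datagram reach UDP 2055 on this host at all, and, since NSEL is carried as NetFlow v9, have the v9 templates arrived that a collector needs before it can decode any data record. The script below is an added example, not part of the thread and not ntop's nprobe or ntopng code. It parses a NetFlow v9 header, template flowsets and data flowsets, flags field types outside the standard range (Cisco ASA NSEL uses IDs in the 33000 and 40000 ranges), and reports data flowsets whose template has not been seen. The datagram in sample_datagram() is constructed for the example; its field type 40005 is only a stand-in for a vendor-range field, and the port number 2055 is assumed from the thread. Stop nprobe before running it with --listen, as only one process can bind the port.

```python
"""Check what actually arrives on the NetFlow collector port.

Added example (not ntop's nprobe/ntopng code). It parses NetFlow v9 headers,
template flowsets and data flowsets so you can see (a) whether the exporter
reaches UDP 2055 at all, (b) which export version it uses and (c) whether
templates have been received, without which no v9 data record (NSEL included)
can be decoded. The datagram in sample_datagram() is constructed, not captured.
"""
import socket
import struct
from typing import Dict, List, Tuple

V9_HEADER = struct.Struct("!HHIIII")   # version, count, sysuptime, unix secs, sequence, source id
FLOWSET_HDR = struct.Struct("!HH")     # flowset id, flowset length (length includes this header)

# Field types at or above this value are outside the standard v9 range;
# Cisco ASA NSEL uses its own IDs in the 33000 and 40000 ranges.
NONSTANDARD_FIELD_MIN = 32768
IPV4_FIELDS = {8, 12, 15}              # IPV4_SRC_ADDR, IPV4_DST_ADDR, IPV4_NEXT_HOP

Template = List[Tuple[int, int]]       # [(field type, field length), ...]


def decode_field(ftype: int, raw: bytes):
    """Dotted quad for IPv4 fields, big-endian int for 1/2/4/8-byte fields, hex otherwise."""
    if ftype in IPV4_FIELDS and len(raw) == 4:
        return socket.inet_ntoa(raw)
    if len(raw) in (1, 2, 4, 8):
        return int.from_bytes(raw, "big")
    return raw.hex()


def parse_template_flowset(body: bytes, templates: Dict[int, Template]) -> List[int]:
    """Parse every template in a flowset-id-0 body into the cache; return the template ids seen."""
    seen, off = [], 0
    while off + 4 <= len(body):
        tid, nfields = struct.unpack_from("!HH", body, off)
        off += 4
        if nfields == 0:               # zero-filled padding at the end of the flowset
            break
        fields = [struct.unpack_from("!HH", body, off + 4 * i) for i in range(nfields)]
        off += 4 * nfields
        templates[tid] = fields
        seen.append(tid)
    return seen


def parse_data_flowset(body: bytes, template: Template) -> List[Dict[int, object]]:
    """Split a data flowset body into fixed-length records described by a known template."""
    rec_len = sum(flen for _, flen in template)
    records, off = [], 0
    while rec_len and off + rec_len <= len(body):   # a tail shorter than one record is padding
        rec, pos = {}, off
        for ftype, flen in template:
            rec[ftype] = decode_field(ftype, body[pos:pos + flen])
            pos += flen
        records.append(rec)
        off += rec_len
    return records


def parse_datagram(data: bytes, templates: Dict[int, Template]) -> Dict[str, object]:
    """Parse one collector datagram. `templates` persists across calls because an exporter
    normally sends templates in separate (and less frequent) packets than the data."""
    version = struct.unpack_from("!H", data, 0)[0]
    if version != 9:
        # v5 (fixed layout, no templates) and IPFIX (version 10) are only identified here.
        return {"version": version, "flowsets": [], "nonstandard_fields": [], "missing_templates": []}
    _, count, _uptime, _secs, seq, source_id = V9_HEADER.unpack_from(data, 0)
    result = {"version": 9, "count": count, "sequence": seq, "source_id": source_id,
              "flowsets": [], "nonstandard_fields": [], "missing_templates": []}
    off = V9_HEADER.size
    while off + FLOWSET_HDR.size <= len(data):
        fs_id, fs_len = FLOWSET_HDR.unpack_from(data, off)
        if fs_len < FLOWSET_HDR.size:
            break                      # malformed length; never loop forever on bad input
        body = data[off + FLOWSET_HDR.size: off + fs_len]
        entry = {"id": fs_id}
        if fs_id == 0:
            entry["kind"] = "template"
            entry["templates"] = parse_template_flowset(body, templates)
            for tid in entry["templates"]:
                result["nonstandard_fields"] += [t for t, _ in templates[tid] if t >= NONSTANDARD_FIELD_MIN]
        elif fs_id == 1:
            entry["kind"] = "options-template"
        elif fs_id >= 256:
            entry["kind"] = "data"
            if fs_id in templates:
                entry["records"] = parse_data_flowset(body, templates[fs_id])
            else:
                result["missing_templates"].append(fs_id)   # data seen before its template
        else:
            entry["kind"] = "reserved"
        result["flowsets"].append(entry)
        off += fs_len
    return result


def sample_datagram() -> bytes:
    """Constructed v9 datagram: one template (id 256) and one data record using it."""
    header = V9_HEADER.pack(9, 2, 1000, 1440500000, 1, 1)
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (40005, 1)]   # 40005: stand-in vendor-range id
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    tmpl_fs = FLOWSET_HDR.pack(0, 4 + len(tmpl)) + tmpl
    record = (socket.inet_aton("10.0.0.5") + socket.inet_aton("192.0.2.10")
              + struct.pack("!HHBB", 51234, 443, 6, 1))
    data_fs = FLOWSET_HDR.pack(256, 4 + len(record) + 2) + record + b"\x00\x00"   # 2 bytes padding
    return header + tmpl_fs + data_fs


def listen(port: int = 2055, max_packets: int = 5) -> List[Dict[str, object]]:
    """Bind the collector port (stop nprobe first) and parse a few datagrams from the exporter."""
    templates: Dict[int, Template] = {}
    out = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        for _ in range(max_packets):
            data, (src, _) = s.recvfrom(65535)
            parsed = parse_datagram(data, templates)
            parsed["exporter"] = src
            out.append(parsed)
    return out


if __name__ == "__main__":
    import json, sys
    if len(sys.argv) > 1 and sys.argv[1] == "--listen":
        print(json.dumps(listen(), indent=1))
    else:
        print(json.dumps(parse_datagram(sample_datagram(), {}), indent=1))
```

If --listen returns nothing, the ASA's flow-export destination, the host firewall, or the Windows binding of 2055 is the problem, not nprobe. If packets arrive but every data flowset lands in missing_templates, wait for the exporter's template refresh interval before judging the collector; if templates arrive and nonstandard_fields is non-empty, the export is vendor-specific (NSEL-style) and the question becomes whether the collector understands those field IDs, which this thread does not settle.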
