Also, to update: nprobe --zmq "tcp://*:5556" -i none -n none --collector-port 2055 -b 1

If I use -i as none, nprobe won't proceed. I want to know why "-i none" is necessary; why can't I specify an interface? Is it because nprobe doesn't capture traffic from an interface, just the port, i.e. 2055?

On 9/8/15, asad <[email protected]> wrote:
> Hello,
>
> To update, I have shifted to community edition. I tried nprobe for .pcap
> setup and it works great. But when I switch it as
>
>> nprobe /c --zmq "tcp://*:5556" -i none and -3 2055
>
> nothing comes. I'm getting netflows from a Cisco ASA 5585. Is this because
> Cisco ASA sends flows in NSEL format? Also, when I close nprobe I see
> exported values shown as 0/0. What am I missing?
>
> One thing I'm confused about: how does nprobe detect the interface to be used?
> Does it go by default...?
>
> Thanks.
>
> On Wed, Aug 26, 2015 at 3:28 AM, Luca Deri <[email protected]> wrote:
>
>> Asad
>> /i <service name> <parameters> installs a service on windows with the
>> parameters you specified
>>
>> Luca
>>
>> On 25 Aug 2015, at 17:13, asad <[email protected]> wrote:
>>
>> Please find attached screenshot, I can't use the /i switch the way I want.
>>
>> On Tue, Aug 25, 2015 at 7:52 PM, asad <[email protected]> wrote:
>>
>>> But shouldn't " -i tcp://127.0.0.1:5556" mean I'm connecting it as a
>>> client, so how can it use these parms as a service?
>>>
>>> On Tue, Aug 25, 2015 at 7:28 PM, Yuri Francalacci <[email protected]> wrote:
>>>
>>>> reinstall the service with the configuration you would like to have.
>>>>
>>>> ###############################################
>>>> Yuri Francalacci - [email protected] - http://www.ntop.org
>>>> "Simplicity is the ultimate sophistication" - Leonardo da Vinci
>>>> ###############################################
>>>>
>>>> On 25 Aug 2015, at 16:18, asad <[email protected]> wrote:
>>>>
>>>> Ok, I think I know where I'm messing it up. Your advice please.
>>>>
>>>> "ntopng /c -i tcp://127.0.0.1:5556".
>>>>
>>>> On UI, under "interface" tab I see it as "127.0.0.1:5556".
>>>>
>>>> When I start it as a service, either through cmd line switch or service
>>>> manager in windows, under "interfaces" tab I see the UID of available
>>>> interfaces.
>>>>
>>>> On the second config, the netflows never reach / are seen on the UI. So I'm
>>>> thinking why I cannot start the service using the end-points option
>>>> "ntopng /c -i tcp://127.0.0.1:5556". It's difficult to keep a window open on
>>>> command prompt for the /c switch.
>>>>
>>>> On Tue, Aug 25, 2015 at 6:59 PM, Yuri Francalacci <[email protected]> wrote:
>>>>
>>>>> each flow will have the original src/dst ip/port
>>>>>
>>>>> Yuri Francalacci - [email protected] - http://www.ntop.org
>>>>>
>>>>> On 25 Aug 2015, at 15:46, asad <[email protected]> wrote:
>>>>>
>>>>> Yuri, on your last post, I was referring to header info (srcip etc)
>>>>> which were not located on UI. When I made it work, I could search the IP
>>>>> exactly as shown in pcap files.
>>>>>
>>>>> Also, only layer 5 to layer 7 info should be discarded. Header info
>>>>> should remain intact?
>>>>>
>>>>> regards
>>>>> asad
>>>>>
>>>>> On Tue, Aug 25, 2015 at 6:44 PM, asad <[email protected]> wrote:
>>>>>
>>>>>> Yuri, your writing gave me confidence to do a fresh install of both
>>>>>> ntopng and nprobe. I followed the same steps and it worked :).
>>>>>>
>>>>>> In my office machine, I was restarting/starting the ntopng from the
>>>>>> windows service tab. This time, I started using command-line.
>>>>>>
>>>>>> Or what about local-fw, does it have to be turned off?
>>>>>>
>>>>>> Does ordering matter? Thanks.
>>>>>>
>>>>>> On Tue, Aug 25, 2015 at 6:05 PM, asad <[email protected]> wrote:
>>>>>>
>>>>>>> Sorry for the confusion, the problem is that I'm not seeing packets
>>>>>>> displayed on UI. Does nprobe re-write header info? For e.g. in search I
>>>>>>> cannot see packets that are seen when opening the pcap file alone. Where
>>>>>>> does it go?
>>>>>>>
>>>>>>> Thanks.
>>>>>>>
>>>>>>> On Tue, Aug 25, 2015 at 5:55 PM, Yuri Francalacci <[email protected]> wrote:
>>>>>>>
>>>>>>>> nprobe "converts" packets into netflow. I do not understand why you
>>>>>>>> need this separate tool.
>>>>>>>> Once you have started nprobe, then you have just to access the
>>>>>>>> ntopng web interface and see what nprobe has reported to it.
>>>>>>>> Yuri
>>>>>>>>
>>>>>>>> On 25 Aug 2015, at 13:14, asad <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Also, do I need a separate tool for pcap to netflows conversion, or do
>>>>>>>> the switches described in the cmd above automatically do the conversion
>>>>>>>> for you?
>>>>>>>>
>>>>>>>> regards
>>>>>>>> asad
>>>>>>>>
>>>>>>>> On 8/25/15, asad <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Right now, I just want to see how netflows packets are received by
>>>>>>>> ntopng. I think I would need collector mode once I'm in a prod
>>>>>>>> environment? Thanks
>>>>>>>>
>>>>>>>> On 8/25/15, asad <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Thanks Yuri, that was a bad mistake. I mixed two options.
>>>>>>>>
>>>>>>>> With this cmd "nprobe /c --zmq "tcp://*:5556" -i smallFlows.pcap" I
>>>>>>>> got it working and the output is different this time.
>>>>>>>>
>>>>>>>> "Flow export stats: [9007321 bytes/14243 pkts][1209 flows/41 pkts sent]
>>>>>>>> Flow drop stats: [0 bytes/0 pkts][0 flows]
>>>>>>>> Total flow stats: [9007321 bytes/14243 pkts][1209 flows/41 pkts sent]"
>>>>>>>>
>>>>>>>> Locating on GUI is a problem? Is it a pcap file problem, or where are the
>>>>>>>> exported packets logged?
>>>>>>>> thanks
>>>>>>>>
>>>>>>>> On 8/25/15, Yuri Francalacci <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Do you need collector mode in nprobe? if not, you have to remove all
>>>>>>>> the -3 option (that you have specified with the wrong syntax - check
>>>>>>>> nprobe --help)
>>>>>>>> Yuri
>>>>>>>>
>>>>>>>> On 25 Aug 2015, at 12:47, asad <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Thanks a lot Yuri.
>>>>>>>>
>>>>>>>> I changed to "nprobe /c --zmq "tcp://*:5556" -i smallFlows.pcap -n
>>>>>>>> none -3 port 2055".
>>>>>>>>
>>>>>>>> But the output is the same
>>>>>>>>
>>>>>>>> "
>>>>>>>> 25/Aug/2015 15:46:03 [nprobe.c:2402] Processed packets: 14261 (max bucket search: 1)
>>>>>>>> 25/Aug/2015 15:46:03 [nprobe.c:2385] Fragment queue length: 0
>>>>>>>> 25/Aug/2015 15:46:03 [nprobe.c:2411] Flow export stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
>>>>>>>> 25/Aug/2015 15:46:03 [nprobe.c:2421] Flow drop stats: [0 bytes/0 pkts][0 flows]
>>>>>>>> 25/Aug/2015 15:46:03 [nprobe.c:2426] Total flow stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
>>>>>>>> "
>>>>>>>> regards
>>>>>>>>
>>>>>>>> On 8/25/15, Yuri Francalacci <[email protected]> wrote:
>>>>>>>>
>>>>>>>> to use ntopng as a graphical frontend for nprobe the way you started
>>>>>>>> ntopng is almost fine
>>>>>>>> For nprobe it is enough
>>>>>>>>
>>>>>>>> nprobe /c --zmq "tcp://*:5556" -n none
>>>>>>>>
>>>>>>>> then you have to decide what you would like to use to "feed" nprobe
>>>>>>>> - using a pcap file, you need to add -i <pcap file> and remove all the
>>>>>>>> other stuff
>>>>>>>> - using nprobe in collector mode, you have to add -i none and -3 <port>
>>>>>>>> and send Netflow (not raw packets) data to that port
>>>>>>>>
>>>>>>>> Yuri
>>>>>>>>
>>>>>>>> On 25 Aug 2015, at 11:59, asad <[email protected]> wrote:
>>>>>>>>
>>>>>>>> To update,
>>>>>>>>
>>>>>>>> "ntopng /c -i tcp://127.0.0.1:5556"
>>>>>>>>
>>>>>>>> and
>>>>>>>>
>>>>>>>> "nprobe /c --zmq "tcp://*:5556" -u 5 -i none zeus-sample-3.pcap -n
>>>>>>>> none -nf --collector-port 2055:5 -V9 -b 2"
>>>>>>>>
>>>>>>>> both are running but the output is
>>>>>>>>
>>>>>>>> "25/Aug/2015 14:59:54 [nprobe.c:4659] Pending buckets have been exported...
>>>>>>>> 25/Aug/2015 14:59:56 [engine.c:3293] Export thread terminated [exportQueue=0]
>>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:4725] Flushing queued flows...
>>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:4728] Freeing memory...
>>>>>>>> 25/Aug/2015 14:59:56 [plugin.c:277] Terminating plugins.
>>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:4820] Still allocated 0 hash buckets
>>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:2402] Processed packets: 1105 (max bucket search: 0)
>>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:2385] Fragment queue length: 0
>>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:2411] Flow export stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
>>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:2418] Flow collection: [collected pkts: 0][processed flows: 0]
>>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:2421] Flow drop stats: [0 bytes/0 pkts][0 flows]
>>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:2426] Total flow stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
>>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:4833] Cleaning globals
>>>>>>>> 25/Aug/2015 14:59:56 [nprobe.c:4853] nProbe terminated."
>>>>>>>>
>>>>>>>> What am I doing wrong?
>>>>>>>>
>>>>>>>> regards
>>>>>>>> asad
>>>>>>>>
>>>>>>>> On 8/25/15, asad <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I'm running "ntopng" on windows and want to point netflows data
>>>>>>>> directly. I see on "netstat" command that port 2055 is put in
>>>>>>>> established status.
>>>>>>>>
>>>>>>>> Nprobe is also installed. I want to use nprobe to send pcap files to
>>>>>>>> port 2055 for parsing. I see that nprobe changes / re-writes the header
>>>>>>>> info when sending netflows data. Is there any way to avoid it?
>>>>>>>>
>>>>>>>> Also, if I want to use nprobe as a proxy collector, do the cmds work
>>>>>>>> in windows as well? I tried and it gives an error
>>>>>>>>
>>>>>>>> "
>>>>>>>> nprobe --zmq "tcp://*:5556" -i .....
>>>>>>>> ntopng -i "tcp://127.0.0.1:5556"
>>>>>>>> "
>>>>>>>>
>>>>>>>> Thanks.
>>>>>>>> regards
>>>>>>>> asad
>>
>> <scr.PNG>
>
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
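The recurring problem in this thread is nprobe in collector mode (-i none with -3 2055 or --collector-port 2055) reporting "collected pkts: 0", and the open question of whether the ASA's NSEL export is to blame. The script below is an added diagnostic, not part of the thread and not nprobe or ntopng code: it decodes the header of a NetFlow v5, NetFlow v9 or IPFIX datagram so you can tell "nothing reaches the port" apart from "flows arrive but the collector has not yet seen the template they use". NSEL is carried in NetFlow v9 packets, so an ASA export shows up as version 9 with template FlowSets preceding data FlowSets. The sample datagrams are constructed inline, and the listen() helper, which binds the collector port (stop nprobe first, since only one process can own UDP 2055), is an assumption of this example.

```python
# Added diagnostic example, not part of the ntop mailing-list thread and not
# nprobe/ntopng code: decode the header of NetFlow v5 / v9 / IPFIX datagrams
# so you can confirm what (if anything) reaches the collector port.
import socket
import struct

V5_HDR = struct.Struct("!HHIIIIBBH")   # 24 bytes
V9_HDR = struct.Struct("!HHIIII")      # 20 bytes
IPFIX_HDR = struct.Struct("!HHIII")    # 16 bytes
FLOWSET_HDR = struct.Struct("!HH")     # 4 bytes: flowset id, length


def walk_v9_flowsets(body: bytes) -> list:
    """List the FlowSets that follow a v9 header.

    A collector cannot decode a data FlowSet (id >= 256) until it has received
    the template with that id, so a capture showing only data FlowSets at a
    freshly started collector explains "0 processed flows" just as well as
    no traffic at all."""
    out = []
    off = 0
    while off + FLOWSET_HDR.size <= len(body):
        fs_id, fs_len = FLOWSET_HDR.unpack_from(body, off)
        if fs_len < FLOWSET_HDR.size:   # malformed length: stop, never loop forever
            out.append({"id": fs_id, "kind": "malformed", "length": fs_len})
            break
        if fs_id == 0:
            kind = "template"
        elif fs_id == 1:
            kind = "options-template"
        elif fs_id < 256:
            kind = "reserved"
        else:
            kind = "data"
        out.append({"id": fs_id, "kind": kind, "length": fs_len})
        off += fs_len
    return out


def parse_flow_header(datagram: bytes) -> dict:
    """Return the export-format header fields of one UDP datagram."""
    if len(datagram) < 2:
        raise ValueError("datagram too short to carry a version field")
    (version,) = struct.unpack_from("!H", datagram)
    if version == 5:
        if len(datagram) < V5_HDR.size:
            raise ValueError("truncated NetFlow v5 header")
        _, count, uptime, secs, _nsecs, seq, _etype, engine_id, _samp = V5_HDR.unpack_from(datagram)
        return {"version": 5, "count": count, "sys_uptime_ms": uptime,
                "unix_secs": secs, "flow_sequence": seq, "engine_id": engine_id}
    if version == 9:
        if len(datagram) < V9_HDR.size:
            raise ValueError("truncated NetFlow v9 header")
        _, count, uptime, secs, seq, source_id = V9_HDR.unpack_from(datagram)
        return {"version": 9, "count": count, "sys_uptime_ms": uptime,
                "unix_secs": secs, "flow_sequence": seq, "source_id": source_id,
                "flowsets": walk_v9_flowsets(datagram[V9_HDR.size:])}
    if version == 10:
        if len(datagram) < IPFIX_HDR.size:
            raise ValueError("truncated IPFIX header")
        _, length, export_time, seq, domain = IPFIX_HDR.unpack_from(datagram)
        return {"version": 10, "length": length, "export_time": export_time,
                "sequence": seq, "observation_domain": domain}
    # Anything else is not a flow export: typically raw packets or some other
    # protocol was pointed at the port, which a -3 / --collector-port listener
    # will not decode.
    return {"version": version, "note": "not NetFlow v5/v9 or IPFIX"}


def listen(port: int = 2055, max_datagrams: int = 5) -> list:
    """Assumed helper: bind the collector port (stop nprobe first, only one
    process can own it) and return the parsed headers of the next datagrams."""
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("", port))
        while len(seen) < max_datagrams:
            data, (src, sport) = sock.recvfrom(65535)
            hdr = parse_flow_header(data)
            hdr["exporter"] = f"{src}:{sport}"
            print(hdr)
            seen.append(hdr)
    return seen


# Constructed sample datagrams (not captured from a real exporter).
# v9: one template FlowSet defining template 256 with two IPv4 fields, then one
# data FlowSet for template 256 carrying a single 10.0.0.1 -> 10.0.0.2 record.
SAMPLE_V9 = (
    V9_HDR.pack(9, 2, 1000, 1440500000, 1, 0)
    + struct.pack("!HHHHHHHH", 0, 16, 256, 2, 8, 4, 12, 4)
    + struct.pack("!HH4s4s", 256, 12, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
)
# v5: header announcing one record, followed by one zeroed 48-byte record.
SAMPLE_V5 = V5_HDR.pack(5, 1, 1000, 1440500000, 0, 7, 0, 1, 0) + bytes(48)
# Something that is not a flow export at all (starts like an IPv4 header).
SAMPLE_RAW = bytes.fromhex("45000034") + bytes(16)

if __name__ == "__main__":
    for name, dg in (("v9", SAMPLE_V9), ("v5", SAMPLE_V5), ("raw", SAMPLE_RAW)):
        print(name, parse_flow_header(dg))
```

Run it as a script to see the three constructed samples decoded, or call listen() on the collector host while nprobe is stopped: a version 9 header from the ASA's address with template FlowSets confirms the export path, a stream of only data FlowSets means templates have not been seen yet, and no datagrams at all puts the problem upstream of nprobe.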
