Hi Simone,

Thanks for the help, it appears using nprobe on the rpi has given us correct results.

We did notice that if using a symbol ($) in the password for --zmq-encrypt-pwd it would cause it to crash and report that it wasn't able to decrypt correctly. Is using a symbol in the password not allowed?

With the demo mode of nprobe is the only limitation apart from no plugins that it has a 25000 flow export limit? If so is this limit for every time we run nprobe or is it accumulative across multiple runs of nprobe?

Is there any issue running nprobe in demo mode to achieve what we need?


Thanks,
CTSG


Quoting Simone Mainardi <maina...@ntop.org>:

Hi, see below

On Sat, Jul 30, 2016 at 3:46 PM, <questi...@ctsg.com.au> wrote:

Hi Simone,

We've tried running the raspberry pi "offsite" (on a different network
range) to see if the results retrieved to the windows laptop would be more
accurate but they weren't. Please see the screenshots below:

Raspberry Pi Terminal and Web interface (monitoring bridged network
traffic):
https://www.dropbox.com/s/dd8f20q04y8krfv/raspberry_pi.jpg?dl=0

Windows Laptop retrieving data from raspberry pi outside/offsite of
network:
https://www.dropbox.com/s/zcjubx65m43bqxz/windows_laptop.jpg?dl=0


Can you try and use the nProbe on the rpi in this second case? You don't
have to buy the license, you can try it in demo mode. Please compare the
results and explain if you see differences. Also, remember -- I quote --

Note that you should expect some delay on the windows ntopng as flows are
exported once expired. This is natural and part of the design.






Note that we have tried with and without the -m command for the windows
laptop, we get the same output. Notice how it's not showing the 16.78 Mbit
download traffic. Also not showing server/client breakdown just client.
Plus other data not shown either.

What do we need to do to get the same information as the raspberry pi on
the windows laptop that's offsite.

We also found that on the windows laptop when using --zmq-encrypt-pwd at
the same time as the raspberry pi to encrypt the traffic it would cause the
ntopng process to crash on the windows laptop, is there a way to fix this?


zmq encryption is only supported by ntopng when receiving flows from the
nprobe, not when exporting them.



Thanks for the help.


CTSG



Quoting Simone Mainardi <maina...@ntop.org>:

Hi, see below

On Wed, Jul 27, 2016 at 4:04 PM, <questi...@ctsg.com.au> wrote:

Hi Simone,

We've been able to get ntopng to work by bridging the two ethernet
interfaces using the raspbian operating system instead of through ntopng.

We're able to get the correct data by running the following command line:

ntopng -i br0 -m "192.168.99.0/24"

We're now trying to get ntopng on the raspberry pi to send the data to an
offsite pc running ntopng as well (currently we're testing this locally
between a raspberry pi and a windows laptop).

It appears we're able to get them to talk to each other but the data shown
on the windows laptop (receiver) is not showing all data while the
raspberry pi appears to be showing all data. It also takes a while to
update.

The command we're running on the raspberry pi is:

ntopng -i br0 -m "192.168.99.0/24" -I tcp://*3456 --zmq-encrypt-pwd TestPass

On the windows laptop the command we're running is:

ntopng /c -i tcp://<local address of raspberry pi>:3456 --zmq-encrypt-pwd TestPass

Are these the correct commands to run so that the windows laptop receives
the data from the raspberry pi so that we can setup the raspberry pi onsite
and view the data via our windows laptop (keep in mind we would adjust the
address of the raspberry pi to the wan address of the site it's at when
onsite)?


Commands look correct. Also see this tutorial post:

http://www.ntop.org/ntopng/creating-a-hierarchical-cluster-of-ntopng-instances/

Note that you should expect some delay on the windows ntopng as flows are
exported once expired. This is natural and part of the design.




If not can you provide the correct full command line to achieve this for
both the windows laptop and raspberry pi?

We also noticed that while running it like this the windows laptop console
reports "Collecting flows on tcp://<local address of raspberry pi>:3456
[ntopng->nprobe]". Does this mean it's expecting an nprobe on the raspberry
pi or is this information incorrect?


this is normal you don't have to worry



It is possible to pull data from an offsite ntopng to a local ntopng, no
nprobes needed?


yes you already did that



Is it possible to adjust how often the offsite ntopng updates its
information to our ntopng install?


You don't have to tune this. Delays experienced are due to the fact that
flows are exported once expired.




Thanks for the assistance.


CTSG



Quoting Simone Mainardi <maina...@ntop.org>:

Hi,


On Mon, Jul 25, 2016 at 2:55 PM, <questi...@ctsg.com.au> wrote:


Hi Simone,

-Would the PI3 be OK for a full 24mbps ADSL2+ connection if placed
between the modem and the first switch in series at full speed?


I would say yes although I recommend you to do some testing.



-I understand the PI3 would work using mirror port on the switch, but for
customers without a managed switch what steps, if any, are required to make
the PI3 work in series like the EdgeRouter. I would add 2x ethernet
adapters. 1 for modem, 1 for switch and 1 for management if required and
any config steps?


in that case, I would set the rpi with a bridge interface
-i<modem>,<switch> so that you can intercept all internet traffic and use
the management interface to control the rpi



-I plan on using only ntopng at all sites using PI3s with a licensed
version at our office with individual adapters configured for each off-site
ntopng.

-I'm hoping the PI3 in series will not slow down connections up above
100mbps? In which case it would be future proof for our upcoming national
internet connections upgrades and could be used in series between the modem
and the switch. I guess the only way to achieve this, if a slow down is
present is using a managed switch and mirror port.

-If a slow down is present as above, and the PI3 is used via a mirror port
and not in series, does it provide a full ntopng experience or are the flow
etc limited?


if ntopng is used in passive mode, that is, it receives traffic from a
mirror port, then it won't affect network performance at all.



-I notice the command for the PI3 starts nprobe also. I will be trying to
use ntopng on the PI3 without nprobe if possible. Is the paid nprobe
required for the ability to use the PI3 in series between the modem and the
switch?


no it is not required, you can just use ntopng.



Thank you!


CTSG



Quoting Simone Mainardi <maina...@ntop.org>:

Hi,



On Sat, Jul 23, 2016 at 4:10 PM, <questi...@ctsg.com.au> wrote:

Thank you very much Simone,


Currently we are not using nProbe and did not see any SMB traffic. I will
test this again on Monday but we have the ntopng installed on a 20+ PC
network and did not see any SMB traffic.

OK Thank you 1 license move is allowed. We better confirm the hardware we
would like to use as the server before purchasing.

Our Goal is:

We run a small business IT support company. I would like to put remote
probes at approx 5 to 10 customer locations to monitor their network as
they are often limited to 6 to 10mbps internet connections. We are looking
to monitor high bandwidth users.

-If ntopng is used at remote locations does it support encryption of the
data like nprobe?


yes, see option

--zmq-encrypt-pwd <pwd>             | Encrypt the ZMQ data using the specified password



-Would you recommend a pi3, UBNT EdgeRouter or a PC to be used for the
remote probes to provide a good full speed service?


for 6-10Mbps all the options are good.



-I am assuming the EdgeRouter does not need a switch with a mirror port
and would act in series between the modem and the first switch?


correct, this is a common way to place the edge router. In this way you
will be able to catch all the traffic from (and to) the internet. Other
additional setups are possible using the same edge router.

Note that only nprobe is presently available for the edgerouters.


Does the Pi3 with extra Ethernet adapters act the same or do they require
a mirror port attached?


You should be able to use the rpi3 as if it was an edgerouter provided you
add an extra ethernet adapter.



-When using a pi3 or UBNT EdgeRouter do they slow the network down?


Typically no. Clearly this depends on the traffic. For 6-10Mbps no slow
down will be perceived.



-If ntopng does support encryption and we are not needing flow data, do we
use the community version on all of the remote sites and collect this data
with a licensed version at our office? Or when using ntopng at remote sites
instead of the nprobe is a license required?


you may want to use a licensed version of ntopng at your office to have
extra features such as reporting and a realtime dashboard. However this is
not strictly necessary and you can implement your solution using just
community versions.



I like the software and the output so I am just trying to sort out which
versions are best used and the hardware required.

Once I have the remote sites planned and hardware selected what email
should I use to discuss license orders?



you can use the contact form on the ntopng website. Your email will be
routed properly.




Thank you

CTSG


Quoting Simone Mainardi <maina...@ntop.org>:

Hi, see below inserted reply


On Fri, Jul 22, 2016 at 5:30 AM, <questi...@ctsg.com.au> wrote:

Hi Simone,


Thank you again for your time.

We have defined the local network and also the correct adapter on the
service. We now have usable current data. Though we do notice ntop does not
seem to be capturing any local SMB traffic. So if we copy a large file from
1 PC to another on the same subnet it doesn't seem to show anywhere in
ntop. I see an old reference to IP Mon section with local to local traffics
in help guides but I cannot find any such data when making the file copy.
Also no flows or devices represent the amount of data or speed we are
transferring.


If you are using ntopng in combination with nProbe, then this is normal.
File transfers are typically long flows and nProbe will wait for flow
completion before reporting that data to ntopng. You can tune nProbe export
frequency using:

[--lifetime-timeout|-t] <timeout>   | It specifies the maximum (seconds) flow
                                    | lifetime [default=120]
[--idle-timeout|-d] <timeout>       | It specifies the maximum (seconds) flow
                                    | idle lifetime [default=30]



Small Business License: From looking it appears this is tied to the
hardware? If we change the PC running ntop do we need to purchase another
license? or just request a new key?


license is tied to the hardware. We may allow up to one hardware switch per
license but this has to be decided on a case-by-case basis.



We want to use ntop on a cheap laptop for now until looking at embedded
style devices.


that's fine. Did you know you can also run ntopng on embedded devices such
as ARM (raspberry pi), MIPSEL, etc.?



Thank you



CTSG



Quoting Simone Mainardi <maina...@ntop.org>:

Hi, see below


On Thu, Jul 21, 2016 at 1:42 AM, <questi...@ctsg.com.au> wrote:


Hi Simone,


Thank you for your time.


Thank you. We would like the best possible data from the capture so we
should at least check the outcome using nProbe.

We are using version 2.4.270616

I had a look through the interface to see if any configuration needed to
be pointed to local network. Can you advise what config you were referring
to please?


see option -m




If we would like to try nProbe using a Windows PC could you please provide
the install commands to get both services talking on the same required port
etc.


here is a good example

http://www.ntop.org/ntopng/creating-a-hierarchical-cluster-of-ntopng-instances/

there are just a few small differences in the way you execute the command on
windows. This is documented in the manual.


Will only mainly be used off mirror ports on a single subnet with both
probe and ntopng on the same host. Rarely will we be looking at anything
more than a single switch and network when using ntopng.

Thank you again

CTSG





Quoting Simone Mainardi <maina...@ntop.org>:

Hi, please see below


On Wed, Jul 20, 2016 at 7:05 AM, <questi...@ctsg.com.au> wrote:


Hi All,


We would like to use ntopng installed on a windows laptop connected to a
mirror port on a network switch to monitor and report on network traffic to
determine issues across the network.

Using ntopng connected to a switch port with mirror configured; is nProbe
required?


it is not strictly necessary in your case. Provided that you don't need
deep packet dissection features (e.g., to dissect DNS, BGP, VoIP, etc),
then ntopng may suffice.


We appear to still get some flows shown in ntopng with nprobe removed but
I'm not positive the flow data is complete. Also I notice the interface
total bandwidth graph at the bottom of the pages is not displaying any
data.


- update ntopng to version >= 2.4

- make sure to define local networks in the configuration



Could someone please let us know the basic setup for a >Smart Switch>?nprobe?>ntopng>Windows laptop.


if you are mirroring a switch port, then nprobe is not strictly necessary
provided that you don't need information extracted by nprobe plugins
http://www.ntop.org/products/netflow/nprobe/



Is nProbe only required when trying to source data from a netflow or sflow
compatible router device?


this is just one case. nprobe is required also for deep traffic dissection
features. It is also useful to decouple monitoring from visualization. For
example, you can deploy multiple nprobes on the vantage points of your
network and collect their results on a remote ntopng.



Knowing the above intended use what would be the best install command for
either service please?




Thank you



CTSG




_______________________________________________
Ntop mailing list
Ntop@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop
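
The decrypt failure reported at the top of the thread with a `$` in the `--zmq-encrypt-pwd` value is never diagnosed on the list. One possible cause, assumed here and not confirmed by ntop, is that a POSIX shell on the Raspberry Pi expands `$...` before the program sees the password, so the two ends hold different secrets. An added example, not from the thread (`Test$Pass` is a constructed password and the helper names are hypothetical):

```shell
# Constructed sample password containing '$'; not a value from the thread.
# Single quotes keep it literal in this assignment.
INTENDED='Test$Pass'

# Return the argument exactly as a program would receive it in argv[1].
as_received() { printf '%s' "$1"; }

# Keep the demo deterministic: make sure $Pass is not set in this shell.
unset Pass

# Four ways of typing the same password on a POSIX shell command line.
unquoted=$(as_received Test$Pass)         # $Pass expanded: program gets "Test"
double_quoted=$(as_received "Test$Pass")  # still expanded: program gets "Test"
single_quoted=$(as_received 'Test$Pass')  # literal: program gets Test$Pass
escaped=$(as_received Test\$Pass)         # literal: program gets Test$Pass

# Compare what one end received with the secret the other end holds.
check_pwd() {
    if [ "$1" = "$INTENDED" ]; then echo match; else echo MISMATCH; fi
}

# Produce a form of any password that is safe to paste into a POSIX shell:
# wrap it in single quotes and rewrite each embedded ' as '\''.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

for form in "$unquoted" "$double_quoted" "$single_quoted" "$escaped"; do
    printf '%-12s %s\n' "[$form]" "$(check_pwd "$form")"
done
printf 'paste-safe form: %s\n' "$(shell_quote "$INTENDED")"
```

Windows `cmd.exe` does not treat `$` as special, so under this assumption only the end started from a POSIX shell would hold the shortened secret.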



