Andres,
in the “Recently Active Flows” you will see only nDPI info, so you cannot see 
any Palo Alto info. Instead, if you click on the “Info” button this information 
is reported. As we can hardly provide support over email, if you have an 
issue, please file a bug on https://github.com/ntop/ntopng/issues

Thank you, Luca


> On 08 Aug 2016, at 12:59, Andrés Salesa <andres.sal...@sanlucar.com> wrote:
> 
> Hi,
>  
> I don’t see anything.
>  
> Let me explain:
>  
> I see that if I run nprobe to collect Palo Alto parameters with the following 
> command:
>  
> nprobe --zmq "tcp://*:5556" -V 9 -i none -n none 
> --collector-port 2055 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP 
> %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED 
> %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL %SRC_TOS %SRC_AS %DST_AS 
> %IPV4_SRC_MASK %IPV4_DST_MASK %L7_PROTO %L7_PROTO_NAME %APPLICATION_NAME 
> %USER_NAME"
>  
>  
> In Palo Alto, for the networks that have these fields (%APPLICATION_NAME 
> %USER_NAME), I can see them in nprobe,
>  
> but ntopng does not show them in Recently Active Flows or anywhere else.
>  
> But I could see them in the console if I run (I remove the fields 
> %APPLICATION_NAME %USER_NAME)
>  
>  
> nprobe --zmq "tcp://*:5556" -i none -n none --collector-port 
> 2055 -D b -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP 
> %OUTPUT_SNMP %IN_PKTS %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %L4_SRC_PORT 
> %L4_DST_PORT %TCP_FLAGS %PROTOCOL %SRC_TOS %SRC_AS %DST_AS %IPV4_SRC_MASK 
> %IPV4_DST_MASK %L7_PROTO %L7_PROTO_NAME %USER_NAME %L7_PROTO %L7_PROTO_NAME" 
> -b 2
>  
> or
>  
> nprobe --zmq "tcp://*:5556" -i none -n none --collector-port 
> 2055
>  
> ntopng again shows the information and flows of these networks.
>  
> If I add these fields, the flows that arrive at nprobe with extra information 
> do not appear in ntopng.
>  
>  
> Regards
>  
>  
> Andrés Salesa | Systems Administrator - Information Systems Department
> Phone: +34 96 142 40 40 | Extn.2292
> Mobile: +34 639 475 231 | andres.sal...@sanlucar.com
> SanLucar Fruit S.L.
> Serra Llarga, 24 | 46530 Puzol | Valencia | Spain 
> www.sanlucar.com
> This email and any attached files are confidential and intended solely for 
> the use of the individual or entity to whom they are addressed. If you have 
> received this email by error please notify to off...@sanlucar.com. If you 
> are not the named recipient, you should return this message without reading 
> further and delete it from your system.
>  
> From: ntop-boun...@listgateway.unipi.it 
> [mailto:ntop-boun...@listgateway.unipi.it] On Behalf Of Simone Mainardi
> Sent: Monday, 08 August 2016 12:23
> To: n...@unipi.it
> Subject: Re: [Ntop] %L7_PROTO %L7_PROTO_NAME %APPLICATION_NAME %USER_NAME" 
> Palo Alto - nprobe
>  
> Andrés, 
>  
> Can you confirm that, if you navigate to the "flow info" page, you don't get 
> the information APPLICATION_NAME and USER_NAME? Please, enclose a screenshot. 
> That information should appear in the flow extra fields.
>  
>  
> Simone
>  
> On Fri, Aug 5, 2016 at 8:41 AM, Andrés Salesa <andres.sal...@sanlucar.com> 
> wrote:
> Hi,
>  
> I see that if I run nprobe to collect Palo Alto parameters:
>  
> nprobe --zmq "tcp://*:5556" -V 9 -i none -n none 
> --collector-port 2055 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP 
> %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED 
> %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL %SRC_TOS %SRC_AS %DST_AS 
> %IPV4_SRC_MASK %IPV4_DST_MASK %L7_PROTO %L7_PROTO_NAME %APPLICATION_NAME 
> %USER_NAME"
> 
>  
> In Palo Alto, the flows that have these fields (%APPLICATION_NAME %USER_NAME), 
> ntop does not show them in Recently Active Flows or anywhere else.
> 
> But I could see them in the console:
>  
> If I run
>  
> nprobe --zmq "tcp://*:5556" -i none -n none --collector-port 
> 2055 -D b -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP 
> %OUTPUT_SNMP %IN_PKTS %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %L4_SRC_PORT 
> %L4_DST_PORT %TCP_FLAGS %PROTOCOL %SRC_TOS %SRC_AS %DST_AS %IPV4_SRC_MASK 
> %IPV4_DST_MASK %L7_PROTO %L7_PROTO_NAME %USER_NAME %L7_PROTO %L7_PROTO_NAME" 
> -b 2
>  
> I see all flows.
>  
> When Ntop shows these flows when I run
>  
> nprobe --zmq "tcp://*:5556" -V 9 -i none -n none 
> --collector-port 2055 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP 
> %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED 
> %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL %SRC_TOS %SRC_AS %DST_AS 
> %IPV4_SRC_MASK %IPV4_DST_MASK %L7_PROTO %L7_PROTO_NAME %APPLICATION_NAME 
> %USER_NAME"
>  
> I could confirm whether the flow details have this extra information.
>  
> Regards
>  
>  
> From: ntop-boun...@listgateway.unipi.it 
> [mailto:ntop-boun...@listgateway.unipi.it] On Behalf Of Simone Mainardi
> Sent: Wednesday, 03 August 2016 11:34
> To: n...@unipi.it
> Subject: Re: [Ntop] %L7_PROTO %L7_PROTO_NAME %APPLICATION_NAME %USER_NAME" 
> Palo Alto - nprobe
>  
> Andrés,
>  
> App layer 7 (field "57590") is interpreted, translated in the corresponding 
> application name, and shown by ntopng for each flow. You should be able to 
> see it as a column in the flows list table as well as on every flow details 
> page.
>  
> Palo Alto user-id and application-id are reported -- if present -- in the 
> flow details page. You reach the flow details page by clicking on the 'info' 
> badge of every flow.
>  
> If you still have issues, then please file an issue on GitHub and enclose a 
> pcap of the netflow that includes templates.
>  
>  
>  
> Simone
>  
>  
> On Tue, Aug 2, 2016 at 1:14 PM, Andrés Salesa <andres.sal...@sanlucar.com> 
> wrote:
> Hi,
>  
> I use the option -b 2 and I see that this information arrives.
> You can see it in the attached image.
>  
> Sanlucar\meiyi.hou -> user-id
> Ms-lync-online -> App-id
> App layer 7 -> SSL
>  
> How could I see it in ntopng?
>  
> Regards
>  
> From: ntop-boun...@listgateway.unipi.it 
> [mailto:ntop-boun...@listgateway.unipi.it] On Behalf Of Simone Mainardi
> Sent: Monday, 01 August 2016 21:04
> To: n...@unipi.it
> Cc: ntop@listgateway.unipi.it
> Subject: Re: [Ntop] %L7_PROTO %L7_PROTO_NAME %APPLICATION_NAME %USER_NAME" 
> Palo Alto - nprobe
>  
> Hi,
>  
> I am not sure Palo Alto gives you %L7_PROTO %L7_PROTO_NAME. Those fields 
> are based on the nDPI l7 application detection library. As you are using 
> nProbe to collect flows, protocol detection is guessed based on port numbers, 
> as nprobe (and, thus, nDPI) can't see the real packets.
>  
> Anyway, you should be able to see those fields in ntopng. I don't understand 
> why you enclosed a couple of screenshots, one with flows and the other 
> without flows. Do you mean that flows are missing if you add extra fields in 
> the template?
>  
> I would recommend using the nProbe option -D to export to file and see if you 
> get results.
>  
> [--dump-format|-D] <format>         | <format>: flows are saved as:
>                                     | b       : raw/uncompressed flows
>                                     | B       : raw core flow fields (152 bytes)
>                                     | t       : text flows
>                                     | Example: -D b. Note: this flag has no
>                                     | effect without -P.
>  
> If results are dumped to file, then it may be something related to the zmq 
> communication between ntopng and nprobe. In that case check for firewall 
> configurations that may be preventing the communication. You can also run 
> nprobe behind a firewall with option --zmq-probe-mode.
>  
> If flows are missing when you add extra template fields, then please report 
> the exact fields that cause nprobe to stop reporting flows. Also enclose a 
> pcap of the netflow traffic (with templates) between your Palo Alto and the 
> nprobe.
>  
>  
>  
> Simone
>  
>  
> On Mon, Aug 1, 2016 at 4:06 PM, Andrés Salesa <andres.sal...@sanlucar.com> 
> wrote:
> Hi,
> 
> I’m using the Community license.
> 
> I run this command and it shows information:
> 
> nprobe --zmq "tcp://*:5556" -V 9 -i none -n none 
> --collector-port 2055 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP 
> %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED 
> %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL %SRC_TOS %SRC_AS %DST_AS 
> %IPV4_SRC_MASK %IPV4_DST_MASK"
> 
> I have a Palo Alto firewall and I want to see the fields “MASK %L7_PROTO 
> %L7_PROTO_NAME %APPLICATION_NAME %USER_NAME"
> 
> Palo Alto gives this information but it does not show.
> 
> Palo Alto gives information with Netflow v.9.0
> 
> I tried to use this command to collect it but it does not work:
> 
> nprobe --zmq "tcp://*:5556" -V 9 -i none -n none 
> --collector-port 2055 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP 
> %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED 
> %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL %SRC_TOS %SRC_AS %DST_AS 
> %IPV4_SRC_MASK %IPV4_DST_MASK %L7_PROTO %L7_PROTO_NAME %APPLICATION_NAME 
> %USER_NAME"
> 
> nprobe --zmq "tcp://*:5556" -i none -n none --collector-port 
> 2055 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP 
> %OUTPUT_SNMP %IN_PKTS %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %L4_SRC_PORT 
> %L4_DST_PORT %TCP_FLAGS %PROTOCOL %SRC_TOS %SRC_AS %DST_AS %IPV4_SRC_MASK 
> %IPV4_DST_MASK %L7_PROTO %L7_PROTO_NAME %APPLICATION_NAME %USER_NAME"
> 
> Why does it not show this information?
> 
> Thank you
_______________________________________________
Ntop mailing list
Ntop@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop
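
Simone's replies in this thread ask for a pcap of the NetFlow "that includes templates" and quote field 57590 for the layer-7 application. As an added example (not part of the thread and not ntop code), this Python decoder reads the template flowsets of one NetFlow v9 datagram and reports which templates carry a given field ID; the sample datagram and the template IDs 260 and 261 are constructed.

```python
import struct

L7_PROTO_FIELD = 57590  # field id quoted in the thread for "App layer 7"

def parse_v9_templates(datagram: bytes) -> dict:
    """Map template id -> [(field_type, field_len), ...] for one NetFlow v9 datagram."""
    if len(datagram) < 20:
        raise ValueError("shorter than the 20-byte NetFlow v9 header")
    version = struct.unpack_from("!H", datagram, 0)[0]
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    templates, off = {}, 20
    while off + 4 <= len(datagram):
        fs_id, fs_len = struct.unpack_from("!HH", datagram, off)
        if fs_len < 4 or off + fs_len > len(datagram):
            raise ValueError("flowset length runs past the datagram")
        pos, end = off + 4, off + fs_len
        while fs_id == 0 and pos + 4 <= end:  # flowset id 0 = templates
            tid, nfields = struct.unpack_from("!HH", datagram, pos)
            pos += 4
            if tid < 256:  # template ids start at 256; anything lower is padding
                break
            if pos + 4 * nfields > end:
                raise ValueError("truncated template record")
            templates[tid] = [struct.unpack_from("!HH", datagram, pos + 4 * i)
                              for i in range(nfields)]
            pos += 4 * nfields
        off += fs_len
    return templates

def templates_with_field(templates: dict, field_type: int) -> list:
    """Template ids whose definition includes field_type."""
    return sorted(tid for tid, fields in templates.items()
                  if any(ft == field_type for ft, _ in fields))

def build_sample() -> bytes:
    """Constructed datagram: template 260 carries field 57590, template 261 does not."""
    def record(tid, fields):
        return struct.pack("!HH", tid, len(fields)) + b"".join(
            struct.pack("!HH", t, n) for t, n in fields)
    # 8/12 = IPv4 src/dst address, 7/11 = L4 src/dst port, 4 = protocol
    body = record(260, [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (L7_PROTO_FIELD, 2)])
    body += record(261, [(8, 4), (12, 4)])
    flowset = struct.pack("!HH", 0, 4 + len(body)) + body
    header = struct.pack("!HHIIII", 9, 2, 1000, 1470650000, 1, 0)
    return header + flowset

if __name__ == "__main__":
    found = parse_v9_templates(build_sample())
    print("templates:", sorted(found))
    print("carrying 57590:", templates_with_field(found, L7_PROTO_FIELD))
```

Fed the UDP payloads from a capture of the exporter's traffic, the same functions show whether a template actually declares the fields that are expected to appear in the flow details.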
