Cédric, Currently, we don't handle that for IPFIX. We handle multiple rates only for sFlow as the actual sampling rate is carried right into in the packets. If you need this feature for IPFIX, please file an issue on our nProbe GitHub issue tracker and we'll see if we can accomodate it.
Simone > On 24 Oct 2018, at 16:12, BASSAGET Cédric <cedric.bassaget...@gmail.com> > wrote: > > Hello Simone, > If I have multiple exporters which send flows with different sampling rates > to ZMQ nprobe, do I have a solution ? > Regards > > Le lun. 22 oct. 2018 à 12:53, Simone Mainardi <maina...@ntop.org > <mailto:maina...@ntop.org>> a écrit : > Cédric, > > You mentioned the exporter is doing 1:10 sampling. I am assuming you are > talking about the flow collection sampling rate. So I think you have to use > option -S in nProbe to upscale the incoming traffic. > > -S <pkt rate>:<flow collection rate>:<flow export rate> > > In your case: > > -S 1:10:1 > > Have a look at > https://www.ntop.org/guides/nProbe/cli_options.html?highlight=sampling > <https://www.ntop.org/guides/nProbe/cli_options.html?highlight=sampling> for > a detailed description. > > > Simone > > > > >> On 15 Oct 2018, at 11:47, BASSAGET Cédric <cedric.bassaget...@gmail.com >> <mailto:cedric.bassaget...@gmail.com>> wrote: >> >> Hi Simone, >> >> >> Le ven. 12 oct. 2018 à 19:19, Simone Mainardi <maina...@ntop.org >> <mailto:maina...@ntop.org>> a écrit : >> Hello, >> >>> On 12 Oct 2018, at 10:52, BASSAGET Cédric <cedric.bassaget...@gmail.com >>> <mailto:cedric.bassaget...@gmail.com>> wrote: >>> >>> Hello, >>> I'm trying to make nprobe work with IPFIX and ntopng, but data displayed by >>> ntopng is inconsistent. >>> >>> Here's the path my netflow packets take : >>> router -> nprobe:6345 -> ntopNG:6445. >>> (nprobe and ntopng services are on the same host.) >>> >>> nprobe runs with : (cat /etc/nprobe/nprobe.conf) >>> -i=any >> >> set to >> >> -i=none >> >>> -n=none >>> --collector-port=6345 >>> --zmq tcp://*:6445 <>%EXPORTER_IPV4_ADDRESS >>> -T "@NTOPNG@" >> >> exporter ipv4 address must go into the template:: >> >> -T "@NTOPNG@ %EXPORTER_IPV4_ADDRESS" >> @NTOPNG@ already includes %EXPORTER_IPV4_ADDRESS >> >>> >>> >>> ntopng runs with : (cat /etc/ntopng/ntopng.conf) >>> -i="tcp://127.0.0.1:6445 <http://127.0.0.1:6445/>" >>> -m=<my local subnet> >>> -F="mysql;/var/run/mysqld/mysqld.sock;ntopng;flows-%Y.%m.%d;ntopng;ntopng" >> >> -F contains duplicated conf. Check that. >> from man page : >> Example -F "mysql;localhost;ntopng;flows-%Y.%m.%d;root;". >> >> as the last "ntopng" is my password, I do not see what is duplicated. >> >> >>> >>> I have two hosts sending netflow to nprobe. I don't see two interfaces in >>> ntopng. any reason why ? >> >> Visit ntopng preferences, enable interfaces disaggregation on the basis of >> the probe ip, and then restart ntopng >> Done, works fine. >> >>> Trafic one one of the hosts which sends netflow to nprobe is always >>> >100mb/s. In ntopng graphs, I do not see this value. It moves between 1 and >>> 10mb/s. why ? >> >> see this explanation: >> https://github.com/ntop/ntopng/issues/1359#issuecomment-320949928 >> <https://github.com/ntop/ntopng/issues/1359#issuecomment-320949928> >> I don't think it's related to this, as the host which sends netflows is a >> BGP router and handles a lot of trafic from different sources. TCP sessions >> may be relatively short. >> >> I'm still seeing a difference between real trafic on my bgp router and data >> gathered by nprobe from netflows. My netflow exporter has a samplign rate >> defined to 10, so has my ntopng interface. >> Running iftoip and other monitoring tools always shows more than 100mb/s RX. >> Graph at the bottom of ntopng page shows completely different values (often >> around 10Mb/s) >> Historical page of interface shows a max value of 54Mb/s but my max value on >> host is around 270Mb/s... >> >> My exporter is pmacct, how to check if it sends cumulative counters or not ? >> Regards, >> Cédric >> >> >> Regards, >> Simone >> >>> >>> I'm running ntop/nprobe from ntop debian repositories, latest version >>> (upgraded this morning). >>> >>> Regards >>> Cédriic >>> _______________________________________________ >>> Ntop mailing list >>> Ntop@listgateway.unipi.it <mailto:Ntop@listgateway.unipi.it> >>> http://listgateway.unipi.it/mailman/listinfo/ntop >>> <http://listgateway.unipi.it/mailman/listinfo/ntop> >> _______________________________________________ >> Ntop mailing list >> Ntop@listgateway.unipi.it <mailto:Ntop@listgateway.unipi.it> >> http://listgateway.unipi.it/mailman/listinfo/ntop >> <http://listgateway.unipi.it/mailman/listinfo/ntop>_______________________________________________ >> Ntop mailing list >> Ntop@listgateway.unipi.it <mailto:Ntop@listgateway.unipi.it> >> http://listgateway.unipi.it/mailman/listinfo/ntop >> <http://listgateway.unipi.it/mailman/listinfo/ntop> > _______________________________________________ > Ntop mailing list > Ntop@listgateway.unipi.it <mailto:Ntop@listgateway.unipi.it> > http://listgateway.unipi.it/mailman/listinfo/ntop > <http://listgateway.unipi.it/mailman/listinfo/ntop>_______________________________________________ > Ntop mailing list > Ntop@listgateway.unipi.it > http://listgateway.unipi.it/mailman/listinfo/ntop
_______________________________________________ Ntop mailing list Ntop@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop
