RE: [Ntop] [newbie alert!]Basic setup questions...

Tue, 22 Feb 2005 12:57:56 -0800

See [BMSIII] in-line

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Moore
Sent: Tuesday, February 22, 2005 12:30 PM
To: [email protected]
Subject: RE: [Ntop] [newbie alert!]Basic setup questions...

No need to configure a second NIC as the NetFlow comes in in UDP packets to the interface its addressed to. You can start Ntop to only point at the NetFlow virtual interface if you don't want to sniff on a physical NIC (see back traffic).  
 
[BMSIII] -i none
 
The physical NIC analysis won't do anything with the contents of the NetFlow packets - just count how many come to the interface, time periods, etc - like any other hosts that NIC sees. So you're not seeing the Video Conference stuff on the physical NIC since the Video Conference is not pointed at the Ntop box (making an assumption here....).
 
That being said, you have the first step in troubleshooting right in front of you. Look at your physical NIC's traffic. Do you see the NetFlow coming in? Look for UDP packets from the router to your collector on the port you have configured. Do you see them? Yes? then you need to troubleshoot Ntop. No? Your problem is elsewhere. Check your router config and routing back to the collector.
 
The Virtual interface address should be an address on a network you wish to be seen as "local" by Ntop. 
 
[BMSIII] As it says in docs/FAQ:
 
Q. What's Virtual NetFlow Interface?
A. Be sure and set it.  It's important for pseudo-local classification, which
   affects L R reporting.  You need to set it to the (network) and mask for
   the netFlow collector.  So ntop knows 'where' the data is coming from.
 
Q. 'splain some more, Lucy...
A. OK.
 
   It's best to think of netFlow like this:
 
   The physical interface which is monitoring the packets is like a
   temperature probe you stick into a roast.
 
   Even though the display of the data can be right there at the probe, or
   the other end of a (long) wire, or somewhere entirely elsewhere via a
   wireless connection, the probe is monitoring at the tip.  If it says 145F,
   that's the temperature of the meat - not the oven and not the kitchen.
 
   Similarly, the netFlow data ntop is receiving is based on the probe
   location.
 
   So, if you have a router and are monitoring a single interface to collect
   netFlow data, then the ip address you want to give to ntop is that of
   the router interface.
 
   If you are monitoring a router with more than one interface, you will
   need to give ntop ONE of those addresses and use the -m | --local-subnets
   option to tell it that the other addresses are also local. 
 
Chris 
 
Also, check the stats - in the netFlow plugin configuration page.  The trick?  If there is at least one packet received, you'll get up to 1/2 a page of statistics.  If there's nothing received, no stats... (which is, itself, a big clue).  It's simple - the stats show what came it, why we rejected them and finally how many were processed.  As Chris says, no packets received is usually a router side configuration problem.
 
-----Burton 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wixted, Joe
Sent: Tuesday, February 22, 2005 11:20 AM
To: [email protected]
Subject: [Ntop] [newbie alert!]Basic setup questions...

Please be gentle….  I’ve googled and hovered here for a while, but haven’t seen an answer to my questions.  I’ll be happy to read more, just point me in the proper direction…

 

I’ve got 3.1.1 running on a Windows 2003 server (no *nix here).  I’ve got my Cisco 2600 router configured to send netflow traffic to this box.  Ntop appears to be listening to the correct port (netstat –an shows listening on that port), and I’ve configured the netflow plugin to listen on that port.  When I switch nics, and have netflow use the new netflow nic, I don’t get any traffic.  If I switch back to the real nic, I get lots of traffic, but I don’t see the traffic I’m looking for.

 

I’d like to see the traffic generated by our video conference equipment.  Using SNMPTrafficGrapher, I can see the spikes in traffic when the VC equipment is in use, but ntop doesn’t seem to pick up on it (ports 1718, 1719 and 1720, I believe)…

 

Also, when configuring the netflow device, the “virtual netflow interface network address” – should this be the IP address of the nic?  Or should I use a second physical nic in the box to collect netflow data?

 

Joe Wixted MCSE, MCP+I

Manager, Publishing Business Systems

Our Sunday Visitor, Inc.

 



**********************************************************************
Confidential/Proprietary Note

The information in this email is confidential and may be legally privileged. Access to this email by anyone other than the intended addressee is unauthorized. If you are not the intended recipient of this message, any review, disclosure, copying, distribution, retention, or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you are not the intended recipient, please reply to or forward a copy of this message to the sender and delete the message, any attachments, and any copies thereof from your system. Thank you.
Guardian Mortgage Documents, Inc.
225 Union Boulevard, Suite 200
Lakewood, CO 80228.
**********************************************************************
 
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop

Reply via email to