Robert Williams
2017-01-26 12:09:44 UTC
Hi,
I’ve just bought a license for nprobe so I can test without the 25k flow limit, the setup is simple:
[Cisco] -> Netflow V9 -> [nprobe] -> zmq -> [ntopng]
The Cisco uses 1 in 20 sampling for Netflow, but I can’t seem to find where to inform nprobe (or ntopng) of this sampling? The result of this is that all data in ntopng is shown as 1/20th of real rates.
One of the other programs we use to analyse Netflow data here has a parameter for it, which is:
netflow_sampling_ratio = 20
So that it knows to 'upscale' the flow data, essentially, I’m just looking for this parameter in nprobe/ntopng.
The only one I found is within nprobe and looks like this:
[--sample-rate|-S] : <pkt rate>:<flow rate>
| Packet capture sampling rate and flow
| sampling rate. If starts with
| '@' it means that nprobe will report
| the specified sampling rate but will
| not sample itself as incoming packets
| are already sampled on the specified
| capture device at the specified rate.
| Default: 1:1 [no sampling]
However – this doesn’t seem to let me configure a sampling rate for flows for ‘reporting only’. Just a sample ratio for mirrored traffic, which of course I’m not using.
Any input welcome - Cheers!
ROBERT WILLIAMS
TECHNICAL DIRECTOR
Custodian Data Centres
Tel: +44 (0) 1622 230382 || E-Mail: mailto:***@CustodianDC.com
http://www.CustodianDC.com
Disclaimer: https://www.CustodianDC.com/email-disclaimer
Registered Office: Vinters Business Park, New Cut Rd, Maidstone, ME14 5NZ.
Company Number: 07878023
I’ve just bought a license for nprobe so I can test without the 25k flow limit, the setup is simple:
[Cisco] -> Netflow V9 -> [nprobe] -> zmq -> [ntopng]
The Cisco uses 1 in 20 sampling for Netflow, but I can’t seem to find where to inform nprobe (or ntopng) of this sampling? The result of this is that all data in ntopng is shown as 1/20th of real rates.
One of the other programs we use to analyse Netflow data here has a parameter for it, which is:
netflow_sampling_ratio = 20
So that it knows to 'upscale' the flow data, essentially, I’m just looking for this parameter in nprobe/ntopng.
The only one I found is within nprobe and looks like this:
[--sample-rate|-S] : <pkt rate>:<flow rate>
| Packet capture sampling rate and flow
| sampling rate. If starts with
| '@' it means that nprobe will report
| the specified sampling rate but will
| not sample itself as incoming packets
| are already sampled on the specified
| capture device at the specified rate.
| Default: 1:1 [no sampling]
However – this doesn’t seem to let me configure a sampling rate for flows for ‘reporting only’. Just a sample ratio for mirrored traffic, which of course I’m not using.
Any input welcome - Cheers!
ROBERT WILLIAMS
TECHNICAL DIRECTOR
Custodian Data Centres
Tel: +44 (0) 1622 230382 || E-Mail: mailto:***@CustodianDC.com
http://www.CustodianDC.com
Disclaimer: https://www.CustodianDC.com/email-disclaimer
Registered Office: Vinters Business Park, New Cut Rd, Maidstone, ME14 5NZ.
Company Number: 07878023