Discussion:
[Ntop] Cento: (1) How to set interface IDs and (2) duplicate source/destination IPs
Jesse Alexander
2017-02-10 13:08:15 UTC
First issue:
We are using cento to send netflow to multiple collectors for analysis. The nbox server has 4 pairs of TAP interfaces (8 NICs). We are sending as version 5 netflow, which has a field for the interface.

Bytes 12-13, and 14-15 in the flow record
12-13 | input | SNMP index of input interface
14-15 | output | SNMP index of output interface
All of the flow packets are coming through with either "1" or "2" for those values, which is causing problems with our Kentik service and an internal collector.

It appears this has been brought up before, but there isn't a solution mentioned.
http://www.ntop.org/support/faq/how-do-i-set-the-input-and-output-interface-id/

How do we get cento to correctly report the interface ID?

Second issue.
We are seeing tcp traffic reported by cento sourcing and destined to the same IP, which is not physically possible. src_ip = dst_ip = same IP

Any ideas how to prevent this?
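A collector-side check for the two symptoms described in this post, added here as an example and not part of the original thread: it decodes a NetFlow v5 datagram, reads the input/output SNMP indexes at record bytes 12-13 and 14-15, and flags records whose source and destination addresses are equal. The function names, the expected index set {5, 6} and the sample datagram (documentation-range addresses) are constructed for illustration.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Return a list of dicts, one per flow record in a NetFlow v5 datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("header count exceeds datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "input": f[3], "output": f[4],     # record bytes 12-13 and 14-15
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return flows

def audit(flows, expected_ifindexes):
    """Report records with unexpected interface indexes or src == dst."""
    findings = []
    for n, fl in enumerate(flows):
        if fl["input"] not in expected_ifindexes or fl["output"] not in expected_ifindexes:
            findings.append((n, "unexpected-ifindex", fl["input"], fl["output"]))
        if fl["src"] == fl["dst"]:
            findings.append((n, "src-equals-dst", fl["src"], fl["dst"]))
    return findings

def build_sample():
    """Constructed datagram: two records, documentation-range addresses."""
    def rec(src, dst, i, o):
        return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                           i, o, 10, 840, 0, 1000, 40000, 443, 0, 0x18, 6, 0,
                           0, 0, 24, 24, 0)
    header = HEADER.pack(5, 2, 0, 1486732095, 0, 1, 0, 0, 0)
    return header + rec("192.0.2.10", "198.51.100.7", 1, 2) \
                  + rec("192.0.2.10", "192.0.2.10", 5, 6)

if __name__ == "__main__":
    for finding in audit(parse_v5(build_sample()), expected_ifindexes={5, 6}):
        print(finding)
```

Feeding it datagrams captured on the collector's UDP port shows whether the exporter or the collector is responsible for the index values seen downstream.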
Matěj Grégr
2017-11-18 20:21:59 UTC
Hello,
Hi Jesse
please see below
In the current cento (devel) you can do
--iface-id <in>:<out> | Set input/output interfaceId
in exported flows
where
- interface indexes and (router) MAC/IP addresses
Flag --iface-id is used to specify the SNMP interface identifiers
for emitted flows.
However using --if-networks it is possible to specify an interface
identifier to which
by a comma (,).
the networks
specified using the above format.
It doesn't work for me. I have the same issue as Jesse - all flows from
cento are exported with if interface 1, out interface 2.

I mirror traffic from router to the following two interfaces on cento box:

3: fge1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq
state UP mode DEFAULT qlen 1000
link/ether 68:05:ca:34:89:c0 brd ff:ff:ff:ff:ff:ff
5: fge2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq
state UP mode DEFAULT qlen 1000
link/ether 68:05:ca:34:89:c1 brd ff:ff:ff:ff:ff:ff

I tried to set the interface indexes to 5 and 6 using:
--if-networks "68:05:ca:34:89:***@5,68:05:ca:34:89:***@6"

However, I still see only 1 for incoming and 2 for outgoing index in
flow data:

Flow Record:
Flags = 0x00 FLOW, Unsampled
<snip>
input = 1
output = 2

Running cento --version
v.1.3.171116

Any idea what I am doing wrong?

Thanks,
Matej
Matěj Grégr
2017-11-20 16:21:39 UTC
Hello Luca,
I tried to use the following cento.conf:

# cat /etc/cento/cento.conf
-p=/var/run/cento.pid
-t=30
-d=20
-9=x.x.x.x:9998
-i=fge1
-i=fge2
-g=0,1
-G=2,3
-D=0
--syslog=cento
-b
--if-networks=68:05:CA:34:89:***@5,68:05:CA:34:89:***@6

M.
Matej,
can you please share the flow command line you are using?
Luca
_______________________________________________
Ntop mailing list
http://listgateway.unipi.it/mailman/listinfo/ntop
Matěj Grégr
2017-11-23 20:42:50 UTC
Hello Luca,
hm, I don't see any difference. I tried to run cento from command line
using the following command:

cento -p /var/run/cento-fge1.pid -t 30 -d 20 -9 x.x.x.x:9999 -i fge1
--syslog cento -D 0 --if-networks 68:05:CA:34:89:***@5,68:05:CA:34:89:***@6

fge1 driver has MAC 68:05:ca:34:89:c0, thus it should be set to 5.
However, I still see input and output interface set to 1 and 2.

Tried also with --if-networks @cento-networks
# cat cento-networks
68:05:CA:34:89:***@5

But without success.

M.
Hi Matěj,
please change
D=0
--syslog=cento
-b *<=== REMOVE*
(remove -b)
and it will work
Regards Luca
Matěj Grégr
2017-12-01 09:55:24 UTC
Hi Luca,
it's mirrored traffic. Does --if-networks option apply only for
traffic originated/received by the machine?

M.
Matěj,
the problem of -b is that the rest of the CLI was not parsed.
What type of traffic did you attach to fge1? Is traffic
originated/received by the machine or is traffic mirrored to it? Can you
please check this?
Thanks Luca
 
Matěj Grégr
2017-12-01 17:51:48 UTC
Hi Luca,
ok, thanks. I totally misunderstood the option then. --iface-id is
maybe more suitable for my needs. However, I probably have to split
cento into two instances, as I don't see how I could specify iface-id if
I run only one instance of cento, e.g. cento -i fge1 -i fge2. But I think
that cento -i fge1 --iface-id 5:7 and cento -i fge2 --iface-id 6:7 will
work.

M.
Matej
it applies to the MAC address of the packets received by cento, not to the MAC of the NIC receiving them
Luca