[Ntop] Some questions
Polossat, Arnaud [FR]
2018-09-12 13:48:50 UTC

I would like to set up Ntopng as a NetFlow collector to monitor a network of virtual machines. I used VirtualBox to create the network (see enclosed image "Network.png"). My goal is to display NetFlow data relative to the flows passing through a Cisco CSR1000v virtual router. I have installed Ntopng in a CentOS 7 VM in Community mode. The load generators are used to simulate traffic through the CSR with Iperf.

The Flexible NetFlow configuration in the CSR is as follows:
! Flow record: "match" fields are flow keys, "collect" fields are non-key values
flow record netflow-record
 collect application name
 collect connection initiator
 collect connection client counter bytes network long
 collect connection client counter packets long
 collect connection client ipv4 address
 collect connection client transport port
 collect connection server counter bytes network long
 collect connection server counter packets long
 collect connection server ipv4 address
 collect connection server transport port
 collect counter bytes long
 collect counter bytes layer2 long
 collect counter packets long
 collect datalink source-vlan-id
 collect datalink destination-vlan-id
 collect datalink mac source address input
 collect datalink mac source address output
 collect datalink mac destination address input
 collect datalink mac destination address output
 match flow direction
 match interface input
 match interface output
 match ipv4 source address
 collect ipv4 source mask
 collect ipv4 source prefix
 match ipv4 destination address
 collect ipv4 destination mask
 collect ipv4 destination prefix
 match ipv4 protocol
 collect timestamp absolute first
 collect timestamp absolute last
 match transport source-port
 match transport destination-port
 collect transport tcp source-port
 collect transport tcp destination-port
 collect transport udp source-port
 collect transport udp destination-port
!
! Exporter: NetFlow over UDP to the port the collector (nProbe, -3 2055) listens on
flow exporter ntopng
 source GigabitEthernet 1
 transport udp 2055
!
! Monitor: ties the record and the exporter together; cache timeouts are in seconds
flow monitor netflow-monitor
 exporter ntopng
 record netflow-record
 cache timeout active 30
 cache timeout inactive 10
!
! Apply the monitor to ingress traffic on both interfaces
interface GigabitEthernet 1
 ip flow monitor netflow-monitor input
!
interface GigabitEthernet 2
 ip flow monitor netflow-monitor input

To collect NetFlow data, the configuration of nProbe in /etc/nprobe/nprobe.conf is the following:
# no packet capture interface: nProbe only collects flows
-i none
# no NetFlow re-export
-n none
# listen for NetFlow/IPFIX on UDP 2055 (the port the CSR exporter sends to)
-3 2055
# hand the collected flows to ntopng over ZMQ
--zmq "tcp://*:5556"

That of Ntopng in /etc/ntopng/ntopng.conf is:
-m ","

With these configurations, I get some NetFlow data in Ntopng. The Timeseries graphs work fine and I can see the number of bits/s correctly for the Hosts, Networks and the tcp:// interface. But I would rather plot data every minute than with a 5-minute interval. Is it possible?

My main problem is that I don't manage to see data relative to packets, ports and protocols for the hosts:

- I can sometimes see the client ports of the Iperf traffic (see enclosed image "Client ports.png") for about 2s. But most of the time, information disappears for minutes and only "100% Other" is displayed for Client and Server ports (see enclosed image "Ports.png"), as if NetFlow collected data is rarely understood by Ntopng.

- The data relative to protocols is never processed by Ntopng, the legends "Other", "Unknown", "Unrated" or "Unspecified" are displayed (see enclosed image "Protocol overviews.png"). The same problem appears for the section Protocols of the tcp:// interface.

- I cannot see data in the Packets section at all, the Sent and Received distributions are always empty (see enclosed image "Packets.png")

Could you explain to me what I should do to solve these issues please?

Moreover, I would like to have the NetFlow data in Grafana by means of its Ntopng plugin.
Referring to the Grafana plugin presentation, I would be able to plot:
Interface Metrics:

- Traffic rates, in bits and packets per second

- Traffic totals, both in Bytes and packets

- Application protocol rates, in bits per second
Host Metrics:

- Traffic rate in bits per second

- Traffic total in Bytes

- Application protocol rates in bits per second.

However, I currently manage to visualize only Traffic rate in bits per second for the hosts (host_10.0.0.1_interface_tcp:// and host_10.0.0.5_interface_tcp://).
For host_10.0.0.X_interface_tcp://, the graph displays "Data points outside time range".
For host_10.0.0.X_interface_tcp:// and host_10.0.0.X_interface_tcp://, the graphs display "No data points".

Besides, no interface metric is available.
Do these issues come from Ntopng or Grafana? And how can they be solved please?

Thank you very much in advance for answering my questions.

Best regards,

Airbus Defence and Space
1, Bvd Jean Moulin, CS 40001
78 996 Elancourt Cedex, France
E-mail: ***@fr.airbus.com
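
One thing worth checking when a NetFlow v9 collector charts bytes for a flow but not its ports or protocol is whether the exporter's templates actually reach the collector. In NetFlow v9 (RFC 3954) a data record is just a byte string whose layout is given by a separate template FlowSet; until the collector has seen the template for that (source ID, template ID) pair, nothing in the record can be interpreted. The decoder below is an added example written for this thread, not code from the original post, from nProbe or from ntop. It feeds itself three constructed packets in the order a router can emit them (data before template, then the template, then more data) and shows that the first record is held back rather than decoded. The field IDs, the template ID 256 and the 10.0.0.x hosts are assumptions for the demonstration; the packet and FlowSet framing follows RFC 3954.

```python
"""Minimal NetFlow v9 decoder (added example; not from the original post or from ntop).

Constructed packets are fed in the order an exporter may emit them: a data FlowSet
that arrives before its template, then the template, then more data. A record whose
template is unknown is held back and decoded once the template arrives; until then
its ports and protocol are unknowable to any collector.
"""
import struct
from collections import defaultdict

# Field type IDs from RFC 3954 (only the ones this example uses).
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
    8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
}
TEMPLATE_ID = 256  # data FlowSet IDs start at 256; the value itself is an assumption
FIELDS = [(8, 4), (12, 4), (4, 1), (7, 2), (11, 2), (1, 4), (2, 4)]  # (type, length)


def v9_header(count, seq, source_id=0, uptime=0, unix_secs=0):
    return struct.pack("!HHIIII", 9, count, uptime, unix_secs, seq, source_id)


def template_flowset(template_id, fields):
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, n) for t, n in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body  # FlowSet ID 0 = template


def data_flowset(template_id, records):
    body = b"".join(records)
    pad = (-len(body)) % 4  # FlowSets are padded to a 32-bit boundary
    return struct.pack("!HH", template_id, 4 + len(body) + pad) + body + b"\x00" * pad


def record(src, dst, proto, sport, dport, nbytes, npkts):
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return ip(src) + ip(dst) + struct.pack("!BHHII", proto, sport, dport, nbytes, npkts)


class V9Collector:
    def __init__(self):
        self.templates = {}               # (source_id, template_id) -> field list
        self.pending = defaultdict(list)  # data FlowSets seen before their template
        self.flows = []

    def feed(self, packet):
        version, _cnt, _up, _secs, seq, source_id = struct.unpack_from("!HHIIII", packet, 0)
        if version != 9:
            raise ValueError(f"not NetFlow v9 (version={version})")
        off = 20
        while off + 4 <= len(packet):
            fs_id, fs_len = struct.unpack_from("!HH", packet, off)
            if fs_len < 4:
                raise ValueError("malformed FlowSet length")
            body = packet[off + 4:off + fs_len]
            if fs_id == 0:
                self._templates(source_id, body)
            elif fs_id >= 256:
                self._data(source_id, fs_id, body)
            # FlowSet IDs 1..255 (options templates etc.) are skipped in this example
            off += fs_len
        return seq

    def _templates(self, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, off)
            off += 4
            fields = [struct.unpack_from("!HH", body, off + 4 * i) for i in range(nfields)]
            off += 4 * nfields
            key = (source_id, tid)
            self.templates[key] = fields
            for raw in self.pending.pop(key, []):  # replay records held back earlier
                self._decode(key, raw)

    def _data(self, source_id, tid, body):
        key = (source_id, tid)
        if key in self.templates:
            self._decode(key, body)
        else:
            self.pending[key].append(body)  # cannot be interpreted yet: keep, don't drop

    def _decode(self, key, body):
        fields = self.templates[key]
        rec_len = sum(n for _, n in fields)
        off = 0
        while off + rec_len <= len(body):  # a trailing remainder shorter than a record is padding
            rec = {}
            for ftype, flen in fields:
                raw = body[off:off + flen]
                off += flen
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                rec[name] = ".".join(map(str, raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
            self.flows.append(rec)


def run_demo():
    """Returns (flows decoded before the template, after it, all decoded flows)."""
    c = V9Collector()
    tcp = record("10.0.0.1", "10.0.0.5", 6, 40123, 5001, 1_500_000, 1000)  # constructed iperf-like flow
    udp = record("10.0.0.5", "10.0.0.1", 17, 5001, 40124, 800, 10)        # constructed reply flow
    c.feed(v9_header(1, seq=1) + data_flowset(TEMPLATE_ID, [tcp]))  # template not yet seen
    before = len(c.flows)
    c.feed(v9_header(1, seq=2) + template_flowset(TEMPLATE_ID, FIELDS))
    after = len(c.flows)
    c.feed(v9_header(1, seq=3) + data_flowset(TEMPLATE_ID, [udp]))
    return before, after, c.flows


if __name__ == "__main__":
    print(run_demo())
```

Running it prints 0 flows decoded before the template and 1 right after it, with the ports and protocol of the held-back record filled in only at that point. The practical check this suggests is to capture the export traffic on the collector (for example with tcpdump on UDP port 2055 and the cflow dissector in Wireshark) and confirm that FlowSet ID 0 (template) packets arrive, and how often; on IOS-XE the interval is governed by the flow exporter's `template data timeout` setting. If templates are rare or missing, the collector can only report the byte counts it can attribute to a source and destination and will show everything else as unknown.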

