Discussion:
[Ntop] nProbe as NetFlow collector
Oscar Carlstedt
2015-09-18 09:56:02 UTC
Hi,

I'm having trouble configuring nProbe as a NetFlow-collector and then
relaying to nTop. I'm using this command:

[***@localhost ~]# nprobe --zmq "tcp://*:5556" --collector-port 2055

And getting these results:

18/Sep/2015 17:41:17 [nprobe.c:3130] Valid nProbe license found
18/Sep/2015 17:41:17 [nprobe.c:4488] WARNING: The output interfaceId is
set to 0: did you forget to use -Q perhaps ?
18/Sep/2015 17:41:17 [nprobe.c:4491] WARNING: The input interfaceId is set
to 0: did you forget to use -u perhaps ?
18/Sep/2015 17:41:17 [nprobe.c:4552] Welcome to nProbe v.7.2.150914
($Revision: 4468 $) for x86_64-unknown-linux-gnu with native PF_RING
acceleration
18/Sep/2015 17:41:17 [nprobe.c:4562] Running on CentOS Linux release
7.1.1503 (Core)
18/Sep/2015 17:41:17 [nprobe.c:4573] [LICENSE] nProbe SystemId:
688C59C68206217E
18/Sep/2015 17:41:17 [nprobe.c:4584] [LICENSE] nProbe License:
D7D37ED89D454B911767CA48AE0BF91014740557803F3D11BE
18/Sep/2015 17:41:17 [nprobe.c:4587] [LICENSE] nProbe Edition: Standard
[without PF_RING Acceleration]
18/Sep/2015 17:41:17 [nprobe.c:4614] [LICENSE] Maintenance is available
until Fri Sep 16 21:56:20 2016 [364 days left]
18/Sep/2015 17:41:17 [nprobe.c:4658] WARNING: -n parameter is missing.
127.0.0.1:2055 will be used.
18/Sep/2015 17:41:17 [nprobe.c:6526] Welcome to nprobe v.7.2.150914 for
x86_64-unknown-linux-gnu
18/Sep/2015 17:41:17 [plugin.c:1000] 0 plugin(s) enabled
18/Sep/2015 17:41:17 [nprobe.c:6203] Non IPv4/v6 traffic is discarded
according to the template
18/Sep/2015 17:41:17 [util.c:287] GeoIP: loaded AS config file
/usr/share/ntopng/httpdocs/geoip/GeoIPASNum.dat
18/Sep/2015 17:41:17 [util.c:296] GeoIP: loaded AS IPv6 config file
/usr/share/ntopng/httpdocs/geoip/GeoIPASNumv6.dat
18/Sep/2015 17:41:17 [nprobe.c:6698] IPv6 traffic will NOT be
exported/accounted by this probe
18/Sep/2015 17:41:17 [nprobe.c:6699] due to configuration options (e.g.
use NetFlow v9)
18/Sep/2015 17:41:17 [util.c:3840] Succesfully created ZMQ endpoint
tcp://*:5556
18/Sep/2015 17:41:17 [util.c:2892] WARNING: Don't dropping privileges
(required by NetFilter)
18/Sep/2015 17:41:17 [collect.c:51] ERROR: Bad configuration: flows will
be sent to the collection port
18/Sep/2015 17:41:17 [collect.c:52] ERROR: causing a waterfall effect:
flow collection will be disabled
18/Sep/2015 17:41:17 [nprobe.c:7035] nProbe started successfully

I can see packets coming in:

[***@localhost ~]# tcpdump -i ens160 udp dst port 2055
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 65535 bytes
17:37:07.828907 IP a.b.c.d.63493 > localhost.localdomain.iop: UDP, length 72
17:37:07.937884 IP a.b.c.d.63493 > localhost.localdomain.iop: UDP, length 72
17:37:08.046399 IP a.b.c.d.63493 > localhost.localdomain.iop: UDP, length 72
17:37:08.156147 IP a.b.c.d.63493 > localhost.localdomain.iop: UDP, length 72
17:37:08.264936 IP a.b.c.d.63493 > localhost.localdomain.iop: UDP, length 72

But no flows are exported to nTop. Am I missing any parameters?

Please advise.

Best Regards,
Oscar Carlstedt
Oscar Carlstedt
2015-09-18 10:45:20 UTC
Hi,

Yes, I might have been unclear, sorry.

Exporting flows to nTop works fine. If I run nProbe with the -i eth0 flag
I can see statistics in nTop and the flows are exported through the zeromq
socket.

It's the NetFlow part that I can't get to work (--collector-port 2055).
I'm sending NetFlow data to port 2055 on the nProbe/nTop host. The port is
open in the CentOS-firewall. But nProbe doesn't seem to be collecting.

I'm concerned about these errors:

18/Sep/2015 17:41:17 [collect.c:51] ERROR: Bad configuration: flows will
be sent to the collection port
18/Sep/2015 17:41:17 [collect.c:52] ERROR: causing a waterfall effect:
flow collection will be disabled

/Oscar
Oscar,
in this scenario ntopng will connect to port 5556 of nprobe (note that
nProbe acts as server instead of client in this case).
So, you will not see any packet exported on port 2055 for sure, but if
ntopng is configured in the right way, you will see traffic from ntopng to
nprobe on port 5556.
Yuri
###############################################
"Simplicity is the ultimate sophistication" - Leonardo da Vinci
###############################################
_______________________________________________
Ntop mailing list
http://listgateway.unipi.it/mailman/listinfo/ntop
Oscar Carlstedt
2015-09-18 11:55:48 UTC
Hi,

It seems to be working now, thanks a lot!
I was running on 9996 before trying 2055 but I must have made some other
error.

/Oscar
Hello Oscar,

Try to use the '-n none' flag to disable the collector, as you are not
redirecting the flow to another collector, but instead using zmq.

nprobe -n none -g /var/run/nprobe.pid --collector-port=2055 --zmq "tcp://*:5556"

The default value of -n is localhost:2055, which is probably conflicting
with the collector-port in your case.
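
An added example, not part of the thread and not nProbe's own logic: a pre-flight check that flags an nprobe command line whose export target (-n, defaulting to 127.0.0.1:2055 as the startup warning in the thread reports) points back at its own --collector-port. It handles only the option forms that appear in this thread; the function names and the LOCAL_HOSTS set are assumptions.

```python
import shlex

DEFAULT_EXPORT = "127.0.0.1:2055"  # default -n target, per the nProbe warning in the thread
LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}  # assumption: names that mean "this host"


def parse_options(cmdline):
    """Return (export_target, collector_port) from an nprobe command line.

    Only the forms shown in the thread are recognised:
    -n <target>, --collector-port <port>, --collector-port=<port>.
    """
    tokens = shlex.split(cmdline)
    export, port = DEFAULT_EXPORT, None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-n" and i + 1 < len(tokens):
            export = tokens[i + 1]
            i += 1
        elif tok == "--collector-port" and i + 1 < len(tokens):
            port = int(tokens[i + 1])
            i += 1
        elif tok.startswith("--collector-port="):
            port = int(tok.split("=", 1)[1])
        i += 1
    return export, port


def export_loops_back(cmdline, extra_local=()):
    """True when exported flows would land on nprobe's own collector port."""
    export, port = parse_options(cmdline)
    if port is None or export.lower() == "none":
        return False  # not collecting, or export disabled with '-n none'
    host, _, export_port = export.rpartition(":")
    if not export_port.isdigit():
        return False  # target without an explicit port: not handled here
    local = LOCAL_HOSTS | set(extra_local)
    return host in local and int(export_port) == port


# The two command lines from the thread.
ORIGINAL = 'nprobe --zmq "tcp://*:5556" --collector-port 2055'
FIXED = 'nprobe -n none -g /var/run/nprobe.pid --collector-port=2055 --zmq "tcp://*:5556"'

if __name__ == "__main__":
    for cmd in (ORIGINAL, FIXED):
        print("LOOP" if export_loops_back(cmd) else "ok  ", cmd)
```

Pass the host's own addresses in `extra_local` to catch an explicit `-n` that names the local machine by its interface IP.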