Discussion:
[Ntop] nProbe / ntopNG config
BASSAGET Cédric
2018-10-12 08:52:51 UTC
Hello,
I'm trying to make nprobe work with IPFIX and ntopng, but data displayed by
ntopng is inconsistent.

Here's the path my netflow packets take :
router -> nprobe:6345 -> ntopNG:6445.
(nprobe and ntopng services are on the same host.)

nprobe runs with : (cat /etc/nprobe/nprobe.conf)
-i=any
-n=none
--collector-port=6345
--zmq tcp://*:6445 %EXPORTER_IPV4_ADDRESS
-T "@NTOPNG@"

ntopng runs with : (cat /etc/ntopng/ntopng.conf)
-i="tcp://127.0.0.1:6445"
-m=<my local subnet>
-F="mysql;/var/run/mysqld/mysqld.sock;ntopng;flows-%Y.%m.%d;ntopng;ntopng"

I have two hosts sending netflow to nprobe. I don't see two interfaces in
ntopng. Any reason why?
Traffic on one of the hosts which sends netflow to nprobe is always
100mb/s. In ntopng graphs, I do not see this value. It moves between 1 and
10mb/s. Why?

I'm running ntop/nprobe from ntop debian repositories, latest version
(upgraded this morning).

Regards
Cédric
BASSAGET Cédric
2018-10-15 09:47:37 UTC
Hi Simone,
Post by BASSAGET Cédric
Hello,
Hello,
I'm trying to make nprobe work with IPFIX and ntopng, but data displayed
by ntopng is inconsistent.
router -> nprobe:6345 -> ntopNG:6445.
(nprobe and ntopng services are on the same host.)
nprobe runs with : (cat /etc/nprobe/nprobe.conf)
-i=any
set to
-i=none
-n=none
--collector-port=6345
--zmq tcp://*:6445
%EXPORTER_IPV4_ADDRESS
@NTOPNG@ already includes %EXPORTER_IPV4_ADDRESS
Post by BASSAGET Cédric
ntopng runs with : (cat /etc/ntopng/ntopng.conf)
-i="tcp://127.0.0.1:6445"
-m=<my local subnet>
-F="mysql;/var/run/mysqld/mysqld.sock;ntopng;flows-%Y.%m.%d;ntopng;ntopng"
-F contains duplicated conf. Check that.
From man page:
Example -F "mysql;localhost;ntopng;flows-%Y.%m.%d;root;".

As the last "ntopng" is my password, I do not see what is duplicated.
Post by BASSAGET Cédric
I have two hosts sending netflow to nprobe. I don't see two interfaces in
ntopng. Any reason why?
Visit ntopng preferences, enable interfaces disaggregation on the basis of
the probe ip, and then restart ntopng
Done, works fine.
Post by BASSAGET Cédric
Traffic on one of the hosts which sends netflow to nprobe is always
100mb/s. In ntopng graphs, I do not see this value. It moves between 1 and
10mb/s. Why?
https://github.com/ntop/ntopng/issues/1359#issuecomment-320949928
I don't think it's related to this, as the host which sends netflows is a
BGP router and handles a lot of traffic from different sources. TCP sessions
may be relatively short.

I'm still seeing a difference between real traffic on my BGP router and data
gathered by nprobe from netflows. My netflow exporter has a sampling rate
defined to 10, so has my ntopng interface.
Running iftop and other monitoring tools always shows more than 100mb/s RX.
Graph at the bottom of ntopng page shows completely different values (often
around 10Mb/s)
Historical page of interface shows a max value of 54Mb/s but my max value
on host is around 270Mb/s...

My exporter is pmacct, how to check if it sends cumulative counters or not?
Regards,
Cédric
Post by BASSAGET Cédric
Regards,
Simone
I'm running ntop/nprobe from ntop debian repositories, latest version
(upgraded this morning).
Regards
Cédric
_______________________________________________
Ntop mailing list
http://listgateway.unipi.it/mailman/listinfo/ntop
BASSAGET Cédric
2018-10-24 14:12:44 UTC
Hello Simone,
If I have multiple exporters which send flows with different sampling rates
to ZMQ nprobe, do I have a solution?
Regards
Cédric,
You mentioned the exporter is doing 1:10 sampling. I am assuming you are
talking about the flow collection sampling rate. So I think you have to use
option -S in nProbe to upscale the incoming traffic.
-S <pkt rate>:<flow collection rate>:<flow export rate>
-S 1:10:1
Have a look at
https://www.ntop.org/guides/nProbe/cli_options.html?highlight=sampling for
a detailed description.
Simone
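The arithmetic behind the sampling discussion above, as an added example that is not part of the thread and is not ntop or pmacct code: it upscales sampled flow byte counts per exporter and shows what a single collector-wide factor does when exporters sample at different rates. The exporter addresses, byte counts, 10 s window and the second exporter's 1:1 rate are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: (exporter_ip, bytes reported in the flow record),
# all observed inside one WINDOW_S-second interval.
WINDOW_S = 10
FLOWS = [
    ("192.0.2.1", 5_000_000),   # exporter sampling 1:10
    ("192.0.2.1", 7_500_000),
    ("192.0.2.2", 2_500_000),   # exporter sending unsampled flows (assumed)
]
# Assumed per-exporter sampling rates, keyed on the exporter address.
SAMPLING = {"192.0.2.1": 10, "192.0.2.2": 1}


def mbps(byte_count, seconds):
    """Convert a byte count over an interval to megabits per second."""
    return byte_count * 8 / seconds / 1_000_000


def throughput(flows, sampling, window_s, global_rate=None):
    """Return {exporter: (raw_mbps, upscaled_mbps)}.

    With global_rate set, the same factor is applied to every exporter,
    which models one collector-wide upscaling setting.
    """
    raw = defaultdict(int)
    for exporter, nbytes in flows:
        raw[exporter] += nbytes

    report = {}
    for exporter, nbytes in raw.items():
        if global_rate is not None:
            rate = global_rate
        elif exporter in sampling:
            rate = sampling[exporter]
        else:
            # An exporter with no known rate cannot be upscaled safely.
            raise KeyError(f"no sampling rate configured for {exporter}")
        report[exporter] = (mbps(nbytes, window_s), mbps(nbytes * rate, window_s))
    return report


if __name__ == "__main__":
    for label, kwargs in (("per-exporter", {}), ("global 1:10", {"global_rate": 10})):
        print(label)
        for ip, (raw, up) in throughput(FLOWS, SAMPLING, WINDOW_S, **kwargs).items():
            print(f"  {ip}: raw {raw:.0f} Mb/s, upscaled {up:.0f} Mb/s")
```

The 1:10 exporter reads 10 Mb/s until its counters are multiplied by 10, while the same factor applied to the unsampled exporter overstates its traffic tenfold.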