ntop / nProbe

Open source components and extensions for nProbe
http://ntop.org
GNU General Public License v2.0

nprobe in reflector mode changes some netflow fields #104

Closed ronaldral closed 7 years ago

ronaldral commented 7 years ago

Hello,

I have several routers sending netflow v5/9 to instance#1. I have installed nprobe there, and I am using the following configuration file:

-i=none
--collector=udp://10.30.0.38:5000
--collector=udp://10.30.0.37:5000
--all-collectors=
--collector-port=5000
-T=%IN_BYTES %IN_PKTS %PROTOCOL %SRC_TOS %L4_SRC_PORT %L4_SRC_PORT_MAP %IPV4_SRC_ADDR %IPV4_SRC_MASK %IPV4_NEXT_HOP %L4_DST_PORT %L4_DST_PORT_MAP %IPV4_DST_ADDR %IPV4_DST_MASK %OUT_BYTES %OUT_PKTS %IPV6_SRC_ADDR %IPV6_DST_ADDR %IPV6_SRC_MASK %IPV6_DST_MASK %TOTAL_BYTES_EXP %TOTAL_PKTS_EXP %TOTAL_FLOWS_EXP %IN_SRC_MAC %SRC_VLAN %DST_VLAN %IP_PROTOCOL_VERSION %MPLS_LABEL_1 %MPLS_LABEL_2 %MPLS_LABEL_3 %MPLS_LABEL_4 %MPLS_LABEL_5 %MPLS_LABEL_6 %MPLS_LABEL_7 %MPLS_LABEL_8 %MPLS_LABEL_9 %MPLS_LABEL_10 %OUT_DST_MAC %FLOW_ID %EXPORTER_IPV4_ADDRESS %EXPORTER_IPV6_ADDRESS %FLOW_START_SEC %FLOW_END_SEC %FLOW_START_MILLISECONDS %FLOW_END_MILLISECONDS %INPUT_SNMP %OUTPUT_SNMP
-V=9
--daemon-mode=

The idea is basically to send (reflect/mirror) the incoming netflow to 2 collectors. I don't want the netflow packet data to be altered, aside from converting those in v5 to v9 (so everything is v9).

My issue: When I collected netflow on the collectors, some fields had been altered, i.e. %EXPORTER_IPV4_ADDRESS. If instead of sending netflow to collectors I just dump the netflow data to a local disk, this field (EXPORTER_IPV4_ADDRESS) shows the IPs of all my routers. But if I check again at the collector side, this field shows the IP where nprobe is installed.

I would like to know if there is any way to avoid this. I want nprobe to work as a reflector of all incoming netflow.

Thank you very much for your time.

Regards,

Ronald

lucaderi commented 7 years ago

In the past weeks we have changed the logic of EXPORTER_IPV4_ADDRESS: it contains the IP address of the original flow exporter. Instead, NPROBE_IPV4_ADDRESS contains the IPv4 address of the host where nProbe runs.

nprobe -h | grep ADDRESS
[130] %EXPORTER_IPV4_ADDRESS %exporterIPv4Address Flow exporter IPv4 Address
[131] %EXPORTER_IPV6_ADDRESS %exporterIPv6Address Flow exporter IPv6 Address
[NFv9 57943][IPFIX 35632.471] %NPROBE_IPV4_ADDRESS IPv4 address of the host were nProbe runs
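A collector-side check for the distinction Luca describes, written here as an added example (not nProbe's code, and not from the issue): it builds a small NetFlow v9 packet whose template carries element 130 (EXPORTER_IPV4_ADDRESS) and 57943 (NPROBE_IPV4_ADDRESS), parses it the way a collector would, and reports whether the exporter field still names the routers or has been replaced by the nProbe host, which is the symptom Ronald saw. The router and nProbe addresses, the flows, and the 4-byte length assumed for both address elements are constructed for the example.

```python
import socket
import struct
from typing import Dict, List, Tuple

# NetFlow v9 element IDs. 130 and 57943 are the IDs shown by `nprobe -h` above;
# 8 and 12 are the standard IPV4_SRC_ADDR / IPV4_DST_ADDR elements.
IPV4_SRC_ADDR = 8
IPV4_DST_ADDR = 12
EXPORTER_IPV4_ADDRESS = 130
NPROBE_IPV4_ADDRESS = 57943

# Constructed sample values (not from the issue): two routers, the nProbe host,
# and the 4-byte element lengths assumed for the template.
ROUTER_A, ROUTER_B, NPROBE_HOST = "10.30.0.1", "10.30.0.2", "10.30.0.100"
FIELDS = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (EXPORTER_IPV4_ADDRESS, 4), (NPROBE_IPV4_ADDRESS, 4)]
# (src, dst, exporter, nprobe) per record, in FIELDS order: what a correct reflector emits.
FLOWS_PRESERVED = [("192.168.1.10", "10.0.0.5", ROUTER_A, NPROBE_HOST),
                   ("172.16.0.7", "10.0.0.9", ROUTER_B, NPROBE_HOST)]
# The symptom from the question: the exporter field carries the nProbe host instead.
FLOWS_REWRITTEN = [("192.168.1.10", "10.0.0.5", NPROBE_HOST, NPROBE_HOST)]


def build_v9_packet(flows: List[Tuple[str, str, str, str]]) -> bytes:
    """Build one NetFlow v9 packet: header, a template FlowSet (id 0, template 256), a data FlowSet."""
    tmpl = struct.pack("!HH", 256, len(FIELDS)) + b"".join(struct.pack("!HH", t, n) for t, n in FIELDS)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    data = b"".join(socket.inet_aton(ip) for flow in flows for ip in flow)
    data_fs = struct.pack("!HH", 256, 4 + len(data)) + data
    # header: version, record count (template + data records), sysUptime, unixSecs, sequence, sourceId
    header = struct.pack("!HHIIII", 9, 1 + len(flows), 0, 0, 0, 0)
    return header + tmpl_fs + data_fs


def parse_v9_packet(packet: bytes) -> List[Dict[int, bytes]]:
    """Return the data records of a v9 packet as {element_id: raw bytes}.
    Templates are learnt only from this packet; a real collector caches them per exporter."""
    if len(packet) < 20:
        raise ValueError("packet shorter than v9 header")
    version = struct.unpack("!H", packet[:2])[0]
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    templates: Dict[int, List[Tuple[int, int]]] = {}
    records: List[Dict[int, bytes]] = []
    offset = 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
        if length < 4 or offset + length > len(packet):
            raise ValueError("bad FlowSet length")
        body = packet[offset + 4:offset + length]
        offset += length
        if flowset_id == 0:  # template FlowSet: one or more templates, maybe padding
            pos = 0
            while pos + 4 <= len(body):
                template_id, field_count = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if pos + 4 * field_count > len(body):
                    raise ValueError("truncated template")
                templates[template_id] = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                                          for i in range(field_count)]
                pos += 4 * field_count
        elif flowset_id > 255:  # data FlowSet, keyed by template id
            fields = templates.get(flowset_id)
            if fields is None:
                continue  # template not seen yet: skip, as a collector would
            rec_len = sum(n for _, n in fields)
            pos = 0
            while rec_len and pos + rec_len <= len(body):  # trailing bytes < rec_len are padding
                rec, p = {}, pos
                for elem_id, n in fields:
                    rec[elem_id] = body[p:p + n]
                    p += n
                records.append(rec)
                pos += rec_len
        # FlowSet ids 1 (options template) and 2..255 are ignored here
    return records


def exporter_summary(packet: bytes, nprobe_ip: str) -> dict:
    """Summarise which exporters the records claim, and flag if the exporter field names the nProbe host."""
    recs = parse_v9_packet(packet)
    exporters = sorted({socket.inet_ntoa(r[EXPORTER_IPV4_ADDRESS]) for r in recs if EXPORTER_IPV4_ADDRESS in r})
    probes = sorted({socket.inet_ntoa(r[NPROBE_IPV4_ADDRESS]) for r in recs if NPROBE_IPV4_ADDRESS in r})
    return {"records": len(recs), "exporters": exporters, "nprobe_hosts": probes,
            "exporter_rewritten": nprobe_ip in exporters}


if __name__ == "__main__":
    print("expected:", exporter_summary(build_v9_packet(FLOWS_PRESERVED), NPROBE_HOST))
    print("symptom: ", exporter_summary(build_v9_packet(FLOWS_REWRITTEN), NPROBE_HOST))
```

Pointed at a capture from the real collector port instead of the constructed packet, `exporter_summary` gives a quick yes/no on whether the reflector kept the routers' addresses in element 130 and put its own address only in 57943, which is the behaviour described in the answer above.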