ntop / nProbe

Open source components and extensions for nProbe
http://ntop.org
GNU General Public License v2.0
1.65k stars 44 forks

Application recognition in nProbe #120

Closed seleznevae closed 7 years ago

seleznevae commented 7 years ago

I'm doing DPI myself and want to disable L7 recognition in nProbe, to use nProbe as a collector and to watch the results in ntopng. So my question partly duplicates https://github.com/ntop/nProbe/issues/46, and as I understand it, what I want is doable.

I write the application name in the field APPLICATION_NAME (field 96 in NetFlow v9). Here is an example of the NetFlow packets: netflow_v9.pcapng.gz

However, protocols in ntopng are defined as Unknown. I run nprobe as follows:

nprobe --zmq tcp://*:5556 -i none -n none --collector-port 2055 -V 9 -b 2 -T "%FIRST_SWITCHED %LAST_SWITCHED %PROTOCOL %IPV4_SRC_ADDR %IPV4_DST_ADDR %IN_BYTES %IN_PKTS %L7_PROTO %L7_PROTO_NAME" --disable-l7-protocol-guess

As I understand it, my APPLICATION_NAME should be recognized. Am I doing something wrong? I would be grateful for any hint. Best regards, Anton

ValentinaViscarelli commented 7 years ago

@seleznevae Sorry for the delayed reply. nProbe uses the L7_PROTO field in order to export the L7 applications to ntopng. Please export the L7_PROTO field instead of the APPLICATION_NAME field.