ntop / nProbe

Open source components and extensions for nProbe
http://ntop.org
GNU General Public License v2.0

Easier access to the data (embedded packets) of sflow packets #145

Closed frgagnon closed 7 years ago

frgagnon commented 7 years ago

We are using nProbe as a receiver for sflow packets (and for other analysis as well). What we want to do is to post-process the packets embedded into sflow. So far, here's what we do:

We run nProbe in debug with a count and have it dump packets into a pcap file and after that we post-process the pcap file with our own engine. We use the following command:

"nprobe --debug --count=100 --collector-port=6343 --dump-pkts=pcapFile"

It works but this is not super cool as we need to stop nProbe for the pcap trace to be available and stopping nProbe is not "easy" (that's why we use a counter as a workaround) and not convenient (we would prefer nProbe to run continuously for other monitoring use cases).

So we would like to have a way for another process to access the data inside sflow packets (the embedded sampled packets). It could be done by having nprobe support the creation of many pcap files (e.g., one file for every X minutes of monitoring or one file for every X packets). In that way, the other process could grab those files when they become available and post-process them.

Maybe there's already a way of achieving something similar, but we couldn't find how to do it.

Thanks

lucaderi commented 7 years ago

The debug option is used only by us during debugging. What you want to achieve can be done with tcpdump/wireshark while nProbe is running.

frgagnon commented 7 years ago

@lucaderi Thanks for the answer, but I don't think it helps me unless there is something I misunderstand.

Since we are using nProbe as an sflow receiver (not generator), I fail to see what it would do to run Wireshark while nProbe is running (both on the receiving end).

I know I can use wireshark to capture packets, but the packets I receive (sflows) are packets (eth/ip/tcp/...) encapsulated as raw data inside another packet (eth/ip/udp/sflow/RAW) following the sflow protocol. If I do that, I'll have to go about the task of unwrapping the sflow protocol to access the original packets (those collected by the flow-enabled switch). I know nprobe already does this unwrapping of the sflow protocol, since nProbe provides the option to generate a pcap without the sflow wrapping. But as far as I know, nProbe generates the pcap file only upon termination instead of creating a rotating pcap every X min or every X packets written (I think this should eventually be a feature of nProbe). I was looking for a way to use nProbe's sflow parsing engine, but I think we'll go with a custom solution to dissect sflow packets and retrieve the original raw data.

But please let me know if I am missing something about a functionality of nProbe that would allow me to use it.

Thanks!
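The unwrapping frgagnon describes (eth/ip/udp/sflow/RAW down to the sampled eth/ip/... frame), as an added example that is not code from nProbe or from anyone in this thread. It decodes the sFlow v5 datagram layout from the public specification (version, agent address, sample list; flow samples that carry raw packet header records), skips counter samples and other record types by their length field, and serialises the recovered frames as a classic pcap so a separate engine can consume them. The datagram it parses is constructed inline by `build_datagram`; the function names and the agent address, sequence and sampling-rate values are assumptions made for this example.

```python
import struct

# sFlow v5 constants from the public sFlow v5 specification (sflow.org)
SFLOW_VERSION = 5
AGENT_IPV4 = 1              # agent address_type: 1 = IPv4, 2 = IPv6
SAMPLE_FLOW = 1             # sample_type enterprise 0 / format 1 = flow sample
SAMPLE_COUNTER = 2          # format 2 = counter sample (carries no packets)
RECORD_RAW_HEADER = 1       # flow record format 1 = sampled raw packet header
HEADER_PROTO_ETHERNET = 1   # header_protocol 1 = ETHERNET-ISO88023


def _u32(buf, off):
    """Read one big-endian uint32 at off; return (value, next offset)."""
    return struct.unpack_from("!I", buf, off)[0], off + 4


def parse_sflow_v5(datagram):
    """Unwrap an sFlow v5 datagram and return the sampled frames it embeds.

    Only enterprise-0 flow samples (format 1) with raw packet header records
    (format 1) are decoded; counter samples, expanded samples and extended
    records are skipped using the length field that precedes each of them.
    """
    off = 0
    version, off = _u32(datagram, off)
    if version != SFLOW_VERSION:
        raise ValueError("unsupported sFlow version %d" % version)
    addr_type, off = _u32(datagram, off)
    off += 4 if addr_type == AGENT_IPV4 else 16   # agent address
    off += 3 * 4                                  # sub_agent_id, seq_no, uptime
    n_samples, off = _u32(datagram, off)
    frames = []
    for _ in range(n_samples):
        sample_type, off = _u32(datagram, off)
        sample_len, off = _u32(datagram, off)
        if sample_type == SAMPLE_FLOW:
            frames.extend(_parse_flow_sample(datagram[off:off + sample_len]))
        off += sample_len                         # length-skip everything else
    return frames


def _parse_flow_sample(body):
    off = 0
    _seq_no, off = _u32(body, off)
    _source_id, off = _u32(body, off)
    rate, off = _u32(body, off)
    off += 4 * 4                                  # pool, drops, input, output
    n_records, off = _u32(body, off)
    out = []
    for _ in range(n_records):
        fmt, off = _u32(body, off)
        rec_len, off = _u32(body, off)
        if fmt == RECORD_RAW_HEADER:
            proto, o = _u32(body, off)
            frame_len, o = _u32(body, o)
            stripped, o = _u32(body, o)
            hdr_len, o = _u32(body, o)
            out.append({"sampling_rate": rate, "header_protocol": proto,
                        "frame_length": frame_len, "stripped": stripped,
                        "header": body[o:o + hdr_len]})   # drop XDR padding
        off += rec_len                            # records are 4-byte padded
    return out


def pcap_bytes(frames, link_type=1):
    """Serialise unwrapped frames as a classic pcap (LINKTYPE_ETHERNET = 1).

    sFlow carries no per-packet timestamp, so ts is left at 0 here; a real
    receiver would stamp the datagram's arrival time. orig_len keeps the
    agent-reported frame length so tools can see the capture was truncated.
    """
    snap = max((len(f["header"]) for f in frames), default=65535)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snap, link_type)
    for f in frames:
        hdr = f["header"]
        out += struct.pack("<IIII", 0, 0, len(hdr), f["frame_length"]) + hdr
    return out


def _pad4(b):
    return b + b"\x00" * (-len(b) % 4)


def build_datagram(raw_frames, rate=1024):
    """Constructed test input: one flow sample plus an empty counter sample."""
    records = b""
    for f in raw_frames:
        # frame_length = captured header + the 4-byte FCS the agent stripped
        rec = struct.pack("!IIII", HEADER_PROTO_ETHERNET, len(f) + 4, 4, len(f))
        rec += _pad4(f)
        records += struct.pack("!II", RECORD_RAW_HEADER, len(rec)) + rec
    body = struct.pack("!8I", 1, 0, rate, 0, 0, 1, 2, len(raw_frames)) + records
    sample = struct.pack("!II", SAMPLE_FLOW, len(body)) + body
    counter = struct.pack("!II", SAMPLE_COUNTER, 0)   # skipped by the parser
    head = struct.pack("!7I", SFLOW_VERSION, AGENT_IPV4, 0xC0A80001, 0, 7, 1000, 2)
    return head + sample + counter


# Constructed sampled frames: Ethernet header + start of a payload, with
# lengths that are not multiples of 4 so the XDR padding path is exercised.
FRAME_A = bytes.fromhex("ffffffffffff001122334455" "0800") + bytes(range(20))
FRAME_B = bytes.fromhex("00aabbccddee001122334455" "0800") + bytes(range(47))


def demo():
    frames = parse_sflow_v5(build_datagram([FRAME_A, FRAME_B]))
    return frames, pcap_bytes(frames)


if __name__ == "__main__":
    for f in demo()[0]:
        print("1/%d sampled, %d bytes on wire, %d bytes captured"
              % (f["sampling_rate"], f["frame_length"], len(f["header"])))
```

Rotation is then the receiver's choice: write `pcap_bytes(...)` to a fresh file every N frames or every N minutes and let the post-processing engine pick up the closed files. Two caveats for whatever consumes them: only the header bytes the agent captured come back (typically the first 128 bytes, so expect truncated frames and check `frame_length` or the pcap `orig_len`), and each frame represents roughly `sampling_rate` packets, so counts derived from them must be scaled.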