ntop / nProbe

Open source components and extensions for nProbe
http://ntop.org
GNU General Public License v2.0

nprobe ipfix collector mode issue #15

Closed hemskgren closed 8 years ago

hemskgren commented 8 years ago

Hi

I have a Cisco ASR 1k. When I send NetFlow v9 to nProbe it works well, but when I change to IPFIX I get 0 bps in "Actual Thpt" in ntopng. The "info" always gives "This flow cannot be found (expired ?)"; total bytes are shown, but only low KB/bytes.

I was hoping to use the IPFIX %HTTP_HOST field to show sites accessed through the HTTP proxy, but I read something 6 months old saying it was not supported.

/usr/local/bin/nprobe --zmq tcp://127.0.0.1:5556 -i none -n none --collector-port 2055
11/Dec/2015 23:54:40 [nprobe.c:3160] ERROR: Invalid nProbe license (/etc/nprobe.license) [Missing license file]
11/Dec/2015 23:54:40 [nprobe.c:3167] ERROR: ***
11/Dec/2015 23:54:40 [nprobe.c:3168] ERROR: \
11/Dec/2015 23:54:40 [nprobe.c:3169] ERROR: \ Switching to DEMO MODE (missing valid license)
11/Dec/2015 23:54:40 [nprobe.c:3170] ERROR: \
11/Dec/2015 23:54:40 [nprobe.c:3171] ERROR: \ Create your nProbe license at
11/Dec/2015 23:54:40 [nprobe.c:3172] ERROR: \ http://www.nmon.net/mklicense/
11/Dec/2015 23:54:40 [nprobe.c:3173] ERROR: \
11/Dec/2015 23:54:40 [nprobe.c:3174] ERROR: *
11/Dec/2015 23:54:40 [nprobe.c:6681] ERROR: *****
11/Dec/2015 23:54:40 [nprobe.c:6682] ERROR: * NOTE: This is a DEMO version limited to 25000 flows export. *
11/Dec/2015 23:54:40 [nprobe.c:6683] ERROR: ***
11/Dec/2015 23:54:40 [plugin.c:169] No plugins found in ./plugins
11/Dec/2015 23:54:40 [plugin.c:177] Loading 22 plugins [.so] from /usr/local/lib/nprobe/plugins
11/Dec/2015 23:54:40 [nprobe.c:4576] WARNING: The output interfaceId is set to 0: did you forget to use -Q perhaps ?
11/Dec/2015 23:54:40 [nprobe.c:4579] WARNING: The input interfaceId is set to 0: did you forget to use -u perhaps ?
11/Dec/2015 23:54:40 [nprobe.c:4671] Welcome to nProbe Pro v.7.3.151211 ($Revision: 4733 $) for x86_64-unknown-linux-gnu with native PF_RING acceleration
11/Dec/2015 23:54:40 [nprobe.c:4681] Running on CentOS Linux release 7.1.1503 (Core)
11/Dec/2015 23:54:40 [nprobe.c:4692] [LICENSE] nProbe SystemId: 689677AB82072B13
11/Dec/2015 23:54:40 [nprobe.c:6699] Welcome to nProbe v.7.3.151211 for x86_64-unknown-linux-gnu
11/Dec/2015 23:54:40 [plugin.c:1009] 0 plugin(s) enabled
11/Dec/2015 23:54:40 [nprobe.c:6374] Non IPv4/v6 traffic is discarded according to the template
11/Dec/2015 23:54:40 [util.c:431] GeoIP: loaded AS config file /usr/share/ntopng/httpdocs/geoip/GeoIPASNum.dat
11/Dec/2015 23:54:40 [util.c:441] GeoIP: loaded AS IPv6 config file /usr/share/ntopng/httpdocs/geoip/GeoIPASNumv6.dat
11/Dec/2015 23:54:40 [nprobe.c:5243] Using packet capture length 128
11/Dec/2015 23:54:40 [nprobe.c:6872] IPv6 traffic will NOT be exported/accounted by this probe
11/Dec/2015 23:54:40 [nprobe.c:6873] due to configuration options (e.g. use NetFlow v9)
11/Dec/2015 23:54:40 [nprobe.c:7001] Not capturing packet from interface (collector mode)
11/Dec/2015 23:54:40 [util.c:4011] Succesfully created ZMQ endpoint tcp://127.0.0.1:5556
11/Dec/2015 23:54:40 [collect.c:145] Flow collector listening on port 2055 (IPv4/v6)
11/Dec/2015 23:54:40 [nprobe.c:7213] nProbe started successfully
^C11/Dec/2015 23:56:48 [cache.c:1210] Redis Cache [0 total/0.0 get/sec][0 total/0.0 set/sec]
11/Dec/2015 23:56:48 [nprobe.c:394] Received shutdown request... [signal: 2]
11/Dec/2015 23:56:48 [engine.c:2639] About to flush hash (threadId 0)
11/Dec/2015 23:56:48 [engine.c:2641] Completed hash walk (thread 0)
11/Dec/2015 23:56:51 [cache.c:1210] Redis Cache [0 total/0.0 get/sec][0 total/0.0 set/sec]
11/Dec/2015 23:56:51 [nprobe.c:2503] Processed packets: 0 (max bucket search: 0)
11/Dec/2015 23:56:51 [nprobe.c:2486] Fragment queue length: 0
11/Dec/2015 23:56:51 [nprobe.c:2512] Flow export stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
11/Dec/2015 23:56:51 [nprobe.c:2519] Flow collection: [collected pkts: 543][processed flows: 2395]
11/Dec/2015 23:56:51 [nprobe.c:2522] Flow drop stats: [0 bytes/0 pkts][0 flows]
11/Dec/2015 23:56:51 [nprobe.c:2527] Total flow stats: [0 bytes/0 pkts][0 flows/0 pkts sent]

Regards, Christer

lucaderi commented 8 years ago

I think what you want to do cannot work, as in collector mode nProbe is unable to see packets and thus it can do just conversion. With some ASA models/configurations the flows lack important fields, and this is the problem. I suggest checking your ASA configuration and trying again.