ntop / nProbe

Open source components and extensions for nProbe
http://ntop.org
GNU General Public License v2.0

nProbe docker can't open interface #441

Closed bdollma closed 2 years ago

bdollma commented 3 years ago

Hi, very new to ntop. I have IPFIX traffic incoming to one of the interfaces on my laptop, specifically utun4. I want to be able to analyse the incoming IPFIX traffic with nProbe and pass it to ntopng through ZMQ. My OS is macOS. I couldn't find any nProbe for macOS, so I thought I would run nProbe as a container while running ntopng natively. However, when I run:

sudo docker run -it -v $(pwd)/nprobe.license:/etc/nprobe.license  --net=host ntop/nprobe:stable --zmq "tcp://*:5556" -i utun4

I get the following:

05/Oct/2020 12:06:34 [plugin.c:177] No plugins found in ./plugins
05/Oct/2020 12:06:34 [plugin.c:185] Loading 23 plugins [.so] from /usr/local/lib/nprobe/plugins
05/Oct/2020 12:06:34 [nprobe.c:4605] ERROR: Invalid license (/etc/nprobe.license) [Empty license file]
05/Oct/2020 12:06:34 [nprobe.c:4612] ERROR: *****************************************************
05/Oct/2020 12:06:34 [nprobe.c:4613] ERROR: **                                                 **
05/Oct/2020 12:06:34 [nprobe.c:4614] ERROR: **  Switching to DEMO MODE (missing valid license) **
05/Oct/2020 12:06:34 [nprobe.c:4615] ERROR: **                                                 **
05/Oct/2020 12:06:34 [nprobe.c:4617] ERROR: **  Purchase your license at                       **
05/Oct/2020 12:06:34 [nprobe.c:4618] ERROR: **       https://shop.ntop.org/                    **
05/Oct/2020 12:06:34 [nprobe.c:4619] ERROR: **                                                 **
05/Oct/2020 12:06:34 [nprobe.c:4621] ERROR: *****************************************************
05/Oct/2020 12:06:34 [nprobe.c:6675] WARNING: The output interfaceId is set to 0: did you forget to use -Q perhaps ?
05/Oct/2020 12:06:34 [nprobe.c:6678] WARNING: The input interfaceId is set to 0: did you forget to use -u perhaps ?
05/Oct/2020 12:06:34 [nprobe.c:6684] WARNING: You have specified --zmq and not specified -n.
05/Oct/2020 12:06:34 [nprobe.c:6685] WARNING: We believe you want to use just ZMQ and no netflow export
05/Oct/2020 12:06:34 [nprobe.c:6686] WARNING: Setting flow export to -n none
05/Oct/2020 12:06:34 [nprobe.c:6765] Welcome to nProbe v.9.0.200511 ($Revision: 6814 $) for x86_64-pc-linux-gnu with native PF_RING acceleration
05/Oct/2020 12:06:34 [nprobe.c:6776] Running on Ubuntu 18.04.4 LTS
05/Oct/2020 12:06:34 [nprobe.c:6787] [LICENSE] nProbe SystemId: 12030603760C6B22
05/Oct/2020 12:06:34 [nprobe.c:6858] Sample rate [packet: 1][flow collection/export: 1/1]
05/Oct/2020 12:06:34 [nprobe.c:9695] ERROR: ***************************************************************
05/Oct/2020 12:06:34 [nprobe.c:9696] ERROR: * NOTE: This is a DEMO version limited to 25000 flows export.  *
05/Oct/2020 12:06:34 [nprobe.c:9697] ERROR: ***************************************************************
05/Oct/2020 12:06:34 [modbusPlugin.c:104] [MODBUS] Idle flow timeout set to 120 sec
05/Oct/2020 12:06:34 [nprobe.c:9704] Welcome to nProbe v.9.0.200511 for x86_64-pc-linux-gnu
05/Oct/2020 12:06:34 [nprobe.c:8664] Using default template %IN_SRC_MAC %OUT_DST_MAC %INPUT_SNMP %OUTPUT_SNMP %SRC_VLAN %IPV4_SRC_ADDR %IPV4_DST_ADDR %L4_SRC_PORT %L4_DST_PORT %IPV6_SRC_ADDR %IPV6_DST_ADDR %IP_PROTOCOL_VERSION %PROTOCOL %L7_PROTO %IN_BYTES %IN_PKTS %OUT_BYTES %OUT_PKTS %FIRST_SWITCHED %LAST_SWITCHED %CLIENT_TCP_FLAGS %SERVER_TCP_FLAGS %CLIENT_NW_LATENCY_MS %SERVER_NW_LATENCY_MS %APPL_LATENCY_MS %OOORDER_IN_PKTS %OOORDER_OUT_PKTS %RETRANSMITTED_IN_PKTS %RETRANSMITTED_OUT_PKTS %SRC_FRAGMENTS %DST_FRAGMENTS %DNS_QUERY %HTTP_URL %HTTP_SITE %TLS_SERVER_NAME %BITTORRENT_HASH
05/Oct/2020 12:06:34 [nprobe.c:8669] Using NetFlow Packet Payload Len: 1472
05/Oct/2020 12:06:34 [nprobe.c:8704] Flow export type: bidirectional flows
05/Oct/2020 12:06:34 [plugin.c:1309] 2 plugin(s) enabled
05/Oct/2020 12:06:34 [nprobe.c:9139] Each flow is 464 bytes long
05/Oct/2020 12:06:34 [nprobe.c:9140] The # flows per packet has been set to 2
05/Oct/2020 12:06:34 [nprobe.c:9143] IP TOS is ignored
05/Oct/2020 12:06:34 [util.c:5573] ERROR: Cannot get hw addr for utun4
05/Oct/2020 12:06:34 [pro/pf_ring.c:376] Initializing PF_RING socket on device utun4..
05/Oct/2020 12:06:34 [nprobe.c:7652] Initializing pcap socket on device utun4..
05/Oct/2020 12:06:34 [nprobe.c:7663] ERROR: Unable to open interface utun4.
05/Oct/2020 12:06:34 [nprobe.c:9834] ERROR: Unable to open interface utun4 (utun4: No such device exists (SIOCGIFHWADDR: No such device))
05/Oct/2020 12:06:34 [nprobe.c:9836] ERROR: Try using -i none if you do not want capture from a NIC

It might be that I am missing something and this is not meant to work this way. Any help would be appreciated. Thanks

simonemainardi commented 3 years ago

Hi, you need to use nprobe in collector mode. See https://www.ntop.org/nprobe/network-monitoring-101-a-beginners-guide-to-understanding-ntop-tools/, section "Monitoring Netflow/sFlow Traffic". Note also that nprobe requires a license, or it will just work in demo mode and export only the first 25k flows.
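Added example (not from the thread or the ntop project): a small wrapper that first checks the mounted license file is non-empty (the "Empty license file" error above) and then builds the container command for collector mode, which listens for IPFIX/NetFlow on a UDP port instead of capturing from utun4. The collector port 2055, the license path and publishing the port with -p (so it works whether or not the Docker host supports --net=host) are assumptions.

```shell
#!/bin/sh
# Added example: start the nProbe container as an IPFIX/NetFlow collector
# rather than capturing on a NIC. Port, paths and -p are assumptions.

# Refuse to start when the license file is missing or empty; nProbe would
# otherwise fall back to the 25k-flow demo mode seen in the thread.
check_license() {
    [ -s "$1" ] || { echo "license file '$1' is missing or empty" >&2; return 1; }
    return 0
}

# Build the docker command: -i none disables NIC capture, --collector-port
# receives IPFIX/NetFlow over UDP, --zmq publishes flows for ntopng, and
# -n none suppresses NetFlow re-export (what the warnings above set anyway).
nprobe_collector_cmd() {
    license="$1"; port="${2:-2055}"; zmq="${3:-tcp://*:5556}"
    printf 'docker run -it -v %s:/etc/nprobe.license -p %s:%s/udp ntop/nprobe:stable -i none --collector-port %s --zmq "%s" -n none\n' \
        "$license" "$port" "$port" "$port" "$zmq"
}

# Run the container only when explicitly asked, e.g.
#   NPROBE_EXAMPLE_MAIN=1 sh nprobe-collector.sh
if [ "${NPROBE_EXAMPLE_MAIN:-0}" = "1" ]; then
    check_license ./nprobe.license && eval "$(nprobe_collector_cmd ./nprobe.license 2055)"
fi
```

Point ntopng at the published ZMQ endpoint (-i tcp://127.0.0.1:5556) and send the IPFIX exporter to UDP port 2055 on the Docker host.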

clarenceharre commented 3 years ago

@bdollma Hi, also very new to ntop and trying to achieve something similar (MacOS, use Docker). I've purchased a licence but can't figure out how to find 'System ID' and 'nProbe Version' - if you figured that out, could you please share how? Thank you

cardigliano commented 3 years ago

@clarenceharre you can read the System ID and Version with --version or from the nProbe output, as you can see in the output above:

05/Oct/2020 12:06:34 [nprobe.c:6765] Welcome to nProbe v.9.0.200511 ($Revision: 6814 $) for x86_64-pc-linux-gnu with native PF_RING acceleration
05/Oct/2020 12:06:34 [nprobe.c:6787] [LICENSE] nProbe SystemId: 12030603760C6B22

clarenceharre commented 3 years ago

Thank you @cardigliano - I was able to find them by looking at the error message as you suggested.

After learning more about the "docker run" structure, I realised that we can replace the "-i eth0" with "nprobe -h" and it will generate the System ID, version number and a long list of commands we can use.