ntop / nProbe

Open source components and extensions for nProbe
http://ntop.org
GNU General Public License v2.0

Flows do not arrive in nTopng #583

Closed pbolle closed 4 weeks ago

pbolle commented 11 months ago

Hi, I am trying to collect netflows with nprobe and display them with ntop.

When starting nprobe it looks like it recognizes the switch. With tcpdump I can also see that flows arrive.

Jul 31 14:00:35 myserver nprobe[801037]: 31/Jul/2023 14:00:35 [nprobe.c:5583] Reading configuration file /run/nprobe.conf
Jul 31 14:00:35 myserver nprobe[801037]: 31/Jul/2023 14:00:35 [plugin.c:178] No plugins found in ./plugins
Jul 31 14:00:35 myserver nprobe[801037]: 31/Jul/2023 14:00:35 [plugin.c:186] Loading 23 plugins [.so] from /usr/lib/nprobe/plugins
Jul 31 14:00:35 myserver nprobe[801037]: 31/Jul/2023 14:00:35 [nprobe.c:5350] Valid nProbe Enterprise M license found
Jul 31 14:00:35 myserver nprobe[801037]: 31/Jul/2023 14:00:35 [nprobe.c:5911] Disabling flow cache during collection
Jul 31 14:00:35 myserver nprobe[801037]: 31/Jul/2023 14:00:35 [nprobe.c:7690] WARNING: The output interfaceId is set to 0: did you forget to use -Q perhaps ?
Jul 31 14:00:35 myserver nprobe[801037]: 31/Jul/2023 14:00:35 [nprobe.c:7693] WARNING: The input interfaceId is set to 0: did you forget to use -u perhaps ?
Jul 31 14:00:35 myserver nprobe[801037]: 31/Jul/2023 14:00:35 [nprobe.c:7718] Using ZMQ sourceId 1257846037
Jul 31 14:00:35 myserver nprobe[801037]: 31/Jul/2023 14:00:35 [nprobe.c:7789] Flow cache is disabled in flow collection mode
Jul 31 14:00:35 myserver nprobe[801037]: 31/Jul/2023 14:00:35 [nprobe.c:7792] Welcome to nProbe v.10.2.230720 for x86_64-pc-linux-gnu with native PF_RING acceleration
Jul 31 14:00:35 myserver nprobe[801037]: 31/Jul/2023 14:00:35 [nprobe.c:7814] Enterprise M Edition running on Rocky Linux release 9.2 (Blue Onyx)
Jul 31 14:00:35 myserver nprobe[801037]: 31/Jul/2023 14:00:35 [nprobe.c:7815] Current limits [16 ZMQ exporters][16 collector devices]
Jul 31 14:00:35 myserver nprobe[801037]: 31/Jul/2023 14:00:35 [nprobe.c:7826] SystemId: L3A5BDC46B208AA8C--U3A5BDC46A6900D83--OL
Jul 31 14:00:35 myserver nprobe[801037]: 31/Jul/2023 14:00:35 [nprobe.c:7919] Sample rate [packet: 1][flow collection/export: 1/1]
Jul 31 14:00:35 myserver nprobe[801037]: 31/Jul/2023 14:00:35 [nprobe.c:9948] Using template %IN_SRC_MAC %OUT_DST_MAC %INPUT_SNMP %OUTPUT_SNMP %SRC_VLAN %IPV4_SRC_ADDR %IPV4_DST_ADDR %L4_SRC_PORT %L4_DST_PORT %IPV6_SRC_ADDR %IPV6_DST_ADDR %IP_PROTOCOL_VERSION %PROTOCOL %L7_PROTO %L7_CONFIDENCE %IN_BYTES %IN_PKTS %OUT_BYTES %OUT_PKTS %FIRST_SWITCHED %LAST_SWITCHED %CLIENT_TCP_FLAGS %SERVER_TCP_FLAGS %L7_PROTO_RISK %L7_RISK_SCORE %EXPORTER_IPV4_ADDRESS %DIRECTION %SAMPLING_INTERVAL %TOTAL_FLOWS_EXP %NPROBE_IPV4_ADDRESS %POST_NAT_SRC_IPV4_ADDR %POST_NAT_DST_IPV4_ADDR %POST_NAPT_SRC_TRANSPORT_PORT %POST_NAPT_DST_TRANSPORT_PORT
Jul 31 14:00:35 myserver nprobe[801037]: 31/Jul/2023 14:00:35 [nprobe.c:9950] Using NetFlow Packet Payload Len: 1472
Jul 31 14:00:35 myserver nprobe[801037]: 31/Jul/2023 14:00:35 [template.c:3506] WARNING: Unable to locate template 'NPROBE_IPV6_ADDRESS'. Discarded.
Jul 31 14:00:35 myserver nprobe[801037]: 31/Jul/2023 14:00:35 [template.c:3506] WARNING: Unable to locate template 'NPROBE_IPV6_ADDRESS'. Discarded.
Jul 31 14:00:35 myserver nprobe[801037]: 31/Jul/2023 14:00:35 [plugin.c:1196] 0 plugin(s) enabled
Jul 31 14:00:35 myserver nprobe[801037]: 31/Jul/2023 14:00:35 [nprobe.c:10491] Each flow is 132 bytes long
Jul 31 14:00:35 myserver nprobe[801037]: 31/Jul/2023 14:00:35 [nprobe.c:10492] The # flows per packet has been set to 10
Jul 31 14:00:35 myserver nprobe[801037]: 31/Jul/2023 14:00:35 [nprobe.c:10495] IP TOS is ignored
Jul 31 14:00:35 myserver nprobe[801037]: 31/Jul/2023 14:00:35 [nprobe.c:11293] Flow export type (-T): bidirectional flows
Jul 31 14:00:35 myserver nprobe[801037]: 31/Jul/2023 14:00:35 [nprobe.c:11501] Flows ASs will not be computed (no GeoDB files loaded with --as-list)
Jul 31 14:00:35 myserver nprobe[801037]: 31/Jul/2023 14:00:35 [nprobe.c:11533] Flows will be exported in NetFlow 9 format
Jul 31 14:00:35 myserver nprobe[801037]: 31/Jul/2023 14:00:35 [nprobe.c:11576] Learning the public IP address.. Disable it with --disable-startup-checks
Jul 31 14:00:40 myserver nprobe[801037]: 31/Jul/2023 14:00:40 [util.c:6303] Initializing ZMQ as server
Jul 31 14:00:40 myserver nprobe[801037]: 31/Jul/2023 14:00:40 [util.c:6382] Successfully created ZMQ endpoint tcp://0.0.0.0:5556 with sourceId: 1257846037
Jul 31 14:00:40 myserver nprobe[801037]: 31/Jul/2023 14:00:40 [nprobe.c:11750] Not capturing packet from interface (collector mode)
Jul 31 14:00:40 myserver nprobe[801037]: 31/Jul/2023 14:00:40 [util.c:5143] Enlarged socket buffer [echo 8388608 > /proc/sys/net/core/rmem_max]
Jul 31 14:00:40 myserver nprobe[801037]: 31/Jul/2023 14:00:40 [util.c:5198] nProbe changed user to 'nprobe'
Jul 31 14:00:40 myserver nprobe[801037]: 31/Jul/2023 14:00:40 [collect.c:246] Flow collector listening on port 6363 (IPv4/v6)
Jul 31 14:00:40 myserver nprobe[801037]: 31/Jul/2023 14:00:40 [export.c:479] Using TLV as serialization format
Jul 31 14:00:40 myserver nprobe[801037]: 31/Jul/2023 14:00:40 [nprobe.c:12046] nProbe started successfully
Jul 31 14:00:42 myserver nprobe[801037]: 31/Jul/2023 14:00:42 [collect.c:3342] Collecting flows from 141.34.xx.xx [total: 1/16]
Jul 31 14:00:45 myserver nprobe[801037]: 31/Jul/2023 14:00:45 [collect.c:1782] Added new flow template definition [id=256][flow_version=9][netflow_device=141.34.xx.xx:60429][observation_domain_id=0][total=1]

Unfortunately, I can't see any flows in ntop. But under Interface/Collected ZMQ Messages I can see that messages are fetched from NTopng.

My configuration:

nprobe.conf

-n none
-i none
--ntopng=zmq://0.0.0.0:5556
--collector-port=6363

ntopng.conf

-G=/var/run/ntopng.pid
--dns-mode=1
-i tcp://141.34.xx.xx:5556

Do you have a hint as to what could be configured wrong?

cardigliano commented 4 weeks ago

Old issue, please reopen in case