Closed pshute closed 8 years ago
@pshute I have looked at the pcap and as you can see the flow start/end time are missing. That is why they are not converted, as nProbe has no clue what to do. Can you please check the configuration on the router side and add these information elements?
Thanks for taking the time to check that. I'll ask our ISP to add those fields, and I'll report if it works after that.
Can I request that a check be added to nProbe so it can report the missing fields when it encounters them? It might save a few people a lot of time.
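The check requested above, as an added example (not nProbe code and not part of this thread): it parses the template FlowSets of a NetFlow v9 export packet and reports any template that lacks FIRST_SWITCHED (element 22) or LAST_SWITCHED (element 21), the two timing elements said to be missing from the router's export. Element IDs are from RFC 3954; the two sample packets are constructed inline, and `build_template_packet` is a helper written for this example only.

```python
import struct

# NetFlow v9 information element IDs (RFC 3954, section 8).
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
    8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP", 11: "L4_DST_PORT",
    12: "IPV4_DST_ADDR", 14: "OUTPUT_SNMP", 15: "IPV4_NEXT_HOP",
    21: "LAST_SWITCHED", 22: "FIRST_SWITCHED",
}
# Elements a collector needs to compute flow start/end times.
REQUIRED = {21, 22}


def parse_templates(packet):
    """Return {template_id: [(field_type, field_length), ...]} for every
    template FlowSet (FlowSet ID 0) in one NetFlow v9 export packet.
    Data FlowSets and options templates are skipped, not decoded."""
    version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not NetFlow v9 (version=%d)" % version)
    templates = {}
    off = 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("malformed FlowSet length at offset %d" % off)
        end = off + fs_len
        if fs_id == 0:
            p = off + 4
            while p + 4 <= end:
                tid, nfields = struct.unpack("!HH", packet[p:p + 4])
                p += 4
                # Template IDs are >= 256; anything else here is padding.
                if tid < 256 or nfields == 0:
                    break
                fields = []
                for _ in range(nfields):
                    ftype, flen = struct.unpack("!HH", packet[p:p + 4])
                    fields.append((ftype, flen))
                    p += 4
                templates[tid] = fields
        off = end
    return templates


def missing_fields(templates, required=REQUIRED):
    """Map each template ID to the sorted list of required element IDs it lacks."""
    return {tid: sorted(required - {t for t, _ in fields})
            for tid, fields in templates.items()}


def report(packet):
    """Human-readable lines, one per template that cannot yield start/end times."""
    lines = []
    for tid, ids in sorted(missing_fields(parse_templates(packet)).items()):
        if ids:
            names = ", ".join(sorted(FIELD_NAMES.get(i, str(i)) for i in ids))
            lines.append("template %d is missing: %s" % (tid, names))
    return lines


def build_template_packet(tid, fields, source_id=1):
    """Helper for this example: one v9 packet holding a single template record."""
    body = struct.pack("!HH", tid, len(fields))
    body += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    flowset = struct.pack("!HH", 0, 4 + len(body))   # FlowSet ID 0 = template
    header = struct.pack("!HHIIII", 9, 1, 123456, 1471427611, 1, source_id)
    return header + flowset + body


# Constructed samples: a complete template and one without the timing elements.
ROUTER_OK = build_template_packet(256, [
    (8, 4), (12, 4), (15, 4), (10, 2), (14, 2), (2, 4), (1, 4),
    (22, 4), (21, 4), (7, 2), (11, 2), (4, 1),
])
ROUTER_NO_TIMES = build_template_packet(257, [
    (8, 4), (12, 4), (2, 4), (1, 4), (7, 2), (11, 2), (4, 1),
])

if __name__ == "__main__":
    for name, pkt in (("ok", ROUTER_OK), ("no_times", ROUTER_NO_TIMES)):
        print(name, report(pkt) or ["all required elements present"])
```

Feed it the UDP payloads from the capture (for instance via a pcap reader) and it will flag each template that cannot produce FIRST_SWITCHED/LAST_SWITCHED; templates are only re-sent periodically, so the capture must span at least one template refresh.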
When I look again at the same capture file with Wireshark, I see that the "Duration" field shown above can be expanded to show a StartTime and an EndTime. I've uploaded a screen dump to show this. So if the fields are present, what makes you think they're causing this problem?
I've just captured some flows generated by nProbe in probe mode, and compared the fields in those to the ones sent by my routers. The routers are sending all the fields, but in a different order. Does that matter?
The order is not relevant
So if all fields are there, and order doesn't matter, why does nProbe seem to be ignoring the data?
Is it possible to get nprobe to read from the capture file in collector mode? I'd like to check if the problem is with it not interpreting the data correctly, or if it's having some kind of trouble even getting access to the data.
Any other tests I can do?
@pshute Sorry for the late reply, but I am on vacation with limited internet access. I have looked at the pcap again and run a test, and it seems to work for me (sorry, but again due to limited access to my lab, when I ran the first test I got confused by the timestamp problem).
Example
```
nprobe -i none -b 2 -P /tmp/ -3 2055 -n none
```
produces
```
more /tmp/2016/08/23/09/09.flows
IPV4_SRC_ADDR|IPV4_DST_ADDR|IPV4_NEXT_HOP|INPUT_SNMP|OUTPUT_SNMP|IN_PKTS|IN_BYTES|FIRST_SWITCHED|LAST_SWITCHED|L4_SRC_PORT|L4_DST_PORT|TCP_FLAGS|PROTOCOL|SRC_TOS|SRC_AS|DST_AS|IPV4_SRC_MASK|IPV4_DST_MASK
192.168.63.63|78.106.215.96|10.100.25.9|23|1|1|95|1471427611|1471427611|26922|61914|16|17|0|0|8402|24|0
192.168.63.63|46.119.196.212|10.100.25.9|23|1|2|190|1471427611|1471427611|26922|26541|16|17|0|0|15895|24|0
192.168.63.63|124.148.253.40|10.100.25.9|23|1|2|202|1471427611|1471427611|26922|62293|16|17|0|0|4739|24|0
```
Can you please add -b 2 (sorry, but from here I don't have access to a Windows box, so I have made the tests on Unix) and see what nProbe prints on screen? Are no text files produced at all?
How did you get it to read my file, please? I'd like to try the same test.
Not sure. Please send me the mail again (deri@ntop.org) and in the subject specify this issue.
Closing for inactivity. Will reopen if necessary.
I can see NetFlow data arriving on port 9996 in Wireshark, but this command dumps no data: `nprobe /c -i none -n none --collector-port 9996 -V9 -P c:\temp\nprobe`
Am I doing something wrong?
Note that I'm using nProbe on a Win 10 machine. The attached file was dumped with `WinDump.exe -s 0 -w c:\temp\nprobe\dump.txt` (dump.txt)