Two way traffic

[mzaian]

Hi, Is it possible to get a list of current / historic conversations with source and destination IP, protocol and port? not Top Talkers but two way conversation ? between internal clients with each other , not between clients and ntop server or broadcast address.

Thanks

[simonemainardi]

Hi Mohamed,

You can browse peers involved in current conversations just by selecting the "Peers" tab into each host details page. Host details page are reachable from the dropdown Hosts menu.

Se for example the Peers page of host 65.52.108.74 looks as follows

If you want to drill down historical conversation data, then you should consider exporting ntopng flow data to a MySQL database (e.g., ./ntopng -F"mysql;localhost;ntopng;flows;root;", see the user guide for the details) and the run your own custom queries straight onto the database.

The database has a fairly plain structure, it has just two tables, one for IPv4 and one for IPv6, and contains all the information you need, including interfaces, ip, and so on.

[mzaian]

Hello,

We enabled mysql configuration and it starts to store the data. Our objective is to view top conversations between any 2 parties. This will help us for example to understand who consumes much bandwidth in our wan.

When checked the peers of one of our wan routers we only found the monitoring host communicating to it. Please see the attached image.

[simonemainardi]

@mzaian I think the monitoring host is not seeing the traffic that goes through the wan router. This is why it only shows just the traffic that directly involve it.

You should make sure the traffic that goes through the wan router is also sent to the monitoring host (e.g., via a span port, a tap or via nprobe).

[mzaian]

@simonemainardi

Would you please send us the documentation of configuring nProbe on Ubuntu 14.04. We have ntopng as well as nbox installed on our server.

[simonemainardi]

you can do nprobe --help for detailed usage help. @ValentinaViscarelli may have some additional documentation as well.

[ValentinaViscarelli]

you can find nprobe user's guide here:

http://www.ntop.org/wp-content/uploads/2013/03/nProbe_UserGuide.pdf

[mzaian]

@ValentinaViscarelli I've read the guide and it contains everything and its complicated for us to start with, can you please send us the minimal configuration to use nProbe.

[ValentinaViscarelli]

example ntopng instance: /usr/local/bin/ntopng -i tcp://127.0.0.1:5556

example nprobe instance (eth0 is the interface for incoming traffic): /usr/local/bin/nprobe -i eth0 -n none --zmq tcp://*:5556

In this case nprobe and ntopng are in the same machine. If you have two different machine replace 127.0.0.1 with the nprobe machine address. Said that this is the wrong place to discuss about nprobe application. If you have other comments, please open a issue on "https://github.com/ntop/nProbe/issues"

[mzaian]

Hi,

I followed your steps and was able to make ntopng works with nprobe as a collector.

Now still cannot get the netflow results despite that we configured our WAN router with the correct netflow configuration to redirect to nprobe.

Please check the attachment and inform how we can see a same results from ntopng.

Thanks

[lucaderi]

Please add -b 2 to nprobe so it can print the flows it receives/emits

[ValentinaViscarelli]

@mzaian Do you receive on nprobe "Normal traffic" or "Netflow data"? If you receive netflow data please use this to run nprobe:

/usr/local/bin/nprobe -i none -n none --collector-port 2055 --zmq tcp://*:5556

where --collector-port is the number port where the router send netflow data

[mzaian]

@lucaderi

Thx, I will attach the nprobe and ntopng configuration files, because i'm using nbox to configure both.

@ValentinaViscarelli I'm redirecting the traffic to 9996 from my wan router so i'm running this with port 9996 instead of 2055. Please see the attached conf files.

ntopng.conf.txt nprobe-eth0.conf.txt

[ValentinaViscarelli]

The nprobe configuration is wrong. If you want to receive netflow data from a router you have to use "proxy" tab in nprobe configuration (no eth0 tab). Fill "Listening Port" field with 9996 and "ZeroMQ Endpoint" field with tcp://*:5556

[mzaian]

Thanks this helps a lot. it successfully now showing the "Active Flows". How can we get a detailed report of the same flows for a duration of "Last X" "15 Mins", "1 hour" or "1 day" for example.

Thanks

[mzaian]

pleas update, as i sent you it showed active flows , but how can we check historical data ?

Thanks

[simonemainardi]

@mzaian if you use the Professional edition you can get detailed ntopng reports. If you are running the Community edition, then you can still get plenty of historical data for example by browsing the interface page. You'll se a chart that you can click to drill down an select the time range of interest.

below the chart, if you have mysql enabled, you'll see recorded flows as well