ntop / ntopng

Web-based Traffic and Security Network Traffic Monitoring
http://www.ntop.org
GNU General Public License v3.0

Nprobe + NtopNG with Cisco ASA #713

Closed tiitba closed 8 years ago

tiitba commented 8 years ago

hi, I have installed: ntopng Pro [Small Business Edition] v.2.4.160818 and nProbe Pro v.7.4.160818. On the other side, a Cisco ASA that sends NetFlow to port 2055.

My config of nprobe:

```
nprobe -G --zmq tcp://*:5556 -i none -n none --collector-port 2055
```

My config of ntopng.conf:

```
-G=/var/run/ntopng.pid
--online-license-check
--local-networks="10.0.0.0/16, 10.2.0.0/16, 10.1.0.0/16, 10.1.1.0/24, 10.7.0.0/16, 172.17.0.0/16"
--interface="tcp://10.1.0.26:5556"
--daemon
--enable-aggregations
```

Up to this point, all ok: (screenshot: asaok)

But then, the graphs appear with clean intervals: (screenshot: asanook)

In this case, the traffic is very poor, it doesn't show the real one: (screenshot: asanook2)

On the console screen:

```
(netstat -putan)
udp   0   0 0.0.0.0:2055   0.0.0.0:*   2870/nprobe

(iftop)
10.1.0.26:2055 <= 10.1.14.2:37348   477Kb   531Kb   470Kb
```

Where 10.1.0.26 is a host with Linux Debian Jessie, ntopng + nprobe, and 10.1.14.2 is a Cisco ASA.

Any idea how to analyze this?

simonemainardi commented 8 years ago

apart from the dashboard, does the traffic continue to appear on ntopng? For example, if you navigate to the flows page, do you still see new flows?

You can try and use the browser inspector to see if there is some issue with the dashboard. Right click->inspect element and look for exceptions while the issue occurs.

tiitba commented 8 years ago

The "Top Local Talkers" and "Top Remote Destinations" panels are updated. The problem is on the realtime traffic panels, for network interfaces and Application Traffic. I have not found exceptions using inspect element.

simonemainardi commented 8 years ago

I need to see that behavior in action. Can you give me remote access at least to the web interface? You can use my mail mainardi ntop org

tiitba commented 8 years ago

hi, I can't give you access, but I can give you system activity logging. Is it useful?

tiitba commented 8 years ago

I think that I found the problem: (screenshot: ntopflow)

Is it necessary to use the parameter --max-num-flows? The default is 131072, but what is the recommendation?

simonemainardi commented 8 years ago

increase that to make sure the maximum number is much higher than the actual number. This will limit the collisions in the internal hash tables and boost the performance.

please, let us know.

simonemainardi commented 8 years ago

@tiitba any news?

tiitba commented 8 years ago

hi, sorry, I had issues with servers; when I finished with these, I returned to work with ntopng. I will try with 1000000 flows as the parameter, do you think that it will have any problems with performance?

simonemainardi commented 8 years ago

1M flows as maximum value may be OK, but if you approach 1M real flows in practice on a single interface then this number may be too high. In that case, there are tricks you can use such as network views that create a logical merge of multiple interfaces.

tiitba commented 8 years ago

hi, I am not using the -H parameter, because I have not set up mysql yet. In case of using the db, is it necessary to set flows? If you want, I can show you my final project (a simple scheme) to monitor two routers at different sites, and then you tell me if it is the best setting to use ntopng + nprobe. I am not in a hurry, but I would like to have this system running by the end of the year.

simonemainardi commented 8 years ago

I guess you mean flag -F... Anyway, without storing flows to the db, you can still get plenty of information. If you need raw flows stored on the db, this depends on you and what you want to achieve.

Please, share the scheme here.

simonemainardi commented 8 years ago

possible solution found. no feedback received. closing for inactivity.

tiitba commented 8 years ago

hi, sorry for the wait, my organization's Active Directory broke and it took up my time. I have the schema I would like to use: (diagram: ntopng)

I have the router configs (Mikrotik and ASA) ready. What type of setup do you recommend?

simonemainardi commented 8 years ago

that setup is perfectly fine. launch three nprobe instances, each one receiving flows from a router. then configure each nprobe to export flows to ntopng on a different port (e.g., `tcp://*:5556`, `tcp://*:5557` and `tcp://*:5558`). Finally start ntopng on three different interfaces (`-itcp://localhost:5556`, `-itcp://localhost:5557`, `-itcp://localhost:5558`) and you're done

tiitba commented 8 years ago

ok thanks, I will work on your solution and then I will tell you about the result that I obtained.

tiitba commented 8 years ago

hi, here is the config that I use, conforming to your instructions.

nprobe config:

```
nprobe -G -i eth0 -n none -3 2056 --zmq tcp://10.1.0.26:5556
nprobe -G -i eth0 -n none -3 2057 --zmq tcp://10.1.0.26:5557
```

ntopng config (/etc/ntopng/ntopng.conf):

```
-G=/var/run/ntopng.pid
--online-license-check
--local-networks="10.0.0.0/16, 10.2.0.0/16, 10.1.0.0/16, 10.1.1.0/24, 10.7.0.0/16, 172.17.0.0/16"
--interface="tcp://10.1.0.26:5556"
--interface="tcp://10.1.0.26:5557"
--daemon
--enable-aggregations
--max-num-flows=200000
--max-num-hosts=250000
--sticky-hosts
```

it works!!!

But I have some doubts about the flows and hosts (yes, I come back to this topic). I read the help and guide included in nprobe and ntopng. In the nprobe guide I found the following parameters: `--lifetime-timeout | -d`, `--idle-timeout | -l`. On the other side, in the ntopng guide I found these parameters: `--max-num-flows`, `--max-num-hosts`, `--sticky-hosts`.

So, can I use both parameters on the different components? What values to use in each parameter?

thanks

simonemainardi commented 8 years ago

Hi, see below,

On Mon, Sep 19, 2016 at 9:16 PM, tiitba notifications@github.com wrote:

> hi, here is the config that I use, conforming to your instructions:
>
> nprobe config:
>
> ```
> nprobe -G -i eth0 -n none -3 2056 --zmq tcp://10.1.0.26:5556
> nprobe -G -i eth0 -n none -3 2057 --zmq tcp://10.1.0.26:5557
> ```
>
> ntopng config (/etc/ntopng/ntopng.conf):
>
> ```
> -G=/var/run/ntopng.pid --online-license-check --local-networks="10.0.0.0/16, 10.2.0.0/16, 10.1.0.0/16, 10.1.1.0/24, 10.7.0.0/16, 172.17.0.0/16" --interface="tcp://10.1.0.26:5556" --interface="tcp://10.1.0.26:5557" --daemon --enable-aggregations --max-num-flows=200000 --max-num-hosts=250000 --sticky-hosts
> ```
>
> it works!!!
>
> But I have some doubts about the flows and hosts (yes, I come back to this topic). I read the help and guide included in nprobe and ntopng. In the nprobe guide I found the following parameters: `--lifetime-timeout | -d`, `--idle-timeout | -l`

defaults should be ok so you shouldn't have to tune them. However, you may want to increase ntopng flow idle timeout to 240 seconds (you can do this from ntopng preferences pane)

> and on the other side, in the ntopng guide I found these parameters: `--max-num-flows`, `--max-num-hosts`, `--sticky-hosts`

you can tune those guys independently from the parameters above

make sure max-num-flows and max-num-hosts are much greater than the actual number of flows and hosts.

> So, can I use both parameters on the different components?

yes

> What values to use in each parameter?
>
> thanks

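A small sanity check for the two pieces of advice in this thread (one nProbe ZMQ port per `--interface`, and `--max-num-flows` / `--max-num-hosts` "much greater" than the observed counts). This is an added example, not code from ntopng or nProbe; the 4x headroom factor, the observed peak counts and the sample ntopng.conf are assumptions for illustration.

```python
"""Check an ntopng.conf like the one posted in this thread.

Added example, not ntopng/nProbe code.  Parses the one-option-per-line
ntopng.conf format, reports ZMQ ports shared by more than one --interface,
and checks --max-num-flows / --max-num-hosts against observed peaks.
"""
import shlex
from urllib.parse import urlparse

DEFAULT_MAX_FLOWS = 131072   # ntopng default quoted in the thread
HEADROOM = 4                 # assumption: limit should be >= 4x observed peak

# Constructed sample mirroring the config posted above.
SAMPLE_CONF = """
-G=/var/run/ntopng.pid
--local-networks="10.0.0.0/16, 10.2.0.0/16, 10.1.0.0/16"
--interface="tcp://10.1.0.26:5556"
--interface="tcp://10.1.0.26:5557"
--max-num-flows=200000
--max-num-hosts=250000
--sticky-hosts
"""

def parse_conf(text):
    """Map option name (without leading dashes) -> list of values; bare flags -> [True]."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, val = line.partition("=")
        opts.setdefault(key.lstrip("-"), []).append(shlex.split(val)[0] if sep else True)
    return opts

def duplicate_zmq_ports(opts):
    """Ports used by more than one tcp:// --interface (each nProbe needs its own)."""
    ports = [urlparse(u).port for u in opts.get("interface", []) if u.startswith("tcp://")]
    return sorted({p for p in ports if ports.count(p) > 1})

def next_pow2(n):
    """Round up to a power of two, like the 131072 (2^17) default."""
    return 1 << (int(n) - 1).bit_length()

def check_limit(opts, name, observed, default):
    """Return (configured, ok, recommended) for --max-num-<name>; default applies if unset."""
    configured = int(opts.get("max-num-" + name, [default])[0])
    needed = observed * HEADROOM
    return configured, configured >= needed, next_pow2(needed)

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print("duplicate ZMQ ports:", duplicate_zmq_ports(conf))
    for name, peak in (("flows", 60000), ("hosts", 20000)):   # constructed peaks
        print(name, check_limit(conf, name, peak, DEFAULT_MAX_FLOWS))
```

The hosts default passed here is a placeholder; only the flows default (131072) is stated in the thread.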