nprobe flows not showing in ntopng flows live #637
The equal sign and the "c" suffix in the nprobe port may not be correct. Try something like: |
Hi Marco,
Review and suggestions appreciated. I applied the suggested code but
ntopng/flows/live (see attached)
…On Thu, Oct 31, 2024 at 8:44 PM Marco Graziano ***@***.***> wrote:
The equal sign and the "c" suffix in the nprobe port may not be correct.
Try something like:
/usr/bin/ntopng -e -i eth0 -i lo -i zmq://127.0.0.1:5556c -w 3000 -n 1
/usr/bin/nprobe -n none -T "@NTOPNG@" --ntopng zmq://127.0.0.1:5556 --zmq-probe-mode
--
Feel free to contact me if I may provide any additional information and
thank you in advance for your attention in this matter.
Danny
***@***.***
P Please consider the environment before printing this e-mail
|
You did not specify -i eth0 for nprobe and it is connected to the lo interface as it is the default interface. Is that what you want? Also, remove the c in zmq://127.0.0.1:5556c to zmq://127.0.0.1:5556. |
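The two replies above amount to a small consistency check on the pair of command lines. The following is an added example, not part of the thread and not ntop code: the function names are hypothetical, and the rules that the ntopng side keeps the "c" suffix when nprobe runs with --zmq-probe-mode and that both sides name the same host and port are assumptions read off the suggested commands.

```python
import re
import shlex

ZMQ_URL = re.compile(r"^zmq://([^:/]+):(\d+)(c?)$")

def zmq_endpoints(cmdline, flag):
    """Return (findings, [(host, port, has_c_suffix)]) for ZMQ URLs given to `flag`."""
    findings, endpoints = [], []
    args = shlex.split(cmdline)
    for pos, arg in enumerate(args):
        name, eq, inline = arg.partition("=")
        if name != flag:
            continue
        if eq:  # e.g. "-i=" as in the command posted in the issue
            findings.append(f"{arg!r}: drop the '=' after {flag}")
        value = inline or (args[pos + 1] if pos + 1 < len(args) else "")
        m = ZMQ_URL.match(value)
        if m:  # plain interfaces such as eth0 or lo are skipped
            endpoints.append((m.group(1), int(m.group(2)), bool(m.group(3))))
    return findings, endpoints

def check_pair(ntopng_cmd, nprobe_cmd):
    """Check an ntopng/nprobe command pair against the advice in this thread."""
    findings, collectors = zmq_endpoints(ntopng_cmd, "-i")
    more, exports = zmq_endpoints(nprobe_cmd, "--ntopng")
    findings += more
    probe_mode = "--zmq-probe-mode" in shlex.split(nprobe_cmd)
    for host, port, has_c in exports:
        if has_c:
            findings.append(f"nprobe --ntopng {host}:{port}c: remove the 'c' suffix")
        peers = [c for c in collectors if c[:2] == (host, port)]
        if not peers:  # assumption: both sides must name the same host:port
            findings.append(f"no ntopng zmq interface for {host}:{port}")
        elif probe_mode and not any(c[2] for c in peers):
            # assumption: with --zmq-probe-mode the ntopng side carries the 'c'
            findings.append(f"ntopng zmq interface {host}:{port} has no 'c' suffix")
    return findings

# Command lines as posted in the issue, and as suggested in the first reply.
POSTED = ('/usr/bin/ntopng -e -i eth0 -i lo -i= zmq://127.0.0.1:5556c -w 3000 -n 1',
          '/usr/bin/nprobe -n none -T "@NTOPNG@" --ntopng zmq://127.0.0.1:5556c --zmq-probe-mode')
SUGGESTED = ('/usr/bin/ntopng -e -i eth0 -i lo -i zmq://127.0.0.1:5556c -w 3000 -n 1',
             '/usr/bin/nprobe -n none -T "@NTOPNG@" --ntopng zmq://127.0.0.1:5556 --zmq-probe-mode')

if __name__ == "__main__":
    for label, pair in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(label, check_pair(*pair) or "ok")
```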
Hello and response appreciated. ntopng traffic dashboard shows active
hosts but flows live does not. Here's the most recent code:
sudo /usr/bin/ntopng -e -i eth0 -i zmq://127.0.0.1:5556c -w 3000 -n 1
sudo /usr/bin/nprobe -n none -i eth0 -T "@NTOPNG@" --ntopng zmq://127.0.0.1:5556 --zmq-probe-mode
Specifics for my location and case tweaks are needed:
1. Using Pro embedded ntopng and Pro embedded nprobe for Raspberry Pi 5
2. Raspberry Pi 5 will monitor/alert/report network for outgoing LAN and
incoming WAN traffic
3. Raspberry Pi 5 is located on LAN with router and behind pfSense firewall
4. Have ability/will eventually add port mirroring for pfSense traffic
Thanks. Danny.
…On Fri, Nov 1, 2024 at 5:39 AM dkggpeters ***@***.***> wrote:
You did not specify -i eth0 for nprobe and it is connected to the lo
interface as it is the default interface. Is that what you want?
Also, remove the c in zmq://127.0.0.1:5556c to zmq://127.0.0.1:5556.
/usr/bin/nprobe -n none -T "@NTOPNG@" --ntopng zmq://127.0.0.1:5556*c* --zmq-probe-mode
|
Not sure on the capabilities of NProbe Embedded but I believe you can only use it as a collector or proxy. You most likely need to use PFlow with PFSense (only plus has this option) to pass Netflow/IPFIX data to nprobe or port mirroring to the nprobe. Another option to try is use the ip address:5556 of the raspberry pi rather than 127.0.0.1 and *.5556c on ntopng since it appears to reside on the pi as well. The attached blog has 2 parts in which nprobe is running on a raspberry pi although data is being fed in via port mirroring on a switch. https://brezular.com/2019/04/01/part1-monitoring-network-traffic-with-ntopng-and-nprobe/ Outside of that if it does not work, I would email support. |
Hi Danny, I am setting up a RPI for a very similar use case and I am interested in knowing why you are setting up ntopng in probe mode. I imagine because it is behind a firewall even though from your description it is not completely clear. Also, what you are referring to as "ntopng embedded" is this perhaps ntopng edge? I am waiting for a dual Ethernet shield for my compute module to set up the RPI in a very similar configuration to run nprobe on it. Best. |
Hi Marco,
I'm reading/learning and ntopng in probe mode seems to be the right option
for Raspberry Pi 5 behind pfSense firewall ... however, I'm open to
changes if needed. These are the licenses I've installed based on my
reading (again, I'm learning and open to changes if needed):
ntopng Pro Embedded [Raspberry] license
nProbe Pro Embedded [Raspberry] license:
I wasn't aware of the dual shield option for Raspberry Pi 5 ... I've placed
pfSense and router on a separate managed LAN switch and using one of the
managed switch ports in mirror mode to send traffic to Raspberry Pi 5 (for
ntopng traffic monitoring/alerts/reporting) connected to a separate
internal LAN network switch. At least that's the goal once I figure out
showing live flows.
Thanks. Danny.
…On Fri, Nov 1, 2024 at 4:12 PM Marco Graziano ***@***.***> wrote:
Hi Danny,
I am setting up a RPI for a very similar use case and I am interested in
knowing why you are setting up ntopng in probe mode. I imagine because
it is behind a firewall even though from your description it is not
completely clear.
Also, what you are referring to as "ntopng embedded" is this perhaps
ntopng edge?
I am waiting for a dual Ethernet shield for my compute module to set up the
RPI in a very similar configuration to run nprobe on it.
Best.
|
Hello and guidance appreciated. However, I wasn't able to access your
included link describing port mirroring using ntopng and nprobe. However, I
located this link and it describes my current network design and setup:
https://www.ntop.org/ntopng/howto-monitor-traffic-in-smes-and-home-networks-a-primer/.
However, I haven't plugged in the mirrored port into the Raspberry Pi 5
because I'm unsure of impact especially with flows not quite working and my
expertise/knowledge is very limited at this level. Seems like I'm very
close ... maybe a support request is a good idea and if so, what's required
to get started. I recently activated the licenses and think initial setup
support is included?
Thanks. Danny.
…On Fri, Nov 1, 2024 at 2:13 PM dkggpeters ***@***.***> wrote:
Not sure on the capabilities of NProbe Embedded but I believe you can only
use it as a collector or proxy. You most likely need to use PFlow with
PFSense (only plus has this option) to pass Netflow/IPFIX data to nprobe or
port mirroring to the nprobe.
Another option to try is use the ip address:5556 of the raspberry pi
rather than 127.0.0.1 and *.5556c on ntopng since it appears to reside on
the pi as well. The attached blog has 2 parts in which nprobe is running on
a raspberry pi although data is being fed in via port mirroring on a
switch.
https://brezular.com/2019/04/01/part1-monitoring-network-traffic-with-ntopng-and-nprobe/
Outside of that if it does not work, I would email support.
|
Hi Danny, Check this blog as well: https://www.ntop.org/nprobe/howto-configure-flow-collection-in-nprobe-and-ntopng/ Also, support is certainly included with the professional license. The people at ntop the company are very good at what they do. I have a TP-Link TL-SG105E switch with the router traffic mirrored to another port where I intend to connect a RPI to monitor the traffic with nprobe. I just got my hardware, based actually on a Compute Module and a carrier board from Waveshare with two Ethernet. I will report back my experience in terms of performance but I am not worried based on my previous experience in an enterprise network with nprobe albeit on a much more powerful hardware. From your description I don't understand how you determined you need to use nprobe in probe because if your setup is like the one in the article you provided, unless ntopng is on a remote host, you should be able to use nprobe in collector mode. Check the blog I suggested for a good definition of the two modes. Best, -Marco G. |
Hi Marco,
Suggestions appreciated, I'll give it a try, and let you know the outcome.
As suggested, I've also submitted a support request to ntopng.
Thanks. Danny,
…On Sat, Nov 2, 2024 at 9:10 PM Marco Graziano ***@***.***> wrote:
Hi Danny,
Check this blog as well:
https://www.ntop.org/nprobe/howto-configure-flow-collection-in-nprobe-and-ntopng/
Also, support is certainly included with the professional license. The
people at ntop the company are very good at what they do.
I have a TP-Link TL-SG105E switch with the router traffic mirrored to
another port where I intend to connect a RPI to monitor the traffic with
nprobe. I just got my hardware, based actually on a Compute Module and a
carrier board from Waveshare with two Ethernet. I will report back my
experience in terms of performance but I am not worried based on my
previous experience in an enterprise network with nprobe albeit on a much
more powerful hardware.
From your description I don't understand how you determined you need to
use nprobe in probe because if your setup is like the one in the article
you provided, unless ntopng is on a remote host, you should be able to use
nprobe in collector mode. Check the blog I suggested for a good definition
of the two modes.
Best,
-Marco G.
|
Hi Danny, I wanted to get back to you to report that I have installed the RPI with nprobe, configured ntopng on a linux machine and that everything is working as expected. My configuration is with the RPI running nprobe with two Ethernet. One (eth1) is tapping behind the firewall the traffic on the WAN connection and the other (eth0) is inside the firewall on the same LAN where the linux machine with ntopng is configured in collector mode. I am including the configuration files for both nprobe and ntopng. The RPI eth0 is configured with IP 192.168.50.186. The linux server running ntopng is at IP 192.168.50.17. Hope this helps. -Marco G. |
Hello and good day! Starting new with ntop and nprobe; both are licensed and operational:
/usr/bin/ntopng -e -i eth0 -i lo -i= zmq://127.0.0.1:5556c -w 3000 -n 1
/usr/bin/nprobe -n none -T "@NTOPNG@" --ntopng zmq://127.0.0.1:5556c --zmq-probe-mode
Both are licensed and operational but:
Did I miss a step? What's required to see nprobe flows in the ntopng live flows section?
Thanks. Danny.