nProbe
Posted: Thu Jul 09, 2009 9:53 am
nProbe is a NetFlow v5/v9/IPFIX probe that runs on Unix and Windows.
Combining nProbe with CySight provides a workable solution for traffic analysis without a router. Install nProbe on a computer that sits on the subnet to be monitored, or that is connected to a mirrored (SPAN) port of a switch. nProbe captures every packet passing through that computer's network interface card and exports the traffic data as NetFlow v5/v9/IPFIX.
Configure nProbe to send its NetFlow export to the IP address and listening UDP port of CySight; CySight collects the NetFlow records that nProbe exports.
Prerequisites:
Set up nProbe to export a complete NetFlow record. Do not use Flexible NetFlow. CySight only processes v9 data FlowSets whose template contains at least: source IP, destination IP, source port, destination port, protocol, input interface index, output interface index, incoming packets, incoming bytes, and Type of Service.
When nProbe is the source of the NetFlow v9 export, the template definition (the -T option) must contain the following fields:
nprobe -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %L4_SRC_PORT %L4_DST_PORT %PROTOCOL %INPUT_SNMP %OUTPUT_SNMP %IN_BYTES %IN_PKTS %SRC_TOS"
The order of the fields may differ; what matters is that all ten are present in the exported template.
For a complete description of nProbe and its configuration options, refer to the nProbe documentation.
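As an added example (not code from nProbe or CySight), the following Python script shows what the prerequisite above means on the wire: it parses a NetFlow v9 datagram, records the template FlowSet, and accepts a data FlowSet only when its template carries the ten required fields, rejecting it otherwise the way CySight would. The packets are constructed inline, so it runs without nProbe; the field type numbers are the standard RFC 3954 IDs, and the collector port 2055 mentioned in the docstring is an assumption.

```python
"""NetFlow v9 template check for a CySight-bound nProbe export.

Added example; not nProbe or CySight code. Packets are constructed inline.
To check a real export, bind a UDP socket on the collector port (assumed
2055) and pass each datagram to parse_v9() with one shared `templates` dict,
since templates and data usually arrive in different datagrams.
"""
import socket
import struct

# NetFlow v9 field type IDs (RFC 3954, section 8) of the required fields.
REQUIRED_FIELDS = {
    8: "IPV4_SRC_ADDR", 12: "IPV4_DST_ADDR",
    7: "L4_SRC_PORT", 11: "L4_DST_PORT",
    4: "PROTOCOL", 10: "INPUT_SNMP", 14: "OUTPUT_SNMP",
    2: "IN_PKTS", 1: "IN_BYTES", 5: "SRC_TOS",
}
IPV4_FIELDS = {8, 12}
HEADER = "!HHIIII"   # version, count, sysUptime, unix_secs, sequence, source_id


def build_v9_packet(template_id, fields, records, source_id=1):
    """Build one v9 packet: a template FlowSet (id 0) plus a data FlowSet.
    fields: list of (type, length); records: dicts keyed by field type."""
    body = struct.pack("!HH", template_id, len(fields))
    for ftype, flen in fields:
        body += struct.pack("!HH", ftype, flen)
    template_fs = struct.pack("!HH", 0, 4 + len(body)) + body
    data = b""
    for rec in records:
        for ftype, flen in fields:
            if ftype in IPV4_FIELDS:
                data += socket.inet_aton(rec[ftype])
            else:
                data += rec[ftype].to_bytes(flen, "big")
    pad = (-len(data)) % 4                      # FlowSets are 4-byte aligned
    data_fs = struct.pack("!HH", template_id, 4 + len(data) + pad) + data + b"\0" * pad
    header = struct.pack(HEADER, 9, 1 + len(records), 0, 0, 1, source_id)
    return header + template_fs + data_fs


def decode_records(body, fields):
    """Split a data FlowSet body into records using the template's layout."""
    rec_len = sum(flen for _, flen in fields)
    out, pos = [], 0
    while pos + rec_len <= len(body):           # trailing padding is skipped
        rec = {}
        for ftype, flen in fields:
            raw, pos = body[pos:pos + flen], pos + flen
            name = REQUIRED_FIELDS.get(ftype, "field_%d" % ftype)
            rec[name] = socket.inet_ntoa(raw) if ftype in IPV4_FIELDS else int.from_bytes(raw, "big")
        out.append(rec)
    return out


def parse_v9(packet, templates=None):
    """Parse one v9 datagram. Returns (templates, records, rejected): records
    decoded via complete templates, and (flowset_id, reason) for the rest."""
    templates = {} if templates is None else templates
    version, _count, _up, _secs, _seq, source_id = struct.unpack_from(HEADER, packet, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    off, records, rejected = struct.calcsize(HEADER), [], []
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4:
            raise ValueError("malformed FlowSet length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                          # template FlowSet; may carry several templates
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:                      # data FlowSet (ids 1-255 are option/reserved)
            fields = templates.get((source_id, fs_id))
            if fields is None:
                rejected.append((fs_id, "template not yet received"))
            else:
                missing = set(REQUIRED_FIELDS) - {ftype for ftype, _ in fields}
                if missing:
                    names = ",".join(sorted(REQUIRED_FIELDS[m] for m in missing))
                    rejected.append((fs_id, "template lacks " + names))
                else:
                    records.extend(decode_records(body, fields))
        off += fs_len
    return templates, records, rejected


def demo():
    """Constructed sample: a complete template (256) and one without the
    interface indexes (257); the latter is what CySight would discard."""
    full = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (10, 2), (14, 2), (1, 4), (2, 4), (5, 1)]
    flow = {8: "10.0.0.5", 12: "192.0.2.10", 7: 51234, 11: 443, 4: 6,
            10: 1, 14: 2, 1: 1500, 2: 12, 5: 0}
    _, ok_records, ok_rejected = parse_v9(build_v9_packet(256, full, [flow]))
    partial = [f for f in full if f[0] not in (10, 14)]
    _, bad_records, bad_rejected = parse_v9(build_v9_packet(257, partial, [flow]))
    return ok_records, ok_rejected, bad_records, bad_rejected


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The check keys templates by (source_id, template_id), as a collector must, because two exporters can reuse the same template number; a data FlowSet that arrives before its template is reported rather than guessed at, which is exactly the situation a collector sees right after nProbe starts until the next template refresh.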
nProbe Usage
Copyright 2002-09 by Luca Deri <deri@ntop.org>
Usage:
nprobe -n <host:port|none> [-i <interface|dump file>] [-t <lifetime timeout>]
[-d <idle timeout>] [-l <queue timeout>] [-s <scan cycle>] [-N]
[-p <aggregation>] [-f <filter>] [-a] [-b <level>]
[-P <path>] [-F <dump timeout>] [-D <format>]
[-u <in dev idx>] [-Q <out dev idx>]
[-v] [-w <hash size>] [-e <flow delay>] [-B <packet count>]
[-z <min flow size>] [-M <max num flows>][-R <payload Len>]
[-x <payload policy>] [-E <engine>] [-C <flow lock file>]
[-m <min # flows>][-q <host:port>]
[-S <sample rate>] [-A <AS list>] [-g <PID file>]
[-T <Flow Template>] [-U <Flow Template Id>]
[-o <v9 Templ. Export Policy>] [-L <local nets>] [-c] [-r]
[-1 <MAC>@<ifIdx>][-3 <port>] [-4] [-5 <port>] [-6]
[-9 <path>] [--black-list <networks>] [--pcap-file-list <filename>]
Limitations:
Interface
nProbe captures packets from a network interface card, a mirrored port on a switch, or a tap. There is therefore no real interface information available, as there would be in the router scenario. nProbe can "forge" an interface index and inject it into the NetFlow export (the -u <in dev idx> and -Q <out dev idx> options in the usage above), so the interface information shown in CySight is artificially produced by nProbe. Interface bandwidth settings must be configured manually in CySight for the Overview screen to reflect utilization correctly.
Device IP
CySight distinguishes routers by their IP addresses. nProbe allows you to spoof the IP address of the original device (the -q <host:port> sender-address option in the usage above). If this is not set, CySight reports the IP address of the computer on which nProbe runs as the device, not the IP of any physical network device. SNMP is unavailable unless an SNMP agent is also running on that computer. When the device IP is spoofed, SNMP only works correctly if the interfaces in nProbe are reassigned to the same ifIndex values as the original router/switch. Note that the collector identifies the exporter solely by the source address of unauthenticated UDP datagrams, so the same spoofing is available to anyone who can reach the CySight listening port; restrict that port to the nProbe host(s) at the firewall.