Hi,
I have been trialling scrutinizer because we want to see the packets coming in from 3750's and these are not supported
under netflow. You can put span ports and plug a laptop into it and the Nprobe software will convert the original packets into
netflow format. This is then sent to the Scrutinizer module on the server and you can see the application traffic etc.
Solarwinds said that this should work using the Netflow module but I either get an error message saying that netflow traffic is seen on an unmanaged interface on the laptop (but I am monitoring all the interfaces) or it does not see any traffic.
If the laptop is pushing netflow traffic to the netflow module I would think that it should see this and it should work.
Anyone any knowledge on this?
Thanks
Sam
If anyone said that it would definitely work, they misspoke. It may or may not work. It's not something we officially support, so we've never tried it in-house. You are the first request for this feature. If we begin to see more demand, I'll consider adding it, at which point we'll make sure it works.
I don't know if anyone else might want it but if they knew it would work I'm sure they would.
If it doesn't work then we will probably have to buy scrutinizer instead of the Netflow module which is
a bit of a shame because the functionality of the netflow module is much better.
I'd be interested in this functionality.
I'm trying to work around having our border router as a Sonicwall rather than Cisco.
Alternatively, you could support SW's exported log format, but I suspect that's a bit more work...
I have successfully used nprobe to collect info from a windows server and send it to NTA.
You need to set the -u and -Q parameters to fix the index number of the input and output devices
I'm probably being dense, but how do you set the parameters for the server?
Any points would be helpful.
At the command prompt use nprobe /r to remove the existing service
nprobe /c -h then provides full listing of all switches
something like
nprobe /i -i 1 -n 192.168.0.1:2055 -u 1 -Q 1
will re-install the service and send all the data from interface 1 to NTA (on 192.168.0.1 port 2055) all tagged as coming from interface index 1
Following on from my post, I've worked out how to set the variables, and I can see the netflow packets arriving at the collector, but it's not being picked up by Orion.
What do I need to set -u and -q to for Orion to see the network packets?
The monitoring box has two ethernet interfaces, one that's plugged into a span port, and the other that is used to send the flows across the network.
Try the interface index of either port, providing that port is being monitored by Orion.
Sorted and working beautifully. Thanks for your help.
I am still unable to get this to work and I'm sure that it's the command line that I'm doing wrong.
I have a laptop plugged in to the monitor port on the cisco 3750 and the other port connected to a normal
port to send the traffic.
I have found out that the laptop has interface index numbers of 0 and 8. So one is the monitor port and the
other one is the normal port. I have tried lots of combinations of the command, i.e.
nprobe /i -i 1 -n 192.168.0.1:2055 -u 0 -Q 8
nprobe /i -i 0 -n 192.168.0.1:2055 -u 8 -Q 8
I am guessing really as I don't know which interface index number is connected to which port on the laptop.
If anyone has any ideas that would be great as I'm beginning to lose the plot!!
If you are monitoring both interfaces on Orion then setting the -u and -Q switches to either 0 or 8 should work with either -i 0 or -i 8 depending on which is the ingress port.
I have had a problem with running nprobe as a service on 1 or 2 machines. Try running it from the console with nprobe /c; this has the advantage of a verbose mode, -b 1 or -b 2, which may help with debugging.
I had loads of problems with this but I have finally got it working.
SAM
I still don't quite get it.
If none of our routers or switches have netflow, jflow or sflow then this is pointless?
I started reading this thread on the context that nprobe was a soft-alternative to buying a netflow-able router. But having played with it, it looks like just another collector.
Please tell me I missed something?
I have been evaluating your products for the last week or so and am utterly in love... Or I would be if it actually analysed traffic! I hope there is a work around, because I really don't see anything else worth considering on the market.
Ghostcorps,
The others on this thread seem to indicate that they got it working. Maybe on the box with Orion NetFlow module, can you use WireShark and get a sniffer trace capture? See if there is UDP traffic coming in on the port that nprobe should be sending to. If not, then you know that your problem isn't the Orion NetFlow module. If the traffic is coming in, then I'd be interested in taking a look at that sniffer trace for you.
Thanks,
Thanks David,
I will see what I can do. :)
I apologise for not providing more details, it was late and I was getting frustrated. The thing that I am not sure about is whether or not this method will replace the need for a netflow-able router altogether. Will one instance of nprobe, properly configured, provide the flows for all the interfaces being monitored? Or will I need to run nprobe on every device being monitored?
Regards
[EDIT]
I have since installed fprobe on one of the Linux interfaces and confirm that it is working correctly so far, I may recant this when I have had a chance to collect enough data.
I now understand that nprobe must be installed on each individual device, and that the collector is working. Now all I need is to figure out the correct nprobe flags... :s hopefully this won't be too hard :)
[EDIT2]
"NetFlow Receiver Service [PC3] is receiving a NetFlow data stream from an unmanaged interface on 10.0.0.133. The NetFlow data stream will be discarded. Please use the Orion System Manager to add Interface #8 in order to process this NetFlow data stream."
So close! PC03 is in fact 10.0.0.133, which is where Orion is installed and it is also the collector. I have added this interface again with the System Manager but it changed nothing. Where exactly do I advise Orion to accept the netflow stream from this interface?
Still no luck.
I am at the point of trying to discover the values for -i, -u & -Q.
I have tried omitting -u & Q, so that it can be allocated dynamically, but neither "-i 1" nor "-i 0" makes any change.
I have deleted the node and re-discovered it a number of times, ensuring that I have selected the interface when doing so, but the results are not changing.
The 'Interface Details' page says that the index is 2. I tried using this for -u & -Q, but again there was no change. I now have 21 big yellow warning boxes, and am out of combinations to try.
I don't suppose anyone has a method for determining these numbers other than trial and error?
It would be greatly appreciated :)
Hello again,
I am still having trouble here.
I have the full nProbe binary for win32, which I have installed as a service on the same machine as the collector with the following args:
c:/Prog.../nProbe.exe -/i -n localhost:2055
I use fprobe on my linux machine, which 'seems' to work, so I assume the collector is working. Can anyone suggest a working configuration for the nProbe service?
=^_^=
did you try nprobe /c -h?
At the end you get the available interfaces with the index
Thanks :)
It looks like it is working:
C:\Program Files\nProbe-Win32>nprobe /c -h
Running nProbe for Win32.
~
Available interfaces:
 [index=0] 'Adapter for generic dialup and VPN capture'
 [index=1] 'Attansic AtcL001 Gigabit Ethernet Controller'
...
C:\Program Files\nProbe-Win32>nprobe /c -i 1 -n 10.0.0.133:2055
Running nProbe for Win32.
01/Sep/2008 08:45:14 [dbPlugin.c:65] Initializing DB plugin
01/Sep/2008 08:45:14 [nprobe.c:3858] Capturing packets from interface \Device\NPF_{14CE400A-4AB7-47C4-AAD7-5440FB2E6DA6}
However when I point the Netflow Realtime application at this IP, it captures the traffic speed, but when I select 'Start Flow Capture' I receive the warning 'NetFlow is not detected on the selected interface' (see attached image)
It looks like nProbe is running, but not generating any captures. Are they stored locally anywhere that I can confirm it is recording something at all?
Thanks for your help :)