28 Replies Latest reply on Jan 25, 2011 6:14 AM by Martin.Krivanek

    Nprobe should it work?

      Hi,


      I have been trialling scrutinizer because we want to see the packets coming in from 3750's and these are not supported under netflow. You can put span ports and plug a laptop into it and the Nprobe software will convert the original packets into netflow format. This is then sent to the Scrutinizer module on the server and you can see the application traffic etc.


      Solarwinds said that this should work using the Netflow module but I either get an error message saying that netflow traffic is seen on an unmanaged interface on the laptop (but I am monitoring all the interfaces) or it does not see any traffic.


      If the laptop is pushing netflow traffic to the netflow module I would think that it should see this and it should work.


      Anyone any knowledge on this?


      Thanks


      Sam

        • Re: Nprobe should it work?
          denny.lecompte

          If anyone said that it would definitely work, they misspoke.  It may or may not work.  It's not something we officially support, so we've never tried it in-house.  You are the first request for this feature.  If we begin to see more demand, I'll consider adding it, at which point we'll make sure it works. 

            • Re: Nprobe should it work?

              I don't know if anyone else might want it but if they knew it would work I'm sure they would.


              If it doesn't work then we will probably have to buy scrutinizer instead of the Netflow module which is a bit of a shame because the functionality of the netflow module is much better.


              Thanks


              Sam

                • Re: Nprobe should it work?

                  I'd be interested in this functionality.

                  I'm trying to work around having our border router as a Sonicwall rather than Cisco.

                   Alternatively, you could support SW's exported log format, but I suspect that's a bit more work...
                   

                    • Re: Nprobe should it work?
                      darryld

                      I have successfully used nprobe to collect info from a windows server and send it to NTA.


                      You need to set the -u and -Q parameters to fix the index number of the input and output devices


                        • Re: Nprobe should it work?

                           I'm probably being dense, but how do you set the parameters for the server?

                           Any points would be helpful.
                           

                            • Re: Nprobe should it work?
                              darryld

                              At the command prompt use nprobe /r to remove the existing service


                              nprobe /c -h then provides full listing of all switches


                               something like


                                            nprobe /i -i 1 -n 192.168.0.1:2055 -u 1 -Q 1


                              will re-install the service and send all the data from interface 1 to NTA (on 192.168.0.1 port 2055) all tagged as coming from interface index 1

                              • Re: Nprobe should it work?

                                Following on from my post, I've worked out how to set the variables, and I can see the netflow packets arriving at the collector, but it's not being picked up by Orion.

                                 What do I need to set -u and -q to for Orion to see the network packets?

                                The monitoring box has two ethernet interfaces, one that's plugged into a span port, and the other that is used to send the flows across the network.

                                 


                                 

                                  • Re: Nprobe should it work?
                                    darryld

                                    try the interface index of  either port, providing that port is being monitored by orion 

                                      • Re: Nprobe should it work?

                                        Sorted and working beautifully. Thanks for your help. 

                                        • Re: Nprobe should it work?

                                          I am still unable to get this work and I'm sure that it's the command line that I'm doing wrong.


                                          I have a laptop plugged in to the monitor port on the cisco 3750 and the other port connected to a normal port to send the traffic.


                                          I have found out that the laptop has interface index numbers of 0 and 8. So one is the monitor port and the other one is the normal port. I have tried lots of combinations of the command ie


                                          nprobe /i -i 1 -n 192.168.0.1:2055 -u 0 -Q 8


                                          nprobe /i -i 0 -n 192.168.0.1:2055 -u 8 -Q 8


                                           nprobe /i -i 0 -n 192.168.0.1:2055 -u 8 -Q 8


                                          I am guessing really as I don't know which interface index number is connected to which port on the laptop.


                                           If anyone has any ideas that would be great as I'm beginning to lose the plot!!


                                          Sam


                                            • Re: Nprobe should it work?
                                              darryld

                                              If you are monitoring both interfaces on Orion then setting the -u and -Q switches to either 0 or 8 should work with either -i 0 or -i 8 depending on which is the ingress port.


                                              I have had a problem with running nprobe as a service on 1 or 2 machines. Try running it from the console nprobe /c, this has the advantage of a verbose mode -b 1 or -b 2 which may help with debugging

                                                • Re: Nprobe should it work?

                                                  I had loads of problems with this but I have finally got it working.


                                                  Thanks


                                                  SAM

                                                    • Re: Nprobe should it work?

                                                       I still don't quite get it.


                                                       If none of our routers or switches have netflow, jflow or sflow then this is pointless?

                                                       

                                                       I started reading this thread on the context that nprobe was a soft-alternative to buying a netflow-able router. But having played with it, it looks like just another collector.

                                                      Please tell me I missed something?

                                                       

                                                      I have been evaluating your products for the last week or so and am utterly in love... Or I would be if it actually analysed traffic! I hope there is a work around, because I really don't see anything else worth considering on the market.

                                                       

                                                      Thanks

                                                        • Re: Nprobe should it work?
                                                          davidmaltby

                                                          Ghostcorps,


                                                          The others on this thread seem to indicate that they got it working.  Maybe on the box with Orion NetFlow module, can you use WireShark and get a sniffer trace capture?  See if there is UDP traffic coming in on the port that nprobe should be sending to.  If not, then you know that your problem isn't the Orion NetFlow module.  If the traffic is coming in, then I'd be interested in taking a look at that sniffer trace for you.


                                                           Thanks,

                                                            • Re: Nprobe should it work?

                                                               Thanks David,

                                                               

                                                               I will see what I can do. :)

                                                               I apologise for not providing more details, it was late and I was getting frustrated. The thing that I am not sure about is whether or not this method will replace the need for a netflow-able router altogether. Will one instance of nprobe, properly configured, provide the flows for all the interfaces being monitored? Or will I need to run nprobe on every device being monitored?

                                                               

                                                              Regards

                                                               

                                                              [EDIT]

                                                               I have since installed fprobe on one of the Linux interfaces and confirm that it is working correctly so far, I may recant this when I have had a chance to collect enough data. 

                                                               I now understand that nprobe must be installed on each individual device, and that the collector is working. Now all I need is to figure out the correct nprobe flags... :s  hopefully this won't be too hard :)

                                                               [EDIT2]

                                                               

                                                              "NetFlow Receiver Service [PC3] is receiving a NetFlow data stream from an unmanaged interface on 10.0.0.133. The NetFlow data stream will be discarded. Please use the Orion System Manager to add Interface #8 in order to process this NetFlow data stream."

                                                               

                                                              So close!   PC03 is in fact 10.0.0.133, which is where Orion is installed and it is also the collector. I have added this interface again with the System Manager but it changed nothing. Where exactly do I advise Orion to accept the netflow stream from this interface?

                                                                • Re: Nprobe should it work?

                                                                   Still no luck.

                                                                   

                                                                   I am at the point of trying to discover the values for  -i, -u & -Q. 

                                                                   I have tried omitting -u & Q, so that it can be allocated dynamically, but neither "-i 1" nor "-i 0" makes any change.

                                                                   I have deleted the node and re-discovered it a number of times, ensuring that I have selected the interface when doing so, but the results are not changing.

                                                                   The 'Interface Details' page says that the index is 2. I tried using this for -u & -Q, but again there was no change. I now have 21 big yellow warning boxes, and am out of combinations to try.

                                                                   

                                                                  I don't suppose anyone has a method for determining these numbers other than trial and error?

                                                                   

                                                                  It would be greatly appreciated

                                                                    • Re: Nprobe should it work?

                                                                       Hello again,

                                                                       

                                                                       I am still having trouble here.

                                                                       

                                                                       I have the full nProbe binary for win32, which I have installed as a service on the same machine as the collector with the following args:

                                                                       

                                                                        c:/Prog.../nProbe.exe -/i -n localhost:2055

                                                                       

                                                                      I use fprobe on my linux machine, which 'seems' to work, so I assume the collector is working.  Can anyone suggest a working configuration for the nProbe service?

                                                                       

                                                                      Thanks

                                                                       

                                                                      =^_^=

                                                                      • Re: Nprobe should it work?

                                                                        did you try nprobe /c  -h?


                                                                        At the end you get the available interfaces with the index 

                                                                          • Re: Nprobe should it work?

                                                                             Thanks :)

                                                                             

                                                                              It looks like it is working:

                                                                             

                                                                            C:\Program Files\nProbe-Win32>nprobe /c -h
                                                                            Running nProbe for Win32.

                                                                            ~

                                                                            Available interfaces:
                                                                                    [index=0] 'Adapter for generic dialup and VPN capture'
                                                                                    [index=1] 'Attansic AtcL001 Gigabit Ethernet Controller'

                                                                            ...


                                                                            C:\Program Files\nProbe-Win32>nprobe /c -i 1 -n 10.0.0.133:2055
                                                                            Running nProbe for Win32.
                                                                            01/Sep/2008 08:45:14 [dbPlugin.c:65] Initializing DB plugin
                                                                            01/Sep/2008 08:45:14 [nprobe.c:3858] Capturing packets from interface \Device\NPF_{14CE400A-4AB7-47C4-AAD7-5440FB2E6DA6}


                                                                            However when I point the Netflow Realtime application at this IP, it captures the traffic speed, but when I select 'Start Flow Capture' I receive the warning 'NetFlow is not detected on the selected interface' (see attached image).

                                                                             

                                                                             It looks like nProbe is running, but not generating any captures. Are they stored locally anywhere that I can confirm it is recording something at all?

                                                                             

                                                                             

                                                                            Thanks for your help

                                                                      • Re: Nprobe should it work?
                                                                        tomiannelli

                                                                        I have been trying to get this to work. I can get it to recognize data from my LAPTOP but not the server. I am wondering if the Interface Index in solarwinds db has anything to do with it. The Interface index in the database is 65539 and of course using nprobe it is 2! Not sure how else the two systems would recognize each others interfaces, but I can not get it to work.

                                                                        I even tried installing the Netflow Real-time monitor and sending the probe information to that on a different port on the same machine.

                                                                          • Re: Nprobe should it work?

                                                                            Hi Tom, this is a late reply, but hopefully this will help others who are confused about this as well.

                                                                             

                                                                            nProbe uses two different ways of identifying the interface.

                                                                            The first way is with the -i switch (interface to capture data on.) That interface list is simply a list that starts at zero (0 is generally a loopback) and increases with each interface the system has. So a dual ethernet server will generally have interfaces 0,1, and 2. It can be a pain to figure out which interface to use if your server has a lot of them, but there is a trick. When you start a capture from the console you'll get some output that helps to identify which interface the -i # switch actually maps to:

                                                                              C:\Program Files\nProbe-Win32>nprobe /c -n 10.0.0.12:2055 -i 4 -u 65555 -Q 65555
                                                                              Running nProbe for Win32.
                                                                              14/Aug/2009 15:43:02 [dbPlugin.c:65] Initializing DB plugin
                                                                              14/Aug/2009 15:43:02 [plugin.c:548] 1 plugin(s) enabled
                                                                              14/Aug/2009 15:43:02 [nprobe.c:3993] Capturing packets from interface \Device\NPF_{6126941C-E92E-412C-B682-E4596B78D775}

                                                                            The output identifies the interface it is capturing from via its GUID. If you look in the server's registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces, you'll see a list of GUIDs in the system. By clicking on them you can see which IP address is bound to which GUID. In my example above, I had to go through -i 0 through 4 before I was capturing on the right interface.

                                                                             

                                                                            Now the second interface identifier that nProbe uses is the interface index. This number is generated whenever a new interface is added to a Windows system. This number also seems to vary like crazy. This is the interface number (index) that SolarWinds wants to see the data coming from in the NetFlow packet in order to match it up with its interface list within the node. This is the number you have to use with the -u and -Q flags (65555 in my example above.)

                                                                            You can get this number in two ways. One is to add the correct node/interface in Orion and then look at the interface details and find the "Index" field. Another way is to do a "route print" from the command line of the Windows server. At the top of the output is the list of interfaces on the system. The first column is the interface index # in hex. Here is an example:

                                                                            0x10013 ...00 06 5b fd 49 30 ...... Broadcom NetXtreme Gigabit Ethernet - Virtual Machine Network Services Driver

                                                                            In this case hex 10013 equals 65555 in decimal

                                                                             

                                                                            Hope this helps,

                                                                            Neil

                                                                              • Re: Nprobe should it work?
                                                                                drknight0

                                                                                Your post got me very close.  I only seem to use the MS Loopback address as the net flow source

                                                                                This is the command that is working:

                                                                                nprobe /1 -n x.x.x.x:2055 -b 1 -i 2 -u 1 -Q 65541

                                                                                 

                                                                                 

                                                                                nprobe /c -h reports the following interfaces:


                                                                                Available interfaces:
                                                                                        [index=0] 'Adapter for generic dialup and VPN capture'
                                                                                        [index=1] 'Intel(R) PRO/1000 MT Dual Port Network Connection'
                                                                                        [index=2] 'Intel(R) PRO/1000 MT Dual Port Network Connection'
                                                                                        [index=3] 'Broadcom Advanced Server Program Driver for Windows Server 2003 with SNP'
                                                                                        [index=4] 'Broadcom NetXtreme Gigabit Ethernet Driver'
                                                                                        [index=5] 'Broadcom NetXtreme Gigabit Ethernet Driver'

                                                                                route print is:

                                                                                IPv4 Route Table
                                                                                ===========================================================================
                                                                                Interface List
                                                                                0x1 ........................... MS TCP Loopback interface
                                                                                0x10003 ...00 16 35 3f b1 ac ...... BASP Virtual Adapter
                                                                                0x10005 ...00 11 0a 62 ba f4 ...... Intel(R) PRO/1000 MT Dual Port Network Connection

                                                                                'BASP Virtual Adapter' is the interface used to access my windows server

                                                                                'Intel(R) PRO/1000 MT Dual Port Network Connection' is the interface used to Span traffic

                                                                                 

                                                                                What do I need to do to get Orion to map the netflow source to the actual span interface? is this possible?

                                                                                • Re: Nprobe should it work?

                                                                                  Somebody help please!

                                                                                  When I do a route print my interface indexes show as follows:

                                                                                  0x1 ........................... MS TCP Loopback interface
                                                                                  0x10003 ...00 16 76 25 e9 8e ...... Intel(R) PRO/100 VE Network Connection
                                                                                  0x10004 ...00 40 05 05 93 94 ...... Realtek RTL8139 Family PCI Fast Ethernet NIC
                                                                                  0x10005 ...00 01 03 c0 a7 86 ...... 3Com EtherLink XL 10/100 PCI For Complete PC

                                                                                  So in decimal my index values would be 65539, 65540 and 65541.

                                                                                  !!!However netflow uses only 2 bytes for the index number, so the highest interface index I can use is 65535!!!

                                                                                  This is the reason why I can't get any data from nprobe to solarwinds from any interface except for the loopback.

                                                                                    • Re: Nprobe should it work?
                                                                                      Martin.Krivanek

                                                                                      Hi Juan Figueroa,

                                                                                      You are right, NetFlow uses only two bytes for index number, so higher indexes can't be used. But if you're using nProbe, you can specify interface indexes by command line parameters (-u, -Q). Does that help you?

                                                                                      Best regards,

                                                                                      Martin

                                                                                        • Re: Nprobe should it work?

                                                                                          The problem comes when I try to integrate it with solarwinds.  Since solarwinds will poll Interface Index via SNMP, if I specify a different index with '-u', when the data is received by Orion NTA it will be discarded since the interface index won't match with the one polled via SNMP.

                                                                                          Do you know if there is a way to make Orion NTA receive netflow from unmanaged interfaces?

                                                                                          I found out that if you re-install Windows, it will assign interface indexes starting from 2 and on to the NIC it recognizes during installation. If a NIC is not recognized during Windows installation and you install the driver afterwards, then Windows will assign an Interface Index above 65535, which then will give the problem of not fitting inside the 2 bytes.

                                                                                          I think I will rather give it a try with some unix based OS since I expect it will be easier to deal with interfaces indexes.

                                                                                          Thanks for the reply!
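
The two checks the thread converges on (converting the hex index from `route print` to decimal and seeing whether it fits the 2-byte NetFlow field, then reading the interface indexes actually carried in a received export and comparing them with what the collector manages) are shown below as an added example that is not part of the original thread. It assumes the probe exports NetFlow v5; the function names are hypothetical, and the test datagram and the managed set `{2}` are constructed from numbers mentioned in the posts.

```python
import re
import struct

# Interface list lines as quoted from `route print` in the thread.
ROUTE_PRINT = """\
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 16 76 25 e9 8e ...... Intel(R) PRO/100 VE Network Connection
0x10004 ...00 40 05 05 93 94 ...... Realtek RTL8139 Family PCI Fast Ethernet NIC
0x10005 ...00 01 03 c0 a7 86 ...... 3Com EtherLink XL 10/100 PCI For Complete PC
"""

# Groups: hex interface index, optional MAC address, adapter name.
IF_LINE = re.compile(
    r"^\s*0x([0-9a-fA-F]+)\s+\.+\s*"
    r"(?:((?:[0-9a-fA-F]{2} ){5}[0-9a-fA-F]{2})\s+\.+\s*)?(.+?)\s*$"
)

# NetFlow v5 layout: 24-byte header followed by 48-byte flow records.
# In each record, fields 3 and 4 are the 16-bit input and output ifIndex.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_route_print(text):
    """Return [(ifindex_decimal, mac_or_None, name)] from the interface list."""
    rows = []
    for line in text.splitlines():
        m = IF_LINE.match(line)
        if m:
            rows.append((int(m.group(1), 16), m.group(2), m.group(3)))
    return rows


def fits_v5_field(ifindex):
    """True if the index can be carried in a 2-byte NetFlow v5 field."""
    return 0 <= ifindex <= 0xFFFF


def build_v5(flows):
    """Constructed test datagram; flows is a list of (input_idx, output_idx)."""
    for pair in flows:
        for idx in pair:
            if not fits_v5_field(idx):
                raise ValueError(f"ifIndex {idx} does not fit in 16 bits")
    data = V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    for inp, outp in flows:
        # Addresses, ports and counters are constructed sample values.
        data += V5_RECORD.pack(
            bytes([10, 0, 0, 50]), bytes([10, 0, 0, 133]), bytes(4),
            inp, outp, 10, 1500, 0, 0, 49152, 80, 0, 0x18, 6, 0, 0, 0, 0, 0, 0)
    return data


def decode_v5_ifindexes(datagram):
    """Return [(input_idx, output_idx)] for every record in a v5 datagram."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("shorter than a NetFlow v5 header")
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram truncated")
    pairs = []
    for n in range(count):
        rec = V5_RECORD.unpack_from(datagram, V5_HEADER.size + n * V5_RECORD.size)
        pairs.append((rec[3], rec[4]))
    return pairs


def unmanaged_indexes(pairs, managed):
    """Indexes seen in the flows that the collector does not manage."""
    seen = {idx for pair in pairs for idx in pair}
    return sorted(seen - set(managed))


if __name__ == "__main__":
    for idx, mac, name in parse_route_print(ROUTE_PRINT):
        print(f"{idx:>6}  fits 16 bits: {fits_v5_field(idx)}  {name}")
    # Flows tagged with -u 8 -Q 8 while the collector only manages index 2.
    dgram = build_v5([(8, 8)])
    print("unmanaged:", unmanaged_indexes(decode_v5_ifindexes(dgram), {2}))
```

To use `decode_v5_ifindexes` on real traffic, pass it the UDP payload of a packet captured on the collector port.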