3 Replies Latest reply on Oct 9, 2009 1:01 PM by chris.lapoint

    nProbe and the Real-Time Netflow Analyzer

    Steve Pfister

      Is it possible to use nprobe with the Netflow Analyzer? I'm trying to find a solution for situations where Netflow isn't available. Netflow isn't supported by a lot of the equipment we have (well, without additional hardware). I was thinking about a laptop connected to the switch in question running nProbe and then Netflow Analyzer would be running on the same machine. I started nProbe as:

      nprobe /c -i 2 -n 127.0.0.1:2055

      and then started the Netflow Analyzer. I added 127.0.0.1 as a Netflow device, and it sees the loopback interface as sending Netflow packets. I start capturing on the loopback interface, but it never really shows any traffic. On one attempt, it showed something about multicast and IGMP. Is this setup something that's workable?

      Thanks!
      --Steve

        • Re: nProbe and the Real-Time Netflow Analyzer
          chris.lapoint

          Steve, thanks for the post. I've been meaning to try out this configuration myself in our lab. I think the issue you're experiencing is because the interface indexes set in the flows aren't monitored in Orion NTA (they don't exist) so the flows are being discarded.

          I found these additional config options on nProbe's site:


          [--in-iface-idx|-u] <in dev idx>    | Index of the input device used in the
                                              | emitted flows (incoming traffic). If no
                                              | value is set, the input device is
                                              | dynamically set to the last two bytes of
                                              | the MAC address of the flow sender.
          [--out-iface-idx|-Q] <out dev idx>  | Index of the output device used in the
                                              | emitted flows (outgoing traffic). If no
                                              | value is set, the output device is
                                              | dynamically set to the last two bytes
                                              | of the MAC address of the flow receiver.

          If you can add all of the laptop's interfaces as monitored NTA sources and then set nProbe to set those as the input and output interface index, this might work. Let me know how it goes.
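
To check the interface-index mismatch discussed in this thread, the sketch below decodes the input and output interface indexes from an exported datagram and lists the ones a collector is not monitoring. It is an added example, not code from either poster or from nProbe or Orion NTA. It assumes nProbe is exporting NetFlow v5 and that the "last two bytes of the MAC" are read big-endian; the function names and the sample datagram are constructed for illustration.

```python
import socket
import struct

# NetFlow v5 layout: a 24-byte header followed by 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def mac_derived_index(mac):
    """Index taken from the last two bytes of a MAC address, as the help
    text describes. Big-endian byte order is an assumption of this example."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a six-octet MAC address")
    return int.from_bytes(octets[-2:], "big")

def flow_interfaces(datagram):
    """Return (src_ip, dst_ip, in_idx, out_idx) for every v5 flow record."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram truncated: header count exceeds payload")
    flows = []
    for i in range(count):
        rec = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append((socket.inet_ntoa(rec[0]), socket.inet_ntoa(rec[1]), rec[3], rec[4]))
    return flows

def unmonitored_indexes(datagram, monitored):
    """Interface indexes present in the flows but absent from the collector."""
    seen = set()
    for _src, _dst, in_idx, out_idx in flow_interfaces(datagram):
        seen.update((in_idx, out_idx))
    return sorted(seen - set(monitored))

# Constructed sample: one TCP flow whose indexes come from two made-up MACs.
IN_IDX = mac_derived_index("00:11:22:33:44:55")   # 0x4455
OUT_IDX = mac_derived_index("00:11:22:33:66:77")  # 0x6677
SAMPLE = V5_HEADER.pack(5, 1, 0, 0, 0, 0, 0, 0, 0) + V5_RECORD.pack(
    socket.inet_aton("192.168.1.10"), socket.inet_aton("192.168.1.20"),
    socket.inet_aton("0.0.0.0"), IN_IDX, OUT_IDX, 10, 1200, 0, 0,
    51000, 443, 0, 0x18, 6, 0, 0, 0, 0, 0, 0)

if __name__ == "__main__":
    print("flows:", flow_interfaces(SAMPLE))
    print("not monitored:", unmonitored_indexes(SAMPLE, monitored={1, 2}))
```

The same functions can be fed datagrams read from a UDP socket bound to the export port to see which indexes a running probe actually emits.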