nProbe™ v6

An Extensible NetFlow v5/v9/IPFIX GPL Probe for IPv4/v6

In commercial environments, NetFlow is probably the de-facto standard for network traffic accounting. ntop includes both a NetFlow v5/v9/IPFIX probe and collector that can be used to play with NetFlow flows. This means that you can use ntop:

  • for analysing NetFlow flows generated by your border gateway
  • replacing the embedded, low-speed, NetFlow probe available on your gateway
  • analyzing Gbit networks at full speed with no (or very moderate) packet loss exploiting nProbe™
  • as a NetFlow probe that sends flows towards a collector either ntop or a commercial one (e.g. Cisco NetFlow Collector or HP-OV)
  • both as a probe and collector.

Nevertheless, due to the original ntop design, it cannot be easily deployed as a pure NetFlow collector in environments such as a diskless embedded system with limited resources or a corporate firewall.

In addition, in some environments it would be nice to distribute light network probes on the network that send traffic information towards a central traffic analysis console such as ntop.

In order to satisfy the above requirements nProbe™ has been designed. Currently nProbe™ is a software application available stand-alone or as an embedded system named nBox .

Main nProbe™ Features

  • Available for Unix (including MacOS X and Solaris), Windows, and embedded environments.
  • Added layer 7 application visibility (including Skype, BitTorrent, Citrix….).
  • NetFlow v9/IPFIX support for efficient flow handling.
  • Added Cisco NetFlow-Lite support (as of version 6.5).
  • Full IPFIX support: PEN (Private Enterprise Numbers) and Variable length encoding.
  • Support for IPv4 and v6.
  • Limited memory footprint (less that 2 MB of memory regardless of the network size) and CPU savvy.
  • Ability to natively save flows into MySQL and SQLite, as well as text and binary.
  • Ability to natively dump flows in FastBit format.
  • Ability to dump flows in format ready for import in columnar databases such as InfiniDB.
  • Native PF_RING support for high speed flow generation (nProbe™ Pro Unix and above).
  • Ability to act as flow collector and proxy. All combinations are supported.
  • Ability to collect sFlow flows and turn them into flows (v5/v9/IPFIX).
  • Support of detect protocols via DPI (deep packet inspection) and report protocol name in flows for precise collector protocol accounting.
  • Ability to forge NetFlow interfaceIds based on MAC/IP addresses.
  • Collection of Cisco ASA flows and conversion in ‘standard’ flows.
  • New nprobe architecture for better performance and exploitation of multicore architectures.
  • Support of tunneled (including GRE, PPP and GTP) traffic and ability to export in flows inner/outer envelope/packet information.
  • Support of both flow and packet sampling.
  • Support of Flexible Netflow: create your netflow templates, now with PEN support.
  • VoIP (SIP and RTP) traffic analysis.
  • HTTP and MySQL/Oracle, DNS protocol analysis: ability to generate logs of web, MySQL/Oracle and DNS activities in addition to flow export.
  • BGP Plugin for establishing a BGP session with a router and generate flows with AS and AS path information.
  • Plugin architecture for easy extensibility via custom V9/IPFIX tags.
  • Fully interoperable with commercial collectors such as IsarFlow, Fluke, Cisco, Dartware, AdventNet, Arbor Networks, Plixer, NetFlow Auditor, SolarWinds Orion NTA.
  • Designed for running on environments with limited resources (the nProbe™ binary < 100 Kb) and embedded systems (e.g. ARM-based appliaces).
  • It can be used to build cheap NetFlow probes using commodity hardware.
  • Able to save flows on disk for later analysis or integration into an existing monitoring application.
  • Fully user configurable.
  • High-performance probe: commercial probes included those embedded on routers and switches are often not able to keep up with high-speeds.
  • Ntop can be used as collector and analyser for NetFlow v5/v9/IPFIX flows such as those generated by nProbe™ and commercial routers.

Using nProbe™

The current nProbe™ version is much more that a simple netflow probe.

Probe mode

Command: nprobe -i eth0 -n collector_ip:2055

Collector mode

Command: nprobe –nf-collector-port 2055

Proxy mode

Command: nprobe –nf-collector-port 2055 -n collector_ip:2055 -V 9

It can be a probe, probe+collector, collector, or a proxy. In proxy mode you can convert from/to IPFIX/NetFlow v5/v9 in order to smoothly upgrade to newer netflow protocol versions while capitalizing on previous protocol versions. So you can for instance convert flows coming from your v5 router into IPFIX and vice-versa. Note that with some combinations (e.g. from v9 to v5) you might loose some flow information.


Many people are aware that not all the available NetFlow probes are scalable. nProbe™ has been designed to keep up with Gigabit speeds on commodity hardware. Using a dual core CPU, nProbe™ can be used for capturing packets at full speed with no/very little (< 1%) packet loss using PF_RING. Better results can be achieved using packet/flow sampling (i.e. the probe does not receive all the packets but just a sample), or using an accelerated packet capture card.

Packet Size (Bytes) nProbe™ Sustained Throughtput with no packet loss
fixed 64 462 Kpps [~237 Mbit] Wire rate
fixed 512 Wire rate
fixed 1500
random 64-1500

The table above shows the result of a worst-case performance test using

  • nProbe™ 6.9.x Pro/Plugins (native PF_RING support)
  • Ubuntu Linux 11.10
  • PF_RING 5.3.x
  • Supermicro PDSM4+ board
  • Intel(R) Core(TM)2 CPU 6320 [1.86GHz]
  • Intel PCIe Gbit card
  • IXIA 400 Traffic Generator
  • 100K rotating IP addresses
  • Generation of 6’500 flows/minute
  • Command used: nprobe -i eth4 -b 1 -w 512000
  • No flow storage on DB or disk, just forwarding to a collector

For the latest news about nProbe, please read the ntop blog.

Running nProbe™ at 10 Gbit

Today commodity hardware cannot provide full 10 Gbit traffic analysis unless some special drivers are used. Using PF_RING DNA is designed to offer wire-speed packet capture performance. nProbe on top of DNA and multi RX-queue can process about 11 Mpps as described on this paper.

nProbe™, FastBit, and InfiniDB

In early 6.x nProbe releases we supported natively the FastBit database. Later on we decided to drop this feature in favour of import in InfiniDB, that features a performance similar to FastBit but it offers full SQL support and integration with MySQL. In InfiniDB data import is performed with the cpimport utility that acceps as input the flow files dumped by nProbe with -P command line flag.


nProbe™ is distributed in both source and binary format. Once installed, nProbe™ is available for use with no further configuration. Similar to ntop, nProbe™ will be activated on a PC from which it is possible to see/capture the traffic you’re interested in. For this reason, in case of switched networks, it is necessary to either mirror traffic (VLAN or port mirror) or place the probe on a location (e.g. by the border gateway) where most of the traffic flows.

Once activated, nProbe™ will collect traffic data (see below) and emit NetFlow v5/v9/IPFIX flows towards the specified collector. A set of packets with the same (src ip & port, dst ip & port, protocol #) is called flow (note that some protocols such as ICMP have no concept of ports). Every flow, even a very long standing ISO CD image download, has a limited lifetime; this is because the flow collector should periodically receive flow chunks for accounting traffic precisely.

Welcome to nprobe v.6.9.9 ($Revision: 2660 $) for x86_64-apple-darwin12.2.0

Copyright 2002-12 by Luca Deri

SystemID: 1FE719B8-0B82-5C67-9AE6-990B5030479F-7105a182
Valid nProbe license found

nprobe -n [-i ] [-t ]
[-d ] [-l ] [-s ]
[-p ] [-f ] [-a] [-b ] [-G] [-O ]
[-P ] [-F ] [-D ]
[-u ] [-Q ]
[-I ] [-v] [-w ] [-e ] [-B ]
[-z ] [-M ][-R ]
[-x ] [-E ] [-C ]
[-m ]
[-S ] [-A ] [-g ]
[-T ] [-U ]
[-o ] [-L ] [-c] [-r]
[-1 ] [-2 ] [-3 ] [-4] [-5 ] [-6]
[-9 ] [--black-list ] [--pcap-file-list ]
[-N] [--dont-drop-privileges]

[--collector|-n] | Address of the NetFlow collector(s).
| Multiple collectors can be defined using
| multiple -n flags. In this case flows
| will be sent in round robin mode to
| all defined collectors if the -a flag
| is used. Note that you can specify
| both IPv4 and IPv6 addresses.
| If you specify none as value,
| no flow will be export; in this case
| the -P parameter is mandatory.
| Note that you can specify the protocol
| used to send packets. Example:
| udp://, tcp://
[--interface|-i] | Interface name from which packets are
| captured, or .pcap file (debug only)
[--lifetime-timeout|-t] | It specifies the maximum (seconds) flow
| lifetime [default=120]
[--idle-timeout|-d] | It specifies the maximum (seconds) flow
| idle lifetime [default=30]
[--queue-timeout|-l] | It specifies how long expired flows
| (queued before delivery) are emitted
| [default=30]
[--aggregation|-p] | It specifies the flow aggiregation level:
| /////
| where each element can be set to 0=ignore
| or 1=take care. Example ‘-p 1/0/1/1/1/1′
| ignores the protocol, whereas
| ‘-p 0/0/1/0/0/0′ ignores everything
| but the IP
[--bpf-filter|-f] | BPF filter for captured packets
| [default=no filter]
[--all-collectors|-a] | If several collectors are defined, this
| option gives the ability to send all
| collectors all the flows. If the flag is
| omitted collectors are selected in
| round robin.
[--verbose|-b] | Verbose output:
| 0 – No verbose logging
| 1 – Limited logging (traffic statistics)
| 2 – Full verbose logging
[--daemon-mode|-G] | Start as daemon.
[--num-threads|-O] | Number of packet fetcher threads
| [default=1]. Use 1 unless you know
| what you’re doing.
[--dump-path|-P] | Directory where dump files will
| be stored.
[--dump-frequency|-F] | Dump files dump frequencey (sec).
| Default: 60
[--dump-format|-D] | : flows are saved as:
| b : raw/uncompressed flows
| B : raw core flow fields (flow size: 144 bytes)
| t : text flows
| Example: -D b. Note: this flag has no
| effect without -P.
[--in-iface-idx|-u] | Index of the input device used in the
| emitted flows (incoming traffic). The default
| value is 0. Use -1 as value to dynamically
| set to the last two bytes of
| the MAC address of the flow sender.
[--out-iface-idx|-Q] | Index of the output device used in the
| emitted flows (outgoing traffic). The default
| value is 0. Use -1 as value to dynamically
| set to the last two bytes of
| the MAC address of the flow receiver.
[--vlanid-as-iface-idx] | Use vlanId (or 0 if the traffic isn’t tagged)
| as interface index. Mode specifies in case of
| stacked VLANs which vlanId to choose. Possible
| values are ‘inner’ or ‘outer’. Note that this option
| superseedes the –in/out-iface-idx options
[--discard-unknown-flows] | In case you enable L7 proto detection (e.g. add %L7_PROTO
| to the template) this options enables you not to export
| flows for which nDPI has not been able to detect the proto.
| Mode values:
| 0 – Export both known and unknown flows (default)
| 1 – Export only known flows (discard flows with unknown protos)
| 2 – Export only unknown flows (discard flows with known protos)
[--nprobe-version|-v] | Prints the program version.
[--flow-lock|-C] | If the flow lock file is present no flows
| are emitted. This facility is useful to
| implement high availability by means of
| a daemon that can create a lock file
| when this instance is in standby.
[--help|-h] | Prints this help.
[--interpret-flow-packets] | Interpret received packets to see if they contain flows (development only).
[--debug] | Enable debugging (development only).
[--quick-mode] | Micro-nprobe.
[--fake-capture] | Fake packet capture (development only).
[--dont-nest-dump-dirs] | Plugins will create dump files all in the same directory.
[--performance] | Enable performance tracing (development only).
[--syslog|-I] | Log to syslog as | [default=stdout]
[--hash-size|-w] | Flows hash size [default=131072]
[--no-ipv6|-W] | IPv6 packets/traffic will not be accounted.
[--flow-delay|-e] | Delay (in ms) between two flow
| exports [default=1]
[--count-delay|-B] | Send this many packets before
| the -e delay [default=1]
[--min-flow-size|-z] | Minimum TCP flow size (in bytes).
| If a TCP flow is shorter than the
| specified size the flow is not
| emitted [default=unlimited]
[--max-num-flows|-M] | Limit the number of active flows. This is
| useful if you want to limit the memory
| or CPU allocated to nProbe in case of non
| well-behaved applications such as
| worms or DoS. [default=4294967295]
[--netflow-engine|-E] | Specify the engine type and id.
| The format is engineType:engineId.
| [default=0:113] where engineId is a
| random number.
[--min-num-flows|-m] | Minimum number of flows per packet
| unless an expired flow is queued
| for too long (see -l) [default=30
| for v5, dynamic for v9]
[--sender-address|-q] | Specifies the address:port of the flow
| sender. This optionis useful for hosts
| with multiple interfaces or if flows
| must be emitted from a static port
[--sample-rate|-S] :
| Packet capture sampling rate and flow
| sampling rate. If starts with ‘@’
| it means that nprobe will report the specified
| sampling rate but will not sample itself
| as incoming packets are already sampled
| on the specified capture device at the
| specified rate. Default: 1:1 [no sampling]
[--as-list|-A] | GeoIP file containing the list of known ASs.
| Example: GeoIPASNum.dat
[--city-list] | GeoIP file containing the city/IP mapping. Note
| that nProbe will load the IPv6 file equivalent
| if present. Example: –city-list GeoLiteCity.dat
| will also attempt to load GeoLiteCityv6.dat
[--pid-file|-g] | Put the PID in the specified file
[--flow-templ|-T] | Specify the NFv9 template (see below).
[--flow-templ-id|-U] | Specify the NFv9 template identifier
| [default: 257]
[--flow-version|-V] | NetFlow Version: 5=v5, 9=v9, 10=IPFIX
[--flows-intra-templ|-o] | Specify how many flow pkts are exported
| between template exports [default: 10]
[--local-networks|-L] | Specify the list of local networks whose
| format is / (if multiple use comma).
[--local-hosts-only|-c] | All the IPv4 hosts outside the local
| network lists will be set to
| (-L must be specified before -c).
| This reduces the load on the probe
| instead of discarding flows on the
| collector side.
[--local-traffic-direction|-r] | All the traffic going towards
| the local networks (-L must also be
| specified before -r) is assumed incoming
| traffic all the rest is assumed outgoing
| (see also -u and -Q).
[--if-networks|-1] | Specify the binding between interfaceId
| and a network (see below).
[--count|-2] | Capture a specified number of packets
| and quit (debug only)
[--collector-port|-3] | NetFlow/sFlow collector port for incoming flows
[--tunnel|-5] | Compute flows on tunneled traffic rather than
| on the external envelope
[--no-promisc|-6] | Capture packets in non-promiscuous mode
[--smart-udp-frags|-7] | Ignore UDP fragmented packets with fragment offset
| greater than zero, and compute the fragmented
| packet length on the initial fragment header.
[--ipsec-auth-data-len|-8] | Length of the authentication data of IPSec
| in tunnel mode. If not set, IPSec will not be decoded
[--dump-stats|-9] | Periodically dump traffic stats into the
| specified file
–black-list | All the IPv4 hosts inside the networks
| black-list will be discarded.
| This reduces the load on the probe
| instead of discarding flows on the
| collector side.
–pcap-file-list | Specify a filename containing a list
| of pcap files.
| If you use this flag the -i option will be
| ignored.
[--biflows-export-policy|-N] | Bi-directional flows export policy:
| 0 – export all flows
| 1 – export bi-directional flows only
| 2 – export mono-directional flows only
–csv-separator | Specify the separator for text files (see -P)
| Default is ‘|’ (pipe)
–dont-drop-privileges | Do not drop privileges changing to user nobody
–bi-directional | Force flows to be bi-directional. This option
| is not supported by NetFlow V5 that by nature
| supports only mono-directional flows
–account-l2 | NetFlow accounts IP traffic only, not counting
| L2 headers. Using this option the L2 headers
| are also accounted
–dump-metadata | Dump flow metadata into the specified file
| and quit
–event-log | Dump relevant activities into the specified log file
–original-speed | When using -i with a pcap file, instead of reading packets
| as fast as possible, the original speed is preserved (debug only)
–db-engine | Define the DB engine type (example MyISAM, InfiniDB).
| Default MyISAM.
–unprivileged-user | Use instead of nobody when dropping privileges
–disable-cache | Disable flow cache for avoid merging flows. This option
| is available only in collector/proxy mode
| (i.e. use -i none)
–redis [:] | Connected to the specified redis server
| Example –redis localhost
–ucloud | Enable the nProbe micro-cloud

Further plugin available command line options
07/Oct/2012 19:31:30 [plugin.c:156] Loading plugins [.so] from ./plugins
07/Oct/2012 19:31:30 [dbPlugin.c:198] WARNING: DB support is not enabled (disabled at compile time)
07/Oct/2012 19:31:30 [l7BridgePlugin.c:110] WARNING: [L7] Plugin disabled due to lack of PF_RING
[BGP Update Listener]
–bgp-port | TCP port on which BGP updates will be sent


[DNS Protocol]
–dns-dump-dir | Directory where DNS logs will be dumped

[GTPv1 Signaling Protocol]
–gtpv1-dump-dir | Directory where GTP logs will be dumped
–gtpv1-exec-cmd | Command executed whenever a directory has been dumped

[GTPv2 Signaling Protocol]
–gtpv2-dump-dir | Directory where GTP logs will be dumped
–gtpv2-exec-cmd | Command executed whenever a directory has been dumped

[HTTP Protocol]
–http-dump-dir | Directory where HTTP logs will be dumped
–ssl-config-file | Configuration file for SSL certificate decoding
–http-exec-cmd | Command executed whenever a directory has been dumped
–dont-hash-cookies | Dump cookie string instead of cookie hash
–max-http-log-lines | Max number of lines per log file (default 10000)

[IMAP Protocol]
–imap-dump-dir | Directory where IMAP logs will be dumped
–imap-exec-cmd | Command executed whenever a directory has been dumped
–imap-peek-headers | Dump both emails body and headers (default: body only)

[L7 Plugin]
–l7-rules | L7 bridging rules, comma separated (see nprobe -h).
| Example 7,18 blocks HTTP and DHCP protocols.

[Log Plugin]
–log[:]> | Specify log listen port(s) (max 32)

[MySQL Plugin]
–mysql-dump-dir | Directory where MySQL logs will be dumped
–mysql-exec-cmd | Command executed whenever a directory has been dumped
–max-mysql-log-lines | Max number of lines per log file (default 10000)

[Netflow-Lite Plugin]
–nflite[:]> | Specify NetFlow-Lite listen port(s) (max 32)

[Oracle Protocol]
–oracle-dump-dir | Directory where Oracle logs will be dumped
–oracle-exec-cmd | Command executed whenever a directory has been dumped
–max-oracle-log-lines | Max number of lines per log file (default 10000)

[POP3 Protocol]
–pop-dump-dir | Directory where POP3 logs will be dumped
–pop-exec-cmd | Command executed whenever a directory has been dumped

[Radius Protocol]
–radius-dump-dir | Directory where Radius logs will be dumped
–radius-exec-cmd | Command executed whenever a directory has been dumped

[SMTP Protocol]
–smtp-dump-dir | Directory where SMTP logs will be dumped
–smtp-exec-cmd | Command executed whenever a directory has been dumped

Note on interface indexes and (router) MAC/IP addresses
Flags -u and -Q are used to specify the SNMP interface identifiers for emitted flows.
However using –if-networks it is possible to specify an interface identifier to which
a MAC address or IP network is bound. The syntax of –if-networks is:
<MAC|IP/mask>@ where multiple entries can be separated by a comma (,).
Example: –if-networks “AA:BB:CC:DD:EE:FF@3,″ or
–if-networks @ where is a file path containing the networks
specified using the above format.

NetFlow v9/IPFIX format [-T]
The following options can be used to specify the format:

ID NetFlow Label IPFIX Label Description
[ 1] %IN_BYTES %octetDeltaCount Incoming flow bytes (src->core.tuple.dst)
[ 2] %IN_PKTS %packetDeltaCount Incoming flow packets (src->core.tuple.dst)
[ 3] %FLOWS Number of flows
[ 4] %PROTOCOL %protocolIdentifier IP protocol byte
[164] %PROTOCOL_MAP IP protocol name
[ 5] %SRC_TOS %ipClassOfService Type of service byte
[ 6] %TCP_FLAGS %tcpControlBits Cumulative of all flow TCP flags
[ 7] %L4_SRC_PORT %sourceTransportPort IPv4 source port
[167] %L4_SRC_PORT_MAP Layer 4 source port symbolic name
[ 8] %IPV4_SRC_ADDR %sourceIPv4Address IPv4 source address
[ 9] %IPV4_SRC_MASK %sourceIPv4PrefixLength IPv4 source subnet mask (/)
[ 10] %INPUT_SNMP %ingressInterface Input interface SNMP idx
[ 11] %L4_DST_PORT %destinationTransportPort IPv4 destination port
[171] %L4_DST_PORT_MAP Layer 4 destination port symbolic name
[172] %L4_SRV_PORT Layer 4 server port
[173] %L4_SRV_PORT_MAP Layer 4 server port symbolic name
[ 12] %IPV4_DST_ADDR %destinationIPv4Address IPv4 destination address
[ 13] %IPV4_DST_MASK %destinationIPv4PrefixLength IPv4 dest subnet mask (/)
[ 14] %OUTPUT_SNMP %egressInterface Output interface SNMP idx
[ 15] %IPV4_NEXT_HOP %ipNextHopIPv4Address IPv4 next hop address
[ 16] %SRC_AS %bgpSourceAsNumber Source BGP AS
[ 17] %DST_AS %bgpDestinationAsNumber Destination BGP AS
[ 21] %LAST_SWITCHED %flowEndSysUpTime SysUptime (msec) of the last flow pkt
[ 22] %FIRST_SWITCHED %flowStartSysUpTime SysUptime (msec) of the first flow pkt
[ 23] %OUT_BYTES %postOctetDeltaCount Outgoing flow bytes (dst->src)
[ 24] %OUT_PKTS %postPacketDeltaCount Outgoing flow packets (dst->src)
[ 27] %IPV6_SRC_ADDR %sourceIPv6Address IPv6 source address
[ 28] %IPV6_DST_ADDR %destinationIPv6Address IPv6 destination address
[ 29] %IPV6_SRC_MASK %sourceIPv6PrefixLength IPv6 source mask
[ 30] %IPV6_DST_MASK %destinationIPv6PrefixLength IPv6 destination mask
[ 32] %ICMP_TYPE %icmpTypeCodeIPv4 ICMP Type * 256 + ICMP code
[ 34] %SAMPLING_INTERVAL Sampling rate
[ 35] %SAMPLING_ALGORITHM Sampling type (deterministic/random)
[ 36] %FLOW_ACTIVE_TIMEOUT %flowActiveTimeout Activity timeout of flow cache entries
[ 37] %FLOW_INACTIVE_TIMEOUT %flowIdleTimeout Inactivity timeout of flow cache entries
[ 38] %ENGINE_TYPE Flow switching engine
[ 39] %ENGINE_ID Id of the flow switching engine
[ 40] %TOTAL_BYTES_EXP %exportedOctetTotalCount Total bytes exported
[ 41] %TOTAL_PKTS_EXP %exportedMessageTotalCount Total flow packets exported
[ 42] %TOTAL_FLOWS_EXP %exportedFlowRecordTotalCount Total number of exported flows
[ 52] %MIN_TTL %minimumTTL Min flow TTL
[ 53] %MAX_TTL %maximumTTL Max flow TTL
[ 56] %IN_SRC_MAC %sourceMacAddress Source MAC Address
[ 58] %SRC_VLAN %vlanId Source VLAN
[ 59] %DST_VLAN %postVlanId Destination VLAN
[ 60] %IP_PROTOCOL_VERSION %ipVersion [4=IPv4][6=IPv6]
[ 61] %DIRECTION %flowDirection It indicates where a sample has been taken (always 0)
[ 62] %IPV6_NEXT_HOP %ipNextHopIPv6Address IPv6 next hop address
[ 70] %MPLS_LABEL_1 %mplsTopLabelStackSection MPLS label at position 1
[ 71] %MPLS_LABEL_2 %mplsLabelStackSection2 MPLS label at position 2
[ 72] %MPLS_LABEL_3 %mplsLabelStackSection3 MPLS label at position 3
[ 73] %MPLS_LABEL_4 %mplsLabelStackSection4 MPLS label at position 4
[ 74] %MPLS_LABEL_5 %mplsLabelStackSection5 MPLS label at position 5
[ 75] %MPLS_LABEL_6 %mplsLabelStackSection6 MPLS label at position 6
[ 76] %MPLS_LABEL_7 %mplsLabelStackSection7 MPLS label at position 7
[ 77] %MPLS_LABEL_8 %mplsLabelStackSection8 MPLS label at position 8
[ 78] %MPLS_LABEL_9 %mplsLabelStackSection9 MPLS label at position 9
[ 79] %MPLS_LABEL_10 %mplsLabelStackSection10 MPLS label at position 10
[ 80] %OUT_DST_MAC %destinationMacAddress Destination MAC Address
[ 95] %APPLICATION_ID %application_id Cisco NBAR Application Id
[102] %PACKET_SECTION_OFFSET Packet section offset
[103] %SAMPLED_PACKET_SIZE Sampled packet size
[104] %SAMPLED_PACKET_ID Sampled packet id
[130] %EXPORTER_IPV4_ADDRESS %exporterIPv4Address Exporter IPv4 Address
[131] %EXPORTER_IPV6_ADDRESS %exporterIPv6Address Exporter IPv6 Address
[148] %FLOW_ID %flowId Serial Flow Identifier
[150] %FLOW_START_SEC %flowStartSeconds Seconds (epoch) of the first flow packet
[151] %FLOW_END_SEC %flowEndSeconds Seconds (epoch) of the last flow packet
[152] %FLOW_START_MILLISECONDS %flowStartMilliseconds Msec (epoch) of the first flow packet
[153] %FLOW_END_MILLISECONDS %flowEndMilliseconds Msec (epoch) of the last flow packet
[239] %BIFLOW_DIRECTION %biflow_direction 1=initiator, 2=reverseInitiator
[277] %OBSERVATION_POINT_TYPE Observation point type
[300] %OBSERVATION_POINT_ID Observation point id
[302] %SELECTOR_ID Selector id
[304] %SAMPLING_ALGORITHM Sampling algorithm
[309] %SAMPLING_SIZE Number of packets to sample
[310] %SAMPLING_POPULATION Sampling population
[312] %FRAME_LENGTH Original L2 frame length
[318] %PACKETS_OBSERVED Tot number of packets seen
[319] %PACKETS_SELECTED Number of pkts selected for sampling
[335] %SELECTOR_NAME Sampler name
[NFv9 57552][IPFIX 35632.80] %FRAGMENTS Number of fragmented flow packets
[NFv9 57554][IPFIX 35632.82] %CLIENT_NW_DELAY_SEC Network latency client nprobe (sec)
[NFv9 57555][IPFIX 35632.83] %CLIENT_NW_DELAY_USEC Network latency client nprobe (residual usec)
[NFv9 57556][IPFIX 35632.84] %SERVER_NW_DELAY_SEC Network latency nprobe server (sec)
[NFv9 57557][IPFIX 35632.85] %SERVER_NW_DELAY_USEC Network latency nprobe server (residual usec)
[NFv9 57558][IPFIX 35632.86] %APPL_LATENCY_SEC Application latency (sec)
[NFv9 57559][IPFIX 35632.87] %APPL_LATENCY_USEC Application latency (residual usec)
[NFv9 57560][IPFIX 35632.88] %NUM_PKTS_UP_TO_128_BYTES # packets whose size 128 and 256 and < 512 [NFv9 57563][IPFIX 35632.91] %NUM_PKTS_512_TO_1024_BYTES # packets whose size > 512 and < 1024 [NFv9 57564][IPFIX 35632.92] %NUM_PKTS_1024_TO_1514_BYTES # packets whose size > 1024 and 1514
[NFv9 57573][IPFIX 35632.101] %SRC_IP_COUNTRY Country where the src IP is located
[NFv9 57574][IPFIX 35632.102] %SRC_IP_CITY City where the src IP is located
[NFv9 57575][IPFIX 35632.103] %DST_IP_COUNTRY Country where the dst IP is located
[NFv9 57576][IPFIX 35632.104] %DST_IP_CITY City where the dst IP is located
[NFv9 57577][IPFIX 35632.105] %FLOW_PROTO_PORT L7 port that identifies the flow protocol or 0 if unknown
[NFv9 57578][IPFIX 35632.106] %UPSTREAM_TUNNEL_ID Upstream tunnel identifier (e.g. GTP TEID) or 0 if unknown
[NFv9 57579][IPFIX 35632.107] %LONGEST_FLOW_PKT Longest packet (bytes) of the flow
[NFv9 57580][IPFIX 35632.108] %SHORTEST_FLOW_PKT Shortest packet (bytes) of the flow
[NFv9 57581][IPFIX 35632.109] %RETRANSMITTED_IN_PKTS Number of retransmitted TCP flow packets (src->core.tuple.dst)
[NFv9 57582][IPFIX 35632.110] %RETRANSMITTED_OUT_PKTS Number of retransmitted TCP flow packets (dst->src)
[NFv9 57583][IPFIX 35632.111] %OOORDER_IN_PKTS Number of out of order TCP flow packets (dst->src)
[NFv9 57584][IPFIX 35632.112] %OOORDER_OUT_PKTS Number of out of order TCP flow packets (dst->src)
[NFv9 57585][IPFIX 35632.113] %UNTUNNELED_PROTOCOL Untunneled IP protocol byte
[NFv9 57586][IPFIX 35632.114] %UNTUNNELED_IPV4_SRC_ADDR Untunneled IPv4 source address
[NFv9 57587][IPFIX 35632.115] %UNTUNNELED_L4_SRC_PORT Untunneled IPv4 source port
[NFv9 57588][IPFIX 35632.116] %UNTUNNELED_IPV4_DST_ADDR Untunneled IPv4 destination address
[NFv9 57589][IPFIX 35632.117] %UNTUNNELED_L4_DST_PORT Untunneled IPv4 destination port
[NFv9 57590][IPFIX 35632.118] %L7_PROTO Layer 7 protocol (numeric)
[NFv9 57591][IPFIX 35632.119] %L7_PROTO_NAME Layer 7 protocol name
[NFv9 57592][IPFIX 35632.120] %DOWNSTREAM_TUNNEL_ID Downstream tunnel identifier (e.g. GTP TEID) or 0 if unknown
[NFv9 57593][IPFIX 35632.121] %FLOW_USER_NAME Flow username of the tunnel (if known)
[NFv9 57594][IPFIX 35632.122] %FLOW_SERVER_NAME Flow server name (if known)

Plugin BGP Update Listener templates:
[NFv9 57762][IPFIX 35632.290] %SRC_AS_PATH_1 Src AS path position 1
[NFv9 57763][IPFIX 35632.291] %SRC_AS_PATH_2 Src AS path position 2
[NFv9 57764][IPFIX 35632.292] %SRC_AS_PATH_3 Src AS path position 3
[NFv9 57765][IPFIX 35632.293] %SRC_AS_PATH_4 Src AS path position 4
[NFv9 57766][IPFIX 35632.294] %SRC_AS_PATH_5 Src AS path position 5
[NFv9 57767][IPFIX 35632.295] %SRC_AS_PATH_6 Src AS path position 6
[NFv9 57768][IPFIX 35632.296] %SRC_AS_PATH_7 Src AS path position 7
[NFv9 57769][IPFIX 35632.297] %SRC_AS_PATH_8 Src AS path position 8
[NFv9 57770][IPFIX 35632.298] %SRC_AS_PATH_9 Src AS path position 9
[NFv9 57771][IPFIX 35632.299] %SRC_AS_PATH_10 Src AS path position 10
[NFv9 57772][IPFIX 35632.300] %DST_AS_PATH_1 Dest AS path position 1
[NFv9 57773][IPFIX 35632.301] %DST_AS_PATH_2 Dest AS path position 2
[NFv9 57774][IPFIX 35632.302] %DST_AS_PATH_3 Dest AS path position 3
[NFv9 57775][IPFIX 35632.303] %DST_AS_PATH_4 Dest AS path position 4
[NFv9 57776][IPFIX 35632.304] %DST_AS_PATH_5 Dest AS path position 5
[NFv9 57777][IPFIX 35632.305] %DST_AS_PATH_6 Dest AS path position 6
[NFv9 57778][IPFIX 35632.306] %DST_AS_PATH_7 Dest AS path position 7
[NFv9 57779][IPFIX 35632.307] %DST_AS_PATH_8 Dest AS path position 8
[NFv9 57780][IPFIX 35632.308] %DST_AS_PATH_9 Dest AS path position 9
[NFv9 57781][IPFIX 35632.309] %DST_AS_PATH_10 Dest AS path position 10

Plugin DNS Protocol templates:
[NFv9 57677][IPFIX 35632.205] %DNS_QUERY DNS query
[NFv9 57678][IPFIX 35632.206] %DNS_QUERY_ID DNS query transaction Id
[NFv9 57679][IPFIX 35632.207] %DNS_QUERY_TYPE DNS query type (e.g. 1=A, 2=NS..)
[NFv9 57680][IPFIX 35632.208] %DNS_RET_CODE DNS return code (e.g. 0=no error)
[NFv9 57681][IPFIX 35632.209] %DNS_NUM_ANSWERS DNS # of returned answers

Plugin dump templates:
[NFv9 57642][IPFIX 35632.170] %DUMP_PATH Path where dumps will be saved

Plugin GTPv1 Signaling Protocol templates:
[NFv9 57692][IPFIX 35632.220] %GTPV1_REQ_MSG_TYPE GTPv1 Request Msg Type
[NFv9 57693][IPFIX 35632.221] %GTPV1_RSP_MSG_TYPE GTPv1 Response Msg Type
[NFv9 57694][IPFIX 35632.222] %GTPV1_C2S_TEID_DATA GTPv1 Client->Server TunnelId Data
[NFv9 57695][IPFIX 35632.223] %GTPV1_C2S_TEID_CTRL GTPv1 Client->Server TunnelId Control
[NFv9 57696][IPFIX 35632.224] %GTPV1_S2C_TEID_DATA GTPv1 Server->Client TunnelId Data
[NFv9 57697][IPFIX 35632.225] %GTPV1_S2C_TEID_CTRL GTPv1 Server->Client TunnelId Control
[NFv9 57698][IPFIX 35632.226] %GTPV1_END_USER_IP GTPv1 End User IP Address
[NFv9 57699][IPFIX 35632.227] %GTPV1_END_USER_IMSI GTPv1 End User IMSI
[NFv9 57700][IPFIX 35632.228] %GTPV1_END_USER_MSISDN GTPv1 End User MSISDN
[NFv9 57701][IPFIX 35632.229] %GTPV1_END_USER_IMEI GTPv1 End User IMEI
[NFv9 57702][IPFIX 35632.230] %GTPV1_APN_NAME GTPv1 APN Name
[NFv9 57703][IPFIX 35632.231] %GTPV1_MCC GTPv1 Mobile Country Code
[NFv9 57704][IPFIX 35632.232] %GTPV1_MNC GTPv1 Mobile Network Code
[NFv9 57705][IPFIX 35632.233] %GTPV1_CELL_LAC GTPv1 Cell Location Area Code
[NFv9 57706][IPFIX 35632.234] %GTPV1_CELL_CI GTPv1 Cell CI
[NFv9 57707][IPFIX 35632.235] %GTPV1_SAC GTPv1 SAC

Plugin GTPv2 Signaling Protocol templates:
[NFv9 57742][IPFIX 35632.270] %GTPV2_REQ_MSG_TYPE GTPv2 Request Msg Type
[NFv9 57743][IPFIX 35632.271] %GTPV2_RSP_MSG_TYPE GTPv2 Response Msg Type
[NFv9 57744][IPFIX 35632.272] %GTPV2_C2S_S1U_GTPU_TEID GTPv2 Client->Svr S1U GTPU TEID
[NFv9 57745][IPFIX 35632.273] %GTPV2_C2S_S1U_GTPU_IP GTPv2 Client->Svr S1U GTPU IP
[NFv9 57746][IPFIX 35632.274] %GTPV2_S2C_S1U_GTPU_TEID GTPv2 Srv->Client S1U GTPU TEID
[NFv9 57747][IPFIX 35632.275] %GTPV2_S2C_S1U_GTPU_IP GTPv2 Srv->Client S1U GTPU IP
[NFv9 57748][IPFIX 35632.276] %GTPV2_END_USER_IMSI GTPv2 End User IMSI
[NFv9 57749][IPFIX 35632.277] %GTPV2_END_USER_MSISDN GTPv2 End User MSISDN
[NFv9 57750][IPFIX 35632.278] %GTPV2_APN_NAME GTPv2 APN Name
[NFv9 57751][IPFIX 35632.279] %GTPV2_MCC GTPv2 Mobile Country Code
[NFv9 57752][IPFIX 35632.280] %GTPV2_MNC GTPv2 Mobile Network Code
[NFv9 57753][IPFIX 35632.281] %GTPV2_CELL_TAC GTPv2 Tracking Area Code
[NFv9 57754][IPFIX 35632.282] %GTPV2_SAC GTPv2 Cell Identifier

Plugin HTTP Protocol templates:
[NFv9 57652][IPFIX 35632.180] %HTTP_URL HTTP URL
[NFv9 57653][IPFIX 35632.181] %HTTP_RET_CODE HTTP return code (e.g. 200, 304…)
[NFv9 57654][IPFIX 35632.182] %HTTP_REFERER HTTP Referer
[NFv9 57655][IPFIX 35632.183] %HTTP_UA HTTP User Agent
[NFv9 57656][IPFIX 35632.184] %HTTP_MIME HTTP Mime Type
[NFv9 57657][IPFIX 35632.185] %HTTP_HOST HTTP Host Name
[NFv9 57658][IPFIX 35632.186] %HTTP_FBOOK_CHAT HTTP Facebook Chat

Plugin IMAP Protocol templates:
[NFv9 57732][IPFIX 35632.260] %IMAP_LOGIN Mail sender

Plugin MySQL Plugin templates:
[NFv9 57667][IPFIX 35632.195] %MYSQL_SERVER_VERSION MySQL server version
[NFv9 57668][IPFIX 35632.196] %MYSQL_USERNAME MySQL username
[NFv9 57669][IPFIX 35632.197] %MYSQL_DB MySQL database in use
[NFv9 57670][IPFIX 35632.198] %MYSQL_QUERY MySQL Query
[NFv9 57671][IPFIX 35632.199] %MYSQL_RESPONSE MySQL server response

Plugin Oracle Protocol templates:
[NFv9 57672][IPFIX 35632.200] %ORACLE_USERNAME Oracle Username
[NFv9 57673][IPFIX 35632.201] %ORACLE_QUERY Oracle Query
[NFv9 57674][IPFIX 35632.202] %ORACLE_RSP_CODE Oracle Response Code
[NFv9 57675][IPFIX 35632.203] %ORACLE_RSP_STRING Oracle Response String
[NFv9 57676][IPFIX 35632.204] %ORACLE_QUERY_DURATION Oracle Query Duration (msec)

Plugin POP3 Protocol templates:
[NFv9 57682][IPFIX 35632.210] %POP_USER Mail sender

Plugin Radius Protocol templates:
[NFv9 57712][IPFIX 35632.240] %RADIUS_REQ_MSG_TYPE RADIUS Request Msg Type
[NFv9 57713][IPFIX 35632.241] %RADIUS_RSP_MSG_TYPE RADIUS Response Msg Type
[NFv9 57714][IPFIX 35632.242] %RADIUS_USER_NAME RADIUS User Name (Access Only)
[NFv9 57715][IPFIX 35632.243] %RADIUS_CALLING_STATION_ID RADIUS Calling Station Id
[NFv9 57716][IPFIX 35632.244] %RADIUS_CALLED_STATION_ID RADIUS Called Station Id
[NFv9 57717][IPFIX 35632.245] %RADIUS_NAS_IP_ADDR RADIUS NAS IP Address
[NFv9 57718][IPFIX 35632.246] %RADIUS_NAS_IDENTIFIER RADIUS NAS Identifier
[NFv9 57719][IPFIX 35632.247] %RADIUS_USER_IMSI RADIUS User IMSI (Extension)
[NFv9 57720][IPFIX 35632.248] %RADIUS_USER_IMEI RADIUS User MSISDN (Extension)
[NFv9 57721][IPFIX 35632.249] %RADIUS_FRAMED_IP_ADDR RADIUS Framed IP
[NFv9 57722][IPFIX 35632.250] %RADIUS_ACCT_SESSION_ID RADIUS Accounting Session Name
[NFv9 57723][IPFIX 35632.251] %RADIUS_ACCT_STATUS_TYPE RADIUS Accounting Status Type
[NFv9 57724][IPFIX 35632.252] %RADIUS_ACCT_IN_OCTETS RADIUS Accounting Input Octets
[NFv9 57725][IPFIX 35632.253] %RADIUS_ACCT_OUT_OCTETS RADIUS Accounting Output Octets
[NFv9 57726][IPFIX 35632.254] %RADIUS_ACCT_IN_PKTS RADIUS Accounting Input Packets
[NFv9 57727][IPFIX 35632.255] %RADIUS_ACCT_OUT_PKTS RADIUS Accounting Output Packets

Plugin RTP Plugin templates:
[NFv9 57622][IPFIX 35632.150] %RTP_FIRST_SSRC First flow RTP Sync Source ID
[NFv9 57623][IPFIX 35632.151] %RTP_FIRST_TS First flow RTP timestamp
[NFv9 57624][IPFIX 35632.152] %RTP_LAST_SSRC Last flow RTP Sync Source ID
[NFv9 57625][IPFIX 35632.153] %RTP_LAST_TS Last flow RTP timestamp
[NFv9 57626][IPFIX 35632.154] %RTP_IN_JITTER RTP Jitter (ms * 1000)
[NFv9 57627][IPFIX 35632.155] %RTP_OUT_JITTER RTP Jitter (ms * 1000)
[NFv9 57628][IPFIX 35632.156] %RTP_IN_PKT_LOST Packet lost in stream
[NFv9 57629][IPFIX 35632.157] %RTP_OUT_PKT_LOST Packet lost in stream
[NFv9 57630][IPFIX 35632.158] %RTP_IN_PAYLOAD_TYPE RTP payload type
[NFv9 57631][IPFIX 35632.159] %RTP_OUT_PAYLOAD_TYPE RTP payload type
[NFv9 57632][IPFIX 35632.160] %RTP_IN_MAX_DELTA Max delta (ms*100) between consecutive pkts
[NFv9 57633][IPFIX 35632.161] %RTP_OUT_MAX_DELTA Max delta (ms*100) between consecutive pkts

Plugin SIP Plugin templates:
[NFv9 57602][IPFIX 35632.130] %SIP_CALL_ID SIP call-id
[NFv9 57603][IPFIX 35632.131] %SIP_CALLING_PARTY SIP Call initiator
[NFv9 57604][IPFIX 35632.132] %SIP_CALLED_PARTY SIP Called party
[NFv9 57605][IPFIX 35632.133] %SIP_RTP_CODECS SIP RTP codecs
[NFv9 57606][IPFIX 35632.134] %SIP_INVITE_TIME SIP SysUptime (msec) of INVITE
[NFv9 57607][IPFIX 35632.135] %SIP_TRYING_TIME SIP SysUptime (msec) of Trying
[NFv9 57608][IPFIX 35632.136] %SIP_RINGING_TIME SIP SysUptime (msec) of RINGING
[NFv9 57609][IPFIX 35632.137] %SIP_INVITE_OK_TIME SIP SysUptime (msec) of INVITE OK
[NFv9 57610][IPFIX 35632.138] %SIP_INVITE_FAILURE_TIME SIP SysUptime (msec) of INVITE FAILURE
[NFv9 57611][IPFIX 35632.139] %SIP_BYE_TIME SIP SysUptime (msec) of BYE
[NFv9 57612][IPFIX 35632.140] %SIP_BYE_OK_TIME SIP SysUptime (msec) of BYE OK
[NFv9 57613][IPFIX 35632.141] %SIP_CANCEL_TIME SIP SysUptime (msec) of CANCEL
[NFv9 57614][IPFIX 35632.142] %SIP_CANCEL_OK_TIME SIP SysUptime (msec) of CANCEL OK
[NFv9 57615][IPFIX 35632.143] %SIP_RTP_IPV4_SRC_ADDR SIP RTP stream source IP
[NFv9 57616][IPFIX 35632.144] %SIP_RTP_L4_SRC_PORT SIP RTP stream source port
[NFv9 57617][IPFIX 35632.145] %SIP_RTP_IPV4_DST_ADDR SIP RTP stream dest IP
[NFv9 57618][IPFIX 35632.146] %SIP_RTP_L4_DST_PORT SIP RTP stream dest port
[NFv9 57619][IPFIX 35632.147] %SIP_FAILURE_CODE SIP failure response code
[NFv9 57620][IPFIX 35632.148] %SIP_REASON_CAUSE SIP Cancel/Bye/Failure reason cause

Plugin SMTP Protocol templates:
[NFv9 57660][IPFIX 35632.188] %SMTP_MAIL_FROM Mail sender
[NFv9 57661][IPFIX 35632.189] %SMTP_RCPT_TO Mail recipient

Major protocol (%L7_PROTO) symbolic mapping 0…149:
[ 0] Unknown
[ 1] FTP
[ 2] Mail_POP
[ 3] Mail_SMTP
[ 4] Mail_IMAP
[ 5] DNS
[ 6] IPP
[ 7] HTTP
[ 8] MDNS
[ 9] NTP
[ 11] NFS
[ 12] SSDP
[ 13] BGP
[ 14] SNMP
[ 15] XDMCP
[ 16] SMB
[ 17] SYSLOG
[ 18] DHCP
[ 19] PostgreSQL
[ 20] MySQL
[ 21] TDS
[ 22] DirectDownloadLink
[ 23] I23V5
[ 24] AppleJuice
[ 25] DirectConnect
[ 26] Socrates
[ 27] WinMX
[ 29] PANDO
[ 30] Filetopia
[ 31] iMESH
[ 32] Kontiki
[ 33] OpenFT
[ 34] Kazaa/Fasttrack
[ 35] Gnutella
[ 36] eDonkey
[ 37] Bittorrent
[ 38] OFF
[ 39] AVI
[ 40] Flash
[ 41] OGG
[ 42] MPEG
[ 43] QuickTime
[ 44] RealMedia
[ 45] Windowsmedia
[ 46] MMS
[ 47] XBOX
[ 48] QQ
[ 49] MOVE
[ 50] RTSP
[ 51] Feidian
[ 52] Icecast
[ 53] PPLive
[ 54] PPStream
[ 55] Zattoo
[ 56] SHOUTCast
[ 57] SopCast
[ 58] TVAnts
[ 59] TVUplayer
[ 60] VeohTV
[ 61] QQLive
[ 62] Thunder/Webthunder
[ 63] Soulseek
[ 64] GaduGadu
[ 65] IRC
[ 66] Popo
[ 67] Jabber
[ 68] MSN
[ 69] Oscar
[ 70] Yahoo
[ 71] Battlefield
[ 72] Quake
[ 73] Second Life
[ 74] Steam
[ 75] Halflife2
[ 76] World of Warcraft
[ 77] Telnet
[ 78] STUN
[ 79] IPSEC
[ 80] GRE
[ 81] ICMP
[ 82] IGMP
[ 83] EGP
[ 84] SCTP
[ 85] OSPF
[ 86] IP in IP
[ 87] RTP
[ 88] RDP
[ 89] VNC
[ 90] PCAnywhere
[ 91] SSL
[ 92] SSH
[ 93] USENET
[ 94] MGCP
[ 95] IAX
[ 96] TFTP
[ 97] AFP
[ 98] StealthNet
[ 99] Aimini
[100] SIP
[101] Truphone
[102] ICMPv6
[103] DHCPv6
[104] Armagetron
[105] CrossFire
[106] Dofus
[107] Fiesta
[108] Florensia
[109] Guildwars
[110] HTTP Application Activesync
[111] Kerberos
[112] LDAP
[113] MapleStory
[114] msSQL
[115] PPTP
[117] World of Kung Fu
[118] MEEBO
[119] FaceBook
[120] Twitter
[121] DropBox
[122] Gmail
[123] Google Maps
[124] YouTube
[125] Skype
[126] Google
[127] DCE RPC
[128] NetFlow_IPFIX
[129] sFlow
[130] HTTP Connect
[131] HTTP Proxy
[132] Citrix
[133] Netflix
[135] Grooveshark
[136] Skyfile_prepaid
[137] Skyfile_rudics
[138] Skyfile_postpaid
[139] CitrixOnline_GotoMeeting
[140] Apple
[141] Webex
[142] WhatsApp
[143] Apple_iCloud
[144] Viber
[145] Apple_iTunes
[146] Radius
[147] WindowsUpdate
[148] TeamViewer
[149] Tuenti

Any standard NetFlow collector including ntop can be used to analyse the flows generated by nProbe™ (please note that not all the commercial collecotrs support v9).
When used with ntop, the nProbe™ can act as a remote and light traffic probe, and ntop as a central network monitoring console for IPFIX/v5/v9.


  1. Q: Is nProbe™ able to operate on Gbit networks at full speed?
    A: Yes. Note that for exploiting the Gbit packet capture you need a 64-bit PCI Gigabit Ethernet interface.
  2. Q: Is the nProbe™ source code available?
    A: Yes of course, it’s GPL.
  3. Q: Why do you charge for nProbe™ although it’s GPL?
    A: GPL has nothing to do with price ([1] [2] [3]) but with freedom. Many open source companies ask a fee for their software.
  4. Q: What do you do with the money you get charging for nProbe™?
    A: This money is invested for doing research in ntop, nBox and nProbe™ projects.


nProbe User’s Guide


NetFlow is copyright Cisco Systems.
nProbe™ is a trademark registered in USA and the European Union.

nProbe Plugins

nProbe™ is extensible by means of optional plugins. Depending on the platform you can get them in source (Unix) or pre-compiled binary (Win32). Plugins can be used to dissect specific traffic or to provide other features (e.g. traffic collection). Below you can find the list of currently available plugins.

Plugin Description
HTTP Decode HTTP traffic and HTTPS certificates. It can generate a comprehensive log of HTTP traffic, including page
download and network/server delay. Microcloud friendly.
DNS Decodes DNS traffic, and produce a log of main domain name resolution activities. Microcloud friendly.
flow-to-MySQL Dumps exported flows into a MySQL database.
MySQL Decodes (unencrypted) MySQL traffic, and produce a log of SQL requests/responses along with performance indicators.
Oracle Similar to MySQL plugin, just for Oracle databases.
BGP Fills nProbe with AS path information. The BGP decoding is performed by a Perl-script provided with the plugin that acts
as a BGP server. This plugin is part of nProbe Pro/Plugins.
IMAP, POP3, SMTP Email plugins for decoding (unencrypted) email traffic and generate flows and logs of email activities.
SIP, RTP Plugins for decoding VoIP (Voice over IP) traffic and producing call log, and voice information (jitter and packet loss).
Radius Plugin decoding Radius traffic including 3GPP extensions for mobile networks. Microcloud friendly.
Available only in binary format.
GTPv1 Plugin for decoding GTPv1-C (2G and 3G networks) signalling and producing comprehensive mobile user and traffic
tracking. Microcloud friendly. Available only in binary format.
GTPv2 Same as GTPv1 plugin, just for v2 protocol version used in LTE (Long Term Evolution) mobile networks.
Available only in binary format.
NetFlow-Lite Plugin Plugin for collecting NetFlow-Lite traffic sent by some Cisco switches.

Note that the Win32 version of nProbe is available as binary version (we prebuilt it for you), whereas the Unix version is available as source (you need to compile it yourself).

Get It

nProbe™ is available in two flavours

Version Unix Win32
Standard Probe with no plugins and basic libpcap-based packet capture. Same as Unix.
Pro with Plugins Same as Pro version with native PF_RING, and support for plugins.
It also includes the following plugins: flow dump into MySQL database (flow-to-MySQL) and BGP plugin.
Same as Unix.

nProbe™ is available under the GPLv2 licence for a little fee, that’s used for running the project and funding the new developments. You can purchase online your copy of nProbe™ at the ntop e-shop site, that includes one year support. After the transaction is completed you can download your nProbe™ copy immediately.

If you are an existing nProbe™ owner, you can get the standard version and we’ll give you a free upgrade to the pro/plugins version (do not forget to send us a mail after completing your transaction).

If you want to test drive nProbe™ you can use our pre-build binary packages.

If you are a no profit institution or a university, you can have nProbe™ at no cost (even if your donations are welcome): please drop us a mail from your university account where you explain why you qualify (emails originating from non-university account including hotmail, gmail and yahoo will be ignored).

Note that for nProbe™ OEM, reselling, repackaging (including device embed) you need a written commercial licence that’s available on request from its author. This because this is considered as derived work as specified in the GPL license.