Command Line Options

nProbe supports a large number of command line parameters. To see what they are, simply enter the command nprobe -h and the help information should be printed

Welcome to nProbe

Copyright 2002-20 ntop.org

Build OS: MacOSX 10.13.6

nProbe is subject to the terms and conditions defined in the LICENSE and EULA files that are part of this package.

nProbe also contains third party code: Radix tree code - (C) The Regents of the University of Michigan

(“The Regents”) and Merit Network, Inc.

sFlow collector - (C) InMon Inc.

Usage: nProbe -n <host:port|none> [-i <interface|dump file>] [-t <lifetime timeout>]

[-d <idle timeout>] [-l <queue timeout>] [-s <snaplen>] [-p <aggregation>] [-f <filter>] [-a] [-b <level>] [-G] [-P <path>] [-F <dump timeout>] [-D <format>] [-u <in dev idx>] [-Q <out dev idx>] [-I <probe name>] [-v] [-w <hash size>] [-e <flow delay>] [-B <packet count>] [-z <min flow size>] [-M <max num flows>] [-E <engine>] [-C <flow lock file>] [-m <min # flows>] [-R <cmd>] [-S <sample rate>] [-A <AS list>] [-g <PID file>] [-T <flow template>] [-U <flow template id>] [-o <v9 templ. export policy>] [-L <local nets>] [-c] [-r] [-1 <interface nets>] [-2 <number>] [-3 <port>] [-4] [-5] [-6] [-9 <path>] [–black-list <networks>] [–pcap-file-list <filename>] [-N <biflows export policy>] [–dont-drop-privileges]

nProbe (packet capture) specific options: [–snaplen|-s] <snaplen> | Packet capture snaplen [default 128 bytes] [–bpf-filter|-f] <BPF filter> | BPF filter for captured packets

[default=no filter]
--capture-direction <direction>
 
Specify packet capture direction
0=RX+TX (default), 1=RX only, 2=TX only
--enable-ipv4-deduplication
 
By default IPv4 frames hw-duplicated are not detected
and discarded. Use this option to enable
IPv4 hw-deduplication

[–skip-packet-header-bytes] <num> | Skip <num> bytes from ingress packet header. [–tunnel|-5] | Compute flows on tunnelled traffic rather than

on the external envelope
[–max-num-untunnels] | Max number of tunnels that will be decapsulated
when using –tunnel

[–no-promisc|-6] | Capture packets in non-promiscuous mode [–smart-udp-frags|-7] | Ignore UDP fragmented packets with fragment offset

greater than zero, and compute the fragmented
packet length on the initial fragment header.
[–ipsec-auth-data-len|-8] <len> | Length of the authentication data of IPSec
in tunnel mode. If not set, IPSec will not be decoded
--account-l2
NetFlow accounts IP traffic only, not counting
L2 headers. Using this option the L2 headers
are also accounted
--dump-pkts <.pcap file>
 
Dump incoming packets received on -i <dev> on <.pcap file>
--dump-bad-packets <file>
 
Dump bad/undecodeable packets into the specified pcap file

[–no-ipv6|-W] | IPv6 packets will not be accounted. Flow collector/proxy specific options (please use -i none): [–collector-port|-3] <port> | Collect NetFlow/jFlow/IPFIX/sFlow packets on port <port>

Example: -3 6343
Example: –collector-port 2055
NetFlow/jFlow/IPFIX/sFlow packets can also be received through
a ZMQ relay, in which case <port> is used to specify the
relay endpoint. An implementation of a ZMQ relay
comes packaged and is available as binary flowRelay.
--collection-filter <filter>
 
Filter applied to collected flows only (-3). Filter format:
[!]<asX | network/mask> (! means discard flows matching filter)
Multiple filters can be defined using multiple –collection-filter options.
Filter examples: !as12345, 192.168.0.0/24, !10.0.0.0/8

[–keep-probes-unmerged] | Don’t merge flows rcvd from different probe IPs. –load-custom-fields <file> | Load custom templates from the specified file. Pro only. –mask-interface-id | This flag has effect only in collector mode based on the:

flow version being collected:
v5 mask = engineId
v9 mask = sourceId (low 16 bits)
ipfix mask = observationDomainId (low 16 bits)
The mask is shifted of 16 bits and put in OR with the
flow interface Ids in/out of the collected flow
--discard-tcp-probing-flows
 
Discard TCP probing flows (e.g. 1 packet with SYN set)

[–max-ingress-rate] <rate> | Maximum ingress rate in Mbit/s (rate limiting) –collector-passthrough | Export collected flows as-is to the specified ZMQ

endpoints, skipping the internal flow cache and ignoring any
template configured with -T. All the fields found in the collected flows
are exported. This option provides the best collection performance
and it should be used when possible. This is a Pro-only feature.

Flow lifecycle/export specific options: [–collector|-n] <host:port|none> | Address of the NetFlow collector(s).

Multiple collectors can be defined using
multiple -n flags. In this case flows
will be sent in round robin mode to
all defined collectors if the -a flag
is used. Note that you can specify
both IPv4 and IPv6 addresses.
If you specify none as value,
no flow will be export; in this case
the -P parameter is mandatory.
Note that you can specify the protocol
used to send packets. Example:
udp://192.168.0.1:2055,tcp://10.1.2.3:2055
[–lifetime-timeout|-t] <timeout> | It specifies the maximum (seconds) flow
lifetime [default=120]
[–idle-timeout|-d] <timeout> | It specifies the maximum (seconds) flow
idle lifetime [default=30]
[–queue-timeout|-l] <timeout> | It specifies how long expired flows
(queued before delivery) are emitted
[default=30]
[–aggregation|-p] <aggregation> | It specifies the flow aggregation level:
<VLAN Id>/<proto>/<IP>/<port>/<TOS>/<SCTP StreamId>/<exporter IP>
where each element can be set to 0=ignore
or 1=take care. Example ‘-p 1/0/1/1/1/1/0’
ignores the protocol, whereas
‘-p 0/0/1/0/0/0/0’ ignores everything
but the IP. Default: 1/1/1/1/0/1/1
[–all-collectors|-a] | If several collectors are defined, this
option gives the ability to send all
collectors all the flows. If the flag is
omitted collectors are selected in
round robin.
[–dump-path|-P] <path> | Directory where dump files will
be stored.
--dont-nest-dump-dirs
 
Dump files (-P) won’t be saved on nested dirs.
[–exec-cmd-dump|-R] <cmd> | Execute the specified command for each
file dump on disk (including plugins).
[–exec-cmd-pcap|-x] <cmd> | Execute the specified command for each
pcap file that has been processed with -i.
[–dump-frequency|-F] <dump timeout>| Dump files dump frequencey (sec).
Default: 60
[–dump-format|-D] <format> | <format>: flows are saved as:
b : raw/uncompressed flows
B : raw core flow fields (152 bytes)
t : text flows
Example: -D b. Note: this flag has no
effect without -P.
[–in-iface-idx|-u] <in dev idx> | Index of the input device used in the
emitted flows (incoming traffic). Default
value is 0. Use -1 as value to dynamically
set to the last two bytes of
the MAC address of the flow sender.
[–out-iface-idx|-Q] <out dev idx> | Index of the output device used in the
emitted flows (outgoing traffic). Default
value is 0. Use -1 as value to dynamically
set to the last two bytes of
the MAC address of the flow receiver.
[–vlanid-as-iface-idx] <mode> | Use vlanId (0 for untagged traffic)
as interface index. Mode specifies with
stacked VLANs which vlanId to choose. Values
are ‘inner’, ‘outer’, ‘single’, or ‘dual’:
inner = use the most inner VLAN tag
outer = use the first (the one close to ether) VLAN tag
single = for even outer VLAN tags ‘E’,
where E={2,4,6…4094},
ifIdx is set to IN=‘0’,OUT=’E’.
For odd outer VLAN tags ‘O’,
where O={3,5,7…4095},
ifIdx is set to IN=’O-1’,OUT=‘0’
double = for even outer VLAN tags ‘E’,
where E={2,4,6…4094}, ifIdx
is set to IN=’E+1’,OUT=’E’.
For odd outer VLAN tags ‘O’,
where O={3,5,7…4095},
ifIdx are set to IN=’O-1’,OUT=’O’
Note that this option
superseedes the –in/out-iface-idx options
[–discard-unknown-flows] <mode> | In case you enable L7 proto detection
(e.g. add %L7_PROTO to the template)
this options enables you not to export
flows for which nDPI has not been able
to detect the proto. Mode values:
0 - Export known/unknown flows (default)
1 - Export only known flows (discard
flows with unknown protos)
2 - Export only unknown flows (discard
flows with known protos)
[–flow-lock|-C] <flow lock> | If the flow lock file is present no flows
are emitted. This facility is useful to
implement high availability by means of
a daemon that can create a lock file
when this instance is in standby.
--json-to-syslog
 
Export flows in JSON format to syslog
--json-labels
In case JSON label is used (e.g. with ZMQ)
labels instead of numbers are used as keys.
--lua <lua path>
 
Run the specified lua file before flow export (Pro-only).
[–flow-delay|-e] <flow delay> | Delay (in ms) between two flow
exports [default=0]
[–count-delay|-B] <packet count> | Send this many packets before
the -e delay [default=1]
[–min-flow-size|-z] <TCP[:UDP[:O]]>| Minimum flow size (in bytes).
If a flow is shorter than the
specified size the flow is not
emitted. Flow size can be specified
for TCP, UDP and Other flows, with Other
meaning neither TCP nor UDP.
[default=no_min/no_min/no_min]
[–max-num-flows|-M] <max num flows>| Limit the number of active flows. This is
useful if you want to limit the memory
or CPU allocated to nProbe in case of non
well-behaved applications such as
worms or DoS. [default=524288]
[–netflow-engine|-E] <type:id> | Specify the engine type and id.
The format is engineType:engineId.
[default=0:98] where engineId is a
random number.
If IPFIX is used, the observationDomainId/sourceId
is set to (engineType << 8) + engineId
[–min-num-flows|-m] <min # flows> | Minimum number of flows per packet
unless an expired flow is queued
for too long (see -l) [default=30
for v5, dynamic for v9/IPFIX]
[–sender-address|-q <host>[:<prt>]]| Specifies the address:port of the flow
sender. This option is useful for hosts
with multiple interfaces or if flows
must be emitted from a static port/IP.
--add-pid-to-logfile
 
Append the nProbe PID to dump files to avoid file
overwrite in case multiple probes dump onto the
same directory
--add-engineid-to-logfile
 
Append the defined NetFlow engineId to dump files

[–flow-templ|-T] <flow template> | Specify the NFv9/IPFIX template (see below). [–flow-templ-id|-U] <templ. id> | Specify the NFv9/IPFIX template identifier

[default: 257]

[–flow-version|-V] <version> | NetFlow Version: 5=NFv5, 9=NFv9, 10=IPFIX [–flows-intra-templ|-o] <num> | Specify how many flow pkts are exported

between template exports [default: 10]
--black-list <networks>
 
All the IPv4 hosts inside the networks
black-list will be discarded.
This reduces the load on the probe
instead of discarding flows on the
collector side.
[–biflows-export-policy|-N] <pol> | Bi-directional flows export policy:
0 - export all flows
1 - export bi-directional flows only
2 - export mono-directional flows only
--csv-separator <separator>
 
Specify the text files separator (see -P)
Default is ‘|’ (pipe)
--dump-metadata <file>
 
Dump flow metadata into the specified file
and quit. Useful for knowking the IE handled.
--max-log-lines <num>
 
Maximum number of lines on a dump file, or 0 = unlimited. Default: 10000.
--timestamp-format <mode>
 
Specify the timestamp format on dump files. Values:
0 - Unix Epoch
1 - Unix Epoch with microseconds
2 - Human readable timestamp
--event-log <file>
 
Dump relevant activities into the specified log file
--mac-asn-map <file>
 
Map ASN number based on the destination MAC specified
in <file> whose format is <MAC> <ASN>. Example:
# MAC ASN
00:11:22:33:44:55 1234
--vlan-iface-map <file>
 
Map VLAN IDs to in/egress interface Ids as specified
in <file> whose format is <MAC> <ASN>. Example:
# VLAN IN OUT
1234 5 6
Note: this option might conflict with the
option –vlanid-as-iface-idx
--tcp <server:port>
 
Deliver flows in JSON format to the specified server via TCP.
--bind-export-interface <name>
 
Bind the flow export socket to the IP of specified
network interface

ntopng/nProbe integration specific options: –zmq <socket> | Deliver flows to subscribers connected to the specified endpoint.

Example tcp://*:5556 or ipc://flows.ipc
You can define up to 8 endpoints. When more than one endpoint is defined,
a hash function is used to evenly balance the flows among them.
--zmq-encryption-key <pub key>
 
Encrypt ZMQ data using the specified public key.
--zmq-probe-mode
 
By default nProbe in ZMQ mode acts as a server with subscribers
(e.g. ntopng) attaching to it. When this option is used, roles are
reverted (i.e. use ntopng –zmq-collector-mode).
--zmq-format <format>
 
Select the ZMQ data format:
t - TLV (default)
j - JSON
--zmq-disable-compression
 
Disable JSON compression when z=sent via ZMQ (default: compress)
--zmq-disable-buffering
 
Disable flow buffering (less latency, but more ZMQ messages) (default: enabled)

IMPORTANT: for best results, please use -T “@NTOPNG@” as template when exporting flows towards ntopng

Read traffic from pcap file(s) (-i .pcap) specific options: –original-speed | When using -i with a pcap file, instead of reading packets

as fast as possible, the original speed is preserved (debug only)
--dont-reforge-timestamps
 
Disable nProbe to reforge timestamps with -i <pcap file> and
prevent flows from expire until the whole pcap is read (debug only)
--pcap-file-list <filename>
 
Specify a filename containing a list
of pcap files.
If you use this flag the -i option will be
ignored.

General options: [–interface|-i] <iface|pcap> | Interface name from which packets are

captured, or .pcap file.
[–verbose|-b] <level> | Verbose output:
0 - No verbose logging
1 - Limited logging (traffic statistics)
2 - Full verbose logging

[–daemon-mode|-G] | Start as daemon. [–nprobe-version|-v] | Prints the program version. [–help|-h] | Prints the nprobe help. Use -H for long help. [–help-netflow|-H] | Prints help including templates and plugins info. –l7-aggregation <mode> | Enable data aggregation in redis (–redis required)

1 - Aggregate hourly (redis key nprobe.l7_xxx.epoch)
2 - Aggregate daily (redis key nprobe.l7_xxx.epoch)
3 - Aggregate totals (redis key nprobe.l7_totals)
Where epoch is the current epoch modulus 3600 (hourly)
and 86400 (daily) and xxx is bytes/pkts.
--hostname-cache-duration <sec>
 
Hostname caching duration for %SRC_HOST_NAME/%DST_HOST_NAME
Default: 300 sec
[–syslog|-I] <probe name> | Log to syslog as <probe name>
[default=stdout]

[–hash-size|-w] <hash size> | Flows hash size [default=131072] [–sample-rate|-S] <pkt rate>:<flow collection rate>:<flow export rate>

Packet capture sampling rate (-i only)
and NetFlow collection/export sampling rate.
If <pkt rate> starts with
‘@’ it means that nProbe will report
the specified sampling rate but will
not sample itself as incoming packets
are already sampled on the specified
capture device at the specified rate.
NOTE: in sFlow pkt rate is part of the packet.
Flow collection rate specify the flow sampling
rate of the flows being collected (-3 only)).
Flow export rate (export only e.g. -n)
specifies how many flows are exported
(i.e. it does not affect flow collection).
Default: 1:1:1 [no sampling]
[–as-list|-A] <AS list> | GeoIP file containing with known ASs.
Example: /usr/share/GeoIP/GeoLite2-ASN.mmdb
--city-list <city list>
 
GeoIP file containing the city/IP mapping.
Example: –city-list /usr/share/GeoIP/GeoLite2-City.mmdb

[–pid-file|-g] <PID file> | Put the PID in the specified file [–http-server] <port>:<user>:<pwd> | Start the HTTP server on local port <port> with

specified credentials
[–local-networks|-L] <nets> | Specify the list of local networks whose
format is <net>/<mask> (if multiple use comma).
[–local-hosts-only|-c] | All the IPv4 hosts outside the local
network lists will be set to 0.0.0.0
(-L must be specified before -c).
This reduces the load on the probe
instead of discarding flows on the
collector side.
[–local-traffic-direction|-r] | All the traffic going towards
the local networks (-L must also be
specified before -r) is assumed incoming
traffic all the rest is assumed outgoing
(see also -u and -Q).
[–max-flow-size|-0] <size> | Specify the maximum flow size. NOTE:
This parameter has influence on -m.
[–if-networks|-1] <nets> | Specify the binding between interfaceId
and a network (see below).
[–dump-stats|-9] <path> | Periodically dump traffic stats into the
specified file
--dont-drop-privileges
 
Do not drop privileges changing to user nobody
--disable-sflow-upscale
 
Ignore sFlow sampling rate (1:1 is used) and thus
collected traffic is not upscaled
--ndpi-proto <proto>
 
Comma separated list of nDPI protocols to enable. If
not specified, all known protocols are detected.

–cli <port>:<user>:<pwd> | Enable command-line on the specified port –lru-cache-size <size> | Users and protocol cache size. Default 16384 –enable-throughput-stats | Compute throughput stats that can be dumped when -P is used –ndpi-proto-ports <file> | Read custom ports definitions for nDPI (see nDPI/example/protos.txt) –disable-l7-protocol-guess | When nDPI is enabled, in case a protocol is not recognized,

nProbe guesses the protocol based on ports. This option disables
this feature and uses only strict payload dissection
--db-engine <database engine>
 
Define the DB engine type (example MyISAM, InfiniDB).
This information is used by the database plugin.
Default MyISAM.
--unprivileged-user <name>
 
Use <name> instead of nobody when dropping privileges
--enable-collection-cache
 
Enable flow cache in collection mode (disabled by default)o
for avoid merging flows. This option is available only in
collector/proxy mode
–redis <host>[:<port>] | Connected to the specified redis server
Example –redis localhost
--use-redis-proxy
 
Use a redis proxy (e.g.
--ucloud
Enable the nProbe micro-cloud
--disable-startup-checks
 
Disable startup activities such as computation of public
IP address
--minute-expire
 
All active flows across a minute change are exported
regardless of the flow export settings

Plugin specific options: –plugin-dir <dir> | Load plugins from the specified directory. –drop-flow-no-plugin | Drop flows that have not processed by a plugin. –dump-plugin-families | Dump all available plugin families –plugin-notify | In case plugin(s) are enabled and –zmq is used

it is possible to send immediately to remote collectors
a JSON message with the decoded plugin flow info without
having to wait the flow to expire

GTP traffic specific options: –imsi-apn-aggregation | Aggregate IMSI and APN traffic –aggregate-gtp-tunnels | Aggregate GTP traffic on tunnel id.

Debug specific options (NOT for general use): –debug | Enable debugging (development only). –debug-hash | Enable hash debugging (development only). –terminate-in <sec> | Terminate nProbe in <sec> seconds. –performance | Enable performance tracing. [–count|-2] <number> | Capture a specified number of packets

and quit.
--simulate-storage
 
Simulate storage to disk.
--fake-capture
Fake packet capture (development only).
--interpret-flow-packets
 
Interpret received packets to see
if they contain flows (debug only)

Note on interface indexes and (router) MAC/IP addresses

Flags -u and -Q are used to specify the SNMP interface identifiers for emitted flows. However using –if-networks it is possible to specify an interface identifier to which a MAC address or IP network is bound. The syntax of –if-networks is:

<MAC|IP/mask>@<interfaceId> where multiple entries can be separated by a comma (,).

Example: –if-networks “AA:BB:CC:DD:EE:FF@3,192.168.0.0/24@2” or –if-networks @<filename> where <filename> is a file path containing the networks specified using the above format.

Further plugin available command line options

06/May/2020 16:53:23 [modbusPlugin.c:104] [MODBUS] Idle flow timeout set to 120 sec [HTTP Protocol]

--http-dump-dir <dump dir>
 
Directory where HTTP logs will be dumped
--http-content-dump-dir <dump dir>
 
Directory where HTTP content (request only) will be dumped
--http-content-dump-response
 
Dump both HTTP request and response with –http-content-dump-dir
--http-exec-cmd <cmd>
 
Command executed whenever a directory has been dumped
--dont-hash-cookies
 
Dump cookie string instead of cookie hash
--http-verbose-level <level>
 
0 - Relevant info, 1 - Very verbose (default: 1)
--http-ports
List of ports used for http protocol (default: 80)
--proxy-ports
List of ports used for proxy protocol (default: 3128, 8080)
--http-parse-geolocation
 
Dump geolocation info if explicitly present inside mobile app protocol (e.g., “Nimbuzz”)
[DNS/LLMNR Protocol]
--dns-dump-dir <dump dir>
 
Directory where DNS logs will be dumped
[SIP Plugin]
--sip-dump-dir <dump dir>
 
Directory where SIP logs will be dumped
--sip-exec-cmd <cmd>
 
Command executed whenever a directory has been dumped

You can use @SIP@ in -T as shortcut for %SIP_CALL_ID %SIP_UAC %SIP_UAS %SIP_CALLING_PARTY %SIP_CALLED_PARTY %SIP_RTP_IPV4_SRC_ADDR %SIP_RTP_L4_SRC_PORT %SIP_RTP_IPV4_DST_ADDR %SIP_RTP_L4_DST_PORT %SIP_RESPONSE_CODE %SIP_REASON_CAUSE %SIP_CALL_STATE %SIP_RTP_CODECS

[RTP Plugin]
--rtp-discard-late-pkts <msec>
 
Discard from stats RTP packets whose inter-arrival is
greater than the specified latency.

You can use @RTP@ in -T as shortcut for %RTP_SIP_CALL_ID %RTP_RTT %RTP_IN_JITTER %RTP_OUT_JITTER %RTP_IN_PKT_LOST %RTP_OUT_PKT_LOST %RTP_IN_PKT_DROP %RTP_OUT_PKT_DROP %RTP_IN_MAX_DELTA %RTP_OUT_MAX_DELTA %RTP_IN_PAYLOAD_TYPE %RTP_OUT_PAYLOAD_TYPE %RTP_IN_MOS %RTP_OUT_MOS %RTP_IN_R_FACTOR %RTP_OUT_R_FACTOR

[FTP Protocol]
--ftp-dump-dir <dump dir>
 
Directory where FTP logs will be dumped
--ftp-exec-cmd <cmd>
 
Command executed whenever a directory has been dumped
[SMTP Protocol]
--smtp-dump-dir <dump dir>
 
Directory where SMTP logs will be dumped
--smtp-exec-cmd <cmd>
 
Command executed whenever a directory has been dumped
[BGP Update Listener]
--bgp-port <port>
 
TCP port on which BGP updates will be sent
--adj-from-as-path <num>
 
Use the <num>-th ASN in the AS path to the source IP
to populate field %BGP_PREV_ADJACENT_ASN,
and <num>-th ASN in the AS path to the destination IP
to populate field %BGP_NEXT_ADJACENT_ASN.
[Netflow-Lite Plugin]
–nflite <flow listen port low>[:<num ports>]> | Specify NetFlow-Lite listen port(s) (max 32)
[GTPv0 Signaling Protocol]
--gtpv0-dump-dir <dump dir>
 
Directory where GTP logs will be dumped
--gtpv0-exec-cmd <cmd>
 
Command executed whenever a directory has been dumped
[GTPv1 Signaling Protocol]
--gtpv1-dump-dir <dump dir>
 
Directory where GTP logs will be dumped
--gtpv1-exec-cmd <cmd>
 
Command executed whenever a directory has been dumped
--gtpv1-account-imsi
 
Enable IMSI aggregation on GTPv1 signalling
--gtpv1-track-non-gtp-u-traffic
 
Enable tracking of user traffic non GTP-U encapsulated
triggered by GTP-U signalling (requires –ucloud)
[GTPv2 Signaling Protocol]
--gtpv2-dump-dir <dump dir>
 
Directory where GTP logs will be dumped
--gtpv2-exec-cmd <cmd>
 
Command executed whenever a directory has been dumped
--gtpv2-account-imsi
 
Enable GTPv2 traffic accounting
--gtpv2-track-non-gtp-u-traffic
 
Enable tracking of user traffic non GTP-U encapsulated
triggered by GTP-U signalling (requires –ucloud)
[Radius Protocol]
--radius-dump-dir <dump dir>
 
Directory where Radius logs will be dumped
--radius-exec-cmd <cmd>
 
Command executed whenever a directory has been dumped
[Modbus Plugin]
--modbus-dump-dir <dump dir>
 
Directory where modbus logs will be dumped
--modbus-exec-cmd <cmd>
 
Command executed whenever a directory has been dumped
--modbus-idle-timeout <duration>
 
Modbus idle flow timeout set to 120 seconds
[Diameter Protocol]
--diameter-dump-dir <dump dir>
 
Directory where Diameter logs will be dumped
--diameter-exec-cmd <cmd>
 
Command executed whenever a directory has been dumped
[NETBIOS Protocol]
--netbios-dump-dir <dump dir>
 
Directory where NETBIOS logs will be dumped
[SSDP Protocol]
--ssdp-dump-dir <dump dir>
 
Directory where SSDP logs will be dumped
[DHCP Protocol]
--dhcp-dump-dir <dump dir>
 
Directory where DHCP logs will be dumped
--dhcp-exec-cmd <cmd>
 
Command executed whenever a directory has been dumped
[IMAP Protocol]
--imap-dump-dir <dump dir>
 
Directory where IMAP logs will be dumped
--imap-exec-cmd <cmd>
 
Command executed whenever a directory has been dumped
--imap-peek-headers
 
Dump both emails body and headers (default: body only)
[POP3 Protocol]
--pop-dump-dir <dump dir>
 
Directory where POP3 logs will be dumped
--pop-exec-cmd <cmd>
 
Command executed whenever a directory has been dumped

[MySQL DB]

[MySQL Plugin]
--mysql-dump-dir <dump dir>
 
Directory where MySQL logs will be dumped
--mysql-exec-cmd <cmd>
 
Command executed whenever a directory has been dumped
[Export Plugin]
--elastic <format>
 
Enable export to ElasticSearch
Format: <index type>;<index name>;<es URL>;<es user>:<es pwd>
Note: <es user> and <es pwd> can be directly specified in the <es URL>
Note: the <index name> accepts the format supported by strftime().
Examples:
–elastic “flows;nprobe-%Y.%m.%d;http://localhost:9200/_bulk”
–elastic “flows;nprobe-%Y.%m.%d;http://elastic:3last1cpassw0rd@localhost:9200/_bulk”
–elastic “flows;nprobe-%Y.%m.%d;http://localhost:9200/_bulk;elastic:3last1cpassw0rd”
–kafka <brokers>;<topic>;[<opt topic>;<ack>;<comp>] | Send flows to Apache Kafka brokers obtained by metadata information
<host1>[:<port1>],<host2>[:<port2>]… Initial brokers list used to receive metadata information
<flow topic> Flow topic
<opt topic> Flow options topic
<0|1|-1> 0 = Don’t wait for ack
1 = Leader ack is enough
1 = All replica must ack
<compression> Compression type: none, gzip, snappy
Note: <opt topic> is only used when collecting NetFlow
to export option template records.
Option template records are just exported as-is,
and must be configured with option –load-custom-fields.
To disable option template records export it is safe
to specify none as value for <opt topic>.
Example: –kafka localhost;flowsTopic;optionsTopic
–kafka-conf [<prop=value>|list] | Set arbitrary librdkafka configuration property.
Properties prefixed with “topic.” are set to the topic.
Pass “list” to print all the available properties.
Multiple properties can be set by repeating this option.
Examples:
–kafka-conf batch.num.messages=1000
–kafka-conf debug=msg
–kafka-conf queue.buffering.max.ms=100
–kafka-conf topic.auto.commit.interval.ms=200
–kafka-conf list
--kafka-num-producers <num>
 
Create <num> parallel Kafka producers.
Producers are used in round-robin to export flows.
Default: 1, maximum: 4.
--kafka-performance-test <num>
 
Exports every flow <num>+1 times.
Use only in test environments to perform performance analyses
and measure how fast Kafka is able to ingest flows.
--kafka-add-timestamp
 
Add @timestamp field in ISO-8601 format
[Custom Fields]
--custom-fields <fields>
 
Comma-separated list of custom fields in the format <key>=<value>
where value is a literal string/number (or a function)
Example: –custom-fields “NAME=ntop,YEAR=2019”

NetFlow v9/IPFIX format [-T]

The following options can be used to specify the format:

ID NetFlow Label IPFIX Label Description

[ 4][Len 1] %PROTOCOL %protocolIdentifier IP protocol byte [NFv9 58500][IPFIX 35632.1028][Len 16] %PROTOCOL_MAP IP protocol name [ 5][Len 1] %SRC_TOS %ipClassOfService TOS/DSCP (src->dst) [ 6][Len 1] %TCP_FLAGS %tcpControlBits Cumulative of all flow TCP flags [ 7][Len 2] %L4_SRC_PORT %sourceTransportPort IPv4 source port [NFv9 58503][IPFIX 35632.1031][Len 16] %L4_SRC_PORT_MAP Layer 4 source port symbolic name [ 8][Len 4] %IPV4_SRC_ADDR %sourceIPv4Address IPv4 source address [ 9][Len 1] %IPV4_SRC_MASK %sourceIPv4PrefixLength IPv4 source subnet mask (/<bits>) [ 10][Len 4] %INPUT_SNMP %ingressInterface Input interface SNMP idx [ 11][Len 2] %L4_DST_PORT %destinationTransportPort IPv4 destination port [NFv9 58507][IPFIX 35632.1035][Len 16] %L4_DST_PORT_MAP Layer 4 destination port symbolic name [NFv9 58508][IPFIX 35632.1036][Len 2] %L4_SRV_PORT Layer 4 server port [NFv9 58509][IPFIX 35632.1037][Len 16] %L4_SRV_PORT_MAP Layer 4 server port symbolic name [ 12][Len 4] %IPV4_DST_ADDR %destinationIPv4Address IPv4 destination address [ 13][Len 1] %IPV4_DST_MASK %destinationIPv4PrefixLength IPv4 dest subnet mask (/<bits>) [ 14][Len 4] %OUTPUT_SNMP %egressInterface Output interface SNMP idx [ 15][Len 4] %IPV4_NEXT_HOP %ipNextHopIPv4Address IPv4 next hop address [ 16][Len 4] %SRC_AS %bgpSourceAsNumber Source BGP AS [ 17][Len 4] %DST_AS %bgpDestinationAsNumber Destination BGP AS [129][Len 4] %BGP_PREV_ADJACENT_ASN %bgpNextAdjacentAsNumber Source BGP Prev AS [128][Len 4] %BGP_NEXT_ADJACENT_ASN %bgpPrevAdjacentAsNumber Destination BGP Next AS [ 18][Len 4] %BGP_IPV4_NEXT_HOP %bgpNexthopIPv4Address [ 21][Len 4] %LAST_SWITCHED %flowEndSysUpTime SysUptime (msec) of the last flow pkt [ 22][Len 4] %FIRST_SWITCHED %flowStartSysUpTime SysUptime (msec) of the first flow pkt [ 23][Len 4] %OUT_BYTES %postOctetDeltaCount Outgoing flow bytes (dst->src) [Aliased to %DST_TO_SRC_BYTES] [ 24][Len 4] %OUT_PKTS %postPacketDeltaCount Outgoing flow packets (dst->src) [Aliased to %DST_TO_SRC_PKTS] [ 25][Len 2] %MIN_IP_PKT_LEN %minimumIpTotalLength Len of the smallest flow IP packet observed [ 26][Len 2] %MAX_IP_PKT_LEN %maximumIpTotalLength Len of the largest flow IP packet observed [ 27][Len 16] %IPV6_SRC_ADDR %sourceIPv6Address IPv6 source address [ 28][Len 16] %IPV6_DST_ADDR %destinationIPv6Address IPv6 destination address [ 29][Len 1] %IPV6_SRC_MASK %sourceIPv6PrefixLength IPv6 source mask [ 30][Len 1] %IPV6_DST_MASK %destinationIPv6PrefixLength IPv6 destination mask [ 32][Len 2] %ICMP_TYPE %icmpTypeCodeIPv4 ICMP Type * 256 + ICMP code [ 34][Len 4] %SAMPLING_INTERVAL Sampling rate [ 35][Len 1] %SAMPLING_ALGORITHM Sampling type (deterministic/random) [ 36][Len 2] %FLOW_ACTIVE_TIMEOUT %flowActiveTimeout Activity timeout of flow cache entries [ 37][Len 2] %FLOW_INACTIVE_TIMEOUT %flowIdleTimeout Inactivity timeout of flow cache entries [ 38][Len 1] %ENGINE_TYPE Flow switching engine [ 39][Len 1] %ENGINE_ID Id of the flow switching engine [ 40][Len 4] %TOTAL_BYTES_EXP %exportedOctetTotalCount Total bytes exported [ 41][Len 4] %TOTAL_PKTS_EXP %exportedMessageTotalCount Total flow packets exported [ 42][Len 4] %TOTAL_FLOWS_EXP %exportedFlowRecordTotalCount Total number of exported flows [ 52][Len 1] %MIN_TTL %minimumTTL Min flow TTL [ 53][Len 1] %MAX_TTL %maximumTTL Max flow TTL [ 55][Len 1] %DST_TOS %ipClassOfService TOS/DSCP (dst->src) [ 58][Len 2] %SRC_VLAN %vlanId Source VLAN (inner VLAN in QinQ) [ 59][Len 2] %DST_VLAN %postVlanId Destination VLAN (inner VLAN in QinQ) [ 56][Len 6] %IN_SRC_MAC %sourceMacAddress Source MAC Address [ 57][Len 6] %OUT_DST_MAC %postDestinationMacAddress Post Destination MAC Address [ 80][Len 6] %IN_DST_MAC %destinationMacAddress Destination MAC Address [ 81][Len 6] %OUT_SRC_MAC %postSourceMacAddress Post Source MAC Address [ 82][Len 8] %INTERFACE_NAME %interfaceName Interface you are capturing from (-i) [243][Len 2] %DOT1Q_SRC_VLAN %dot1qVlanId Source VLAN (outer VLAN in QinQ) [254][Len 2] %DOT1Q_DST_VLAN %postdot1qVlanId Destination VLAN (outer VLAN in QinQ) [ 60][Len 1] %IP_PROTOCOL_VERSION %ipVersion [4=IPv4][6=IPv6] [ 61][Len 1] %DIRECTION %flowDirection Flow direction [0=src->dst, 1=dst->src] [ 62][Len 16] %IPV6_NEXT_HOP %ipNextHopIPv6Address IPv6 next hop address [ 70][Len 3] %MPLS_LABEL_1 %mplsTopLabelStackSection MPLS label at position 1 [ 71][Len 3] %MPLS_LABEL_2 %mplsLabelStackSection2 MPLS label at position 2 [ 72][Len 3] %MPLS_LABEL_3 %mplsLabelStackSection3 MPLS label at position 3 [ 73][Len 3] %MPLS_LABEL_4 %mplsLabelStackSection4 MPLS label at position 4 [ 74][Len 3] %MPLS_LABEL_5 %mplsLabelStackSection5 MPLS label at position 5 [ 75][Len 3] %MPLS_LABEL_6 %mplsLabelStackSection6 MPLS label at position 6 [ 76][Len 3] %MPLS_LABEL_7 %mplsLabelStackSection7 MPLS label at position 7 [ 77][Len 3] %MPLS_LABEL_8 %mplsLabelStackSection8 MPLS label at position 8 [ 78][Len 3] %MPLS_LABEL_9 %mplsLabelStackSection9 MPLS label at position 9 [ 79][Len 3] %MPLS_LABEL_10 %mplsLabelStackSection10 MPLS label at position 10 [ 95][Len 4] %APPLICATION_ID %application_id Cisco Application Id [136][Len 1] %FLOW_END_REASON %flowEndReason The reason for flow termination. [102][Len 2] %PACKET_SECTION_OFFSET Packet section offset [103][Len 2] %SAMPLED_PACKET_SIZE Sampled packet size [104][Len 2] %SAMPLED_PACKET_ID Sampled packet id [130][Len 4] %EXPORTER_IPV4_ADDRESS %exporterIPv4Address Flow exporter IPv4 Address [131][Len 16] %EXPORTER_IPV6_ADDRESS %exporterIPv6Address Flow exporter IPv6 Address [148][Len 4] %FLOW_ID %flowId Serial Flow Identifier [150][Len 4] %FLOW_START_SEC %flowStartSeconds Seconds (epoch) of the first flow packet [151][Len 4] %FLOW_END_SEC %flowEndSeconds Seconds (epoch) of the last flow packet [152][Len 8] %FLOW_START_MILLISECONDS %flowStartMilliseconds Msec (epoch) of the first flow packet [154][Len 8] %FLOW_START_MICROSECONDS %flowStartMicroseconds uSec (epoch) of the first flow packet [153][Len 8] %FLOW_END_MILLISECONDS %flowEndMilliseconds Msec (epoch) of the last flow packet [155][Len 8] %FLOW_END_MICROSECONDS %flowEndMicroseconds uSec (epoch) of the last flow packet [239][Len 1] %BIFLOW_DIRECTION %biflow_direction 1=initiator, 2=reverseInitiator [225][Len 4] %POST_NAT_SRC_IPV4_ADDR %postNatSourceIPv4Address Post Nat Source IPv4 Address [226][Len 4] %POST_NAT_DST_IPV4_ADDR %postNatDestinationIPv4Address Post Nat Destination IPv4 Address [227][Len 2] %POST_NAPT_SRC_TRANSPORT_PORT %postNaptSourceTransportPort Post Napt Source Transport Port [228][Len 2] %POST_NAPT_DST_TRANSPORT_PORT %postNaptDestinationTransportPort Post Napt Destination Transport Port [229][Len 1] %NAT_ORIGINATING_ADDRESS_REALM %natOriginatingAddressRealm Nat Originating Address Realm [230][Len 1] %NAT_EVENT %natEvent Nat Event [233][Len 1] %FIREWALL_EVENT %firewallEvent Flow events 0=ignore, 1=created, 2=deleted, 3=denied, 4=alert, 5=update [234][Len 4] %INGRESS_VRFID %ingressVRFID Ingress VRF ID [161][Len 4] %FLOW_DURATION_MILLISECONDS %flowDurationMilliseconds Flow duration (msec) [162][Len 4] %FLOW_DURATION_MICROSECONDS %flowDurationMicroseconds Flow duration (usec) [176][Len 1] %ICMP_IPV4_TYPE %icmpTypeIPv4 ICMP Type [177][Len 1] %ICMP_IPV4_CODE %icmpCodeIPv4 ICMP Code [277][Len 2] %OBSERVATION_POINT_TYPE Observation point type [300][Len 2] %OBSERVATION_POINT_ID Observation point id [302][Len 2] %SELECTOR_ID Selector id [304][Len 2] %IPFIX_SAMPLING_ALGORITHM Sampling algorithm [309][Len 2] %SAMPLING_SIZE Number of packets to sample [310][Len 2] %SAMPLING_POPULATION Sampling population [312][Len 2] %FRAME_LENGTH Original L2 frame length [318][Len 2] %PACKETS_OBSERVED Tot number of packets seen [319][Len 2] %PACKETS_SELECTED Number of pkts selected for sampling [335][Len 2] %SELECTOR_NAME Sampler name [NFv9 57552][IPFIX 35632.80][Len 2] %SRC_FRAGMENTS Num fragmented packets src->dst [NFv9 57553][IPFIX 35632.81][Len 2] %DST_FRAGMENTS Num fragmented packets dst->src [NFv9 57595][IPFIX 35632.123][Len 4] %CLIENT_NW_LATENCY_MS Network RTT/2 client <-> nprobe (msec) [NFv9 57596][IPFIX 35632.124][Len 4] %SERVER_NW_LATENCY_MS Network RTT/2 nprobe <-> server (msec) [NFv9 57550][IPFIX 35632.78][Len 1] %CLIENT_TCP_FLAGS Cumulative of all client TCP flags [NFv9 57551][IPFIX 35632.79][Len 1] %SERVER_TCP_FLAGS Cumulative of all server TCP flags [NFv9 57597][IPFIX 35632.125][Len 4] %APPL_LATENCY_MS Application latency (msec), a.k.a. server response time [NFv9 57943][IPFIX 35632.471][Len 4] %NPROBE_IPV4_ADDRESS IPv4 address of the host were nProbe runs [NFv9 57554][IPFIX 35632.82][Len 4] %SRC_TO_DST_MAX_THROUGHPUT Src to dst max thpt (bps) [NFv9 57555][IPFIX 35632.83][Len 4] %SRC_TO_DST_MIN_THROUGHPUT Src to dst min thpt (bps) [NFv9 57556][IPFIX 35632.84][Len 4] %SRC_TO_DST_AVG_THROUGHPUT Src to dst average thpt (bps) [NFv9 57557][IPFIX 35632.85][Len 4] %DST_TO_SRC_MAX_THROUGHPUT Dst to src max thpt (bps) [NFv9 57558][IPFIX 35632.86][Len 4] %DST_TO_SRC_MIN_THROUGHPUT Dst to src min thpt (bps) [NFv9 57559][IPFIX 35632.87][Len 4] %DST_TO_SRC_AVG_THROUGHPUT Dst to src average thpt (bps) [NFv9 57560][IPFIX 35632.88][Len 4] %NUM_PKTS_UP_TO_128_BYTES # packets whose IP size <= 128 [NFv9 57561][IPFIX 35632.89][Len 4] %NUM_PKTS_128_TO_256_BYTES # packets whose IP size > 128 and <= 256 [NFv9 57562][IPFIX 35632.90][Len 4] %NUM_PKTS_256_TO_512_BYTES # packets whose IP size > 256 and < 512 [NFv9 57563][IPFIX 35632.91][Len 4] %NUM_PKTS_512_TO_1024_BYTES # packets whose IP size > 512 and < 1024 [NFv9 57564][IPFIX 35632.92][Len 4] %NUM_PKTS_1024_TO_1514_BYTES # packets whose IP size > 1024 and <= 1514 [NFv9 57565][IPFIX 35632.93][Len 4] %NUM_PKTS_OVER_1514_BYTES # packets whose IP size > 1514 [NFv9 57570][IPFIX 35632.98][Len 4] %CUMULATIVE_ICMP_TYPE Cumulative OR of ICMP type packets [NFv9 57577][IPFIX 35632.105][Len 2] %FLOW_PROTO_PORT L7 port that identifies the flow protocol or 0 if unknown [NFv9 57578][IPFIX 35632.106][Len 4] %UPSTREAM_TUNNEL_ID Upstream tunnel identifier (e.g. GTP TEID, VXLAN VNI) or 0 if unknown [NFv9 57918][IPFIX 35632.446][Len 2] %UPSTREAM_SESSION_ID Upstream session identifier (e.g. L2TP) or 0 if unknown [NFv9 57579][IPFIX 35632.107][Len 2] %LONGEST_FLOW_PKT Longest packet (bytes) of the flow [NFv9 57580][IPFIX 35632.108][Len 2] %SHORTEST_FLOW_PKT Shortest packet (bytes) of the flow [NFv9 57599][IPFIX 35632.127][Len 4] %RETRANSMITTED_IN_BYTES Number of retransmitted TCP flow bytes (src->dst) [NFv9 57581][IPFIX 35632.109][Len 4] %RETRANSMITTED_IN_PKTS Number of retransmitted TCP flow packets (src->dst) [NFv9 57600][IPFIX 35632.128][Len 4] %RETRANSMITTED_OUT_BYTES Number of retransmitted TCP flow bytes (dst->src) [NFv9 57582][IPFIX 35632.110][Len 4] %RETRANSMITTED_OUT_PKTS Number of retransmitted TCP flow packets (dst->src) [NFv9 57583][IPFIX 35632.111][Len 4] %OOORDER_IN_PKTS Number of out of order TCP flow packets (dst->src) [NFv9 57584][IPFIX 35632.112][Len 4] %OOORDER_OUT_PKTS Number of out of order TCP flow packets (src->dst) [NFv9 57585][IPFIX 35632.113][Len 1] %UNTUNNELED_PROTOCOL Untunneled IP protocol byte [NFv9 57586][IPFIX 35632.114][Len 4] %UNTUNNELED_IPV4_SRC_ADDR Untunneled IPv4 source address [NFv9 57587][IPFIX 35632.115][Len 2] %UNTUNNELED_L4_SRC_PORT Untunneled IPv4 source port [NFv9 57588][IPFIX 35632.116][Len 4] %UNTUNNELED_IPV4_DST_ADDR Untunneled IPv4 destination address [NFv9 57589][IPFIX 35632.117][Len 2] %UNTUNNELED_L4_DST_PORT Untunneled IPv4 destination port [NFv9 57590][IPFIX 35632.118][Len 2] %L7_PROTO Layer 7 protocol (numeric) [NFv9 57591][IPFIX 35632.119][Len 16 varlen] %L7_PROTO_NAME Layer 7 protocol name [NFv9 57973][IPFIX 35632.501][Len 16 varlen] %L7_PROTO_CATEGORY Layer 7 protocol category [NFv9 57592][IPFIX 35632.120][Len 4] %DOWNSTREAM_TUNNEL_ID Downstream tunnel identifier (e.g. GTP TEID, VXLAN VNI) or 0 if unknown [NFv9 57919][IPFIX 35632.447][Len 2] %DOWNSTREAM_SESSION_ID Downstream session identifier (e.g. L2TP) or 0 if unknown [NFv9 57660][IPFIX 35632.188][Len 48 varlen] %TLS_SERVER_NAME TLS server name [NFv9 57661][IPFIX 35632.189][Len 40 varlen] %BITTORRENT_HASH BITTORRENT hash [NFv9 57593][IPFIX 35632.121][Len 32 varlen] %FLOW_USER_NAME Flow username of the tunnel (if known) [NFv9 57594][IPFIX 35632.122][Len 32 varlen] %FLOW_SERVER_NAME Flow server name (if known) [NFv9 57598][IPFIX 35632.126][Len 8 varlen] %PLUGIN_NAME Plugin name used by this flow (if any) [NFv9 57868][IPFIX 35632.396][Len 16] %UNTUNNELED_IPV6_SRC_ADDR Untunneled IPv6 source address [NFv9 57869][IPFIX 35632.397][Len 16] %UNTUNNELED_IPV6_DST_ADDR Untunneled IPv6 destination address [NFv9 57819][IPFIX 35632.347][Len 4] %NUM_PKTS_TTL_EQ_1 # packets with TTL = 1 [NFv9 57818][IPFIX 35632.346][Len 4] %NUM_PKTS_TTL_2_5 # packets with TTL > 1 and TTL <= 5 [NFv9 57806][IPFIX 35632.334][Len 4] %NUM_PKTS_TTL_5_32 # packets with TTL > 5 and TTL <= 32 [NFv9 57807][IPFIX 35632.335][Len 4] %NUM_PKTS_TTL_32_64 # packets with TTL > 32 and <= 64 [NFv9 57808][IPFIX 35632.336][Len 4] %NUM_PKTS_TTL_64_96 # packets with TTL > 64 and <= 96 [NFv9 57809][IPFIX 35632.337][Len 4] %NUM_PKTS_TTL_96_128 # packets with TTL > 96 and <= 128 [NFv9 57810][IPFIX 35632.338][Len 4] %NUM_PKTS_TTL_128_160 # packets with TTL > 128 and <= 160 [NFv9 57811][IPFIX 35632.339][Len 4] %NUM_PKTS_TTL_160_192 # packets with TTL > 160 and <= 192 [NFv9 57812][IPFIX 35632.340][Len 4] %NUM_PKTS_TTL_192_224 # packets with TTL > 192 and <= 224 [NFv9 57813][IPFIX 35632.341][Len 4] %NUM_PKTS_TTL_224_255 # packets with TTL > 224 and <= 255 [NFv9 57821][IPFIX 35632.349][Len 37] %IN_SRC_OSI_SAP OSI Source SAP (OSI Traffic Only) [NFv9 57822][IPFIX 35632.350][Len 37] %OUT_DST_OSI_SAP OSI Destination SAP (OSI Traffic Only) [NFv9 57863][IPFIX 35632.391][Len 4] %DURATION_IN Client to Server stream duration (msec) [NFv9 57864][IPFIX 35632.392][Len 4] %DURATION_OUT Client to Server stream duration (msec) [NFv9 57887][IPFIX 35632.415][Len 2] %TCP_WIN_MIN_IN Min TCP Window (src->dst) [NFv9 57888][IPFIX 35632.416][Len 2] %TCP_WIN_MAX_IN Max TCP Window (src->dst) [NFv9 57889][IPFIX 35632.417][Len 2] %TCP_WIN_MSS_IN TCP Max Segment Size (src->dst) [NFv9 57890][IPFIX 35632.418][Len 1] %TCP_WIN_SCALE_IN TCP Window Scale (src->dst) [NFv9 57891][IPFIX 35632.419][Len 2] %TCP_WIN_MIN_OUT Min TCP Window (dst->src) [NFv9 57892][IPFIX 35632.420][Len 2] %TCP_WIN_MAX_OUT Max TCP Window (dst->src) [NFv9 57893][IPFIX 35632.421][Len 2] %TCP_WIN_MSS_OUT TCP Max Segment Size (dst->src) [NFv9 57894][IPFIX 35632.422][Len 1] %TCP_WIN_SCALE_OUT TCP Window Scale (dst->src) [NFv9 57910][IPFIX 35632.438][Len 4] %PAYLOAD_HASH Initial flow payload hash [NFv9 57915][IPFIX 35632.443][Len 16] %SRC_AS_MAP Organization name for SRC_AS [NFv9 57916][IPFIX 35632.444][Len 16] %DST_AS_MAP Organization name for DST_AS [NFv9 57944][IPFIX 35632.472][Len 8] %SRC_TO_DST_SECOND_BYTES Bytes/sec (src->dst) [pro only] [NFv9 57945][IPFIX 35632.473][Len 8] %DST_TO_SRC_SECOND_BYTES Bytes/sec2 (dst->src) [pro only] [NFv9 57961][IPFIX 35632.489][Len 32 varlen] %JA3C_HASH JA3 client hash [NFv9 57962][IPFIX 35632.490][Len 32 varlen] %JA3S_HASH JA3 server hash [NFv9 57963][IPFIX 35632.491][Len 48 varlen] %SRC_HOST_NAME Symbolic src host name [NFv9 57964][IPFIX 35632.492][Len 48 varlen] %DST_HOST_NAME Symbolic dst host name [NFv9 57965][IPFIX 35632.493][Len 2] %TLS_CIPHER TLS Connection Cipher [NFv9 57966][IPFIX 35632.494][Len 1] %TLS_UNSAFE_CIPHER TLS Safe(0)/unsafe(1) cipher [NFv9 57967][IPFIX 35632.495][Len 2] %TLS_VERSION TLS Version [NFv9 57974][IPFIX 35632.502][Len 12] %SEQ_PLEN Seq of packet len (6 classes) [NFv9 57977][IPFIX 35632.505][Len 12] %SEQ_TDIFF Seq of time diff (6 classes) [NFv9 57978][IPFIX 35632.506][Len 2] %SEQ_PLEN_HASH Seq of packet len hash [NFv9 57979][IPFIX 35632.507][Len 2] %SEQ_TDIFF_HASH Seq of time diff hash [NFv9 57980][IPFIX 35632.508][Len 12] %PKT_VECTOR Seq of packet len (+=c2s, -=s2c) [NFv9 57971][IPFIX 35632.499][Len 32 varlen] %HASSH_CLIENT HASSH client hash [NFv9 57972][IPFIX 35632.500][Len 32 varlen] %HASSH_SERVER HASSH server hash [NFv9 57975][IPFIX 35632.503][Len 4] %ENTROPY_CLIENT_BYTES Byte (src->dst) entropy * 1000 [NFv9 57976][IPFIX 35632.504][Len 4] %ENTROPY_SERVER_BYTES Byte (dst->src) entropy * 1000

Plugin HTTP Protocol templates: [NFv9 57652][IPFIX 35632.180][Len 128 varlen] %HTTP_URL HTTP URL (IXIA URI) [NFv9 57832][IPFIX 35632.360][Len 4 varlen] %HTTP_METHOD HTTP METHOD [NFv9 57653][IPFIX 35632.181][Len 2] %HTTP_RET_CODE HTTP return code (e.g. 200, 304…) [NFv9 57654][IPFIX 35632.182][Len 128 varlen] %HTTP_REFERER HTTP Referer [NFv9 57655][IPFIX 35632.183][Len 256 varlen] %HTTP_UA HTTP User Agent [NFv9 57656][IPFIX 35632.184][Len 256 varlen] %HTTP_MIME HTTP Mime Type [NFv9 57659][IPFIX 35632.187][Len 64 varlen] %HTTP_HOST HTTP(S) Host Name (IXIA Host Name) [NFv9 57833][IPFIX 35632.361][Len 64 varlen] %HTTP_SITE HTTP server without host name [NFv9 57932][IPFIX 35632.460][Len 256 varlen] %HTTP_X_FORWARDED_FOR HTTP X-Forwarded-For [NFv9 57933][IPFIX 35632.461][Len 256 varlen] %HTTP_VIA HTTP Via

Plugin DNS/LLMNR Protocol templates: [NFv9 57677][IPFIX 35632.205][Len 256 varlen] %DNS_QUERY DNS query [NFv9 57678][IPFIX 35632.206][Len 2] %DNS_QUERY_ID DNS query transaction Id [NFv9 57679][IPFIX 35632.207][Len 1] %DNS_QUERY_TYPE DNS query type (e.g. 1=A, 2=NS..) [NFv9 57680][IPFIX 35632.208][Len 1] %DNS_RET_CODE DNS return code (e.g. 0=no error) [NFv9 57681][IPFIX 35632.209][Len 1] %DNS_NUM_ANSWERS DNS # of returned answers [NFv9 57824][IPFIX 35632.352][Len 4] %DNS_TTL_ANSWER TTL of the first A record (if any) [NFv9 57870][IPFIX 35632.398][Len 256 varlen] %DNS_RESPONSE DNS response(s)

Plugin SIP Plugin templates: [NFv9 57602][IPFIX 35632.130][Len 96 varlen] %SIP_CALL_ID SIP call-id [NFv9 57603][IPFIX 35632.131][Len 96 varlen] %SIP_CALLING_PARTY SIP Call initiator [NFv9 57604][IPFIX 35632.132][Len 96 varlen] %SIP_CALLED_PARTY SIP Called party [NFv9 57605][IPFIX 35632.133][Len 512] %SIP_RTP_CODECS SIP RTP codecs [NFv9 57606][IPFIX 35632.134][Len 4] %SIP_INVITE_TIME SIP time (epoch) of INVITE [NFv9 57607][IPFIX 35632.135][Len 4] %SIP_TRYING_TIME SIP time (epoch) of Trying [NFv9 57608][IPFIX 35632.136][Len 4] %SIP_RINGING_TIME SIP time (epoch) of RINGING [NFv9 57609][IPFIX 35632.137][Len 4] %SIP_INVITE_OK_TIME SIP time (epoch) of INVITE OK [NFv9 57610][IPFIX 35632.138][Len 4] %SIP_INVITE_FAILURE_TIME SIP time (epoch) of INVITE FAILURE [NFv9 57611][IPFIX 35632.139][Len 4] %SIP_BYE_TIME SIP time (epoch) of BYE [NFv9 57612][IPFIX 35632.140][Len 4] %SIP_BYE_OK_TIME SIP time (epoch) of BYE OK [NFv9 57613][IPFIX 35632.141][Len 4] %SIP_CANCEL_TIME SIP time (epoch) of CANCEL [NFv9 57614][IPFIX 35632.142][Len 4] %SIP_CANCEL_OK_TIME SIP time (epoch) of CANCEL OK [NFv9 57615][IPFIX 35632.143][Len 4] %SIP_RTP_IPV4_SRC_ADDR SIP RTP stream source IP [NFv9 57616][IPFIX 35632.144][Len 2] %SIP_RTP_L4_SRC_PORT SIP RTP stream source port [NFv9 57617][IPFIX 35632.145][Len 4] %SIP_RTP_IPV4_DST_ADDR SIP RTP stream dest IP [NFv9 57618][IPFIX 35632.146][Len 2] %SIP_RTP_L4_DST_PORT SIP RTP stream dest port [NFv9 57619][IPFIX 35632.147][Len 4] %SIP_RESPONSE_CODE SIP failure response code [NFv9 57620][IPFIX 35632.148][Len 4] %SIP_REASON_CAUSE SIP Cancel/Bye/Failure reason cause [NFv9 57788][IPFIX 35632.316][Len 96 varlen] %SIP_UAC SIP user-agent client [NFv9 57789][IPFIX 35632.317][Len 96 varlen] %SIP_UAS SIP user-agent server [NFv9 57834][IPFIX 35632.362][Len 128] %SIP_C_IP SIP C IP adresses [NFv9 57835][IPFIX 35632.363][Len 12 varlen] %SIP_CALL_STATE SIP Call State

Plugin RTP Plugin templates: [NFv9 57909][IPFIX 35632.437][Len 4] %RTP_SSRC RTP Sync Source ID [NFv9 57622][IPFIX 35632.150][Len 4] %RTP_FIRST_SEQ First flow RTP Seq Number [NFv9 57623][IPFIX 35632.151][Len 4] %RTP_FIRST_TS First flow RTP timestamp [NFv9 57624][IPFIX 35632.152][Len 4] %RTP_LAST_SEQ Last flow RTP Seq Number [NFv9 57625][IPFIX 35632.153][Len 4] %RTP_LAST_TS Last flow RTP timestamp [NFv9 57626][IPFIX 35632.154][Len 4] %RTP_IN_JITTER RTP jitter (ms * 1000) [NFv9 57627][IPFIX 35632.155][Len 4] %RTP_OUT_JITTER RTP jitter (ms * 1000) [NFv9 57628][IPFIX 35632.156][Len 4] %RTP_IN_PKT_LOST Packet lost in stream (src->dst) [NFv9 57629][IPFIX 35632.157][Len 4] %RTP_OUT_PKT_LOST Packet lost in stream (dst->src) [NFv9 57902][IPFIX 35632.430][Len 4] %RTP_IN_PKT_DROP Packet discarded by Jitter Buffer (src->dst) [NFv9 57903][IPFIX 35632.431][Len 4] %RTP_OUT_PKT_DROP Packet discarded by Jitter Buffer (dst->src) [NFv9 57633][IPFIX 35632.161][Len 1] %RTP_IN_PAYLOAD_TYPE RTP payload type [NFv9 57630][IPFIX 35632.158][Len 1] %RTP_OUT_PAYLOAD_TYPE RTP payload type [NFv9 57631][IPFIX 35632.159][Len 4] %RTP_IN_MAX_DELTA Max delta (ms*100) between consecutive pkts (src->dst) [NFv9 57632][IPFIX 35632.160][Len 4] %RTP_OUT_MAX_DELTA Max delta (ms*100) between consecutive pkts (dst->src) [NFv9 57820][IPFIX 35632.348][Len 64 varlen] %RTP_SIP_CALL_ID SIP call-id corresponding to this RTP stream [NFv9 57906][IPFIX 35632.434][Len 4] %RTP_MOS RTP pseudo-MOS (value * 100) (average both directions) [NFv9 57842][IPFIX 35632.370][Len 4] %RTP_IN_MOS RTP pseudo-MOS (value * 100) (src->dst) [NFv9 57904][IPFIX 35632.432][Len 4] %RTP_OUT_MOS RTP pseudo-MOS (value * 100) (dst->src) [NFv9 57908][IPFIX 35632.436][Len 4] %RTP_R_FACTOR RTP pseudo-R_FACTOR (value * 100) (average both directions) [NFv9 57843][IPFIX 35632.371][Len 4] %RTP_IN_R_FACTOR RTP pseudo-R_FACTOR (value * 100) (src->dst) [NFv9 57905][IPFIX 35632.433][Len 4] %RTP_OUT_R_FACTOR RTP pseudo-R_FACTOR (value * 100) (dst->src) [NFv9 57853][IPFIX 35632.381][Len 4] %RTP_IN_TRANSIT RTP Transit (value * 100) (src->dst) [NFv9 57854][IPFIX 35632.382][Len 4] %RTP_OUT_TRANSIT RTP Transit (value * 100) (dst->src) [NFv9 57852][IPFIX 35632.380][Len 4] %RTP_RTT RTP Round Trip Time (ms) [NFv9 57867][IPFIX 35632.395][Len 16 varlen] %RTP_DTMF_TONES DTMF tones sent (if any) during the call

Plugin FTP Protocol templates: [NFv9 57828][IPFIX 35632.356][Len 32 varlen] %FTP_LOGIN FTP client login [NFv9 57829][IPFIX 35632.357][Len 32 varlen] %FTP_PASSWORD FTP client password [NFv9 57830][IPFIX 35632.358][Len 64 varlen] %FTP_COMMAND FTP client command [NFv9 57831][IPFIX 35632.359][Len 2] %FTP_COMMAND_RET_CODE FTP client command return code

Plugin SMTP Protocol templates: [NFv9 57657][IPFIX 35632.185][Len 64 varlen] %SMTP_MAIL_FROM Mail sender [NFv9 57658][IPFIX 35632.186][Len 64 varlen] %SMTP_RCPT_TO Mail recipient

Plugin BGP Update Listener templates: [NFv9 57762][IPFIX 35632.290][Len 4] %SRC_AS_PATH_1 Src AS path position 1 [NFv9 57763][IPFIX 35632.291][Len 4] %SRC_AS_PATH_2 Src AS path position 2 [NFv9 57764][IPFIX 35632.292][Len 4] %SRC_AS_PATH_3 Src AS path position 3 [NFv9 57765][IPFIX 35632.293][Len 4] %SRC_AS_PATH_4 Src AS path position 4 [NFv9 57766][IPFIX 35632.294][Len 4] %SRC_AS_PATH_5 Src AS path position 5 [NFv9 57767][IPFIX 35632.295][Len 4] %SRC_AS_PATH_6 Src AS path position 6 [NFv9 57768][IPFIX 35632.296][Len 4] %SRC_AS_PATH_7 Src AS path position 7 [NFv9 57769][IPFIX 35632.297][Len 4] %SRC_AS_PATH_8 Src AS path position 8 [NFv9 57770][IPFIX 35632.298][Len 4] %SRC_AS_PATH_9 Src AS path position 9 [NFv9 57771][IPFIX 35632.299][Len 4] %SRC_AS_PATH_10 Src AS path position 10 [NFv9 57772][IPFIX 35632.300][Len 4] %DST_AS_PATH_1 Dest AS path position 1 [NFv9 57773][IPFIX 35632.301][Len 4] %DST_AS_PATH_2 Dest AS path position 2 [NFv9 57774][IPFIX 35632.302][Len 4] %DST_AS_PATH_3 Dest AS path position 3 [NFv9 57775][IPFIX 35632.303][Len 4] %DST_AS_PATH_4 Dest AS path position 4 [NFv9 57776][IPFIX 35632.304][Len 4] %DST_AS_PATH_5 Dest AS path position 5 [NFv9 57777][IPFIX 35632.305][Len 4] %DST_AS_PATH_6 Dest AS path position 6 [NFv9 57778][IPFIX 35632.306][Len 4] %DST_AS_PATH_7 Dest AS path position 7 [NFv9 57779][IPFIX 35632.307][Len 4] %DST_AS_PATH_8 Dest AS path position 8 [NFv9 57780][IPFIX 35632.308][Len 4] %DST_AS_PATH_9 Dest AS path position 9 [NFv9 57781][IPFIX 35632.309][Len 4] %DST_AS_PATH_10 Dest AS path position 10

Plugin GTPv0 Signaling Protocol templates: [NFv9 57793][IPFIX 35632.321][Len 1] %GTPV0_REQ_MSG_TYPE GTPv0 Request Msg Type [NFv9 57794][IPFIX 35632.322][Len 1] %GTPV0_RSP_MSG_TYPE GTPv0 Response Msg Type [NFv9 57795][IPFIX 35632.323][Len 8] %GTPV0_TID GTPv0 Tunnel Identifier [NFv9 57798][IPFIX 35632.326][Len 64] %GTPV0_APN_NAME GTPv0 APN Name [NFv9 57796][IPFIX 35632.324][Len 4] %GTPV0_END_USER_IP GTPv0 End User IP Address [NFv9 57797][IPFIX 35632.325][Len 16] %GTPV0_END_USER_MSISDN GTPv0 End User MSISDN [NFv9 57799][IPFIX 35632.327][Len 2] %GTPV0_RAI_MCC GTPv0 Mobile Country Code [NFv9 57800][IPFIX 35632.328][Len 2] %GTPV0_RAI_MNC GTPv0 Mobile Network Code [NFv9 57801][IPFIX 35632.329][Len 2] %GTPV0_RAI_CELL_LAC GTPv0 Cell Location Area Code [NFv9 57802][IPFIX 35632.330][Len 2] %GTPV0_RAI_CELL_RAC GTPv0 Cell Routing Area Code [NFv9 57803][IPFIX 35632.331][Len 1] %GTPV0_RESPONSE_CAUSE GTPv0 Cause of Operation

Plugin GTPv1 Signaling Protocol templates: [NFv9 57692][IPFIX 35632.220][Len 1] %GTPV1_REQ_MSG_TYPE GTPv1 Request Msg Type [NFv9 57693][IPFIX 35632.221][Len 1] %GTPV1_RSP_MSG_TYPE GTPv1 Response Msg Type [NFv9 57694][IPFIX 35632.222][Len 4] %GTPV1_C2S_TEID_DATA GTPv1 Client->Server TunnelId Data [NFv9 57695][IPFIX 35632.223][Len 4] %GTPV1_C2S_TEID_CTRL GTPv1 Client->Server TunnelId Control [NFv9 57696][IPFIX 35632.224][Len 4] %GTPV1_S2C_TEID_DATA GTPv1 Server->Client TunnelId Data [NFv9 57697][IPFIX 35632.225][Len 4] %GTPV1_S2C_TEID_CTRL GTPv1 Server->Client TunnelId Control [NFv9 57698][IPFIX 35632.226][Len 4] %GTPV1_END_USER_IPV4 GTPv1 End User IP Address [NFv9 57699][IPFIX 35632.227][Len 16] %GTPV1_END_USER_IMSI GTPv1 End User IMSI [NFv9 57700][IPFIX 35632.228][Len 16] %GTPV1_END_USER_MSISDN GTPv1 End User MSISDN [NFv9 57701][IPFIX 35632.229][Len 16] %GTPV1_END_USER_IMEI GTPv1 End User IMEI [NFv9 57702][IPFIX 35632.230][Len 64] %GTPV1_APN_NAME GTPv1 APN Name [NFv9 57708][IPFIX 35632.236][Len 1] %GTPV1_RAT_TYPE GTPv1 RAT Type [NFv9 57703][IPFIX 35632.231][Len 2] %GTPV1_RAI_MCC GTPv1 RAI Mobile Country Code [NFv9 57704][IPFIX 35632.232][Len 2] %GTPV1_RAI_MNC GTPv1 RAI Mobile Network Code [NFv9 57814][IPFIX 35632.342][Len 2] %GTPV1_RAI_LAC GTPv1 RAI Location Area Code [NFv9 57815][IPFIX 35632.343][Len 1] %GTPV1_RAI_RAC GTPv1 RAI Routing Area Code [NFv9 57816][IPFIX 35632.344][Len 2] %GTPV1_ULI_MCC GTPv1 ULI Mobile Country Code [NFv9 57817][IPFIX 35632.345][Len 2] %GTPV1_ULI_MNC GTPv1 ULI Mobile Network Code [NFv9 57705][IPFIX 35632.233][Len 2] %GTPV1_ULI_CELL_LAC GTPv1 ULI Cell Location Area Code [NFv9 57706][IPFIX 35632.234][Len 2] %GTPV1_ULI_CELL_CI GTPv1 ULI Cell CI [NFv9 57707][IPFIX 35632.235][Len 2] %GTPV1_ULI_SAC GTPv1 ULI SAC [NFv9 57804][IPFIX 35632.332][Len 1] %GTPV1_RESPONSE_CAUSE GTPv1 Cause of Operation

Plugin GTPv2 Signaling Protocol templates: [NFv9 57742][IPFIX 35632.270][Len 1] %GTPV2_REQ_MSG_TYPE GTPv2 Request Msg Type [NFv9 57743][IPFIX 35632.271][Len 1] %GTPV2_RSP_MSG_TYPE GTPv2 Response Msg Type [NFv9 57744][IPFIX 35632.272][Len 4] %GTPV2_C2S_S1U_GTPU_TEID GTPv2 Client->Svr S1U GTPU TEID [NFv9 57745][IPFIX 35632.273][Len 4] %GTPV2_C2S_S1U_GTPU_IP GTPv2 Client->Svr S1U GTPU IP [NFv9 57746][IPFIX 35632.274][Len 4] %GTPV2_S2C_S1U_GTPU_TEID GTPv2 Srv->Client S1U GTPU TEID [NFv9 57907][IPFIX 35632.435][Len 17] %GTPV2_S5_S8_GTPC_TEID GTPv2 S5/S8 SGW GTPC TEIDs [NFv9 57747][IPFIX 35632.275][Len 4] %GTPV2_S2C_S1U_GTPU_IP GTPv2 Srv->Client S1U GTPU IP [NFv9 57911][IPFIX 35632.439][Len 4] %GTPV2_C2S_S5_S8_GTPU_TEID GTPv2 Client->Srv S5/S8 PGW GTPU TEID [NFv9 57912][IPFIX 35632.440][Len 4] %GTPV2_S2C_S5_S8_GTPU_TEID GTPv2 Srv->Client S5/S8 PGW GTPU TEID [NFv9 57913][IPFIX 35632.441][Len 4] %GTPV2_C2S_S5_S8_GTPU_IP GTPv2 Client->Srv S5/S8 PGW GTPU IP [NFv9 57914][IPFIX 35632.442][Len 4] %GTPV2_S2C_S5_S8_GTPU_IP GTPv2 Srv->Client S5/S8 PGW GTPU IP [NFv9 57748][IPFIX 35632.276][Len 16] %GTPV2_END_USER_IMSI GTPv2 End User IMSI [NFv9 57749][IPFIX 35632.277][Len 16] %GTPV2_END_USER_MSISDN GTPv2 End User MSISDN [NFv9 57750][IPFIX 35632.278][Len 64] %GTPV2_APN_NAME GTPv2 APN Name [NFv9 57751][IPFIX 35632.279][Len 2] %GTPV2_ULI_MCC GTPv2 Mobile Country Code [NFv9 57752][IPFIX 35632.280][Len 2] %GTPV2_ULI_MNC GTPv2 Mobile Network Code [NFv9 57753][IPFIX 35632.281][Len 2] %GTPV2_ULI_CELL_TAC GTPv2 Tracking Area Code [NFv9 57754][IPFIX 35632.282][Len 4] %GTPV2_ULI_CELL_ID GTPv2 Cell Identifier [NFv9 57805][IPFIX 35632.333][Len 1] %GTPV2_RESPONSE_CAUSE GTPv2 Cause of Operation [NFv9 57755][IPFIX 35632.283][Len 1] %GTPV2_RAT_TYPE GTPv2 RAT Type [NFv9 57756][IPFIX 35632.284][Len 4] %GTPV2_PDN_IP GTPV2 PDN IP Address [NFv9 57757][IPFIX 35632.285][Len 16] %GTPV2_END_USER_IMEI GTPv2 End User IMEI [NFv9 57926][IPFIX 35632.454][Len 4] %GTPV2_C2S_S5_S8_GTPC_IP GTPv2 Client->Svr S5/S8 GTPC IP [NFv9 57927][IPFIX 35632.455][Len 4] %GTPV2_S2C_S5_S8_GTPC_IP GTPv2 Svr->Client S5/S8 GTPC IP [NFv9 57928][IPFIX 35632.456][Len 4] %GTPV2_C2S_S5_S8_SGW_GTPU_TEID GTPv2 Client->Srv S5/S8 SGW GTPU TEID [NFv9 57929][IPFIX 35632.457][Len 4] %GTPV2_S2C_S5_S8_SGW_GTPU_TEID GTPv2 Srv->Client S5/S8 SGW GTPU TEID [NFv9 57930][IPFIX 35632.458][Len 4] %GTPV2_C2S_S5_S8_SGW_GTPU_IP GTPv2 Client->Srv S5/S8 SGW GTPU IP [NFv9 57931][IPFIX 35632.459][Len 4] %GTPV2_S2C_S5_S8_SGW_GTPU_IP GTPv2 Srv->Client S5/S8 SGW GTPU IP

Plugin Radius Protocol templates: [NFv9 57712][IPFIX 35632.240][Len 1] %RADIUS_REQ_MSG_TYPE RADIUS Request Msg Type [NFv9 57713][IPFIX 35632.241][Len 1] %RADIUS_RSP_MSG_TYPE RADIUS Response Msg Type [NFv9 57714][IPFIX 35632.242][Len 32 varlen] %RADIUS_USER_NAME RADIUS User Name (Access Only) [NFv9 57715][IPFIX 35632.243][Len 32 varlen] %RADIUS_CALLING_STATION_ID RADIUS Calling Station Id [NFv9 57716][IPFIX 35632.244][Len 32 varlen] %RADIUS_CALLED_STATION_ID RADIUS Called Station Id [NFv9 57717][IPFIX 35632.245][Len 4] %RADIUS_NAS_IP_ADDR RADIUS NAS IP Address [NFv9 57718][IPFIX 35632.246][Len 24 varlen] %RADIUS_NAS_IDENTIFIER RADIUS NAS Identifier [NFv9 57719][IPFIX 35632.247][Len 16] %RADIUS_USER_IMSI RADIUS User IMSI (Extension) [NFv9 57720][IPFIX 35632.248][Len 16] %RADIUS_USER_IMEI RADIUS User MSISDN (Extension) [NFv9 57721][IPFIX 35632.249][Len 4] %RADIUS_FRAMED_IP_ADDR RADIUS Framed IP [NFv9 57722][IPFIX 35632.250][Len 24 varlen] %RADIUS_ACCT_SESSION_ID RADIUS Accounting Session Name [NFv9 57723][IPFIX 35632.251][Len 1] %RADIUS_ACCT_STATUS_TYPE RADIUS Accounting Status Type [NFv9 57724][IPFIX 35632.252][Len 4] %RADIUS_ACCT_IN_OCTETS RADIUS Accounting Input Octets [NFv9 57725][IPFIX 35632.253][Len 4] %RADIUS_ACCT_OUT_OCTETS RADIUS Accounting Output Octets [NFv9 57726][IPFIX 35632.254][Len 4] %RADIUS_ACCT_IN_PKTS RADIUS Accounting Input Packets [NFv9 57727][IPFIX 35632.255][Len 4] %RADIUS_ACCT_OUT_PKTS RADIUS Accounting Output Packets

Plugin Diameter Protocol templates: [NFv9 57871][IPFIX 35632.399][Len 4] %DIAMETER_REQ_MSG_TYPE DIAMETER Request Msg Type [NFv9 57872][IPFIX 35632.400][Len 4] %DIAMETER_RSP_MSG_TYPE DIAMETER Response Msg Type [NFv9 57873][IPFIX 35632.401][Len 64 varlen] %DIAMETER_REQ_ORIGIN_HOST DIAMETER Origin Host Request [NFv9 57874][IPFIX 35632.402][Len 64 varlen] %DIAMETER_RSP_ORIGIN_HOST DIAMETER Origin Host Response [NFv9 57875][IPFIX 35632.403][Len 64 varlen] %DIAMETER_REQ_USER_NAME DIAMETER Request User Name [NFv9 57876][IPFIX 35632.404][Len 4] %DIAMETER_RSP_RESULT_CODE DIAMETER Response Result Code [NFv9 57877][IPFIX 35632.405][Len 4] %DIAMETER_EXP_RES_VENDOR_ID DIAMETER Response Experimental Result Vendor Id [NFv9 57878][IPFIX 35632.406][Len 4] %DIAMETER_EXP_RES_RESULT_CODE DIAMETER Response Experimental Result Code [NFv9 57917][IPFIX 35632.445][Len 4] %DIAMETER_HOP_BY_HOP_ID DIAMETER Hop by Hop Identifier [NFv9 57924][IPFIX 35632.452][Len 4] %DIAMETER_CLR_CANCEL_TYPE DIAMETER Cancellation Type [NFv9 57925][IPFIX 35632.453][Len 4] %DIAMETER_CLR_FLAGS DIAMETER CLR Flags [NFv9 57733][IPFIX 35632.261][Len 4] %DIAMETER_FRAMED_IP_ADDR DIAMETER Framed IP [NFv9 57734][IPFIX 35632.262][Len 4] %DIAMETER_SERVED_IP_ADDR DIAMETER Served IP [NFv9 57740][IPFIX 35632.268][Len 4] %DIAMETER_PDP_ADDR DIAMETER PDP ADRRESS IP [NFv9 57735][IPFIX 35632.263][Len 32 varlen] %DIAMETER_CALLING_STATION_ID DIAMETER Calling Station Id [NFv9 57736][IPFIX 35632.264][Len 32 varlen] %DIAMETER_CALLED_STATION_ID DIAMETER Called Station Id [NFv9 57737][IPFIX 35632.265][Len 64 varlen] %DIAMETER_SUBSCRIPTION_ID DIAMETER Subscription Id [NFv9 57738][IPFIX 35632.266][Len 64 varlen] %DIAMETER_CALLING_PARTY_ADDRESS DIAMETER Calling Party Address [NFv9 57739][IPFIX 35632.267][Len 64 varlen] %DIAMETER_CALLED_PARTY_ADDRESS DIAMETER Called Party Address

Plugin NETBIOS Protocol templates: [NFv9 57936][IPFIX 35632.464][Len 48 varlen] %NETBIOS_QUERY_NAME NETBIOS Query Name [NFv9 57937][IPFIX 35632.465][Len 64 varlen] %NETBIOS_QUERY_TYPE NETBIOS Query Type [NFv9 57938][IPFIX 35632.466][Len 64 varlen] %NETBIOS_RESPONSE NETBIOS Query Response [NFv9 57939][IPFIX 35632.467][Len 24 varlen] %NETBIOS_QUERY_OS NETBIOS Query OS

Plugin SSDP Protocol templates: [NFv9 57934][IPFIX 35632.462][Len 48 varlen] %SSDP_HOST SSDP Host [NFv9 57935][IPFIX 35632.463][Len 64 varlen] %SSDP_USN SSDP USN [NFv9 57940][IPFIX 35632.468][Len 64 varlen] %SSDP_SERVER SSDP Server [NFv9 57941][IPFIX 35632.469][Len 64 varlen] %SSDP_TYPE SSDP Type [NFv9 57942][IPFIX 35632.470][Len 8 varlen] %SSDP_METHOD SSDP Method

Plugin DHCP Protocol templates: [NFv9 57825][IPFIX 35632.353][Len 6] %DHCP_CLIENT_MAC MAC of the DHCP client [NFv9 57826][IPFIX 35632.354][Len 4] %DHCP_CLIENT_IP DHCP assigned client IPv4 address [NFv9 57827][IPFIX 35632.355][Len 64 varlen] %DHCP_CLIENT_NAME DHCP client name [NFv9 57895][IPFIX 35632.423][Len 32 varlen] %DHCP_REMOTE_ID DHCP agent remote Id [NFv9 57896][IPFIX 35632.424][Len 48 varlen] %DHCP_SUBSCRIBER_ID DHCP subscribed Id [NFv9 57901][IPFIX 35632.429][Len 1] %DHCP_MESSAGE_TYPE DHCP message type

Plugin IMAP Protocol templates: [NFv9 57732][IPFIX 35632.260][Len 64 varlen] %IMAP_LOGIN Mail sender

Plugin POP3 Protocol templates: [NFv9 57682][IPFIX 35632.210][Len 64 varlen] %POP_USER POP3 user login

Plugin MySQL Plugin templates: [NFv9 57667][IPFIX 35632.195][Len 16] %MYSQL_SERVER_VERSION MySQL server version [NFv9 57668][IPFIX 35632.196][Len 16] %MYSQL_USERNAME MySQL username [NFv9 57669][IPFIX 35632.197][Len 64] %MYSQL_DB MySQL database in use [NFv9 57670][IPFIX 35632.198][Len 128 varlen] %MYSQL_QUERY MySQL Query [NFv9 57671][IPFIX 35632.199][Len 2] %MYSQL_RESPONSE MySQL server response [NFv9 57792][IPFIX 35632.320][Len 4] %MYSQL_APPL_LATENCY_USEC MySQL request->response latecy (usec)

Major protocol (%L7_PROTO) symbolic mapping 0…251:
Id Protocol Layer_4 Breed Category
0 Unknown TCP Unrated Unspecified 1 FTP_CONTROL TCP Unsafe Download-FileTransfer-FileSharing 2 POP3 TCP Unsafe Email 3 SMTP TCP Acceptable Email 4 IMAP TCP Unsafe Email 5 DNS TCP/UDP Acceptable Network 6 IPP TCP/UDP Acceptable System 7 HTTP TCP Acceptable Web 8 MDNS UDP Acceptable Network 9 NTP UDP Acceptable System

10 NetBIOS TCP/UDP Acceptable System 11 NFS TCP/UDP Acceptable DataTransfer 12 SSDP UDP Acceptable System 13 BGP TCP Acceptable Network 14 SNMP UDP Acceptable Network 15 XDMCP TCP/UDP Acceptable RemoteAccess 16 SMBv1 TCP Dangerous System 17 Syslog TCP/UDP Acceptable System 18 DHCP UDP Acceptable Network 19 PostgreSQL TCP Acceptable Database 20 MySQL TCP Acceptable Database 21 Hotmail TCP Acceptable Email 22 Direct_Download_Link TCP Potentially Dangerous Download-FileTransfer-FileSharing 23 POPS TCP Safe Email 24 AppleJuice TCP Potentially Dangerous Download-FileTransfer-FileSharing 25 DirectConnect TCP/UDP Potentially Dangerous Download-FileTransfer-FileSharing 26 ntop TCP Safe Network 27 COAP UDP Safe RPC 28 VMware UDP Acceptable RemoteAccess 29 SMTPS TCP Safe Email 30 FacebookZero TCP Safe SocialNetwork 31 UBNTAC2 UDP Safe Network 32 Kontiki UDP Potentially Dangerous Media 33 OpenFT TCP Potentially Dangerous Download-FileTransfer-FileSharing 34 FastTrack TCP Potentially Dangerous Download-FileTransfer-FileSharing 35 Gnutella TCP/UDP Potentially Dangerous Download-FileTransfer-FileSharing 36 eDonkey TCP/UDP Unsafe Download-FileTransfer-FileSharing 37 BitTorrent TCP/UDP Unsafe Download-FileTransfer-FileSharing 38 SkypeCall TCP Acceptable VoIP 39 Signal TCP Fun Chat 40 Memcached TCP/UDP Acceptable Network 41 SMBv23 TCP Acceptable System 42 Mining UDP Unsafe Mining 43 NestLogSink TCP Acceptable Cloud 44 Modbus TCP Acceptable Network 45 WhatsAppCall TCP Acceptable VoIP 46 DataSaver TCP Fun Web 47 Xbox UDP Fun Game 48 QQ UDP Fun Chat 49 TikTok TCP Fun SocialNetwork 50 RTSP TCP/UDP Fun Media 51 IMAPS TCP Safe Email 52 IceCast TCP Fun Media 53 PPLive UDP Fun Media 54 PPStream TCP/UDP Fun Video 55 Zattoo TCP/UDP Fun Video 56 ShoutCast TCP Fun Music 57 Sopcast TCP/UDP Fun Video 58 Tvants TCP/UDP Fun Video 59 TVUplayer TCP/UDP Fun Video 60 HTTP_Download TCP Acceptable Download-FileTransfer-FileSharing 61 QQLive TCP Fun Video 62 Thunder TCP/UDP Fun Download-FileTransfer-FileSharing 63 Soulseek TCP Fun Download-FileTransfer-FileSharing 64 PS_VUE TCP Acceptable Video 65 IRC TCP Unsafe Chat 66 Ayiya UDP Acceptable Network 67 Unencrypted_Jabber TCP/UDP Acceptable Web 68 Nats TCP Acceptable RPC 69 Oscar TCP/UDP Acceptable Chat 70 Yahoo TCP/UDP Safe Web 71 BattleField UDP Fun Game 72 GooglePlus TCP Fun SocialNetwork 73 VRRP TCP Acceptable Network 74 Steam TCP/UDP Fun Game 75 HalfLife2 UDP Fun Game 76 WorldOfWarcraft TCP Fun Game 77 Telnet TCP Unsafe RemoteAccess 78 STUN TCP/UDP Acceptable Network 79 IPsec Safe VPN 80 GRE Acceptable Network 81 ICMP Acceptable Network 82 IGMP Acceptable Network 83 EGP Acceptable Network 84 SCTP Acceptable Network 85 OSPF Acceptable Network 86 IP_in_IP Acceptable Network 87 RTP UDP Acceptable Media 88 RDP TCP Acceptable RemoteAccess 89 VNC TCP Acceptable RemoteAccess 90 PcAnywhere TCP/UDP Acceptable RemoteAccess 91 TLS UDP Safe Web 92 SSH TCP Acceptable RemoteAccess 93 Usenet TCP Acceptable Web 94 MGCP UDP Acceptable VoIP 95 IAX UDP Acceptable VoIP 96 TFTP UDP Acceptable DataTransfer 97 AFP TCP Acceptable DataTransfer 98 Stealthnet TCP Potentially Dangerous Download-FileTransfer-FileSharing 99 Aimini TCP/UDP Fun Download-FileTransfer-FileSharing

100 SIP TCP/UDP Acceptable VoIP 101 TruPhone TCP Acceptable VoIP 102 ICMPV6 Acceptable Network 103 DHCPV6 UDP Acceptable Network 104 Armagetron UDP Fun Game 105 Crossfire TCP/UDP Fun RPC 106 Dofus TCP Fun Game 107 Fiesta TCP Fun Game 108 Florensia TCP/UDP Fun Game 109 Guildwars TCP Fun Game 110 HTTP_ActiveSync TCP Acceptable Cloud 111 Kerberos TCP/UDP Acceptable Network 112 LDAP TCP/UDP Acceptable System 113 MapleStory TCP Fun Game 114 MsSQL-TDS TCP Acceptable Database 115 PPTP TCP Acceptable VPN 116 Warcraft3 TCP/UDP Fun Game 117 WorldOfKungFu TCP Fun Game 118 Slack TCP Acceptable Collaborative 119 Facebook TCP Fun SocialNetwork 120 Twitter TCP Fun SocialNetwork 121 Dropbox UDP Acceptable Cloud 122 GMail TCP Acceptable Email 123 GoogleMaps TCP Safe Web 124 YouTube TCP Fun Media 125 Skype TCP/UDP Acceptable VoIP 126 Google TCP Unrated Web 127 DCE_RPC TCP Acceptable RPC 128 NetFlow UDP Acceptable Network 129 sFlow UDP Acceptable Network 130 HTTP_Connect TCP Acceptable Web 131 HTTP_Proxy TCP Acceptable Web 132 Citrix TCP Acceptable Network 133 NetFlix TCP Fun Video 134 LastFM TCP Fun Music 135 Waze TCP Acceptable Web 136 YouTubeUpload TCP Fun Media 137 Hulu TCP Fun Streaming 138 CHECKMK TCP Acceptable DataTransfer 139 AJP TCP Acceptable Web 140 Apple TCP Safe Web 141 Webex TCP Acceptable VoIP 142 WhatsApp TCP Acceptable Chat 143 AppleiCloud TCP Acceptable Web 144 Viber UDP Acceptable VoIP 145 AppleiTunes TCP Fun Streaming 146 Radius UDP Acceptable Network 147 WindowsUpdate TCP Safe SoftwareUpdate 148 TeamViewer TCP/UDP Acceptable RemoteAccess 149 Tuenti TCP Acceptable VoIP 150 LotusNotes TCP Acceptable Collaborative 151 SAP TCP Acceptable Network 152 GTP UDP Acceptable Network 153 UPnP UDP Acceptable Network 154 LLMNR TCP Acceptable Network 155 RemoteScan TCP Potentially Dangerous Network 156 Spotify TCP/UDP Acceptable Music 157 Messenger TCP Acceptable VoIP 158 H323 TCP/UDP Acceptable VoIP 159 OpenVPN TCP/UDP Acceptable VPN 160 NOE TCP/UDP Acceptable VoIP 161 CiscoVPN TCP/UDP Acceptable VPN 162 TeamSpeak TCP/UDP Acceptable VoIP 163 Tor TCP Potentially Dangerous VPN 164 CiscoSkinny TCP Acceptable VoIP 165 RTCP TCP/UDP Acceptable VoIP 166 RSYNC TCP Acceptable DataTransfer 167 Oracle TCP Acceptable Database 168 Corba TCP Acceptable RPC 169 UbuntuONE TCP Acceptable Cloud 170 Whois-DAS TCP Acceptable Network 171 Collectd TCP Acceptable System 172 SOCKS TCP Acceptable Web 173 Nintendo UDP Fun Game 174 RTMP TCP Acceptable Media 175 FTP_DATA TCP Acceptable Download-FileTransfer-FileSharing 176 Wikipedia TCP Safe Web 177 ZeroMQ TCP Acceptable RPC 178 Amazon TCP Acceptable Web 179 eBay TCP Safe Shopping 180 CNN TCP Safe Web 181 Megaco UDP Acceptable VoIP 182 Redis TCP Acceptable Database 183 Pando_Media_Booster TCP/UDP Fun Web 184 VHUA UDP Fun VoIP 185 Telegram TCP/UDP Acceptable Chat 186 Vevo TCP Fun Music 187 Pandora TCP Fun Streaming 188 QUIC UDP Acceptable Web 189 Zoom TCP Acceptable Video 190 EAQ UDP Acceptable Network 191 Ookla TCP Safe Network 192 AMQP TCP Acceptable RPC 193 KakaoTalk TCP Acceptable Chat 194 KakaoTalk_Voice UDP Acceptable VoIP 195 Twitch TCP Fun Video 196 DoH_DoT TCP Fun Network 197 WeChat TCP Fun Chat 198 MPEG_TS UDP Fun Media 199 Snapchat TCP Fun SocialNetwork 200 Sina(Weibo) TCP Fun SocialNetwork 201 GoogleHangoutDuo TCP/UDP Acceptable VoIP 202 IFLIX TCP Fun Video 203 Github TCP Acceptable Collaborative 204 BJNP UDP Acceptable System 205 FREE_205 TCP Fun VoIP 206 WireGuard UDP Acceptable VPN 207 SMPP TCP Acceptable Download-FileTransfer-FileSharing 208 DNScrypt TCP Safe Network 209 TINC TCP/UDP Acceptable VPN 210 Deezer TCP Fun Music 211 Instagram TCP Fun SocialNetwork 212 Microsoft TCP Safe Cloud 213 Starcraft TCP/UDP Fun Game 214 Teredo UDP Acceptable Network 215 HotspotShield TCP Potentially Dangerous VPN 216 IMO UDP Acceptable VoIP 217 GoogleDrive TCP Acceptable Cloud 218 OCS TCP Fun Media 219 Microsoft365 TCP Acceptable Collaborative 220 Cloudflare TCP Acceptable Web 221 MS_OneDrive TCP Acceptable Cloud 222 MQTT TCP Acceptable RPC 223 RX UDP Acceptable RPC 224 AppleStore TCP Safe SoftwareUpdate 225 OpenDNS TCP Acceptable Web 226 Git TCP Safe Collaborative 227 DRDA TCP Acceptable Database 228 PlayStore TCP Safe SoftwareUpdate 229 SOMEIP TCP/UDP Acceptable RPC 230 FIX TCP Safe RPC 231 Playstation TCP Fun Game 232 Pastebin TCP Potentially Dangerous Download-FileTransfer-FileSharing 233 LinkedIn TCP Fun SocialNetwork 234 SoundCloud TCP Fun Music 235 CSGO UDP Fun Game 236 LISP UDP Acceptable Cloud 237 Diameter UDP Acceptable Network 238 ApplePush TCP Acceptable Cloud 239 GoogleServices TCP Acceptable Web 240 AmazonVideo TCP/UDP Acceptable Cloud 241 GoogleDocs TCP Acceptable Collaborative 242 WhatsAppFiles TCP Acceptable Download-FileTransfer-FileSharing 243 Targus Dataspeed TCP/UDP Acceptable Network 244 DNP3 TCP Acceptable Network 245 IEC60870 TCP Acceptable Network 246 Bloomberg TCP Acceptable Network 247 CAPWAP UDP Acceptable Network 248 Zabbix TCP Acceptable Network 249 s7comm TCP Acceptable Network 250 Teams TCP Safe Collaborative 251 WebSocket TCP Acceptable Web

The default template (if -T is omitted) is: %IPV4_SRC_ADDR %IPV4_DST_ADDR %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL %SRC_TOS %SRC_AS %DST_AS

Usage examples: 1. Capture packets on eth0, and export them towards collector running at 192.168.2.25:2055

nprobe -i eth0 -n 192.168.2.25:2055
  1. Collect flows on port 9995 and export them in IPFIX format towards collector running at 192.168.2.25:2055 nprobe -i none -3 9995 -V 10 -n 192.168.2.25:2055
  2. Capture packets on eth0, and export them towards ntopng running on local host nprobe -i eth0 -n none -T “@NTOPNG@” –zmq tcp://127.0.0.1:1234
[on 192.168.2.25] ntopng -itcp://127.0.01:1234

Some of the most important parameters are briefly discussed here.

-n: collector addresses

This specifies the NetFlow collectors addresses to which nProbe will send the flows. If more than one is specified, they need to be separated with a comma or the –n flag can be repeated several times (e.g. -n 172.22.3.4:33,172.22.3.4:34 and -n 172.22.3.4:33 –n 172.22.3.4:34 are equivalent). When multiple collectors are defined, you can control the way flows are exported using the –a option (see below); if on a collector address the destination port is omitted, flows are sent to 2055 port and whereas if all the option is not specified, by default, flows are sent to the loop back interface (127.0.0.1) on port 2055. If this parameter is used, nProbe exports flows towards collector running at 127.0.0.1:2055. By default the UDP protocol is used but also TCP and SCTP (Linux only when nProbe is compiled with SCTP support and the kernel supports it). In this case you can specify the collector address as udp://<host>:<port>, tcp://<host>:<port>, and sctp://<host>:<port>,

-i: interface name

It specifies the interface from which packets are captured. If -i is not used, nProbe will use the default interface (if any). In case a user needs to activate nProbe on two different interfaces, then he/she needs to activate multiple nProbe instances once per interface. For debugging purposes it is possible to pass nProbe a .pcap file from which packets will be read. If nProbe is compiled and activated with PF_RING support, you can specify multiple interfaces from which packets are captured. For example, “-i eth0,eth1”, will merge packets received on eth0 and eth1 into a single traffic stream. This configuration is particularly useful when merging the two directions (TX and RX) of a network TAP.

-t: maximum flow lifetime

Regardless of the flow duration, a flow that has been active for more that the specified maximum lifetime is considered expired and it will be emitted. Further packets belonging to the same flow will be accounted on a new flow.

-d: maximum flow idle lifetime

A flow is over when the last packet received is older that the maximum flow idle lifetime. This means that whenever applicable, (e.g. SNMP walk) UDP flows will not be accounted on 1 packet/1 flow basis, but on one global flow that accounts all the traffic. This has a benefit on the total number of generated flows and on the overall collector performance.

-l: maximum queue timeout It specifies the maximum amount of time that a flow can be queued waiting to be exported. Use this option in order to try to pack several flows into fewer packets, but at the same time have an upper bound timeout for queuing flows into the probe.

-s:  snaplen

This flag specifies the portion of the packet (also called snaplen) that will be captured by nProbe. By default nprobe sets the snaplen automatically according to its configuration, but you can override its value using thia flag.

-p: <VLAN Id>/<proto>/<IP>/<port>/<TOS>/<SCTP StreamId>/<exporter IP>

Flows can be aggregated both at collector and probe side. However probe allocation is much more effective as it reduces significantly the number of emitted flows hence the work that the collector has to carry on. nProbe supports various aggregation levels that can be selected specifying with the -p flag. The aggregation format is <VLAN Id>/<proto>/<IP>/<port>/<TOS>/<SCTP StreamId>/<exporter IP> where each option can be set to 0 (ignore) or 1 (take care). Ignored fields are set to a null value when doing the aggregation as well as when doing the export. For example setting the <exporter IP> to 0 (ignore) will consider all the incoming flows as if they were coming from the same null exporter that will be output in %EXPORTER_IPV4_ADDRESS as 0.0.0.0. By default no aggregation is performed. For the sake of example, the value 0/0/1/0/0/0/0 can be used to create a map of who’s talking to who (network conversation matrix).

-f: packet capture filter

This BPF filter (see the appendix for further information about BPF filters) allows nProbe to take into account only those packets that match the filter (if specified).

-a: select flow export policy

When multiple collectors are defined (see –n option), nProbe sends them flows in round robin. However it is possible to send the same flow to all collectors as a flow redirector does if the –a option is used.

-b: enable verbose logging

Using this flag, nProbe generates verbose output that can be used to tune its performance (see chapter 2.4). Zero is the lowest level (little information is printed), 1 displays traffic statistics, 2 is really verbose. Example of traffic statistics:

04/Jul/2007 18:16:00 [nprobe.c:1129] Average traffic: [1.7 pkt/sec][1 Kb/sec]
04/Jul/2007 18:16:00 [nprobe.c:1134] Current traffic: [1.9 pkt/sec][1 Kb/sec]
04/Jul/2007 18:16:00 [nprobe.c:1140] Current flow export rate: [0.9 flows/sec]
04/Jul/2007 18:16:00 [nprobe.c:1144] Buckets: [active=13][allocated=21][free=8][toBeExported=0][frags=0]
04/Jul/2007 18:16:00 [nprobe.c:1149] Fragment queue: [len=0]
04/Jul/2007 18:16:00 [nprobe.c:1153] Num Packets: 111 (max bucket search: 0)
04/Jul/2007 18:16:00 [nprobe.c:1170] 115 pkts rcvd/0 pkts dropped

-G: start nprobe as a daemon.

Useful when starting nprobe as daemon.

-O: set the number of threads that fetch packets out of the network interface.

In general: the more threads are available, the better is the performance. However it is not suggested to have too many threads as in some platforms this can slow down the probe. Start with 1 and increase it if necessary. We suggest to run nprobe as single threaded application and distribute the traffic across multiple probes using PF_RING (e.g. PF_RING cluster or libzero). In fact adding threads you will end up spending a lot of time on synchronization without improving the performance. Please refer to this post http://www.ntop.org/nprobe/10-gbit-line-rate-netflow-traffic-analysis-using-nprobe-and-dna/ for more information.

-P: dump flows

This path specifies the directory where flows will be dumped. The dump format is text and it depends on the nProbe template specified with -T.

-F

It specifies the frequency at which files are dumped on disk

  • D: dump flows format

    Flows stored on disks can be stored in two formats: text with user-specified format or SQLite format (availability depends on the platform and if nProbe has been compiled with it). Using flow SQLite format (-D d) can significantly reduce the size of stored files, although all the collectors might not support this format. Text flows (-D t) are the safest setting if you want to use a standard collector able to read flows dump on disk. You can also export core flow fields (-D B) in binary format for post-processing by binary applications. Note that this flag has no effect unless –P is used.

-u: input device index

The NetFlow specification contains a numeric index in order to identify flows coming from different interfaces of the same probe. As multiple nProbe instances can be started on the same host but on different devices, the collector can use this flag to divide flows according to the interface number. If –u is not used, then nprobe will use 0 as interface index. Alternatively, if -1 is used then the last two bytes of the mac address of the flow sender are used as index.

-Q: output device index

Similar to –u but for the output interface.

--vlanid-as-iface-idx <mode: inner | outer | single | double>

nProbe can use the VLAN tag as interface identifier. Using this flag you enable this feature. As VLAN tags can be stacked you need to specify if the inner or outer tag will be used for the interface identifier.

--discard-unknown-flows <mode:0 | 1 | 2>

nProbe includes nDPI support for analyzing packet contents in order to detect application protocol. The mode value can be used to:

  • 0: Export all know (i.e. those whose application protocol has been detected) and unknown (i.e. the application protocol is unknown)
  • 1: Export only know flows, discarding unknown flows.
  • 2: Export only unknown flows, discarding known flows.

-v: print version

This flag is used to print the nProbe version number and date.

-C: flow export lock

This is a simple way to implement high-availability. Start two probes capturing the same data. The master probe emit flows, the slave probe is started with –C <path>. As long as <path> exists, the slave works but no flow is emitted. If the <path> file is deleted (e.g. using an external program for controlling the master/slave such as heartbeat) the slave starts emitting flows. If the file is restored, the slave is silent again.

-h: print help

Prints the nProbe help.

--dont-nest-dump-dirs

nProbe dumps data on disk (e.g. with -P) using a nested directory. In essence the base directory will be partitioned in sub-directories with <year>/<month>/<day>/<hour>/<min> structure. use this option is you want nProbe to dump all data in the base directory without creating this nested directory tree.

-I: log to syslog <probe name>

nProbe logs on stdout unless the –g flag (see above) is used. If the syslog needs to be used instead of a file, this flag instruments nProbe to log on it using the specified name (this is useful when multiple nProbe instances are active on the same host). Please note that –g is ignored if –I is used, and this option is not available on nProbe for Win32.

-w: size of the hash that stores the flows

The default size is 131072 and it should be enough for most of networks. In case flows are not emitted often and with strong traffic conditions it would be necessary to increase the hash. See later in this manual for knowing more about nProbe tuning.

-W: Discard IPv6 traffic

Use this flag if you want nProbe not to account IPv6 traffic.

-e: flow export delay

Some collectors cannot keep up with nProbe export speed. This flag allows flows to be slow down by adding a short delay (specified in ms) between two consecutive exports. The maximum allowed delay is 1000 ms.

-B: packet count delay

It specified how many flow packets need to be sent before –e is applied,

-z: <TCP[:UDP[:O]]>

Peer-to-peer applications, attacks or misconfigured applications often generate a lot of tiny flows that can cause significant load on the collector side. As most collector setups often discarded those flows, it is possible to instrument nProbe via the –z flag not to emit such flows.

-M: maximum number of active flows

It is used to limit the maximum number of concurrent flows that the probe can sustain. This is useful for preventing the probe from creating as many flows as needed and hence to take over all the available resources.

-E: netflow engine

Specify the netflow engineType:engineId into the generated flows.

-m: minimum number of flows per packet

In order to minimize the number of emitted packets containing flows, it is possible to specify the minimum number of flows that necessarily need to be contained in a packet. This means that the packet is not emitted until the specified number of flows is reached.

-q: <host>:[<port>] flow sender address and port

This option is used to specify the address and, optionally, the port that will be used by nProbe to emit the flows towards the destination indicated with -n. In practice, nProbe will create a socket and bind it to <host>:[port], thus allowing the user to choose the interface taken by the emitted flows when leaving the host.

-S <pkt rate>:<flow collection rate>:<flow export rate>

Three different rates can be specified with this option:

  • Packet capture sampling rate <pkt rate>. This rate is effective for interfaces specified with -i and allows to control the sampling rate of incoming packets. For example, a sampling rate of 100 will instruct nprobe to actually process one packet out of 100, discarding all the others. All the statistics, including total bytes and packets, will be automatically up-scaled by nprobe to reflect the sample rate. In the previous example, the size of the sampled packet will be multiplied by 100. <pkt rate> can be prepended with a ‘@’ to instruct nprobe to only use the sampling rate for the up-scaling, without performing any actual sampling. This is particularly useful when incoming packets are already sampled on the capture device connected to nprobe but it is still meaningful to have up-scaled statistics.
  • Flow collection sampling rate <flow collection rate>. This rate works when nprobe is in collector mode, that is, when option –collector-port is used and specifies the flow rate at which flows being collected have been sampled. In this case, no actual sampling is performed on the incoming flows. The specified rate is only used to perform the upscaling. For example, a flow with 250 IN_BYTES will be up-scaled by a factor equal to the sampling rate. If the sampling rate is 100, a total of 2500 IN_BYTES will be accounted for that flow.
  • Flow export rate <flow export rate>. This rate is effective when nprobe exports NetFlow towards a downstream collector, that is, when option -n is used. It controls the output sampling. For example, a <flow export rate> of 100 will cause nprobe to only export 1 flow out of 100 towards the downstream collector.

-A: AS file

Network probes are usually installed on systems where the routing information is available (e.g. via BGP) in order to specify the AS (Autonomous System) id of the flow peer. As nProbe has no access to BGP information unless you enable the BGP plugin, users need to provide this information by means of a static file whose format is <AS>:<network>. The file can be stored in both plain text and gzip format.

--city-list: City List

With this option you can enable geolocation of IP addresses at city/country detail level. Here you need to specify the GeoIP city database (e.g. GeoLiteCity.dat)
-g:
It specifies the path where nProbe will save the process PID.

-T: flow template definition

Contrary to NetFlow v5 where the flow format is fixed, NetFlow V9 and IPFIX flows have a custom format that can be specified at runtime using this option as specified in appendix.

-U: flow template id

NetFlow v9 and IPFIX flows format is specified in a template whose definition is sent by nProbe before to start sending flows. The flow format is defined by –T, where –U is used to set the template identifier. This option should not be used unless the default template value (257) needs to be changed. As based on -T nProbe can define several templates, this value is the one used for the first defined template.

-V: flow export version

It is used to specify the flow version for exported flows. Supported versions are 5 (v5), 9 (v9) and 10 (IPFIX).

-o: intra templates packet export.

It specifies the number of flow packets that are exported between two templates export.

--aggregate-gtp-tunnels

Aggregates traffic flowing in each GTP tunnel based in tunnel id.

-L: local networks

Use this flag to specify (format network/mask, e.g. 192.168.0.10/24) the list of networks that are considered local (see –c).

-c: track local hosts only

It allows nProbe to set to 0.0.0.0 all those hosts that are considered non-local (see –L). This is useful when it is necessary to restrict the traffic analysis only to local hosts.

-r: set traffic direction

When this option is used (-L must be specified before –r), all the traffic that goes towards the local networks is considered incoming, all the rest is outgoing. This has effect on the –u/-Q that are then forced with –r.

--if-networks

Flags -u and -Q are used to specify the SNMP interface identifiers for emitted flows. In mirrored environments, it is possible to simulate a switched environment by playing with MAC addresses. This option allows users to bind a MAC or IP address to a specified interfaceId.. The syntax of –if-networks is <MAC|IP/mask>@<interfaceId> where multiple entries can be separated by a comma (,). Example: –if-networks “AA:BB:CC:DD:EE:FF@3,192.168.0.0/24@2” or –if-networks @<filename> where <filename> is a file path containing the networks specified using the above format.

--count: debug only

Let the probe capture only up to the specified number of packets.

--collector-port: specifies the NetFlow collector port

Use nProbe to collect NetFlow/jFlow/IPFIX/sFlow packets. Use option --collector-port to specify on which on which ports such packets should be collected. nProbe is able to ingest and convert flows from various versions. For instance nprobe --collector-port 2055 --i 192.168.0.1:2056 --V 10 converts each flow received on port 2055 to IPFIX and sends them to 192.168.0.1:2056.

Option --collector-port can also be used to receive NetFlow/jFlow/IPFIX/sFlow packets through a ZMQ relay. In this case one should specify a ZMQ endpoint. An implementation of a ZMQ relay is available in executable flowRelay. Run flowRelay -h to see how to use it.

--collector-passthrough

Export flows to the configured ZMQ endpoints as-is, ignoring the -T. Using --collector-passthrough gives the highest collection throughput. Only ZMQ exports are supported. See Understanding How NetFlow v5 v9/NetFlow Lite/sFlow/IPFIX/jFlow Collection Works for a detailed discussion. This is a nProbe Pro-only feature.

--tunnel:

Let the probe decode tunneled traffic (e.g. GTP or GRE traffic) and thus extract traffic information from such traffic rather than from the external envelope.

--no-promisc:

With this option nProbe does not use promiscuous mode to capture packets.

--smart-udp-frags:

Ignore UDP fragmented packets with fragment offset greater than zero, and compute the fragmented packet length on the initial fragment header. This flag might lead to inaccuracy in measurement but it speeds us operations with fragmented traffic.

--ipsec-auth-data-len

Length of the authentication data of IPSec in tunnel mode. If not set, IPSec will not be decoded but just accounted.

--dump-stats:  dump some flow statistics on file

Periodically dump NetFlow statistics on the specified file. Note that when using nProbe over PF_RING, nProbe dumps statistics on /proc/net/pf_ring/stats/<nprobe stats file>.

--black-list

With this option you can specify a list of networks or hosts from which all the incoming packets will be discarded by the probe. The accepted notation can be CIDR format or the classical network/netmask format.

--pcap-file-list <file>

The specified file path contains a list of pcap files to be read in sequence by nProbe. Use this option when you want nProbe to read a list of pcap files (e.g. when generated using tcpdump).

--biflows-export-policy <policy>

Bi-directional flows are such when there is traffic in both direction of the flow (i.e. source->dest and dest->source). As mono-directional flows might indicate suspicious activities, this flag is used to determine the export policy:

  • 0: Export all know (i.e. mono and bi-directional flows)
  • 1: Export only bi-directional flows, discarding mono-directional flows.
  • 2: Export only mono-directional flows, discarding bi-directional flows.

--csv-separator <separator>

Override the default ‘|’ separator in dumps with the specified one.

--dont-drop-privileges

Do not drop root privileges to user ‘nobody’ when this option is specified. See al –unprivileged-user later int this manual.

--account-l2

NetFlow accounts IP traffic only, not counting layer 2 headers. Using this option the layer 2 headers are also accounted in flow traffic statistics.

--dump-metadata <file>

Dump metadata information into the specified file and quit. This option is useful when users want to know the type of each information element exported by nProbe so that (for instance) they can properly import into a database.

--zmq <socket>

Specify a socket (e.g., tcp://\*:5556) that will be used to deliver flows to subscribers polling the socket. Up to 8 ZMQ endpoints can be specified by repeating the –zmq. When more than one endpoint is specified, nProbe uses an hash function to evenly balance flows among all the defined endpoints. Example:

./nprobe -i eth0 -n none --zmq tcp://\*:5556 --zmq tcp://\*:5557
./ntopng -i tcp://127.0.0.1:5556 -i tcp://127.0.0.1:5557 -i view: tcp://127.0.0.1:5556, tcp://127.0.0.1:5557

--zmq-probe-mode

By default, nProbe act as a ZMQ server that delivers flows to subscribers. Using this switch, its role is reverted. This is typically used in conjunction with ntopng run in collector mode. For a thorough description refer to the section “Using nProbe with ntopng”.

--tcp <server:port>

Delivers flows in JSON format via TCP to the specified pair server:port.

--event-log <file>

Dump relevant activities (e.g. nProbe start/stop or packet drop) onto the specified file.

--enable-throughput-stats

When -P is used, with this option is also possible to generate throughput information. The file has the following format: <epoch> <bytes> <packets>. Each line is printed every second and it contains the number of bytes and packets observed within minute.

--ndpi-proto-ports <file>

Read the nDPI custom protocol and ports configuration from the specified file. Please refer to the nDPI manual for further information about the format of this file.

--disable-l7-protocol-guess

When nDPI is unable to detect a protocol, nProbe uses the port information to guess the protocol. This flag prevents nProbe from doing that, so protocols are detected only by nDPI without relying on default ports.

--db-engine <database engine>

In case flows are dumped on a MySQL database (see later on this manual) the default database engine used by nProbe is MyISAM. With this option you can use another engine (e.g. InnoDB).

--unprivileged-user <name>

When nprobe drops privileges (unless –dont-drop-privileges is used) the user nobody is used. It is possible to use another user by using this option.

--enable-collection-cache

nProbe implements a flow cache for merging packets belonging to the same flow. In flow collection the flow cache is disabled. This option enables the flow collection cache as when nProbe operates in packet capture mode. Note that this option is available only in collector/proxy mode (i.e. use -i none).

--collector-passthrough

When you want to use nProbe as a flow proxy/collector (towards ntopng for instance) and have a 1:1 mapping between collected/exported flows this is the options to use. This because it allows you to collect flows at high speed with limited CPU usage. Note that this option is useless when –disable-cache is used.

--redis <host>[:<port>]

The redis database (when nProbe is compiled with it) is used to implement a data cache and for aggregating flow information. This option specifies the host (and optionally the port) where redis is listening. nProbe opens several connections to redis (not just one) in order to maximize performance.

--ucloud

This option enables the micro-cloud concept. Please refer to http://www.ntop.org/nprobe/monitoring-on-the-microcloud/ for more information.

--check-license

Checks if the configured license is valid (for binary nProbe’s only).

--disable-startup-checks

During startup nProbe obtains both the management interface IP address and its public IP address. The management interface IP address is the address of the physically-attached interface that carries nProbe network traffic. The public IP address is the address of the management interface as it is seen from the internet. Obtaining the public IP address triggers a request to http://checkip.dyndns.org.

--dump-plugin-families

Dump installed plugin family names.

--minute-expire

Force nProbe to export active flows when a minute elapses. This is useful if you want (e.g. using -P) to have fresh flows every minute and all ending at X minutes, 0 seconds.

As some people prefer to have a configuration file containing the options that otherwise would be specified on the command line, it is also possible to start nProbe as follows:

nprobe <configuration file path>

where the configuration file contains the same options otherwise specified on the command line. The only difference between the command line and the configuration file is that different options need to be specified on different lines. For instance:

nprobe --n 127.0.0.1:2055 -i en0 -a -p

is the same as:

nprobe /etc/nprobe.conf

where :code`/etc/nprobe.conf` contains the following lines:

# cat /etc/nprobe.conf

-n=127.0.0.1:2055
-i=en0
-a=
-p=

Note that flags with no parameter associated (e.g. –a) also need to have ‘=’ specified. Any standard NetFlow collector (e.g. ntop) can be used to analyze the flows generated by nProbe. When used with ntop, the nProbe can act as a remote and light traffic collector and ntop as a central network monitoring console. See chapter 3 for further information about this topic