When nProbe collects data (both sFlow/NetFlow/IPFIX and nTap), it immediately discards collected data after processing. However sometimes it is useful to dump such data. A typical use-case include:
- nProbe collects packets sent by ntap_remove
- nProbe collects flows exported by a switch/router
Probe can dump collected data to a virtual network interface on top of which applications such as n2disk or tcpdump can be enabled. This can be enabled with --dump-collected-pkts <interface> for dumping collected data onto the specified network interface. In case of nTap raw collectd packets are dumped “as is” to the interface, whereas collected flows are dumped with a dummy ethernet/IP/UDP header.
You can dump packets onto an existing host ethernet interface (e.g. eth0), or you can create (on Linux) a dummy ethernet interface using:
$ sudo ip link add rec0 type dummy$ sudo ifconfig rec0 up
Now you can dump nTap collected packet with:
- [host a.b.c.d]
$ sudo nprobe --dump-collected-pkts rec0 -3 5678 --ntap hello - [host f.g.h.i]
$ sudo ntap_remote -i eno1 -c a.b.c.d:5678 -k hello
or dump collected flows on port 2055 using:
$ sudo nprobe --dump-collected-pkts rec0 -3 2055
Note that in case you use ntopng with n2disk (e.g. ntopng bundle) you can configure ntopng to enable n2disk on the selected interface as described on the ntopng manual.
Enjoy !