In flow (sFlow/NetFlow/IPFIX) collection, nProbe acts as a “flow processor” for ntopng. nProbe is responsible for sending flows to ntopng after they have been processed, which includes:
- Probe mode. nProbe captures network packets and converts them into flows that are then exported to ntopng.
- Collection mode. nProbe collects flows produced by a probe such as a router.
- Flow normalization, that is, the process of converting flows into a format that ntopng can understand. This happens if flow exporter devices (e.g. a router) use custom information elements. In addition, nProbe takes care of the differences in flow format between sFlow and NetFlow/IPFIX which, despite the common word “Flow”, are very different in format.
In both scenarios, nProbe manipulates or creates flows that are
When you configure flow collection you have the two options described below. They are very similar, and which one fits your needs depends on your firewall rules (who is the connection initiator?) and your traffic policy (do you want to merge nProbe traffic on the ntopng side?).
Collector Mode
In collector mode, ntopng connects to the various nProbes (i.e. ntopng is the connection initiator). In this case you need to define in ntopng one interface (-i) per remote nProbe you intend to connect to. If you need to aggregate multiple ntopng interfaces into one, you can add “-i view:all” to merge them into a view interface.
Probe Mode
In probe mode, multiple nProbes connect to the same ntopng interface (i.e. nProbe is the connection initiator). In this case you need to define in ntopng one interface (-i) to which all remote nProbes will connect. As this is in collector mode, note that you need to add a lowercase ‘c’ at the end of the interface definition in ntopng. In this setup all probe traffic is automatically merged into a single ntopng interface.
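The two setups side by side, as an added example that is not part of the original post: the script prints, without running them, the ntopng and nProbe command lines for each mode. The host names and ports 5556/2055 are constructed, and the nProbe options `--zmq`, `--zmq-probe-mode`, `--collector-port` and `-n none` do not appear in the text above.

```shell
#!/bin/sh
# Prints (does not run) the command lines for both topologies.
# Constructed values: host names, ZMQ port 5556, NetFlow/IPFIX port 2055.
ZMQ_PORT=5556
FLOW_PORT=2055
# nProbe options shared by both modes: no packet capture, no flow export,
# only collection of flows that routers send to UDP $FLOW_PORT.
NPROBE_COLLECT="-i none -n none --collector-port $FLOW_PORT"

# Collector mode: ntopng initiates, so every nProbe listens on $ZMQ_PORT
# and the firewall must allow ntopng -> nProbe.
nprobe_collector_mode() {
    echo "nprobe --zmq 'tcp://*:$ZMQ_PORT' $NPROBE_COLLECT"
}

# One -i per remote nProbe; the view interface is the optional merge step
# and is only added here when there is more than one probe to merge.
ntopng_collector_mode() {
    args=""
    for probe in "$@"; do
        args="$args -i tcp://$probe:$ZMQ_PORT"
    done
    if [ "$#" -gt 1 ]; then
        args="$args -i view:all"
    fi
    echo "ntopng$args"
}

# Probe mode: nProbe initiates, so only ntopng listens and the firewall
# must allow nProbe -> ntopng. The trailing 'c' marks the listening side.
ntopng_probe_mode() {
    echo "ntopng -i 'tcp://*:${ZMQ_PORT}c'"
}

# $1 = address of the ntopng host every nProbe connects to.
nprobe_probe_mode() {
    echo "nprobe --zmq tcp://$1:$ZMQ_PORT --zmq-probe-mode $NPROBE_COLLECT"
}

echo "# Collector mode (run the nprobe line on each probe host)"
nprobe_collector_mode
ntopng_collector_mode probe-a.example probe-b.example
echo "# Probe mode (run the nprobe line on each probe host)"
ntopng_probe_mode
nprobe_probe_mode ntopng.example
```

Only the listening side needs an inbound firewall rule for the ZMQ port: each nProbe host in collector mode, the ntopng host in probe mode.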
Enjoy !