HowTo Configure Flow Collection in nProbe and ntopng


In flow (sFlow/NetFlow/IPFIX) collection, nProbe acts as a “flow processor” for ntopng. nProbe is responsible for sending flows to ntopng after they have been processed, which includes:

  • Collection mode: flow normalization, that is, converting flows into a format that ntopng can understand. This is needed when flow exporter devices (e.g. a router) use custom information elements. In addition, nProbe takes care of the difference in flow format between sFlow and NetFlow/IPFIX, which despite the common word “Flow” are very different formats.
  • Probe mode: converting captured packets into flows that are then exported to ntopng.

When you configure flow collection you have two options, described below. These solutions are pretty similar, and you need to choose the one that fits your needs based on your firewall rules (who is the connection initiator?) and traffic policy (do you want to merge nProbe traffic on the ntopng side?).

Probe Mode

In probe mode ntopng connects to the various nProbes (i.e. ntopng is the connection initiator). In this case you need to define in ntopng one interface (-i) per remote nProbe you intend to connect to. If you need to aggregate multiple ntopng interfaces into one, you can add “-i view:all” to merge them into a view interface.


Collector Mode

In collector mode multiple nProbes connect to the same ntopng interface (i.e. nProbe is the connection initiator). In this case you need to define in ntopng one interface (-i) to which all remote nProbes will connect. As this is collector mode, note that you need to add a small ‘c’ at the end of the interface definition in ntopng. In this setup all probe traffic is automatically merged into a single ntopng interface.
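The two layouts above as concrete nProbe and ntopng command lines, written here as an added example rather than taken from the ntop project's own scripts. It assumes NetFlow/IPFIX arrives on UDP 2055, ZMQ endpoints use port 5556, and the host names are constructed placeholders.

```shell
#!/bin/sh
# Constructed example: build the nProbe and ntopng command lines for both
# flow-collection layouts. Ports 2055 (NetFlow/IPFIX in) and 5556 (ZMQ) are
# assumptions, as are the host names passed in by the caller.

# Probe mode: each nProbe binds its own ZMQ endpoint and ntopng connects to
# it, so the firewall must allow ntopng -> nProbe on 5556, and ntopng needs
# one -i per nProbe (plus view:all to merge more than one interface).
nprobe_probe_mode() {          # $1 = address this nProbe listens on
  echo "nprobe -i none -n none --collector-port 2055 --zmq tcp://$1:5556"
}
ntopng_probe_mode() {          # $@ = nProbe hosts ntopng must reach
  args=""
  for h in "$@"; do args="$args -i tcp://$h:5556"; done
  [ $# -gt 1 ] && args="$args -i view:all"
  echo "ntopng$args"
}

# Collector mode: ntopng binds a single endpoint (note the trailing 'c') and
# every nProbe connects to it with --zmq-probe-mode, so the firewall must
# allow nProbe -> ntopng on 5556; traffic is merged into that one interface.
ntopng_collector_mode() {      # $1 = address ntopng listens on
  echo "ntopng -i tcp://$1:5556c"
}
nprobe_collector_mode() {      # $1 = ntopng host the probe connects to
  echo "nprobe -i none -n none --collector-port 2055 --zmq tcp://$1:5556 --zmq-probe-mode"
}

# Show both setups for two constructed probe hosts and one ntopng host.
echo "# probe mode";      nprobe_probe_mode 192.0.2.10; nprobe_probe_mode 192.0.2.11
ntopng_probe_mode 192.0.2.10 192.0.2.11
echo "# collector mode";  ntopng_collector_mode 0.0.0.0
nprobe_collector_mode ntopng.example.net
```

In collector mode ntopng is the listening side, so prefer binding to a specific management address over 0.0.0.0 and restrict the inbound rule to the known nProbe hosts.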

Enjoy!