HowTo Deploy nProbe and ntopng on the Cloud

Posted · Add Comment

Some of our customers deploy ntopng on the cloud in order to collect flows coming from private nProbe instances often deployed on private networks or clouds. Thanks to ZMQ/Kafka communications, data sent by nProbe to ntopng travel encrypted; this is contrary to many other cloud-based collectors that instead receive clear-text IPFIX/NetFlow flows sent by exporters devices.

In this setup ntopng cannot poll the routers as they are on a private networks thus unreachable from ntopng. This means that ntopng cannot poll router interfaces via SNMP and thus to report symbolic interface names on the web GUI, and a workaround has to be identified in order to allow the collector to map interface id to names. This solution works when ntopng collects flows exported by nProbe. In this case you can:

  • Poll the interface names via SNMP and save their name in a text file
  • Use the --snmp-mappings option in order to let nProbe know the interface names
  • Such names are propagated to ntopng via ZMQ (i.e. do not forget to specify --zmq)

The --snmp-mappings option specifies the path of a text file containing the interface names of all flow exporters collected by nProbe (collector mode), or of the host where nProbe is active (probe mode). The file format is pretty straightforward: the first column is the flow exporter IP address, the second is the SNMP interface Id, and the last column the SNMP interface name.

# AgentIP ifIndex ifName
#
127.0.0.1 1 lo0
127.0.0.1 2 gif0
127.0.0.1 3 stf0
127.0.0.1 4 en0
127.0.0.1 5 en1
127.0.0.1 6 en2
192.168.1.1 11 utun0
192.168.1.1 12 utun1
192.168.1.1 13 utun2
192.168.1.1 14 utun3

In order to ease the creation of such file, the nProbe package comes with a companion tool part of the nProbe package, named /usr/bin/build_snmp_mappings.sh that you can use to create such file by polling the router via SNMP. The tool syntax is straightforward as shown below:

$ /usr/bin/build_snmp_mappings.sh
Usage:   build_snmp_mappings.sh <SNMP agent IP> <SNMP version 1|2c> <SNMP community>

Example: build_snmp_mappings.sh 127.0.0.1 2c public > snmp_mappings.txt
         nprobe --snmp-mappings snmp_mappings.txt ...

$ /usr/bin/build_snmp_mappings.sh 127.0.0.1 2c public > snmp_mappings.txt
$ cat snmp_mappings.txt
         127.0.0.1 1 lo0
         127.0.0.1 2 gif0
         127.0.0.1 3 stf0
         127.0.0.1 4 EHC250
         127.0.0.1 5 EHC253
         127.0.0.1 6 en0
         127.0.0.1 7 en3
         127.0.0.1 8 en1
         127.0.0.1 9 p2p0
         127.0.0.1 10 fw0
         127.0.0.1 11 utun0
         # Agent InterfaceId Name

Using SNMP Mappings

Suppose nProbe to collect packets from interface en3 and sends them to ntopng in flow format. You need to start nProbe and ntopng as follows:

  • nprobe --snmp-mappings snmp_mappings.txt -i en3 --ntopng zmq://127.0.0.1:1234 -t 3 -d 3 -b 2 -u 7 -Q 7
  • ntopng -i zmq://127.0.0.1:1234

As you can see ntopng has been able to map the interface id to name (en3). Note that the above setup works both with ZMQ and Kafka.

If you want you can read more about this topic in the nProbe manual.

Enjoy !