Welcome to nProbe 10: Agent-mode, Timeseries, AWS/Google Cloud, Custom Flow Collection


nProbe 1.0 was introduced in 2002. Twenty years later we are glad to introduce nProbe 10, which brings several new features and improvements:

Agent Mode

When nProbe is deployed on a host, it is possible to use the new --agent-mode command line option (available on Windows and on Linux systems with eBPF support). You can start nProbe and ntopng as follows:

  • nprobe -i eno1 --zmq tcp://127.0.0.1:1234 --agent-mode
  • ntopng -i tcp://127.0.0.1:1234

In this configuration nProbe will enrich flow information with process, user and package (Linux only) information as shown in the picture below.

Furthermore, it is possible to start nProbe in process learning mode to keep track of the processes in use. Example:

--process-learning <sec>:<0|1>      | Process learning duration <seconds>.
                                    | 0=means continue learning, 1=restart learning at nprobe start

For instance, you can start nProbe with

  • nprobe -i eno1 --zmq tcp://127.0.0.1:1234 --agent-mode --process-learning 3600:0

to learn the processes started during one hour. Processes that are not part of a package or not known during learning are marked as suspicious, and nProbe will return a FLOW_VERDICT information element set to drop. This is the first step towards a host-based EDR.
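The following is an added illustration of the process-learning logic described above, not nProbe's own code: it assumes that after the learning window a process is trusted if it was seen during learning or belongs to an installed package, and that mode 0 resumes from a previously learned set while mode 1 discards it. The flow records are constructed.

```python
"""Toy model of nProbe agent-mode process learning (illustrative, not nProbe's code)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    # Constructed flow record carrying the process fields agent mode adds to a flow.
    src: str
    dst: str
    dport: int
    process: str        # executable name observed by the host agent
    in_package: bool    # executable belongs to an installed package (Linux only)


class ProcessLearner:
    """Models --process-learning <sec>:<0|1> (assumed semantics, see lead-in)."""

    def __init__(self, learn_seconds: int, restart: bool, start_ts: float,
                 persisted: Optional[Set[str]] = None) -> None:
        self.learn_until = start_ts + learn_seconds
        # mode 0 continues from the set learned in earlier runs, mode 1 starts over
        self.known: Set[str] = set() if restart or persisted is None else set(persisted)

    def verdict(self, flow: Flow, ts: float) -> str:
        """Return the FLOW_VERDICT value the flow would be exported with."""
        if ts < self.learn_until:
            self.known.add(flow.process)   # still learning: record it and let it pass
            return "pass"
        if flow.process in self.known or flow.in_package:
            return "pass"
        return "drop"                       # unknown, unpackaged process: suspicious


def run_demo() -> List[Tuple[str, str]]:
    """Replay constructed flows against a one-hour learning window (3600:0)."""
    t0 = 1_700_000_000.0
    learner = ProcessLearner(3600, restart=False, start_ts=t0)
    flows = [
        (t0 + 10,   Flow("10.0.0.5", "10.0.0.9", 5432, "postgres", True)),
        (t0 + 120,  Flow("10.0.0.5", "93.184.216.34", 443, "myapp", False)),
        (t0 + 4000, Flow("10.0.0.5", "93.184.216.34", 443, "myapp", False)),   # learned
        (t0 + 4100, Flow("10.0.0.5", "10.0.0.9", 5432, "psql", True)),          # packaged
        (t0 + 4200, Flow("10.0.0.5", "198.51.100.7", 8443, "unknown_bin", False)),  # neither
    ]
    return [(f.process, learner.verdict(f, ts)) for ts, f in flows]


if __name__ == "__main__":
    for proc, v in run_demo():
        print(f"{proc:12s} FLOW_VERDICT={v}")
```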

Timeseries

nProbe can now generate InfluxDB-compatible timeseries for self monitoring (-b 1) and for converting sFlow-collected interface counters. You can read more about this in this blog post, where we also describe how we support timeseries generation for Calix devices.

Cloud Support

nProbe now supports cloud-based services:

  • Process Amazon VPC logs and turn them into flows
  • Export flows to Google Cloud for those who need to store flows in the cloud.

Collection of Proprietary Flows

In this release we have improved support for proprietary flows via custom flow definition files. In particular, we have sped up the collection of proprietary fields and reduced memory usage. Furthermore, Nokia NAT/AAA correlation via proprietary flows is now fully supported.

Syslog Flow Collection

nProbe now supports syslog (UDP and TCP) flow collection via a new CLI parameter:

[--syslog-flow-format] <fmt>:<port> | Parse incoming flows sent to syslog port <port>
                                    | --syslog-flow-format 1:514 [collect on UDP:514]
                                    | --syslog-flow-format 1:TCP/514

Out of the box we currently handle Fortinet syslog flow records, which can be collected and re-exported as standard flows.

That said, the list of changes is very long, and we invite you to have a look at the full nProbe changelog.

Enjoy!