nProbe™

Extensible NetFlow v5/v9/IPFIX Probe and Collector

In commercial environments, NetFlow is probably the de-facto standard for network traffic accounting. nProbe includes both a NetFlow v5/v9/IPFIX probe and collector that can be used to play with NetFlow flows. This means nProbe™ can be used:

  • To collect and export NetFlow flows generated by border gateways/switches/routers or any other device that can export in NetFlow v5/v9
  • As a drop-in replacement of embedded, low-speed, NetFlow probes that may already been deployed
  • To analyze multi-Gbit networks at full speed with no (or very moderate) packet loss
  • To send monitored flows towards a collector such as the open-source ntopng or a commercial one (e.g. Cisco NetFlow Collector or Plixer)

Currently nProbe™ is a software application available stand-alone or as an embedded system (nBox appliance).

nprobe-short
at a glance

Key Features

  • Layer-7 visibility and accounting with 450+ detected applications (e.g. Teams, BitTorrent, Citrix, ...)
  • Integrate with ntopng to visualize, collect, and analyze monitored traffic
  • NetFlow v5/v9/IPFIX support for efficient flow handling and legacy routers compatibility
  • Flexible NetFlow export for the creation of custom NetFlow templates, with optional PEN support
  • Convert Cisco ASA and sFlow into NetFlow v5/v9/IPFIX
  • Cisco NetFlow-Lite support
  • Native support for PF_RING Zero Copy (ZC) for ultra-high speed packet capture
  • Flow and packet sampling
  • Agent mode support on Windows and Linux systems (eBPF based) to augment network metadata with users and processes
  • IPS inline mode for blocking and shaping traffic at Layer-7
  • Flow export to Kafka, ElasticSearch, Apache™, Syslog, MySQL/MariaDB, Splunk (via TCP streaming)
  • Flow dump to text files (CSV)
  • Support of tunneled traffic (GRE, PPP, VXLAN, GTP) and export of inner/outer envelope/packet information
  • VoIP (SIP and RTP) traffic analysis including voice quality and pseudo MOS
  • HTTP, MySQL/Oracle, DNS protocol analysis and logs generation
  • Fully interoperable with commercial collectors such as IsarFlow, Fluke, Cisco, Dartware, Arbor Networks, Plixer, NetFlow Auditor, SolarWinds Orion NTA, Andrisoft
Works great with ntopng!

nProbe works even better when paired with ntopng. Unlock advanced flow-based traffic analysis and deep visibility into your network!

Ideal for Every Environment

Use Cases

Flow Probe on Mirror/TAP

This mode can be used to analyse traffic from a mirror or TAP device and export flows in NetFlow v5/v9/IPFIX format or to ntopng.

Mirror (SPAN) ports or TAP devices allow network monitoring tools to observe all packets flowing through the network for for network visibility, troubleshooting, threat detection, and capacity planning, without generating traffic or altering the data path.

  • Mirror Port (SPAN): available on most managed switches, duplicates traffic from selected ports or VLANs to a dedicated monitoring port.
  • TAP Device: transparently copies all network traffic at the physical layer, acting as a bump-in-the-wire and providing a fail-safe method for capturing traffic.

A physical NIC card connected to a mirror can be monitored by nProbe by simply specifying its interface name. This configuration can be used to monitor a mirror port from a switch, or in conjunction with a TAP device by aggregating two directions from two network interfaces.

This mode can be used to collect flows in NetFlow v5/v9/IPFIX format and deliver flows to ntopng.

In proxy mode it is possible to convert from/to IPFIX/NetFlow v5/v9 in order to smoothly upgrade to newer NetFlow protocol versions while capitalizing on previous protocol versions. So you can for instance convert flows coming from your v5 router into IPFIX and vice-versa.

In this configuration nProbe acts as a bridge device by applying Layer-7 policies to the bridged traffic.

Specifications

Tech Specs

  • Linux
  • FreeBSD (including OPNsense and pfSense)
  • Windows x64 (including Windows 10/11)
  • macOS
  • RaspbianOS
  • NetFlow v5/v9/IPFIX
  • ZMQ (ntopng)
  • Kafka
  • Text file (CSV)
  • MySQL/MariaDB
  • ElasticSearch
  • TCP Stream
  • Syslog
  • Limited memory footprint (less that 2 MB of memory regardless of the network size) and CPU savvy
  • Designed for running on environments with limited resources and embedded systems (ARM and  MIPSEL-based)
  • IPv4/IPv6
  • TCP/UDP/ICMP
  • GTP/GRE/MPLS/VXLAN/PPP
  • 450+ Layer-7 application protocols supported by nDPI

Performance

nProbe has been designed to keep up with multi-Gbit speeds on commodity hardware. Using a dual core CPU, nProbe can be used for capturing packets at 1 Gbit with no/very little (< 1%) packet loss using vanilla PF_RING (no ZC), or even at higher rate with PF_RING ZC kernel-bypass drivers. Please note that performance figures below are per-core. This means that, for example, by leveraging on PF_RING ZC, it is possible to achieve a 4x performance improvement on a quad-core CPU.

Packet Size (Bytes) Per-core throughput with no packet loss
Fixed 64 3.32 Mpps, 2.15 Gb/secs
Fixed 512 Wire rate
Fixed 1500 Wire rate
Random 64-1500 Wire rate

The table above shows the result of a worst-case performance test using:

  • Dell R220
  • CPU Intel E3-1241 v3 @ 3.50GHz
  • Intel 82599-based 10 Gbit card
  • Traffic Generator: pfsend -i zc:ethX -a -g 1 -b 250000
  • 250K rotating IP addresses
  • Generation of 250K flows/minute
  • Command used: nprobe -i zc:eth1 –cpu-affinity 1 -t 60 -b 1 -w 500000 -V 9
  • No flow storage on DB or disk, just forwarding to a collector

This mode can be used to collect flows in NetFlow v5/v9/IPFIX format and deliver flows to ntopng. Please find below the performance of nProbe collecting NetFlow and exporting flows over ZMQ.

Template Ingress Rate (NetFlow) Export Rate (ZMQ)
Default 12’000 packets/second (avg 19 records/packet) 230’000 flows/second
@NTOPNG@ 8’500 packets/second (avg 19 records/packet) 160’000 flows/second

The table above shows the result of a worst-case performance test using:

  • CPU Intel E3-1230 v5 @ 3.40GHz
  • Incoming flows in NetFlow v9 format
  • ZMQ export (TLV)
  • Internal cache disabled (this guarantees that nProbe transparently forwards incoming flows)
  • Command used: nprobe -i none -n none –collector-port 2055 –zmq tcp://192.168.1.1:5556 –disable-cache [-T @NTOPNG@]
  • No flow storage on DB or disk, just forwarding to ntopng as collector via ZMQ
versions

Choose Your Version

Did you already install the software?

Install

Select the nProbe version that fits your needs. Different versions unlock different features, plugins and capacity.

Check the comparison table for the features set about the various versions.

Pro
299€
  • Layer-7 traffic inspection with nDPI
  • NetFlow/sFlow flow collection
  • PF_RING packet capture acceleration
  • NetFlow and ZMQ export
  • IPv4 deduplication
  • Modbus support
  • Designed for SMEs
Buy
Enterprise S/M/L
499+€
  • All Pro features included
  • Kafka, ElasticSearch, JSON export
  • NetFlow-lite collection
  • Deep protocol analysis for HTTP, DNS, IMAP, RTP, GTP, ...
  • Agent mode
  • Flow collection deduplication
  • Designed for large organizations, telcos, ...
Buy

High-performance network traffic monitoring and analysis tools.

Explore
Newsletter
Subscribe