By default nProbe tries to emulate a switched environment even if a mirror packet stream is used. For this reason both input and output interfaces are set to the last two bytes of the MAC address of the packet that is part of the flow. While this is a nice property, it is not likes by some netflow collectors that instead rely on static/physical interface numbers. nProbe supports this, however you need to understand first how interfaceId works on NetFlow and how to set it on nProbe.
The netflow id corresponds to the SNMP interfaceId and not the nprobe interface id. In order to find the correct value, it is necessary to snmpwalk on the host where nprobe is active, and see what are the indexes associated with the interfaces. In other words it is necessary to make sure that the snmp interfaceId and netflow interfaceId are consistent.
sh-3.2# snmpwalk -v 1 -c public localhost ifDescr
IF-MIB::ifDescr.1 = STRING: lo0
IF-MIB::ifDescr.2 = STRING: gif0
IF-MIB::ifDescr.3 = STRING: stf0
IF-MIB::ifDescr.4 = STRING: en0
IF-MIB::ifDescr.5 = STRING: fw0
IF-MIB::ifDescr.6 = STRING: en1
IF-MIB::ifDescr.7 = STRING: en2
IF-MIB::ifDescr.8 = STRING: en3
This means that we need to use interfaceId 8 for en3, 7 for en2….
Note that some collectors do not like flows with the same input and output interfaceId, so in case you use the same Id for in and out, this can create problems.
Posted in: nProbe