Recommended nProbe Templates

Posted in Network Traffic Analysis, Network Traffic Monitor, Scrutinizer on December 14th, 2010 by Paul
Hello all, we’ve been getting a lot of questions lately on how to configure nProbe and what the recommended nProbe configurations are, so I’ve put together some sample nProbe configurations to help you set up your Linux nProbe.

Let’s dive right in; this guide is for nProbe v6.1.1 or greater, and it’s recommended to use the Linux nProbe. One of the configuration parameters on the nProbe has changed to better support traffic direction, so be aware that this configuration is different and will not work with any prior version of nProbe. The -1 switch lets you specify multiple subnets and the interface each one is associated with; they should be ordered from the most specific to the least specific subnet.

Example: -1 "10.1.15.0/24@1,10.1.0.0/16@2,0.0.0.0/0@3". This will send all traffic on subnet 10.1.15.0/24 to interface 1, 10.1.0.0/16 to interface 2, and all other traffic to interface 3.

In all of the following recommended nProbe templates, you will need to change the following switches to match your configuration: -n, -i, -1. You can find more detail about these switches in the nProbe user guide.
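Because the -1 list is evaluated in order, a less specific subnet placed ahead of a more specific one silently hides it, and every address in the narrower range is tagged with the wrong interface in the exported flows. The following Python helper is an added example (not part of the original post or of nProbe itself): it parses a -1 string, reports any entry shadowed by an earlier, broader one, and resolves an address to its interface id. It assumes first-match semantics, which is what the "most specific first" rule implies; the mis-ordered BAD_SPEC string is constructed here to show the check firing.

```python
import ipaddress

# GOOD_SPEC is the post's own -1 example; BAD_SPEC is a constructed,
# deliberately mis-ordered variant (least specific first).
GOOD_SPEC = "10.1.15.0/24@1,10.1.0.0/16@2,0.0.0.0/0@3"
BAD_SPEC = "0.0.0.0/0@3,10.1.0.0/16@2,10.1.15.0/24@1"


def parse_interface_map(spec):
    """Parse 'net/prefix@ifindex,...' into an ordered list of (network, ifindex)."""
    entries = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        net_txt, _, if_txt = item.partition("@")
        if not if_txt:
            raise ValueError(f"missing @interface in {item!r}")
        # strict=True rejects host bits set in the network part (e.g. 10.1.15.7/24)
        network = ipaddress.ip_network(net_txt, strict=True)
        entries.append((network, int(if_txt)))
    return entries


def shadowed_entries(entries):
    """Return (shadowed, by) pairs: a later network fully contained in an earlier one.

    With first-match evaluation such an entry can never be selected, so the
    addresses it covers end up on the earlier entry's interface instead.
    """
    problems = []
    for i, (later, _) in enumerate(entries):
        for earlier, _ in entries[:i]:
            if later.version == earlier.version and later.subnet_of(earlier):
                problems.append((str(later), str(earlier)))
                break
    return problems


def interface_for(ip, entries):
    """First-match lookup (assumed semantics), hence most-specific-first ordering."""
    addr = ipaddress.ip_address(ip)
    for network, ifindex in entries:
        if addr.version == network.version and addr in network:
            return ifindex
    return None


if __name__ == "__main__":
    for spec in (GOOD_SPEC, BAD_SPEC):
        entries = parse_interface_map(spec)
        print(spec)
        for shadowed, by in shadowed_entries(entries):
            print(f"  WARNING: {shadowed} is shadowed by earlier entry {by}")
        for ip in ("10.1.15.7", "10.1.3.4", "192.0.2.1"):
            print(f"  {ip} -> interface {interface_for(ip, entries)}")
```

Run it against your own -1 string before starting the daemons; an empty result from shadowed_entries means every subnet you listed can actually be selected.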

nProbe NetFlow v5 Template

This is the most basic nProbe NetFlow export.

./nprobe -a -n 10.1.7.17:2055 -i eth0 -t 60 -d 15 -1 "10.1.15.0/24@1,10.1.0.0/16@2,0.0.0.0/0@3" -V 5 -G

nProbe IPFIX Templates with Client, Server, Application Latency, MAC addresses, and HTTP URLs.

This is the recommended and most efficient setup for the nProbe to process latency, MAC addresses and HTTP URLs. This setup runs three nProbe processes on one machine, where each nProbe daemon processes only the data it needs (e.g. HTTP URL information is only extracted from traffic on port 80). This speeds up processing and reduces the amount of disk space required to store the nProbe data. You MUST run all three of the following nProbe processes for this setup to work properly.

./nprobe -E "0:1" -f "!tcp" -a -n 10.1.7.17:2055 -i eth0 -u 1 -Q 2 -t 60 -d 15 -1 "10.1.15.0/24@1,10.1.0.0/16@2,0.0.0.0/0@3" -V 10 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %L4_DST_PORT %L4_SRC_PORT %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %PROTOCOL %IPV4_SRC_MASK %IPV4_DST_MASK %IN_SRC_MAC %OUT_DST_MAC" -G


./nprobe -E "0:2" -f "tcp and !(port 80)" -a -n 10.1.7.17:2055 -i eth0 -u 1 -Q 2 -t 60 -d 15 -1 "10.1.15.0/24@1,10.1.0.0/16@2,0.0.0.0/0@3" -V 10 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %L4_DST_PORT %L4_SRC_PORT %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %PROTOCOL %IPV4_SRC_MASK %IPV4_DST_MASK %IN_SRC_MAC %OUT_DST_MAC %TCP_FLAGS %CLIENT_NW_DELAY_SEC %CLIENT_NW_DELAY_USEC %SERVER_NW_DELAY_SEC %SERVER_NW_DELAY_USEC %APPL_LATENCY_SEC %APPL_LATENCY_USEC" -G


./nprobe -E "0:3" -f "tcp and port 80" -a -n 10.1.7.17:2055 -i eth0 -u 1 -Q 2 -t 60 -d 15 -1 "10.1.15.0/24@1,10.1.0.0/16@2,0.0.0.0/0@3" -V 10 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %L4_DST_PORT %L4_SRC_PORT %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %PROTOCOL %IPV4_SRC_MASK %IPV4_DST_MASK %IN_SRC_MAC %OUT_DST_MAC %TCP_FLAGS %CLIENT_NW_DELAY_SEC %CLIENT_NW_DELAY_USEC %SERVER_NW_DELAY_SEC %SERVER_NW_DELAY_USEC %APPL_LATENCY_SEC %APPL_LATENCY_USEC %HTTP_URL %HTTP_RET_CODE %HTTP_REFERER %HTTP_UA %HTTP_MIME" -G
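The three -f filters above are meant to split the traffic so that every packet is handled by exactly one daemon and the richer fields (latency, HTTP) are only ever exported where they can be populated. The Python below is an added example, not code from the post or from nProbe: it models the three filters as predicates over constructed flow records (protocol, source port, destination port), lists which -T fields each process would export for a given flow, and checks that the filters partition the sample flows with no gaps or overlaps. The field names are the ones from the -T strings above; the flow records and the predicate logic are this example's own simplification of BPF (note that BPF's `port 80` matches either the source or the destination port, which is reproduced here).

```python
# Template fields copied from the three -T strings in the post, grouped by
# which process adds them.
BASE = [
    "IPV4_SRC_ADDR", "IPV4_DST_ADDR", "IPV4_NEXT_HOP", "INPUT_SNMP", "OUTPUT_SNMP",
    "IN_PKTS", "L4_DST_PORT", "L4_SRC_PORT", "IN_BYTES", "FIRST_SWITCHED",
    "LAST_SWITCHED", "PROTOCOL", "IPV4_SRC_MASK", "IPV4_DST_MASK",
    "IN_SRC_MAC", "OUT_DST_MAC",
]
LATENCY = [
    "TCP_FLAGS", "CLIENT_NW_DELAY_SEC", "CLIENT_NW_DELAY_USEC",
    "SERVER_NW_DELAY_SEC", "SERVER_NW_DELAY_USEC",
    "APPL_LATENCY_SEC", "APPL_LATENCY_USEC",
]
HTTP = ["HTTP_URL", "HTTP_RET_CODE", "HTTP_REFERER", "HTTP_UA", "HTTP_MIME"]


def _is_tcp(flow):
    return flow["proto"] == "tcp"


def _port80(flow):
    # BPF "port 80" is true when either endpoint uses port 80.
    return 80 in (flow["sport"], flow["dport"])


# process id (-E) -> (BPF filter text, simplified predicate, exported fields)
PROCESSES = {
    "0:1": ("!tcp", lambda f: not _is_tcp(f), BASE),
    "0:2": ("tcp and !(port 80)", lambda f: _is_tcp(f) and not _port80(f), BASE + LATENCY),
    "0:3": ("tcp and port 80", lambda f: _is_tcp(f) and _port80(f), BASE + LATENCY + HTTP),
}


def matching_processes(flow):
    """Every process whose filter accepts this flow; should be exactly one."""
    return [pid for pid, (_, pred, _) in PROCESSES.items() if pred(flow)]


def exported_fields(flow):
    """Fields the accepting daemon would put in the IPFIX record for this flow."""
    matches = matching_processes(flow)
    if len(matches) != 1:
        raise ValueError(f"flow matched {matches}, expected exactly one process")
    return list(PROCESSES[matches[0]][2])


def partition_violations(flows):
    """Flows caught by zero or several daemons (gaps or double-counting)."""
    return [(f, matching_processes(f)) for f in flows if len(matching_processes(f)) != 1]


# Constructed sample flows: DNS, ICMP, HTTPS, HTTP, HTTP on a non-standard port.
SAMPLE_FLOWS = [
    {"name": "dns",        "proto": "udp",  "sport": 51234, "dport": 53},
    {"name": "icmp",       "proto": "icmp", "sport": None,  "dport": None},
    {"name": "https",      "proto": "tcp",  "sport": 49152, "dport": 443},
    {"name": "http",       "proto": "tcp",  "sport": 49153, "dport": 80},
    {"name": "http-8080",  "proto": "tcp",  "sport": 49154, "dport": 8080},
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        pid = matching_processes(flow)[0]
        print(f"{flow['name']:<10} -> process {pid} ({PROCESSES[pid][0]}), "
              f"{len(exported_fields(flow))} fields, HTTP fields: {'HTTP_URL' in exported_fields(flow)}")
    print("partition violations:", partition_violations(SAMPLE_FLOWS))
```

The last sample flow is the one worth noticing: HTTP served on 8080 lands in process 0:2 and is exported without any HTTP_* fields, so if you rely on URL visibility for web traffic on other ports, the port 80 filters on the second and third daemons both need adjusting, and they must stay complementary or the partition check above will report overlaps.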

Our NetFlow and sFlow analyzer’s ability to receive and process multiple NetFlow templates is another reason why it is a best-in-class NetFlow solution.

Paul


5 Responses to “Recommended nProbe Templates”

  1. How to Configure nProbe to Export URLs and Latency via NetFlow - NetFlow & sFlow Network Monitoring - Systrax Says:

    [...] portion of this blog has been deprecated by the release of nProbe v6.1.1. Please see our Recommended nProbe Templates blog for the most recent [...]

  2. Application Performance Monitoring: Out of Order Packets - NetFlow & sFlow Network Monitoring - Systrax Says:

    [...] you can take a proactive approach to network monitoring. If you’re looking for a guide on how to configure an nProbe IPFIX template, we have some great examples for you. How are you monitoring for out of order [...]

  3. Denis Says:

    Hi Paul,

    I actually applied your configuration, and I can see nProbe reports, but I can’t display some info. It seems my plugins are not capturing enough stuff…

    root@nProbeProOrsenna:~# nprobe -E "0:3" -f "tcp and port 80" -a -n 192.168.172.1:9999 -i eth1 -t 60 -d 15 -1 "192.168.1.0/24@1" -V 10 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %L4_DST_PORT %L4_SRC_PORT %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %PROTOCOL %IPV4_SRC_MASK %IPV4_DST_MASK %IN_SRC_MAC %OUT_DST_MAC %TCP_FLAGS %CLIENT_NW_DELAY_SEC %CLIENT_NW_DELAY_USEC %SERVER_NW_DELAY_SEC %SERVER_NW_DELAY_USEC %APPL_LATENCY_SEC %APPL_LATENCY_USEC %HTTP_URL %HTTP_RET_CODE %HTTP_REFERER %HTTP_UA %HTTP_MIME" -G*
    nprobe: invalid option — ‘*’
    01/Dec/2012 09:57:34 [nprobe.c:2995] WARNING: The output interfaceId is set to 0: did you forget to use -Q perhaps ?
    01/Dec/2012 09:57:34 [nprobe.c:2998] WARNING: The input interfaceId is set to 0: did you forget to use -u perhaps ?
    01/Dec/2012 09:57:34 [nprobe.c:3043] Welcome to nprobe v.6.9.9 ($Revision: 2773 $) for x86_64-unknown-linux-gnu
    01/Dec/2012 09:57:34 [plugin.c:150] No plugins found in ./plugins
    01/Dec/2012 09:57:34 [plugin.c:156] Loading plugins [.so] from /usr/local/lib/nprobe/plugins
    01/Dec/2012 09:57:34 [dbPlugin.c:160] WARNING: DB support is not enabled (disabled at compile time)
    01/Dec/2012 09:57:34 [nprobe.c:4722] Welcome to nprobe v.6.9.9 for x86_64-unknown-linux-gnu
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_URL’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_RET_CODE’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_REFERER’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_UA’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_MIME’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_URL’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_RET_CODE’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_REFERER’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_UA’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_MIME’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_URL’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_RET_CODE’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_REFERER’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_UA’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_MIME’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_URL’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_RET_CODE’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_REFERER’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_UA’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_MIME’. Discarded.
    01/Dec/2012 09:57:34 [plugin.c:800] 0 plugin(s) enabled
    01/Dec/2012 09:57:34 [nprobe.c:3510] Using packet capture length 128
    01/Dec/2012 09:57:34 [nprobe.c:4937] Flows ASs will not be computed (missing GeoIP support)
    01/Dec/2012 09:57:34 [nprobe.c:5013] Capturing packets from interface eth1

    Can you help me please on this?

    BR,

    Denis

  4. Paul Says:

    Hello Denis,

    You’re missing the HTTP plugin which is why you’re getting all of these errors. I see that there’s a support case open with you on this. Someone will be contacting you directly in regards to this.

    - Paul

  5. Denis Says:

    You are right :)
    I got an answer from ntop, and they said that we don’t order this plugin.

    Thanks

    Denis
