The nProbe configuration portion of this blog has been deprecated by the release of nProbe v6.1.1.  Please see our Recommended nProbe Templates blog for the most recent configuration.

The question, “How do I configure nProbe to export URL and Latency information?” has started to come up more often in support, so I want to take the time to demonstrate how to configure nProbe and how to analyze URLs and latency with NetFlow.

Let’s start from the beginning

If you’re new to using nProbe, are looking for how to set up nProbe, or just want to export NetFlow v5, check out a previous blog I wrote which goes over what is needed to set up nProbe.

nProbe Configuration

Let’s dive right into configuring nProbe for URLs and latency. The idea is the same as setting up Flexible NetFlow on Cisco routers: you must build the NetFlow template from scratch. We’ll start by building a basic NetFlow v9 template, then add the extra fields. It’s important to note that if you already have nProbe installed as a service, you will need to delete the service before adding a new one.

Basic nProbe NetFlow v9 Export Template

nprobe /i nprobe_v9 -n 10.1.7.17:2055 -i 2 -t 60 -d 15 -u 1 -Q 2 -L 10.1.0.0/16 -r -V 9 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL %SRC_TOS %SRC_AS %DST_AS %IPV4_SRC_MASK %IPV4_DST_MASK"

FYI – You will need to change the -n, -i, and -L tags to match your setup.  More information about these tags can be found in the nProbe User Guide.

nProbe NetFlow Export with URLs, Latency, and MAC Addresses

Now let’s look at the fields you came here for:

%CLIENT_NW_DELAY_SEC     Network latency client <-> nprobe (sec)
%CLIENT_NW_DELAY_USEC    Network latency client <-> nprobe (usec)
%SERVER_NW_DELAY_SEC     Network latency nprobe <-> server (sec)
%SERVER_NW_DELAY_USEC    Network latency nprobe <-> server (usec)
%APPL_LATENCY_SEC        Application latency (sec)
%APPL_LATENCY_USEC       Application latency (usec)
%HTTP_URL                HTTP URL
%IN_SRC_MAC              Source MAC Address
%OUT_DST_MAC             Destination MAC Address

You can add any, or all, of these fields to the nProbe NetFlow template and the nProbe will start collecting and exporting the related data.  You can find additional fields to export and more detail in the nProbe User Guide above.

nProbe NetFlow v9 Template with URLs, Latency, and MAC Addresses

nprobe /i nprobe_v9_MAC_URL_Latency -n 10.1.7.17:2055 -i 2 -t 60 -d 15 -u 1 -Q 2 -L 10.1.0.0/16 -r -V 9 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL %SRC_TOS %SRC_AS %DST_AS %IPV4_SRC_MASK %IPV4_DST_MASK %CLIENT_NW_DELAY_SEC %CLIENT_NW_DELAY_USEC %SERVER_NW_DELAY_SEC %SERVER_NW_DELAY_USEC %APPL_LATENCY_SEC %APPL_LATENCY_USEC %HTTP_URL %IN_SRC_MAC %OUT_DST_MAC"

Scrutinizer Advanced Filters

With the recent release of our latest NetFlow and sFlow analyzer, we’ve added the ability to filter on any field in the NetFlow template, which means we can add filters for URLs, latency, and MAC addresses via NetFlow.  I’ll demonstrate this with a URL filter.

First, start by running a report on the nProbe in Scrutinizer and adding an “Advanced Filter”.

Scrutinizer Advanced NetFlow Filter

Next, it will display the fields that are being exported by the nProbe NetFlow template. I’m going to select HTTP_URL for URL information.

Scrutinizer URL NetFlow Filter

Once you’ve selected the column, you will want to use a like filter to find any traffic going to a website. In my case, I’ve filtered for “facebook” traffic.  The graph below shows my machine accessing facebook.

Scrutinizer Facebook NetFlow Filter

You can even see what URLs were hit by clicking either Inbound or Outbound next to “View Raw Flows” under the graph.

Scrutinizer Facebook URLs via NetFlow
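
Each latency in the template is exported as a separate seconds field and microseconds field, and the Advanced Filter matches on HTTP_URL. The Python sketch below is an added example (not Plixer or ntop code) that checks a template for unpaired _SEC/_USEC fields, merges each pair into milliseconds, and applies a substring filter to flow records. The shortened template, the decoded-record layout, the case-insensitive match and all sample values are assumptions made for illustration.

```python
# Added example, not Plixer or ntop code. Field names are from the -T template
# on this page; the decoded-record shape and all sample values are constructed.
TEMPLATE = ("%IPV4_SRC_ADDR %IPV4_DST_ADDR %CLIENT_NW_DELAY_SEC "
            "%CLIENT_NW_DELAY_USEC %SERVER_NW_DELAY_SEC %SERVER_NW_DELAY_USEC "
            "%APPL_LATENCY_SEC %APPL_LATENCY_USEC %HTTP_URL")
LATENCY_PREFIXES = ("CLIENT_NW_DELAY", "SERVER_NW_DELAY", "APPL_LATENCY")

def template_fields(template):
    """Split an nProbe -T string into field names without the leading '%'."""
    return [tok.lstrip("%") for tok in template.split()]

def unpaired_latency_fields(fields):
    """Return _SEC/_USEC fields whose partner field is missing from the template."""
    present, unpaired = set(fields), []
    for name in fields:
        if name.endswith("_USEC"):
            partner = name[:-len("_USEC")] + "_SEC"
        elif name.endswith("_SEC"):
            partner = name[:-len("_SEC")] + "_USEC"
        else:
            continue
        if partner not in present:
            unpaired.append(name)
    return unpaired

def latency_ms(record, prefix):
    """Combine <prefix>_SEC and <prefix>_USEC into a single millisecond value."""
    return record[prefix + "_SEC"] * 1000 + record[prefix + "_USEC"] / 1000

def url_like(records, needle):
    """Substring match on HTTP_URL (case-insensitive by assumption)."""
    needle = needle.lower()
    return [r for r in records if needle in r.get("HTTP_URL", "").lower()]

def report(records, needle):
    """For each matching flow: source, URL, and the three latencies in ms."""
    return [(r["IPV4_SRC_ADDR"], r["HTTP_URL"],
             *(latency_ms(r, p) for p in LATENCY_PREFIXES))
            for r in url_like(records, needle)]

# Constructed sample records, one tuple per flow in template field order.
FLOWS = [dict(zip(template_fields(TEMPLATE), row)) for row in (
    ("10.1.4.20", "203.0.113.10", 0, 1850, 0, 42300, 1, 250000, "www.facebook.com/home.php"),
    ("10.1.4.21", "10.1.7.30", 0, 310, 0, 95, 0, 4200, "intranet.example/wiki"),
    ("10.1.4.20", "203.0.113.10", 0, 1900, 0, 41800, 0, 87000, "WWW.FACEBOOK.COM/photo.php"),
)]

if __name__ == "__main__":
    print("unpaired:", unpaired_latency_fields(template_fields(TEMPLATE)))
    for row in report(FLOWS, "facebook"):
        print(row)
```

A template that exports only one half of a pair, for example %APPL_LATENCY_USEC without %APPL_LATENCY_SEC, is reported by `unpaired_latency_fields`, since the microseconds value alone under-reports any latency of a second or more.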

This same filtering technique can be applied to any custom fields exported by Flexible NetFlow or IPFIX, which means it’s not limited to just the nProbe. Another example of where this is very useful is with our Microsoft Exchange Log Analyzer, which exports Microsoft Exchange logs via IPFIX to Scrutinizer.  If you want a best-at-NetFlow solution that’s always on the cutting edge of NetFlow technologies, be sure to follow our blogs and check out our NetFlow and sFlow analyzer.

Feel free to give us a call at 1-207-324-8805 if you have any questions.

Paul Dube

Paul Dube is the Technical Support Manager at Plixer. He has a passion for enabling individuals and organizations to use highly complex systems to solve business and personal objectives. This passion for problem solving has Paul working with some of the largest enterprises to solve their security and networking challenges and also educating his young daughters on how to enrich their lives with technology. When he's not working, you will find him enjoying time with his family, cooking something delicious on the Big Green Egg, and enjoying the best brews that the locals have to offer.


5 comments on “How to Configure nProbe to Export URLs and Latency via NetFlow”

  1. Hello,

    I would like to know the field type (e.g. integer, string, etc.) of the following fields:

    %CLIENT_NW_DELAY_SEC Network latency client nprobe (sec)
    %CLIENT_NW_DELAY_USEC Network latency client nprobe (usec)
    %SERVER_NW_DELAY_SEC Network latency nprobe server (sec)
    %SERVER_NW_DELAY_USEC Network latency nprobe server (usec)
    %APPL_LATENCY_SEC Application latency (sec)
    %APPL_LATENCY_USEC Application latency (usec)
    %HTTP_URL HTTP URL
    %IN_SRC_MAC Source MAC Address
    %OUT_DST_MAC Destination MAC Address

    especially the field “HTTP_URL”, is it a string with limited length?

    Please advise and thanks.

    George
