The nProbe configuration portion of this blog has been depreciated by the release of nProbe v6.1.1. Please see our Recommended nProbe Templates blog for the most recent configuration.
The question, “How do I configure nProbe to export URL and Latency information?” has started to come up more often in support, so I want to take the time to demonstrate how to configure nProbe and how to analyze URLs and latency with NetFlow.
Let’s start from the beginning
If you’re new to using nProbe, are looking for how to setup nProbe, or just want to export NetFlow v5, check out a previous blog I wrote which goes over what is needed to setup nProbe.
Let’s dive right into configuring the nProbe for URLs and latency. The idea is the same as setting up Flexible NetFlow on Cisco Routers, in that you must build the NetFlow template from scratch, so let’s get started building a basic NetFlow v9 template then we can add the extra fields. It’s important to note that if you already have nProbe installed as a service you will need to delete the service before adding a new one.
Basic nProbe NetFlow v9 Export Template
nprobe /i nprobe_v9 -n 10.1.7.17:2055 -i 2 -t 60 -d 15 -u 1 -Q 2 -L 10.1.0.0/16 -r -V 9 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL %SRC_TOS %SRC_AS %DST_AS %IPV4_SRC_MASK %IPV4_DST_MASK"
FYI – You will need to change the -n, -i, and -L tags to match your setup. More information about these tags can be found in the nProbe User Guide.
nProbe NetFlow Export with URLs, Latency, and MAC Addresses
Now let’s look at the fields you came here for:
%CLIENT_NW_DELAY_SEC Network latency client <-> nprobe (sec)
%CLIENT_NW_DELAY_USEC Network latency client <-> nprobe (usec)
%SERVER_NW_DELAY_SEC Network latency nprobe <-> server (sec)
%SERVER_NW_DELAY_USEC Network latency nprobe <-> server (usec)
%APPL_LATENCY_SEC Application latency (sec)
%APPL_LATENCY_USEC Application latency (usec)
%HTTP_URL HTTP URL
%IN_SRC_MAC Source MAC Address
%OUT_DST_MAC Destination MAC Address
You can add any, or all, of these fields to the nProbe NetFlow template and the nProbe will start collecting and exporting the related data. You can find additional fields to export and more detail in the nProbe User Guide above.
nProbe NetFlow v9 Template with URLs, Latency, and MAC Addresses
nprobe /i nprobe_v9_MAC_URL_Latency -n 10.1.7.17:2055 -i 2 -t 60 -d 15 -u 1 -Q 2 -L 10.1.0.0/16 -r -V 9 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL %SRC_TOS %SRC_AS %DST_AS %IPV4_SRC_MASK %IPV4_DST_MASK %CLIENT_NW_DELAY_SEC %CLIENT_NW_DELAY_USEC %SERVER_NW_DELAY_SEC %SERVER_NW_DELAY_USEC %APPL_LATENCY_SEC %APPL_LATENCY_USEC %HTTP_URL %IN_SRC_MAC %OUT_DST_MAC"
Scrutinizer Advanced Filters
With the recent release of our latest NetFlow and sFlow analyzer we’ve added the ability to filter on any field in the NetFlow template which means we can add filters for URLs, latency, and MAC addresses via NetFlow. I’ll demonstrate this with a URL filter.
First, start by running a report on the nProbe in Scrutinizer and adding an “Advanced Filter”.
Next it will display the fields that are being exported by the nProbe NetFlow template and I’m going to select HTTP_URL for URL information.
Once you’ve selected the column, you will want to use a like filter to find any traffic going to a website. In my case, I’ve filtered for “facebook” traffic. The graph below shows my machine accessing facebook.
You can even see what URLs were hit by clicking either Inbound or Outbound next to “View Raw Flows” under the graph.
This same filtering technique can be applied to any custom fields exported by Flexible NetFlow or IPFIX which means it’s not limited to just the nProbe. Another example of where this is very useful is with our Microsoft Exchange Log Analyzer that exports Microsoft Exchange logs via IPFIX to Scrutinizer. If you want a best at NetFlow solution that’s always on the cutting edge of NetFlow technologies be sure to follow our blogs and check out our NetFlow and sFlow analyzer.
Feel free to give us a call at 1-207-324-8805 if you have any questions.