Hello all, we’ve been getting a lot of questions 
lately on how to configure nProbe and what the recommended nProbe configurations are, so I’ve put together some sample nProbe configurations to help setup your Linux nProbe.
Let’s dive right in; this guide is for nProbe v6.13 or greater and it’s recommended to use the Linux nProbe. One of the configuration parameters on the nProbe has changed to better support traffic direction on the nProbe, so be aware that this configuration is different and will not work with any prior versions of nProbe. The -1 command will allow you to specify multiple subnets and which interface they are associated with; they should be ordered from the most specific to the least specific subnet.
Example: -1 “10.1.15.0/[email protected],10.1.0.0/[email protected],0.0.0.0/[email protected]” this will send all traffic on subnet 10.1.15.0/24 to interface 1, 10.1.0.0/16 to interface 2 and all other traffic to interface 3.
In all of the following recommended nProbe templates, you will need to change the following switches to match your configuration: -n, -i, -1. You can find more detail about these switches in the nProbe user guide.
nProbe NetFlow v5 Template
This is the most basic nProbe NetFlow export.
./nprobe -a -n 10.1.7.17:2055 -i eth0 -t 60 -d 15 -1 "10.1.15.0/[email protected],10.1.0.0/[email protected],0.0.0.0/[email protected]" -V 5 -G
nProbe IPFIX Templates with Client, Server, Application Latency, MAC addresses, and HTTP URLs.
This is the recommended and most efficient setup for the nProbe to process latency, MAC addresses and HTTP URLs. This setup will run three nProbe processes from one machine where each nProbe daemon will process only the necessary data (E.g. HTTP URL information will only be processed for traffic on port 80 traffic). This helps speed up processing time and will reduce the amount of disk space required to store the nProbe data. You MUST run all three of the following nProbe processes for this setup to work properly.
./nprobe -E "0:1" -f "!tcp" -a -n 10.1.7.17:2055 -i eth0 -u 1 -Q 2 -t 60 -d 15 -1 "10.1.15.0/[email protected],10.1.0.0/[email protected],0.0.0.0/[email protected]" -V 10 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %L4_DST_PORT %L4_SRC_PORT %IN_BYTES %FLOW_START_MILLISECONDS %FLOW_END_MILLISECONDS %PROTOCOL %IPV4_SRC_MASK %IPV4_DST_MASK %IN_SRC_MAC %OUT_DST_MAC" -G
./nprobe -E "0:2" -f "tcp and !(port 80)" -a -n 10.1.7.17:2055 -i eth0 -u 1 -Q 2 -t 60 -d 15 -1 "10.1.15.0/[email protected],10.1.0.0/[email protected],0.0.0.0/[email protected]" -V 10 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %L4_DST_PORT %L4_SRC_PORT %IN_BYTES %FLOW_START_MILLISECONDS %FLOW_END_MILLISECONDS %PROTOCOL %IPV4_SRC_MASK %IPV4_DST_MASK %IN_SRC_MAC %OUT_DST_MAC %TCP_FLAGS %CLIENT_NW_DELAY_MS %SERVER_NW_DELAY_MS %APPL_LATENCY_MS" -G
./nprobe -E "0:3" -f "tcp and port 80" -a -n 10.1.7.17:2055 -i eth0 -u 1 -Q 2 -t 60 -d 15 -1 "10.1.15.0/[email protected],10.1.0.0/[email protected],0.0.0.0/[email protected]" -V 10 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %L4_DST_PORT %L4_SRC_PORT %IN_BYTES %FLOW_START_MILLISECONDS %FLOW_END_MILLISECONDS %PROTOCOL %IPV4_SRC_MASK %IPV4_DST_MASK %IN_SRC_MAC %OUT_DST_MAC %TCP_FLAGS %CLIENT_NW_DELAY_MS %SERVER_NW_DELAY_MS %APPL_LATENCY_MS %HTTP_URL %HTTP_RET_CODE %HTTP_REFERER %HTTP_UA %HTTP_MIME" -G
Our NetFlow and sFlow analyzer’s ability to receive and process multiple NetFlow templates is another reason why it’s a best at NetFlow solution.
Related
Integrate your network alarms with Microsoft Teams
2020 was a year of incredible change—changes that I believe will have a lasting impact, but also changes that require…
5 comments on “Recommended nProbe Templates”
Comments are closed.
Hi Paul,
I actually applied your configurationn, but I can see nProbe reports, but I can’t display some info. It seems my plugins are not capturing enough stuff…
[email protected]:~# nprobe -E “0:3” -f “tcp and port 80” -a -n 192.168.172.1:9999 -i eth1 -t 60 -d 15 -1 “192.168.1.0/[email protected]” -V 10 -T “%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %L4_DST_PORT %L4_SRC_PORT %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %PROTOCOL %IPV4_SRC_MASK %IPV4_DST_MASK %IN_SRC_MAC %OUT_DST_MAC %TCP_FLAGS %CLIENT_NW_DELAY_SEC %CLIENT_NW_DELAY_USEC %SERVER_NW_DELAY_SEC %SERVER_NW_DELAY_USEC %APPL_LATENCY_SEC %APPL_LATENCY_USEC %HTTP_URL %HTTP_RET_CODE %HTTP_REFERER %HTTP_UA %HTTP_MIME” -G*
nprobe: invalid option — ‘*’
01/Dec/2012 09:57:34 [nprobe.c:2995] WARNING: The output interfaceId is set to 0: did you forget to use -Q perhaps ?
01/Dec/2012 09:57:34 [nprobe.c:2998] WARNING: The input interfaceId is set to 0: did you forget to use -u perhaps ?
01/Dec/2012 09:57:34 [nprobe.c:3043] Welcome to nprobe v.6.9.9 ($Revision: 2773 $) for x86_64-unknown-linux-gnu
01/Dec/2012 09:57:34 [plugin.c:150] No plugins found in ./plugins
01/Dec/2012 09:57:34 [plugin.c:156] Loading plugins [.so] from /usr/local/lib/nprobe/plugins
01/Dec/2012 09:57:34 [dbPlugin.c:160] WARNING: DB support is not enabled (disabled at compile time)
01/Dec/2012 09:57:34 [nprobe.c:4722] Welcome to nprobe v.6.9.9 for x86_64-unknown-linux-gnu
01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_URL’. Discarded.
01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_RET_CODE’. Discarded.
01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_REFERER’. Discarded.
01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_UA’. Discarded.
01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_MIME’. Discarded.
01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_URL’. Discarded.
01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_RET_CODE’. Discarded.
01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_REFERER’. Discarded.
01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_UA’. Discarded.
01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_MIME’. Discarded.
01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_URL’. Discarded.
01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_RET_CODE’. Discarded.
01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_REFERER’. Discarded.
01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_UA’. Discarded.
01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_MIME’. Discarded.
01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_URL’. Discarded.
01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_RET_CODE’. Discarded.
01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_REFERER’. Discarded.
01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_UA’. Discarded.
01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_MIME’. Discarded.
01/Dec/2012 09:57:34 [plugin.c:800] 0 plugin(s) enabled
01/Dec/2012 09:57:34 [nprobe.c:3510] Using packet capture length 128
01/Dec/2012 09:57:34 [nprobe.c:4937] Flows ASs will not be computed (missing GeoIP support)
01/Dec/2012 09:57:34 [nprobe.c:5013] Capturing packets from interface eth1
Can you help me please on this?
BR,
Denis
Hello Denis,
You’re missing the HTTP plugin which is why you’re getting all of these errors. I see that there’s a support case open with you on this. Someone will be contacting you directly in regards to this.
– Paul
You are right 🙂
I got an answer from ntop, and they said that we don’t order this plugin.
Thanks
Denis