Hello all, we’ve been getting a lot of questions lately on how to configure nProbe and what the recommended nProbe configurations are, so I’ve put together some sample nProbe configurations to help set up your Linux nProbe.

Let’s dive right in; this guide is for nProbe v6.13 or greater and it’s recommended to use the Linux nProbe. One of the configuration parameters on the nProbe has changed to better support traffic direction on the nProbe, so be aware that this configuration is different and will not work with any prior versions of nProbe. The -1 switch will allow you to specify multiple subnets and which interface they are associated with; they should be ordered from the most specific to the least specific subnet.

Example: -1 “[email protected],[email protected],[email protected]” this will send all traffic on subnet to interface 1, to interface 2 and all other traffic to interface 3.
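A way to check a -1 list before starting nProbe, as an added example that is not from the original post or from nProbe itself. It assumes each entry is written subnet/prefix@interface-index and that the first matching entry wins (implied by the ordering rule above); the subnets are constructed samples. It reports entries hidden behind an earlier, broader subnet and prints the list reordered from most to least specific.

```python
import ipaddress

# Constructed sample: broadest subnet listed first, which is the wrong order.
BAD_SPEC = "0.0.0.0/0@3,10.1.0.0/16@2,10.1.1.0/24@1"

def parse_if_networks(spec):
    """Split 'subnet/prefix@ifindex,...' (assumed syntax) into ordered pairs."""
    entries = []
    for item in spec.split(","):
        net, sep, idx = item.strip().partition("@")
        if not sep:
            raise ValueError(f"missing '@interface' in {item!r}")
        # strict=True rejects typos such as 10.1.1.5/24 (host bits set)
        entries.append((ipaddress.ip_network(net, strict=True), int(idx)))
    return entries

def shadowed(entries):
    """Entries that can never match because an earlier subnet already covers them."""
    hits = []
    for pos, (net, idx) in enumerate(entries):
        for earlier, _ in entries[:pos]:
            if net.version == earlier.version and net.subnet_of(earlier):
                hits.append((str(net), idx, str(earlier)))
                break
    return hits

def most_specific_first(entries):
    """Reorder as the post recommends: longest prefix first (stable sort)."""
    return sorted(entries, key=lambda e: e[0].prefixlen, reverse=True)

def interface_for(entries, ip):
    """First-match lookup (assumed nProbe behaviour, implied by the ordering rule)."""
    addr = ipaddress.ip_address(ip)
    for net, idx in entries:
        if addr.version == net.version and addr in net:
            return idx
    return None

def to_spec(entries):
    """Render the entries back into the comma-separated -1 argument."""
    return ",".join(f"{net}@{idx}" for net, idx in entries)

if __name__ == "__main__":
    bad = parse_if_networks(BAD_SPEC)
    for net, idx, earlier in shadowed(bad):
        print(f"{net}@{idx} never matches: covered by earlier {earlier}")
    good = most_specific_first(bad)
    print("10.1.1.7 ->", interface_for(bad, "10.1.1.7"), "as written,",
          interface_for(good, "10.1.1.7"), "after reordering")
    print('-1 "' + to_spec(good) + '"')
```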

In all of the following recommended nProbe templates, you will need to change the following switches to match your configuration: -n, -i, -1.  You can find more detail about these switches in the nProbe user guide.

nProbe NetFlow v5 Template

This is the most basic nProbe NetFlow export.

./nprobe -a -n -i eth0 -t 60 -d 15 -1 "[email protected],[email protected],[email protected]" -V 5 -G

nProbe IPFIX Templates with Client, Server, Application Latency, MAC addresses, and HTTP URLs.

This is the recommended and most efficient setup for the nProbe to process latency, MAC addresses and HTTP URLs. This setup will run three nProbe processes from one machine, where each nProbe daemon will process only the necessary data (e.g. HTTP URL information will only be processed for traffic on port 80). This helps speed up processing time and will reduce the amount of disk space required to store the nProbe data. You MUST run all three of the following nProbe processes for this setup to work properly.

./nprobe -E "0:1" -f "!tcp" -a -n -i eth0 -u 1 -Q 2 -t 60 -d 15 -1 "[email protected],[email protected],[email protected]" -V 10 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %L4_DST_PORT %L4_SRC_PORT %IN_BYTES %FLOW_START_MILLISECONDS %FLOW_END_MILLISECONDS %PROTOCOL %IPV4_SRC_MASK %IPV4_DST_MASK %IN_SRC_MAC %OUT_DST_MAC" -G

./nprobe -E "0:2" -f "tcp and !(port 80)" -a -n -i eth0 -u 1 -Q 2 -t 60 -d 15 -1 "[email protected],[email protected],[email protected]" -V 10 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %L4_DST_PORT %L4_SRC_PORT %IN_BYTES %FLOW_START_MILLISECONDS %FLOW_END_MILLISECONDS %PROTOCOL %IPV4_SRC_MASK %IPV4_DST_MASK %IN_SRC_MAC %OUT_DST_MAC %TCP_FLAGS %CLIENT_NW_DELAY_MS %SERVER_NW_DELAY_MS %APPL_LATENCY_MS" -G


Our NetFlow and sFlow analyzer’s ability to receive and process multiple NetFlow templates is another reason why it’s a best-at-NetFlow solution.

Paul Dube
