Hello all, we’ve been getting a lot of questions lately on how to configure nProbe and what the recommended nProbe configurations are, so I’ve put together some sample nProbe configurations to help you set up your Linux nProbe.

Let’s dive right in. This guide is for nProbe v6.13 or greater, and it’s recommended to use the Linux nProbe. One of the nProbe configuration parameters has changed to better support traffic direction, so be aware that this configuration is different and will not work with any prior version of nProbe. The -1 switch lets you specify multiple subnets and the interface id each is associated with; the entries must be ordered from the most specific to the least specific subnet, because the first entry that matches an address is the one that is used.

Example: -1 "10.1.15.0/24@1,10.1.0.0/16@2,0.0.0.0/0@3". This sends all traffic on subnet 10.1.15.0/24 to interface 1, traffic on 10.1.0.0/16 to interface 2, and all other traffic to interface 3.
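Added example (not from the post or from nProbe itself): a small Python checker that parses a -1 value, performs the first-match lookup the ordering rule implies, and flags entries listed in the wrong order. Top-to-bottom first-match evaluation is an assumption drawn from the "most specific first" rule; the -1 value is the post's own example.

```python
import ipaddress

# The post's example -1 value (constructed sample input for this check).
INTERFACE_MAP = "10.1.15.0/24@1,10.1.0.0/16@2,0.0.0.0/0@3"

def parse_interface_map(spec):
    """Parse an nProbe -1 value 'net/mask@ifid,...' into [(network, ifid)]."""
    entries = []
    for item in spec.split(","):
        net, _, ifid = item.strip().partition("@")
        if not ifid:
            raise ValueError(f"missing @interface-id in {item!r}")
        entries.append((ipaddress.ip_network(net, strict=True), int(ifid)))
    return entries

def ordering_problems(entries):
    """Return (earlier, later) pairs where a broader subnet precedes a more
    specific subnet it contains. With first-match lookup (assumed here) the
    later, more specific entry would never be selected."""
    problems = []
    for i, (broad, _) in enumerate(entries):
        for narrow, _ in entries[i + 1:]:
            if narrow != broad and narrow.subnet_of(broad):
                problems.append((str(broad), str(narrow)))
    return problems

def interface_for(addr, entries):
    """First-match lookup of the interface id for one address (None if no match)."""
    ip = ipaddress.ip_address(addr)
    for net, ifid in entries:
        if ip in net:
            return ifid
    return None

if __name__ == "__main__":
    entries = parse_interface_map(INTERFACE_MAP)
    print("ordering problems:", ordering_problems(entries))      # []
    for a in ("10.1.15.7", "10.1.3.9", "192.0.2.5"):
        print(a, "-> interface", interface_for(a, entries))        # 1, 2, 3
    # Reversed order: 0.0.0.0/0 listed first swallows everything.
    bad = parse_interface_map("0.0.0.0/0@3,10.1.0.0/16@2,10.1.15.0/24@1")
    print("ordering problems:", ordering_problems(bad))
```

Run the checker against your own -1 value before starting nProbe; any pair it reports means flows from the more specific subnet will be attributed to the wrong interface.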

In all of the following recommended nProbe templates, you will need to change the following switches to match your configuration: -n, -i and -1. You can find more detail about these switches in the nProbe user guide.

nProbe NetFlow v5 Template

This is the most basic nProbe NetFlow export.

./nprobe -a -n 10.1.7.17:2055 -i eth0 -t 60 -d 15 -1 "10.1.15.0/24@1,10.1.0.0/16@2,0.0.0.0/0@3" -V 5 -G

nProbe IPFIX Templates with Client, Server, Application Latency, MAC addresses, and HTTP URLs.

This is the recommended and most efficient setup for nProbe to process latency, MAC addresses and HTTP URLs. It runs three nProbe processes on one machine, each with a BPF filter so that each daemon processes only the data it needs (for example, HTTP URL information is only processed for port 80 traffic). This speeds up processing and reduces the disk space required to store the nProbe data. The three filters do not overlap and together cover all traffic, so you MUST run all three of the following nProbe processes for this setup to work properly.

./nprobe -E "0:1" -f "!tcp" -a -n 10.1.7.17:2055 -i eth0 -u 1 -Q 2 -t 60 -d 15 -1 "10.1.15.0/24@1,10.1.0.0/16@2,0.0.0.0/0@3" -V 10 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %L4_DST_PORT %L4_SRC_PORT %IN_BYTES %FLOW_START_MILLISECONDS %FLOW_END_MILLISECONDS %PROTOCOL %IPV4_SRC_MASK %IPV4_DST_MASK %IN_SRC_MAC %OUT_DST_MAC" -G

./nprobe -E "0:2" -f "tcp and !(port 80)" -a -n 10.1.7.17:2055 -i eth0 -u 1 -Q 2 -t 60 -d 15 -1 "10.1.15.0/24@1,10.1.0.0/16@2,0.0.0.0/0@3" -V 10 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %L4_DST_PORT %L4_SRC_PORT %IN_BYTES %FLOW_START_MILLISECONDS %FLOW_END_MILLISECONDS %PROTOCOL %IPV4_SRC_MASK %IPV4_DST_MASK %IN_SRC_MAC %OUT_DST_MAC %TCP_FLAGS %CLIENT_NW_DELAY_MS %SERVER_NW_DELAY_MS %APPL_LATENCY_MS" -G

./nprobe -E "0:3" -f "tcp and port 80" -a -n 10.1.7.17:2055 -i eth0 -u 1 -Q 2 -t 60 -d 15 -1 "10.1.15.0/24@1,10.1.0.0/16@2,0.0.0.0/0@3" -V 10 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %L4_DST_PORT %L4_SRC_PORT %IN_BYTES %FLOW_START_MILLISECONDS %FLOW_END_MILLISECONDS %PROTOCOL %IPV4_SRC_MASK %IPV4_DST_MASK %IN_SRC_MAC %OUT_DST_MAC %TCP_FLAGS %CLIENT_NW_DELAY_MS %SERVER_NW_DELAY_MS %APPL_LATENCY_MS %HTTP_URL %HTTP_RET_CODE %HTTP_REFERER %HTTP_UA %HTTP_MIME" -G
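The three command lines above differ only in -E, -f and the tail of -T; everything else must stay identical or the exports will disagree. As an added example (not from the post or from nProbe), this Python launcher builds all three from one set of shared settings so the common switches cannot drift, and can start them together. The collector, interface and -1 map are the post's sample values and are assumed to be replaced with your own.

```python
import shlex
import subprocess

# Shared settings (the post's sample values; change these three for your network).
COLLECTOR = "10.1.7.17:2055"
IFACE = "eth0"
IFMAP = "10.1.15.0/24@1,10.1.0.0/16@2,0.0.0.0/0@3"

# Template fields common to all three daemons, plus the per-daemon extras.
BASE_FIELDS = ("%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP "
               "%IN_PKTS %L4_DST_PORT %L4_SRC_PORT %IN_BYTES %FLOW_START_MILLISECONDS "
               "%FLOW_END_MILLISECONDS %PROTOCOL %IPV4_SRC_MASK %IPV4_DST_MASK "
               "%IN_SRC_MAC %OUT_DST_MAC")
TCP_FIELDS = "%TCP_FLAGS %CLIENT_NW_DELAY_MS %SERVER_NW_DELAY_MS %APPL_LATENCY_MS"
HTTP_FIELDS = "%HTTP_URL %HTTP_RET_CODE %HTTP_REFERER %HTTP_UA %HTTP_MIME"

# (instance id for -E, BPF filter for -f, extra template fields) per daemon.
# The filters are mutually exclusive and together cover all traffic.
INSTANCES = [
    (1, "!tcp", ""),
    (2, "tcp and !(port 80)", TCP_FIELDS),
    (3, "tcp and port 80", f"{TCP_FIELDS} {HTTP_FIELDS}"),
]

def nprobe_argv(instance, bpf, extra_fields, nprobe="./nprobe"):
    """Return the argv list for one daemon; shared switches come from one place."""
    template = BASE_FIELDS + (f" {extra_fields}" if extra_fields else "")
    return [nprobe, "-E", f"0:{instance}", "-f", bpf, "-a", "-n", COLLECTOR,
            "-i", IFACE, "-u", "1", "-Q", "2", "-t", "60", "-d", "15",
            "-1", IFMAP, "-V", "10", "-T", template, "-G"]

def all_commands():
    """The three argv lists, in the same order as the post."""
    return [nprobe_argv(*inst) for inst in INSTANCES]

def launch(dry_run=True):
    """Print each shell-quoted command line; start the daemons unless dry_run."""
    procs = []
    for argv in all_commands():
        print(shlex.join(argv))
        if not dry_run:
            procs.append(subprocess.Popen(argv))
    return procs

if __name__ == "__main__":
    launch(dry_run=True)
```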

Our NetFlow and sFlow analyzer’s ability to receive and process multiple NetFlow templates is another reason why it’s a best-in-class NetFlow solution.

James Lawrence


I currently live in Kennebunk, Maine with my wife and 3 children. When I am not working and going to school full time, I enjoy fishing, camping, and playing video games with my oldest son. I do enjoy working outside and gardening is one of my favorite things to do in the seasons that allow it.

5 comments on “Recommended nProbe Templates”

  1. Hi Paul,

    I actually applied your configuration, but I can see nProbe reports, but I can’t display some info. It seems my plugins are not capturing enough stuff…

    [email protected]:~# nprobe -E "0:3" -f "tcp and port 80" -a -n 192.168.172.1:9999 -i eth1 -t 60 -d 15 -1 "192.168.1.0/[email protected]" -V 10 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %L4_DST_PORT %L4_SRC_PORT %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %PROTOCOL %IPV4_SRC_MASK %IPV4_DST_MASK %IN_SRC_MAC %OUT_DST_MAC %TCP_FLAGS %CLIENT_NW_DELAY_SEC %CLIENT_NW_DELAY_USEC %SERVER_NW_DELAY_SEC %SERVER_NW_DELAY_USEC %APPL_LATENCY_SEC %APPL_LATENCY_USEC %HTTP_URL %HTTP_RET_CODE %HTTP_REFERER %HTTP_UA %HTTP_MIME" -G*
    nprobe: invalid option — ‘*’
    01/Dec/2012 09:57:34 [nprobe.c:2995] WARNING: The output interfaceId is set to 0: did you forget to use -Q perhaps ?
    01/Dec/2012 09:57:34 [nprobe.c:2998] WARNING: The input interfaceId is set to 0: did you forget to use -u perhaps ?
    01/Dec/2012 09:57:34 [nprobe.c:3043] Welcome to nprobe v.6.9.9 ($Revision: 2773 $) for x86_64-unknown-linux-gnu
    01/Dec/2012 09:57:34 [plugin.c:150] No plugins found in ./plugins
    01/Dec/2012 09:57:34 [plugin.c:156] Loading plugins [.so] from /usr/local/lib/nprobe/plugins
    01/Dec/2012 09:57:34 [dbPlugin.c:160] WARNING: DB support is not enabled (disabled at compile time)
    01/Dec/2012 09:57:34 [nprobe.c:4722] Welcome to nprobe v.6.9.9 for x86_64-unknown-linux-gnu
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_URL’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_RET_CODE’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_REFERER’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_UA’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_MIME’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_URL’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_RET_CODE’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_REFERER’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_UA’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_MIME’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_URL’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_RET_CODE’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_REFERER’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_UA’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_MIME’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_URL’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_RET_CODE’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_REFERER’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_UA’. Discarded.
    01/Dec/2012 09:57:34 [template.c:1196] WARNING: Unable to locate template ‘HTTP_MIME’. Discarded.
    01/Dec/2012 09:57:34 [plugin.c:800] 0 plugin(s) enabled
    01/Dec/2012 09:57:34 [nprobe.c:3510] Using packet capture length 128
    01/Dec/2012 09:57:34 [nprobe.c:4937] Flows ASs will not be computed (missing GeoIP support)
    01/Dec/2012 09:57:34 [nprobe.c:5013] Capturing packets from interface eth1

    Can you help me please on this?

    BR,

    Denis

  2. Hello Denis,

    You’re missing the HTTP plugin which is why you’re getting all of these errors. I see that there’s a support case open with you on this. Someone will be contacting you directly in regards to this.

    – Paul