Hello all, we’ve been getting a lot of questions lately on how to configure nProbe and what the recommended nProbe configurations are, so I’ve put together some sample nProbe configurations to help you set up your Linux nProbe.
Let’s dive right in; this guide is for nProbe v6.13 or greater and it’s recommended to use the Linux nProbe. One of the configuration parameters on the nProbe has changed to better support traffic direction on the nProbe, so be aware that this configuration is different and will not work with any prior versions of nProbe. The -1 switch lets you specify multiple subnets and the interface index each is associated with; entries must be ordered from the most specific to the least specific subnet, since a broader subnet listed first would match (and swallow) the traffic of any narrower subnet listed after it.
Example: -1 "10.1.15.0/24@1,10.1.0.0/16@2,0.0.0.0/0@3" sends all traffic on subnet 10.1.15.0/24 to interface 1, 10.1.0.0/16 to interface 2 and all other traffic to interface 3.
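To show why the ordering of the -1 list matters, here is an added Python example (not part of the post or of nProbe) that parses a -1 style "net/mask@ifidx" string, flags any broader subnet that would shadow a more specific one listed after it, and resolves an address to its interface index. It assumes first-match evaluation, which is the reading the "most specific first" rule implies.

```python
import ipaddress

# Constructed -1 argument, ordered most specific first as the post requires.
SUBNET_MAP = "10.1.15.0/24@1,10.1.0.0/16@2,0.0.0.0/0@3"


def parse_subnet_map(arg):
    """Split an nProbe -1 style 'net/mask@ifidx,...' string into
    (ip_network, interface_index) pairs, preserving the given order."""
    entries = []
    for item in arg.split(","):
        net, idx = item.strip().split("@")
        entries.append((ipaddress.ip_network(net, strict=False), int(idx)))
    return entries


def check_ordering(entries):
    """Return (broader, shadowed) pairs: an earlier subnet that fully
    contains a later one, so under first-match the later entry is never hit.
    An empty list means the list is ordered most specific to least specific."""
    problems = []
    for i, (net_a, _) in enumerate(entries):
        for net_b, _ in entries[i + 1:]:
            if net_b != net_a and net_b.subnet_of(net_a):
                problems.append((str(net_a), str(net_b)))
    return problems


def interface_for(ip, entries):
    """First-match lookup (assumed nProbe semantics): the interface index of
    the first subnet containing ip, or None if no entry matches."""
    addr = ipaddress.ip_address(ip)
    for net, idx in entries:
        if addr in net:
            return idx
    return None


if __name__ == "__main__":
    good = parse_subnet_map(SUBNET_MAP)
    print("ordering problems:", check_ordering(good))        # []
    print("10.1.15.7 ->", interface_for("10.1.15.7", good))   # 1
    # Same subnets, catch-all listed first: every address lands on interface 3.
    bad = parse_subnet_map("0.0.0.0/0@3,10.1.15.0/24@1,10.1.0.0/16@2")
    print("ordering problems:", check_ordering(bad))
```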
In all of the following recommended nProbe templates, you will need to change the following switches to match your configuration: -n, -i, -1. You can find more detail about these switches in the nProbe user guide.
nProbe NetFlow v5 Template
This is the most basic nProbe NetFlow export.
./nprobe -a -n 10.1.7.17:2055 -i eth0 -t 60 -d 15 -1 "10.1.15.0/24@1,10.1.0.0/16@2,0.0.0.0/0@3" -V 5 -G
nProbe IPFIX Templates with Client, Server, Application Latency, MAC addresses, and HTTP URLs
This is the recommended and most efficient setup for the nProbe to process latency, MAC addresses and HTTP URLs. This setup runs three nProbe processes on one machine, each with its own BPF filter so that each daemon processes only the data it needs (e.g. HTTP URL information is only extracted for traffic on port 80). This speeds up processing and reduces the disk space required to store the nProbe data. The three filters (non-TCP, TCP other than port 80, TCP port 80) together cover all traffic, so you MUST run all three of the following nProbe processes for this setup to work properly.
./nprobe -E "0:1" -f "!tcp" -a -n 10.1.7.17:2055 -i eth0 -u 1 -Q 2 -t 60 -d 15 -1 "10.1.15.0/24@1,10.1.0.0/16@2,0.0.0.0/0@3" -V 10 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %L4_DST_PORT %L4_SRC_PORT %IN_BYTES %FLOW_START_MILLISECONDS %FLOW_END_MILLISECONDS %PROTOCOL %IPV4_SRC_MASK %IPV4_DST_MASK %IN_SRC_MAC %OUT_DST_MAC" -G
./nprobe -E "0:2" -f "tcp and !(port 80)" -a -n 10.1.7.17:2055 -i eth0 -u 1 -Q 2 -t 60 -d 15 -1 "10.1.15.0/24@1,10.1.0.0/16@2,0.0.0.0/0@3" -V 10 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %L4_DST_PORT %L4_SRC_PORT %IN_BYTES %FLOW_START_MILLISECONDS %FLOW_END_MILLISECONDS %PROTOCOL %IPV4_SRC_MASK %IPV4_DST_MASK %IN_SRC_MAC %OUT_DST_MAC %TCP_FLAGS %CLIENT_NW_DELAY_MS %SERVER_NW_DELAY_MS %APPL_LATENCY_MS" -G
./nprobe -E "0:3" -f "tcp and port 80" -a -n 10.1.7.17:2055 -i eth0 -u 1 -Q 2 -t 60 -d 15 -1 "10.1.15.0/24@1,10.1.0.0/16@2,0.0.0.0/0@3" -V 10 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %L4_DST_PORT %L4_SRC_PORT %IN_BYTES %FLOW_START_MILLISECONDS %FLOW_END_MILLISECONDS %PROTOCOL %IPV4_SRC_MASK %IPV4_DST_MASK %IN_SRC_MAC %OUT_DST_MAC %TCP_FLAGS %CLIENT_NW_DELAY_MS %SERVER_NW_DELAY_MS %APPL_LATENCY_MS %HTTP_URL %HTTP_RET_CODE %HTTP_REFERER %HTTP_UA %HTTP_MIME" -G
Our NetFlow and sFlow analyzer’s ability to receive and process multiple NetFlow templates is another reason why it’s a best at NetFlow solution.