
Mailing List Archive: NTop: Users

Ntop 4.03 - netflow from Cisco ASA isn't displayed

 

 



C.Krueger at gmx

Jul 27, 2011, 9:43 AM

Post #1 of 9 (1296 views)
Ntop 4.03 - netflow from Cisco ASA isn't displayed

Hi,

I don't see any traffic, hosts, etc.

-I set up ntop 4.03 on Ubuntu 10.04 according to
http://blog.dinotools.de/2010/12/20/ntop-4-unter-ubuntu-10-04-selbst-compilieren-und-installieren
(German build instructions for 4.03 on Ubuntu)

-I set up my Cisco according to:
https://supportforums.cisco.com/docs/DOC-6114

-Configured the netflow plugin

-Status
Listening on [NetFlow-device.2] for all packets (i.e. without a filtering expression)
Web reports include only interface "NetFlow-device.2"

-NetFlow Statistics
Packets Received 115
Packets with Bad Version 0
Packets Processed 115
Valid Flows Received 466
Average Number of Flows per Packet 8.1
V1 Flows Received 0
V5 Flows Received 0
V7 Flows Received 0
V9 Data Flows Received 466
V9 Option Flows Received 0
Total V9 Templates Received 1

Ideas what's wrong?

greetings
Carsten

PS: I also tried svn trunk, no difference.

_______________________________________________
Ntop mailing list
Ntop [at] listgateway
http://listgateway.unipi.it/mailman/listinfo/ntop


Ggatten at waddell

Jul 27, 2011, 9:50 AM

Post #2 of 9 (1252 views)
Re: Ntop 4.03 - netflow from Cisco ASA isn't displayed

You're not looking at pages related to "Network Flows" are you? They have nothing to do with "netflow" and generally aren't used....

Else, your netflow stats look ok. Do you see "any" data at all?



Ggatten at waddell

Jul 27, 2011, 10:36 AM

Post #3 of 9 (1253 views)
Re: Ntop 4.03 - netflow from Cisco ASA isn't displayed

I have not tried the ASA netflow thing, so can't help much. There have been several issues reported with it, that I "thought" were resolved. The template timeout and restarting ntop would have some issues associated with it, but, at some point it should "work". You can "try" to fetch the latest from svn and see if that version works. If not..... Luca will want a packet capture "full length" of the netflow records and template from your ASA. Oh, what version on your ASA? Perhaps Cisco fixed something in later releases?

----- Original Message -----
From: Carsten Krüger [mailto:cakruege [at] gmxpro]
Sent: Wednesday, July 27, 2011 12:13 PM
To: Gary Gatten
Cc: 'ntop [at] unipi' <ntop [at] unipi>
Subject: Re: [Ntop] Ntop 4.03 - netflow from Cisco ASA isn't displayed

Hello Gary,

PS: The problem with no flows received, but packets seems to appear
if ntop is stopped after it is configured on ASA.
If I delete the rules on the ASA while ntop is running and create them
again then ntop shows flows.

Maybe "template timeout rate" on Cisco is the problem, I try to set it
to one minute. My original problem exists still.

greetings
Carsten








C.Krueger at gmx

Jul 27, 2011, 11:33 AM

Post #4 of 9 (1257 views)
Re: Ntop 4.03 - netflow from Cisco ASA isn't displayed

Flows with Zero Byte Count 0
Attachments: netflow.tcpdump (7.54 KB)




C.Krueger at gmx

Jul 27, 2011, 2:27 PM

Post #6 of 9 (1249 views)
Re: Ntop 4.03 - netflow from Cisco ASA isn't displayed

> Flows with Zero Byte Count 0

This was a typo.

All flows are "Flows with Zero Byte Count".
Used the svn version

Flow Senders
Sender Pkts Flows Lost Flows
192.168.121.254:35290 1,222 1,222 0
Packets Received 1,222
Packets with Bad Version 0
Packets Processed 1,222
Valid Flows Received 2,683
Average Number of Flows per Packet 4.4
V1 Flows Received 0
V5 Flows Received 0
V7 Flows Received 0
V9 Data Flows Received 2,683
V9 Option Flows Received 0
Total V9 Templates Received 175

Discarded Flows
Flows with Zero Packet Count 0
Flows with Zero Byte Count 2,683
Flows with Bad Data 0
Flows with Unknown Template 0
Total Number of Flows Processed 0

greetings
Carsten

PS: Wireshark shows the flows correct.
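
Added example (not from the thread and not ntop's code): a minimal NetFlow v9 reader, following the RFC 3954 layout, that replays export packets in arrival order and reports the two conditions discussed above, data FlowSets that arrive before their template and records whose IN_BYTES value is zero or absent. The packets are constructed, and treating a missing IN_BYTES field as a zero byte count is an assumption, not a statement of how ntop counts.

```python
import struct
IN_BYTES = 1  # NetFlow v9 field type of the byte counter (RFC 3954)

def flowset(fs_id, body):  # constructed FlowSet: id, length, body padded to 32 bits
    body += b"\x00" * (-len(body) % 4)
    return struct.pack("!HH", fs_id, 4 + len(body)) + body

def audit(packets):
    """Count templates, undecodable data FlowSets, zero-byte and usable records."""
    known, stats = {}, dict(templates=0, unknown_template=0, zero_bytes=0, usable=0)
    for pkt in packets:
        if len(pkt) < 20 or pkt[:2] != b"\x00\x09":
            continue  # not a NetFlow v9 export packet (20-byte header, version 9)
        source_id, off = struct.unpack_from("!I", pkt, 16)[0], 20
        while off + 4 <= len(pkt):
            fs_id, fs_len = struct.unpack_from("!HH", pkt, off)
            if fs_len < 4 or off + fs_len > len(pkt):
                break  # malformed FlowSet length, stop reading this packet
            body, off, pos = pkt[off + 4:off + fs_len], off + fs_len, 0
            while fs_id == 0 and pos + 4 <= len(body):  # template FlowSet
                tid, n = struct.unpack_from("!HH", body, pos)
                if n == 0 or pos + 4 + 4 * n > len(body):
                    break  # padding or truncated template
                flat = struct.unpack_from(f"!{2 * n}H", body, pos + 4)
                known[source_id, tid] = list(zip(flat[::2], flat[1::2]))
                stats["templates"] += 1
                pos += 4 + 4 * n
            if fs_id < 256:
                continue  # template or options FlowSet, no data records
            fields = known.get((source_id, fs_id), [])
            size = sum(n for _, n in fields)
            if size == 0:
                stats["unknown_template"] += 1  # data arrived before its template
                continue
            for start in range(0, len(body) - size + 1, size):
                value, pos = 0, start
                for ftype, n in fields:
                    if ftype == IN_BYTES:
                        value = int.from_bytes(body[pos:pos + n], "big")
                    pos += n
                stats["usable" if value else "zero_bytes"] += 1
    return stats

def sample_capture():
    """Constructed: template 256 = src, dst, IN_BYTES; template 257 = src, dst only."""
    hdr = lambda count: struct.pack("!HHIIII", 9, count, 0, 0, 1, 0)
    addrs = bytes([10, 0, 0, 1, 10, 0, 0, 2])
    tmpl = flowset(0, struct.pack("!14H", 256, 3, 8, 4, 12, 4, 1, 4, 257, 2, 8, 4, 12, 4))
    rec = flowset(256, addrs + struct.pack("!I", 1500))
    return [hdr(1) + rec, hdr(5) + tmpl + rec + flowset(257, addrs * 2)]
```

`unknown_template` counts FlowSets rather than records, because a data FlowSet cannot be split into records without its template.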



Ggatten at waddell

Jul 27, 2011, 2:44 PM

Post #7 of 9 (1254 views)
Re: Ntop 4.03 - netflow from Cisco ASA isn't displayed

Sorry, I can't help much more... Can you properly view info from other sources, such as data captured from the ntop host nic? I'm trying to determine if ntop is generally working correctly and the problem is only with ASA type flows.

What are your startup args and other custom configs....



deri at ntop

Jul 31, 2011, 8:43 AM

Post #8 of 9 (1202 views)
Re: Ntop 4.03 - netflow from Cisco ASA isn't displayed

Carsten
Can you please share your flows with me (.pcap file, full size)?

Luca


