NetFlow with ntopng and nProbe

There are numerous ways to configure nProbe to work with NetFlow.
In this article we will cover two ways to configure nProbe in proxy mode through the nBox graphical interface, so that we can forward flows either to ntopng or to another collector such as SolarWinds NTA.

nProbe forwarding to ntopng

Configure ntopng

ntopng and nProbe utilize ZeroMQ. This gives us greater control over how our flow data can be distributed to collectors. 

Our first task is to configure an interface for ntopng to listen on.
This will be a connection to a ZeroMQ socket that we will configure nProbe to create in the next step. 

From the nBox UI, navigate to “Applications > ntopng”, and select the configuration tab. 

In this example, we are going to use ntopng only as a NetFlow collector. 
Under Interfaces, we will select “Collector Only”.

We then specify our address for the “Collector Endpoints”. In our case, we have nProbe running on the same machine, so we will be connecting to a socket on localhost. 

Once the changes are saved, we will see this in the list of Interfaces in ntopng.

Configuring nProbe

We must now configure nProbe to listen for incoming NetFlow traffic, decode it, and publish it to ntopng.

In the nBox UI, navigate to “Applications > nProbe”, and select the “Proxy” tab.

Here we configure our “Listening Port”, “ZMQ Endpoint”, and “Flow Export Format”.

The listening port is the port the NetFlow exporter should send its flows to.
In this case, we use 2055.

In the previous step, we configured ntopng to connect to a ZMQ socket on localhost.
We will now instruct nProbe to create this socket by setting the “ZeroMQ Endpoint” to “tcp://127.0.0.1:5556”.

The final step is to configure the “Flow Export Format”.

Here we select the NetFlow version, as well as any fields we want to decode from the flow (IPFIX only).


Once this configuration is saved and the services started, you are ready to start viewing flow data in ntopng.
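To confirm the pipeline end to end without waiting on a real exporter, the added example below (not part of the original article or of ntop's tooling) builds one constructed NetFlow v5 datagram and sends it to the listening port configured above. It assumes nProbe accepts NetFlow v5 on 127.0.0.1:2055; the flow tuple uses documentation addresses and is constructed sample data.

```python
import socket
import struct
import time

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record


def build_v5(flows, seq=0, uptime_ms=60_000, now=None):
    """Pack flows (src, dst, sport, dport, proto, pkts, octets) into one datagram."""
    if not 1 <= len(flows) <= 30:
        raise ValueError("NetFlow v5 carries 1 to 30 records per datagram")
    now = time.time() if now is None else now
    out = [HEADER.pack(5, len(flows), uptime_ms, int(now), 0, seq, 0, 0, 0)]
    for src, dst, sport, dport, proto, pkts, octets in flows:
        out.append(RECORD.pack(
            socket.inet_aton(src), socket.inet_aton(dst), socket.inet_aton("0.0.0.0"),
            0, 0, pkts, octets, uptime_ms - 1000, uptime_ms,  # flow lasted one second
            sport, dport, 0, 0, proto, 0, 0, 0, 0, 0, 0))
    return b"".join(out)


def parse_v5(datagram):
    """Decode a v5 datagram back into the same tuples, rejecting malformed input."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5 or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("not a well-formed NetFlow v5 datagram")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append((socket.inet_ntoa(f[0]), socket.inet_ntoa(f[1]),
                      f[9], f[10], f[13], f[5], f[6]))
    return flows


# Constructed sample flow: one TCP/443 session between documentation addresses.
SAMPLE = [("192.0.2.10", "198.51.100.20", 51514, 443, 6, 12, 3400)]

if __name__ == "__main__":
    # Send to the nProbe listening port from this article (assumed to be local).
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(build_v5(SAMPLE), ("127.0.0.1", 2055))
    print("sent", parse_v5(build_v5(SAMPLE)))
```

If the proxy and the ZMQ interface are wired correctly, the sample flow should show up on the collector interface in ntopng shortly after the script runs.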


nProbe forwarding to remote collector

 There are cases where you may require nProbe to act as a sort of “hub” for collection, such as behind a NAT.

In this scenario, the nProbe configuration is essentially the same as above, with one slight modification.

Instead of specifying a “ZeroMQ Endpoint”, we will specify the address of our remote collector in the “Collector(s) IP” field.



If you’d like to know more, you can reach out to us at sales@TruePathTechnologies.com or check out our webpage: http://truepath.wpengine.com/ntop/
