nProbe Remote Packet Capture

Previously, we covered the basic configuration of nProbe and nTop to visualize and forward NetFlow data from a remote exporter. 

In this article, we will configure nProbe to collect traffic on the wire and forward it to nTop for visualization, as well as export NetFlow of its own to a remote collector.

Collecting Traffic over the Wire

In the nBox UI, navigate to "Applications > nProbe" and then select the interface you wish to capture on from the sub-menu.


From this page, there are three parameters we are interested in. 

1) Collectors IP 

If you want nProbe to export NetFlow based on the traffic it sees on the wire, configure the address of your remote collector here.


2) ZMQ Endpoint

This is the address that nProbe will listen on. nTop will connect to this address to retrieve information from nProbe.  

In this example, we listen on all interfaces. 


3) Flow Export Format

Finally, if you configured a remote NetFlow collector in step one, select the format of the NetFlow export.


Now that the interface parameters have been set, we can navigate back to the "status" tab and enable nProbe on that interface.


Visualizing the Traffic with nTop

Once nProbe has been configured and started, we can start visualizing the traffic with nTop.

In the nBox UI, navigate to "Applications > ntopng", and select the "Set Configuration" tab.


1) Interfaces

nTop can either act as a stand-alone capture system, or as a head-end for nProbe. 
Since we are receiving remote traffic from nProbe, we will select "Collector Only" from the interface list. 

 

2) Collector Endpoint

This is the address and port of the nProbe ZMQ endpoint we configured previously. 
Our nProbe's IP address is 192.168.10.100.



Once this configuration is complete, restart nTop, and navigate to its Web UI.
You will now see the traffic captured by the remote nProbe machine displayed there.
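As an added example (not from the original article or from ntop), this pre-flight check compares the nProbe ZMQ Endpoint with the ntopng Collector Endpoint and flags the listen-on-all-interfaces setting used above. The `tcp://host:port` endpoint syntax and port 5556 are assumptions, since the article does not show them, and the function names are hypothetical.

```python
import socket

WILDCARD_HOSTS = {"*", "0.0.0.0", "::"}  # "listen on all interfaces"

def parse_endpoint(endpoint):
    """Split a ZMQ TCP endpoint such as tcp://*:5556 into (host, port)."""
    scheme, sep, rest = endpoint.strip().partition("://")
    host, colon, port = rest.rpartition(":")
    if scheme != "tcp" or not sep or not colon or not host or not port.isdigit():
        raise ValueError(f"not a tcp://host:port endpoint: {endpoint!r}")
    return host.strip("[]"), int(port)

def check_pair(nprobe_bind, ntopng_collector):
    """Compare nProbe's ZMQ Endpoint with ntopng's Collector Endpoint."""
    bind_host, bind_port = parse_endpoint(nprobe_bind)
    coll_host, coll_port = parse_endpoint(ntopng_collector)
    findings = []
    if coll_host in WILDCARD_HOSTS:
        findings.append("collector endpoint must name the nProbe host, not a wildcard")
    if coll_port != bind_port:
        findings.append(f"port mismatch: nProbe listens on {bind_port}, ntopng connects to {coll_port}")
    if bind_host in WILDCARD_HOSTS:
        findings.append(f"nProbe listens on all interfaces: limit access to port {bind_port} to the ntopng host")
    elif coll_host not in WILDCARD_HOSTS and bind_host != coll_host:
        findings.append(f"nProbe binds {bind_host} but ntopng connects to {coll_host}")
    return findings

def reachable(endpoint, timeout=2.0):
    """True if a TCP connection to the endpoint succeeds (run on the ntopng host)."""
    host, port = parse_endpoint(endpoint)
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    # Constructed sample values: the IP is the article's nProbe address,
    # port 5556 is an assumption (the article does not state the port).
    bind, collector = "tcp://*:5556", "tcp://192.168.10.100:5556"
    for finding in check_pair(bind, collector):
        print("NOTE:", finding)
    print("reachable:", reachable(collector))
```

Run it on the ntopng host before restarting ntopng; an unreachable endpoint usually means nProbe is not enabled on the interface or a firewall sits between the two machines.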
