ntopng showing no IPv6 traffic flows/IPs/etc using IPFIX #1906

Closed
jforman opened this Issue Aug 9, 2018 · 2 comments

jforman commented Aug 9, 2018

I've recently spun up IPv6 connectivity on one of my subnets at home through a tunnel broker, and wished to use nprobe/ntopng to dig into traffic flows and learn some things. I set up a flow exporter on my firewall/router to send traffic to an nprobe collector on another internal host, to be viewed via ntopng. The problem is, nowhere in the ntopng UI does it show any IPv6 flows/traffic. Every IP/flow/etc is IPv4. I must be missing something in my configuration....

OpenBSD 6.3 is exporting data (as my firewall/router):
$ cat /etc/hostname.pflow0
flowsrc 10.10.2.1 flowdst flow1:3001 pflowproto 10

nprobe on flow1 host:
nprobe --zmq "tcp://*:5556" --collector-port 3001 --collector none --interface none --flow-version 10

ntopng on flow1 host config:
root@flow1:~# grep -v ^# /etc/ntopng/ntopng.conf
--community
-G=/var/run/ntopng.pid
--interface="tcp://127.0.0.1:5556"
--local-networks="10.10.0.0/16,2001:470:88f8::/48"
--dns-mode=1

Versions:
ntopng Community Edition v.3.5.180808
nprobe: v.8.5.180808 ($Revision: 6242 $)

jforman commented Aug 9, 2018

It seems the template via -T was not defined, and from reading ntop/nProbe#169, I was able to get it working. Why doesn't this work by default? Are there different forms of templates?

Member

simonemainardi commented Aug 10, 2018

We use a conservative approach and leave the default templates as small as possible, to avoid exporting fields default users don't care about. This is not a loss in generality as templates are fully customizable and any advanced user can tailor them to fit his/her needs.

In the case of IPFIX the default template is IPv4 only and contains the following fields and this explains why you were not seeing IPv6:

"%IPV4_SRC_ADDR %IPV4_DST_ADDR %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %IN_BYTES %FLOW_START_MILLISECONDS %FLOW_END_MILLISECONDS %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL %SRC_TOS %SRC_AS %DST_AS"
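The visibility gap discussed in this thread can be checked before deployment. The following is an added example, not code from ntop or from either commenter: it cross-checks an nprobe command line against ntopng's `--local-networks` value and reports networks whose address family the template cannot carry. It assumes the default template quoted above applies whenever `-T` is absent; `%IPV6_SRC_ADDR` and `%IPV6_DST_ADDR` are nProbe template fields not quoted on this page, and the function names are hypothetical.

```python
import ipaddress
import shlex

# Default IPFIX template, copied from the maintainer's comment in this thread.
DEFAULT_IPFIX_TEMPLATE = (
    "%IPV4_SRC_ADDR %IPV4_DST_ADDR %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %IN_BYTES "
    "%FLOW_START_MILLISECONDS %FLOW_END_MILLISECONDS %L4_SRC_PORT %L4_DST_PORT "
    "%TCP_FLAGS %PROTOCOL %SRC_TOS %SRC_AS %DST_AS"
)
# Address fields a template needs per IP version. The IPv6 names are nProbe
# template fields that are not quoted on this page.
ADDR_FIELDS = {
    4: {"%IPV4_SRC_ADDR", "%IPV4_DST_ADDR"},
    6: {"%IPV6_SRC_ADDR", "%IPV6_DST_ADDR"},
}

def effective_template(nprobe_cmdline):
    """Return the -T value, or the default template when -T is absent
    (assumption: the IPFIX default quoted above applies)."""
    args = shlex.split(nprobe_cmdline)
    for i, arg in enumerate(args):
        if arg == "-T":
            if i + 1 >= len(args):
                raise ValueError("-T given without a template string")
            return args[i + 1]
    return DEFAULT_IPFIX_TEMPLATE

def missing_address_fields(nprobe_cmdline):
    """Map IP version -> sorted address fields absent from the template."""
    fields = set(effective_template(nprobe_cmdline).split())
    return {v: sorted(need - fields)
            for v, need in ADDR_FIELDS.items() if need - fields}

def blind_spots(nprobe_cmdline, local_networks):
    """List (network, missing fields) for each ntopng --local-networks entry
    whose IP version the nprobe template cannot carry."""
    missing = missing_address_fields(nprobe_cmdline)
    result = []
    for net in (n.strip() for n in local_networks.split(",")):
        version = ipaddress.ip_network(net).version
        if version in missing:
            result.append((net, missing[version]))
    return result

if __name__ == "__main__":
    cmd = ('nprobe --zmq "tcp://*:5556" --collector-port 3001 '
           '--collector none --interface none --flow-version 10')
    for net, fields in blind_spots(cmd, "10.10.0.0/16,2001:470:88f8::/48"):
        print(f"{net}: no flows visible, template lacks {' '.join(fields)}")
```

Run against the command line and `--local-networks` value posted in the issue, it flags only the `2001:470:88f8::/48` network; a `-T` template that lists both address families returns no findings.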