NTop NetFlow


L1 Bithead

Hi all,

Does anyone have experience feeding NTop via NetFlow from their PA firewalls? I have it set up and sending flows, but NTop sees all of the received flows as either "Flows with zero byte count" or "Flows with zero packet count" and discards them. Perhaps someone knows a fix for this?

Thanks,

Chris

5 REPLIES

Not applicable

Hi Chris,

I have exactly the same behavior using the ntop x86_64-apple-darwin11.4.0. Could you solve that?

Thanks,

Denis D'Amico

L2 Linker

I think the problem is that NTOP doesn't understand the PANOS field types. I have opened a bug with Luca (the NTOP dev.), and provided some NF pcaps, but I don't think he has had time to work on it.

-Scott

L5 Sessionator

I have seen similar issues with Orion Netflow Analyzer which was due to the mismatching fields.

Please find a related Bug.

Bug   | Severity | Issue                                                                     | Impact                                  | Root Cause                                            | Target Release
36257 | Critical | 4.1.1 Some data being sent to Netflow connector is in the wrong format. | Incomplete data received in collector. | Issue resolved with the direction of the packet flow. | 4.1.7, 5.0.0

Refer:

https://live.paloaltonetworks.com/docs/DOC-1982

Regards,

Ameya

Hi all,

I also have this issue, using Ubuntu 12.04 ntop version (4.1) and a PA-500 device using PAN-OS 5.0.0.

Upgrading to the latest ntop didn't resolve the issue.

After doing some checking of the netflow packets sent by the PA-500 device, and of the source code of the netflow plugin, I noticed that the ntop netflow plugin expects that the packet size = 4 bytes, but the PA-500 sends a size of 8 bytes.

I patched the ntop netflow plugin plugins/netflowPlugin.c, line 1721, like this:

case 1: /* IN_BYTES */
  if(fields[fieldId].fieldLen == 8) {
    /* PA devices use 8 for size, ignore first 4 bytes */
    memcpy(&record.rcvdOctets, &buffer[displ+4], 4);
  } else {
    memcpy(&record.rcvdOctets, &buffer[displ], 4);
  }

You can view the original code at https://svn.ntop.org/svn/ntop/trunk/ntop/plugins/netflowPlugin.c

I rebuilt the Debian package, and now it reports all flows correctly.

Luc

Just an FYI, Luca, the ntop developer, put your changes in the latest SVN.

if(fields[fieldId].fieldLen == 8) {
  /*
     PaloAlto devices uses 8 for size, ignore first 4 bytes)
     Courtesy of Luc Willems <luc.willems@it4y.eu>
   */
  memcpy(&record.rcvdOctets, &buffer[displ+4], 4);
} else
  memcpy(&record.rcvdOctets, &buffer[displ], 4);

-Scott
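As an added illustration of the root cause discussed in Luc's and Scott's posts (this is example code written for this page, not ntop's plugin code): a NetFlow v9 collector must read each field with the length the exporter's template declares rather than a hard-coded size. Counters are sent in network byte order, so when a collector copies only the first 4 bytes of an 8-byte IN_BYTES field it gets the high-order half, which is zero for any realistic flow, and the flow is then dropped as a "zero byte count" flow. The template and record below are constructed, not a real PA-500 capture; the 8-byte length for IN_PKTS is an assumption (the thread only reports it for IN_BYTES), and the field type numbers are the standard NetFlow v9 ones.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Standard NetFlow v9 field types used in this example. */
enum { NF9_IN_BYTES = 1, NF9_IN_PKTS = 2, NF9_IPV4_SRC_ADDR = 8, NF9_IPV4_DST_ADDR = 12 };

/* One entry of a NetFlow v9 template: field type and length in bytes. */
typedef struct { uint16_t type; uint16_t len; } nf9_field_spec;

/* Decode a big-endian unsigned integer of 1, 2, 4 or 8 bytes (the encoding
   NetFlow v9 uses for counters). Other lengths are rejected and yield 0. */
static uint64_t nf_read_uint(const uint8_t *p, size_t len) {
    uint64_t v = 0;
    if (len != 1 && len != 2 && len != 4 && len != 8) return 0;
    for (size_t i = 0; i < len; i++) v = (v << 8) | p[i];
    return v;
}

/* Walk one data record according to its template. The displacement always
   advances by the template's declared length. When assume_4_byte_counters is
   non-zero, IN_BYTES/IN_PKTS are read as 4-byte values regardless of the
   template, reproducing the behaviour reported in the thread.
   Returns 0 on success, -1 if the record is shorter than the template. */
static int nf9_parse_record(const nf9_field_spec *tmpl, size_t nfields,
                            const uint8_t *rec, size_t rec_len,
                            int assume_4_byte_counters,
                            uint64_t *in_bytes, uint64_t *in_pkts) {
    size_t displ = 0;
    *in_bytes = 0;
    *in_pkts = 0;
    for (size_t i = 0; i < nfields; i++) {
        size_t len = tmpl[i].len;
        size_t read_len = assume_4_byte_counters ? 4 : len;
        if (displ + len > rec_len || displ + read_len > rec_len) return -1; /* truncated */
        switch (tmpl[i].type) {
        case NF9_IN_BYTES: *in_bytes = nf_read_uint(rec + displ, read_len); break;
        case NF9_IN_PKTS:  *in_pkts  = nf_read_uint(rec + displ, read_len); break;
        default: break;                 /* addresses etc. are skipped here */
        }
        displ += len;                   /* always the template's length */
    }
    return 0;
}

/* Constructed sample: a template announcing 8-byte counters (an assumption
   for IN_PKTS), followed by one record: 1500 bytes, 10 packets,
   10.0.0.1 -> 10.0.0.2. */
static const nf9_field_spec sample_template[] = {
    { NF9_IN_BYTES, 8 }, { NF9_IN_PKTS, 8 }, { NF9_IPV4_SRC_ADDR, 4 }, { NF9_IPV4_DST_ADDR, 4 },
};
static const uint8_t sample_record[24] = {
    0, 0, 0, 0, 0, 0, 0x05, 0xDC,   /* IN_BYTES = 1500, high 32 bits are zero */
    0, 0, 0, 0, 0, 0, 0, 10,        /* IN_PKTS  = 10 */
    10, 0, 0, 1,                    /* IPV4_SRC_ADDR */
    10, 0, 0, 2,                    /* IPV4_DST_ADDR */
};
#define SAMPLE_NFIELDS (sizeof sample_template / sizeof sample_template[0])

/* Wrappers that parse the sample record both ways; (uint64_t)-1 signals a parse error. */
static uint64_t sample_in_bytes(int assume_4_byte_counters) {
    uint64_t b, p;
    if (nf9_parse_record(sample_template, SAMPLE_NFIELDS, sample_record, sizeof sample_record,
                         assume_4_byte_counters, &b, &p) != 0) return (uint64_t)-1;
    return b;
}
static uint64_t sample_in_pkts(int assume_4_byte_counters) {
    uint64_t b, p;
    if (nf9_parse_record(sample_template, SAMPLE_NFIELDS, sample_record, sizeof sample_record,
                         assume_4_byte_counters, &b, &p) != 0) return (uint64_t)-1;
    return p;
}

int main(void) {
    printf("hard-coded 4-byte read: bytes=%llu pkts=%llu (flow would be discarded)\n",
           (unsigned long long)sample_in_bytes(1), (unsigned long long)sample_in_pkts(1));
    printf("template-driven read:   bytes=%llu pkts=%llu\n",
           (unsigned long long)sample_in_bytes(0), (unsigned long long)sample_in_pkts(0));
    return 0;
}
```

Luc's patch special-cases fieldLen == 8 by skipping the first four bytes, which is correct as long as the counter fits in 32 bits; reading the full declared length, as above, also keeps counters above 4 GB intact and avoids the bounds problem a fixed-size copy has when the template declares a shorter field.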
