06-19-2012 08:34 AM
Hi all,
Does anyone have experience feeding NTop via NetFlow from their PA firewalls? I have it setup and sending flows but NTop sees all of the received flows as either "Flows with zero byte count" or "Flows with zero packet count" and discards them. Perhaps someone knows a fix for this?
Thanks,
Chris
07-04-2012 11:02 AM
I think the problem is that NTOP doesn't understand the PANOS field types. I have opened a bug with Luca (the NTOP dev.), and provided some NF pcaps, but I don't think he has had time to work on it.
-Scott
07-04-2012 12:58 PM
I have seen similar issues with Orion Netflow Analyzer which was due to the mismatching fields.
Please find a related Bug .
Bug Severity Issue Impact Root Cause Target Release
| 36257 | Critical | 4.1.1 | Some data being sent to Netflow connector is in the wrong format. | Incomplete data received in collector. | Issue resolved with the direction of the packet flow. | 4.1.7, 5.0.0 |
Refer:
https://live.paloaltonetworks.com/docs/DOC-1982
Regads,
Ameya
11-17-2012 11:05 AM
Hi all,
i also have this issue , using Ubuntu 12.04 ntop version (4.1) and PA-500 device using Pan OS 5.0.0.
upgraded to latest ntop didn't resolve the issue.
After doing some checking of the netflow packets send by PA-500 device , and source code of the netflow plugin
i noticed that ntop netflow plugin expects that packet size = 4 bytes , but PA-500 sends a size of 8 bytes.
if patched the ntop netflow plugin plugins/netflowPlugin.c , line 1721 like this
case 1: /* IN_BYTES */
if(fields[fieldId].fieldLen == 😎 {
/* PA devices uses 8 for size, ignore first 4 bytes) */
memcpy(&record.rcvdOctets, &buffer[displ+4], 4)
} else {
memcpy(&record.rcvdOctets, &buffer[displ], 4);
}
you can view original code at https://svn.ntop.org/svn/ntop/trunk/ntop/plugins/netflowPlugin.c
rebuild debian package, and now it reporting correctly all flows.
Luc
11-18-2012 11:19 AM
Just an FYI, Luca, the ntop developer put your changes in the latest SVN.
if(fields[fieldId].fieldLen == 😎 {
/*
PaloAlto devices uses 8 for size, ignore first 4 bytes)
Courtesy of Luc Willems <luc.willems@it4y.eu>
*/
memcpy(&record.rcvdOctets, &buffer[displ+4], 4);
} else
memcpy(&record.rcvdOctets, &buffer[displ], 4);
-Scott
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
