I installed the latest ntopng pkg on FW2 on 2.2 and have a question. (after having issues with garbled text on RRD graphs on ntop, otherwise I would have stuck with that I think)
I have installed softflowd on another 2.2 (FW1) that has it enabled on 4-5 interfaces to produce flows. First: softflowd refused to start when I enabled all local interfaces but after having deselected a few it started. Possibly a bug or limitation it seems.
As I understand it pfflowd can not send flows from many interfaces at once?
Now, when I look in ntopng at FW2 it seems to only show flows where it has local interfaces (2) and not all flows that are produced from FW1.
I actually looked in flows from packet dumps from FW1 and indeed there is info from other interfaces in those flows being sent to FW2.
Why is not all flow data shown in ntopng?
I removed the LAN interface from the ntopng service config on FW2 and all flows corresponding to IPs on that network seem to disappear from the ntopng GUI.
This setting only tells ntopng where to listen for flows, right?
Why does it then not show all flows being present in the flow data coming in on the enabled interface?
I also noticed that there are very few settings present in the GUI, at least compared to ntop.
I'm starting to think that ntopng doesn't receive or handle some remote Netflows at all… I see no info mentioning settings for the local port etc. I don't see any info in the package listing about it not receiving probes though, it actually says "It sports a NetFlow/sFlow emitter/collector".
Since many use centralized systems for stuff like syslog and Netflow handling I suspect the above should be easy to answer for you, let me know if I need to supply any more details.
Using: 2.2-RELEASE (i386)
I see there are no answers to my questions on ntop/ng, I'll post some updated info on the topic to see if someone recognizes anything.
I have installed a new virtual pfS 2.2.2 ("FW2") and installed softflowd on "FW1". FW2 only has one interface, WAN and some ports are opened on WAN side.
FW2 is placed on a special network dedicated to NMS systems, logging etc.
On FW1 in softflowd I have enabled some interfaces and on FW2 the WAN interface (not loopback). No timeout values set.
After having run this for a few days it seems the ntopng GUI works well and it looks good and all that, but as earlier noted not all speaking hosts are present in the statistics.
I have a number of other networks in FW1 and nothing from them is seen in ntopng on FW2.
I have checked with Wireshark inside the flow data actually being received by FW2 from FW1 and they indeed do contain flow info from other interfaces on FW1.
The exported flows are in version 9.
I downloaded a 2 GB file online and that traffic never shows up in ntopng for the host in question.
In ntopng settings there's an option to save historical data, I guess this relates to data being available through the "Historical" interface in ntopng GUI?
How do I manage how many days worth of data is saved? An earlier installation filled up the entire disk of that system and I'd like to be able to manage this in a balanced manner.
Isn't there a setting somewhere to tell ntopng what networks to collect info for? I think there were some settings of that kind in the ntop GUI.
What am I missing?