Page 3 of 4
Re: Is possible monitor the source of the network from a dev
Posted: Fri Oct 30, 2015 7:50 am
by eloyd
Also, despite the fact that NNA is accepting data, it can take a few minutes (or more) for it to show up in the dashboards as traffic. You should still be able to query for data though and return results.
Re: Is possible monitor the source of the network from a dev
Posted: Fri Oct 30, 2015 1:19 pm
by tgriep
xerez, did you get the fprobe software to run on the Linux host?
Try running the following on that system as root and see if it runs and starts sending data to the NA server.
Replace xxx.xxx.xxx.xxx with the IP address of the NA server.
Re: Is possible monitor the source of the network from a dev
Posted: Tue Nov 03, 2015 8:12 am
by xerez
jdalrymple wrote:I suspect that your fprobe installation just straight up failed.
If there isn't a file in there called fprobe that is executable you need to re-run the installation and show us the output if it fails again.
Code: Select all
[user@linux ~]$ ls -l /usr/local/sbin/
total 92
-rwxr-xr-x. 1 root root 93417 Oct 29 12:58 fprobe
tgriep wrote:xerez, did you get the fprobe software to run on the Linux host?
Try running the following on that system as root and see if it runs and starts sending data to the NA server.
Replace xxx.xxx.xxx.xxx with the IP address of the NA server.
Code: Select all
[root@linux user]# fprobe 192.168.10.99:2055
[root@linux user]#
However in the interface I still see "No Data Available" and "There is no data available for the currently selected time period."
Another question: if I stop the VM (NNA) and resume it again the next day, can it happen that it doesn't get any more data from the machines? Because today it isn't getting data from the Windows machine again. I even tried to restart NNA, but nothing.
Re: Is possible monitor the source of the network from a dev
Posted: Tue Nov 03, 2015 2:30 pm
by tgriep
Try and restart the flow service on the windows system to see if it starts to send data to the NA server. Maybe it stopped sending when the NA server was off.
On the NA server, can you run the following and post back the output?
Run the tcpdump command below for about 10 minutes on the NA server to see if it captures any data from the Linux System. Post the output here.
Re: Is possible monitor the source of the network from a dev
Posted: Wed Nov 04, 2015 6:13 am
by xerez
tgriep wrote:Try and restart the flow service on the windows system to see if it starts to send data to the NA server. Maybe it stopped sending when the NA server was off.
If, after resuming the NNA VM, I restart the "flowExportService" service on Windows, NNA gets data again.
tgriep wrote:On the NA server, can you run the following and post back the output?
Code: Select all
[root@localhost ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2055
2 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2001
3 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2001
4 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2000
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
[root@localhost ~]#
tgriep wrote:Run the tcpdump command below for about 10 minutes on the NA server to see if it captures any data from the Linux System. Post the output here.
Code: Select all
[root@localhost ~]# tcpdump -i eth0 port 2055
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
2 packets received by filter
0 packets dropped by kernel
[root@localhost ~]#
Re: Is possible monitor the source of the network from a dev
Posted: Wed Nov 04, 2015 5:16 pm
by jdalrymple
`grep fprobe /var/log/messages`
Re: the Windows problem, try restarting 1 thing at a time. Next time try the Windows service without restarting NNA. NNA is typically very stable and doesn't require restarting.
Re: Is possible monitor the source of the network from a dev
Posted: Thu Nov 05, 2015 3:35 am
by xerez
jdalrymple wrote:`grep fprobe /var/log/messages`
Re: the Windows problem, try restarting 1 thing at a time. Next time try the Windows service without restarting NNA. NNA is typically very stable and doesn't require restarting.
Code: Select all
[root@linux user]# grep fprobe /var/log/messages
Nov 3 14:03:28 linux fprobe[10228]: [CRIT]: Uknown data link type 239. Use -K option.
[root@linux user]#
If I just restart the Windows service, NNA gets data again ("Top 5 Talkers" is still empty). I think the problem is when I pause and resume it, no?
Re: Is possible monitor the source of the network from a dev
Posted: Thu Nov 05, 2015 3:29 pm
by tgriep
Try running the fprobe command on the remote linux system like below and see if the NA server starts to receive data.
This is the explanation of the -K option.
-K <bytes>
Link layer header size. By default fprobe takes this information from libpcap, but sometimes the obtained size is unsuitable for our purpose. This occurs, for example, on trunk interfaces in a VLAN environment, where the link layer header contains an additional VLAN header.
What version of Netflow did you setup on the Windows system? Try setting it to Version 5 to see if that helps.
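As an added example (not code from the original thread, and not part of Nagios Network Analyzer or fprobe), the following is a small NetFlow v5 listener and parser that does the same job as the tcpdump check above but also confirms that what arrives on UDP 2055 is well-formed v5 export data. The header layout (24 bytes) and record layout (48 bytes) are the standard NetFlow v5 formats; the collector port 2055 and the exporter address 192.168.10.5 in the sample packet are assumptions, and the sample packet is constructed by the script itself rather than captured.

```python
#!/usr/bin/env python3
"""Minimal NetFlow v5 listener/parser (illustrative example, not the NA collector)."""
import socket
import struct
from ipaddress import IPv4Address

# Standard NetFlow v5 wire formats (network byte order).
# Header: version, count, SysUptime, unix_secs, unix_nsecs, flow_sequence,
#         engine_type, engine_id, sampling_interval -> 24 bytes
NETFLOW_V5_HEADER = struct.Struct("!HHIIIIBBH")
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, First, Last,
#         srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
#         src_mask, dst_mask, pad2 -> 48 bytes
NETFLOW_V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_netflow_v5(datagram: bytes) -> dict:
    """Parse one NetFlow v5 export datagram; raise ValueError if it is not well-formed v5."""
    if len(datagram) < NETFLOW_V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, _unix_nsecs, flow_sequence,
     _engine_type, _engine_id, _sampling) = NETFLOW_V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow version 5, got {version}")
    expected = NETFLOW_V5_HEADER.size + count * NETFLOW_V5_RECORD.size
    if len(datagram) < expected:
        raise ValueError(f"header announces {count} records but datagram is truncated")
    flows = []
    for i in range(count):
        off = NETFLOW_V5_HEADER.size + i * NETFLOW_V5_RECORD.size
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, _tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = NETFLOW_V5_RECORD.unpack_from(datagram, off)
        flows.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "proto": proto, "sport": sport, "dport": dport,
            "packets": pkts, "bytes": octets,
        })
    return {"version": version, "count": count, "sequence": flow_sequence,
            "uptime_ms": sys_uptime, "unix_secs": unix_secs, "flows": flows}


def build_netflow_v5(flows, sequence=0, unix_secs=1446564000):
    """Build a NetFlow v5 datagram from (src, dst, proto, sport, dport, packets, octets)
    tuples. Only used here to construct sample input; fprobe would emit the real thing."""
    body = b"".join(
        NETFLOW_V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                               b"\0\0\0\0", 0, 0, pkts, octets, 0, 0, sport, dport,
                               0, 0, proto, 0, 0, 0, 0, 0, 0)
        for (src, dst, proto, sport, dport, pkts, octets) in flows)
    header = NETFLOW_V5_HEADER.pack(5, len(flows), 0, unix_secs, 0, sequence, 0, 0, 0)
    return header + body


# Constructed sample: one UDP flow from an assumed Linux exporter (192.168.10.5)
# to the assumed NA server (192.168.10.99), one TCP flow. Not captured traffic.
SAMPLE_EXPORT = build_netflow_v5([
    ("192.168.10.5", "192.168.10.99", 17, 51234, 2055, 3, 300),
    ("10.0.0.1", "10.0.0.2", 6, 443, 40000, 10, 12000),
], sequence=7)


def listen(port=2055, bind="0.0.0.0"):
    """Receive exports on the collector port and print one line per flow.
    Assumed port 2055 matches the iptables rule and fprobe target in the thread."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, (host, _) = sock.recvfrom(65535)
        try:
            pkt = parse_netflow_v5(data)
        except ValueError as exc:
            print(f"{host}: not NetFlow v5 ({exc})")
            continue
        print(f"{host}: seq={pkt['sequence']} records={pkt['count']}")
        for f in pkt["flows"]:
            print(f"  {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} "
                  f"proto={f['proto']} pkts={f['packets']} bytes={f['bytes']}")


if __name__ == "__main__":
    listen()
```

Run it on the NA server while fprobe is started on the Linux host. If the NA collector already holds UDP 2055 the bind will fail, so either stop the collector for the test or bind to a spare port and point fprobe at that port instead. A steady stream of "not NetFlow v5" lines indicates the exporter is sending a different version (for example v9), which is the kind of mismatch the "Version 5" suggestion above is meant to rule out.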
Re: Is possible monitor the source of the network from a dev
Posted: Fri Nov 06, 2015 5:03 am
by xerez
tgriep wrote:Try running the fprobe command on the remote linux system like below and see if the NA server starts to receive data.
This is the explanation of the -K option.
-K <bytes>
Link layer header size. By default fprobe takes this information from libpcap, but sometimes the obtained size is unsuitable for our purpose. This occurs, for example, on trunk interfaces in a VLAN environment, where the link layer header contains an additional VLAN header.
What version of Netflow did you setup on the Windows system? Try setting it to Version 5 to see if that helps.
NNA continues without receiving data.
Sorry, I followed these instructions for Windows:
https://assets.nagios.com/downloads/nag ... alyzer.pdf
So I have installed "Flow Exporter" and not "Netflow".
Re: Is possible monitor the source of the network from a dev
Posted: Fri Nov 06, 2015 3:42 pm
by ssax
So you are not receiving anything still with the tcpdump? Are you sure there's not something in the middle blocking it?