[Ntop-dev] Ntop-win32 collector -> output file
cesar.gallego at equant.com
Thu Nov 3 10:59:14 CET 2005
Hi (Luca?),
Just subscribed to the ntop-dev list, but this is a "private question".
By the way, Jean-Philippe Martin-Flatin told me that he knows you very
well. I was working towards my PhD with him in Lausanne, some years ago...
I recently purchased ntop-win32 (3.2) and nprobe-win32 (4.0). Running a
project for a customer. I'm planning to install nprobe on several servers
and use ntop as a collector. I have a problem with the format of the .flow
files generated by ntop. After spending one day in tracing through the perl
script that you provide, I opened the .flow files generated by ntop with a
hex editor. I have the impression that the format is not the one that the
perl scripts expect and the one mentioned in the doc. By the way, the
script works fine on the files generated by nprobe (raw binary dump, no
formatting).
I take the liberty of attaching a 12-flows file generated by ntop. Though the
data are unusable by anyone, this is the reason why I submit it to the
"private" list. Here is what I can see with a hex editor:
Bytes   Hex           Decimal/Ascii   Comment
1-4     30 36 30 30   0600            OK: 600 bytes in file
5-6     00 05         5               OK: nprobe is exporting in netflow V5
7-8     00 0C         12              OK: Number of flows in file/PDU
9-28                                  OK: Rest of flow header (sysuptime, unixs, unixns, seq, engT, engID)
29-32   0D 0A EF AD   13.10.239.173   PROBLEM: First byte is wrong. IP address should be 10.239.173.XXX
Looks like NTOP is writing to the file the 0x0D byte systematically before
each source and dest IP address.
I must confess I'm in big trouble on my project. If I need to dump files
with nprobe, I'll make my measurement chain much more complex, since I'll
have to convert to CSV, import to flow-tools, merge all files (to preserve
time sequence), export to CSV and finally feed my capacity-planning tool
which expects a netflow-like information. If I would be able to have the
right format, I could just customize the perl script that reads .flow
files to generate the format expected by my capacity planning tool.
Are you aware of this issue? Did anyone already report it? Any fix planned?
Thanks in advance!
Ciao
(See attached file: 1130840882.flow)
César Gallego, Ph. D.
Equant Solutions & Services / Global Professional Services
Equant
Rue de Lyon 89-91
CH-1203 Geneva
Switzerland
Phone: +41 22 339 93 84
http://www.equant.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: =?iso-8859-1?Q?1130840882.flow?=
Type: application/octet-stream
Size: 47216 bytes
Desc: not available
Url : http://listgateway.unipi.it/pipermail/ntop-dev/attachments/20051103/e370daaa/iso-8859-1Q1130840882-0001.obj
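An added example (not part of the original message and not ntop code): a Python check for the file layout described in the message above, a 4-digit ASCII length followed by a NetFlow v5 PDU. It assumes, as one explanation the message does not confirm, that the stray 0x0D comes from a text-mode file handle turning each 0x0A into 0x0D 0x0A; the function names, the last address octet and the sample PDU are constructed for illustration.

```python
import struct

HDR = struct.Struct("!HHIIIIBBH")   # NetFlow v5 header, 24 bytes
REC = 48                            # NetFlow v5 flow record size

def build_pdu(src_ips):
    """Constructed sample: one length-prefixed v5 PDU, one flow per source IP."""
    body = HDR.pack(5, len(src_ips), 0, 0, 0, 0, 0, 0, 0)
    for ip in src_ips:
        body += bytes(ip) + bytes(REC - 4)      # srcaddr, remaining fields zeroed
    return b"%04d" % len(body) + body

def text_mode(data):
    """Assumed cause (not confirmed on the list): LF -> CRLF on write."""
    return data.replace(b"\n", b"\r\n")

def check_flow_file(blob):
    """Walk length-prefixed PDUs; return a list of (offset, problem) tuples."""
    problems, off = [], 0
    while off < len(blob):
        prefix = blob[off:off + 4]
        if len(prefix) < 4 or not prefix.isdigit():
            problems.append((off, "expected 4 ASCII digits, got %r" % prefix))
            break
        declared = int(prefix)
        pdu = blob[off + 4:off + 4 + declared]
        if len(pdu) < HDR.size:
            problems.append((off, "truncated PDU"))
            break
        version, count = HDR.unpack_from(pdu)[:2]
        if version != 5 or declared != HDR.size + REC * count:
            problems.append((off, "length %d does not fit v5 with %d flows"
                             % (declared, count)))
            break
        crlf = pdu.count(b"\r\n")
        if crlf:                                 # hint only: 0D 0A can be real data
            problems.append((off, "%d CR LF pairs inside binary PDU" % crlf))
        off += 4 + declared                      # next prefix must start here
    return problems
```

A clean file walks to end-of-file with no findings; a translated one keeps its declared length of 600 but is longer on disk, so the walk stops at the first offset where a length prefix should be and is not.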