bionscuba.blogg.se

Mikrotik to ntopng










Collecting flows on large networks with hundreds of routers can be challenging. Besides the number of flows to be collected, another key point is being able to visualize the information in a simple yet effective way. ntopng allows you to create up to 32 virtual flow collection interfaces that can be used to avoid merging collected flows; unfortunately, they are not enough when collecting flows from 100+ routers.

In the latest ntopng and nProbe dev versions (soon to become stable), we have implemented the concept of observation point, which in IPFIX is defined as a location in the network where packets can be observed. The problem we want to solve is how to cluster flows coming from the same site regardless of the probe IP that originates them, and avoid merging them with those coming from other sites, while still being able to see them as a whole at the interface level where flows are collected.

Each nProbe instance can be configured to set a numerical value for the observationPoint Id that uniquely identifies a site. Depending on the site size, a site can have one or multiple probes. In nProbe the observationPoint is set with the -E flag as follows:

When flows are sent by nProbe, they are uniquely marked with the observationPoint Id, which ntopng honours during flow collection and reports in the web interface. In the top menubar, ntopng lists all the known observationPoint Ids in a dropdown menu, so a network analyst can select the observationPoint he wants to visualise while hiding flows from other observation points.
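To make the clustering idea concrete, here is an added example (not ntopng or nProbe code) of a small IPFIX collector that totals bytes per exporter IP and per observationPointId. It assumes the exporter puts IANA element 138 (observationPointId) in its template, handles only fixed-length IANA elements with one template per set, and uses constructed addresses and counters.

```python
import struct
from collections import defaultdict

IE_OCTETS, IE_OBS_POINT = 1, 138  # IANA ids: octetDeltaCount, observationPointId
FIELDS = [(8, 4), (12, 4), (IE_OCTETS, 8), (IE_OBS_POINT, 8)]  # src, dst, bytes, obs point

def build_message(flows):
    """Constructed IPFIX message (template 256 + data) from (src, dst, octets, obs_point)."""
    tmpl = struct.pack("!HH", 256, len(FIELDS)) + b"".join(struct.pack("!HH", *f) for f in FIELDS)
    data = b"".join(struct.pack("!4s4sQQ", *f) for f in flows)
    sets = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(data)) + data
    return struct.pack("!HHIII", 10, 16 + len(sets), 0, 0, 0) + sets

def parse_message(msg, templates):
    """Yield one {element_id: int} dict per data record; templates is this exporter's cache."""
    version, length = struct.unpack_from("!HH", msg)
    if version != 10 or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    pos = 16  # skip the fixed 16-byte message header
    while pos + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, pos)
        if set_len < 4 or pos + set_len > length:
            raise ValueError("bad set length")
        body = msg[pos + 4:pos + set_len]
        fields = templates.get(set_id, []) if set_id >= 256 else []
        rec_len = sum(size for _, size in fields)
        if set_id == 2:  # template set: remember the field layout
            tid, count = struct.unpack_from("!HH", body)
            templates[tid] = [struct.unpack_from("!HH", body, 4 + 4 * i) for i in range(count)]
        elif rec_len:  # data set whose template is already known
            for off in range(0, len(body) - rec_len + 1, rec_len):
                rec, p = {}, off
                for ie, size in fields:
                    rec[ie], p = int.from_bytes(body[p:p + size], "big"), p + size
                yield rec
        pos += set_len

def bytes_per_key(exports):
    """Total octets keyed by exporter (probe) IP and by observationPointId."""
    by_probe, by_site, caches = defaultdict(int), defaultdict(int), defaultdict(dict)
    for probe_ip, msg in exports:
        for rec in parse_message(msg, caches[probe_ip]):  # templates are per exporter
            by_probe[probe_ip] += rec[IE_OCTETS]
            by_site[rec[IE_OBS_POINT]] += rec[IE_OCTETS]
    return dict(by_probe), dict(by_site)

# Constructed input: two probes at site 1, one probe at site 2.
SAMPLE = [("198.51.100.1", build_message([(b"\x0a\x01\x00\x05", b"\xc0\x00\x02\x0a", 1200, 1)])),
          ("198.51.100.2", build_message([(b"\x0a\x01\x09\x07", b"\xc0\x00\x02\x0b", 800, 1)])),
          ("198.51.100.9", build_message([(b"\x0a\x02\x00\x03", b"\xc0\x00\x02\x0a", 500, 2)]))]
```

Keyed by exporter IP, site 1 appears as two unrelated sources; keyed by observationPointId, its two probes collapse into one site total while the overall sum is unchanged.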










