ntopng-data 3.2+dfsg1-1 / usr / share / doc / ntopng / README.zmq

This file is indexed.

/usr/share/doc/ntopng/README.zmq is in ntopng-data 3.2+dfsg1-1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
(sFlow/NetFlow) Flow Collection via ZMQ
---------------------------------------
As described in http://www.ntop.org/nprobe/why-nprobejsonzmq-instead-of-native-sflownetflow-support-in-ntopng/
ntopng does not natively handle netflow but it rather does that via ZMQ.

In ZMQ we have reverted the NetFlow collector/probe paradigm. When used via ZMQ ntopng connects to the
flow source (nProbe in this case) it subscribes to the specified topic so that only the interesting
information is received.

Example:
Suppose you start nprobe on host IP 1.2.3.4 and ntopng on host IP 5.6.7.8. Instruct nProbe to
create a ZMQ endpoint on all host interfaces at port 5556. In this case nProbe waits for
ntopng connections. This way you can attach/detach as many ntopng instances you like
without having to reconfigure nProbe
# nprobe --zmq "tcp://*:5556" -i eth1 -n none

Then you need to start ntopng to connect to the above doing
# ntopng -i tcp://1.2.3.4:5556

NOTE: The --zmq parameter has a double dash '-'


Using ZMQ Behind a Firewall
---------------------------
The above ZMQ communication paradigm might not work in case there is a firewall between nProbe
and ntopng.

* Scenario A
- Both nProbe and ntop are on the same private network (firewall protected)
The firewall does not create any trouble to ZMQ communications.

* Scenario B
- nProbe is on a public network/IP
- ntopng is on a private network/IP protected by a firewall
In this case the ZMQ paradigm works well as ntopng connects to nProbe.

* Scenario C
- nProbe is on a private network/IP
- ntopng is on a public network/IP protected by a firewall
In this case the ZMQ paradigm does not work as the firewall prevents ntopng (connection initiator)
to connect tp nProbe. In this case you need to revert the ZMQ paradigm by swapping
roles of nProbe/ntopng. This can be done as follows. Suppose nprobe runs n host IP 192.168.1.100 and
ntopng on host IP 46.101.x.y. In this case you need to start the applications as follows

# nprobe --zmq-probe-mode --zmq "tcp://46.101.x.y:5556" -i eth1 -n none
# ntopng -i "tcp://*:5556c"

NOTES
- A small (lowercase) 'c' letter has been added in the ntopng configuration to indicate that
  this ZMQ socket is running in collector mode
- In essence you revert the roles of nProbe and ntopng. In this setup they behave as 
  NetFlow/IPFIX probes do.

APT Browse - Built by Thomas Orozco.