02. 11. 2021 Giovanni Davide Saccá NetEye, Unified Monitoring

nBox to NetEye Elastic Module

A customer asked me to analyze their network flows. The proposed solution uses an nBox that collects NetFlow data from a router located away from the branch office, takes it in for analysis, and then sends it to a NetEye Elastic module, which acts as the analysis console for that NetFlow data.

The first step is to choose how the nBox receives the traffic. Either it listens for NetFlow on a dedicated socket, in which case the correct nprobe.conf configuration carries the directive:

[-c=6363]

or it receives traffic through a Span Port (Mirror Port) configured on a network device such as a switch; in that case the correct nprobe.conf configuration carries the directive:

[-i=nBox_physical_interface_destination_of_the_Span_Port]

In the use case under consideration, we chose the Span Port option: the port was configured on the switch that physically connects the router port (whose NetFlow is to be analyzed) to the nBox port.

Consider the minimum network requirements at the physical layer, as shown in the following diagram:

If the router and the nBox cannot be connected to the same switch, you can configure a remote span port across your Layer 2 network, from the switch where the router is plugged in to the switch where the nBox is plugged in; alternatively, a TAP device may be more convenient. The nBox can operate in both cases.

If you'd like the details and instructions for configuring NetFlow on a Cisco router, here is the CLI of a Cisco entry-level device:


For details and guidance on configuring the span port on a Cisco switch, for example, search for the keywords Configuration Guide and Span Port.

Once the necessary wiring has been completed and the router and switch have been configured, it's time to configure the nBox to forward the NetFlow data it receives.

From the nBox web GUI, select the menu Application > nProbe.

Set the nProbe interface connected to the switch to ON.

Then configure the FQDN and port on which Elastic is listening. The default port is 2055, as shown in the following screenshot:

After that, restart nProbe via the web GUI or an SSH session. Also take a look at the bottom left of this web page and follow the Flow Export Format link, which lets you select the fields you want to include in the emitted NetFlow:

Then ask an Elastic specialist to configure an index for you, probably via Filebeat. Once the Elastic environment is configured, use the Elastic web GUI to check that the NetFlow has been received by executing a query such as the following:

Remember to specify the IP address of the nBox as netflow.exporter.address in the Elastic web GUI query, and also check in Elastic's Index Management menu that the index dedicated to NetFlow is present, as shown here:
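The verification step above is done by hand in the Elastic web GUI. As an added example (not code from the post, nor from NetEye or Filebeat), the script below builds the equivalent Elasticsearch query DSL and evaluates the answer: it buckets the last N minutes of NetFlow documents by netflow.exporter.address, so you can confirm that flows from the nBox are arriving and, at the same time, notice any exporter address you did not configure (a misconfigured device or an unknown sender). The nBox address 192.0.2.10, the index pattern filebeat-* and the sample response are constructed placeholders; the field name netflow.exporter.address is the one the post refers to.

```python
"""Verify NetFlow arrival in Elasticsearch by exporter address (added example)."""
import json
import urllib.request

NBOX_ADDRESS = "192.0.2.10"    # placeholder (constructed): IP of the nBox exporting NetFlow
INDEX_PATTERN = "filebeat-*"   # assumption: index written by the Filebeat NetFlow setup


def build_query(minutes: int = 15, max_exporters: int = 50) -> dict:
    """Query DSL: all NetFlow documents of the last N minutes, bucketed by the
    exporter address so that both the expected nBox and any unexpected sender
    are visible in one round trip."""
    return {
        "size": 0,
        "query": {
            "bool": {
                "filter": [
                    {"exists": {"field": "netflow.exporter.address"}},
                    {"range": {"@timestamp": {"gte": f"now-{minutes}m"}}},
                ]
            }
        },
        "aggs": {
            "by_exporter": {
                "terms": {"field": "netflow.exporter.address", "size": max_exporters}
            }
        },
    }


def check_exporters(response: dict, expected: str) -> dict:
    """Evaluate a _search response: how many flows came from the expected nBox,
    and which other addresses (misconfigured or unknown senders) also exported."""
    buckets = response.get("aggregations", {}).get("by_exporter", {}).get("buckets", [])
    counts = {b["key"]: b["doc_count"] for b in buckets}
    expected_flows = counts.pop(expected, 0)
    result = {"expected_flows": expected_flows, "unexpected": counts}
    if expected_flows == 0:
        result["status"] = "no flows from nBox: check span port, nProbe target FQDN and port 2055, UDP path"
    elif counts:
        result["status"] = "nBox flows present, but other exporters seen: verify they are authorised"
    else:
        result["status"] = "ok"
    return result


def search(es_url: str, index: str, query: dict, timeout: float = 10.0) -> dict:
    """POST the query to the Elasticsearch _search endpoint (network call;
    not executed by the offline sample below)."""
    req = urllib.request.Request(
        f"{es_url.rstrip('/')}/{index}/_search",
        data=json.dumps(query).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample response in the _search format, standing in for a live
# cluster: 40 flows from the nBox and 3 from an address nobody configured.
SAMPLE_RESPONSE = {
    "hits": {"total": {"value": 43, "relation": "eq"}},
    "aggregations": {
        "by_exporter": {
            "buckets": [
                {"key": "192.0.2.10", "doc_count": 40},
                {"key": "198.51.100.7", "doc_count": 3},
            ]
        }
    },
}

if __name__ == "__main__":
    print(json.dumps(build_query(), indent=2))
    print(check_exporters(SAMPLE_RESPONSE, NBOX_ADDRESS))
```

Against a live cluster, replace the sample with `search("https://elastic.example:9200", INDEX_PATTERN, build_query())` (placeholder URL; add the credentials your deployment requires). The aggregation deliberately does not filter on the nBox address in the query itself: filtering there would hide every other exporter, which is exactly the information you want when validating the path from the span port to the index.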
Author

Giovanni Davide Saccá

Consultant at Würth Phoenix. Dear all, my name is Davide and I was born in San Donato Milanese. Since I was a boy I have always been intrigued by PCs, and so I took my first steps with my Commodore VIC-20. Before joining Würth Phoenix as an SI consultant, I worked first as a Network Engineer for several ISPs (Internet Service Providers) in the late 90s, then for the first ASP (Application Service Provider), and then as Responsible for IT Network and Security. My various ITIL and vendor certifications allowed me to cooperate in the writing of policies and procedures for PCI-DSS and ISO 27001 compliance. I like tennis, music, motorcycles and going on nature walks with my family.

