Scrutinizer Reports and NProbe Pro

Scrutinizer is an enterprise/business class NetFlow and sFlow analysis tool. Scrutinizer provides historical trends of the company's critical network interfaces as well as the details on:

Who: The end system causing the traffic
What: The application/protocol that is being used
When: The time frame it has been occurring for
Where: The network connection that is affected

jadams
Posts: 3
Joined: Fri Oct 10, 2014 4:03 pm

Scrutinizer Reports and NProbe Pro

Post by jadams » Fri Oct 10, 2014 4:12 pm

Hello,

I have NProbe Pro v7 with the SIP/RTP plugin pointed at Scrutinizer. I am currently getting 3 NProbe Reports - Host Jitter by SSRC (src), Host Jitter by SSRC (dst), and Host to host jitter by SSRC/codec.

My problem is that I don't know how many NProbe reports are available for SIP/RTP and I don't know what data elements I would need to send from NProbe to get those reports that may or may not exist. Is there any documentation that covers the reports that are available in Scrutinizer and what NetFlow/IPFIX data elements would need to be received to make that report available?

Here is what I'm sending from NProbe currently:

"%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %L4_DST_PORT %L4_SRC_PORT %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %PROTOCOL %IPV4_SRC_MASK %IPV4_DST_MASK %IN_SRC_MAC %OUT_DST_MAC %APPL_LATENCY_MS %RTP_FIRST_SSRC %RTP_FIRST_TS %RTP_LAST_SSRC %RTP_LAST_TS %RTP_IN_JITTER %RTP_OUT_JITTER %RTP_IN_PKT_LOST %RTP_OUT_PKT_LOST %RTP_IN_PAYLOAD_TYPE %RTP_OUT_PAYLOAD_TYPE %RTP_IN_MAX_DELTA %RTP_OUT_MAX_DELTA %RTP_SIP_CALL_ID %RTP_RTT %RTP_DTMF_TONES"

Thanks,

Josh

tomp
Site Admin
Posts: 315
Joined: Wed Jul 27, 2005 10:53 am
Location: Sunny Sanford Maine

Re: Scrutinizer Reports and NProbe Pro

Post by tomp » Fri Oct 10, 2014 4:26 pm

Hi Josh,

This is the template I run for our PBX. This template includes latency information and HTTP URL.

%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %L4_DST_PORT %L4_SRC_PORT %TCP_FLAGS %SRC_TOS %PROTOCOL %CLIENT_NW_DELAY_MS %SERVER_NW_DELAY_MS %APPL_LATENCY_MS %HTTP_URL %HTTP_RET_CODE %IPV4_SRC_MASK %IPV4_DST_MASK %IN_SRC_MAC %OUT_DST_MAC %RTP_FIRST_SSRC %RTP_FIRST_TS %RTP_LAST_SSRC %RTP_LAST_TS %RTP_IN_JITTER %RTP_OUT_JITTER %RTP_IN_PKT_LOST %RTP_OUT_PKT_LOST %RTP_IN_PAYLOAD_TYPE %RTP_OUT_PAYLOAD_TYPE %RTP_IN_MAX_DELTA %RTP_OUT_MAX_DELTA %RTP_SIP_CALL_ID %SIP_CALL_ID %SIP_CALLING_PARTY %SIP_CALLED_PARTY %SIP_RTP_CODECS %SIP_INVITE_TIME %SIP_TRYING_TIME %SIP_RINGING_TIME %SIP_INVITE_OK_TIME %SIP_INVITE_FAILURE_TIME %SIP_BYE_TIME %SIP_BYE_OK_TIME %SIP_CANCEL_TIME %SIP_CANCEL_OK_TIME %SIP_RTP_IPV4_SRC_ADDR %SIP_RTP_L4_SRC_PORT %SIP_RTP_IPV4_DST_ADDR %SIP_RTP_L4_DST_PORT %SIP_FAILURE_CODE %SIP_REASON_CAUSE

This template yields the following available reports specific to SIP/RTP:

Host Jitter by SSRC (src)
Host Jitter by SSRC (dst)
Host to Host Jitter by SSRC/Codec
Host to Host Jitter by SSRC/ToS

It looks like the only one you're missing is SSRC/ToS.

If you export %SIP_CALLING_PARTY %SIP_CALLED_PARTY you can see the caller ID of both parties in "flow view".

Note: my template will allow for reporting around latency and applications as well as HTTP URLs.

- Tom

jadams
Posts: 3
Joined: Fri Oct 10, 2014 4:03 pm

Re: Scrutinizer Reports and NProbe Pro

Post by jadams » Fri Oct 17, 2014 2:52 pm

Thank you for your reply. I have modified my NProbe Pro service config accordingly. I'm getting some odd behavior. The NProbe-specific reports are being generated but the numbers seem almost random and are definitely inaccurate (packet loss so high the call would be useless). If I go to FlowView every single RTP and SIP metric I'm sending is populated with -NIT-. I have two different NProbes, each configured similarly that are both exhibiting this behavior. The same occurs with my original NProbe configuration as well.

My NProbe Service Config:

nprobe /i nprobe_service --collector 10.10.10.10:2055 --interface 3 --local-networks 10.30.250.0/24,192.168.11.0/28,172.24.118.0/24 --flow-version 10 --local-traffic-direction --in-iface-idx 1 --out-iface-idx 2 --lifetime-timeout 60 --idle-timeout 15 --flow-templ "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %L4_DST_PORT %L4_SRC_PORT %TCP_FLAGS %SRC_TOS %PROTOCOL %CLIENT_NW_DELAY_MS %SERVER_NW_DELAY_MS %APPL_LATENCY_MS %HTTP_URL %HTTP_RET_CODE %IPV4_SRC_MASK %IPV4_DST_MASK %IN_SRC_MAC %OUT_DST_MAC %RTP_FIRST_SSRC %RTP_FIRST_TS %RTP_LAST_SSRC %RTP_LAST_TS %RTP_IN_JITTER %RTP_OUT_JITTER %RTP_IN_PKT_LOST %RTP_OUT_PKT_LOST %RTP_IN_PAYLOAD_TYPE %RTP_OUT_PAYLOAD_TYPE %RTP_IN_MAX_DELTA %RTP_OUT_MAX_DELTA %RTP_SIP_CALL_ID %SIP_CALL_ID %SIP_CALLING_PARTY %SIP_CALLED_PARTY %SIP_RTP_CODECS %SIP_INVITE_TIME %SIP_TRYING_TIME %SIP_RINGING_TIME %SIP_INVITE_OK_TIME %SIP_INVITE_FAILURE_TIME %SIP_BYE_TIME %SIP_BYE_OK_TIME %SIP_CANCEL_TIME %SIP_CANCEL_OK_TIME %SIP_RTP_IPV4_SRC_ADDR %SIP_RTP_L4_SRC_PORT %SIP_RTP_IPV4_DST_ADDR %SIP_RTP_L4_DST_PORT %SIP_FAILURE_CODE %SIP_REASON_CAUSE"

tomp
Site Admin
Posts: 315
Joined: Wed Jul 27, 2005 10:53 am
Location: Sunny Sanford Maine

Re: Scrutinizer Reports and NProbe Pro

Post by tomp » Mon Oct 20, 2014 10:25 am

Are there any errors kicked out when you run that command manually?

What is the exact version you're running? I'm definitely running an older build, but I found it's stable.

nprobe_6.13.130420_svn3410_proplugins/

jadams
Posts: 3
Joined: Fri Oct 10, 2014 4:03 pm

Re: Scrutinizer Reports and NProbe Pro

Post by jadams » Thu Oct 23, 2014 10:22 am

I'm running version v.7.0.140924. I have made some modifications to my configuration:

nprobe /i nprobe_service --collector xxx.xx.xxx.xxx:2055 --interface 3 --local-networks xxx.xx.xxx.x/24,xxx.xxx.xxx.x/28,xx.xx.xxx.x/24 --flow-version 10 --local-traffic-direction --lifetime-timeout 60 --idle-timeout 15 --flow-templ "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %L4_DST_PORT %L4_SRC_PORT %TCP_FLAGS %SRC_TOS %PROTOCOL %CLIENT_NW_LATENCY_MS %SERVER_NW_LATENCY_MS %APPL_LATENCY_MS %HTTP_URL %HTTP_RET_CODE %IPV4_SRC_MASK %IPV4_DST_MASK %IN_SRC_MAC %OUT_DST_MAC %RTP_FIRST_SSRC %RTP_FIRST_TS %RTP_LAST_SSRC %RTP_LAST_TS %RTP_IN_JITTER %RTP_OUT_JITTER %RTP_IN_PKT_LOST %RTP_OUT_PKT_LOST %RTP_IN_PAYLOAD_TYPE %RTP_OUT_PAYLOAD_TYPE %RTP_IN_MAX_DELTA %RTP_OUT_MAX_DELTA %RTP_SIP_CALL_ID %SIP_CALL_ID %SIP_CALLING_PARTY %SIP_CALLED_PARTY %SIP_RTP_CODECS %SIP_INVITE_TIME %SIP_TRYING_TIME %SIP_RINGING_TIME %SIP_INVITE_OK_TIME %SIP_INVITE_FAILURE_TIME %SIP_BYE_TIME %SIP_BYE_OK_TIME %SIP_CANCEL_TIME %SIP_CANCEL_OK_TIME %SIP_RTP_IPV4_SRC_ADDR %SIP_RTP_L4_SRC_PORT %SIP_RTP_IPV4_DST_ADDR %SIP_RTP_L4_DST_PORT %SIP_FAILURE_CODE %SIP_REASON_CAUSE"

When running it as console I get the following errors:

23/Oct/2014 10:18:53 [template.c:1410] WARNING: Unable to locate template 'SIP_RTP_IPV6_SRC_ADDR'. Discarded.
23/Oct/2014 10:18:53 [template.c:1410] WARNING: Unable to locate template 'SIP_RTP_IPV6_DST_ADDR'. Discarded.
23/Oct/2014 10:18:53 [template.c:1410] WARNING: Unable to locate template 'SIP_RTP_IPV6_SRC_ADDR'. Discarded.
23/Oct/2014 10:18:53 [template.c:1410] WARNING: Unable to locate template 'SIP_RTP_IPV6_DST_ADDR'. Discarded.

I am still seeing -NIT-s in flow view for all RTP and SIP parameters. I have sniffed packets at the NProbe box and have confirmed that NProbe is sending SIP/RTP information to Scrutinizer.
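
An added example, not part of the thread and not ntop or Plixer code: a Python check that diffs two `--flow-templ` strings and lists the elements that nprobe's console warnings report as discarded. The templates are abbreviated from the posts above (constructed inputs), the log lines are copied from the last post, and all function names are hypothetical.

```python
import re

ELEMENT_RE = re.compile(r"%([A-Z0-9_]+)")
DISCARD_RE = re.compile(r"WARNING: Unable to locate template '([A-Z0-9_]+)'\. Discarded\.")

def template_elements(text):
    """Return the %ELEMENT names found in a --flow-templ string, in order."""
    return ELEMENT_RE.findall(text)

def diff_templates(reference, candidate):
    """Return (missing, extra): names only in reference, names only in candidate."""
    ref, cand = template_elements(reference), template_elements(candidate)
    return [e for e in ref if e not in cand], [e for e in cand if e not in ref]

def discarded_elements(console_log):
    """Unique element names reported as discarded, in first-seen order."""
    return list(dict.fromkeys(DISCARD_RE.findall(console_log)))

def audit(reference, candidate, console_log):
    """Combine the template diff with the discard warnings from a console run."""
    missing, extra = diff_templates(reference, candidate)
    configured = set(template_elements(candidate))
    dropped = discarded_elements(console_log)
    return {
        "missing_vs_reference": missing,
        "extra_vs_reference": extra,
        "discarded": dropped,
        # Discarded names that the configured template never asked for.
        "discarded_not_in_template": [e for e in dropped if e not in configured],
    }

# Constructed inputs: both templates are abbreviated from the posts above.
REFERENCE = ("%IPV4_SRC_ADDR %IPV4_DST_ADDR %SRC_TOS %PROTOCOL "
             "%CLIENT_NW_DELAY_MS %RTP_IN_JITTER %RTP_OUT_JITTER %SIP_CALL_ID")
CANDIDATE = ("%IPV4_SRC_ADDR %IPV4_DST_ADDR %SRC_TOS %PROTOCOL "
             "%CLIENT_NW_LATENCY_MS %RTP_IN_JITTER %RTP_OUT_JITTER %SIP_CALL_ID")
# Console warnings copied from the last post.
LOG = """\
23/Oct/2014 10:18:53 [template.c:1410] WARNING: Unable to locate template 'SIP_RTP_IPV6_SRC_ADDR'. Discarded.
23/Oct/2014 10:18:53 [template.c:1410] WARNING: Unable to locate template 'SIP_RTP_IPV6_DST_ADDR'. Discarded.
23/Oct/2014 10:18:53 [template.c:1410] WARNING: Unable to locate template 'SIP_RTP_IPV6_SRC_ADDR'. Discarded.
23/Oct/2014 10:18:53 [template.c:1410] WARNING: Unable to locate template 'SIP_RTP_IPV6_DST_ADDR'. Discarded.
"""

if __name__ == "__main__":
    for key, value in audit(REFERENCE, CANDIDATE, LOG).items():
        print(f"{key}: {value}")
```

Passing the full template strings from the posts in place of the abbreviated ones gives the complete element-by-element difference between two configurations.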
