Best way to segregate IPv4 from IPv6 traffic in Scrut reports?

Posted: Mon Jan 30, 2017 11:18 am
by fossicker
I have a homemade nprobe running Debian Jessie x86, it's an old 32-bit (previously snort) appliance with one 100Mb management interface and six Intel GbE interfaces. Because it's only a 32-bit CPU, and because Luca Deri no longer supports nprobe on x86, I compiled nprobe and nDPI from scratch using old sources I found on github from 2011. It's a fully functional nprobe but with no licensed addons. Right now I have nprobe watching eth0 which is jacked into a switch span port of my LAN uplink.

Is there a way that I can run two nprobes, one to export IPv4 and another to export IPv6, showing up as separate instances in Scrutinizer? Or would you recommend running a basic nprobe -V 9, and then use Scrutinizer reporting to segregate IPv4 from IPv6?

What's the difference between an Interface and an Instance in Scrutinizer?

I am working from ... templates/

When I run a basic nprobe:
./nprobe -a -n -i eth0 -t 60 -d 15 -V 9 -G
I get Interface 0 in Scrutinizer and IPv4 and IPv6 traffic appears together in Reports.

Here's another nprobe I've been playing with; this seems to give me Instance 1 and Instance 2. What is the difference between an Instance and an Interface? Instance 0 seems to give me only IPv4, while Instance 2 gives me both IPv4 and IPv6.

nprobe -E "0:1" -f "!tcp" -a -n -i eth0 -u 1 -Q 2 -t 60 -d 15 -1 "[email protected],[email protected]" -V 10 -T "%IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %L4_DST_PORT %L4_SRC_PORT %IN_BYTES %FLOW_START_MILLISECONDS %FLOW_END_MILLISECONDS %PROTOCOL %IPV4_SRC_MASK %IPV4_DST_MASK %IN_SRC_MAC %OUT_DST_MAC" -G
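One way to get the two-exporter setup the post asks about, as an added example (not the poster's or ntop's code): run two nprobe instances on the same span port, one with the BPF filter "ip" and one with "ip6", each with its own -u/-Q ifindex so the collector sees two distinct interfaces instead of a single interface 0. It assumes the collector address placeholder COLLECTOR (the post's real collector string is not shown) and that this nprobe build accepts the same -f/-u/-Q/-n/-V/-t/-d/-G options the post already uses.

```shell
#!/bin/sh
# Added example: split IPv4 and IPv6 into two nprobe exporters on one interface.
# Assumptions: COLLECTOR is the Scrutinizer host:port (placeholder below), and the
# nprobe build accepts -f/-u/-Q/-n/-V/-t/-d/-G as used in the post.
set -eu

IFACE="${IFACE:-eth0}"
COLLECTOR="${COLLECTOR:-collector.example.net:2055}"   # placeholder, replace for real use

# Map an address family to the pcap/BPF filter that selects only that family.
# "ip" matches IPv4 only and "ip6" matches IPv6 only, so the two probes never
# export the same packet twice.
bpf_for_family() {
    case "$1" in
        v4) echo "ip" ;;
        v6) echo "ip6" ;;
        *)  echo "unknown address family: $1" >&2; return 1 ;;
    esac
}

# Build (but do not run) the nprobe command line for one address family.
# -u/-Q set the input/output ifindex; giving each exporter a different value is
# what makes them show up separately downstream instead of both on interface 0.
nprobe_cmd() {
    family="$1"; ifindex="$2"
    filter="$(bpf_for_family "$family")"
    printf '%s' "nprobe -i $IFACE -f \"$filter\" -u $ifindex -Q $ifindex -n $COLLECTOR -V 9 -t 60 -d 15 -G"
}

# Only launch the probes when nprobe is actually installed on this host.
if command -v nprobe >/dev/null 2>&1; then
    eval "$(nprobe_cmd v4 1)"
    eval "$(nprobe_cmd v6 2)"
fi
```

Pick ifindex values that do not collide with any real SNMP ifindex the collector already tracks for this exporter.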