
nProbe not exporting all flows and IEs to ntopng

Open simonemainardi opened this issue 4 years ago • 0 comments

nProbe only exports a subset of flows and without all IEs to ntopng. Example:

./nprobe -i ../nDPI/tests/pcap/tls_certificate_too_long.pcap --zmq tcp://127.0.0.1:1234 -T "@NTOPNG@ %TLS_CIPHER %TLS_VERSION %SRC_TO_DST_MAX_THROUGHPUT %JA3C_HASH %JA3S_HASH" --zmq-format j --json-labels

This causes only two flows to be collected, and without all IEs such as the JA3 hashes.

If I add export to text files, then many more flows arrive and they contain all the IEs.

./nprobe -i ../nDPI/tests/pcap/tls_certificate_too_long.pcap --zmq tcp://127.0.0.1:1234 -T "@NTOPNG@ %TLS_CIPHER %TLS_VERSION %SRC_TO_DST_MAX_THROUGHPUT %JA3C_HASH %JA3S_HASH" --zmq-format j --json-labels -D t -P /tmp/

simonemainardi, Nov 09 '21 15:11