I'd like to "split the stream" and get that Netflow to more servers. I've got a small problem, all of our network equipment will do Netflow, but only to two destinations, and both of them are being used right now, so I can't get the data. > I'm working on a research project requires Netflow data. > I' wrote to the list a few weeks ago, but will restate my problem and things I've tried.
DOCSFLOW EXPORT TO GOOGLE DOCS GRAYED OUT FULL
> I got sidetracked by the holidays, and am back on this problem full time now (but of course with less time available now to meet my short deadline.) There may be an access control layer (packet filter, SELINUX, whatever ) in between. Packets you see in tcpdump are not necessarilyįorwarded to the application socket. Obviously your OS/Kernel prevents the socket from receiving data. When I run "tcpdump port 9996" I see a lot of the following: > I do however have 12 routers currently pointing to this server, all on port 9996 so it should be seeing something. which I believe means that it is not seeing any flow data.
> This is supposed to give me stdout for the flow data but it just sits there and I see nothing. > nfcapd -E -l /var/local/nfdump/flows -p 9996 > At the suggestion of the Peter, I tried running this: > I tried using nfdump and nfreplay to see the contents of the stored flow files and they all appear to be empty except for headers. > I was trying to originally run it with the following flags: If there is somewhere else, something else I should be looking at I don't know what or where at this point.Ĭc: Re: Using NFDUMP as an aggregator. SO I tried to read the nfcapd files with the below flows]# nfdump -r nfcapd.200912290735 -n 20ĭate flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes FlowsĪnd I get nothing. There is no firewall or anything in the way at the moment. So I know that nfcapd is running, and rotating in 5minute increments. rw-r-r- 1 root root 276 Dec 29 07:40 nfcapd.current I wait 20 minutes or so, and then do a flows]# ll I'm running the command as root, and root and I don't think the ACL are in the way. OK Peter, I turned off SELinux, and the firewall. ITT accepts no liability for any damage caused by any virus transmitted by this e-mail. The recipient should check this e-mail and any attachments for the presence of viruses. Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of ITT Corporation. If you have received this e-mail in error please notify the sender. This e-mail and any files transmitted with it may be proprietary and are intended solely for the use of the individual or entity to whom they are addressed. Is this possible or do I need to create some special or custom solution? I realize that with the -I flag I can set base and subdirectories initially, but I would like it to be dynamic and allow new subdirectories (based upon IP) to be created when a new feed comes in. I have 12 or more devices feeding into my nfcapd server on the same inbound port and would like to break the stored feeds out by IP Address in addition to year-month-day/hour like this:
The -S8 indicates a format of %Y-%m-%d/%H (year-month-day/hour) Utilizing nfcapd with the -S allows us to set sub directory structure based upon date/time I'm running one NFCPAD to capture all traffic coming in on port 9997
0 kommentar(er)
