On 11/09/2020 14:42, cosmas charles wrote:
sudo tcpdump -i enp38s0 port 9996
[sudo] password for coselem:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp38s0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:31:03.113980 IP 172.16.x.x.49955 > coselem-HP-ProBook-4330s.9996: UDP, length 1464
16:31:03.114361 IP 172.16.x.x.49955 > coselem-HP-ProBook-4330s.9996: UDP, length 1464
16:31:03.114459 IP 172.16.x.x.49955 > coselem-HP-ProBook-4330s.9996: UDP, length 1464

When I check the status of nfsen I get the following information.

$ service nfsen status
● nfsen.service - NfSen Service
   Loaded: loaded (/etc/systemd/system/nfsen.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2020-09-11 07:46:29 EAT; 8h ago
 Main PID: 1632 (nfsend)
    Tasks: 4 (limit: 4555)
   CGroup: /system.slice/nfsen.service
           ├─1516 /opt/nfdump/bin/nfcapd -w -D -p 9996 -u netflow -g www-data -B 200000 -S 1 -P /opt/nfsen/var/r
           ├─1522 /opt/nfdump/bin/nfcapd -w -D -p 9995 -u netflow -g www-data -B 200000 -S 1 -P /opt/nfsen/var/r
           ├─1632 /usr/bin/perl -w /opt/nfsen/bin/nfsend
           └─1633 /opt/nfsen/bin/nfsend-comm

Sep 11 16:36:24 coselem-HP-ProBook-4330s nfcapd[1516]: Unknown flow source: '172.16.x.x'
Sep 11 16:36:24 coselem-HP-ProBook-4330s nfcapd[1516]: Skip UDP packet. Ignored packets so far 311 packets
Sep 11 16:36:24 coselem-HP-ProBook-4330s nfcapd[1516]: Unknown flow source: '172.16.x.x'
Sep 11 16:36:24 coselem-HP-ProBook-4330s nfcapd[1516]: Skip UDP packet. Ignored packets so far 312 packets
Sep 11 16:36:24 coselem-HP-ProBook-4330s nfcapd[1516]: Unknown flow source: '172.16.1x.x'
Sep 11 16:36:24 coselem-HP-ProBook-4330s nfcapd[1516]: Skip UDP packet. Ignored packets so far 313 packets
Sep 11 16:36:24 coselem-HP-ProBook-4330s nfcapd[1516]: Unknown flow source: '172.16.x.x'

And my nfsen.conf sources are configured as shown below:
%sources = (
    'upstream1'    => { 'port' => '9995', 'col' => '#0000ff', 'type' => 'netflow' },
    'peer1'        => { 'port' => '9996', 'IP' => '172.16.x.x' },
    'peer2'        => { 'port' => '9996', 'IP' => '172.16.y.y' },
);
And only router 172.16.x.x is configured to sink packets to my laptop with the destination address of my laptop where nfsen is installed, but nothing is displayed on the browser.

I don't know why you're hiding x and y; these are private IP addresses and are not reachable over the Internet.

The most likely answer is that they're going to port 9996 but the *source* IP address is not 172.16.x.x or 172.16.y.y.  Typically, routers have a command to set the source address of netflow packets, and if you don't use this, it will be the address of the interface that they egress from.

You should also check the full command line to nfcapd; the systemctl status output is truncated.

Good luck,

Brian.



_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
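
An added example, not part of the original thread or of NfSen/nfdump: a Python script that tallies the sender addresses nfcapd rejects as "Unknown flow source" and checks each against the `IP` values in `%sources`. The log lines, configuration text and addresses are constructed samples, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed samples modelled on the output quoted above; all addresses are invented.
SAMPLE_LOG = """\
Sep 11 16:36:24 host nfcapd[1516]: Unknown flow source: '172.16.20.1'
Sep 11 16:36:24 host nfcapd[1516]: Skip UDP packet. Ignored packets so far 311 packets
Sep 11 16:36:24 host nfcapd[1516]: Unknown flow source: '172.16.20.1'
Sep 11 16:36:24 host nfcapd[1516]: Skip UDP packet. Ignored packets so far 312 packets
Sep 11 16:36:25 host nfcapd[1516]: Unknown flow source: '172.16.30.1'
"""
SAMPLE_CONF = """\
%sources = (
    'upstream1'    => { 'port' => '9995', 'col' => '#0000ff', 'type' => 'netflow' },
    'peer1'        => { 'port' => '9996', 'IP' => '172.16.10.1' },
    'peer2'        => { 'port' => '9996', 'IP' => '172.16.10.2' },
);
"""

UNKNOWN_RE = re.compile(r"nfcapd\[\d+\]: Unknown flow source: '([^']+)'")
BLOCK_RE = re.compile(r"%sources\s*=\s*\((.*?)\)\s*;", re.S)
ENTRY_RE = re.compile(r"^\s*'([^']+)'\s*=>\s*\{(.*?)\}", re.M)
FIELD_RE = re.compile(r"'(\w+)'\s*=>\s*'([^']*)'")


def configured_sources(conf_text):
    """Return {name: {field: value}} for each entry in the %sources block."""
    block = BLOCK_RE.search(conf_text)
    if not block:
        return {}
    return {name: dict(FIELD_RE.findall(body))
            for name, body in ENTRY_RE.findall(block.group(1))}


def rejected_senders(log_text):
    """Count 'Unknown flow source' messages per sender address."""
    return Counter(UNKNOWN_RE.findall(log_text))


def diagnose(log_text, conf_text):
    """List (address, count, matching source name or None), busiest first."""
    by_ip = {s["IP"]: name for name, s in configured_sources(conf_text).items() if "IP" in s}
    return [(ip, n, by_ip.get(ip)) for ip, n in rejected_senders(log_text).most_common()]


if __name__ == "__main__":
    for ip, n, name in diagnose(SAMPLE_LOG, SAMPLE_CONF):
        # None: the sender address is not in %sources at all.
        # A name: the file lists it, so compare against the running nfcapd command line.
        print(f"{ip}: {n} rejected, configured as {name}")
```
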
