On 11/09/2020 14:42, cosmas charles wrote:
sudo tcpdump -i enp38s0 port 9996
[sudo] password for coselem:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp38s0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:31:03.113980 IP 172.16.x.x.49955 > coselem-HP-ProBook-4330s.9996: UDP, length 1464
16:31:03.114361 IP 172.16.x.x.49955 > coselem-HP-ProBook-4330s.9996: UDP, length 1464
16:31:03.114459 IP 172.16.x.x.49955 > coselem-HP-ProBook-4330s.9996: UDP, length 1464
When I check the status of nfsen I get the following information.
$ service nfsen status
● nfsen.service - NfSen Service
Loaded: loaded (/etc/systemd/system/nfsen.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2020-09-11 07:46:29 EAT; 8h ago
Main PID: 1632 (nfsend)
Tasks: 4 (limit: 4555)
CGroup: /system.slice/nfsen.service
├─1516 /opt/nfdump/bin/nfcapd -w -D -p 9996 -u netflow -g www-data -B 200000 -S 1 -P /opt/nfsen/var/r
├─1522 /opt/nfdump/bin/nfcapd -w -D -p 9995 -u netflow -g www-data -B 200000 -S 1 -P /opt/nfsen/var/r
├─1632 /usr/bin/perl -w /opt/nfsen/bin/nfsend
└─1633 /opt/nfsen/bin/nfsend-comm
Sep 11 16:36:24 coselem-HP-ProBook-4330s nfcapd[1516]: Unknown flow source: '172.16.x.x'
Sep 11 16:36:24 coselem-HP-ProBook-4330s nfcapd[1516]: Skip UDP packet. Ignored packets so far 311 packets
Sep 11 16:36:24 coselem-HP-ProBook-4330s nfcapd[1516]: Unknown flow source: '172.16.x.x'
Sep 11 16:36:24 coselem-HP-ProBook-4330s nfcapd[1516]: Skip UDP packet. Ignored packets so far 312 packets
Sep 11 16:36:24 coselem-HP-ProBook-4330s nfcapd[1516]: Unknown flow source: '172.16.1x.x'
Sep 11 16:36:24 coselem-HP-ProBook-4330s nfcapd[1516]: Skip UDP packet. Ignored packets so far 313 packets
Sep 11 16:36:24 coselem-HP-ProBook-4330s nfcapd[1516]: Unknown flow source: '172.16.x.x'
And my nfsen.conf sources are configured as shown below:
%sources = (
    'upstream1' => { 'port' => '9995', 'col' => '#0000ff', 'type' => 'netflow' },
    'peer1' => { 'port' => '9996', 'IP' => '172.16.x.x' },
    'peer2' => { 'port' => '9996', 'IP' => '172.16.y.y' },
);
And only router 172.16.x.x is configured to sink packets to my laptop,
with the destination address of my laptop where nfsen is installed,
but nothing is displayed on the browser.

I don't know why you're hiding x and y; these are private IP addresses
and are not reachable over the Internet.
The most likely answer is that they're going to port 9996 but the
*source* IP address is not 172.16.x.x or 172.16.y.y. Typically, routers
have a command to set the source address of netflow packets, and if you
don't use this, it will be the address of the interface that they egress
from.
You should also check the full command line to nfcapd; the systemctl
status output is truncated.
Good luck,
Brian.
_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
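
Added example (not part of the original thread, and not NfSen or nfdump code): one way to run the check Brian suggests, by listing every address nfcapd rejected as an "Unknown flow source" next to the 'IP' values that nfsen.conf expects on the same collector port. All sample input is constructed (documentation-range addresses, hostname "collector"), and the function names are hypothetical.

```python
import re
from collections import Counter
# Constructed sample input; addresses are documentation ranges, not values from the thread.
NFSEN_CONF = """
%sources = (
    'upstream1' => { 'port' => '9995', 'col' => '#0000ff', 'type' => 'netflow' },
    'peer1'     => { 'port' => '9996', 'IP' => '192.0.2.1' },
    'peer2'     => { 'port' => '9996', 'IP' => '192.0.2.2' },
);
"""
STATUS = """
 ├─1516 /opt/nfdump/bin/nfcapd -w -D -p 9996 -u netflow -g www-data -B 200000
 ├─1522 /opt/nfdump/bin/nfcapd -w -D -p 9995 -u netflow -g www-data -B 200000
"""
LOG = """
Sep 11 16:36:24 collector nfcapd[1516]: Unknown flow source: '198.51.100.7'
Sep 11 16:36:24 collector nfcapd[1516]: Skip UDP packet. Ignored packets so far 311 packets
Sep 11 16:36:24 collector nfcapd[1516]: Unknown flow source: '198.51.100.7'
Sep 11 16:36:25 collector nfcapd[1516]: Unknown flow source: '192.0.2.99'
"""

def configured_sources(conf):
    """Map collector port -> {source name: expected exporter IP} from %sources."""
    by_port = {}
    for name, body in re.findall(r"'([^']+)'\s*=>\s*\{(.*?)\}", conf, re.S):
        fields = dict(re.findall(r"'(\w+)'\s*=>\s*'([^']*)'", body))
        if "IP" in fields:  # sources without 'IP' are not filtered by address
            by_port.setdefault(fields["port"], {})[name] = fields["IP"]
    return by_port

def pid_ports(status):
    """Map nfcapd PID -> listening port (-p) from the process list."""
    return dict(re.findall(r"(\d+) \S*nfcapd\b.*?-p (\d+)", status))

def unknown_sources(log):
    """Count 'Unknown flow source' log messages per (pid, source IP)."""
    return Counter(re.findall(r"nfcapd\[(\d+)\]: Unknown flow source: '([^']+)'", log))

def report(conf, status, log):
    """Rows of (port, actual source IP, message count, IPs the config expects on that port)."""
    expected, ports = configured_sources(conf), pid_ports(status)
    rows = []
    for (pid, ip), n in sorted(unknown_sources(log).items()):
        port = ports.get(pid, "?")
        rows.append((port, ip, n, sorted(expected.get(port, {}).values())))
    return rows

if __name__ == "__main__":
    print(*report(NFSEN_CONF, STATUS, LOG), sep="\n")
```

Any row whose source IP belongs to the router means the exporter is sending from a different interface address than the one in nfsen.conf; either set the NetFlow source address on the router or change the 'IP' entry to match.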