Hi, I installed flow-tools 0.67 on Fedora Core 2. The router is a Cisco 6509 that is configured to export v5. The flow-capture options are:

/usr/local/netflow/bin/flow-capture -w /var/netflow/ft 10.3.128.220/10.110.1.1/2000 -S5 -V5 -E1G -n 287 -N 0 -R /usr/local/netflow/bin/linkme

and I can see my machine has received data from my router:

# tcpdump -n udp port 2000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:53:21.461403 IP 10.110.1.1.50323 > 10.3.128.220.2000: UDP, length 1464
15:53:30.462434 IP 10.110.1.1.50323 > 10.3.128.220.2000: UDP, length 1464

Then I checked /var/netflow/ft, and I can see that flow-capture has written its output to this directory:

-rw-r--r-- 1 root root 88 Jun 16 15:35 ft-v05.2004-06-16.153001+0400
-rw-r--r-- 1 root root 88 Jun 16 15:40 ft-v05.2004-06-16.153839+0400
-rw-r--r-- 1 root root 88 Jun 16 15:45 ft-v05.2004-06-16.154001+0400
-rw-r--r-- 1 root root 88 Jun 16 15:50 ft-v05.2004-06-16.154501+0400
-rw-r--r-- 1 root root 80 Jun 16 15:20 tmp-v05.2004-06-16.152000+0400

and I can see the symbolic link in the /var/netflow directory is working fine as well. But if you check the file sizes of the files in /var/netflow/ft, all of them show only 88. I thought it was normal, until I ran the flowscan script and did tail -f /var/log/flowscan:

sleep 30...
sleep 30...
2004/06/16 15:55:28 working on file /var/netflow/ft-v05.2004-06-16.155000+0400...
2004/06/16 15:55:28 flowscan-1.020 CUFlow: Cflow::find took 0 wallclock secs ( 0.00 usr + 0.00 sys = 0.00 CPU) for 88 flow file bytes, flow hit ratio: 0/0
2004/06/16 15:55:28 flowscan-1.020 CUFlow: report took 0 wallclock secs ( 0.00 usr 0.00 sys + 0.00 cusr 0.01 csys = 0.01 CPU)

I believe that, according to flowscan, there is no data in any of the files in /var/netflow/ft except the netflow header. I confirmed this using flow-print:

# flow-print < ft-v05.2004-06-16.164500+0400
srcIP dstIP prot srcPort dstPort octets packets

I ran ethereal to make sure, and I can see the contents of the netflow export packet (source IP, prot, etc.), which means nothing is wrong with the packets sent from the router to my machine. I have tried setting localip:0 and remoteip:0, but with the same result. Maybe the problem is with flow-capture generating the output file? I don't see anything unusual in /var/log/messages, except:

Jun 16 15:38:38 zeus flow-capture[11368]: setsockopt(size=4194304)

I would appreciate any help.

Regards,
Himawan Nugroho

_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
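As an added example (not code from the original post, nor from flow-tools), here is a small NetFlow v5 datagram decoder that does the check a practitioner would want to do independently of flow-capture: confirm that what arrives on UDP port 2000 really is well-formed v5 export traffic with records in it. The 24-byte header and 48-byte record layouts are the standard Cisco v5 wire format; the "UDP, length 1464" that tcpdump printed above is exactly 24 + 30 × 48, i.e. a full 30-record v5 datagram, and `records_in_payload` encodes that arithmetic. The sample flows, the `build_v5` packer and the addresses 192.0.2.x are constructed test data for running the decoder offline, not captured traffic; the 10.110.1.1 → 10.3.128.220 flow simply reuses the exporter and collector addresses from the post.

```python
import struct
import ipaddress

# NetFlow v5 wire format (big-endian): a 24-byte header followed by up to
# 30 fixed 48-byte flow records.  Field order follows Cisco's v5 layout.
NF5_HEADER = struct.Struct(">HHIIIIBBH")
NF5_RECORD = struct.Struct(">IIIHHIIIIHHBBBBHHBBH")
NF5_MAX_RECORDS = 30

HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling_interval")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts",
                 "dOctets", "first", "last", "srcport", "dstport", "pad1",
                 "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")


def records_in_payload(udp_payload_len):
    """Record count a UDP payload of this size must carry; raise if impossible."""
    body = udp_payload_len - NF5_HEADER.size
    if body < 0 or body % NF5_RECORD.size:
        raise ValueError(f"{udp_payload_len} bytes is not a NetFlow v5 datagram")
    n = body // NF5_RECORD.size
    if n > NF5_MAX_RECORDS:
        raise ValueError(f"{n} records exceeds the v5 maximum of {NF5_MAX_RECORDS}")
    return n


def parse_v5(data):
    """Decode one v5 export datagram, checking version, count and total length."""
    if len(data) < NF5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    hdr = dict(zip(HEADER_FIELDS, NF5_HEADER.unpack_from(data, 0)))
    if hdr["version"] != 5:
        raise ValueError(f"version {hdr['version']} is not NetFlow v5")
    if hdr["count"] != records_in_payload(len(data)):
        raise ValueError(f"header count {hdr['count']} disagrees with {len(data)} bytes")
    flows = []
    for i in range(hdr["count"]):
        off = NF5_HEADER.size + i * NF5_RECORD.size
        rec = dict(zip(RECORD_FIELDS, NF5_RECORD.unpack_from(data, off)))
        for k in ("srcaddr", "dstaddr", "nexthop"):
            rec[k] = str(ipaddress.IPv4Address(rec[k]))
        flows.append(rec)
    return hdr, flows


def flow_print_rows(flows):
    """Same columns as flow-print's default output, for eyeballing the decode."""
    return [(f["srcaddr"], f["dstaddr"], f["prot"], f["srcport"], f["dstport"],
             f["dOctets"], f["dPkts"]) for f in flows]


def build_v5(flows, sys_uptime=0, unix_secs=0, flow_sequence=0):
    """Pack flow dicts into a v5 datagram.  Constructed test data, not an exporter."""
    if len(flows) > NF5_MAX_RECORDS:
        raise ValueError("v5 carries at most 30 records per datagram")
    out = bytearray(NF5_HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0,
                                    flow_sequence, 0, 0, 0))
    for f in flows:
        rec = {k: 0 for k in RECORD_FIELDS}   # unset fields (pads, ASNs, masks) are zero
        rec.update(f)
        for k in ("srcaddr", "dstaddr", "nexthop"):
            rec[k] = int(ipaddress.IPv4Address(rec[k]))
        out += NF5_RECORD.pack(*(rec[k] for k in RECORD_FIELDS))
    return bytes(out)


# Constructed sample flows (not captured traffic).  The first one reuses the
# exporter/collector pair from the post; 192.0.2.0/24 is documentation space.
SAMPLE_FLOWS = [
    {"srcaddr": "10.110.1.1", "dstaddr": "10.3.128.220", "srcport": 50323,
     "dstport": 2000, "prot": 17, "dPkts": 1, "dOctets": 1492},
    {"srcaddr": "192.0.2.10", "dstaddr": "192.0.2.20", "srcport": 40000,
     "dstport": 80, "prot": 6, "tcp_flags": 0x1b, "dPkts": 12, "dOctets": 9040},
]

if __name__ == "__main__":
    print("records in a 1464-byte payload:", records_in_payload(1464))
    hdr, flows = parse_v5(build_v5(SAMPLE_FLOWS, flow_sequence=1000))
    print("header:", hdr)
    print("srcIP dstIP prot srcPort dstPort octets packets")
    for row in flow_print_rows(flows):
        print(*row)
```

To use it against live traffic, feed `parse_v5` the UDP payload of a datagram captured on port 2000 (for example read from a pcap); a datagram that decodes with a non-zero count here but still yields an 88-byte flow-tools file points at the collector side rather than the exporter.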
