On Jun 16, "[EMAIL PROTECTED]" wrote:

You're sure you're listening on 2000? I had this happen to me a few weeks ago and I had forgotten to restart flow-capture after messing with the startup script. netstat confirms that you're listening on 2000?

> Hi,
> I installed flow-tool 0.67 on Fedora Core 2.
> Router is Cisco 6509 that is configured to export v5.
> The flow-capture option:
>
> /usr/local/netflow/bin/flow-capture -w /var/netflow/ft 10.3.128.220/10.110.1.1/2000 -S5 -V5 -E1G -n 287 -N 0 -R /usr/local/netflow/bin/linkme
>
> and I can see my machine has received data from my router
>
> # tcpdump -n udp port 2000
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 15:53:21.461403 IP 10.110.1.1.50323 > 10.3.128.220.2000: UDP, length 1464
> 15:53:30.462434 IP 10.110.1.1.50323 > 10.3.128.220.2000: UDP, length 1464
>
> then I checked the /var/netflow/ft, and I can see the flow-capture has written the output to this directory:
>
> -rw-r--r-- 1 root root 88 Jun 16 15:35 ft-v05.2004-06-16.153001+0400
> -rw-r--r-- 1 root root 88 Jun 16 15:40 ft-v05.2004-06-16.153839+0400
> -rw-r--r-- 1 root root 88 Jun 16 15:45 ft-v05.2004-06-16.154001+0400
> -rw-r--r-- 1 root root 88 Jun 16 15:50 ft-v05.2004-06-16.154501+0400
> -rw-r--r-- 1 root root 80 Jun 16 15:20 tmp-v05.2004-06-16.152000+0400
>
> and I can see the symbolic link in /var/netflow directory is working fine as well.
> But if you check the filesize from the files in /var/netflow/ft, all are showing only 88.
>
> I thought it was normal, until I run the flowscan script, and tail -f /var/log/flowscan:
>
> sleep 30...
> sleep 30...
> 2004/06/16 15:55:28 working on file /var/netflow/ft-v05.2004-06-16.155000+0400...
> 2004/06/16 15:55:28 flowscan-1.020 CUFlow: Cflow::find took 0 wallclock secs ( 0.00 usr + 0.00 sys = 0.00 CPU) for 88 flow file bytes, flow hit ratio: 0/0
> 2004/06/16 15:55:28 flowscan-1.020 CUFlow: report took 0 wallclock secs ( 0.00 usr 0.00 sys + 0.00 cusr 0.01 csys = 0.01 CPU)
>
> I believe according to flowscan, there is no data from all files in /var/netflow/ft, except the netflow header
>
> I confirm this using flow-print:
>
> #flow-print < ft-v05.2004-06-16.164500+0400
> srcIP dstIP prot srcPort dstPort octets packets
>
> I run ethereal to make sure, and I can see inside the netflow export packet (source IP, prot etc)
> It means nothing is wrong with the packet sent from the router to my machine
>
> I have tried to make localip:0 and remoteip:0 but same result
>
> Maybe problem on flow-capture to generate output file?
> I don't see something unusual in /var/log/message, except:
> Jun 16 15:38:38 zeus flow-capture[11368]: setsockopt(size=4194304)

_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
