Hi Mike and all,

Yes, according to netstat it's listening on port 2000

I have found the problem
My mistake, forgive my semi-intelligent mind

It was a wrong iptables configuration
Flow-capture is listening on port 2000
But in my iptables I allow udp port 2005

Thanks for the reply

Regards,
Himawan


On Sat, 2004-06-19 at 01:43, Mike Hunter wrote:
> On Jun 16, "[EMAIL PROTECTED]" wrote:
> 
> You're sure you're listening on 2000?  I had this happen to me a few weeks
> ago and I had forgotten to restart flow-capture after messing with the
> startup script.  netstat confirms that you're listening on 2000?
> 
> > Hi,
> > I installed flow-tool 0.67 on Fedora Core 2. 
> > Router is Cisco 6509 that is configured to export v5.
> > The flow-capture option:
> > 
> > /usr/local/netflow/bin/flow-capture -w /var/netflow/ft 
> > 10.3.128.220/10.110.1.1/2000 -S5 -V5 -E1G -n 287 -N 0 -R 
> > /usr/local/netflow/bin/linkme
> > 
> > and I can see my machine has received data from my router
> > 
> > # tcpdump -n udp port 2000
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> > 15:53:21.461403 IP 10.110.1.1.50323 > 10.3.128.220.2000: UDP, length 1464
> > 15:53:30.462434 IP 10.110.1.1.50323 > 10.3.128.220.2000: UDP, length 1464
> > 
> > then I checked the /var/netflow/ft, and I can see the flow-capture has written the 
> > output to this directory:
> > 
> > -rw-r--r-- 1 root root 88 Jun 16 15:35 ft-v05.2004-06-16.153001+0400
> > -rw-r--r-- 1 root root 88 Jun 16 15:40 ft-v05.2004-06-16.153839+0400
> > -rw-r--r-- 1 root root 88 Jun 16 15:45 ft-v05.2004-06-16.154001+0400
> > -rw-r--r-- 1 root root 88 Jun 16 15:50 ft-v05.2004-06-16.154501+0400
> > -rw-r--r-- 1 root root 80 Jun 16 15:20 tmp-v05.2004-06-16.152000+0400
> > 
> > and I can see the symbolic link in /var/netflow directory is working fine as well.
> > But if you check the filesize from the files in /var/netflow/ft, all are showing 
> > only 88.
> > 
> > I thought it was normal, until I ran the flowscan script, and tail -f 
> > /var/log/flowscan:
> > 
> > sleep 30...
> > sleep 30...
> > 2004/06/16 15:55:28 working on file /var/netflow/ft-v05.2004-06-16.155000+0400...
> > 2004/06/16 15:55:28 flowscan-1.020 CUFlow: Cflow::find took 0 wallclock secs ( 
> > 0.00 usr + 0.00 sys = 0.00 CPU) for 88 flow file bytes, flow hit ratio: 0/0
> > 2004/06/16 15:55:28 flowscan-1.020 CUFlow: report took 0 wallclock secs ( 0.00 usr 
> > 0.00 sys + 0.00 cusr 0.01 csys = 0.01 CPU)
> > 
> > I believe according to flowscan, there is no data from all files in 
> > /var/netflow/ft, except the netflow header
> > 
> > I confirm this using flow-print:
> > 
> > #flow-print < ft-v05.2004-06-16.164500+0400
> > srcIP            dstIP            prot  srcPort  dstPort  octets      packets 
> > 
> > I ran ethereal to make sure, and I can see inside the netflow export packet 
> > (source IP, prot etc)
> > It means nothing is wrong with the packet sent from the router to my machine
> > 
> > I have tried to make localip:0 and remoteip:0 but got the same result
> > 
> > Maybe a problem with flow-capture generating the output file?
> > I don't see something unusual in /var/log/message, except:
> > Jun 16 15:38:38 zeus flow-capture[11368]: setsockopt(size=4194304)
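The root cause above (tcpdump showing the export packets while the collector wrote header-only files, because the firewall accepted UDP 2005 instead of 2000) is easy to miss since tcpdump sees traffic before netfilter's INPUT chain drops it. The following script is an added example, not code from the thread or from flow-tools: it cross-checks the UDP port a collector process listens on against the ports iptables accepts, using constructed stand-ins for `iptables-save` and `netstat -lnup` output that mirror the numbers in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): confirm the UDP port flow-capture
# listens on is actually ACCEPTed by the host firewall. tcpdump hooks the
# interface before netfilter's INPUT chain, so seeing packets in tcpdump
# does not prove the daemon ever received them.

# Constructed sample data standing in for `iptables-save` output
# (firewall opened for 2005, everything else dropped).
SAMPLE_IPTABLES='-A INPUT -p udp -m udp --dport 2005 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP'

# Constructed sample data standing in for `netstat -lnup` output
# (collector bound to UDP 2000).
SAMPLE_NETSTAT='udp   0   0 0.0.0.0:2000   0.0.0.0:*   11368/flow-capture'

# listening_udp_port PROC NETSTAT_OUTPUT
# Prints the local UDP port owned by PROC (first match); prints nothing if absent.
listening_udp_port() {
  printf '%s\n' "$2" | awk -v proc="$1" \
    '$1 == "udp" && $NF ~ proc { sub(/.*:/, "", $4); print $4; exit }'
}

# udp_dport_accepted PORT IPTABLES_SAVE_OUTPUT
# Succeeds (exit 0) if some INPUT rule ACCEPTs UDP to exactly PORT.
udp_dport_accepted() {
  printf '%s\n' "$2" | awk -v port="$1" '
    /^-A INPUT / && /-p udp/ && /-j ACCEPT/ && $0 ~ ("--dport " port "( |$)") { ok = 1; exit }
    END { exit ok ? 0 : 1 }'
}

# check_collector PROC IPTABLES_SAVE_OUTPUT NETSTAT_OUTPUT
# Prints one of: not-listening, ok:<port>, blocked:<port>
check_collector() {
  port=$(listening_udp_port "$1" "$3")
  if [ -z "$port" ]; then
    echo not-listening
  elif udp_dport_accepted "$port" "$2"; then
    echo "ok:$port"
  else
    echo "blocked:$port"
  fi
}

check_collector flow-capture "$SAMPLE_IPTABLES" "$SAMPLE_NETSTAT"   # prints blocked:2000
```

On a real host replace the two samples with `iptables-save` and `netstat -lnup` output; a `blocked:<port>` result is the mismatch described in this thread.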

_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools