for your help!
Under my practical circumstances for collecting NetFlow data, I must use the
tcpdump method to capture the NetFlow data.
I've patched flow-import using ft-0.56-importpcap.diff (the URL is
http://www.net.informatik.tu-muenchen.de/~robin/flowtools/ft-0.56-importpcap.diff ).
This is a little patch that adds support for importing NetFlow packets in libpcap
format, so I can capture raw UDP NetFlow data with tcpdump and import it with
flow-import (using parameter -f1 to specify pcap format). But the effect hasn't
matched what I had expected.
The /usr/local/netflow/bin/flow-capture-init file is written as:
#!/bin/sh
# description: Start Flow-Capture
# chkconfig: 2345 95 00
case "$1" in
'start')
    # Capture the raw NetFlow UDP datagrams on port 555 with tcpdump, convert the
    # pcap stream with the patched flow-import (-f1 = pcap input, -b big = byte
    # order), and pipe the result to flow-capture, which writes the ft* files.
    tcpdump -i eth1 -n udp port 555 -s 5000 -w - \
        | /usr/local/netflow/bin/flow-import -V5 -b big -f1 \
        | /usr/local/netflow/bin/flow-capture -w /var/netflow/ft 0/0/555 -S5 -V5 -E1G \
              -n 287 -N 0 -R /usr/local/netflow/bin/linkme
    touch /var/lock/subsys/startflows
    ;;
'stop')
    # Killing flow-capture breaks the pipe, so flow-import and tcpdump exit as well.
    killall -9 /usr/local/netflow/bin/flow-capture
    rm -f /var/lock/subsys/startflows
    ;;
*)
    echo "Usage: $0 { start | stop }"
    ;;
esac
exit 0
####################################
After flow-capture-init had produced the ft* files, I used flow-cat and
flow-stat to see the content of the ft* files. The stdout showed that the ft* files
hadn't collected any NetFlow data.
I have tried the command:
tcpdump -i eth1 -n udp port 555 -s 5000 -w - \
    | /usr/local/netflow/bin/flow-import -b big -V1 -f1 \
    | /usr/local/netflow/bin/flow-print -p > /usr/local/netflow/bin/a.txt
tcpdump: listening on eth1
flow-import: ftpdu_seq_check: expected=282766298 received=348947179 lost=66180881
flow-import: ftpdu_seq_check: expected=348947269 received=282766298 lost=-66180972
108 packets received by filter
5 packets dropped by kernel
[EMAIL PROTECTED] /]# vi /usr/local/netflow/bin/a.txt
#
# mode: streaming
# compress: off
# byte order: big
# stream version: 3
# export version: 5
# comments: flow-import
#
srcIP dstIP prot srcPort dstPort octets packets
166.253.232.144 190.137.226.159 1 0 3331 939524096 16777216
1.1.226.159 137.145.215.131 17 13568 47512 3053977600 167772160
40.83.226.159 48.96.120.129 6 28311 5965 2415919104 50331648
25.204.127.202 41.98.46.207 6 20480 61414 3037986816 100663296
39.83.226.159 8.201.17.210 6 60822 13618 2415919104 50331648
1.1.226.159 119.26.240.63 17 13568 29801 2315255808 16777216
65.206.226.159 36.22.143.128 6 62989 20480 2986541056 285212672
12.210.226.159 218.24.146.62 6 62726 20480 2718040064 134217728
220.5.226.159 133.7.49.65 6 23559 11769 671088640 16777216
19.47.226.159 185.249.46.207 6 52729 20480 419561472 83886080
68.100.122.166 1.1.226.159 17 64753 13568 3909287936 201326592
246.65.179.208 251.21.72.210 1 0 3331 2818572288 50331648
41.83.226.159 115.39.163.80 17 43348 51736 2365587456 50331648
215.50.233.217 176.6.226.159 17 260 13568 2516910080 335544320
146.109.6.194 128.124.226.159 6 39173 41664 4261412864 67108864
35.138.226.159 69.202.229.61 6 14958 13317 950735616 2147680256
97.150.29.195 111.32.122.202 6 6792 6400 4026531840 67108864
100.100.121.61 12.128.38.202 6 20480 56980 570556416 83886080
211.159.226.159 52.88.136.221 6 36600 20480 3657891840 671088640
....................................................
The stdout shows some wrong information, because the srcPort and dstPort values are
unreasonable: the port numbers are always far too big.
What should I do?
Thanks!
ChunJing Han
[EMAIL PROTECTED]
2004-07-20
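An added check, not part of the original mail, that tests one hypothesis for output like the above: that each field was decoded in the wrong byte order. The sample rows are copied from the quoted flow-print output; the "well-known port" plausibility heuristic and the threshold are my own assumptions, not flow-tools behaviour.

```python
import struct

# Constructed sample: rows copied from the flow-print output quoted in the mail,
# as (srcIP, dstIP, prot, srcPort, dstPort, octets, packets).
SAMPLE_ROWS = [
    ("1.1.226.159", "137.145.215.131", 17, 13568, 47512, 3053977600, 167772160),
    ("1.1.226.159", "119.26.240.63", 17, 13568, 29801, 2315255808, 16777216),
    ("65.206.226.159", "36.22.143.128", 6, 62989, 20480, 2986541056, 285212672),
    ("12.210.226.159", "218.24.146.62", 6, 62726, 20480, 2718040064, 134217728),
    ("68.100.122.166", "1.1.226.159", 17, 64753, 13568, 3909287936, 201326592),
    ("166.253.232.144", "190.137.226.159", 1, 0, 3331, 939524096, 16777216),
]

WELL_KNOWN_MAX = 1024  # assumption: ports below this are "well known"

def swap16(v):
    """Reinterpret a 16-bit field that was read with the wrong byte order."""
    return struct.unpack("<H", struct.pack(">H", v))[0]

def swap32(v):
    """Same for a 32-bit field (addresses and counters in NetFlow v5)."""
    return struct.unpack("<I", struct.pack(">I", v))[0]

def swap_ip(dotted):
    """An IPv4 address is a 32-bit field, so a byte-order error reverses its octets."""
    return ".".join(reversed(dotted.split(".")))

def swap_row(row):
    """Re-decode every field of one flow record in the opposite byte order."""
    src, dst, prot, sport, dport, octets, pkts = row
    return (swap_ip(src), swap_ip(dst), prot,
            swap16(sport), swap16(dport), swap32(octets), swap32(pkts))

def well_known_fraction(rows):
    """Share of TCP/UDP flows with a port below WELL_KNOWN_MAX on either side."""
    tcp_udp = [r for r in rows if r[2] in (6, 17)]
    if not tcp_udp:
        return 0.0
    hits = sum(1 for r in tcp_udp if r[3] < WELL_KNOWN_MAX or r[4] < WELL_KNOWN_MAX)
    return hits / len(tcp_udp)

def byte_order_looks_wrong(rows):
    """True when swapping all fields makes the ports markedly more plausible."""
    swapped = [swap_row(r) for r in rows]
    return well_known_fraction(swapped) > well_known_fraction(rows) + 0.5

if __name__ == "__main__":
    for r in SAMPLE_ROWS:
        print(r, "->", swap_row(r))
    print("byte order looks wrong:", byte_order_looks_wrong(SAMPLE_ROWS))
```

Under the swap, 13568 becomes 53 and 20480 becomes 80, and the ICMP row's 939524096 octets / 16777216 packets become 56 / 1; such a result argues for trying the other -b setting of flow-import rather than for a corrupt capture.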
_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools