>for your help!
> Under my practical circumstances of collecting Netflow data, I must use the
>tcpdump method to capture the Netflow data.
> I've patched the flow-import using the ft-0.56-importpcap.diff (the URL is
>http://www.net.informatik.tu-muenchen.de/~robin/flowtools/ft-0.56-importpcap.diff ).
>This is a little patch that adds support for importing NetFlow packets in libpcap
>format, so I can capture raw UDP NetFlow data with tcpdump and import it with
>flow-import (using parameter -f1 to specify pcap format). But the effect hasn't
>accorded with what I had expected.
> The /usr/local/netflow/bin/flow-capture-init file is written:
>#!/bin/sh
># description: Start Flow-Capture
># chkconfig: 2345 95 00
>
>case "$1" in
>'start')
>
>tcpdump -i eth1 -n udp port 555 -s 5000 -w - | \
>/usr/local/netflow/bin/flow-import -V5 -b big -f1 | \
>/usr/local/netflow/bin/flow-capture -w /var/netflow/ft 0/0/555 -S5 -V5 -E1G -n 287 -N 0 -R /usr/local/netflow/bin/linkme
>touch /var/lock/subsys/startflows
>;;
>'stop')
>
>killall -9 /usr/local/netflow/bin/flow-capture
>rm -f /var/lock/subsys/startflows
>;;
>
>*)
>
>echo "Usage: $0 { start | stop }"
>;;
>
>esac
>exit 0
>####################################
>After the flow-capture-init hasn't produced the ft* files, I use the flow-cat and
>flow-stat to see the content of the ft* files. The stdout shows the ft* files
>haven't collected a netflow data flow.
>
>I have tried the command:
>tcpdump -i eth1 -n udp port 555 -s 5000 -w - | \
>/usr/local/netflow/bin/flow-import -b big -V1 -f1 | \
>/usr/local/netflow/bin/flow-print -p >/usr/local/netflow/bin/a.txt
>tcpdump: listening on eth1
>flow-import: ftpdu_seq_check: expected=282766298 received=348947179 lost=66180881
>flow-import: ftpdu_seq_check: expected=348947269 received=282766298 lost=-66180972
>
>108 packets received by filter
>5 packets dropped by kernel
>
>[EMAIL PROTECTED] /]# vi /usr/local/netflow/bin/a.txt
>
>#
># mode: streaming
># compress: off
># byte order: big
># stream version: 3
># export version: 5
># comments: flow-import
>#
>srcIP dstIP prot srcPort dstPort octets packets
>166.253.232.144 190.137.226.159 1 0 3331 939524096 16777216
>1.1.226.159 137.145.215.131 17 13568 47512 3053977600 167772160
>40.83.226.159 48.96.120.129 6 28311 5965 2415919104 50331648
>25.204.127.202 41.98.46.207 6 20480 61414 3037986816 100663296
>39.83.226.159 8.201.17.210 6 60822 13618 2415919104 50331648
>1.1.226.159 119.26.240.63 17 13568 29801 2315255808 16777216
>65.206.226.159 36.22.143.128 6 62989 20480 2986541056 285212672
>12.210.226.159 218.24.146.62 6 62726 20480 2718040064 134217728
>220.5.226.159 133.7.49.65 6 23559 11769 671088640 16777216
>19.47.226.159 185.249.46.207 6 52729 20480 419561472 83886080
>68.100.122.166 1.1.226.159 17 64753 13568 3909287936 201326592
>246.65.179.208 251.21.72.210 1 0 3331 2818572288 50331648
>41.83.226.159 115.39.163.80 17 43348 51736 2365587456 50331648
>215.50.233.217 176.6.226.159 17 260 13568 2516910080 335544320
>146.109.6.194 128.124.226.159 6 39173 41664 4261412864 67108864
>35.138.226.159 69.202.229.61 6 14958 13317 950735616 2147680256
>97.150.29.195 111.32.122.202 6 6792 6400 4026531840 67108864
>100.100.121.61 12.128.38.202 6 20480 56980 570556416 83886080
>211.159.226.159 52.88.136.221 6 36600 20480 3657891840 671088640
>
> ....................................................
>The stdout shows some wrong information, because the srcport and the dstport are
>impossible in reason, and always too big a port number.
>What should I do?
>Thanks!
>
> ChunJing Han
>[EMAIL PROTECTED]
> 2004-07-20
= = = = = = = = = = = = = = = = = = = =
Best regards!
ChunJing Han
[EMAIL PROTECTED]
2004-07-20
_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
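
An added example, not part of the original message or of flow-tools: it re-reads four rows of the flow-print output quoted above with every multi-byte field byte-reversed, on the assumption that the fields were decoded in the wrong byte order. The function names and the more-than-half threshold in the heuristic are choices made for this example.

```python
import struct

# Rows copied from the flow-print output quoted above (a four-row sample).
SAMPLE = [
    "166.253.232.144 190.137.226.159 1 0 3331 939524096 16777216",
    "1.1.226.159 137.145.215.131 17 13568 47512 3053977600 167772160",
    "25.204.127.202 41.98.46.207 6 20480 61414 3037986816 100663296",
    "12.210.226.159 218.24.146.62 6 62726 20480 2718040064 134217728",
]

def swap16(value):
    """Reverse the byte order of a 16-bit field (ports)."""
    return struct.unpack("<H", struct.pack(">H", value))[0]

def swap32(value):
    """Reverse the byte order of a 32-bit field (octet and packet counters)."""
    return struct.unpack("<I", struct.pack(">I", value))[0]

def swap_ip(dotted):
    """Reverse the four bytes of a dotted-quad IPv4 address."""
    return ".".join(reversed(dotted.split(".")))

def reinterpret(row):
    """Return the row with every multi-byte field byte-reversed."""
    src, dst, prot, sport, dport, octets, packets = row.split()
    return {
        "src": swap_ip(src), "dst": swap_ip(dst), "prot": int(prot),
        "sport": swap16(int(sport)), "dport": swap16(int(dport)),
        "octets": swap32(int(octets)), "packets": swap32(int(packets)),
    }

def looks_byte_swapped(rows):
    """Heuristic (assumption of this example): a small 32-bit counter read in
    the wrong byte order has its two low-order bytes zero, so flag the capture
    when more than half of the non-zero packet counters show that pattern."""
    counts = [int(r.split()[6]) for r in rows]
    hits = sum(1 for c in counts if c and (c & 0xFFFF) == 0)
    return hits * 2 > len(counts)

if __name__ == "__main__":
    print("byte-swapped pattern:", looks_byte_swapped(SAMPLE))
    for row in SAMPLE:
        f = reinterpret(row)
        print(f["src"], f["dst"], f["prot"], f["sport"], f["dport"],
              f["octets"], f["packets"])
```

When the reversed values fall into ordinary ranges (ports such as 53 and 80, packet counts in single or double digits), the byte-order handling in the import step is the first thing to check.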