Thanks for the quick reply.  When I run netstat I get the following:

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:32768 0.0.0.0:* LISTEN 1890/xinetd
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1580/mysqld
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1581/portmap
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 3890/perl
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 1817/X
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 1983/proftpd: (acce
tcp 0 0 0.0.0.0:983 0.0.0.0:* LISTEN 1649/rpc.statd
tcp 0 0 :::80 :::* LISTEN 5646/httpd2
tcp 0 0 :::22 :::* LISTEN 1867/sshd
tcp 0 0 :::443 :::* LISTEN 5646/httpd2
udp 0 0 0.0.0.0:2055 0.0.0.0:* 16318/flow-capture


Flow-capture appears to be on port 2055, but doesn't specifically say "LISTEN" like the things above it. Could this be a sign of the issue?

- Burr
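Burr's observation about the missing "LISTEN" is the expected behaviour rather than a symptom: UDP is connectionless, so netstat prints no state for UDP sockets, and the line only tells you which address and port the process is bound to. The parser below is an added example, not code from this thread or from flow-tools; it reads a saved `netstat -lnp` listing (sample lines reconstructed from the output above) and checks whether a collector process is bound on the expected UDP port and on an address that will actually receive the exporter's packets (the `check_collector` and `parse_netstat` names are mine).

```python
import re

# Constructed sample, modelled on the netstat -lnp listing posted in the thread.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:32768 0.0.0.0:* LISTEN 1890/xinetd
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1580/mysqld
tcp 0 0 :::22 :::* LISTEN 1867/sshd
udp 0 0 0.0.0.0:2055 0.0.0.0:* 16318/flow-capture
"""

# State column is optional: TCP listeners print LISTEN, UDP rows print nothing.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+"
    r"(?:(?P<state>LISTEN)\s+)?(?P<pid>\d+)/(?P<prog>\S+)"
)


def parse_netstat(text):
    """Return one dict per socket row; UDP rows carry state None."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header or unparseable row
        addr, _, port = m.group("local").rpartition(":")  # handles ":::22" too
        rows.append({"proto": m.group("proto"), "addr": addr, "port": int(port),
                     "state": m.group("state"), "pid": int(m.group("pid")),
                     "prog": m.group("prog")})
    return rows


def check_collector(text, prog, port, collector_ip, proto="udp"):
    """Verify `prog` owns a `proto` socket on `port` bound to an address that
    will receive datagrams sent to `collector_ip`. Returns (ok, reason)."""
    for r in parse_netstat(text):
        if r["prog"] != prog or r["proto"].rstrip("6") != proto:
            continue
        if r["port"] != port:
            return False, (f"{prog} is bound on port {r['port']}, not {port}; "
                           "stale config or process not restarted?")
        if r["addr"] in ("0.0.0.0", "::", collector_ip):
            return True, (f"{prog} (pid {r['pid']}) bound on {r['addr']}:{port}/{proto}; "
                          "no LISTEN state is printed for udp, which is normal")
        return False, (f"{prog} is bound on {r['addr']}, which will not receive "
                       f"packets addressed to {collector_ip}")
    return False, f"no {proto} socket owned by {prog}; is the process running?"


if __name__ == "__main__":
    print(check_collector(NETSTAT_SAMPLE, "flow-capture", 2055, "65.105.158.157"))
```

If the check passes but flow files stay at 108 bytes, the socket is not the problem and the next places to look are a host firewall dropping the datagrams or the exporter's flow version not matching what flow-capture was started with.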


----Original Message Follows----
From: Mike Hunter <[EMAIL PROTECTED]>
To: Jeremy Webb <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]
Subject: Re: [Flow-tools] empty flow files?
Date: Thu, 9 Sep 2004 13:57:36 -0700

On Sep 09, "Jeremy Webb" wrote:

[snip]

> I have set up flow-tools in conjunction with flowscan. Everything appears
> to be working correctly, other than the fact that my flow files appear to
> be empty. Each one has a file size of only 108 bytes. When something like
> this occurs, what usually seems to be the problem? Is it usually a problem
> with the configuration of the router sending the flows, or is it usually a
> problem with the flow-tools configuration not processing what it is
> receiving correctly?
>
> This is the kind of stuff I see in my flowscan log:
>
> 2004/09/09 10:50:04 working on file ft-v05.2004-09-09.104500-0600...
> 2004/09/09 10:50:04 flowscan-1.020 CUFlow: Cflow::find took 0 wallclock
> secs ( 0.01 usr + 0.00 sys = 0.01 CPU) for 108 flow file bytes, flow hit
> ratio: 0/0
> 2004/09/09 10:50:04 flowscan-1.020 CUFlow: report took 0 wallclock secs (
> 0.00 usr + 0.00 sys = 0.00 CPU)
> sleep 30...
> sleep 30...
>
> When I view tcpdump, I see a whole lot of this (moving in pretty quickly):
>
> 14:21:56.662608 IP 192.168.254.254.56133 > 65.105.158.157.2055: UDP,
> length: 1464
> 14:21:56.662813 IP 192.168.254.254.56133 > 65.105.158.157.2055: UDP,
> length: 1464
> 14:21:56.663306 IP 192.168.254.254.56133 > 65.105.158.157.2055: UDP,
> length: 1464
> 14:21:56.663593 IP 192.168.254.254.56133 > 65.105.158.157.2055: UDP,
> length: 1464
>
> This is my router config:
>
> ip flow-export version 5 peer-as
> ip flow-export source-interface Loopback 0 (This was added as a
> suggestion to fix our issue.)
> ip flow-export destination 65.105.158.157 2055
> ip flow-cache timeout active 1
> ip route-cache flow (This was assigned to all interfaces.)
>
> Thanks for your help.


What does sockstat -4 (freebsd) or netstat -l -4 (linux) say? Is flow-capture
listening on the correct port? I got burned once because I updated the
config file but forgot to restart the flow-capture process.


Mike


_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
