1. nc -u 127.0.0.1 9999 < 2005011719

2. tcpdump -i lo0 -np -T cnfp port 9999

22:20:17.564479 IP 127.0.0.1.64542 > 127.0.0.1.9999: NetFlow v0, 0.045 uptime, 3419717328.3419717328, 1 recs
22:20:17.564691 IP 127.0.0.1.64542 > 127.0.0.1.9999: NetFlow vc255, 3232570.778 uptime, 3267297173.000458754, 31203 recs
22:20:17.564916 IP 127.0.0.1.64542 > 127.0.0.1.9999: NetFlow v455, 1115.648 uptime, 0.420610048, 3131 recs
22:20:17.565130 IP 127.0.0.1.64542 > 127.0.0.1.9999: NetFlow v0, 403701.760 uptime, 3482752603.3276195843, 0 recs
22:20:17.565359 IP 127.0.0.1.64542 > 127.0.0.1.9999: NetFlow vcbd4, 3419718.212 uptime, 93918420.001771008, 49476 recs
22:20:17.565577 IP 127.0.0.1.64542 > 127.0.0.1.9999: NetFlow v599, 1771.008 uptime, 0.320667648, 5021 recs
22:20:17.565749 IP 127.0.0.1.64542 > 127.0.0.1.9999: NetFlow v0, 0.096 uptime, 3419718280.3419721184, 2 recs
22:20:17.565962 IP 127.0.0.1.64542 > 127.0.0.1.9999: NetFlow vc346, 1035020.377 uptime, 3267297173.000458754, 52359 recs
22:20:17.566189 IP 127.0.0.1.64542 > 127.0.0.1.9999: NetFlow vc2be, 458.754 uptime, 2.000000096, 65429 recs
22:20:17.566401 IP 127.0.0.1.64542 > 127.0.0.1.9999: NetFlow v0, 471007.232 uptime, 3276196840.3276203583, 0 recs

It looks like the netflow from the file is restored incorrectly!

3. This is how the netflow stream from the Cisco looks:

22:23:18.032121 IP ***.4.50515 > ***.210.9800: NetFlow v5, 1555970.492 uptime, 1108408998.028044204, #3665659854, 30 recs
22:23:18.032238 IP ***.50515 > ***.9800: NetFlow v5, 1555970.492 uptime, 1108408998.028044204, #3665659884, 30 recs
22:23:18.032366 IP ***.50515 > ***.9800: NetFlow v5, 1555970.492 uptime, 1108408998.028044204, #3665659914, 30 recs

---

Kind Regards, Aleksey

On 14 Feb 2005 at 21:56, Aleksey Kuznetsov wrote:

> On 14 Feb 2005 at 10:39, Mike Hunter wrote:
>
> > By default, flow-capture listens for 15 minutes and then produces a
> > file with all the netflow it's gotten in that time...have you let it wait
> > 15 minutes?
>
> No.
>
> > To test your network/firewall setup, can you make sure that
>
> 00100 allow ip from any to any via lo0
>
> > nc -l -p 9999
> >
> > echo HELLO | nc localhost 9999
> >
> > Works? I know it shouldn't be a problem, but we should make sure.
>
> nc needs to be started with the '-u' option (UDP mode).
>
> With the help of tcpdump it is possible to see the packets,
> but they are not saved to the file!
>
> tcpdump -i lo0 port 9999
>
> 21:41:41.015337 IP localhost.63113 > localhost.9999: UDP, length: 8192
> 21:41:41.015548 IP localhost.63113 > localhost.9999: UDP, length: 8192
> 21:41:41.015799 IP localhost.63113 > localhost.9999: UDP, length: 8192
> 21:41:41.016010 IP localhost.63113 > localhost.9999: UDP, length: 8192
>
> ---
>
> When gathering netflow directly from the Cisco with the help of
> flow-capture (on port 9800), everything is all right!
>
> The file grows constantly!
>
> With the help of tcpdump it is visible that the UDP packets here are
> smaller:
>
> 21:52:17.007546 IP ******.50515 > ******.9800: UDP, length: 1464
> 21:52:17.007669 IP ******.50515 > ******.9800: UDP, length: 1464
> 21:52:17.007797 IP ******.50515 > ******.9800: UDP, length: 1464
> 21:52:17.007919 IP ******.50515 > ******.9800: UDP, length: 1464
>
> Is that the problem?
>
> ---
>
> Kind Regards, Aleksey
>
> > Mike
> >
> > On Feb 14, "Aleksey Kuznetsov" wrote:
> >
> > > That is what I tried to do, but nothing came of it!
> > >
> > > 1. flow-capture -V5 -z5 -n1 -w /2/tmp 127.0.0.1/127.0.0.1/9999
> > >
> > > 2. ps -ax | grep flow-capture
> > >
> > > 3753 ?? Ss 0:00,00 flow-capture -V5 -z5 -n1 -w /2/tmp 127.0.0.1/127.0.0.1.9999
> > >
> > > 3. ls -l 2005011719
> > >
> > > -rw-r--r-- 1 root wheel 165216792 14 feb 21:17 2005011719
> > >
> > > 4. nc 127.0.0.1 9999 < 2005011719
> > >
> > > 5. ls -l
> > >
> > > total 2
> > > -rw-r--r-- 1 root wheel 84 14 ЖЕЧ 21:23 tmp-v05.2005-02-14.212313+0300
> > >
> > > Any other options?
> > >
> > > Kind Regards, Aleksey
> > >
> > > On 14 Feb 2005 at 9:28, Mike Hunter wrote:
> > >
> > > > On Feb 13, "Aleksey Kuznetsov" wrote:
> > > >
> > > > > Hello!
> > > > >
> > > > > I have netflow data, collected with the help of netcat.
> > > > > Is it possible to convert it to the flow-tools format?
> > > >
> > > > It's kind of ghetto, but you could do this:
> > > >
> > > > flow-capture ... 127.0.0.1/127.0.0.1/9999
> > > >
> > > > nc localhost 9999 < my_flow_stuff
> > > >
> > > > I didn't see an option in flow-import to do it more cleanly...

_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
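
Added example, not part of the original thread: nc -u sent the file in 8192-byte chunks, while the router's export packets were 1464 bytes each (a 24-byte v5 header plus 30 records of 48 bytes), so the chunk boundaries do not line up with the headers. The Python code below re-splits a capture on the v5 headers and sends each datagram in its own UDP packet. It assumes the file holds raw NetFlow v5 payloads back to back; the function names and the sample data are constructed for illustration.

```python
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")  # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
V5_RECORD_LEN = 48                        # bytes per v5 flow record
MAX_RECORDS = 30                          # most records a v5 export datagram carries


def split_v5(blob):
    """Yield each complete NetFlow v5 datagram found in concatenated payloads."""
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < V5_HEADER.size:
            raise ValueError(f"truncated header at offset {offset}")
        version, count = V5_HEADER.unpack_from(blob, offset)[:2]
        if version != 5 or not 1 <= count <= MAX_RECORDS:
            raise ValueError(f"no v5 header at offset {offset}: version={version}, count={count}")
        end = offset + V5_HEADER.size + count * V5_RECORD_LEN
        if end > len(blob):
            raise ValueError(f"truncated datagram at offset {offset}")
        yield blob[offset:end]
        offset = end


def versions_seen_in_chunks(blob, chunk=8192):
    """Version field a decoder reads when the blob is cut into fixed-size chunks."""
    return [struct.unpack_from("!H", blob, i)[0] for i in range(0, len(blob) - 1, chunk)]


def replay(blob, host="127.0.0.1", port=9999):
    """Send every datagram in its own UDP packet; return the number sent."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for datagram in split_v5(blob):
            sock.sendto(datagram, (host, port))
            sent += 1
    return sent


def make_v5(count, seq):
    """Constructed sample datagram: real header layout, zero-filled records."""
    header = V5_HEADER.pack(5, count, 1555970492, 1108408998, 28044204, seq, 0, 0, 0)
    return header + bytes(count * V5_RECORD_LEN)


if __name__ == "__main__":
    capture = b"".join(make_v5(30, n * 30) for n in range(6)) + make_v5(7, 180)  # constructed
    print([len(d) for d in split_v5(capture)])   # datagram sizes recovered from the headers
    print(versions_seen_in_chunks(capture))      # what fixed 8192-byte cuts decode as "version"
```

For a real file, read it in binary mode and pass the bytes to replay() while flow-capture is listening on the chosen port.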
