I hope that someone can help me with capturing version 5 netflow from 2
source devices using 2 different ports.
Background:

Flow Collector
OS: Debian Linux, IP 192.168.47.yyy
Flow-tools: dpkg -l| fgrep flow-tools
ii  flow-tools     0.67-6         collects and processes NetFlow data
kernel 2.4.27-1-386

Flow Devices:
Cisco 6509s for both devices; I am told they are configured exactly alike.


We have successfully set up a single flow using UDP port 9105 from a 6509 with
IP 192.168.47.xxx using the command line below, and we are getting netflow files
every minute:

/usr/bin/flow-capture -w /var/flow/router1 -n 1439 -E 200G 192.168.47.yyy/192.168.47.xxx/9105

I have another source 6509 with IP 130.199.xxx.xx using UDP port 9110, and
using the command line below I get 92-byte files for each minute. This is a
much busier device than router1, which is creating larger files. Flow-stat
shows the router2 files to have no data, while the same command on router1 shows
traffic.

/usr/bin/flow-capture-router2 -w /var/flow/router2 -n 1439 -V 5 192.168.47.yyy/130.199.xxx.xx/9110
If I do not use the -V flag, I get no files created at all.

Flow-stat output:

#flow-cat ft-v05.2005-02-23.091801-0500 |flow-stat -f0
#  --- ---- ---- Report Information --- --- ---
#
# Fields:    Total
# Symbols:   Disabled
# Sorting:   None
# Name:      Overall Summary
#
# Args:      flow-stat -f0


I have run tcpdump using the command line "tcpdump -ni port 9110", which
shows traffic being received as below:

09:27:20.852231 IP 130.199.xxx.xx.50968 > 192.168.47.xxx.9110: UDP, length: 1416
09:27:20.852536 IP 130.199.xxx.xx.50968 > 192.168.47.xxx.9110: UDP, length: 1416

I also captured the tcpdump traffic to a file and looked at it in Ethereal
and confirmed that it was v5.

I run netstat -l -4:

iidsdbsvr:/etc/flow-tools/cfg# netstat -l -4
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 localhost.localdom:smtp *:*                     LISTEN
udp        0      0 flow-tools.s47.bnl:9105 *:*
udp        0      0 flow-tools.s47.bnl:9110 *:*


The only entry in syslog:

Feb 23 09:11:53 iidsdbsvr flow-capture-anubis[6187]:
setsockopt(size=4194304)

What debug levels are available with the -d switch? Is the output logged to
syslog?


Please let me know if you need any additional information.

Thanks,
Ian 
_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
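The tcpdump lines above show 1416-byte UDP payloads, which is exactly one NetFlow v5 header (24 bytes) plus 29 records of 48 bytes each, so the exporter is sending full, well-formed v5 datagrams. The script below is an added example, not code from the original post or from flow-tools: it decodes v5 datagrams with the standard header and record layout, reports how many records a given UDP length implies, and applies the two checks a collector bound to a localip/remoteip/port triple makes before it stores anything (source address matches the configured exporter, payload parses as v5). The exporter address 130.199.0.1 and the flow records are constructed sample data, not values from the post.

```python
"""Decode NetFlow v5 datagrams the way a collector must before it can write
any records.  Added example; constructed sample data, not flow-tools code."""
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")    # 48-byte v5 flow record
V5_MAX_RECORDS = 30                                      # v5 exporters send at most 30 per datagram


def records_in_packet(udp_len):
    """Number of v5 records a UDP payload of udp_len bytes would hold,
    or None if udp_len is not a legal v5 datagram size."""
    body = udp_len - V5_HEADER.size
    if body < 0 or body % V5_RECORD.size:
        return None
    n = body // V5_RECORD.size
    return n if 1 <= n <= V5_MAX_RECORDS else None


def parse_v5(payload):
    """Return (header_dict, [record_dict, ...]); raise ValueError on malformed input."""
    if len(payload) < V5_HEADER.size:
        raise ValueError("short header: %d bytes" % len(payload))
    (version, count, uptime, secs, nsecs, seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(payload, 0)
    if version != 5:
        raise ValueError("not NetFlow v5: version %d" % version)
    if len(payload) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("length %d does not match count %d" % (len(payload), count))
    header = {"version": version, "count": count, "sys_uptime": uptime,
              "unix_secs": secs, "unix_nsecs": nsecs, "flow_sequence": seq,
              "engine_type": engine_type, "engine_id": engine_id,
              "sampling_interval": sampling}
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(payload, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "srcaddr": socket.inet_ntoa(f[0]), "dstaddr": socket.inet_ntoa(f[1]),
            "nexthop": socket.inet_ntoa(f[2]), "input": f[3], "output": f[4],
            "dPkts": f[5], "dOctets": f[6], "first": f[7], "last": f[8],
            "srcport": f[9], "dstport": f[10], "tcp_flags": f[12],
            "prot": f[13], "tos": f[14], "src_as": f[15], "dst_as": f[16],
            "src_mask": f[17], "dst_mask": f[18]})
    return header, records


def build_v5(records, flow_sequence=0, unix_secs=1109169480):
    """Encode a list of record dicts as one v5 datagram (constructed test data)."""
    if not 1 <= len(records) <= V5_MAX_RECORDS:
        raise ValueError("v5 datagrams carry 1..30 records")
    out = [V5_HEADER.pack(5, len(records), 0, unix_secs, 0, flow_sequence, 0, 0, 0)]
    for r in records:
        out.append(V5_RECORD.pack(
            socket.inet_aton(r["srcaddr"]), socket.inet_aton(r["dstaddr"]),
            socket.inet_aton(r.get("nexthop", "0.0.0.0")),
            r.get("input", 0), r.get("output", 0), r["dPkts"], r["dOctets"],
            r.get("first", 0), r.get("last", 0), r["srcport"], r["dstport"],
            0, r.get("tcp_flags", 0), r["prot"], r.get("tos", 0),
            r.get("src_as", 0), r.get("dst_as", 0),
            r.get("src_mask", 0), r.get("dst_mask", 0), 0))
    return b"".join(out)


def accept_datagram(src_ip, payload, expected_exporter):
    """Checks a collector configured with localip/remoteip/port makes before
    storing anything: the source must be the configured exporter and the
    payload must parse as v5.  Returns (accepted, reason)."""
    if src_ip != expected_exporter:
        return False, "source %s is not the configured exporter %s" % (src_ip, expected_exporter)
    try:
        header, records = parse_v5(payload)
    except ValueError as e:
        return False, str(e)
    return True, "%d records, sequence %d" % (len(records), header["flow_sequence"])


if __name__ == "__main__":
    # Constructed sample: two flows from a hypothetical exporter 130.199.0.1
    sample = build_v5([
        {"srcaddr": "10.0.0.1", "dstaddr": "10.0.0.2", "dPkts": 10, "dOctets": 1200,
         "srcport": 50968, "dstport": 9110, "prot": 17},
        {"srcaddr": "10.0.0.3", "dstaddr": "10.0.0.4", "dPkts": 3, "dOctets": 180,
         "srcport": 44321, "dstport": 22, "prot": 6, "tcp_flags": 0x12},
    ], flow_sequence=42)
    print(accept_datagram("130.199.0.1", sample, "130.199.0.1"))
    print(accept_datagram("192.168.47.1", sample, "130.199.0.1"))
    print("a 1416-byte datagram holds", records_in_packet(1416), "v5 records")
```

To apply this to a real capture, feed the UDP payload bytes from a pcap (for instance via scapy's `raw(pkt[UDP].payload)`) to `accept_datagram` with the source address and the configured remoteip; a rejection reason of "source ... is not the configured exporter" means the datagrams match the port but not the remoteip in the flow-capture argument, which is the first thing to rule out when files are written but stay empty.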