Additional info:

flow-receive 0/0/9110 | flow-print
flow-receive: setsockopt(size=4194304)
flow-receive: Cleaning up
flow-receive: flows stored/dropped by filter 0/0

Returns no results. 

flow-receive 0/0/9105 | flow-print
flow-receive: setsockopt(size=4194304)
flow-receive: New exporter: time=1109188436 src_ip=192.168.47.xxx dst_ip=192.168.47.yyy d_version=5

I took a look at the tcpdump files more closely from the two devices but can
see no difference in the output in ethereal. It sees 29 flow records in both
packets from each network device.       

I also downloaded the 0.67 tarball and built it. Same result as above.

Ian

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> Sent: Wednesday, February 23, 2005 9:52 AM
> To: '[email protected]'
> Subject: [Flow-tools] problems with flow capture
> 
> 
> I hope that someone can help me with capturing version 5 
> netflow from 2
> source devices using 2 different ports.
> Background:
> 
> Flow Collector
> Os: Debian Linux ip 192.168.47.yyy
> Flow-tools: dpkg -l| fgrep flow-tools
> ii  flow-tools     0.67-6         collects and processes NetFlow data
> kernel 2.4.27-1-386
> 
> Flow Devices:
> Cisco 6509s for both devices, I am told configured exactly alike
> 
> 
> We have setup successfully a single flow using UDP port 9105 
> from 6509 with
> ip 192.168.47.xxx using the command line below and getting 
> netflow files
> every minute:
> 
> /usr/bin/flow-capture -w /var/flow/router1 -n 1439 -E 200G 192.168.47.yyy/192.168.47.xxx/9105
> 
> I have another source 6509 with ip of 130.199.xxx.xx using 
> UDP port 9110 and
> using the command line below get 92 byte files for each 
> minute. This is a
> much busier device than router1 which is creating larger 
> files. Flow-stat
> shows router2 files to have no data, while the same command 
> on router1 shows
> traffic.
> 
> /usr/bin/flow-capture-router2 -w /var/flow/router2 -n 1439 -V 5 192.168.47.yyy/130.199.xxx.xx/9110
> If I do not use the -V flag, I get no files created at all.
> 
> Flow-stat output:
> 
> #flow-cat ft-v05.2005-02-23.091801-0500 |flow-stat -f0
> #  --- ---- ---- Report Information --- --- ---
> #
> # Fields:    Total
> # Symbols:   Disabled
> # Sorting:   None
> # Name:      Overall Summary
> #
> # Args:      flow-stat -f0
> 
> 
> I have run tcpdump using the command line  "tcpdump -ni port 
> 9110" which
> shows traffic being received as below:
> 
> 09:27:20.852231 IP 130.199.xxx.xx.50968 > 192.168.47.xxx.9110: UDP, length: 1416
> 09:27:20.852536 IP 130.199.xxx.xx.50968 > 192.168.47.xxx.9110: UDP, length: 1416
> 
> I also captured the tcpdump traffic to a file and looked at 
> it in Ethereal
> and confirmed that it was v5.
> 
> I run netstat -l -4:
> 
> iidsdbsvr:/etc/flow-tools/cfg# netstat -l -4
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 *:ssh                   *:*                     LISTEN
> tcp        0      0 localhost.localdom:smtp *:*                     LISTEN
> udp        0      0 flow-tools.s47.bnl:9105 *:*
> udp        0      0 flow-tools.s47.bnl:9110 *:*
> 
> 
> Only entry in syslog:
> 
> Feb 23 09:11:53 iidsdbsvr flow-capture-anubis[6187]: setsockopt(size=4194304)
> 
> What debug levels are available with the -d switch? Is the 
> output logged to
> syslog?
> 
> 
> Please let me know if you need any additional information.
> 
> Thanks,
> Ian 
> 
_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
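The thread above boils down to one question: do the 1416-byte UDP datagrams arriving on port 9110 actually satisfy the NetFlow v5 framing that flow-capture expects (a 24-byte header whose version field is 5, followed by exactly `count` 48-byte records, 1..30 of them)? flow-receive reporting nothing gives no reason. The following is an added example, not code from flow-tools or from the poster: a small Python parser that applies those framing checks to a raw datagram and says why a packet fails. The sample datagrams are constructed here (29 records, which is exactly 1416 bytes, matching the tcpdump lengths in the original message); the record field layout follows the public NetFlow v5 format, and the optional UDP listener at the bottom is a hypothetical diagnostic, not a flow-tools command.

```python
import struct
import socket
import sys
import ipaddress

# NetFlow v5 wire format: 24-byte header, then `count` records of 48 bytes each.
V5_HEADER = struct.Struct("!HHIIIIBBH")             # version, count, sys_uptime, unix_secs,
                                                    # unix_nsecs, flow_sequence, engine_type,
                                                    # engine_id, sampling_interval
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # srcaddr, dstaddr, nexthop, input, output,
                                                    # dPkts, dOctets, First, Last, srcport,
                                                    # dstport, pad1, tcp_flags, prot, tos,
                                                    # src_as, dst_as, src_mask, dst_mask, pad2


def parse_v5(datagram: bytes) -> dict:
    """Parse one NetFlow v5 datagram, enforcing the framing a collector relies on.

    Raises ValueError with a short reason instead of silently dropping the
    packet, which is what makes a broken export visible.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError(f"short header: {len(datagram)} bytes, need {V5_HEADER.size}")
    (version, count, _uptime, unix_secs, _nsecs,
     flow_seq, _etype, _eid, _sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not v5: version field is {version}")
    if not 1 <= count <= 30:
        raise ValueError(f"count {count} outside the v5 range 1..30")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"length {len(datagram)} != 24 + 48*{count} = {expected}")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "srcaddr": str(ipaddress.IPv4Address(f[0])),
            "dstaddr": str(ipaddress.IPv4Address(f[1])),
            "dpkts": f[5], "doctets": f[6],
            "srcport": f[9], "dstport": f[10], "prot": f[13],
        })
    return {"version": version, "count": count, "flow_sequence": flow_seq,
            "unix_secs": unix_secs, "records": records}


def check_datagram(datagram: bytes):
    """Return (True, summary) for a well-formed v5 datagram, else (False, reason)."""
    try:
        parsed = parse_v5(datagram)
    except ValueError as exc:
        return False, str(exc)
    return True, f"v5 count={parsed['count']} seq={parsed['flow_sequence']}"


def build_v5(flows, flow_seq=0, version=5, count=None) -> bytes:
    """Build a constructed v5 datagram from (src, dst, sport, dport, prot, pkts, octets).

    `count` may be forced to disagree with len(flows) to produce a broken packet.
    """
    body = b"".join(
        V5_RECORD.pack(int(ipaddress.IPv4Address(s)), int(ipaddress.IPv4Address(d)), 0,
                       1, 2, pk, oc, 1000, 2000, sp, dp, 0, 0, pr, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, pk, oc in flows)
    hdr = V5_HEADER.pack(version, len(flows) if count is None else count,
                         123456, 1109188436, 0, flow_seq, 0, 0, 0)
    return hdr + body


# Constructed sample: 29 flows -> 24 + 29*48 = 1416 bytes, the size seen in the thread's tcpdump.
SAMPLE_FLOWS = [("10.0.0.%d" % (i + 1), "10.0.1.%d" % (i + 1), 40000 + i, 53, 17, 1, 76)
                for i in range(29)]
SAMPLE_29 = build_v5(SAMPLE_FLOWS, flow_seq=4242)
# Constructed broken samples: header claims 29 records but carries 28; wrong version byte.
SAMPLE_TRUNCATED = build_v5(SAMPLE_FLOWS[:28], count=29)
SAMPLE_WRONG_VERSION = build_v5(SAMPLE_FLOWS[:3], version=9)


def listen_and_check(bind_ip: str, port: int, max_packets: int = 5) -> list:
    """Hypothetical diagnostic listener: report framing verdicts for a few datagrams."""
    verdicts = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        for _ in range(max_packets):
            data, (src, sport) = sock.recvfrom(65535)
            ok, reason = check_datagram(data)
            verdicts.append((src, sport, len(data), ok, reason))
            print(f"{src}:{sport} {len(data)} bytes -> {'OK' if ok else 'BAD'}: {reason}")
    return verdicts


if __name__ == "__main__":
    # Usage: python nf5check.py [bind_ip] [port]; stop flow-capture on that port first.
    listen_and_check(sys.argv[1] if len(sys.argv) > 1 else "0.0.0.0",
                     int(sys.argv[2]) if len(sys.argv) > 2 else 9110)
```

Running the listener in place of flow-capture on the quiet port distinguishes "datagrams arrive but are not v5-framed" from "datagrams arrive and parse fine", which is the split the original poster could not make from tcpdump alone.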
