I've been trying to get flow-tools to work for the past couple of days,
but all the flow files seem to be empty. I was using ntop for a little
while to test out flow reporting (and it worked), but I think I'm going
to move over to Cacti so I can get NetFlow and SNMP all in one place.
I'm running this on Ubuntu, by the way. Any ideas on what I can do?

There aren't any firewall rules to prevent anything:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
I can see all of the incoming flows:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:49:23.288138 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
15:49:34.283227 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 936
15:49:48.290208 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
15:49:55.287958 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
15:50:02.288658 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
15:50:03.288547 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
15:50:04.289581 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
15:50:07.293188 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
15:50:08.325804 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
I start up flow-capture:
sudo flow-capture -V5 -d7 -E5M -S1 -w /var/flow/ams 0/0/2058
I can see that the port is up, but it's not in the listening state, if
that makes a difference:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      4400/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4579/apache2
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      4887/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      4887/sshd
udp        0      0 0.0.0.0:2058            0.0.0.0:*                           5131/flow-capture
udp        0      0 127.0.0.1:161           0.0.0.0:*                           4500/snmpd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           3988/dhclient3
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     13342  4400/mysqld         /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     13222  4308/dbus-daemon    /var/run/dbus/system_bus_socket
I see all of the flow files being created:
Cacti:/var/flow/ams/2009/2009-04/2009-04-17$ ls -l
total 32
-rw-r--r-- 1 root root 88 2009-04-17 15:30 ft-v05.2009-04-17.152325-0400
-rw-r--r-- 1 root root 88 2009-04-17 15:44 ft-v05.2009-04-17.153001-0400
-rw-r--r-- 1 root root 88 2009-04-17 15:53 ft-v05.2009-04-17.155206-0400
-rw-r--r-- 1 root root 88 2009-04-17 16:00 ft-v05.2009-04-17.155424-0400
-rw-r--r-- 1 root root 88 2009-04-17 16:01 ft-v05.2009-04-17.160001-0400
-rw-r--r-- 1 root root 88 2009-04-17 16:15 ft-v05.2009-04-17.160344-0400
-rw-r--r-- 1 root root 88 2009-04-17 16:30 ft-v05.2009-04-17.161501-0400
-rw-r--r-- 1 root root 80 2009-04-17 16:30 tmp-v05.2009-04-17.163001-0400
But there's nothing in them:
flow-print < ft-v05.2009-04-17.152325-0400
srcIP            dstIP            prot  srcPort  dstPort  octets      packets
Not sure what this means, but it scrolls by in the message log:
Cacti:~$ tail /var/log/messages
Apr 17 16:03:52 Cacti flow-capture[5659]: remove/1 0 files
Apr 17 16:03:52 Cacti flow-capture[5659]: remove/2 0 files
Apr 17 16:03:53 Cacti flow-capture[5659]: remove/1 0 files
Apr 17 16:03:53 Cacti flow-capture[5659]: remove/2 0 files
Apr 17 16:03:54 Cacti flow-capture[5659]: remove/1 0 files
Apr 17 16:03:54 Cacti flow-capture[5659]: remove/2 0 files
Apr 17 16:03:55 Cacti flow-capture[5659]: remove/1 0 files
Apr 17 16:03:55 Cacti flow-capture[5659]: remove/2 0 files
Apr 17 16:03:56 Cacti flow-capture[5659]: remove/1 0 files
Apr 17 16:03:56 Cacti flow-capture[5659]: remove/2 0 files
I am running the NIC in promiscuous mode because I can't change the
settings on the routers just yet, but they're pointed at another VM on my
machine. Would this not work because it's not being pointed at
flow-tools? OK, well, I just ran it on the machine that all the flows are
pointed to, and it's not creating the flow files:
eth0      Link encap:Ethernet  HWaddr 00:0c:29:72:d8:d9
          inet addr:172.19.10.24  Bcast:172.19.10.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe72:d8d9/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:22694 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1597 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6293072 (6.2 MB)  TX bytes:201679 (201.6 KB)
          Interrupt:19 Base address:0x2000
_______________________________________________
Flow-tools mailing list
[email protected]
http://mailman.splintered.net/mailman/listinfo/flow-tools
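The following is an added example, not part of the original post and not code from the flow-tools project. The tcpdump lines in the post show the exporter sending UDP to 172.19.10.23:2058, while the ifconfig output shows the capturing host as 172.19.10.24. A UDP socket bound to 0.0.0.0:2058 is only handed datagrams whose destination address belongs to the host it runs on; promiscuous mode lets tcpdump see the exporter's traffic, but the IP stack still drops (or forwards) datagrams addressed to another host rather than delivering them to a local socket. The script below makes that check mechanical: it parses tcpdump summary lines, tests each datagram's length against NetFlow v5 framing (a 24-byte header plus up to 30 records of 48 bytes, so 1464 = 24 + 30*48 and 936 = 24 + 19*48), and reports whether a flow-capture socket on the given host could ever receive it. The two capture lines and the 172.19.10.24 address are taken from the post; the loopback address and the default listen port are assumptions.

```python
"""Check whether NetFlow v5 export datagrams seen by tcpdump can reach a
UDP collector socket (e.g. flow-capture) on this host.

Added example for the mailing-list post above; not flow-tools code.
"""
import re

# NetFlow v5 datagram framing: 24-byte header followed by up to 30
# 48-byte flow records, so a datagram carrying N records is 24 + 48*N bytes.
V5_HEADER_LEN = 24
V5_RECORD_LEN = 48
V5_MAX_RECORDS = 30

# One tcpdump summary line for an IPv4 UDP packet, as printed without -v.
TCPDUMP_UDP_RE = re.compile(
    r"^(?P<ts>\S+)\s+IP\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+UDP,\s+length\s+(?P<length>\d+)$"
)


def parse_tcpdump_udp(line):
    """Return a dict (ts, src, sport, dst, dport, length) for a tcpdump UDP
    summary line, or None if the line is not one."""
    m = TCPDUMP_UDP_RE.match(line.strip())
    if m is None:
        return None
    pkt = m.groupdict()
    for key in ("sport", "dport", "length"):
        pkt[key] = int(pkt[key])
    return pkt


def v5_record_count(udp_payload_len):
    """Number of NetFlow v5 records implied by a UDP payload length, or None
    if the length cannot be a v5 export datagram."""
    body = udp_payload_len - V5_HEADER_LEN
    if body < 0 or body % V5_RECORD_LEN != 0:
        return None
    records = body // V5_RECORD_LEN
    return records if records <= V5_MAX_RECORDS else None


def deliverable(pkt, local_addrs, listen_addr, listen_port):
    """True if the kernel would hand this datagram to a UDP socket bound to
    listen_addr:listen_port on a host that owns local_addrs.

    Promiscuous mode is irrelevant here: the NIC passing a frame up does
    not make the IP stack deliver a datagram addressed to another host.
    """
    if pkt["dport"] != listen_port:
        return False
    if pkt["dst"] not in local_addrs:
        return False  # addressed to someone else: dropped or forwarded
    # A wildcard bind accepts any local destination; a specific bind
    # only that address.
    return listen_addr in ("0.0.0.0", pkt["dst"])


def diagnose(tcpdump_lines, local_addrs, listen_addr="0.0.0.0", listen_port=2058):
    """Classify every UDP datagram in a capture. Each result carries the
    parsed fields plus 'v5_records' and 'deliverable'."""
    report = []
    for line in tcpdump_lines:
        pkt = parse_tcpdump_udp(line)
        if pkt is None:
            continue
        pkt["v5_records"] = v5_record_count(pkt["length"])
        pkt["deliverable"] = deliverable(pkt, local_addrs, listen_addr, listen_port)
        report.append(pkt)
    return report


# Sample input: two tcpdump lines copied from the post, and the interface
# address from its ifconfig output. 127.0.0.1 is assumed to be present.
SAMPLE_CAPTURE = [
    "15:49:23.288138 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464",
    "15:49:34.283227 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 936",
]
SAMPLE_LOCAL_ADDRS = {"172.19.10.24", "127.0.0.1"}


if __name__ == "__main__":
    for pkt in diagnose(SAMPLE_CAPTURE, SAMPLE_LOCAL_ADDRS):
        print(
            f"{pkt['ts']} {pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']} "
            f"len={pkt['length']} v5_records={pkt['v5_records']} "
            f"deliverable={pkt['deliverable']}"
        )
```

Run it with python3. For the post's data every row comes out as a well-formed v5 datagram (30 and 19 records) that is not deliverable on 172.19.10.24, which is consistent with flow-capture writing header-only files. Re-running with the export destination among the local addresses, which is what you get by running flow-capture on the host that owns 172.19.10.23 or by re-pointing the exporters at 172.19.10.24, flips every row to deliverable.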