Hi, flow-tools logs to syslog facility LOCAL6.
Look at /etc/syslog.conf, you might have to configure it to catch those messages.

==ml

On Sat, Apr 18, 2009 at 08:58:10AM -0400, Schultz, Brian wrote:
> Where can I see the syslog files?
> It's not netflow v9, these are older routers
>
>
> -----Original Message-----
> From: Craig Weinhold [mailto:[email protected]]
> Sent: Fri 4/17/2009 9:53 PM
> To: Schultz, Brian
> Subject: Re: [Flow-tools] Empty flow files
>
> What does syslog say? flow-tools does a good job of logging errors.
>
> Could the netflow format be v9 ? flow-tools won't understand it.
>
> -Craig
>
>
> On Fri, 17 Apr 2009, Schultz, Brian wrote:
>
> > I've been trying to get flow-tools to work for the past couple of days but
> > all the flow files seem to be empty. I was using ntop for a little while
> > to test out flow reporting (and it worked) but I think I'm going to move
> > over to Cacti so I can get netflow and snmp all in one place. I'm running
> > this on Ubuntu btw. Any ideas on what I can do?
> >
> > There aren't any firewall rules to prevent anything
> > Chain INPUT (policy ACCEPT)
> > target prot opt source destination
> >
> > Chain FORWARD (policy ACCEPT)
> > target prot opt source destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target prot opt source destination
> >
> > I can see all of the incoming flows
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> > 15:49:23.288138 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
> > 15:49:34.283227 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 936
> > 15:49:48.290208 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
> > 15:49:55.287958 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
> > 15:50:02.288658 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
> > 15:50:03.288547 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
> > 15:50:04.289581 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
> > 15:50:07.293188 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
> > 15:50:08.325804 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
> >
> > I start up flow-capture
> > sudo flow-capture -V5 -d7 -E5M -S1 -w /var/flow/ams 0/0/2058
> >
> > I can see that the port is up but it's not in the listening state if that
> > makes a difference
> > Active Internet connections (only servers)
> > Proto Recv-Q Send-Q Local Address Foreign Address State
> > PID/Program name
> > tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
> > 4400/mysqld
> > tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
> > 4579/apache2
> > tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
> > 4887/sshd
> > tcp6 0 0 :::22 :::* LISTEN
> > 4887/sshd
> > udp 0 0 0.0.0.0:2058 0.0.0.0:*
> > 5131/flow-capture
> > udp 0 0 127.0.0.1:161 0.0.0.0:*
> > 4500/snmpd
> > udp 0 0 0.0.0.0:68 0.0.0.0:*
> > 3988/dhclient3
> > Active UNIX domain sockets (only servers)
> > Proto RefCnt Flags Type State I-Node PID/Program name
> > Path
> > unix 2 [ ACC ] STREAM LISTENING 13342 4400/mysqld
> > /var/run/mysqld/mysqld.sock
> > unix 2 [ ACC ] STREAM LISTENING 13222 4308/dbus-daemon
> > /var/run/dbus/system_bus_socket
> >
> > I see all of the flow files being created
> > Cacti:/var/flow/ams/2009/2009-04/2009-04-17$ ls -l
> > total 32
> > -rw-r--r-- 1 root root 88 2009-04-17 15:30 ft-v05.2009-04-17.152325-0400
> > -rw-r--r-- 1 root root 88 2009-04-17 15:44 ft-v05.2009-04-17.153001-0400
> > -rw-r--r-- 1 root root 88 2009-04-17 15:53 ft-v05.2009-04-17.155206-0400
> > -rw-r--r-- 1 root root 88 2009-04-17 16:00 ft-v05.2009-04-17.155424-0400
> > -rw-r--r-- 1 root root 88 2009-04-17 16:01 ft-v05.2009-04-17.160001-0400
> > -rw-r--r-- 1 root root 88 2009-04-17 16:15 ft-v05.2009-04-17.160344-0400
> > -rw-r--r-- 1 root root 88 2009-04-17 16:30 ft-v05.2009-04-17.161501-0400
> > -rw-r--r-- 1 root root 80 2009-04-17 16:30 tmp-v05.2009-04-17.163001-0400
> >
> > But there's nothing in them
> > flow-print < ft-v05.2009-04-17.152325-0400
> > srcIP dstIP prot srcPort dstPort octets
> > packets
> >
> > not sure what this means but it scrolls by in the message log
> > Cacti:~$ tail /var/log/messages
> > Apr 17 16:03:52 Cacti flow-capture[5659]: remove/1 0 files
> > Apr 17 16:03:52 Cacti flow-capture[5659]: remove/2 0 files
> > Apr 17 16:03:53 Cacti flow-capture[5659]: remove/1 0 files
> > Apr 17 16:03:53 Cacti flow-capture[5659]: remove/2 0 files
> > Apr 17 16:03:54 Cacti flow-capture[5659]: remove/1 0 files
> > Apr 17 16:03:54 Cacti flow-capture[5659]: remove/2 0 files
> > Apr 17 16:03:55 Cacti flow-capture[5659]: remove/1 0 files
> > Apr 17 16:03:55 Cacti flow-capture[5659]: remove/2 0 files
> > Apr 17 16:03:56 Cacti flow-capture[5659]: remove/1 0 files
> > Apr 17 16:03:56 Cacti flow-capture[5659]: remove/2 0 files
> >
> > I am running the NIC in promiscuous mode because I can't change the
> > settings on the routers just yet but they're pointed at another VM on my
> > machine. Would this not work because it's not being pointed at flow-tools?
> > Ok well I just ran it on the machine that all the flows are pointed to and
> > it's not creating the flow files
> > eth0 Link encap:Ethernet HWaddr 00:0c:29:72:d8:d9
> > inet addr:172.19.10.24 Bcast:172.19.10.255 Mask:255.255.255.0
> > inet6 addr: fe80::20c:29ff:fe72:d8d9/64 Scope:Link
> > UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
> > RX packets:22694 errors:0 dropped:0 overruns:0 frame:0
> > TX packets:1597 errors:0 dropped:0 overruns:0 carrier:0
> > collisions:0 txqueuelen:1000
> > RX bytes:6293072 (6.2 MB) TX bytes:201679 (201.6 KB)
> > Interrupt:19 Base address:0x2000
> >
> >
>
> _______________________________________________
> Flow-tools mailing list
> [email protected]
> http://mailman.splintered.net/mailman/listinfo/flow-tools

-- 
Michael W. Lucas [email protected], [email protected]
http://www.BlackHelicopters.org/~mwlucas/
Latest book: Cisco Routers for the Desperate, 2nd Edition
http://www.CiscoRoutersForTheDesperate.com/
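Craig's question about the export version, and the UDP lengths in Brian's tcpdump output, point at two checks worth running on the raw export datagrams before blaming flow-capture. The Python below is an added example, not code from flow-tools or from anyone in the thread: it reads the NetFlow version field, parses a v5 datagram the way a `-V5` collector expects it (24-byte header, 48 bytes per record, at most 30 records per datagram), and tests whether a UDP payload length reported by tcpdump can be a well-formed v5 export at all. Function names and the sample datagrams are constructed for the example. It goes slightly beyond the thread in that the length check is generic; applied to the lengths 1464 and 936 seen above it gives 30 and 19 records, which is consistent with v5 exports.

```python
"""Sanity checks for NetFlow export datagrams arriving at a flow-capture host.

Added example; not flow-tools code. Sample datagrams below are constructed.
"""
import ipaddress
import struct

V5_HEADER_LEN = 24     # fixed NetFlow v5 header size in bytes
V5_RECORD_LEN = 48     # size of one v5 flow record
V5_MAX_RECORDS = 30    # v5 exporters send at most 30 records per datagram
V5_HEADER_FMT = "!HHIIIIBBH"            # version, count, sysUptime, unix_secs,
                                        # unix_nsecs, flow_sequence, engine_type,
                                        # engine_id, sampling_interval
V5_RECORD_FMT = "!IIIHHIIIIHHBBBBHHBBH"  # srcaddr, dstaddr, nexthop, input, output,
                                        # dPkts, dOctets, first, last, srcport,
                                        # dstport, pad1, tcp_flags, prot, tos,
                                        # src_as, dst_as, src_mask, dst_mask, pad2
V9_HEADER_FMT = "!HHIIII"               # version, count, sysUptime, unix_secs,
                                        # sequence, source_id


def netflow_version(payload):
    """NetFlow version from the first two bytes of a UDP payload, or None."""
    if len(payload) < 2:
        return None
    return struct.unpack("!H", payload[:2])[0]


def v5_record_count_from_length(udp_length):
    """Records a v5 datagram of this UDP payload length would carry,
    or None if no well-formed v5 export can have that length."""
    body = udp_length - V5_HEADER_LEN
    if body < 0 or body % V5_RECORD_LEN != 0:
        return None
    count = body // V5_RECORD_LEN
    if count == 0 or count > V5_MAX_RECORDS:
        return None
    return count


def parse_v5(payload):
    """Parse a v5 datagram into header fields and per-flow dicts.
    Raises ValueError when the datagram is not a well-formed v5 export."""
    if netflow_version(payload) != 5:
        raise ValueError("not a NetFlow v5 datagram")
    if len(payload) < V5_HEADER_LEN:
        raise ValueError("truncated v5 header")
    (version, count, _uptime, _secs, _nsecs, flow_sequence,
     _engine_type, _engine_id, _sampling) = struct.unpack(
        V5_HEADER_FMT, payload[:V5_HEADER_LEN])
    expected = V5_HEADER_LEN + count * V5_RECORD_LEN
    if count > V5_MAX_RECORDS or len(payload) != expected:
        raise ValueError("header claims %d records (%d bytes) but datagram is %d bytes"
                         % (count, expected, len(payload)))
    records = []
    for i in range(count):
        off = V5_HEADER_LEN + i * V5_RECORD_LEN
        (src, dst, _nexthop, _inp, _out, pkts, octets, _first, _last,
         sport, dport, _pad1, _flags, prot, _tos, _sas, _das,
         _smask, _dmask, _pad2) = struct.unpack(V5_RECORD_FMT,
                                               payload[off:off + V5_RECORD_LEN])
        records.append({
            "srcaddr": str(ipaddress.IPv4Address(src)),
            "dstaddr": str(ipaddress.IPv4Address(dst)),
            "prot": prot, "srcport": sport, "dstport": dport,
            "octets": octets, "packets": pkts,
        })
    return {"version": version, "count": count,
            "flow_sequence": flow_sequence, "records": records}


def classify_export(payload):
    """One-line verdict on a captured UDP payload, in collector terms."""
    version = netflow_version(payload)
    if version == 5:
        try:
            return "v5 with %d records" % parse_v5(payload)["count"]
        except ValueError as exc:
            return "malformed v5 (%s)" % exc
    if version == 9:
        return "v9: a -V5 flow-capture will not decode this"
    return "unknown version %r" % (version,)


def build_sample_v5(flows):
    """Construct a v5 datagram from (src, dst, prot, sport, dport, octets, pkts)."""
    header = struct.pack(V5_HEADER_FMT, 5, len(flows), 1000, 1240000000, 0, 0, 0, 0, 0)
    body = b"".join(
        struct.pack(V5_RECORD_FMT, int(ipaddress.IPv4Address(src)),
                    int(ipaddress.IPv4Address(dst)), 0, 1, 2, pkts, octets,
                    900, 950, sport, dport, 0, 0, prot, 0, 0, 0, 24, 24, 0)
        for src, dst, prot, sport, dport, octets, pkts in flows)
    return header + body


# Constructed samples (not captures from the thread).
SAMPLE_V5 = build_sample_v5([
    ("192.168.1.10", "10.0.0.80", 6, 40000, 80, 5120, 12),
    ("192.168.1.11", "10.0.0.53", 17, 51000, 53, 120, 1),
])
SAMPLE_V9 = struct.pack(V9_HEADER_FMT, 9, 0, 1000, 1240000000, 1, 0)

if __name__ == "__main__":
    for label, pkt in (("v5 sample", SAMPLE_V5), ("v9 sample", SAMPLE_V9),
                       ("truncated v5", SAMPLE_V5[:-10])):
        print(label, "->", classify_export(pkt))
    for length in (1464, 936):
        print("UDP length", length, "->", v5_record_count_from_length(length), "v5 records")
```

To use this against live traffic, feed `classify_export` the UDP payload of each datagram from a pcap taken on the collector. It inspects the payload only: promiscuous mode lets tcpdump see datagrams addressed to 172.19.10.23, but a UDP socket bound on 172.19.10.24 is handed only datagrams addressed to that host, so the routers' export destination must be the collector itself for flow-capture to receive anything.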
