I just tried this command:

    nfcapd -p 9996 -l /var/local/nfdump/flows -R 10.15.1.3/9996

In an attempt to log locally and forward all flows to our research lab network's Netflow analyzer... the Netflow analyzer is not showing any incoming traffic... and the /var/local/nfdump/flows directory is rotating files:

    -rw-r--r-- 1 root root 276 Dec 17 11:04 nfcapd.200912171102
    -rw-r--r-- 1 root root 276 Dec 17 11:14 nfcapd.200912171109
    -rw-r--r-- 1 root root 276 Dec 17 11:19 nfcapd.200912171114
    -rw-r--r-- 1 root root 276 Dec 17 11:19 nfcapd.current

They are all the same size... and I'm not convinced that I'm actually receiving flows on this server, never mind forwarding them along...

-----Original Message-----
From: Isherwood, Jeffrey - AES
Sent: Thursday, December 17, 2009 11:53 AM
To: '[email protected]'
Cc: '[email protected]'
Subject: RE: [Nfdump-discuss] Using NFDUMP as an aggregator...

Thank you Peter, I am looking at Samplicator now...

I just updated the team leader for this research project, and he asked me to verify that if the raw netflow data is coming in from multiple sources (like 200 or so) all inbound on the same port (9996) that the nfcapd will capture it all, the samplicator can then forward it to 2 research labs and a managed services contractor (to do with what they all will).

Will Samplicator replicate and forward the nfcapd data without altering it?

Will the server running nfcapd keep a copy of the Netflow data or does it forward and forget? I think (personal opinion) that it would be preferable if it held onto the data, if for simply no other reason than for verification and redundancy.

So I guess I'm going to start over (since I messed up the installation of nfsen and apache, and couldn't get the web pages to yield data, probably a permissions problem). I'll install NFDUMP (nfcapd comes with nfdump) and Samplicator and see what I can do... I think from looking at the documentation tho, that if I'm not using nfsen, I'll need to automate or script nfcapd to get it running.

Thanks...
PS: Vince, thanks for the pointer to the flow-fanout that looks like a good "fall back option". I don't think it would allow me to retain copies of the flows on the server, which I need to do... but I could use it to send an extra copy somewhere else.

Jeffrey

-----Original Message-----
From: Peter Haag [mailto:[email protected]]
Sent: Thursday, December 17, 2009 2:02 AM
To: Isherwood, Jeffrey - AES
Cc: '[email protected]'
Subject: Re: [Nfdump-discuss] Using NFDUMP as an aggregator...

>> Isherwood, Jeffrey - AES wrote:
>> I would like to take the output from our Netflow devices and send it to 3 to 4 different locations to accommodate managed services contractors, network staff, customer support and research initiatives...
>>
>> I'm looking to collect flows from all across the enterprise, store them and redirect them out to other people/units that have need of them. Most equipment I've looked at has a limit of two Netflow destinations each, so I thought that NFDUMP might be the solution.

No - nfcapd just can forward the flows for daisy chaining the flow traffic. To fan out to many places, have a look into samplicator: http://freshmeat.net/projects/samplicator/ from my colleague Simon Leinen.

Hope this helps

- Peter
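Added example, not part of the thread and not nfdump or samplicator code: one way to settle the "am I actually receiving flows on this server" question from the first message is to read the NetFlow v5/v9 headers of whatever arrives on UDP 9996 and count packets and declared records per exporter. The function names `summarize` and `capture` and the sample addresses are assumptions made for this sketch.

```python
import socket
import struct
import time
from collections import defaultdict

# NetFlow v5 and v9 both start with a 16-bit version and a 16-bit record count.
HDR = struct.Struct("!HH")
HEADER_LEN = {5: 24, 9: 20}  # full header length per version

def summarize(datagrams):
    """Map exporter IP -> packets, declared records, malformed datagrams."""
    stats = defaultdict(lambda: {"packets": 0, "records": 0, "malformed": 0})
    for src, payload in datagrams:
        version, count = HDR.unpack_from(payload) if len(payload) >= HDR.size else (0, 0)
        # Unknown version or truncated header: count it, do not trust it.
        if len(payload) < HEADER_LEN.get(version, 1 << 16):
            stats[src]["malformed"] += 1
            continue
        stats[src]["packets"] += 1
        stats[src]["records"] += count  # as declared by the exporter
    return dict(stats)

def capture(port=9996, seconds=10.0):
    """Collect (exporter_ip, payload) from UDP `port`; run with nfcapd stopped."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    sock.settimeout(0.5)
    seen, deadline = [], time.monotonic() + seconds
    while time.monotonic() < deadline:
        try:
            payload, (src, _port) = sock.recvfrom(65535)
            seen.append((src, payload))
        except socket.timeout:
            continue
    sock.close()
    return seen

# Constructed sample datagrams (not captured traffic): a v5 packet declaring
# 2 records, a v9 header declaring 3, and a truncated 2-byte datagram.
SAMPLE = [
    ("192.0.2.10", struct.pack("!HHIIIIBBH", 5, 2, 0, 0, 0, 0, 0, 0, 0) + b"\0" * 96),
    ("192.0.2.10", struct.pack("!HHIIII", 9, 3, 0, 0, 0, 0)),
    ("192.0.2.20", b"\x00\x05"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the collector, `summarize(capture())` gives the same per-exporter table for live traffic; an empty result after the capture window means no export datagrams reached the port at all.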
