I got sidetracked by the holidays, and am back on this problem full time now
(but of course with less time available now to meet my short deadline.)
I wrote to the list a few weeks ago, but will restate my problem and the things
I've tried... I'm running out of time...
I'm working on a research project that requires Netflow data. I've got a small
problem: all of our network equipment will do Netflow, but only to two
destinations, and both of them are being used right now, so I can't get the
data. I'd like to "split the stream" and get that Netflow to more servers...
here's what I have in mind:
Allow all the devices to continue to send feed #1 to the "authorized corporate
Netflow analyzer"
Stand up a new server, and send feed #2 from all the devices to the new server
that receives all inbound flows, store a copy locally (for integrity) and then
redirect the flows outbound to multiple analyzers (managed services providers,
R&D folks etc...)
______
I thought that I'd use NFDUMP/NFCAPD to do it, but I seem to be having problems
pulling this off. It could be operator error, but if it is, I cannot see where
I am going wrong. Both nfdump & nfcapd are installed, and they run, but nfcapd
does not seem to be collecting anything.
I was trying to originally run it with the following flags:
nfcapd -D -p 9996 -l /var/local/nfdump/flows -R 10.17.142.56/9996
I tried using nfdump and nfreplay to see the contents of the stored flow files
and they all appear to be empty except for headers.
At the suggestion of Peter, I tried running this:
nfcapd -E -l /var/local/nfdump/flows -p 9996
This is supposed to give me stdout for the flow data but it just sits there and
I see nothing... which I believe means that it is not seeing any flow data.
I do however have 12 routers currently pointing to this server, all on port
9996 so it should be seeing something. When I run "tcpdump port 9996" I see a
lot of the following:
09:06:33.163439 IP 10.17.29.22.64629 > 10.17.142.42.palace-5: UDP, length 696
So I know that the routers are sending stuff, but apparently nfcapd is not
seeing it. Is anybody else doing this sort of thing? If so, how are you doing
it? If these ARE the right tools to use, does anybody have a clue as to where
I'm going wrong?
All help greatly appreciated.
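Added example (not from the post, and not nfdump's own code): a minimal Python receiver that binds UDP 9996 on all interfaces, checks each datagram's NetFlow v5 header before keeping a local copy and repeating it unchanged to a list of analyzers, which is the "split the stream" setup described above. It assumes the routers export NetFlow v5; the 696-byte UDP payloads in the tcpdump line are at least consistent with that (a 24-byte v5 header plus 14 records of 48 bytes). The downstream addresses and the archive filename are placeholders.

```python
"""NetFlow v5 receiver/repeater sketch (added example; assumes v5 exporters, rejects anything else)."""
import socket
import struct

# version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD_LEN = 48

def parse_v5_header(datagram: bytes) -> dict:
    """Return the v5 header fields, or raise ValueError if this is not a well-formed v5 datagram."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("shorter than a NetFlow v5 header")
    version, count, uptime, secs, _nsecs, seq, _etype, eid, _sampling = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    expected = V5_HEADER.size + count * V5_RECORD_LEN
    if len(datagram) != expected:
        raise ValueError(f"count={count} implies {expected} bytes, got {len(datagram)}")
    return {"version": version, "count": count, "sys_uptime_ms": uptime,
            "unix_secs": secs, "flow_sequence": seq, "engine_id": eid}

def fan_out(datagram: bytes, destinations, sock) -> int:
    """Send one unchanged copy to every (host, port) in destinations; return copies sent."""
    for dest in destinations:
        sock.sendto(datagram, dest)
    return len(destinations)

def serve(listen_port=9996, destinations=(), archive_path="netflow-v5.raw"):
    """Receive on UDP listen_port, keep a local copy of every datagram, then repeat it."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("0.0.0.0", listen_port))  # all interfaces: whichever address the routers target
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    with open(archive_path, "ab") as archive:
        while True:
            datagram, (src, _) = rx.recvfrom(65535)
            try:
                hdr = parse_v5_header(datagram)
            except ValueError as err:
                print(f"{src}: dropped ({err})")  # a version mismatch shows up here, not as empty files
                continue
            archive.write(datagram)  # local copy for integrity, as in the plan above
            copies = fan_out(datagram, destinations, tx)
            print(f"{src}: seq={hdr['flow_sequence']} records={hdr['count']} -> {copies} analyzers")

# Constructed sample datagram: a v5 header announcing 2 records plus 2 zeroed 48-byte records.
SAMPLE = V5_HEADER.pack(5, 2, 123456, 1262000000, 0, 42, 0, 7, 0) + bytes(2 * V5_RECORD_LEN)

if __name__ == "__main__":
    # Placeholder analyzer addresses (not from the post); replace with the real ones.
    serve(9996, [("192.0.2.10", 9996), ("192.0.2.11", 2055)])
```

Run it on the collector host while the routers are sending; if every datagram is reported as dropped with a version other than 5, the exporters are not speaking v5 and the parser needs to match what they send.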
_______________________________________________
Nfdump-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss