Isherwood, Jeffrey - AES wrote:
> I got sidetracked by the holidays, and am back on this problem full time now
> (but of course with less time available now to meet my short deadline.)
>
> I wrote to the list a few weeks ago, but will restate my problem and things
> I've tried... I'm running out of time...
>
> I'm working on a research project that requires Netflow data. I've got a small
> problem, all of our network equipment will do Netflow, but only to two
> destinations, and both of them are being used right now, so I can't get the
> data. I'd like to "split the stream" and get that Netflow to more servers...
> here's what I have in mind:
>
> Allow all the devices to continue to send feed #1 to the "authorized
> corporate Netflow analyzer"
>
> Stand up a new server, and send feed #2 from all the devices to the new
> server that receives all inbound flows, store a copy locally (for integrity)
> and then redirect the flows outbound to multiple analyzers (managed services
> providers, R&D folks etc...)
>
> ______
> I thought that I'd use NFDUMP/NFCAPD to do it, but I seem to be having
> problems pulling this off. It could be operator error, but if it is, I
> cannot see where I am going wrong. Both nfdump & nfcapd are installed, and
> they run, but nfcapd does not seem to be collecting anything.
>
> I was trying to originally run it with the following flags:
> nfcapd -D -p 9996 -l /var/local/nfdump/flows -R 10.17.142.56/9996
> I tried using nfdump and nfreplay to see the contents of the stored flow
> files and they all appear to be empty except for headers.
>
> At the suggestion of Peter, I tried running this:
> nfcapd -E -l /var/local/nfdump/flows -p 9996
> This is supposed to give me stdout for the flow data but it just sits there
> and I see nothing... which I believe means that it is not seeing any flow
> data.
>
> I do however have 12 routers currently pointing to this server, all on port
> 9996 so it should be seeing something. When I run "tcpdump port 9996" I see
> a lot of the following:
>
> 09:06:33.163439 IP 10.17.29.22.64629 > 10.17.142.42.palace-5: UDP, length 696
Obviously your OS/kernel prevents the socket from receiving data. Packets you
see in tcpdump are not necessarily forwarded to the application socket. There
may be an access control layer (packet filter, SELinux, whatever) in between.
Check your filters, rules and ACL layers.
- Peter
>
> So I know that the routers are sending stuff, but apparently nfcapd is not
> seeing it. Is anybody else doing this sort of thing? If so, how are you
> doing it? If these ARE the right tools to use, does anybody have a clue as
> to where I'm going wrong?
>
> All help greatly appreciated.
>
>
> ------------------------------------------------------------------------------
> This SF.Net email is sponsored by the Verizon Developer Community
> Take advantage of Verizon's best-in-class app development support
> A streamlined, 14 day to market process makes app distribution fast and easy
> Join now and get one step closer to millions of Verizon customers
> http://p.sf.net/sfu/verizon-dev2dev
> _______________________________________________
> Nfdump-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
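The receive, store and relay design sketched in the quoted message, written out as an added example; this is not code from the thread or from nfdump (nfcapd's own -R option repeats incoming packets to a single host, whereas this relay fans out to several collectors and keeps a raw local copy). The bind address, port 9996, the spool directory and the collector addresses are placeholders chosen here. Because the serve loop reads from a plain UDP socket bound on the collector port, it also serves as a direct test of Peter's point: if tcpdump shows datagrams arriving on the port while this loop receives nothing, they are being dropped between the capture point and the socket.

```python
"""Receive NetFlow on one UDP port, keep a raw local copy, and relay each
datagram to several collectors.  Added illustration, not nfdump code."""
import socket
import struct
import sys
from pathlib import Path
from typing import Optional

# Header layouts from the NetFlow v5 and v9 export formats (network byte order).
V5_HEADER = struct.Struct("!HHIIIIBBH")  # 24 bytes; each v5 record is 48 bytes
V9_HEADER = struct.Struct("!HHIIII")     # 20 bytes; records follow in flowsets
V5_RECORD_LEN = 48


def parse_header(datagram: bytes) -> dict:
    """Decode the export header; raise ValueError for anything that is not v5/v9.

    Relaying only well-formed NetFlow keeps stray UDP traffic that hits the
    collector port out of the downstream analyzers and out of the local archive.
    """
    if len(datagram) < 2:
        raise ValueError("datagram too short to carry a version field")
    version = struct.unpack_from("!H", datagram)[0]
    if version == 5:
        if len(datagram) < V5_HEADER.size:
            raise ValueError("truncated v5 header")
        _, count, uptime, secs, _nsecs, seq, _etype, engine_id, _samp = V5_HEADER.unpack_from(datagram)
        if len(datagram) < V5_HEADER.size + V5_RECORD_LEN * count:
            raise ValueError(f"v5 header announces {count} records, datagram too short")
        return {"version": 5, "count": count, "sysuptime": uptime,
                "unix_secs": secs, "sequence": seq, "source_id": engine_id}
    if version == 9:
        if len(datagram) < V9_HEADER.size:
            raise ValueError("truncated v9 header")
        _, count, uptime, secs, seq, source_id = V9_HEADER.unpack_from(datagram)
        return {"version": 9, "count": count, "sysuptime": uptime,
                "unix_secs": secs, "sequence": seq, "source_id": source_id}
    raise ValueError(f"unsupported NetFlow version {version}")


class Replicator:
    """Fan-out of one exporter feed to N collectors, with an optional raw archive."""

    def __init__(self, destinations, spool_dir=None, send=None):
        self.destinations = [(host, int(port)) for host, port in destinations]
        self.spool = Path(spool_dir) if spool_dir else None
        if self.spool:
            self.spool.mkdir(parents=True, exist_ok=True)
        if send is None:
            send = socket.socket(socket.AF_INET, socket.SOCK_DGRAM).sendto
        self._send = send  # injectable so the fan-out can be exercised without a network
        self.stats = {"received": 0, "relayed": 0, "rejected": 0}

    def handle(self, datagram: bytes, exporter) -> Optional[dict]:
        """Validate, archive, relay.  Returns the decoded header, or None if dropped."""
        self.stats["received"] += 1
        try:
            header = parse_header(datagram)
        except ValueError:
            self.stats["rejected"] += 1
            return None
        if self.spool:
            # Length-prefixed raw datagrams, one file per exporter address: the local
            # copy is the untouched original the relayed feeds can be checked against.
            with open(self.spool / f"{exporter[0]}.nfraw", "ab") as fh:
                fh.write(struct.pack("!I", len(datagram)) + datagram)
        for dest in self.destinations:
            self._send(datagram, dest)
            self.stats["relayed"] += 1
        return header


def serve(replicator: Replicator, bind_host="0.0.0.0", port=9996, max_datagrams=None):
    """Bind the collector port and feed every datagram to the replicator.

    Silence here while `tcpdump port 9996` shows traffic means the packets are
    dropped between capture and socket (packet filter, SELinux policy, a bind
    on the wrong address), not that the exporters are quiet.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 8 * 1024 * 1024)  # absorb bursts
    sock.bind((bind_host, port))
    seen = 0
    while max_datagrams is None or seen < max_datagrams:
        data, addr = sock.recvfrom(65535)
        header = replicator.handle(data, addr)
        seen += 1
        if header:
            print(f"{addr[0]} v{header['version']} count={header['count']} seq={header['sequence']}")
    return replicator.stats


if __name__ == "__main__":
    # usage: nfrelay.py <port> <spool_dir> host:port [host:port ...]
    port, spool, *targets = sys.argv[1:]
    serve(Replicator([t.rsplit(":", 1) for t in targets], spool), port=int(port))
```

Two caveats before putting a relay like this in front of real collectors. The relayed datagrams leave with the relay host's source address, so every downstream collector sees a single exporter; per-router separation then has to come from the v5 engine_id or v9 source_id in the header, or from running one relay socket per router. For NetFlow v9, a collector that joins later has no templates until the exporter's next template refresh, so its first minutes of data records are undecodable; the length-prefixed raw files are what you replay to fill that gap, and they are also the only lossless copy, since UDP fan-out gives no delivery guarantee.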