OK Peter, I turned off SELinux, and the firewall... I'm running the command as
root, and I don't think the ACLs are in the way...
Here's what I ran:
[r...@centosbase flows]# nfcapd -w -D -l /var/local/nfdump/flows -p 9996 -B 128000 -R 10.17.143.2/9996
I wait 20 minutes or so, and then do a list:
[r...@centosbase flows]# ll
-rw-r--r-- 1 root root 276 Dec 29 07:20 nfcapd.200912290715
-rw-r--r-- 1 root root 276 Dec 29 07:25 nfcapd.200912290720
-rw-r--r-- 1 root root 276 Dec 29 07:30 nfcapd.200912290725
-rw-r--r-- 1 root root 276 Dec 29 07:35 nfcapd.200912290730
-rw-r--r-- 1 root root 276 Dec 29 07:40 nfcapd.200912290735
-rw-r--r-- 1 root root 276 Dec 29 07:40 nfcapd.current
So I know that nfcapd is running, and rotating in 5-minute increments. There is
no firewall or anything in the way at the moment. So I tried to read the
nfcapd files with the below command:
[r...@centosbase flows]# nfdump -r nfcapd.200912290735 -n 20
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
And I get nothing... If there is somewhere else, something else I should be
looking at I don't know what or where at this point...
-----Original Message-----
From: Peter Haag [mailto:[email protected]]
Sent: Monday, December 28, 2009 4:26 PM
To: Isherwood, Jeffrey - AES
Cc: '[email protected]'
Subject: Re: [Nfdump-discuss] Using NFDUMP as an aggregator...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Jeffrey Wrote:
> I was trying to originally run it with the following flags:
> nfcapd -D -p 9996 -l /var/local/nfdump/flows -R 10.17.142.56/9996
> I tried using nfdump and nfreplay to see the contents of the stored flow
> files and they all appear to be empty except for headers.
>
> At the suggestion of the Peter, I tried running this:
> nfcapd -E -l /var/local/nfdump/flows -p 9996
> This is supposed to give me stdout for the flow data but it just sits there
> and I see nothing... which I believe means that it is not seeing any flow
> data.
>
> I do however have 12 routers currently pointing to this server, all on port
> 9996 so it should be seeing something. When I run "tcpdump port 9996" I see
> a lot of the following:
>
> 09:06:33.163439 IP 10.17.29.22.64629 > 10.17.142.42.palace-5: UDP, length 696
Peter Haag Wrote:
Obviously your OS/Kernel prevents the socket from receiving data. Packets you
see in tcpdump are not necessarily forwarded to the application socket. There
may be an access control layer (packet filter, SELINUX, whatever) in between.
Check your filters/rules ACL layers.
- Peter
This e-mail and any files transmitted with it may be proprietary and are
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this e-mail in error please notify the sender.
Please note that any views or opinions presented in this e-mail are solely
those of the author and do not necessarily represent those of ITT Corporation.
The recipient should check this e-mail and any attachments for the presence of
viruses. ITT accepts no liability for any damage caused by any virus
transmitted by this e-mail.
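Peter's point is that tcpdump sees frames before netfilter, SELinux and socket delivery, so a packet count on the wire says nothing about whether nfcapd's UDP socket ever received anything. The added example below (not from the thread and not part of nfdump) is a minimal diagnostic receiver that separates the two cases: stop nfcapd, bind the collector port yourself, and look at what arrives. If datagrams show up here with a sane NetFlow header but nfcapd still writes header-only files, the OS is delivering and the problem is in nfcapd's options or the export format; if nothing arrives while tcpdump shows traffic to port 9996, something between NIC and socket (filter rules, SELinux, or a destination address the host does not own) is dropping it. The header layouts are the published NetFlow v5/v9 and IPFIX (RFC 7011) fixed headers. The sample datagram is constructed for offline use; note that a 696-byte UDP payload, the length in the tcpdump line above, is exactly one 24-byte v5 header plus 14 records of 48 bytes, so the exporters in the thread look like NetFlow v5. The port number 9996 and the bind address are assumptions.

```python
"""Diagnostic UDP receiver for NetFlow/IPFIX exports.

Added example, not part of the nfdump project or the original thread.
Run with nfcapd stopped (only one process can own the UDP port), e.g.:
    python3 flowprobe.py 9996
"""
import socket
import struct
import sys

# Fixed header sizes from the NetFlow v5, NetFlow v9 and IPFIX specs.
V5_HEADER_LEN = 24
V5_RECORD_LEN = 48
V9_HEADER_LEN = 20
IPFIX_HEADER_LEN = 16


def parse_export_header(data):
    """Decode the version-specific fixed header of one UDP payload.

    Only the header is decoded; records and v9/IPFIX templates are left
    alone. Unknown versions are reported so the caller can tell 'not
    NetFlow at all' from 'NetFlow that the collector rejects'.
    """
    if len(data) < 2:
        return {"version": None, "error": "payload shorter than 2 bytes"}
    version = struct.unpack_from("!H", data, 0)[0]
    if version == 5:
        if len(data) < V5_HEADER_LEN:
            return {"version": 5, "error": "truncated v5 header"}
        (_, count, _uptime, _secs, _nsecs, seq,
         _engine_type, engine_id, sampling) = struct.unpack_from("!HHIIIIBBH", data, 0)
        expected = V5_HEADER_LEN + count * V5_RECORD_LEN
        return {"version": 5, "count": count, "flow_sequence": seq,
                "engine_id": engine_id, "sampling": sampling,
                "length_ok": len(data) == expected}
    if version == 9:
        if len(data) < V9_HEADER_LEN:
            return {"version": 9, "error": "truncated v9 header"}
        _, count, _uptime, _secs, seq, source_id = struct.unpack_from("!HHIIII", data, 0)
        return {"version": 9, "count": count, "package_sequence": seq,
                "source_id": source_id}
    if version == 10:
        if len(data) < IPFIX_HEADER_LEN:
            return {"version": 10, "error": "truncated IPFIX header"}
        _, length, _export_time, seq, domain = struct.unpack_from("!HHIII", data, 0)
        return {"version": 10, "length": length, "sequence": seq,
                "observation_domain": domain, "length_ok": length == len(data)}
    return {"version": version, "error": "not a NetFlow v5/v9 or IPFIX header"}


def v5_record_count(datagram_len):
    """Number of 48-byte v5 records a payload of this size can carry,
    or None if the size cannot be a well-formed v5 export datagram."""
    body = datagram_len - V5_HEADER_LEN
    if body < 0 or body % V5_RECORD_LEN:
        return None
    return body // V5_RECORD_LEN


def build_v5_sample(count=14, seq=1000):
    """Constructed v5 export (header plus zero-filled records) so the
    parser can be exercised without a live exporter. 14 records give a
    696-byte payload, the length seen in the thread's tcpdump output."""
    header = struct.pack("!HHIIIIBBH", 5, count, 123456, 1262070000, 0, seq, 0, 1, 0)
    return header + b"\x00" * (count * V5_RECORD_LEN)


def listen(port, bind_addr="0.0.0.0", timeout=10.0, max_datagrams=5):
    """Bind the collector port and summarise the first datagrams received.

    Returns a list of (source, payload_length, header_dict). An empty list
    after the timeout, with tcpdump still showing traffic, means the
    kernel is not delivering to the socket (filter, SELinux, address).
    """
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        sock.settimeout(timeout)
        for _ in range(max_datagrams):
            try:
                data, (src_ip, src_port) = sock.recvfrom(65535)
            except socket.timeout:
                break
            results.append((f"{src_ip}:{src_port}", len(data), parse_export_header(data)))
    return results


if __name__ == "__main__":
    sample = build_v5_sample()
    print("constructed sample:", len(sample), "bytes", parse_export_header(sample))
    if len(sys.argv) > 1:
        for src, n, hdr in listen(int(sys.argv[1])):
            print(src, n, hdr)
```

If this receiver gets datagrams but `length_ok` is False or the version is not 5, 9 or 10, the exporters are sending something nfcapd will not parse and the empty files are expected; if it gets nothing, work back through the layers Peter listed before touching nfcapd again.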
_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss