I've had a collection and analysis system based on flow-tools for years now, but for the last six months or so, I've been using ft2nfdump and nfdump for analysis of the collected flow data and I'm completely sold. I want to switch over to nfcapd and skip the ft2nfdump step and then try Nfsen out.

Currently, I'm getting Netflow data from one router. It's sending the data to two systems. The older system is an old Solaris box running flow-capture. The newer system is RHEL5 where I'm trying to run nfcapd. I can't get the nfcapd service to collect packets. It's the same flow as the flow-capture system sees and I've captured the incoming Netflow data from the router on both systems and verified that the packets match. Nfcapd starts, but doesn't appear to see anything.

The system has two network interfaces, eth0 and eth1. Eth0 is on the subnet with the router. Eth1 is behind a NAT looking at something else. The IP on eth0 is (munged) router.subnet.aaa.bbb. The router is directing netflow data to port 9990 (confirmed using tcpdump). I'm running nfcapd with the command:

nfcapd -z -b router.subnet.aaa.bbb -p 9990 -l /var/NetFlow -I any -S 2 -w -e -P /var/NetFlow/nfcapd.pid -D

The pid file is created and the default subdirectory structure appears under /var/NetFlow, but nothing is entered. Am I submitting the command incorrectly?

Thank you,

- Andy Johnston

--
Andy Johnston ([email protected])
IT Security
UMBC, Division of Information Technology
work: 410-455-2583 fax: 410-455-1065
_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
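A small way to narrow down a "collector starts but records nothing" situation like the one in the message above is to bind a throwaway UDP socket exactly where the collector would bind (the eth0 address and port 9990 in this case) and decode the header of whatever arrives. That tells you whether exports actually reach that socket and whether they are the version the collector expects, independently of nfcapd. The script below is an added example written for this thread; it is not part of nfdump or of the original post. It assumes the router exports NetFlow v5 (24-byte header, 48-byte records, as in Cisco's v5 format); the bind address and port are taken from the command line, and the datagram used in the test is constructed locally.

```python
"""NetFlow v5 socket probe: bind where the collector would bind and decode
the header of each incoming datagram to confirm exports reach that socket.
Added example for this thread; not part of nfdump. Assumes NetFlow v5."""
import socket
import struct
import sys

# NetFlow v5 header, big-endian: version, count, sys_uptime, unix_secs,
# unix_nsecs, flow_sequence, engine_type, engine_id, sampling (raw 16 bits).
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD_LEN = 48


def parse_v5_header(datagram: bytes) -> dict:
    """Decode the v5 header and check that the length matches the record count.
    Raises ValueError when the datagram is not a plausible v5 export."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs,
     flow_sequence, engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    expected = V5_HEADER.size + count * V5_RECORD_LEN
    if len(datagram) != expected:
        raise ValueError(f"count={count} implies {expected} bytes, got {len(datagram)}")
    return {
        "version": version,
        "count": count,
        "sys_uptime": sys_uptime,
        "unix_secs": unix_secs,
        "unix_nsecs": unix_nsecs,
        "flow_sequence": flow_sequence,
        "engine_type": engine_type,
        "engine_id": engine_id,
        "sampling_raw": sampling,
    }


def looks_like_v5(datagram: bytes) -> bool:
    """Boolean wrapper around parse_v5_header for quick filtering."""
    try:
        parse_v5_header(datagram)
        return True
    except ValueError:
        return False


def build_v5_datagram(records: int, flow_sequence: int = 0) -> bytes:
    """Constructed test datagram: a valid v5 header followed by zero-filled records."""
    header = V5_HEADER.pack(5, records, 0, 0, 0, flow_sequence, 0, 0, 0)
    return header + b"\x00" * (records * V5_RECORD_LEN)


def probe(bind_addr: str, port: int, max_datagrams: int = 5, timeout: float = 30.0) -> list:
    """Bind to (bind_addr, port), collect up to max_datagrams exports or stop
    after `timeout` seconds of silence. Returns (source_ip, header-or-error) pairs."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    sock.settimeout(timeout)
    seen = []
    try:
        for _ in range(max_datagrams):
            data, (src, _) = sock.recvfrom(65535)
            try:
                seen.append((src, parse_v5_header(data)))
            except ValueError as err:
                # Still record the source so a wrong version or a non-NetFlow
                # sender on the port shows up clearly.
                seen.append((src, {"error": str(err), "length": len(data)}))
    except socket.timeout:
        pass  # nothing (more) arrived within the window
    finally:
        sock.close()
    return seen


if __name__ == "__main__":
    # Usage: python probe.py <bind-address> <port>; defaults to all addresses, 9990.
    addr = sys.argv[1] if len(sys.argv) > 1 else "0.0.0.0"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 9990
    results = probe(addr, port)
    if not results:
        print(f"no datagrams on {addr}:{port} within the timeout")
    for src, info in results:
        print(src, info)
```

Stop nfcapd before running this, since only one process can own the UDP port. If the probe bound to the eth0 address sees nothing but the same probe bound to 0.0.0.0 does, the exports are reaching the host on a different local address than the one passed to -b; if neither sees anything while tcpdump shows the packets, look at host firewall rules (iptables on RHEL5) before the collector itself.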
