Peter, My sincere and profuse thanks.
I was blithely assuming that, since tcpdump could see the incoming packets, they must not be blocked by iptables. I am an idiot. One new rule in iptables took care of it.

- Andy

On Wed, Aug 11, 2010 at 12:40 PM, Peter Haag <[email protected]> wrote:

> On 10/8/10 9:35 PM, Andy Johnston wrote:
> > I've had a collection and analysis system based on flow-tools for years now,
> > but for the six months or so, I've been using ft2nfdump and nfdump for
> > analysis of the collected flow data and I'm completely sold. I want to
> > switch over to nfcapd and skip the ft2nfdump step and then try Nfsen out.
> >
> > Currently, I'm getting Netflow data from one router. It's sending the data
> > to two systems. The older system is an old Solaris box running
> > flow-capture. The newer system is RHEL5 where I'm trying to run nfcapd. I
> > can't get the nfcapd service to collect packets. It's the same flow as the
> > flow-capture system sees and I've captured the incoming Netflow data from
> > the router on both systems and verified that the packets match. Nfcapd
> > starts, but doesn't appear to see anything.
> >
> > The system has two network interfaces, eth0 and eth1. Eth0 is on the subnet
> > with the router. Eth1 is behind a NAT looking at something else.
> > The IP on eth0 is (munged) router.subnet.aaa.bbb. The router is directing
> > netflow data to port 9990 (confirmed using tcpdump).
> >
> > I'm running nfcapd with the command:
> >
> > nfcapd -z -b router.subnet.aaa.bbb -p 9990 -l /var/NetFlow -I any -S 2 -w -e -P /var/NetFlow/nfcapd.pid -D
>
> yes - that's all correct. Any SE-Linux - firewall rules somewhere?
>
> For testing: omit -D and add -E
>
> - Peter
>
> > The pid file is created and the default subdirectory structure appears under
> > /var/NetFlow, but nothing is entered.
> >
> > Am I submitting the command incorrectly?
> >
> > Thank you,
> >
> > - Andy Johnston
> >
> > _______________________________________________
> > Nfdump-discuss mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/nfdump-discuss

--
Andy Johnston ([email protected])
IT Security
UMBC, Division of Information Technology
work:410-455-2583 fax:410-455-1065
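The symptom in this thread (tcpdump shows the NetFlow datagrams, nfcapd receives nothing) arises because packet capture taps the interface before netfilter evaluates the INPUT chain. As an added example that is not part of the original messages, the shell function below reads an iptables-save dump and reports the verdict a new UDP datagram to a given port would get. The ruleset, the inserted rule and the name `udp_verdict` are constructed for illustration; the thread does not show the rule that was actually added.

```shell
#!/bin/sh
# Constructed sample in iptables-save format, modelled on a stock RHEL 5
# filter table; it has no rule for the NetFlow export port (not from the thread).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'
# Same table with one constructed rule for UDP 9990 placed before the REJECT.
NEW_RULE='-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 9990 -j ACCEPT'
FIXED_RULES=$(printf '%s\n' "$SAMPLE_RULES" | awk -v r="$NEW_RULE" '/-j REJECT/ {print r} {print}')

# udp_verdict PORT < rules: walk the filter INPUT chain in order and print the
# target of the first rule matching a new UDP datagram to PORT, else the policy.
# Rules using matches not modelled here (-i, -s, -d, ...) are skipped.
udp_verdict() {
  awk -v port="$1" '
  function walk(chain,   n, k, f, nf, ok, tgt, v) {
    for (n = 1; n <= cnt[chain]; n++) {
      nf = split(rule[chain, n], f, " "); ok = 1; tgt = ""
      for (k = 1; k <= nf && ok; k++) {
        if (f[k] == "-p") { k++; ok = (f[k] == "udp" || f[k] == "all") }
        else if (f[k] == "-m") k++                       # module name only
        else if (f[k] == "--dport") { k++; ok = (f[k] == port) }
        else if (f[k] == "--state") { k++; ok = (f[k] ~ /NEW/) }
        else if (f[k] == "-j") { tgt = f[k + 1]; break }
        else ok = 0                                      # unmodelled match
      }
      if (!ok || tgt == "" || tgt == "LOG") continue     # LOG does not terminate
      if (tgt == "RETURN") return ""
      if (tgt ~ /^(ACCEPT|DROP|REJECT)$/) return tgt
      v = walk(tgt); if (v != "") return v               # user-defined chain
    }
    return ""
  }
  /^\*/ { table = substr($1, 2) }
  table != "filter" { next }
  /^:/ { policy[substr($1, 2)] = $2 }
  $1 == "-A" { c = $2; $1 = $2 = ""; rule[c, ++cnt[c]] = $0 }
  END { v = walk("INPUT"); print (v != "" ? v : policy["INPUT"]) }'
}

printf '%s\n' "$SAMPLE_RULES" | udp_verdict 9990   # REJECT
printf '%s\n' "$FIXED_RULES"  | udp_verdict 9990   # ACCEPT
```

On a live collector the same function can be fed with `iptables-save | udp_verdict 9990` (run as root).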
