On 13/8/10 6:53 PM, Andy Johnston wrote:
> Peter,
>
> My sincere and profuse thanks.
>
> I was blithely assuming that, since tcpdump could see the incoming packets,
> they must not be blocked by iptables.
>
> I am an idiot.
No problem! - I wish all problems could be solved that easily :)
- Peter
>
> One new rule in iptables took care of it.
>
> - Andy
>
>
>
> On Wed, Aug 11, 2010 at 12:40 PM, Peter Haag <[email protected]> wrote:
>
>
>
> On 10/8/10 9:35 PM, Andy Johnston wrote:
>>>> I've had a collection and analysis system based on flow-tools for years now,
>>>> but for the six months or so, I've been using ft2nfdump and nfdump for
>>>> analysis of the collected flow data and I'm completely sold. I want to
>>>> switch over to nfcapd and skip the ft2nfdump step and then try Nfsen out.
>>>>
>>>> Currently, I'm getting Netflow data from one router. It's sending the data
>>>> to two systems. The older system is an old Solaris box running
>>>> flow-capture. The newer system is RHEL5 where I'm trying to run nfcapd. I
>>>> can't get the nfcapd service to collect packets. It's the same flow as the
>>>> flow-capture system sees and I've captured the incoming Netflow data from
>>>> the router on both systems and verified that the packets match. Nfcapd
>>>> starts, but doesn't appear to see anything.
>>>>
>>>>
>>>> The system has two network interfaces, eth0 and eth1. Eth0 is on the subnet
>>>> with the router. Eth1 is behind a NAT looking at something else.
>>>> The IP on eth0 is (munged) router.subnet.aaa.bbb. The router is directing
>>>> netflow data to port 9990 (confirmed using tcpdump).
>>>>
>>>> I'm running nfcapd with the command:
>>>>
>>>> nfcapd -z -b router.subnet.aaa.bbb -p 9990 -l /var/NetFlow -I any -S 2 -w
>>>> -e -P /var/NetFlow/nfcapd.pid -D
>
> yes - that's all correct. Any SE-Linux - firewall rules somewhere?
>
> For testing: omit -D and add -E
>
> - Peter
>>>>
>>>>
>>>> The pid file is created and the default subdirectory structure appears under
>>>> /var/NetFlow, but nothing is entered.
>>>>
>>>>
>>>> Am I submitting the command incorrectly?
>>>>
>>>> Thank you,
>>>>
>>>> - Andy Johnston
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
> ------------------------------------------------------------------------------
>>>> This SF.net email is sponsored by
>>>>
>>>> Make an app they can't live without
>>>> Enter the BlackBerry Developer Challenge
>>>> http://p.sf.net/sfu/RIM-dev2dev
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Nfdump-discuss mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
>>
>>
--
Be nice to your netflow data. Use NfSen and nfdump :)
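Peter's question about firewall rules points at the mechanism behind Andy's mistake: on Linux, tcpdump captures frames at the interface before netfilter's INPUT chain is consulted, so a datagram can appear in tcpdump and still never reach the socket nfcapd has bound. The following script is an added example for this thread, not code from nfdump or from either poster. It parses a constructed iptables-save dump shaped like a RHEL5 default firewall (with its RH-Firewall-1-INPUT chain), walks the INPUT chain in rule order for a UDP datagram addressed to the collector port, and reports the verdict before and after the single accept rule Andy describes adding. The ruleset, the chain name, and the collector address 192.0.2.10 (standing in for the munged router.subnet.aaa.bbb) are assumptions; only the -p, --dport, -i, -d, --state and -j options are modelled.

```python
"""
Static check: would a UDP NetFlow export reach the collector socket, given
an iptables ruleset?  Added illustration for the nfdump-discuss thread;
the ruleset below is constructed, not captured from a real host.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed iptables-save excerpt resembling a RHEL5 default firewall.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

COLLECTOR_IP = "192.0.2.10"   # placeholder for the munged router.subnet.aaa.bbb
NETFLOW_PORT = 9990           # port from the thread

@dataclass
class Rule:
    chain: str
    target: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    iface: Optional[str] = None
    dst: Optional[str] = None
    states: Optional[set] = None   # conntrack states from -m state --state

@dataclass
class Packet:
    proto: str
    dport: int
    iface: str
    dst: str
    new_connection: bool = True    # a fresh UDP export has no conntrack entry

def parse_rules(text):
    """Return (chain policies, rules per chain) from iptables-save text."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                     # ':INPUT ACCEPT [0:0]'
            name, policy = line[1:].split()[:2]
            policies[name] = policy                  # '-' for user chains
            chains[name] = []
        elif line.startswith("-A "):
            tok = shlex.split(line)
            rule = Rule(chain=tok[1])
            # every option in the modelled subset takes exactly one argument
            for opt, arg in zip(tok[2::2], tok[3::2]):
                if opt == "-p": rule.proto = arg
                elif opt == "--dport": rule.dport = int(arg)
                elif opt == "-i": rule.iface = arg
                elif opt == "-d": rule.dst = arg
                elif opt == "-j": rule.target = arg
                elif opt == "--state": rule.states = set(arg.split(","))
                # -m, --icmp-type, --reject-with: no match criteria we model
            chains.setdefault(rule.chain, []).append(rule)
    return policies, chains

def matches(rule, pkt):
    if rule.proto and rule.proto != pkt.proto: return False
    if rule.dport is not None and rule.dport != pkt.dport: return False
    if rule.iface and rule.iface != pkt.iface: return False
    if rule.dst and ipaddress.ip_address(pkt.dst) not in \
            ipaddress.ip_network(rule.dst, strict=False): return False
    if rule.states is not None and pkt.new_connection and "NEW" not in rule.states:
        return False
    return True

def evaluate(policies, chains, pkt, chain="INPUT"):
    """First matching terminating target wins; user chains may RETURN."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt): continue
        if rule.target in ("ACCEPT", "DROP", "REJECT"): return rule.target
        if rule.target == "RETURN": break
        if rule.target in chains:                    # jump into a user chain
            verdict = evaluate(policies, chains, pkt, rule.target)
            if verdict != "RETURN": return verdict
        # any other target (e.g. LOG) is non-terminating: keep walking
    policy = policies.get(chain, "-")
    return "RETURN" if policy == "-" else policy

def collector_verdict(ruleset_text, dst=COLLECTOR_IP, port=NETFLOW_PORT, iface="eth0"):
    policies, chains = parse_rules(ruleset_text)
    return evaluate(policies, chains, Packet("udp", port, iface, dst))

def accept_rule(chain, dst, port):
    """iptables-save line admitting the NetFlow export to the collector socket."""
    return f"-A {chain} -p udp -d {dst}/32 --dport {port} -j ACCEPT"

def with_accept_rule(ruleset_text, chain="RH-Firewall-1-INPUT",
                     dst=COLLECTOR_IP, port=NETFLOW_PORT):
    """Place the accept rule ahead of the chain's final REJECT so it is hit first."""
    reject = f"-A {chain} -j REJECT"
    return ruleset_text.replace(reject, accept_rule(chain, dst, port) + "\n" + reject, 1)

if __name__ == "__main__":
    print("before:", collector_verdict(SAMPLE_RULES))
    print("after: ", collector_verdict(with_accept_rule(SAMPLE_RULES)))
```

Run it against the real ruleset with `iptables-save > rules.txt` and feed that text to `collector_verdict`; a REJECT or DROP verdict while tcpdump shows the export arriving is exactly the situation in this thread. The accept rule is deliberately narrowed to the collector address and port, so it admits nothing beyond the export itself.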