I'm trying to use nfcapd to capture data from a Cisco router, and it is only generating empty 276 byte files in the flow directory. I'm using OSSIM, with the latest version of nfcapd (1.6.3) downloaded from the Sourceforge site and compiled from source.
The router is configured properly - I've been harvesting flows from it with the FlowViewer toolset for a long time.

    ip flow-export source FastEthernet0/0
    ip flow-export version 5
    ip flow-export destination [ossim server IP] 9997

Nfcapd is listening to the proper port.

    # ps ax | grep nfcap
    3418 ?  S<  0:00 /usr/bin/nfcapd -w -D -I router -p 9997 -u www-data -g www-data -B 200000 -S 7 -l /var/cache/nfdump/flows/live/router -P /var/nfsen/run/router.pid

    # lsof -i:9997
    COMMAND PID  USER     FD  TYPE DEVICE SIZE NODE NAME
    nfcapd  3418 www-data 4u  IPv4 220197      UDP  *:9997

Tcpdump shows the traffic coming in.

    # tcpdump udp port 9997
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    09:15:18.183766 IP [router].51912 > [ossim server].9997: UDP, length 1464
    09:15:22.190789 IP [router].51912 > [ossim server].9997: UDP, length 1464

For some reason, even though the traffic is coming in to the port that nfcapd is listening to, it's just not recognizing it as Netflow traffic. I've restarted the daemon, restarted the machine, changed ports, removed and reconfigured the flow-export rules on the router; nothing seems to make nfcapd recognize this traffic properly.

Does anyone have any ideas for other things I could try? I don't know where else to look for possible solutions.

--
Matt Gracie
(716) 888-8378
Information Security Administrator
[email protected]
Canisius College ITS
Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
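One way to see what is actually arriving on the collector port, as an added example that is not from the original post or from the nfdump project: a minimal NetFlow v5 parser that applies the same sanity checks a v5 collector does (version field equals 5, record count consistent with the datagram length) and reports why a datagram would be rejected. The two-record sample packet is constructed; the listen() port defaults to the 9997 used above and assumes nfcapd has been stopped so the port is free.

```python
import socket
import struct

# NetFlow v5 layouts in network byte order: 24-byte header, 48-byte records.
HEADER_FMT = "!HHIIIIBBH"                # version, count, sys_uptime, unix_secs, unix_nsecs,
                                         # flow_sequence, engine_type, engine_id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # src, dst, nexthop, in, out, pkts, bytes, first,
                                         # last, sport, dport, pad, tcp_flags, proto, tos, ...
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
# The 1464-byte datagrams in the tcpdump above equal one header plus 30 records (24 + 30 * 48).

def parse_v5(payload: bytes) -> dict:
    """Parse one UDP payload as NetFlow v5; raise ValueError where a v5 collector would reject it."""
    if len(payload) < HEADER_LEN:
        raise ValueError(f"payload too short for a v5 header ({len(payload)} bytes)")
    version, count, _up, _secs, _nsecs, seq, _etype, _eid, _samp = struct.unpack_from(HEADER_FMT, payload)
    if version != 5:
        raise ValueError(f"version field is {version}, not 5")
    expected = HEADER_LEN + count * RECORD_LEN
    if len(payload) != expected:
        raise ValueError(f"count={count} implies {expected} bytes, datagram has {len(payload)}")
    records = []
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, payload, HEADER_LEN + i * RECORD_LEN)
        records.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                        "sport": f[9], "dport": f[10], "proto": f[13], "pkts": f[5], "bytes": f[6]})
    return {"version": version, "count": count, "sequence": seq, "records": records}

def build_sample() -> bytes:
    """Constructed v5 datagram with two records (sample data, not a real router export)."""
    header = struct.pack(HEADER_FMT, 5, 2, 123456, 1300000000, 0, 42, 0, 0, 0)
    rec1 = struct.pack(RECORD_FMT, socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2"), b"\0" * 4,
                       1, 2, 10, 1500, 1000, 2000, 40000, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    rec2 = struct.pack(RECORD_FMT, socket.inet_aton("10.0.0.3"), socket.inet_aton("10.0.0.4"), b"\0" * 4,
                       1, 2, 1, 76, 1000, 1000, 53000, 53, 0, 0, 17, 0, 0, 0, 24, 24, 0)
    return header + rec1 + rec2

def listen(port: int = 9997) -> None:
    """Bind the collector port (stop nfcapd first) and report whether each datagram parses as v5."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    while True:
        data, (peer, _) = sock.recvfrom(65535)
        try:
            p = parse_v5(data)
            print(f"{peer}: v5 seq={p['sequence']} count={p['count']}")
        except ValueError as err:
            print(f"{peer}: {len(data)}-byte datagram rejected: {err}")

if __name__ == "__main__":
    listen()
```

If every datagram is rejected with a version or length complaint, the export format reaching the collector is not what nfcapd was started for; if they all parse, the problem lies on the nfcapd side (permissions on the flow directory for the -u/-g user, for example).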
