Hi Peter

You were right. I installed the same nfdump software (version
1.6.6) on a development BSD machine and had the flows capturing and
printing with "-E" within a couple of minutes. Must be something about
my first machine filtering packets after tcpdump.

Nick.

-----Original Message-----
From: Peter Haag [mailto:[email protected]] 
Sent: Tuesday, 10 April 2012 6:15 PM
To: Nicholas Mooney
Cc: [email protected]
Subject: Re: [Nfdump-discuss] nfcapd not seeing packets

Hi Nick,

I guess you have some packet filters somewhere on your system.
Wireshark reads network data at a very low level. System filters or
SELinux features follow up the chain and nfcapd sits on top of all.

This means something blocks your network data somewhere in your network
data chain.

Hope this helps.

        - Peter

On 4/10/12 7:14, Nicholas Mooney wrote:
> Hi
>
> I am having trouble receiving flows at nfcapd.
>
> I am exporting version 5 netflows (cflow) from a Juniper router. I am
> exporting them both to my PC running Wireshark and my nfcapd on port
> 9996. The interval is 5 and there is traffic on the interfaces involved.
>
> I simultaneously send the flows to Wireshark on my PC and it decodes
> them as version 5 flows properly.
>
> However, on the nfcapd I see no data being logged. If I run "nfcapd -E
> -p 9996 -I FW -l /data/nfsen/test/ -s 5" I don't see any packets
> logged to STDOUT, even though I simultaneously see the packets hit the
> server (tcpport port 9996) and also I get the same flows sent to my PC
> at the same time.
>
> All I get is this:
>
> [root@ausydmon04 test]# nfcapd -E -p 9996 -I FW -l /data/nfsen/test/ -s 5
> File Block Header:
>   NumBlocks     =           0
>   Size          =           0
>  id             =           2
>
> Any idea where I could be going wrong? I am running nfcapd as root.
>
> [root@ausydmon04 test]# nfcapd -V
> nfcapd: Version: 1.6.6 $Date: 2012-03-11 11:57:45 +0100 (Sun, 11 Mar 2012) $
>
> Thanks, Nick.
> 
> 
> _________________________________________________________________________________________
> This email has been scanned by the MessageLabs Email Security System on behalf
> of Medibank Health Solutions.
> For more information please visit http://www.symanteccloud.com
> _________________________________________________________________________________________

--
Be nice to your netflow data

_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
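
Added example, not part of the original thread and not nfdump code: a minimal Python listener that binds the collector's UDP port (9996 in the thread) and decodes the NetFlow v5 header of every datagram that reaches the socket. If tcpdump shows the export packets but this prints nothing, a host filter between the capture point and the socket is dropping them, as Peter describes. The function names and the sample datagram are assumptions made for illustration.

```python
import socket
import struct
import sys

V5_HEADER = struct.Struct("!HHIIIIBBH")  # 24-byte NetFlow v5 export header
V5_RECORD_LEN = 48                       # each v5 flow record is 48 bytes
# Constructed sample datagram (not captured traffic): header + 2 empty records.
SAMPLE = V5_HEADER.pack(5, 2, 1000, 1334045700, 0, 42, 0, 0, 0) + bytes(96)


def parse_v5_header(datagram):
    """Decode and sanity-check a NetFlow v5 header; raise ValueError if bad."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short datagram (%d bytes)" % len(datagram))
    (version, count, uptime_ms, secs, _nsecs,
     sequence, _etype, _eid, _sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("version field is %d, not 5" % version)
    # A v5 datagram carries 1..30 records and nothing else after them.
    if not 1 <= count <= 30:
        raise ValueError("implausible record count %d" % count)
    if len(datagram) != V5_HEADER.size + count * V5_RECORD_LEN:
        raise ValueError("length %d does not match count %d" % (len(datagram), count))
    return {"count": count, "uptime_ms": uptime_ms,
            "unix_secs": secs, "sequence": sequence}


def listen(port=9996, bind_addr="0.0.0.0"):
    """Print one line per datagram that actually reaches the UDP socket."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    print("listening on %s:%d/udp" % (bind_addr, port))
    while True:
        datagram, (src, _sport) = sock.recvfrom(65535)
        try:
            hdr = parse_v5_header(datagram)
            print("%s: v5 ok, %d records, seq %d" % (src, hdr["count"], hdr["sequence"]))
        except ValueError as err:
            print("%s: %d bytes, %s" % (src, len(datagram), err))


if __name__ == "__main__":
    listen(int(sys.argv[1]) if len(sys.argv) > 1 else 9996)
```

Stop nfcapd first so the port is free, then run the script on the collector host while tcpdump watches the same port.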