I had nfdump working, successfully collecting flows from a single source 
(128.84.56.36), thus:

     /opt/app/nfdump/bin/nfcapd -p 9995 -b 128.84.12.147 -l /opt/flows/Data -S 7 \
         -t 600 -w -P /var/run/nfcapd.pid -D -B 256000 -z

I then tried to reconfigure, in preparation for having multiple flow 
sources, thus:

    /opt/app/nfdump/bin/nfcapd -p 9995 -b 128.84.12.147 -S 7 -t 600 -w \
        -P /var/run/nfcapd.pid -D -B 256000 -z \
        -n testxtfw,128.84.56.36,/opt/flows/Data/testxtfw \
        -n prodxtfw,128.84.107.4,/opt/flows/Data/testxtfw ...

Not being able to get anything other than empty 276-byte flow files, I 
decided to revert to my previous configuration.

Now I get nothing but empty 276-byte flow files, where I previously had a 
working config.

Flow traffic is arriving:

16:53:42.266759 IP 128.84.56.36.28761 > 128.84.12.147.9995: UDP, length 804
16:53:48.714480 IP 128.84.56.36.28761 > 128.84.12.147.9995: UDP, length 620
16:53:53.936530 IP 128.84.56.36.28761 > 128.84.12.147.9995: UDP, length 440
16:53:59.074668 IP 128.84.56.36.28761 > 128.84.12.147.9995: UDP, length 380
16:54:00.791164 IP 128.84.56.36.28761 > 128.84.12.147.9995: UDP, length 1416
16:54:00.897028 IP 128.84.56.36.28761 > 128.84.12.147.9995: UDP, length 1424
16:54:01.120101 IP 128.84.56.36.28761 > 128.84.12.147.9995: UDP, length 1416
16:54:01.273505 IP 128.84.56.36.28761 > 128.84.12.147.9995: UDP, length 1424
16:54:01.403860 IP 128.84.56.36.28761 > 128.84.12.147.9995: UDP, length 1408
16:54:01.623874 IP 128.84.56.36.28761 > 128.84.12.147.9995: UDP, length 1408

To all appearances it is also making it to the nfcapd process:

socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP) = 4
bind(4, {sa_family=AF_INET, sin_port=htons(9995), sin_addr=inet_addr("128.84.12.147")}, 16) = 0
listen(4, 128)                          = -1 EOPNOTSUPP (Operation not supported)
getsockopt(4, SOL_SOCKET, SO_RCVBUF, [17179998208], [4]) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [256000], 4) = 0
getsockopt(4, SOL_SOCKET, SO_RCVBUF, [17180131326], [4]) = 0
recvfrom(4, "\0\t\0\fsS^wP\vx\334\0\0PZ\0\0\0\0\1\0\0d\0\33\260,\200T\f\223"..., 65535, 0, {sa_family=AF_INET, sin_port=htons(28761), sin_addr=inet_addr("128.84.56.36")}, [16]) = 916

Yet nfcapd never actually writes them to the files. I rebooted my server 
just in case something was wedged in the IP stack, to no avail.

Is there some state information that might be left over from my failed 
attempt to use -n ..., -n ... that I need to reconfigure? I have a 
non-working installation here and I'm really stymied.

Thanks for any info,

--
Glenn Forbes Fleming Larratt
Cornell University IT Security Office
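A health check for the symptom described in this post, added here as an example and not code from the post or from nfdump: it flags rotated capture files that never grow past the 276-byte empty size mentioned above, and a collector that has stopped rotating at all. It assumes rotated files are named nfcapd.<timestamp> in the capture directory and that a 1200-second freshness window (two missed -t 600 rotations) is acceptable.

```shell
#!/bin/sh
# Health check for an nfcapd capture directory (example added to this page,
# not code from the post or from nfdump). Two failure modes are covered:
# rotated files that never grow past the empty size (276 bytes in the post)
# and a collector that has stopped rotating. Assumptions: rotated files are
# named nfcapd.<timestamp>; 1200 s default allows two missed -t 600 rotations.

EMPTY_SIZE=276

# Print each rotated file in $1 whose size is <= EMPTY_SIZE.
# Returns 0 when every file carries flow data, 1 when any is header-only.
find_empty_flow_files() {
    dir=$1; rc=0
    for f in "$dir"/nfcapd.[0-9]*; do
        [ -f "$f" ] || continue
        size=$(wc -c < "$f" | tr -d ' ')
        if [ "$size" -le "$EMPTY_SIZE" ]; then
            echo "$f"
            rc=1
        fi
    done
    return $rc
}

# Returns 0 if the newest rotated file in $1 was modified within $2 seconds,
# 1 if there is no file or it is older than that (collector stalled).
newest_file_is_fresh() {
    dir=$1; max_age=$2
    newest=$(ls -t "$dir"/nfcapd.[0-9]* 2>/dev/null | head -n 1)
    [ -n "$newest" ] || return 1
    now=$(date +%s)
    # GNU stat first, BSD stat as fallback
    mtime=$(stat -c %Y "$newest" 2>/dev/null || stat -f %m "$newest")
    [ $((now - mtime)) -le "$max_age" ]
}

# Overall verdict: 0 healthy, 1 empty files present, 2 stale or no files.
check_flow_dir() {
    dir=$1; max_age=${2:-1200}
    newest_file_is_fresh "$dir" "$max_age" || return 2
    find_empty_flow_files "$dir" >/dev/null || return 1
    return 0
}

# Stand-alone use: sh check.sh /opt/flows/Data [max_age_seconds]
if [ -n "${1:-}" ]; then
    check_flow_dir "$1" "${2:-1200}"; echo "status=$?"
fi
```

Run it from cron against the capture directory and alert on any non-zero status; a collector that receives UDP but writes only header-only files is otherwise invisible to a plain "is the process running" check.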

_______________________________________________
Nfdump-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss