Thanks Peter, do I need to change something here? If so, let me know how
please. (Tell me how to do it FROM 1.2.3.4, since I'll use that to lock
down to only allow from the router that I have that's sending nf data.)

[root@me ~]# iptables -L -vn
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 121K  138M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  536 17402 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    5   457 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    6   312 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
1410K  966M REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 295K packets, 105M bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@me ~]#


Aaron
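
[Editor's note, added example; this is not part of the thread and not nfdump project code.] The INPUT chain pasted above accepts only RELATED/ESTABLISHED traffic, ICMP, loopback, and new TCP to port 22; an unsolicited UDP datagram to 9995 matches none of those and falls through to the final REJECT (whose counter is at 1410K packets), which is why tcpdump sees the exporter's packets while nfcapd never gets them. The script below generates the iptables change for the root session and the commands to verify it. It assumes the exporter address 1.2.3.4 and port udp/9995 from the question; the source address must be the one tcpdump shows as the sender of the NetFlow datagrams, whatever that is on the real network. The INPUT chain text inside the script is a constructed copy of the ruleset above so the rule-position logic can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread or the nfdump project: generate the
# iptables change that lets the NetFlow exporter reach nfcapd on this
# CentOS 6 host, plus the commands to verify it. The exporter address
# (1.2.3.4) and port (udp/9995) are assumptions taken from the question.
EXPORTER="${EXPORTER:-1.2.3.4}"
NFPORT="${NFPORT:-9995}"

# Constructed stand-in for `iptables -L INPUT -vn --line-numbers` so the
# position logic can run offline. It mirrors the five INPUT rules above.
SAMPLE_INPUT_CHAIN='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     121K  138M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2      536 17402 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        5   457 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        6   312 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    1410K  966M REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Rule number of the first REJECT in INPUT. `iptables -I INPUT N` inserts
# *at* position N and pushes the REJECT down, so the ACCEPT is matched
# first. Appending with -A would land after the REJECT and never be hit.
reject_position() {
    printf '%s\n' "$1" | awk '$4 == "REJECT" { print $1; exit }'
}

# Refuse a source that would open the port to everyone; the point of the
# rule is that only the exporter may talk to nfcapd.
exporter_is_specific() {
    case "$1" in
        ''|0.0.0.0|0.0.0.0/0|*/0|any) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit (do not run) the commands for the root session. `service iptables
# save` persists the live ruleset to /etc/sysconfig/iptables on CentOS 6;
# without it the rule is lost at the next iptables restart or reboot.
allow_exporter_cmds() {
    pos="$1" src="$2" port="$3"
    exporter_is_specific "$src" || { echo "refusing non-specific source: $src" >&2; return 1; }
    printf 'iptables -I INPUT %s -p udp -s %s --dport %s -j ACCEPT\n' "$pos" "$src" "$port"
    printf 'service iptables save\n'
}

# Checks for after the change: the new rule's pkts counter should climb
# while the REJECT counter stops, nfcapd must actually be bound to the UDP
# port, and any SELinux denial shows up as an AVC record in the audit log.
verify_cmds() {
    port="$1"
    printf 'iptables -L INPUT -vn --line-numbers\n'
    printf 'netstat -ulnp | grep ":%s "\n' "$port"
    printf 'getenforce; ausearch -m avc -ts recent\n'
}

pos="$(reject_position "$SAMPLE_INPUT_CHAIN")"
allow_exporter_cmds "$pos" "$EXPORTER" "$NFPORT"
verify_cmds "$NFPORT"
```

Run as-is it only prints the commands; paste them into the root shell after confirming the position number matches the live `iptables -L INPUT -vn --line-numbers` output. Once the rule is in, the next five-minute nfcapd file should be larger than the 276-byte empty files in the listing below, and `nfdump -R` on it should list flows instead of "No matched flows".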


-----Original Message-----
From: Peter Haag [mailto:ph...@users.sourceforge.net] 
Sent: Monday, April 01, 2013 8:44 AM
To: Aaron
Cc: nfdump-discuss@lists.sourceforge.net
Subject: Re: [Nfdump-discuss] nfdump on centos 6 - my first time - assistance please

Make sure you have opened all your firewall and SELinux rules.
tcpdump captures the packet before the kernel sees it. Therefore something
in the chain blocks your packets.

        - Peter

On 30/3/13 3:56 PM, Aaron wrote:
> Hi All, I'm new to the list, and also new to nfdump/nfsen. I have
> begun trying to install and get running nfdump, please provide
> guidance where you are able... I also haven't begun installing nfsen
> since I thought that nfdump needed to work first before nfsen should
> be installed, and I am thinking that nfdump may not be working yet...
> let me know what you think.
>
> I'm following the instructions on this site...
> http://www.3open.org/d/tips/install_nfdump_on_centos_5  ...the only
> thing I haven't done on this site is the part at the bottom titled
> "init script for nfcapd" ...do I need to do that part? If so how?
>
> I've gotten through most all the steps and I see the following...it
> seems the files are being built but I don't see anything in the files...
>
> I do know that my router is sending netflow exported data to udp 9995
> since tcpdump on this host shows it arriving here.
>
> [root@me ~]# ls -la /var/cache/nfdump/2013
> total 12
> drwxr-xr-x. 3 netflow netflow 4096 Mar 29 09:45 .
> drwxr-xr-x. 3 netflow netflow 4096 Mar 30 10:45 ..
> drwxr-xr-x. 4 netflow netflow 4096 Mar 30 00:05 03
>
> [root@me ~]# ls -la /var/cache/nfdump/2013/03
> total 16
> drwxr-xr-x.  4 netflow netflow 4096 Mar 30 00:05 .
> drwxr-xr-x.  3 netflow netflow 4096 Mar 29 09:45 ..
> drwxr-xr-x. 17 netflow netflow 4096 Mar 29 23:05 29
> drwxr-xr-x. 13 netflow netflow 4096 Mar 30 10:05 30
>
> [root@me ~]# ls -la /var/cache/nfdump/2013/03/30
> total 52
> drwxr-xr-x. 13 netflow netflow 4096 Mar 30 10:05 .
> drwxr-xr-x.  4 netflow netflow 4096 Mar 30 00:05 ..
> drwxr-xr-x.  2 netflow netflow 4096 Mar 30 01:00 00
> drwxr-xr-x.  2 netflow netflow 4096 Mar 30 02:00 01
> drwxr-xr-x.  2 netflow netflow 4096 Mar 30 03:00 02
> drwxr-xr-x.  2 netflow netflow 4096 Mar 30 04:00 03
> drwxr-xr-x.  2 netflow netflow 4096 Mar 30 05:00 04
> drwxr-xr-x.  2 netflow netflow 4096 Mar 30 06:00 05
> drwxr-xr-x.  2 netflow netflow 4096 Mar 30 07:00 06
> drwxr-xr-x.  2 netflow netflow 4096 Mar 30 08:00 07
> drwxr-xr-x.  2 netflow netflow 4096 Mar 30 09:00 08
> drwxr-xr-x.  2 netflow netflow 4096 Mar 30 10:00 09
> drwxr-xr-x.  2 netflow netflow 4096 Mar 30 10:45 10
>
> [root@me ~]# ls -la /var/cache/nfdump/2013/03/30/10
> total 44
> drwxr-xr-x.  2 netflow netflow 4096 Mar 30 10:45 .
> drwxr-xr-x. 13 netflow netflow 4096 Mar 30 10:05 ..
> -rw-r--r--.  1 netflow netflow  276 Mar 30 10:05 nfcapd.201303301000
> -rw-r--r--.  1 netflow netflow  276 Mar 30 10:10 nfcapd.201303301005
> -rw-r--r--.  1 netflow netflow  276 Mar 30 10:15 nfcapd.201303301010
> -rw-r--r--.  1 netflow netflow  276 Mar 30 10:20 nfcapd.201303301015
> -rw-r--r--.  1 netflow netflow  276 Mar 30 10:25 nfcapd.201303301020
> -rw-r--r--.  1 netflow netflow  276 Mar 30 10:30 nfcapd.201303301025
> -rw-r--r--.  1 netflow netflow  276 Mar 30 10:35 nfcapd.201303301030
> -rw-r--r--.  1 netflow netflow  276 Mar 30 10:40 nfcapd.201303301035
> -rw-r--r--.  1 netflow netflow  276 Mar 30 10:45 nfcapd.201303301040
>
> [root@me ~]# nfdump -R /var/cache/nfdump/2013/03/30/10/nfcapd.201303301000
> Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
> No matched flows
>
> [root@me ~]# nfdump -R /var/cache/nfdump/2013/03/30/10/nfcapd.201303301005
> Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
> No matched flows
>
> [root@me ~]# nfdump -R /var/cache/nfdump/2013/03/30/10/nfcapd.201303301040
> Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
> No matched flows
>
> [root@me ~]# tcpdump -i eth0 -nn | grep -i 9995
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 10:51:56.504510 IP 1.2.0.5.1372 > 3.4.150.93.9995: UDP, length 252
> 10:51:57.506593 IP 1.2.0.5.1372 > 3.4.150.93.9995: UDP, length 880
> 10:51:59.510514 IP 1.2.0.5.1372 > 3.4.150.93.9995: UDP, length 708
> 10:52:00.513018 IP 1.2.0.5.1372 > 3.4.150.93.9995: UDP, length 1336
> 10:52:00.513521 IP 1.2.0.5.1372 > 3.4.150.93.9995: UDP, length 1452
> 10:52:00.513597 IP 1.2.0.5.1372 > 3.4.150.93.9995: UDP, length 1452
> 10:52:00.513620 IP 1.2.0.5.1372 > 3.4.150.93.9995: UDP, length 1452
> 10:52:00.513641 IP 1.2.0.5.1372 > 3.4.150.93.9995: UDP, length 1452
> 10:52:00.513661 IP 1.2.0.5.1372 > 3.4.150.93.9995: UDP, length 1392
> 10:52:00.513722 IP 1.2.0.5.1372 > 3.4.150.93.9995: UDP, length 1452
> 10:52:00.513754 IP 1.2.0.5.1372 > 3.4.150.93.9995: UDP, length 1452
> 10:52:00.513805 IP 1.2.0.5.1372 > 3.4.150.93.9995: UDP, length 1452
> 10:52:00.513820 IP 1.2.0.5.1372 > 3.4.150.93.9995: UDP, length 368
> 10:52:01.515624 IP 1.2.0.5.1372 > 3.4.150.93.9995: UDP, length 1452
> 10:52:01.516152 IP 1.2.0.5.1372 > 3.4.150.93.9995: UDP, length 1452
> 10:52:01.517030 IP 1.2.0.5.1372 > 3.4.150.93.9995: UDP, length 1452
> 10:52:01.517087 IP 1.2.0.5.1372 > 3.4.150.93.9995: UDP, length 1452
> 10:52:01.517100 IP 1.2.0.5.1372 > 3.4.150.93.9995: UDP, length 1452
> 10:52:01.517111 IP 1.2.0.5.1372 > 3.4.150.93.9995: UDP, length 1452
> ^C114 packets captured
> 114 packets received by filter
> 0 packets dropped by kernel
>
> Aaron
>
> _______________________________________________
> Nfdump-discuss mailing list
> Nfdump-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
> 

--
Be nice to your netflow data. Use NfSen and nfdump :)


