Hi Victor,
Do you have any IP filters or SELinux in place?
Tcpdump/Wireshark captures packets below any IP filters, which means you see
them in Wireshark, but they could still get blocked by the kernel in the
network stack on the way up to the socket.

Regards

        - Peter

On 22.11.18 16:54, victor ruiz rivas wrote:
> I've cloned nfdump from git, Version: 1.6.17, compiled and installed
> perfectly without errors.
> I started nfcapd, I see it is listening on the proper port, it creates
> and rotates the files on the disk, but writes no
> flows to them.
> If I do a packet capture I see the flows in the netflow packets
> correctly decoding them as CFlow with wireshark.
> I can see some template flowsets and data flowsets but all the flow
> data files written to disk are the same size - 276 bytes, and nfdump
> shows
> no flows captured.
> 
> server-collector:/opt/netflow # /opt/netflow/bin/nfcapd -w -E -T all
> -p 9995 -l /opt/netflow/share/data -S 2
> 
> Add extension: 2 byte input/output interface index
> Add extension: 4 byte input/output interface index
> Add extension: 2 byte src/dst AS number
> Add extension: 4 byte src/dst AS number
> Add extension: dst tos, direction, src/dst mask
> Add extension: IPv4 next hop
> Add extension: IPv6 next hop
> Add extension: IPv4 BGP next IP
> Add extension: IPv6 BGP next IP
> Add extension: src/dst vlan id
> Add extension: 4 byte output packets
> Add extension: 8 byte output packets
> Add extension: 4 byte output bytes
> Add extension: 8 byte output bytes
> Add extension: 4 byte aggregated flows
> Add extension: 8 byte aggregated flows
> Add extension: in src/out dst mac address
> Add extension: in dst/out src mac address
> Add extension: MPLS Labels
> Add extension: IPv4 router IP addr
> Add extension: IPv6 router IP addr
> Add extension: router ID
> Add extension: BGP adjacent prev/next AS
> Add extension: time packet received
> Add extension: NSEL Common block
> Add extension: NSEL xlate ports
> Add extension: NSEL xlate IPv4 addr
> Add extension: NSEL xlate IPv6 addr
> Add extension: NSEL ACL ingress/egress acl ID
> Add extension: NSEL username
> Add extension: NSEL max username
> Add extension: nprobe/nfpcapd latency
> Add extension: NEL Common block
> Add extension: Compat NEL IPv4
> Add extension: NAT Port Block Allocation
> Bound to IPv4 host/IP: any, Port: 9995
> Startup.
> Init IPFIX: Max number of IPFIX tags: 65
> File Block Header:
>   NumBlocks     =           0
>   Size          =           0
>   id           =           2
> 
> Ident: 'none' Flows: 0, Packets: 0, Bytes: 0, Sequence Errors: 0, Bad 
> Packets: 0
> Total ignored packets: 0
> File Block Header:
>   NumBlocks     =           0
>   Size          =           0
>   id           =           2
> 
> Ident: 'none' Flows: 0, Packets: 0, Bytes: 0, Sequence Errors: 0, Bad 
> Packets: 0
> Total ignored packets: 0
> File Block Header:
>   NumBlocks     =           0
>   Size          =           0
>   id           =           2
> 
> Ident: 'none' Flows: 0, Packets: 0, Bytes: 0, Sequence Errors: 0, Bad 
> Packets: 0
> Total ignored packets: 0
> 
> ...
> 
> server-collector:/opt/netflow # ls -la /opt/netflow/share/data/2018/11/22/16
> total 24
> drwxr-xr-x 2 root root 4096 Nov 22 16:15 .
> drwxr-xr-x 4 root root 4096 Nov 22 16:05 ..
> -rw-r--r-- 1 root root  276 Nov 22 16:05 nfcapd.201811221600
> -rw-r--r-- 1 root root  276 Nov 22 16:10 nfcapd.201811221605
> -rw-r--r-- 1 root root  276 Nov 22 16:15 nfcapd.201811221610
> -rw-r--r-- 1 root root  276 Nov 22 16:15 nfcapd.201811221615
> 
> ...
> 
> server-collector:/opt/netflow # /opt/netflow/bin/nfdump -R
> /opt/netflow/share/data/2018/11/22/16
> Date first seen          Duration Proto      Src IP Addr:Port
> Dst IP Addr:Port   Packets    Bytes Flows
> No matched flows
> 
> Attached is a Wireshark image capture showing the correct decoding
> of the flow packets.
> 
> Please, can someone tell me why nfcapd fails to write data correctly?
> 
> 
> 
> 
> 
> _______________________________________________
> Nfdump-discuss mailing list
> Nfdump-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
> 


-- 
Be nice to your netflow data. Use NfSen and nfdump :)
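
One way to test the point in the reply above, as an added example that is not part of either message: with nfcapd stopped, bind the same UDP port from a small Python probe and count what actually reaches a user-space socket. The FlowSet tally assumes the exporter sends NetFlow v9 (the thread only says Wireshark decodes CFlow template and data flowsets); `classify_v9` and `probe` are names made up for this sketch.

```python
import socket
import struct
import time
from collections import Counter

V9_HEADER_LEN = 20  # version, count, sysUptime, unix_secs, sequence, source_id


def classify_v9(datagram: bytes) -> Counter:
    """Tally the FlowSet kinds inside one NetFlow v9 export datagram."""
    kinds = Counter()
    if len(datagram) < V9_HEADER_LEN:
        kinds["too_short"] += 1
        return kinds
    (version,) = struct.unpack_from("!H", datagram, 0)
    if version != 9:  # assumption: v9 exporter; anything else is only counted
        kinds["not_v9"] += 1
        return kinds
    offset = V9_HEADER_LEN
    while offset + 4 <= len(datagram):
        flowset_id, length = struct.unpack_from("!HH", datagram, offset)
        if length < 4 or offset + length > len(datagram):
            kinds["malformed"] += 1  # never trust a length field from the wire
            break
        if flowset_id == 0:
            kinds["template"] += 1
        elif flowset_id == 1:
            kinds["options_template"] += 1
        elif flowset_id >= 256:
            kinds["data"] += 1
        else:
            kinds["reserved"] += 1
        offset += length
    return kinds


def probe(port: int, seconds: float = 30.0, host: str = "0.0.0.0") -> Counter:
    """Bind the collector port and count what actually reaches user space."""
    totals = Counter()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        deadline = time.monotonic() + seconds
        while (remaining := deadline - time.monotonic()) > 0:
            sock.settimeout(remaining)
            try:
                data, _peer = sock.recvfrom(65535)
            except socket.timeout:
                break
            totals["datagrams"] += 1
            totals.update(classify_v9(data))
    return totals
```

If `probe(9995)` returns zero datagrams while tcpdump still shows the export packets arriving, the traffic is being dropped below the socket, as the reply suggests.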
