Good Morning, I've been playing with the latest nfsen snapshot as I'm setting up our new netflow server and I've reached an interesting issue. I copied across our live profile from our old server as the upgrade instructions suggest, I then proceeded to install the new version. (After figuring out exporting LDFLAGS and CFLAGS before running ./configure for both nfSen and nfDump, both are installed with a prefix of /usr/local/nfsen/).
Upon loading the new version of nfSen in my webbrowser I was pleased to see the familiar graph from the old data. So I decided to play with the new channels system and was surprised that every time I created a new "profile" a blank graph/zero'd stats was presented to me. This isn't what I expected from the behavour of the previous version I was using. This appears to happen with Real/Shadow, 1:1/Individual. So over the weekend I had a think, and this morning I came in and decided to use flow-fanout from our production server to this new server (incidentally the only reason I still have flow tools installed). Once I had new data coming into the new server I was presented with modern data.... nice. I was then surprised that when I created new channels/profiles the graphs/stats contained data for the most recently captured data, ie, the data captured by the snapshot version but not the imported data. Have I missed something in the upgrade process? I can confirm that my versions of nfdump and nfsen are at the required snap shots and nfdump was compiled with nfprofile and sflowd. When I create the profiles with the copied data they do sit and process for large amounts of the time, and looking at the process list nfprofile is being run. /usr/local/nfsen/bin//nfprofile -t 1175424300 -I -p /usr/local/nfsen/profiles -P /usr/local/nfsen/profiles -S 1 -M /usr/local/nfsen/profiles/live/lubar -r nfcapd.200704011145 >From logs I don't seem to see anything obvious, when creating a multi chanel shadow in /var/log/debug I see these: May 7 10:46:33 hackett nfsen[67085]: Run profiler: '-I -p /usr/local/nfsen/profiles -P /usr/local/nfsen/profiles -S 1' '-M /usr/local/nfsen/profiles/live/lubar -r nfcapd.200705010825' May 7 10:46:33 hackett nfsen[67085]: profile opts: Monitoring#Computer_Center#6#Networking#lubar May 7 10:46:33 hackett nfsen[67085]: profile opts: Monitoring#Computer_Center#6#Systems#lubar May 7 10:46:33 hackett nfsen[67085]: profile opts: Monitoring#Computer_Center#6#CIS#lubar May 7 10:46:33 hackett nfsen[67085]: profile opts: Monitoring#Computer_Center#6#Admin#lubar May 7 10:46:33 hackett nfsen[67085]: comm child[67805] terminated with no exit value But no obvious errors, the above output looks no different from older data to data captured on the new server. Thanks to Peter for an absolutly brilliant tool, I've also managed to get PortTracker to work for me (for the first time) and it truly is a can opener. ;) For reference the transferred profile is 1 source at 286Gb for 7 months. Any ideas would be greatly appreciated as I'd really like the ability to create channels on data from the production server. Pete. Peter A. Wood e: [EMAIL PROTECTED] Network Security Specialist Technical Services Group Lancaster University ------------------------------------------------------------------------- This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ _______________________________________________ Nfsen-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
