Hello all, I have a VM host running Debian 6.0 set up as a router with a Shorewall 
firewall with all the ULOG stuff I think I need. Below is the relevant part of my 
/etc/shorewall/rules file. 

SECTION ESTABLISHED 
# NetFlow logging 
LOG:ULOG all net 
LOG:ULOG net all 
SECTION RELATED 
# NetFlow logging 
LOG:ULOG all net 
LOG:ULOG net all 
SECTION NEW 
# NetFlow logging 
LOG:ULOG all net 
LOG:ULOG net all 

I have also installed fprobe-ulog and have it set to use 10.0.0.120:9995, the IP 
and port nfsen should be listening on, on the Debian 6.0 machine. As a test I 
installed nfdump on the Debian 6.0 machine and can get it to show me flows like 
below, so I think fprobe-ulog and nfdump are working? 

nfdump -R /var/cache/nfdump -s port/bytes 
Top 10 Port ordered by bytes: 
Date first seen Duration Proto Port Flows(%) Packets(%) Bytes(%) pps bps bpp 
2014-09-22 13:53:53.605 15221.057 any 80 6695( 8.5) 723694(61.2) 701.7 M(84.9) 47 368787 969 
2014-09-22 17:29:39.138 128.549 any 38512 2( 0.0) 428984(36.3) 430.6 M(52.1) 3337 26.8 M 1003 
2014-09-22 17:10:16.429 3443.145 any 8006 23392(29.7) 204238(17.3) 55.2 M( 6.7) 59 128239 270 
2014-09-22 13:53:51.953 15225.580 any 443 15501(19.7) 159944(13.5) 32.1 M( 3.9) 10 16889 200 
2014-09-22 15:39:44.574 7783.499 any 40290 5( 0.0) 24141( 2.0) 23.9 M( 2.9) 3 24548 989 
2014-09-22 13:54:34.155 15114.461 any 25 804( 1.0) 13416( 1.1) 12.1 M( 1.5) 0 6407 902 
2014-09-22 13:53:51.951 15216.207 any 10276 114( 0.1) 20223( 1.7) 11.6 M( 1.4) 1 6107 574 
2014-09-22 14:52:03.249 11724.909 any 19813 60( 0.1) 15049( 1.3) 11.0 M( 1.3) 1 7490 729 
2014-09-22 15:12:10.689 78.888 any 27650 2( 0.0) 9443( 0.8) 9.9 M( 1.2) 119 1.0 M 1045 
2014-09-22 17:11:18.368 1315.212 any 49025 6( 0.0) 5205( 0.4) 6.0 M( 0.7) 3 36435 1150 

Summary: total flows: 78818, total bytes: 826.3 M, total packets: 1.2 M, avg bps: 434086, avg pps: 77, avg bpp: 698 
Time window: 2014-09-22 13:53:51 - 2014-09-22 18:07:39 
Total flows processed: 78818, Blocks skipped: 0, Bytes read: 4099600 
Sys: 0.015s flows/second: 4927048.8 Wall: 0.015s flows/second: 5235337.1 

I have nfsen installed on another machine/VM on the LAN, 10.0.0.120, and I can 
see the web page and a bunch of empty graphs. I have added the line below to 
/etc/nfsen.conf, followed by a perl install.pl etc/nfsen.conf from within the 
nfsen directory. 

%sources = ( 
'gw1' => {'port'=>'9995','col'=>'#0000ff','type'=>'netflow'}, 
); 

So now I need to figure out why the Debian 6.0 box will not send flows to the 
VM with nfsen on it. PLEASE HELP, I am new at all this. 

Computer King CaN-Mail Surveillance King 
http://computerking.ca http://canmail.org http://surveillanceking.net 

Surveillance - Sales Service - Hosting Backup 
Internet Based Surveillance Systems 
Custom Service Packages 
Secure IMAP Email - Automated Remote Backups - Photo Blogs - Online ERP and 
Accounting Packages 
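An added diagnostic, not part of the original post or of the nfsen/fprobe-ulog projects: fprobe-ulog exports NetFlow v5 by default, so a small listener on the nfsen host that binds the configured UDP port (10.0.0.120:9995 above) and decodes the v5 header and records shows whether the gateway's datagrams arrive at all, and from which source address. The bind address, port and the sample datagram are constructed for this example; run it with nfcapd stopped, since nfcapd otherwise holds the port.

```python
import socket
import struct
import ipaddress

# NetFlow v5 wire layout (network byte order): 24-byte header, 48-byte records.
HEADER_FMT = "!HHIIIIBBH"               # version, count, sys_uptime, unix_secs,
                                        # unix_nsecs, flow_sequence, engine_type,
                                        # engine_id, sampling_interval
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # srcaddr, dstaddr, nexthop, input, output,
                                        # dPkts, dOctets, first, last, srcport,
                                        # dstport, pad1, tcp_flags, prot, tos,
                                        # src_as, dst_as, src_mask, dst_mask, pad2
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48


def parse_netflow_v5(datagram: bytes) -> dict:
    """Decode one NetFlow v5 UDP payload; reject anything that is not a v5 export."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, _uptime, unix_secs, _nsecs, flow_seq, *_ = struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("header announces more records than the datagram carries")
    records = []
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        records.append({"src": str(ipaddress.IPv4Address(f[0])), "dst": str(ipaddress.IPv4Address(f[1])),
                        "packets": f[5], "bytes": f[6], "sport": f[9], "dport": f[10], "proto": f[13]})
    return {"version": version, "count": count, "unix_secs": unix_secs,
            "flow_sequence": flow_seq, "records": records}


def build_sample_datagram() -> bytes:
    """Constructed v5 export with one HTTP flow, used here so the parser runs offline."""
    header = struct.pack(HEADER_FMT, 5, 1, 1000, 1411394033, 0, 42, 0, 0, 0)
    record = struct.pack(RECORD_FMT, ipaddress.IPv4Address("10.0.0.5").packed,
                         ipaddress.IPv4Address("93.184.216.34").packed, b"\x00" * 4,
                         0, 0, 12, 9000, 500, 900, 51234, 80, 0, 0x18, 6, 0, 0, 0, 0, 0, 0)
    return header + record


def listen_once(bind_ip: str = "10.0.0.120", port: int = 9995, timeout: float = 30.0) -> dict:
    """Wait for a single export on the collector port and return who sent it plus the decoded flows."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        sock.settimeout(timeout)
        data, (src_ip, src_port) = sock.recvfrom(65535)  # raises socket.timeout if nothing arrives
    return {"exporter": src_ip, "exporter_port": src_port, "export": parse_netflow_v5(data)}


if __name__ == "__main__":
    print(listen_once())
```

If the call times out, the datagrams never reach the host (check the exporter address fprobe-ulog is bound to and any filtering between the two VMs); if the exporter address or version surprises you, the nfsen source definition is what needs adjusting.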

_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
