NetFlow data is not written to file until it is decoded. The decoding of
the fields is done after the collector receives a special "template" packet
that describes the fields. It is possible that in some cases your exporter
is not sending this template data often enough. You should be able to test
this by stopping the exporter and restarting exporting (it should send a
template packet). Alternatively, start a packet capture (full packets),
leave it running for a while (>5 minutes), load it into Wireshark, decode
the packets' payloads with the "cflow" dissector and see if you see the
actual fields. If you don't, then you didn't capture a template packet and
you should see your exporter's configuration.

Good luck!

On Mon, Dec 15, 2014 at 11:09 PM, Duddilla, Srikanth <
srikanth.duddi...@centurylink.com> wrote:
>
>  Hello,
>
> I need help in troubleshooting why nfcapd is not collecting any data.
>
> I installed and started nfsen. Nfcapd is not collecting any data. Nfcapd
> data files are always created with 276 bytes which I presume is the header.
>
> I have checked whether port 1501 is receiving any data, and it is.
>
> Nfsen process is running and status shows collector is running.
>
> I noticed nfsen live profile is displaying error “ERR Channel info file
> missing for channel 'Linux-Host-eth1' in 'live' Files: 0    Size: 0”.
>
>
>
> # *nfdump -r /data/nfsen/profiles-data/live/Linux-Host-eth1/nfcapd.current.23479*
>
> Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
>
>
>
> # *tcpdump -i eth1 'udp port 1501'|head -3*
>
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>
> listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
>
> 13:56:51.749999 IP xxxx-xxxx.xxxx.xxxxx.net.33018 >
> netflow-proc1.ngid.centurylink.net.saiscm: UDP, length 242
>
> 13:56:51.750219 IP xxxx-xxxx.xxxx.xxxxx.net.33018 >
> netflow-proc1.ngid.centurylink.net.saiscm: UDP, length 242
>
> 13:56:51.751272 IP xxxx-xxxx.xxxx.xxxxx.net.33018 >
> netflow-proc1.ngid.centurylink.net.saiscm: UDP, length 316
>
> 74 packets captured
>
> 74 packets received by filter
>
> 0 packets dropped by kernel
>
>
>
> # *ps -ef |grep nfsen*
>
> netflow  23481     1  0 08:56 ?        00:00:00 /usr/local/bin/nfcapd -w -D -p 1501 -u netflow -g www -B 200000 -S 1 -P /data/nfsen/var/run/p1501.pid -z -I Linux-Host-eth1 -l /data/nfsen/profiles-data/live/Linux-Host-eth1
>
> netflow  23740     1  0 09:40 ?        00:00:19 /usr/bin/perl -w /data/nfsen/bin/nfsend
>
> netflow  23741 23740  0 09:40 ?        00:00:00 /data/nfsen/bin/nfsend-comm
>
> root     24655 23124  0 13:47 pts/0    00:00:00 grep nfsen
>
>
>
> # *ls -ltr /data/nfsen/profiles-data/live/Linux-Host-eth1/2014/12/15|tail*
>
> -rw-r--r-- 1 netflow www 276 Dec 15 12:40 nfcapd.201412151235
>
> -rw-r--r-- 1 netflow www 276 Dec 15 12:45 nfcapd.201412151240
>
> -rw-r--r-- 1 netflow www 276 Dec 15 12:50 nfcapd.201412151245
>
> -rw-r--r-- 1 netflow www 276 Dec 15 12:55 nfcapd.201412151250
>
> -rw-r--r-- 1 netflow www 276 Dec 15 13:00 nfcapd.201412151255
>
> -rw-r--r-- 1 netflow www 276 Dec 15 13:05 nfcapd.201412151300
>
> -rw-r--r-- 1 netflow www 276 Dec 15 13:10 nfcapd.201412151305
>
> -rw-r--r-- 1 netflow www 276 Dec 15 13:15 nfcapd.201412151310
>
> -rw-r--r-- 1 netflow www 276 Dec 15 13:20 nfcapd.201412151315
>
> -rw-r--r-- 1 netflow www 276 Dec 15 13:25 nfcapd.201412151320
>
>
>
> # *ls -l /data/nfsen/profiles-data/live/Linux-Host-eth1/*
>
> total 12
>
> drwxr-xr-x 4 netflow www 4096 Dec  1 00:05 2014
>
> -rw-r--r-- 1 netflow www  276 Dec 15 13:20 nfcapd.current.23479
>
> -rw-r--r-- 1 netflow www  276 Dec 15 08:50 nfcapd.current.31558
>
>
>
> # *nfsen status*
>
> NfSen version: 1.3.5
>
> NfSen status:
>
> Collector for (Linux-Host-eth1) port 1501 is running [23481].
>
> nfsen daemon:  pid: [23740] is running.
>
>
>
> # *nfsen --get-profile live*
>
> name    live
>
> group   (nogroup)
>
> tcreate Wed Nov 19 08:55:00 2014
>
> tstart  Wed Dec 31 17:00:00 1969
>
> tend    Mon Dec 15 12:15:00 2014
>
> updated Mon Dec 15 12:15:00 2014
>
> expire  0 hours
>
> size    0
>
> maxsize 0
>
> type    live
>
> locked  0
>
> status  OK
>
> version 130
>
> *channel Linux-Host-eth1 sign: + colour: #ff0000 order: 1
> sourcelist: Linux-Host-eth1    ERR Channel info file missing for channel
> 'Linux-Host-eth1' in 'live'*
>
> *   Files: 0    Size: 0*
>
>
>
>
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> *Here is my config file. Nfsen.conf*
>
> $BASEDIR = "/data/nfsen";
>
> $BINDIR="${BASEDIR}/bin";
>
> $LIBEXECDIR="${BASEDIR}/libexec";
>
> $CONFDIR="${BASEDIR}/etc";
>
> $HTMLDIR    = "/var/www/nfsen/";
>
> $DOCDIR="${HTMLDIR}/doc";
>
> $VARDIR="${BASEDIR}/var";
>
> $PROFILESTATDIR="${BASEDIR}/profiles-stat";
>
> $PROFILEDATADIR="${BASEDIR}/profiles-data";
>
> $BACKEND_PLUGINDIR="${BASEDIR}/plugins";
>
> $FRONTEND_PLUGINDIR="${HTMLDIR}/plugins";
>
> $PREFIX  = '/usr/local/bin';
>
> $USER    = "netflow";
>
> $WWWUSER  = "www";
>
> $WWWGROUP = "www";
>
> $BUFFLEN = 200000;
>
> $SUBDIRLAYOUT = 1;
>
> $ZIPcollected   = 1;
>
> $ZIPprofiles    = 1;
>
> $PROFILERS = 2;
>
> $DISKLIMIT = 98;
>
> $PROFILERS = 6;
>
> %sources = (
>
>     'Linux-Host-eth1'   => { 'port' => '1501', 'col' => '#ff0000', 'type' => 'netflow' },
>
> );
>
> $low_water = 90;
>
> $syslog_facility = 'local3';
>
> @plugins = (
>
>     # profile    # module
>
>     # [ '*',     'demoplugin' ],
>
> );
>
> %PluginConf = (
>
>    # For plugin demoplugin
>
>    demoplugin => {
>
>         # scalar
>
>         param2 => 42,
>
>         # hash
>
>         param1 => { 'key' => 'value' },
>
>    },
>
>    # for plugin otherplugin
>
>    otherplugin => [
>
>         # array
>
>         'mary had a little lamb'
>
>    ],
>
> );
>
> $MAIL_FROM   = 'y...@from.example.net';
>
> $SMTP_SERVER = 'localhost';
>
> $MAIL_BODY      = q{
>
> Alert '@alert@' triggered at timeslot @timeslot@
>
> };
>
> 1;
>
>
>
> Thanks
>
> Srikanth Duddilla (Sree)
>
> Email: srikanth.duddi...@centurylink.com
>
>
> _______________________________________________
> Nfsen-discuss mailing list
> Nfsen-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>
>
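
The template dependency described in the reply at the top of this thread, as an added example that is not part of the original messages and is not nfdump code: it classifies the FlowSets in a NetFlow v9 payload and reports whether each data FlowSet could be decoded with the templates seen so far. It assumes the exporter speaks NetFlow v9 (RFC 3954), which the thread does not state; `inspect_v9`, `build_packet` and the sample packets are hypothetical names and constructed data, and the cache key is a simplification of what a real collector tracks.

```python
import struct

V9_HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id
SET_HEADER = struct.Struct("!HH")     # FlowSet id, length (header included)

def inspect_v9(payload, templates):
    """Classify the FlowSets in one NetFlow v9 UDP payload.

    templates maps (source_id, template_id) -> [(field_type, field_len), ...]
    and is updated in place, as a collector's template cache would be.
    Returns a list of (kind, id, decodable) tuples.
    """
    if len(payload) < V9_HEADER.size:
        raise ValueError("truncated export header")
    version, _, _, _, _, source_id = V9_HEADER.unpack_from(payload)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version field is {version})")
    results, offset = [], V9_HEADER.size
    while offset + SET_HEADER.size <= len(payload):
        set_id, length = SET_HEADER.unpack_from(payload, offset)
        if length < SET_HEADER.size or offset + length > len(payload):
            raise ValueError("FlowSet length runs outside the packet")
        body = payload[offset + SET_HEADER.size:offset + length]
        if set_id == 0:  # template FlowSet: one or more template records
            pos = 0
            while pos + 4 <= len(body):
                template_id, nfields = struct.unpack_from("!HH", body, pos)
                end = pos + 4 + 4 * nfields
                if template_id < 256 or end > len(body):
                    break  # trailing padding or a truncated record
                templates[(source_id, template_id)] = [
                    struct.unpack_from("!HH", body, p) for p in range(pos + 4, end, 4)]
                results.append(("template", template_id, True))
                pos = end
        elif set_id == 1:
            results.append(("options-template", set_id, True))
        elif set_id >= 256:  # data FlowSet: its id names the template it needs
            results.append(("data", set_id, (source_id, set_id) in templates))
        offset += length
    return results

def build_packet(source_id, set_id, body):
    """Constructed sample packet: v9 header plus a single FlowSet."""
    header = V9_HEADER.pack(9, 1, 1000, 1418680611, 1, source_id)
    return header + SET_HEADER.pack(set_id, SET_HEADER.size + len(body)) + body

# Constructed samples: template 256 = IPV4_SRC_ADDR(8), IPV4_DST_ADDR(12), IN_BYTES(1)
TEMPLATE_PKT = build_packet(1, 0, struct.pack("!HH6H", 256, 3, 8, 4, 12, 4, 1, 4))
DATA_PKT = build_packet(1, 256, struct.pack("!4s4sI", bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 1500))
```

Fed the UDP payloads of a capture in arrival order with one shared cache, a long run of data FlowSets marked undecodable with no template FlowSet in between matches the situation the reply describes.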