Hi,
I have been searching on the Internet and browsing the documentation of
the NfSen project in order to learn how to distinguish netflows coming from
different routers to a single port. I didn't find anything in the
documentation but I found a discussion on the nfsen-discuss list
(http://sourceforge.net/p/nfsen/mailman/message/25585501/)
On 2010-06-22 at 14:27:12 Peter Haag answered Michael P. Carel:
> nfsen is able to distinguish sources according to ports and/or IPs. See
> also etc/nfsen-dist.conf in the tar ball.
> NfSen puts all flows from a given IP address and port into the same
> file, which means you can not split sources from
> same IP/port into different files.
> Hope, this helps
> - Peter
I personally tried this configuration for the sources array (based on
Peter's mail and nfsen-dist.conf)
%sources = (
    'router1' => { 'port' => '9995', 'IP' => '10.0.1.120', 'type' => 'netflow' },
    'router2' => { 'port' => '9995', 'IP' => '10.0.1.121', 'type' => 'netflow' },
);
The problem was that one collector did not start
[root@localhost libexec]# /etc/init.d/nfsen start
Starting nfcapd:(router1 router2): collector did not start - see logfile
Starting nfsend.
Looking at the nfcapd processes I realised they were running with wrong
parameters
- according to the nfcapd man page, in order to distinguish sources from
IP, port it must be run with "-n <Ident,IP,base_directory>"
and not using -I or -l.
- My only nfcapd process was running with -I and -l
/usr/bin/nfcapd -w -D -p 9995 -u netflow -g apache -B 200000 -S 1 -P /data/nfsen/var/run/p9995.pid -z -I uyr -l /data/nfsen/profiles-data/live/router2
- I also dug into the code and couldn't find anything relating to
nfcapd and "-n <Ident,IP,base_directory>" parametrization
My question is: Am I doing something wrong? or is this a feature that
got deprecated?
BTW, I know the UDP buffer limitations of using a single port, I just
wanted to try to use it as a filter without having to maintain two
configurations: one for nfsen and the other for iptables
Regards, Nicolás.
--
*Nicolás Matsunaga*
Technology Manager
Tel. +54 (11) 5235-9903
nmatsun...@uyr.com.ar
Av. de Mayo 605 p. 13 of. B
Ciudad de Buenos Aires
Argentina
www.uyr.com.ar
_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
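
Added example, not part of the original message and not NfSen's own code: a small checker that reads a %sources block like the one in the post, groups the sources by port, and prints the nfcapd arguments each port would need, using "-n <Ident,IP,base_directory>" where several sources share a port and rejecting shared-port sources that cannot be told apart by IP. The 'edge' source, the function names, and the use of the source name as the -I ident are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the %sources block from the post plus one invented
# single-port source ('edge') to show the other branch.
SAMPLE_CONF = """
%sources = (
    'router1' => { 'port' => '9995', 'IP' => '10.0.1.120', 'type' => 'netflow' },
    'router2' => { 'port' => '9995', 'IP' => '10.0.1.121', 'type' => 'netflow' },
    'edge'    => { 'port' => '9996', 'type' => 'netflow' },
);
"""
BASE_DIR = "/data/nfsen/profiles-data/live"  # path seen in the post's process listing

ENTRY_RE = re.compile(r"'([^']+)'\s*=>\s*\{([^}]*)\}")
FIELD_RE = re.compile(r"'(\w+)'\s*=>\s*'([^']*)'")

def parse_sources(conf_text):
    """Return {ident: {field: value}} for each entry of a %sources block."""
    return {ident: dict(FIELD_RE.findall(body))
            for ident, body in ENTRY_RE.findall(conf_text)}

def plan_collectors(sources, base_dir=BASE_DIR):
    """Group sources by port and return {port: nfcapd argument list}.

    One source on a port: -I ident -l dir (assumed mapping). Several sources
    on a port: one -n ident,IP,dir per source. Raises ValueError when sources
    sharing a port cannot be told apart by IP.
    """
    by_port = defaultdict(list)
    for ident, fields in sources.items():
        by_port[fields["port"]].append((ident, fields.get("IP")))
    plan = {}
    for port, members in sorted(by_port.items()):
        args = ["-p", port]
        if len(members) == 1:
            ident = members[0][0]
            args += ["-I", ident, "-l", f"{base_dir}/{ident}"]
        else:
            ips = [ip for _, ip in members]
            if None in ips or len(set(ips)) != len(ips):
                raise ValueError(f"port {port}: sources need distinct IPs")
            for ident, ip in members:
                args += ["-n", f"{ident},{ip},{base_dir}/{ident}"]
        plan[port] = args
    return plan

if __name__ == "__main__":
    for port, args in plan_collectors(parse_sources(SAMPLE_CONF)).items():
        print("nfcapd", " ".join(args))
```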