Since NetFlow v9 uses a templated payload, the collector needs to receive a
packet describing the template format (what fields are exported). After
this packet is received, data is processed and saved. You will see the same
thing with Wireshark: when you try to decode the payload with the cflow
dissector, until a template packet is received, the payload can't be
decoded.

Normally template packets should be sent out periodically, but it may
depend on the volume of data being exported.

On Tue, Dec 12, 2017 at 5:16 PM, Oguzhan Kayhan <oguz...@kayhan.name.tr>
wrote:

> Hello all,
> I'm trying to get nfsen information from a FortiGate 100D.
> For test purposes, I enabled both sflow and netflow on the FortiGate.
>
> Wan port config is as :
>
> --------------
> config system interface
>     edit "wan1"
>         set vdom "root"
>         set mode pppoe
>         set allowaccess ping
>         set type physical
>         set netflow-sampler both
>         set sflow-sampler enable
>         set sample-rate 512
>         set polling-interval 30
> ----------------
> config system sflow
>     set collector-ip 10.1.1.13
>     set collector-port 9994
>     set source-ip 10.1.3.2
> end
> config system netflow
>     set collector-ip 10.1.1.13
>     set collector-port 9995
>     set source-ip 10.1.3.2
>     set active-flow-timeout 1
> end
> -----------------------
>
>
>
> When I check with tcpdump I get the following lines streaming:
>
> tcpdump -i any -n udp port 9995 -T cnfp
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535
> bytes
> 17:10:37.819012 IP 10.1.3.2.2614 > 10.1.1.13.9995: NetFlow v9, 2921178.370
> uptime, 1513091437.000000115,  1 recs
>
>
> and
>
> tcpdump -i any -n udp port 9994 -T cnfp
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535
> bytes
> 17:13:21.684219 IP 10.1.3.2.2349 > 10.1.1.13.9994: NetFlow v0, 0.001
> uptime, 167838466.000000000,  5 recs
>   started 0.001, last 0.512
>     0.0.55.41:32 > 174.32.37.22:13312 >> 0.0.0.1
>     0 tos 0, 184 (4121 octets)
>   started 2423041.105, last 3117853.792
>     0.0.0.1:46687 > 0.0.0.144:14226 >> 0.0.0.1
>     17 tos 0, 4 (128 octets)
>   started 803098.648, last 2206.628
>     64.0.57.6:0 > 234.87.195.175:5891 >> 227.25.78.189
>     17 tos 151, 3437380716 (3899816432 octets)
>
> -----------------------
>
> My nfsen.conf file is:
>
> 'peer1'        => { 'port' => '9995', 'IP' => '10.1.3.2',
> 'col'=>'#0000ff','type'=>'netflow' },
>
>
> 'peer2'        => { 'port' => '9994', 'IP' => '10.1.3.2',
> 'col'=>'#0000cf','type'=>'sflow' },
>
>
>
>
>
> But no data is being collected.
> I can see the sflow and netflow collectors in ps -ef,
> but in the folder there are only 276 bytes of data for both peers.
>
> Any ideas??
>
>
> Thank you
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Nfsen-discuss mailing list
> Nfsen-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>
>
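The template dependency described in the reply above, shown as an added example that is not part of the original thread or of nfsen/nfcapd: a minimal NetFlow v9 collector in Python that caches template FlowSets per (source ID, template ID) and can only decode a data FlowSet after the matching template has arrived. The packets, field list, addresses and counters are all constructed here for the demonstration; the field type numbers come from RFC 3954. Feeding the same data packet before and after the template shows why a collector (or the Wireshark cflow dissector) sits on undecodable records until the exporter's periodic template refresh comes through.

```python
import socket
import struct

# NetFlow v9 field types (RFC 3954, section 8) used by the constructed template below
IN_BYTES, IN_PKTS, PROTOCOL, L4_SRC_PORT = 1, 2, 4, 7
IPV4_SRC_ADDR, L4_DST_PORT, IPV4_DST_ADDR = 8, 11, 12
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port",
               8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr"}

HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unixSecs, sequence, sourceID
FLOWSET = struct.Struct("!HH")     # FlowSet id, length (length includes this 4-byte header)


class NetflowV9Collector:
    """Caches templates per (source_id, template_id); data FlowSets decode only once their template is known."""

    def __init__(self):
        self.templates = {}

    def feed(self, packet):
        """Returns (decoded records, template ids of data FlowSets that could not be decoded yet)."""
        version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(packet, 0)
        if version != 9:
            raise ValueError("not NetFlow v9: version %d" % version)
        records, pending, off = [], [], HEADER.size
        while off + FLOWSET.size <= len(packet):
            fs_id, fs_len = FLOWSET.unpack_from(packet, off)
            if fs_len < FLOWSET.size or off + fs_len > len(packet):
                raise ValueError("malformed FlowSet length")  # stop rather than spin on length 0
            body = packet[off + FLOWSET.size:off + fs_len]
            if fs_id == 0:                       # template FlowSet
                self._learn_templates(source_id, body)
            elif fs_id >= 256:                   # data FlowSet; its id names the template
                tmpl = self.templates.get((source_id, fs_id))
                if tmpl is None:
                    pending.append(fs_id)        # no template yet: same state Wireshark shows
                else:
                    records.extend(self._decode(tmpl, body))
            # fs_id 1 (options template) is ignored in this example
            off += fs_len
        return records, pending

    def _learn_templates(self, source_id, body):
        off = 0
        while off + 4 <= len(body):
            template_id, field_count = struct.unpack_from("!HH", body, off)
            off += 4
            if off + 4 * field_count > len(body):
                break                            # truncated template: do not cache a partial one
            fields = [struct.unpack_from("!HH", body, off + 4 * i) for i in range(field_count)]
            off += 4 * field_count
            self.templates[(source_id, template_id)] = fields

    @staticmethod
    def _decode(fields, body):
        rec_len = sum(length for _, length in fields)
        out = []
        for n in range(len(body) // rec_len):    # integer division skips trailing padding
            rec, off = {}, n * rec_len
            for ftype, length in fields:
                raw = body[off:off + length]
                name = FIELD_NAMES.get(ftype, ftype)
                rec[name] = socket.inet_ntoa(raw) if ftype in (IPV4_SRC_ADDR, IPV4_DST_ADDR) \
                    else int.from_bytes(raw, "big")
                off += length
            out.append(rec)
        return out


# Constructed exporter side: builds the packets a device like the one in the thread would send.
def _flowset(fs_id, body):
    body += b"\x00" * (-len(body) % 4)           # pad to a 4-byte boundary as exporters do
    return FLOWSET.pack(fs_id, FLOWSET.size + len(body)) + body


def _packet(source_id, flowsets, count):
    return HEADER.pack(9, count, 123456, 1513091437, 1, source_id) + b"".join(flowsets)


def build_template_packet(source_id, template_id, fields):
    body = struct.pack("!HH", template_id, len(fields)) + \
        b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return _packet(source_id, [_flowset(0, body)], 1)


def build_data_packet(source_id, template_id, records):
    return _packet(source_id, [_flowset(template_id, b"".join(records))], len(records))


def demo():
    """Constructed exchange: data arrives before its template, then the template, then the same data."""
    fields = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2), (L4_DST_PORT, 2),
              (PROTOCOL, 1), (IN_BYTES, 4), (IN_PKTS, 4)]       # 21-byte records
    records = [  # constructed flows, not from the thread's capture
        struct.pack("!4s4sHHBII", socket.inet_aton("10.0.0.5"), socket.inet_aton("192.0.2.10"),
                    2614, 9995, 17, 4121, 184),
        struct.pack("!4s4sHHBII", socket.inet_aton("192.0.2.10"), socket.inet_aton("10.0.0.5"),
                    443, 51234, 6, 1500, 12),
    ]
    collector = NetflowV9Collector()
    data = build_data_packet(1, 256, records)
    before, pending = collector.feed(data)                     # nothing decodable yet
    collector.feed(build_template_packet(1, 256, fields))      # template 256 learned
    after, still_pending = collector.feed(data)                # same bytes now decode
    return {"before": before, "pending": pending, "after": after, "still_pending": still_pending}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it prints an empty record list and a pending template id 256 for the first data packet, then two fully decoded records once the template has been seen. A real collector keys templates per source ID exactly as here, so an exporter that changes source ID or is restarted needs a fresh template before its data is usable again.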