Thank you Adrian.
It's been about 10 hours and still no data.
For NetFlow a template packet might be expected (though it is not normal to
wait that long for one); what about sFlow?
Does it need one also?
I am listening on two protocols to get something useful.
On Wed, Dec 13, 2017 at 11:19 AM, Adrian Popa <adrian.popa...@gmail.com>
wrote:
> Since Netflow v9 uses a templated payload, the collector needs to receive
> a packet describing the template format (what fields are exported). After
> this packet is received, data is processed and saved. You will see the same
> thing with wireshark - when you try to decode the payload with the cflow
> dissector - until a template packet is received, the payload can't be
> decoded.
>
> Normally template packets should be sent out periodically, but it may
> depend on the volume of data being exported.
>
> On Tue, Dec 12, 2017 at 5:16 PM, Oguzhan Kayhan <oguz...@kayhan.name.tr>
> wrote:
>
>> Hello all,
>> I'm trying to get nfsen information from a FortiGate 100D.
>> For test purposes, I enabled both sFlow and NetFlow on the FortiGate.
>>
>> Wan port config is as :
>>
>> --------------
>> config system interface
>> edit "wan1"
>> set vdom "root"
>> set mode pppoe
>> set allowaccess ping
>> set type physical
>> set netflow-sampler both
>> set sflow-sampler enable
>> set sample-rate 512
>> set polling-interval 30
>> ----------------
>> config system sflow
>> set collector-ip 10.1.1.13
>> set collector-port 9994
>> set source-ip 10.1.3.2
>> end
>> config system netflow
>> set collector-ip 10.1.1.13
>> set collector-port 9995
>> set source-ip 10.1.3.2
>> set active-flow-timeout 1
>> end
>> -----------------------
>>
>>
>>
>> When I check with tcpdump, I get the following lines streaming:
>>
>> tcpdump -i any -n udp port 9995 -T cnfp
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535
>> bytes
>> 17:10:37.819012 IP 10.1.3.2.2614 > 10.1.1.13.9995: NetFlow v9,
>> 2921178.370 uptime, 1513091437.000000115, 1 recs
>>
>>
>> and
>>
>> tcpdump -i any -n udp port 9994 -T cnfp
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535
>> bytes
>> 17:13:21.684219 IP 10.1.3.2.2349 > 10.1.1.13.9994: NetFlow v0, 0.001
>> uptime, 167838466.000000000, 5 recs
>> started 0.001, last 0.512
>> 0.0.55.41:32 > 174.32.37.22:13312 >> 0.0.0.1
>> 0 tos 0, 184 (4121 octets)
>> started 2423041.105, last 3117853.792
>> 0.0.0.1:46687 > 0.0.0.144:14226 >> 0.0.0.1
>> 17 tos 0, 4 (128 octets)
>> started 803098.648, last 2206.628
>> 64.0.57.6:0 > 234.87.195.175:5891 >> 227.25.78.189
>> 17 tos 151, 3437380716 (3899816432 octets)
>>
>> -----------------------
>>
>> My nfsen.conf file is:
>>
>> 'peer1' => { 'port' => '9995', 'IP' => '10.1.3.2',
>> 'col'=>'#0000ff','type'=>'netflow' },
>>
>>
>> 'peer2' => { 'port' => '9994', 'IP' => '10.1.3.2',
>> 'col'=>'#0000cf','type'=>'sflow' },
>>
>>
>>
>>
>>
>> But there is no data being collected.
>> I can see the sflow and netflow collectors in ps -ef,
>> but in the folder there are only 276 bytes of data for both peers.
>>
>> Any ideas??
>>
>>
>> Thank you
>>
>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
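The thread's two symptoms can both be reproduced in a few lines. First, a NetFlow v9 collector must drop data FlowSets whose template it has not yet seen, which is why a collector that only ever receives "1 recs" data packets writes nothing. Second, `tcpdump -T cnfp` forces the Cisco NetFlow dissector on whatever arrives, and an sFlow v5 datagram begins with a 32-bit version field (`0x00000005`), so the first 16 bits read as NetFlow "v0" and the rest of the decode is garbage; the port 9994 output above is sFlow being misread, not a broken exporter. The following is an added example (my own code, not nfsen's, nfdump's or anything from the thread); the class, function and field names are my own, the field type numbers come from the NetFlow v9 field definitions, and all datagrams are constructed inline with the thread's addresses and ports as sample values.

```python
import struct
from collections import Counter

TEMPLATE_FLOWSET_ID = 0
OPTIONS_TEMPLATE_FLOWSET_ID = 1

# Subset of NetFlow v9 field types (RFC 3954 numbering) used by this example.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}


class NetflowV9Collector:
    """Toy collector (hypothetical): templates are keyed by exporter, source_id, template_id."""

    def __init__(self):
        self.templates = {}
        self.records = []
        self.stats = Counter()

    def feed(self, exporter, datagram):
        if len(datagram) < 20:
            self.stats["short"] += 1
            return
        # v9 header: version, count, sys_uptime, unix_secs, sequence, source_id
        version, _count, _up, _secs, _seq, source_id = struct.unpack("!HHIIII", datagram[:20])
        if version != 9:
            # An sFlow v5 datagram lands here: its 32-bit version 5 reads as 16-bit version 0.
            self.stats["non_v9"] += 1
            return
        off = 20
        while off + 4 <= len(datagram):
            fs_id, fs_len = struct.unpack("!HH", datagram[off:off + 4])
            if fs_len < 4:
                break
            body = datagram[off + 4:off + fs_len]
            if fs_id == TEMPLATE_FLOWSET_ID:
                self._parse_templates(exporter, source_id, body)
            elif fs_id == OPTIONS_TEMPLATE_FLOWSET_ID:
                self.stats["options_template"] += 1
            else:
                self._parse_data(exporter, source_id, fs_id, body)
            off += fs_len

    def _parse_templates(self, exporter, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[off:off + 4])
            off += 4
            fields = []
            for _ in range(nfields):
                fields.append(struct.unpack("!HH", body[off:off + 4]))
                off += 4
            self.templates[(exporter, source_id, tid)] = fields
            self.stats["templates"] += 1

    def _parse_data(self, exporter, source_id, tid, body):
        fields = self.templates.get((exporter, source_id, tid))
        if fields is None:
            self.stats["undecodable"] += 1  # no template yet: record layout unknown, drop it
            return
        rec_len = sum(flen for _, flen in fields)
        off = 0
        while off + rec_len <= len(body):  # trailing bytes are FlowSet padding
            rec, p = {}, off
            for ftype, flen in fields:
                raw = body[p:p + flen]
                p += flen
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                rec[name] = ".".join(str(b) for b in raw) if ftype in (8, 12) and flen == 4 \
                    else int.from_bytes(raw, "big")
            self.records.append(rec)
            self.stats["records"] += 1
            off += rec_len


# Builders for constructed datagrams (uptime and unix_secs copied from the tcpdump line).
def v9_header(count, source_id=0, seq=0):
    return struct.pack("!HHIIII", 9, count, 2921178, 1513091437, seq, source_id)

def template_flowset(tid, fields):
    body = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", TEMPLATE_FLOWSET_ID, 4 + len(body)) + body

def data_flowset(tid, records):
    body = b"".join(records)
    pad = (-len(body)) % 4
    return struct.pack("!HH", tid, 4 + len(body) + pad) + body + b"\0" * pad

TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]

def sample_record():
    # constructed: 10.1.3.2:2614 -> 10.1.1.13:9995, UDP, 4121 bytes, 184 packets
    return bytes([10, 1, 3, 2, 10, 1, 1, 13]) + struct.pack("!HHBII", 2614, 9995, 17, 4121, 184)

def demo():
    c, exporter = NetflowV9Collector(), "10.1.3.2"
    c.feed(exporter, v9_header(1, seq=1) + data_flowset(256, [sample_record()]))  # dropped
    c.feed(exporter, v9_header(1, seq=2) + template_flowset(256, TEMPLATE_FIELDS))  # template
    c.feed(exporter, v9_header(1, seq=3) + data_flowset(256, [sample_record()]))  # decoded
    sflow_v5 = struct.pack("!II", 5, 1) + b"\0" * 12  # constructed sFlow v5 header start
    c.feed(exporter, sflow_v5)  # counted as non_v9, never mistaken for flow data
    return dict(c.stats), c.records

if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields one `undecodable` FlowSet, one template, one decoded record and one `non_v9` datagram. The diagnostic a practitioner would take from this: count how many data FlowSets arrive per exporter before the first template FlowSet; if the exporter only sends templates on a long refresh timer (or never, as the 10-hour wait here suggests), the collector will sit on unusable records no matter how the peers are configured. For the sFlow port, decode with an sFlow-aware tool (Wireshark's sflow dissector, for instance) rather than `-T cnfp`.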