I don't know if nfsen/nfdump can process NetFlow v9 templated payload. Last
time I tried, it couldn't do it.
On Wed, Dec 13, 2017 at 9:39, Adrian Popa (<adrian.popa...@gmail.com>)
wrote:
> I don't know about sflow, sorry...
>
> On Wed, Dec 13, 2017 at 10:35 AM, Oguzhan Kayhan <oguz...@kayhan.name.tr>
> wrote:
>
>> Thank you Adrian.
>> It's been about 10 hours and still no data.
>> For netflow a template packet might be expected (not normal to receive in
>> that long a time), but what about sflow?
>> Does it need one too?
>> I am listening on two protocols to get something useful.
>>
>>
>> On Wed, Dec 13, 2017 at 11:19 AM, Adrian Popa <adrian.popa...@gmail.com>
>> wrote:
>>
>>> Since Netflow v9 uses a templated payload, the collector needs to
>>> receive a packet describing the template format (what fields are exported).
>>> After this packet is received, data is processed and saved. You will see
>>> the same thing with wireshark - when you try to decode the payload with the
>>> cflow dissector - until a template packet is received, the payload can't be
>>> decoded.
>>>
>>> Normally template packets should be sent out periodically, but it may
>>> depend on the volume of data being exported.
>>>
>>> On Tue, Dec 12, 2017 at 5:16 PM, Oguzhan Kayhan <oguz...@kayhan.name.tr>
>>> wrote:
>>>
>>>> Hello all,
>>>> I'm trying to get nfsen information from a FortiGate 100D.
>>>> For test purposes, I enabled both sflow and netflow on the FortiGate.
>>>>
>>>> The WAN port config is:
>>>>
>>>> --------------
>>>> config system interface
>>>> edit "wan1"
>>>> set vdom "root"
>>>> set mode pppoe
>>>> set allowaccess ping
>>>> set type physical
>>>> set netflow-sampler both
>>>> set sflow-sampler enable
>>>> set sample-rate 512
>>>> set polling-interval 30
>>>> ----------------
>>>> config system sflow
>>>> set collector-ip 10.1.1.13
>>>> set collector-port 9994
>>>> set source-ip 10.1.3.2
>>>> end
>>>> config system netflow
>>>> set collector-ip 10.1.1.13
>>>> set collector-port 9995
>>>> set source-ip 10.1.3.2
>>>> set active-flow-timeout 1
>>>> end
>>>> -----------------------
>>>>
>>>>
>>>>
>>>> When I check with tcpdump I get the following lines streaming:
>>>>
>>>> tcpdump -i any -n udp port 9995 -T cnfp
>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol
>>>> decode
>>>> listening on any, link-type LINUX_SLL (Linux cooked), capture size
>>>> 65535 bytes
>>>> 17:10:37.819012 IP 10.1.3.2.2614 > 10.1.1.13.9995: NetFlow v9,
>>>> 2921178.370 uptime, 1513091437.000000115, 1 recs
>>>>
>>>>
>>>> and
>>>>
>>>> tcpdump -i any -n udp port 9994 -T cnfp
>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol
>>>> decode
>>>> listening on any, link-type LINUX_SLL (Linux cooked), capture size
>>>> 65535 bytes
>>>> 17:13:21.684219 IP 10.1.3.2.2349 > 10.1.1.13.9994: NetFlow v0, 0.001
>>>> uptime, 167838466.000000000, 5 recs
>>>> started 0.001, last 0.512
>>>> 0.0.55.41:32 > 174.32.37.22:13312 >> 0.0.0.1
>>>> 0 tos 0, 184 (4121 octets)
>>>> started 2423041.105, last 3117853.792
>>>> 0.0.0.1:46687 > 0.0.0.144:14226 >> 0.0.0.1
>>>> 17 tos 0, 4 (128 octets)
>>>> started 803098.648, last 2206.628
>>>> 64.0.57.6:0 > 234.87.195.175:5891 >> 227.25.78.189
>>>> 17 tos 151, 3437380716 (3899816432 octets)
>>>>
>>>> -----------------------
>>>>
>>>> My nfsen.conf file is:
>>>>
>>>> 'peer1' => { 'port' => '9995', 'IP' => '10.1.3.2',
>>>> 'col'=>'#0000ff','type'=>'netflow' },
>>>>
>>>>
>>>> 'peer2' => { 'port' => '9994', 'IP' => '10.1.3.2',
>>>> 'col'=>'#0000cf','type'=>'sflow' },
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> But there is no data being collected.
>>>> I can see the sflow and netflow collectors in ps -ef,
>>>> but in the folder there are only 276 bytes of data for both peers.
>>>>
>>>> Any ideas??
>>>>
>>>>
>>>> Thank you
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Check out the vibrant tech community on one of the world's most
>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>> _______________________________________________
>>>> Nfsen-discuss mailing list
>>>> Nfsen-discuss@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>>>>
>>>>
>>>
>>
>
>
--
JOSE MANUEL AGUDO CUESTA
Network and Security Engineer
IT Services - C.P.D.
Universidad de Salamanca
+34 923 294 500 ext. 1398
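The point Adrian makes in the thread (a NetFlow v9 collector cannot decode data FlowSets until it has received the template they reference, and until then the payload is effectively opaque, exactly as Wireshark's cflow dissector shows) as an added example, not code from nfsen, nfdump or any of the posters: a minimal Python NetFlow v9 collector that caches templates per exporter and source id, holds back data FlowSets whose template it has not seen, and decodes them once the template arrives. The exporter address 10.1.3.2 is the FortiGate source-ip from the thread; the class and function names (`V9Collector`, `demo`, `build_packet`), the template id 256, its field set and all packet bytes are constructed for the example.

```python
"""Minimal NetFlow v9 collector logic showing the template dependency (RFC 3954).

Added example; not nfsen/nfdump code. Template id, field list and packet
contents are constructed test data.
"""
import struct
from typing import Dict, List, Tuple

# A few field type ids from RFC 3954 section 8.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
IPV4_FIELDS = {8, 12}
TemplateKey = Tuple[str, int, int]  # (exporter ip, source id, template id)


def _fmt(ftype: int, raw: bytes):
    """Dotted quad for IPv4 fields, big-endian integer for everything else."""
    if ftype in IPV4_FIELDS and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


class V9Collector:
    """Caches templates and decodes data FlowSets only once their template is known."""

    def __init__(self) -> None:
        self.templates: Dict[TemplateKey, List[Tuple[int, int]]] = {}
        self.deferred: List[Tuple[TemplateKey, bytes]] = []  # data seen before its template
        self.records: List[dict] = []

    def feed(self, exporter: str, packet: bytes) -> int:
        """Process one UDP payload; return how many records it caused to be decoded."""
        if len(packet) < 20:
            raise ValueError("short NetFlow packet")
        version, _cnt, _up, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError(f"not NetFlow v9 (version {version})")
        before, off = len(self.records), 20
        while off + 4 <= len(packet):
            fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
            if fs_len < 4 or off + fs_len > len(packet):
                raise ValueError("malformed FlowSet length")  # never trust exporter lengths
            body = packet[off + 4:off + fs_len]
            if fs_id == 0:
                self._learn_templates(exporter, source_id, body)
            elif fs_id >= 256:
                self._decode_data((exporter, source_id, fs_id), body)
            # fs_id 1 (options template) and 2..255 (reserved) are ignored here
            off += fs_len
        return len(self.records) - before

    def _learn_templates(self, exporter: str, source_id: int, body: bytes) -> None:
        off = 0
        while off + 4 <= len(body):  # trailing bytes < 4 are 32-bit padding
            tid, nfields = struct.unpack("!HH", body[off:off + 4])
            off += 4
            if off + 4 * nfields > len(body):
                raise ValueError("truncated template")
            fields = [struct.unpack("!HH", body[off + 4 * i:off + 4 * i + 4]) for i in range(nfields)]
            off += 4 * nfields
            self.templates[(exporter, source_id, tid)] = fields
        # Data that arrived before its template can be decoded now.
        waiting, self.deferred = self.deferred, []
        for key, data in waiting:
            self._decode_data(key, data)

    def _decode_data(self, key: TemplateKey, body: bytes) -> None:
        fields = self.templates.get(key)
        if fields is None:
            self.deferred.append((key, body))  # same situation as nfcapd/Wireshark: cannot decode yet
            return
        rec_len = sum(flen for _, flen in fields)
        off = 0
        while rec_len > 0 and off + rec_len <= len(body):  # leftover < rec_len is padding
            rec = {}
            for ftype, flen in fields:
                rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = _fmt(ftype, body[off:off + flen])
                off += flen
            self.records.append(rec)


# --- constructed sample traffic -------------------------------------------
SOURCE_ID = 0
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]  # 21-byte record


def build_packet(source_id: int, seq: int, count: int, flowsets) -> bytes:
    """Assemble a v9 packet from (flowset_id, body) pairs, padding each FlowSet to 4 bytes."""
    out = b""
    for fs_id, fs_body in flowsets:
        fs_body += b"\x00" * ((-len(fs_body)) % 4)
        out += struct.pack("!HH", fs_id, 4 + len(fs_body)) + fs_body
    return struct.pack("!HHIIII", 9, count, 2921178, 1513091437, seq, source_id) + out


def sample_template_packet() -> bytes:
    body = struct.pack("!HH", 256, len(TEMPLATE_FIELDS))
    body += b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE_FIELDS)
    return build_packet(SOURCE_ID, 1, 1, [(0, body)])


def sample_data_packet() -> bytes:
    rec = bytes([10, 1, 3, 50]) + bytes([203, 0, 113, 10])      # src 10.1.3.50 -> dst 203.0.113.10
    rec += struct.pack("!HHB", 51234, 443, 6) + struct.pack("!II", 4121, 184)  # ports, TCP, bytes, pkts
    return build_packet(SOURCE_ID, 2, 1, [(256, rec)])


def demo() -> dict:
    """Data packet first (undecodable), then the template: the held record is decoded."""
    c, exporter = V9Collector(), "10.1.3.2"
    first = c.feed(exporter, sample_data_packet())
    deferred = len(c.deferred)
    second = c.feed(exporter, sample_template_packet())
    return {"decoded_before_template": first, "deferred": deferred,
            "decoded_after_template": second, "records": c.records}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` feeds a data FlowSet before its template (nothing decodable, one FlowSet held), then the template FlowSet, after which the held record comes out with its addresses, ports and counters. A real collector such as nfcapd does not queue indefinitely, so if the exporter's template refresh interval is long (or templates are only sent per N data packets), the data files stay empty, which matches the symptom described in the thread.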