Re: Flow Tools
The problem with flow-tools is that they don't work with Netflow v9. I did find a UDP fanout device that works just as well: https://www.dcbnet.com/datasheet/pr6602ds.html

On Wed, Mar 14, 2018, at 9:39 AM, Michael W. Lucas wrote:
>
> So long as you're on IPv4, flow-tools-ng is pretty decent. They
> haven't been updated because they work well enough. Not grand, but
> okay.
>
> And thanks for buying my book!
>
> ==ml
>
> On Tue, Mar 13, 2018 at 11:39:52AM -0400, Paul Ammann wrote:
> > Hi
> >
> > I've got a problem and I'm hoping OBSD may be able to solve my problem.
> >
> > We bought new firewalls in 2017, but they can only send flow traffic to a
> > single destination. We need to send flow traffic to 3 destinations.
> >
> > I have a copy of Michael Lucas' book Network Flow Analysis, and I've been
> > reading about flow-tools and flowd. Unfortunately there doesn't seem to
> > have been a lot of development on these tools since 2010.
> >
> > Are there any other tools that I may have missed that would help me solve
> > my problem?
> >
> > Thank you in advance.
> >
> > Paul
>
> --
> Michael W. Lucas https://mwl.io/
> nonfiction: https://www.michaelwlucas.com/
> fiction: https://www.michaelwarrenlucas.com/
Re: Flow Tools
On Fri, Mar 16, 2018 at 7:07 PM Stuart Henderson wrote:
> On 2018/03/16 18:54, Michael Price wrote:
> > On a 6.2 box with 6.2 ports and diff applied I get this. Let me know if I'm doing something
> > silly - usually use packages.
> >
> >
> > ===> Verifying specs: bz2 c z ft bz2 c z X11 Xext Xrender cairo expat ffi fontconfig
> > freetype glib-2.0 gobject-2.0 graphite2 gthread-2.0 harfbuzz iconv intl lzma m nfdump pango-1.0
> > pangocairo-1.0 pangoft2-1.0 pcre pixman-1 png pthread rrd xcb xcb-render xcb-shm xml2
> >
> > Missing library for nfdump>=0.0
>
> Ah I see what this is, please add
>
> net/nfdump,-main
>
> to LIB_DEPENDS-nfprofile in the port's Makefile.

That did the trick. I only built on amd64. Installed on a machine already running nfcapd. Seems to be running fine and nfdump parses old and new files.

Michael
Re: Flow Tools
On 2018/03/16 18:54, Michael Price wrote:
> On a 6.2 box with 6.2 ports and diff applied I get this. Let me know if I'm
> doing something silly - usually use packages.
>
>
> ===> Verifying specs: bz2 c z ft bz2 c z X11 Xext Xrender cairo expat ffi
> fontconfig freetype glib-2.0 gobject-2.0 graphite2 gthread-2.0 harfbuzz iconv intl lzma
> m nfdump pango-1.0 pangocairo-1.0 pangoft2-1.0 pcre pixman-1 png pthread rrd xcb xcb-render
> xcb-shm xml2
>
> Missing library for nfdump>=0.0

Ah I see what this is, please add

net/nfdump,-main

to LIB_DEPENDS-nfprofile in the port's Makefile.
Re: Flow Tools
On a 6.2 box with 6.2 ports and diff applied I get this. Let me know if I'm doing something silly - usually use packages. ===> Verifying specs: bz2 c z ft bz2 c z X11 Xext Xrender cairo expat ffi fontconfig freetype glib-2.0 gobject-2.0 graphite2 gthread-2.0 harfbuzz iconv intl lzma m nfdump pango-1.0 pangocairo-1.0 pangoft2-1.0 pcre pixman-1 png pthread rrd xcb xcb-render xcb-shm xml2 Missing library for nfdump>=0.0 Fatal error *** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2182 '/usr/ports/pobj/nfdump-1.6.16/.buildwantlibs') *** Error 1 in /home/ports/net/nfdump (/usr/ports/infrastructure/mk/ bsd.port.mk:2425 'all') On Fri, Mar 16, 2018 at 3:18 PM, Michael Price wrote: > It will be a bit before I am at a machine to build ports. Only have access > to virtual machines running small instances right now. I would be happy to > test it tonight though. > > Michael > > On Fri, Mar 16, 2018 at 12:34 PM Stuart Henderson > wrote: > >> On 2018-03-16, Michael Price wrote: >> > It seems nfdump in ports is a bit behind the latest version though. >> 1.6.15 >> > in particular fixed a few security issues in nfcapd. >> > >> > Is sthen still the contact person for the port? I suppose I could >> submit a >> > patch. >> >> Oh, it moved so portroach no longer picks it up. Can you try this diff >> please? >> >> Index: Makefile >> === >> RCS file: /cvs/ports/net/nfdump/Makefile,v >> retrieving revision 1.21 >> diff -u -p -r1.21 Makefile >> --- Makefile10 Sep 2016 13:03:42 - 1.21 >> +++ Makefile16 Mar 2018 16:30:05 - 
>> @@ -3,24 +3,23 @@ >> COMMENT-main = tools to collect and process netflow data >> COMMENT-nfprofile =filters data from nfdump according to profiles >> >> -V =1.6.13 >> -DISTNAME = nfdump-$V >> +V =1.6.16 >> +GH_ACCOUNT = phaag >> +GH_PROJECT = nfdump >> +GH_TAGNAME = v$V >> FULLPKGNAME-main = nfdump-$V >> FULLPKGNAME-nfprofile =nfprofile-$V >> -REVISION-main =0 >> -REVISION-nfprofile = 0 >> + >> +SHARED_LIBS += nfdump0.0 # 0.0 >> >> CATEGORIES = net >> -HOMEPAGE = http://nfdump.sourceforge.net/ >> >> MAINTAINER = Stuart Henderson >> >> # BSD >> PERMIT_PACKAGE_CDROM = Yes >> >> -WANTLIB = c z >> - >> -MASTER_SITES = ${MASTER_SITE_SOURCEFORGE:=nfdump/} >> +WANTLIB = bz2 c z >> >> CONFIGURE_STYLE = gnu >> >> @@ -35,11 +34,18 @@ CONFIGURE_ARGS += --enable-compat15 \ >> >> MULTI_PACKAGES = -main -nfprofile >> >> -LIB_DEPENDS-main = net/flow-tools>=0.68.5 >> +LIB_DEPENDS-main = archivers/bzip2 \ >> + net/flow-tools>=0.68.5 >> WANTLIB-main = ${WANTLIB} ft >> + >> LIB_DEPENDS-nfprofile =net/rrdtool >> -WANTLIB-nfprofile =${WANTLIB} pthread rrd >> RUN_DEPENDS-nfprofile =nfdump-$V:net/nfdump,-main >> +WANTLIB-nfprofile = ${WANTLIB} >> +WANTLIB-nfprofile += X11 Xext Xrender cairo expat ffi fontconfig freetype >> +WANTLIB-nfprofile += glib-2.0 gobject-2.0 graphite2 gthread-2.0 harfbuzz >> +WANTLIB-nfprofile += iconv intl lzma m nfdump pango-1.0 pangocairo-1.0 >> +WANTLIB-nfprofile += pangoft2-1.0 pcre pixman-1 png pthread rrd xcb >> +WANTLIB-nfprofile += xcb-render xcb-shm xml2 >> >> REORDER_DEPENDENCIES += ${PORTSDIR}/infrastructure/mk/automake.dep >> >> Index: distinfo >> === >> RCS file: /cvs/ports/net/nfdump/distinfo,v >> retrieving revision 1.9 >> diff -u -p -r1.9 distinfo >> --- distinfo17 Dec 2014 14:53:43 - 1.9 >> +++ distinfo16 Mar 2018 16:30:05 - 
>> @@ -1,2 +1,2 @@ >> -SHA256 (nfdump-1.6.13.tar.gz) = JRUzwxbJ/llTEvR3zbBR6cZnUX9J+ >> 3rFtDJJVzDkVpM= >> -SIZE (nfdump-1.6.13.tar.gz) = 662006 >> +SHA256 (nfdump-1.6.16.tar.gz) = sYR5IVxRqY+9+XPvVIRkeA56nZ9/ >> 5z5Pq5q37Io73I8= >> +SIZE (nfdump-1.6.16.tar.gz) = 1814857 >> Index: patches/patch-bin_Makefile_in >> === >> RCS file: patches/patch-bin_Makefile_in >> diff -N patches/patch-bin_Makefile_in >> --- /dev/null 1 Jan 1970 00:00:00 - >>
Re: Flow Tools
It will be a bit before I am at a machine to build ports. Only have access to virtual machines running small instances right now. I would be happy to test it tonight though. Michael On Fri, Mar 16, 2018 at 12:34 PM Stuart Henderson wrote: > On 2018-03-16, Michael Price wrote: > > It seems nfdump in ports is a bit behind the latest version though. > 1.6.15 > > in particular fixed a few security issues in nfcapd. > > > > Is sthen still the contact person for the port? I suppose I could submit > a > > patch. > > Oh, it moved so portroach no longer picks it up. Can you try this diff > please? > > Index: Makefile > === > RCS file: /cvs/ports/net/nfdump/Makefile,v > retrieving revision 1.21 > diff -u -p -r1.21 Makefile > --- Makefile10 Sep 2016 13:03:42 - 1.21 > +++ Makefile16 Mar 2018 16:30:05 - > @@ -3,24 +3,23 @@ > COMMENT-main = tools to collect and process netflow data > COMMENT-nfprofile =filters data from nfdump according to profiles > > -V =1.6.13 > -DISTNAME = nfdump-$V > +V =1.6.16 > +GH_ACCOUNT = phaag > +GH_PROJECT = nfdump > +GH_TAGNAME = v$V > FULLPKGNAME-main = nfdump-$V > FULLPKGNAME-nfprofile =nfprofile-$V > -REVISION-main =0 > -REVISION-nfprofile = 0 > + > +SHARED_LIBS += nfdump0.0 # 0.0 > > CATEGORIES = net > -HOMEPAGE = http://nfdump.sourceforge.net/ > > MAINTAINER = Stuart Henderson > > # BSD > PERMIT_PACKAGE_CDROM = Yes > > -WANTLIB = c z > - > -MASTER_SITES = ${MASTER_SITE_SOURCEFORGE:=nfdump/} > +WANTLIB = bz2 c z > > CONFIGURE_STYLE = gnu 
> > @@ -35,11 +34,18 @@ CONFIGURE_ARGS += --enable-compat15 \ > > MULTI_PACKAGES = -main -nfprofile > > -LIB_DEPENDS-main = net/flow-tools>=0.68.5 > +LIB_DEPENDS-main = archivers/bzip2 \ > + net/flow-tools>=0.68.5 > WANTLIB-main = ${WANTLIB} ft > + > LIB_DEPENDS-nfprofile =net/rrdtool > -WANTLIB-nfprofile =${WANTLIB} pthread rrd > RUN_DEPENDS-nfprofile =nfdump-$V:net/nfdump,-main > +WANTLIB-nfprofile = ${WANTLIB} > +WANTLIB-nfprofile += X11 Xext Xrender cairo expat ffi fontconfig freetype > +WANTLIB-nfprofile += glib-2.0 gobject-2.0 graphite2 gthread-2.0 harfbuzz > +WANTLIB-nfprofile += iconv intl lzma m nfdump pango-1.0 pangocairo-1.0 > +WANTLIB-nfprofile += pangoft2-1.0 pcre pixman-1 png pthread rrd xcb > +WANTLIB-nfprofile += xcb-render xcb-shm xml2 > > REORDER_DEPENDENCIES += ${PORTSDIR}/infrastructure/mk/automake.dep > > Index: distinfo > === > RCS file: /cvs/ports/net/nfdump/distinfo,v > retrieving revision 1.9 > diff -u -p -r1.9 distinfo > --- distinfo17 Dec 2014 14:53:43 - 1.9 > +++ distinfo16 Mar 2018 16:30:05 - > @@ -1,2 +1,2 @@ > -SHA256 (nfdump-1.6.13.tar.gz) = > JRUzwxbJ/llTEvR3zbBR6cZnUX9J+3rFtDJJVzDkVpM= > -SIZE (nfdump-1.6.13.tar.gz) = 662006 > +SHA256 (nfdump-1.6.16.tar.gz) = > sYR5IVxRqY+9+XPvVIRkeA56nZ9/5z5Pq5q37Io73I8= > +SIZE (nfdump-1.6.16.tar.gz) = 1814857 > Index: patches/patch-bin_Makefile_in > === > RCS file: patches/patch-bin_Makefile_in > diff -N patches/patch-bin_Makefile_in > --- /dev/null 1 Jan 1970 00:00:00 - > +++ patches/patch-bin_Makefile_in 16 Mar 2018 16:30:05 - 
> @@ -0,0 +1,14 @@ > +$OpenBSD$ > + > +Index: bin/Makefile.in > +--- bin/Makefile.in.orig > bin/Makefile.in > +@@ -709,7 +709,7 @@ launch = launch.c launch.h > + lib_LTLIBRARIES = libnfdump.la > + libnfdump_la_SOURCES = $(common) $(util) $(filelzo) $(nflist) $(filter) > $(exporter) > + #libnfdump_la_LIBADD = -lz > +-libnfdump_la_LDFLAGS = -release 1.6.15 > ++libnfdump_la_LDFLAGS = > + nfdump_SOURCES = nfdump.c nfdump.h nfstat.c nfstat.h nfexport.c > nfexport.h \ > + $(nflowcache) $(nfprof) > + > Index: patches/patch-bin_util_c > === > RCS file: /cvs/ports/net/nfdump/patches/patch-bin_util_c,v > retrieving revision 1.1 > diff -u -p -r1.1 patch-bin_util_c > --- patches/patch-bin_util_c10 Sep 2016 13:03:42 - 1.1 > +++ patches/patch-bin_util_c16 Mar 2018 16:30:05 - > @@ -1,7 +1,8 @@ > $OpenBSD: patch-bin_util_c,v 1.1 2016/09/10 13:03:42 ajacoutot Exp $ > bin/util.c.origSat Sep 10 10:34:01 2016 > -+++ bin/util.c Sat Sep 10 10:35:46 2016 >
Re: Flow Tools
On 2018-03-16, Michael Price wrote: > It seems nfdump in ports is a bit behind the latest version though. 1.6.15 > in particular fixed a few security issues in nfcapd. > > Is sthen still the contact person for the port? I suppose I could submit a > patch. Oh, it moved so portroach no longer picks it up. Can you try this diff please? Index: Makefile === RCS file: /cvs/ports/net/nfdump/Makefile,v retrieving revision 1.21 diff -u -p -r1.21 Makefile --- Makefile10 Sep 2016 13:03:42 - 1.21 +++ Makefile16 Mar 2018 16:30:05 - @@ -3,24 +3,23 @@ COMMENT-main = tools to collect and process netflow data COMMENT-nfprofile =filters data from nfdump according to profiles -V =1.6.13 -DISTNAME = nfdump-$V +V =1.6.16 +GH_ACCOUNT = phaag +GH_PROJECT = nfdump +GH_TAGNAME = v$V FULLPKGNAME-main = nfdump-$V FULLPKGNAME-nfprofile =nfprofile-$V -REVISION-main =0 -REVISION-nfprofile = 0 + +SHARED_LIBS += nfdump0.0 # 0.0 CATEGORIES = net -HOMEPAGE = http://nfdump.sourceforge.net/ MAINTAINER = Stuart Henderson # BSD PERMIT_PACKAGE_CDROM = Yes -WANTLIB = c z - -MASTER_SITES = ${MASTER_SITE_SOURCEFORGE:=nfdump/} +WANTLIB = bz2 c z CONFIGURE_STYLE = gnu 
@@ -35,11 +34,18 @@ CONFIGURE_ARGS += --enable-compat15 \ MULTI_PACKAGES = -main -nfprofile -LIB_DEPENDS-main = net/flow-tools>=0.68.5 +LIB_DEPENDS-main = archivers/bzip2 \ + net/flow-tools>=0.68.5 WANTLIB-main = ${WANTLIB} ft + LIB_DEPENDS-nfprofile =net/rrdtool -WANTLIB-nfprofile =${WANTLIB} pthread rrd RUN_DEPENDS-nfprofile =nfdump-$V:net/nfdump,-main +WANTLIB-nfprofile = ${WANTLIB} +WANTLIB-nfprofile += X11 Xext Xrender cairo expat ffi fontconfig freetype +WANTLIB-nfprofile += glib-2.0 gobject-2.0 graphite2 gthread-2.0 harfbuzz +WANTLIB-nfprofile += iconv intl lzma m nfdump pango-1.0 pangocairo-1.0 +WANTLIB-nfprofile += pangoft2-1.0 pcre pixman-1 png pthread rrd xcb +WANTLIB-nfprofile += xcb-render xcb-shm xml2 REORDER_DEPENDENCIES += ${PORTSDIR}/infrastructure/mk/automake.dep Index: distinfo === RCS file: /cvs/ports/net/nfdump/distinfo,v retrieving revision 1.9 diff -u -p -r1.9 distinfo --- distinfo17 Dec 2014 14:53:43 - 1.9 +++ distinfo16 Mar 2018 16:30:05 - @@ -1,2 +1,2 @@ -SHA256 (nfdump-1.6.13.tar.gz) = JRUzwxbJ/llTEvR3zbBR6cZnUX9J+3rFtDJJVzDkVpM= -SIZE (nfdump-1.6.13.tar.gz) = 662006 +SHA256 (nfdump-1.6.16.tar.gz) = sYR5IVxRqY+9+XPvVIRkeA56nZ9/5z5Pq5q37Io73I8= +SIZE (nfdump-1.6.16.tar.gz) = 1814857 Index: patches/patch-bin_Makefile_in === RCS file: patches/patch-bin_Makefile_in diff -N patches/patch-bin_Makefile_in --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-bin_Makefile_in 16 Mar 2018 16:30:05 - 
@@ -0,0 +1,14 @@ +$OpenBSD$ + +Index: bin/Makefile.in +--- bin/Makefile.in.orig bin/Makefile.in +@@ -709,7 +709,7 @@ launch = launch.c launch.h + lib_LTLIBRARIES = libnfdump.la + libnfdump_la_SOURCES = $(common) $(util) $(filelzo) $(nflist) $(filter) $(exporter) + #libnfdump_la_LIBADD = -lz +-libnfdump_la_LDFLAGS = -release 1.6.15 ++libnfdump_la_LDFLAGS = + nfdump_SOURCES = nfdump.c nfdump.h nfstat.c nfstat.h nfexport.c nfexport.h \ + $(nflowcache) $(nfprof) + Index: patches/patch-bin_util_c === RCS file: /cvs/ports/net/nfdump/patches/patch-bin_util_c,v retrieving revision 1.1 diff -u -p -r1.1 patch-bin_util_c --- patches/patch-bin_util_c10 Sep 2016 13:03:42 - 1.1 +++ patches/patch-bin_util_c16 Mar 2018 16:30:05 - @@ -1,7 +1,8 @@ $OpenBSD: patch-bin_util_c,v 1.1 2016/09/10 13:03:42 ajacoutot Exp $ bin/util.c.origSat Sep 10 10:34:01 2016 -+++ bin/util.c Sat Sep 10 10:35:46 2016 -@@ -41,6 +41,7 @@ +Index: bin/util.c +--- bin/util.c.orig bin/util.c +@@ -38,6 +38,7 @@ #include #include #include Index: pkg/PLIST-main === RCS file: /cvs/ports/net/nfdump/pkg/PLIST-main,v retrieving revision 1.5 diff -u -p -r1.5 PLIST-main --- pkg/PLIST-main 3 May 2013 01:16:36 - 1.5 +++ pkg/PLIST-main 16 Mar 2018 16:30:05 - @@ -8,6 +8,9 @@ @bin bin/nfexpire @bin bin/nfreplay @bin bin/sfcapd +lib/libnfdump.a +lib/libnfdump.la +@lib lib/libnfdump.so.${LIBnfdump_VERSION} @man man/man1/ft2nfdump.1 @man man/man1/nfanon.1 @man man/man1/nfcapd.1
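Review bot: in the first Makefile hunk, the bump of V to 1.6.16 is what brings in the nfcapd security fixes that an earlier message in this thread attributes to 1.6.15, so this update is worth landing for that reason alone; dropping HOMEPAGE at the same time as the SourceForge MASTER_SITES relies on the default that GH_ACCOUNT/GH_PROJECT supply, so confirm the GitHub page is the intended home page now that the SourceForge site is gone.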
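Review bot: in the second Makefile hunk, WANTLIB-nfprofile now lists nfdump, but LIB_DEPENDS-nfprofile still names only net/rrdtool, so the libnfdump shared library that SHARED_LIBS now produces in the -main subpackage is never declared as a library dependency of -nfprofile and the build stops at "Missing library for nfdump>=0.0"; add `net/nfdump,-main` to LIB_DEPENDS-nfprofile next to the existing `RUN_DEPENDS-nfprofile = nfdump-$V:net/nfdump,-main` line.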
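Review bot: the new patch-bin_Makefile_in empties libnfdump_la_LDFLAGS to drop upstream's `-release 1.6.15`, which is what lets SHARED_LIBS (nfdump 0.0) control the library's name and version instead of a libnfdump-1.6.15 soname that would change with every upstream release; a one-line comment in the patch file saying so would help the next updater, since the `-release` string is already stale in a 1.6.16 tarball and the reason for removing it is not obvious from the diff alone.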
Re: Flow Tools
It seems nfdump in ports is a bit behind the latest version though. 1.6.15 in particular fixed a few security issues in nfcapd.

Is sthen still the contact person for the port? I suppose I could submit a patch.

Michael

On Wed, Mar 14, 2018 at 6:41 PM Diana Eichert wrote:
> I 2nd nfdump, then again I like tcpdump too ;-)
>
> On Wed, 14 Mar 2018, Daniel Melameth wrote:
>
> > On Wed, Mar 14, 2018 at 3:06 AM, Gregory Edigarov wrote:
> >> Sorry, if I hijack the thread, but what do you guys use for netflow
> >> analysis?
> >> Only know nfsen in ports, but sometimes I need a more versatile tool.
> >
> > nfdump is rather powerful if you don't need a pretty GUI; it's like
> > tcpdump, but for NetFlow/IPFIX data. I have it scripted to produce
> > regular reports, but also run it ad hoc.
Re: Flow Tools
I 2nd nfdump, then again I like tcpdump too ;-)

On Wed, 14 Mar 2018, Daniel Melameth wrote:
> On Wed, Mar 14, 2018 at 3:06 AM, Gregory Edigarov wrote:
> > Sorry, if I hijack the thread, but what do you guys use for netflow
> > analysis?
> > Only know nfsen in ports, but sometimes I need a more versatile tool.
>
> nfdump is rather powerful if you don't need a pretty GUI; it's like
> tcpdump, but for NetFlow/IPFIX data. I have it scripted to produce
> regular reports, but also run it ad hoc.
Re: Flow Tools
On Wed, Mar 14, 2018 at 3:06 AM, Gregory Edigarov wrote:
> Sorry, if I hijack the thread, but what do you guys use for netflow
> analysis?
> Only know nfsen in ports, but sometimes I need a more versatile tool.

nfdump is rather powerful if you don't need a pretty GUI; it's like tcpdump, but for NetFlow/IPFIX data. I have it scripted to produce regular reports, but also run it ad hoc.
Re: Flow Tools
On 03/14/2018 10:06 AM, Gregory Edigarov wrote:
> Sorry, if I hijack the thread, but what do you guys use for netflow
> analysis?

This looks quite interesting: https://github.com/robcowart/elastiflow

I have not tried it but would like to when time allows.

--
Tommy Nevtelen
Re: Flow Tools
On Wed, 14 Mar 2018, at 9:06 AM, Gregory Edigarov wrote:
> Sorry, if I hijack the thread, but what do you guys use for netflow
> analysis?
> Only know nfsen in ports, but sometimes I need a more versatile tool.
>

R works for me. https://www.r-project.org/

--
Steve P
Re: Flow Tools
Sorry, if I hijack the thread, but what do you guys use for netflow analysis?
Only know nfsen in ports, but sometimes I need a more versatile tool.

On 13.03.18 20:35, Diana Eichert wrote:
> I've been using samplicator to fanout UDP flow data for years.
>
> https://github.com/sleinen/samplicator
>
> diana
>
> On Tue, 13 Mar 2018, Paul Ammann wrote:
> > Hi
> >
> > I've got a problem and I'm hoping OBSD may be able to solve my problem.
> >
> > We bought new firewalls in 2017, but they can only send flow traffic to a
> > single destination. We need to send flow traffic to 3 destinations.
> >
> > I have a copy of Michael Lucas' book Network Flow Analysis, and I've been
> > reading about flow-tools and flowd. Unfortunately there doesn't seem to
> > have been a lot of development on these tools since 2010.
> >
> > Are there any other tools that I may have missed that would help me solve
> > my problem?
> >
> > Thank you in advance.
> >
> > Paul
Re: Flow Tools
I've been using samplicator to fanout UDP flow data for years.

https://github.com/sleinen/samplicator

diana

On Tue, 13 Mar 2018, Paul Ammann wrote:
> Hi
>
> I've got a problem and I'm hoping OBSD may be able to solve my problem.
>
> We bought new firewalls in 2017, but they can only send flow traffic to a
> single destination. We need to send flow traffic to 3 destinations.
>
> I have a copy of Michael Lucas' book Network Flow Analysis, and I've been
> reading about flow-tools and flowd. Unfortunately there doesn't seem to
> have been a lot of development on these tools since 2010.
>
> Are there any other tools that I may have missed that would help me solve
> my problem?
>
> Thank you in advance.
>
> Paul
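A minimal UDP fanout of the kind samplicator performs, added here as an example and not samplicator's own code: each datagram received on the collector port is re-sent unchanged to every configured destination, and only datagrams from allowlisted exporter addresses are replicated, so the fanout cannot be used to multiply unsolicited traffic toward the collectors. The exporter and collector addresses are constructed; note that the copies leave with the fanout host's own source address (samplicator can optionally preserve the exporter's, this version does not), which matters to collectors that identify exporters by source IP.

```python
import select
import socket

FLOW_PORT = 2055  # constructed: the port the firewall is pointed at

# Constructed addresses: one firewall exporting flows, three collectors.
EXPORTERS = {"192.0.2.1"}
COLLECTORS = [("10.0.1.10", FLOW_PORT), ("10.0.1.11", FLOW_PORT), ("10.0.1.12", FLOW_PORT)]


class RecordingSocket:
    """Stand-in for a UDP socket that only records sendto() calls (dry runs/tests)."""

    def __init__(self):
        self.sent = []

    def sendto(self, data, dest):
        self.sent.append((data, dest))


class UdpFanout:
    """Replicate every accepted datagram to all destinations.

    `sock` may be injected (an already-bound socket, or RecordingSocket for a
    dry run); otherwise a UDP socket is created and bound to `listen`.
    `allowed_sources` is the set of exporter IPs whose datagrams are copied;
    anything else is dropped so a stray sender cannot turn the fanout into an
    amplifier aimed at the collectors.
    """

    def __init__(self, listen, destinations, allowed_sources=None, sock=None):
        self.destinations = [(host, int(port)) for host, port in destinations]
        self.allowed_sources = set(allowed_sources) if allowed_sources else None
        if sock is None:
            sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            sock.bind(listen)
        self.sock = sock
        self.stats = {"received": 0, "dropped": 0, "copies": 0}

    def forward(self, data, src):
        """Copy one datagram from `src` to every destination; returns copies sent."""
        self.stats["received"] += 1
        if self.allowed_sources is not None and src[0] not in self.allowed_sources:
            self.stats["dropped"] += 1
            return 0
        copies = 0
        for dest in self.destinations:
            try:
                self.sock.sendto(data, dest)
                copies += 1
            except OSError:
                # One unreachable collector must not stop the others getting data.
                pass
        self.stats["copies"] += copies
        return copies

    def serve_once(self, timeout=1.0):
        """Wait for one datagram and forward it; None if nothing arrived in time."""
        readable, _, _ = select.select([self.sock], [], [], timeout)
        if not readable:
            return None
        data, src = self.sock.recvfrom(65535)
        return self.forward(data, src)

    def serve_forever(self):
        while True:
            self.serve_once(timeout=None)


if __name__ == "__main__":
    # Dry run with the recording socket; drop the sock= argument and call
    # serve_forever() to replicate real flow datagrams arriving on UDP/2055.
    dry = RecordingSocket()
    fanout = UdpFanout(("0.0.0.0", FLOW_PORT), COLLECTORS, allowed_sources=EXPORTERS, sock=dry)
    print(fanout.forward(b"\x00\x05" + b"\x00" * 22, ("192.0.2.1", 40000)), "copies sent")
    print(fanout.forward(b"junk", ("198.51.100.9", 1)), "copies sent (source not allowlisted)")
    print(fanout.stats)
```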
Re: Flow Tools
Peter

Thanks Buddy ... I don't know how I missed that :)
Got to try that out on OpenBSD. So thanks for the tip, Peter...

On 13 March 2018 at 17:03, Peter N. M. Hansteen wrote:
> On 03/13/18 17:44, Tom Smyth wrote:
>> Paul ...
>> You could look at pmacct by Paolo Lucente; he is a cool guy...
>> It has multiple flow aggregation and translation capabilities ...
>> I don't think it is in ports yet... I'd like to get off my ass and do it some
>> day as I think it is awesome ...
>
> pmacct is in ports - http://openports.se/net/pmacct so likely
> straightforward to get started
>
> - P
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>

--
Kindest regards,
Tom Smyth
Mobile: +353 87 6193172

The information contained in this E-mail is intended only for the confidential use of the named recipient. If the reader of this message is not the intended recipient or the person responsible for delivering it to the recipient, you are hereby notified that you have received this communication in error and that any review, dissemination or copying of this communication is strictly prohibited. If you have received this in error, please notify the sender immediately by telephone at the number above and erase the message. You are requested to carry out your own virus check before opening any attachment.
Re: Flow Tools
On 03/13/18 17:44, Tom Smyth wrote:
> Paul ...
> You could look at pmacct by Paolo Lucente; he is a cool guy...
> It has multiple flow aggregation and translation capabilities ...
> I don't think it is in ports yet... I'd like to get off my ass and do it some
> day as I think it is awesome ...

pmacct is in ports - http://openports.se/net/pmacct so likely straightforward to get started

- P

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Flow Tools
Paul ...
You could look at pmacct by Paolo Lucente; he is a cool guy...
It has multiple flow aggregation and translation capabilities ...
I don't think it is in ports yet... I'd like to get off my ass and do it some day as I think it is awesome ...

On 13 Mar 2018 12:08, "Paul Ammann" wrote:
> Hi
>
> I've got a problem and I'm hoping OBSD may be able to solve my problem.
>
> We bought new firewalls in 2017, but they can only send flow traffic to a
> single destination. We need to send flow traffic to 3 destinations.
>
> I have a copy of Michael Lucas' book Network Flow Analysis, and I've been
> reading about flow-tools and flowd. Unfortunately there doesn't seem to
> have been a lot of development on these tools since 2010.
>
> Are there any other tools that I may have missed that would help me solve
> my problem?
>
> Thank you in advance.
>
> Paul
>
Re: Flow Tools
On 03/13/18 16:39, Paul Ammann wrote:
> I've got a problem and I'm hoping OBSD may be able to solve my problem.
>
> We bought new firewalls in 2017, but they can only send flow traffic to a
> single destination. We need to send flow traffic to 3 destinations.

How do you generate the flows? pflow(4) or some other method?

> I have a copy of Michael Lucas' book Network Flow Analysis, and I've been
> reading about flow-tools and flowd. Unfortunately there doesn't seem to have
> been a lot of development on these tools since 2010.
>
> Are there any other tools that I may have missed that would help me solve my
> problem?

I had to check by configuring a second pflow interface on my home gateway here, and it seems you can indeed have more than one pflow interface (the other option that comes to mind is some fairly specific rules for your netflow data with dup-to, but that may be pushing the number of hoops to jump through too far).

Michael's book is probably still the best reference on netflow. I describe a setup with pflow and nfsen at http://bsdly.blogspot.com/2014/02/yes-you-too-can-be-evil-network.html - that post is from 2014 but the basics should still apply.

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Flow Tools
Hi

I've got a problem and I'm hoping OBSD may be able to solve my problem.

We bought new firewalls in 2017, but they can only send flow traffic to a single destination. We need to send flow traffic to 3 destinations.

I have a copy of Michael Lucas' book Network Flow Analysis, and I've been reading about flow-tools and flowd. Unfortunately there doesn't seem to have been a lot of development on these tools since 2010.

Are there any other tools that I may have missed that would help me solve my problem?

Thank you in advance.

Paul
Re: nfsend, nfdump and flow-tools - file formats and statistics
On Fri, Feb 28, 2014 at 21:34:07 -0300, Giancarlo Razzolini wrote:
> On 28-02-2014 17:16, LEVAI Daniel wrote:
[...]
> > 1) Using nfdump seems pretty straightforward, but no matter how I try to
> > shape my output, I always get '1970-01-01 01:00:00.000' as "Date first
> > seen" time. Also, "Duration" is always 0.000 ... Any ideas why?
[...]
> First of all, what flowproto do you have set in your pflow interface. I
> had the same problem with the first time seen date, and I was using
> flowproto 10. There had been some recent (as in 5.5) commits that seem
> to correct this issue. I had to switch back to flowproto 5. Try that and
> see if it helps.

Thank you Giancarlo, that was the culprit for the time issue! I was using pflowproto 10, indeed. Changing it to 5 immediately solved this problem!

Thanks again :)

Daniel

--
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D 650C C69B BE4C 83B6 3A8F
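An added illustration (not code from the thread) of where a collector gets "Date first seen" and "Duration" in the NetFlow v5 format that fixed the problem above: only the header carries wall-clock time, each record carries First/Last as milliseconds of exporter uptime, and the collector combines the two, so a header whose clock is zero is what renders as 1970-01-01. The datagram below is constructed and parsed offline, with the length and version checks a collector fed from an untrusted UDP socket needs before it touches any record.

```python
import socket
import struct
from datetime import datetime, timezone

# NetFlow v5 wire layout (network byte order): 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def _abs_time(hdr, uptime_ms):
    """Turn a record's uptime offset (ms since exporter boot) into a Unix timestamp.

    v5 records carry no wall-clock time of their own; only the header does.
    """
    export_wall = hdr["unix_secs"] + hdr["unix_nsecs"] / 1e9
    return export_wall - (hdr["sys_uptime"] - uptime_ms) / 1000.0


def parse_v5(packet):
    """Decode one NetFlow v5 datagram into (header, flows, warnings)."""
    if len(packet) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    fields = V5_HEADER.unpack_from(packet, 0)
    hdr = dict(zip(("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                    "flow_sequence", "engine_type", "engine_id", "sampling"), fields))
    if hdr["version"] != 5:
        raise ValueError("not NetFlow v5 (version %d)" % hdr["version"])
    if not 1 <= hdr["count"] <= 30:
        raise ValueError("v5 record count out of range: %d" % hdr["count"])
    need = V5_HEADER.size + hdr["count"] * V5_RECORD.size
    if len(packet) < need:
        # Trusting `count` over the real length is how a parser reads past its buffer.
        raise ValueError("truncated: %d bytes, header promises %d" % (len(packet), need))

    warnings = []
    if hdr["unix_secs"] == 0:
        # A zero header clock makes every record decode to 1970-01-01, the
        # symptom a collector shows when it has no usable timestamp.
        warnings.append("exporter wall clock is 0; all flows will render as the epoch")

    flows = []
    for i in range(hdr["count"]):
        r = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        first_ms, last_ms = r[7], r[8]
        if first_ms > hdr["sys_uptime"] or last_ms < first_ms:
            warnings.append("record %d: First/Last inconsistent with sys_uptime" % i)
        flows.append({
            "src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
            "sport": r[9], "dport": r[10], "proto": r[13],
            "packets": r[5], "bytes": r[6],
            "start": _abs_time(hdr, first_ms), "end": _abs_time(hdr, last_ms),
            "duration_ms": last_ms - first_ms,
        })
    return hdr, flows, warnings


def fmt_time(ts):
    """Render a timestamp like nfdump's 'Date first seen' column (UTC here)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]


def build_sample_packet(unix_secs=1393617394, sys_uptime=600000):
    """Constructed test datagram: two flows exported 10 minutes after boot."""
    def rec(src, dst, first, last, sport, dport, proto, pkts, octets):
        return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                              1, 2, pkts, octets, first, last, sport, dport,
                              0, 0x18, proto, 0, 0, 0, 24, 24, 0)
    hdr = V5_HEADER.pack(5, 2, sys_uptime, unix_secs, 0, 1, 0, 0, 0)
    # Flow 1: TCP/443, started 60 s before export and ended 1 s before it.
    # Flow 2: a single-packet DNS query whose First == Last (duration 0.000).
    return (hdr
            + rec("10.0.0.1", "192.0.2.10", 540000, 599000, 51234, 443, 6, 42, 61000)
            + rec("10.0.0.2", "192.0.2.53", 598000, 598000, 40000, 53, 17, 1, 76))


if __name__ == "__main__":
    hdr, flows, warns = parse_v5(build_sample_packet())
    for f in flows:
        print(fmt_time(f["start"]), "%.3f" % (f["duration_ms"] / 1000.0),
              f["proto"], f["src"], f["sport"], "->", f["dst"], f["dport"])
    for w in warns:
        print("warning:", w)
```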
Re: nfsend, nfdump and flow-tools - file formats and statistics
On 28-02-2014 17:16, LEVAI Daniel wrote:
> Hi!
>
> Under the spell of the recent undeadly article about pflow(4) and stuff,
> I started to fool around with nfsen and pflow a bit.
> The setup was really easy... I had the nfsen web interface up and
> running and displaying uninteresting graphs in no time. (I must say,
> the system is a 5.4-stable).
>
> But eventually, I wanted to see what kind of reports I can get from the
> collected data using the command line. So I started to read about nfdump
> and flow-tools' utilities.
>
> 1) Using nfdump seems pretty straightforward, but no matter how I try to
> shape my output, I always get '1970-01-01 01:00:00.000' as "Date first
> seen" time. Also, "Duration" is always 0.000 ... Any ideas why?
>
> 2) I tried to use the flow-tools utilities with the data captured by
> nfcapd (from nfsen), but eg. flow-print and flow-report says:
> flow-print: ftiheader_read(): Warning, bad magic number
> flow-print: ftiheader_read(): failed
> flow-print: ftio_init(): failed
> ... when I try to open the nfcapd.* files.
> Well, okay, but how can I use the captured data with flow-tools? Can I?
>
>
> Thanks in advance for some insight :)
>
>
> Daniel
>

First of all, what flowproto do you have set in your pflow interface. I had the same problem with the first time seen date, and I was using flowproto 10. There had been some recent (as in 5.5) commits that seem to correct this issue. I had to switch back to flowproto 5. Try that and see if it helps.

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
Re: nfsend, nfdump and flow-tools - file formats and statistics
On Fri, 28 Feb 2014 21:16:34 +0100 LEVAI Daniel wrote:
> 1) Using nfdump seems pretty straightforward, but no matter how I try
> to shape my output, I always get '1970-01-01 01:00:00.000' as "Date
> first seen" time. Also, "Duration" is always 0.000 ... Any ideas why?

I get nice results with:

nfdump -R /usr/local/var/nfsen/profiles-data/live/location03/ -n 20 -s srcip/bytes

...on FreeBSD though, but that shouldn't matter.

--
Marko Cupać
nfsend, nfdump and flow-tools - file formats and statistics
Hi!

Under the spell of the recent undeadly article about pflow(4) and stuff, I started to fool around with nfsen and pflow a bit.
The setup was really easy... I had the nfsen web interface up and running and displaying uninteresting graphs in no time. (I must say, the system is a 5.4-stable).

But eventually, I wanted to see what kind of reports I can get from the collected data using the command line. So I started to read about nfdump and flow-tools' utilities.

1) Using nfdump seems pretty straightforward, but no matter how I try to shape my output, I always get '1970-01-01 01:00:00.000' as "Date first seen" time. Also, "Duration" is always 0.000 ... Any ideas why?

2) I tried to use the flow-tools utilities with the data captured by nfcapd (from nfsen), but eg. flow-print and flow-report say:
flow-print: ftiheader_read(): Warning, bad magic number
flow-print: ftiheader_read(): failed
flow-print: ftio_init(): failed
... when I try to open the nfcapd.* files.
Well, okay, but how can I use the captured data with flow-tools? Can I?

Thanks in advance for some insight :)

Daniel

--
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D 650C C69B BE4C 83B6 3A8F
Re: reporting a bug in ports/net/flow-tools?
On Tue, 27 Apr 2010 17:41 +0300, "Stas Miasnikou" wrote:
> Michael W. Lucas:
> > Sendbug doesn't seem to have a "ports" option, and my bug report
> > doesn't have a single recommended solution in any case, so I'm asking
> > here.
> >
> > The flow-log2rrd, flow-rpt2rrd, and flow-rptfmt programs in flow-tools
> > each start with the line:
> >
> > #!/bin/env python
> >
> > This won't work on OpenBSD. OpenBSD's env is in /usr/bin, and python
> > is installed (at least on my system) as /usr/local/bin/python2.5.
> > There is no generic "python" command. These programs will run under
> > any of the 3 python ports.
>
> The python packages tell you to make symbolic links when you install
> them. Not sure about ports though.

Ports are the same, and after the install pkg_info will tell you again; see the "Install notice":

$ pkg_info python
Information for inst:python-2.5.4p2

Comment:
interpreted object-oriented programming language

Required by:
libxslt-1.1.26
py-libxml-2.7.6

Description:
Python is an interpreted, interactive, object-oriented programming
language that combines remarkable power with very clear syntax. For
an introduction to programming in Python you are referred to the
Python Tutorial. The Python Library Reference documents built-in
and standard types, constants, functions and modules. Finally, the
Python Reference Manual describes the syntax and semantics of the
core language in (perhaps too) much detail.

Python's basic power can be extended with your own modules written
in C or C++. On most systems such modules may be dynamically loaded.
Python is also adaptable as an extension language for existing
applications. See the internal documentation for hints.

Maintainer: Damien Miller

WWW: http://www.python.org/

Install notice:
If you want to use this package as your default system python, as root
create symbolic links like so (overwriting any previous default):
 ln -sf /usr/local/bin/python2.5 /usr/local/bin/python
 ln -sf /usr/local/bin/python2.5-config /usr/local/bin/python-config
 ln -sf /usr/local/bin/pydoc2.5 /usr/local/bin/pydoc
Re: reporting a bug in ports/net/flow-tools?
On Tue, Apr 27, 2010 at 05:36:15PM +0300, Antti Harri wrote:
> On Tue, 27 Apr 2010, Michael W. Lucas wrote:
>
> >Hi,
> >
> >Sendbug doesn't seem to have a "ports" option, and my bug report
> >doesn't have a single recommended solution in any case, so I'm asking
> >here.
> >
> >The flow-log2rrd, flow-rpt2rrd, and flow-rptfmt programs in flow-tools
> >each start with the line:
> >
> >#!/bin/env python
> >
> >This won't work on OpenBSD. OpenBSD's env is in /usr/bin, and python
> >is installed (at least on my system) as /usr/local/bin/python2.5.
> >There is no generic "python" command. These programs will run under
> >any of the 3 python ports.
> >
> >I could argue that these should start with any of the following:
> >
> >#!/usr/bin/env python2.5
> >#!/usr/local/bin/python2.5
> >(repeat for python 2.4 and 2.6)
> >
> >So, what is the OpenBSD-style resolution for this sort of thing?
> >
> >I don't care what the solution is, I just want flow-tools to work out
> >of the box.
> >
> >Out of curiosity, is there any interest in a port of the new
> >flow-tools fork? It fixes many corruption bugs on 64-bit systems.
> >
> >Thanks,
>
> You should symlink one of the pythonX.Y binaries to 'python',
> as the post-install message for python packages suggests.

Fair enough. Python was one of many dependencies in an earlier install, so I missed that message.

But that still leaves the bogus /bin/env problem in this particular package.

==ml

--
Michael W. Lucas
mwlu...@blackhelicopters.org
http://www.MichaelWLucas.com/
Latest book: Cisco Routers for the Desperate, 2nd Edition
http://www.CiscoRoutersForTheDesperate.com/
Re: reporting a bug in ports/net/flow-tools?
On 2010-04-27, Michael W. Lucas wrote:
> Sendbug doesn't seem to have a "ports" option, and my bug report
> doesn't have a single recommended solution in any case, so I'm asking
> here.

po...@openbsd.org or the maintainer are generally your preferred options.

> The flow-log2rrd, flow-rpt2rrd, and flow-rptfmt programs in flow-tools
> each start with the line:

How are you finding this out? flow-log2rrd and flow-rpt2rrd do not make it into the package. flow-rptfmt is correctly patched to use the system python, see the port Makefile.

> I could argue that these should start with any of the following:
>
> #!/usr/bin/env python2.5
> #!/usr/local/bin/python2.5
> (repeat for python 2.4 and 2.6)
>
> So, what is the OpenBSD-style resolution for this sort of thing?

$ head -1 /usr/local/bin/flow-rptfmt
#!/usr/local/bin/python2.5

> Out of curiosity, is there any interest in a port of the new
> flow-tools fork? It fixes many corruption bugs on 64-bit systems.

URL?
Re: reporting a bug in ports/net/flow-tools?
On Tue, Apr 27, 2010 at 9:36 AM, Antti Harri wrote:
> You should symlink one of the pythonX.Y binaries to 'python',
> as post install message for python packages suggest.

Regardless of the symlink issue (which should be done anyways, IMO), /bin/env doesn't exist in the default OpenBSD install. The port should use /usr/bin/env.
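A check for the failure discussed in this thread, added here as an example and not part of any message or of the flow-tools port: it reads a script's interpreter line, verifies that the interpreter path exists on the running host (so `#!/bin/env` is flagged where env lives only in /usr/bin), and, when the interpreter is env(1), also verifies that the program it names resolves in PATH (so a bare `python` with no such command is flagged too). The scan directory defaults to /usr/local/bin; the function and exit-code scheme are this example's own.

```shell
#!/bin/sh
# check_shebang FILE
# Exit codes: 0 interpreter line resolves on this host
#             1 interpreter path does not exist or is not executable
#             2 interpreter is env(1) but the named program is not in PATH
#             3 the file has no interpreter line at all
check_shebang() {
    file=$1
    line=$(head -n 1 "$file")
    case $line in
        '#!'*) ;;
        *) return 3 ;;
    esac
    # Drop the "#!" and split what remains into interpreter and first argument.
    rest=${line#\#!}
    set -- $rest
    interp=$1
    arg=$2
    if [ ! -x "$interp" ]; then
        echo "$file: interpreter '$interp' not found on this host" >&2
        return 1
    fi
    # "#!/usr/bin/env python" only works if "python" is actually in PATH.
    if [ "$(basename "$interp")" = env ] && [ -n "$arg" ]; then
        if ! command -v "$arg" >/dev/null 2>&1; then
            echo "$file: env(1) cannot find '$arg' in PATH" >&2
            return 2
        fi
    fi
    return 0
}

# scan_shebangs [DIR]: check every regular file in DIR (default /usr/local/bin);
# returns 1 if any script would fail to start, 0 if all resolve.
scan_shebangs() {
    dir=${1:-/usr/local/bin}
    status=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        check_shebang "$f" || status=1
    done
    return $status
}
```

Run `scan_shebangs` after installing a package to catch a shipped script whose interpreter line will never execute, before a cron job or report pipeline finds it for you.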
Re: reporting a bug in ports/net/flow-tools?
On 2010-04-27, Antti Harri wrote:
>
> You should symlink one of the pythonX.Y binaries to 'python',
> as post install message for python packages suggest.
>

If you see something from packages which needs this, please let ports@ or the maintainer know, this is a bug.
Re: reporting a bug in ports/net/flow-tools?
Michael W. Lucas:
> Sendbug doesn't seem to have a "ports" option, and my bug report
> doesn't have a single recommended solution in any case, so I'm asking
> here.
>
> The flow-log2rrd, flow-rpt2rrd, and flow-rptfmt programs in flow-tools
> each start with the line:
>
> #!/bin/env python
>
> This won't work on OpenBSD. OpenBSD's env is in /usr/bin, and python
> is installed (at least on my system) as /usr/local/bin/python2.5.
> There is no generic "python" command. These programs will run under
> any of the 3 python ports.

The python packages tell you to make symbolic links when you install them. Not sure about ports though.

> I could argue that these should start with any of the following:
>
> #!/usr/bin/env python2.5
> #!/usr/local/bin/python2.5
> (repeat for python 2.4 and 2.6)
>
> So, what is the OpenBSD-style resolution for this sort of thing?
>
> I don't care what the solution is, I just want flow-tools to work out
> of the box.
>
> Out of curiosity, is there any interest in a port of the new
> flow-tools fork? It fixes many corruption bugs on 64-bit systems.

Stas
Re: reporting a bug in ports/net/flow-tools?
On Tue, 27 Apr 2010, Michael W. Lucas wrote:
> Hi,
>
> Sendbug doesn't seem to have a "ports" option, and my bug report
> doesn't have a single recommended solution in any case, so I'm asking
> here.
>
> The flow-log2rrd, flow-rpt2rrd, and flow-rptfmt programs in flow-tools
> each start with the line:
>
> #!/bin/env python
>
> This won't work on OpenBSD. OpenBSD's env is in /usr/bin, and python
> is installed (at least on my system) as /usr/local/bin/python2.5.
> There is no generic "python" command. These programs will run under
> any of the 3 python ports.
>
> I could argue that these should start with any of the following:
>
> #!/usr/bin/env python2.5
> #!/usr/local/bin/python2.5
> (repeat for python 2.4 and 2.6)
>
> So, what is the OpenBSD-style resolution for this sort of thing?
>
> I don't care what the solution is, I just want flow-tools to work out
> of the box.
>
> Out of curiosity, is there any interest in a port of the new
> flow-tools fork? It fixes many corruption bugs on 64-bit systems.
>
> Thanks,

You should symlink one of the pythonX.Y binaries to 'python', as post install message for python packages suggest.

--
Antti Harri
reporting a bug in ports/net/flow-tools?
Hi,

Sendbug doesn't seem to have a "ports" option, and my bug report doesn't have a single recommended solution in any case, so I'm asking here.

The flow-log2rrd, flow-rpt2rrd, and flow-rptfmt programs in flow-tools each start with the line:

#!/bin/env python

This won't work on OpenBSD. OpenBSD's env is in /usr/bin, and python is installed (at least on my system) as /usr/local/bin/python2.5. There is no generic "python" command. These programs will run under any of the 3 python ports.

I could argue that these should start with any of the following:

#!/usr/bin/env python2.5
#!/usr/local/bin/python2.5
(repeat for python 2.4 and 2.6)

So, what is the OpenBSD-style resolution for this sort of thing?

I don't care what the solution is, I just want flow-tools to work out of the box.

Out of curiosity, is there any interest in a port of the new flow-tools fork? It fixes many corruption bugs on 64-bit systems.

Thanks,
==ml

--
Michael W. Lucas mwlu...@blackhelicopters.org http://www.MichaelWLucas.com/
Latest book: Cisco Routers for the Desperate, 2nd Edition http://www.CiscoRoutersForTheDesperate.com/