[Nfsen-discuss] [PATCH] Can't use string ("live") as a HASH ref while "strict refs" in use at libexec/NfProfile.pm line 1238.

2017-05-21 Thread Brian Candler
nfsen 1.3.8 added a $socket argument to DoRebuild (here compared to 1.3.6p1): sub DoRebuild { + my $socket = shift; my $profileinfo = shift; However, install.pl calls it without the extra argument: NfProfile::DoRebuild(\%profileinfo, $profile

Re: [Nfsen-discuss] Starting with nfsen/nfdump

2017-06-06 Thread Brian Candler
On 06/06/2017 13:25, nfsen-discuss-requ...@lists.sourceforge.net wrote: At this point, I got some divergence of data comparing Cacti/nfsen/nfdump, e.g: timeslot Jun 02 2017 - 11:55 - Jun 02 2017 - 15:50 cacti: 650G nfsen: 617G nfdump: 575G nfsen just runs nfdump to show and aggregate flows. In

Re: [Nfsen-discuss] Error generating details graph: garbage in RPN

2017-11-07 Thread Brian Candler
I saw the same issue when building new nfsen boxes on 16.04: https://sourceforge.net/p/nfsen/mailman/message/35850749/ Previous sources entries which had worked like 'ix-rtr1'   => { 'port' => '9001', 'col' => '#00ff00' }, had to be changed to 'ix_rtr1'   => { 'port' => '9001', 'col'

Re: [Nfsen-discuss] nfsen problem with Fortigate.

2017-12-13 Thread Brian Candler
On 13/12/2017 08:36, nfsen-discuss-requ...@lists.sourceforge.net wrote: nfsen problem with Fortigate. When I check with tcpdump I got the following lines streaming Can you try with wireshark (tshark) as well: # tshark -i eth0 -nnV -s0 -d udp.port==9995,cflow udp port 9995 Initially you sho

Re: [Nfsen-discuss] nfsen problem with Fortigate.

2017-12-13 Thread Brian Candler
On 13/12/2017 09:39, Brian Candler wrote: Look in your firewall settings to see if there is one to change the template sending interval, and crank it down to 5 minutes. You can find the settings here: it's "template-tx-timeout" you're looking for. https://github.com/ph

Re: [Nfsen-discuss] Nfsen giving huge values to Fortigate flows

2017-12-18 Thread Brian Candler
My conclusion is that I've set up netflow on my Fortigate incorrectly, can anyone advise me as to how I should have it set? No, there is a known problem with processing flows from Fortigate.  If you want to help debug it, please head over to https://github.com/phaag/nfdump/issues/77 or https:

Re: [Nfsen-discuss] nfsen/ --commit-profile fails

2017-12-27 Thread Brian Candler
Please send your mail again without HTML.  All that came through was: Date: Sun, 24 Dec 2017 16:14:58 +0100 (CET) From: Thomas Rottig To:nfsen-discuss@lists.sourceforge.net Subject: [Nfsen-discuss] nfsen/ --commit-profile fails Message-ID:<1713045567.45617.1514128498...@email.1und1.de> Content-Ty

Re: [Nfsen-discuss] Current Version Download Location?

2018-02-23 Thread Brian Candler
Click on the "releases" label in github, it will take you to: https://github.com/phaag/nfdump/releases

Re: [Nfsen-discuss] Problem creating the Details graphs

2018-04-05 Thread Brian Candler
nfsen no longer works with hostnames with dashes in them (rrdtool thinks you are trying to subtract things).  You need to use underscores in your %sources.  Beware you'll probably need to rename some files and directories for your existing data and rrd graphs. Regards, Brian.

Re: [Nfsen-discuss] How to do nat search

2018-05-22 Thread Brian Candler
> I'm trying to figure out how to use NFSen for NAT purposes 1. What type of device is generating the netflow records? 2. What *interface* on that device is generating the netflow records? If this is a Cisco router (and this router is doing NAT): modern versions of IOS can be configured to coll

Re: [Nfsen-discuss] How to do nat search

2018-05-22 Thread Brian Candler
On 22/05/2018 17:31, Simon Mousey Smith wrote: The equipment is a Mikrotik router I have set the interfaces to use ONLY my internal bridge port and the clans that I require But the NFsen is STILL show 2 separate things 2018-05-22 17:19:54.880 0.000 TCP 192.168.88.100:58348

Re: [Nfsen-discuss] How to do nat search

2018-05-22 Thread Brian Candler
On 22/05/2018 18:09, nfsen-discuss-requ...@lists.sourceforge.net wrote: Date first seen Event XEvent Proto Src IP Addr:Port Dst IP Addr:Port X-Src IP Addr:Port X-Dst IP Addr:Port In Byte Out Byte 2018-05-22 07:59:43.260 INVALID Ignore TCP 192.168.68.15:56509 -> 199.16.156.52:443 0.0.0.0:0 -> 0.

Re: [Nfsen-discuss] How to do nat search

2018-05-22 Thread Brian Candler
I have tested with nfdump from git head, built with "./configure --enable-nfprofile --enable-nftrack --enable-nsel", and it all looks correct to me (see example below). I don't get the "0.0.0.0" entries that you got. Make sure you did "make install" and updated all the binaries, both nfdump a

Re: [Nfsen-discuss] How to do nat search

2018-05-23 Thread Brian Candler
On 23/05/2018 09:59, Simon Mousey Smith wrote: Left nfsen running overnight and came into the office this morning, checked nfsen and we now have more data which looks about right :D 2018-05-23 09:44:33.860 INVALID Ignore TCP 192.168.48.130:60842 -> 3

Re: [Nfsen-discuss] custom output format in nfsen 1.3.8

2018-09-18 Thread Brian Candler
On 18/09/2018 13:09, nfsen-discuss-requ...@lists.sourceforge.net wrote: I am just wondering how to use the "custom output format" if I want to display the "nel" format for instance. Any tip for me? Have you tried "man nfdump"? There you will find:    -o format   Selects the output

Re: [Nfsen-discuss] custom output format in nfsen 1.3.8

2018-09-19 Thread Brian Candler
On 19/09/2018 13:09, nfsen-discuss-requ...@lists.sourceforge.net wrote: The command line is not the problem. There is everything as expected. My problem is with the webinterface under the details tab. Ah right. When I try to list flows with custom output, I get this nice error message:

Re: [Nfsen-discuss] custom output format in nfsen 1.3.8

2018-09-19 Thread Brian Candler
On 19/09/2018 20:23, nfsen-discuss-requ...@lists.sourceforge.net wrote: You have to choose "List flows", not "Stat TopN"! Then you get a dropdown menu for output and you can select "custom ..." Ah, gotcha.  Yep, it looks pretty broken. I can enter a format like "%ts %pr", then click the disk

Re: [Nfsen-discuss] aggregated graph from multiple profiles ?

2018-09-28 Thread Brian Candler
On 28/09/2018 13:07, nfsen-discuss-requ...@lists.sourceforge.net wrote: lets suppose I have four profiles using following filters: udp and dst net 1.1.1.0/24 udp and dst net 1.1.2.0/24 udp and dst net 1.1.3.0/24 udp and dst net 1.1.4.0/24 I would like to display the summarization of the four pr

Re: [Nfsen-discuss] NFSen problems, outdated dependencies, possible memory leak (at least on FreeBSD).

2018-11-14 Thread Brian Candler
nfsen is pretty much unmaintained.  I have several local patches that I use to get it to work under Ubuntu.  Unfortunately there's no tracker to submit them to.

Re: [Nfsen-discuss] NFSen problems, outdated dependencies, possible memory leak (at least on FreeBSD).

2018-11-14 Thread Brian Candler
On 14/11/2018 15:00, i...@maximka.de wrote: I put nfsen code unofficially on github[1] and tried to notify the author[2]. If you discover some new issues, you could add them to the unofficial repository tracker[3]. Three PRs sent. Cheers, Brian.

Re: [Nfsen-discuss] NfSen hack-a-thon

2019-09-16 Thread Brian Candler
On 13/09/2019 12:20, nfsen-discuss-requ...@lists.sourceforge.net wrote: * Something other than PHP :-) I also dislike PHP and deem it as the BASIC of our times. And nfsen uses perl for its backend - possibly the FORTRAN of our times?? Another idea: adding to nfdump the abi

Re: [Nfsen-discuss] NfSen hack-a-thon

2019-09-16 Thread Brian Candler
On 16/09/2019 12:51, Adrian Popa wrote: The backend plugins work like that. Your plugin is called with the last 5 minute's worth of data pushed to it and you can manage/export it as you wish. The only requirement is to finish processing before the 5 minute mark, otherwise you'll have a positive

Re: [Nfsen-discuss] Understanding statistics summary chart.

2019-10-09 Thread Brian Candler
On 09/10/2019 13:41, nfsen-discuss-requ...@lists.sourceforge.net wrote: Hi guys, I'm trying to understand why can not match values displayed at traffic->all column with y axis value. As shown on image below: nfsen.png

Re: [Nfsen-discuss] Unknown flow source error

2020-09-11 Thread Brian Candler
After installing nfsen in my ubuntu 18.04 when I run "service nfsen status" nfsen is active and running but I get error "Unknown flow source x.x.x.x" and .skip UDP packet so far 326 packets. Where exactly do you see this error? Are you looking at nfcapd logs, or somewhere else? nfsen does

Re: [Nfsen-discuss] Unknown flow source error

2020-09-11 Thread Brian Candler
On 11/09/2020 14:42, cosmas charles wrote: sudo tcpdump -i enp38s0 port 9996 [sudo] password for coselem: tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on enp38s0, link-type EN10MB (Ethernet), capture size 262144 bytes 16:31:03.113980 IP 172.16.x.x.49955 >

Re: [Nfsen-discuss] NFSen Timeslot

2021-03-08 Thread Brian Candler
On 08/03/2021 14:18, nfsen-discuss-requ...@lists.sourceforge.net wrote: Did a new install of NFSen & NFDump. On the new install it do not allow me to select a time on the graph or specify a time window. Any ideas what could cause this ? Do you have javascript disabled? Does the time bar actu

Re: [Nfsen-discuss] NFSen Timeslot

2021-03-09 Thread Brian Candler
On 09/03/2021 06:48, Pieter Bezuidenhout (P) wrote: There is no arrow to move  with either Time Window or Timeslot. One can also not change the tstart/tend values on the right 1. In Network view in developer console, are there any 4xx or 5xx errors from page fetches? I see all status 200, most

Re: [Nfsen-discuss] [ask] report with asn number

2021-05-02 Thread Brian Candler
the problem is when i collect data and show it.. seems the AS number is always empty or 0. any solution? or am i missing something . appreciate your help The ASN is a field within the flow record, and nfcapd just stores whatever the router exports.  This means that your router needs to be r

Re: [Nfsen-discuss] [ask] report with asn number

2021-05-02 Thread Brian Candler
On 02/05/2021 14:04, hendranata saputra wrote: I am using mikrotik router. Can u show me which configuration needs to be changed in order to be able to export asn number?. Does your Mikrotik router receive a full BGP table (~ 800,000 routes) from your upstream ISP?  If not, then it's not even w

Re: [Nfsen-discuss] [ask] report with asn number

2021-05-02 Thread Brian Candler
On 02/05/2021 14:39, hendranata saputra wrote: Yes our bgp is established and got prefix around 800k. So what next? I can see from nfdump there is no AS information. Am I missing something? It looks like Mikrotik doesn't implement this. See: https://forum.mikrotik.com/viewtopic.php?t=92861 https

Re: [Nfsen-discuss] [ask] report with asn number

2021-05-03 Thread Brian Candler
On 03/05/2021 01:45, hendranata yahoo wrote: i can see that nfcapd can run with nfasnupd to fill the empty AS number https://metacpan.org/pod/Net::NfDump in this case i am using nfcapd -x "nfasnupd %d/%f" full example: /opt/nfdump/bin/nfcapd -w -D -p 9997 -u netflow -g apache -B 20 -S 1

Re: [Nfsen-discuss] [ask] report with asn number

2021-05-03 Thread Brian Candler
On 03/05/2021 09:00, hendranata yahoo wrote: okay thanks for your idea. what is the latest stable version of nfsen? The latest stable version is whatever tarball is published on sourceforge (1.3.8) - which is over 4 years old.  There is no public of

Re: [Nfsen-discuss] [ask] report with asn number

2021-05-03 Thread Brian Candler
On 03/05/2021 09:36, hendranata yahoo wrote: i have tried your method and yes it is running okay.. but it seems only working in the LIVE profile. when i create a new profile.. it show empty graph even with filter any. when i check the service, it seems they running twice.. [root@netflow etc]#

Re: [Nfsen-discuss] nfcapd files > 2 GByte & nfdump

2021-08-09 Thread Brian Candler
I have here nfcapd files bigger than two gigabytes. Looks like nfdump is not able to process them. Am I right? It is plausible, given that 2 GB = 2^31, so you may be hitting some 32-bit limitation somewhere. * What version of nfdump/nfcapd are you using? * What operating system are you runn

Re: [Nfsen-discuss] nfcapd files > 2 GByte & nfdump

2021-08-10 Thread Brian Candler
On 10/08/2021 14:30, nfsen-discuss-requ...@lists.sourceforge.net wrote: Particularly I try to look at top talkers of these files, especially in the "inet6" domain: -rw-r--r--. 1 apache apache 3,5G 9. Aug 08:00 /usr/local/nfsen/profiles-data/live/ixia-poc/2021/08/09/nfcapd.202108090755 -rw-r--r

Re: [Nfsen-discuss] sflow from Arista Switch

2021-08-17 Thread Brian Candler
> Can you run a TCPDUMP session to verify the switch is sending packets? Also: if UDP packets are arriving, then try tshark.  It's able to do detailed decoding of netflow packets, but I don't know about sflow.

Re: [Nfsen-discuss] [ask] report with asn number

2021-08-18 Thread Brian Candler
On 18/08/2021 09:45, Peter Haag wrote: nfsen is *very* old code, and actually I wanted to rewrite a new version, which got delayed and finally aborted for a number of reasons. I could consider to give it a go again, but I am still uncertain if it would still be used these days. Feedback would b

Re: [Nfsen-discuss] [ask] report with asn number

2021-08-18 Thread Brian Candler
On 19/08/2021 07:35, Alfredo Sola wrote: Perhaps this chap has a fair idea of what the GUI could look like, although the backend (at least the last time I checked it out) is hacky: https://github.com/mbolli/nfsen-ng In my opinion, that UI is terrible.  I tr

Re: [Nfsen-discuss] [ask] report with asn number

2021-08-28 Thread Brian Candler
On 25/08/2021 09:44, Peter Haag wrote: On 18.08.21 11:49, Brian Candler wrote: On 18/08/2021 09:45, Peter Haag wrote: nfsen is *very* old code, and actually I wanted to rewrite a new version, which got delayed and finally aborted for a number of reasons. I could consider to give it a go again

Re: [Nfsen-discuss] exporting as fields.

2021-10-01 Thread Brian Candler
On 01/10/2021 13:53, nfsen-discuss-requ...@lists.sourceforge.net wrote: I already have a mikrotik => nfsen pair and can not see the asn field either. Mikrotik doesn't export AS number information, even if you have a full BGP table.  Looks like the same may be true of Huawei too. https://foru

Re: [Nfsen-discuss] unable to decode ipv6 address

2022-10-24 Thread Brian Candler
> I see this when trying to view source ip What version of nfsen? And have you applied any patches to it? nfsen is unmaintained, and I find needs quite a few patches to keep it going.  There's a repo here with the patches applied: https://github.com/nsrc-org/nfsen You can look at the commit

Re: [Nfsen-discuss] from github - NOTE: *nfsen is no longer, under development*

2023-01-21 Thread Brian Candler
On 21/01/2023 13:05, nfsen-discuss-requ...@lists.sourceforge.net wrote: if nfsen is no longer under development what is the next best thing for visualizing nfdump/sfdump data? FWIW, I am still using and installing nfsen. It works nicely for relatively small networks; a single virtual se

Re: [Nfsen-discuss] nfcapd collector issue

2023-02-16 Thread Brian Candler
On 16/02/2023 12:45, nfsen-discuss-requ...@lists.sourceforge.net wrote: I have a fresh install from scratch, with nfdump 1.7.1 and nfsen 1.3.8, but when nfsen starts, nfcapd gives an error. *Syslog report*: Feb 15 09:59:41 nfsen[50860]: Starting nfcapd:(ccr1036cs ccr1036np)path does not exist: -

Re: [Nfsen-discuss] PortTracker Error reading stat.

2023-02-17 Thread Brian Candler
On 17/02/2023 12:45, nfsen-discuss-requ...@lists.sourceforge.net wrote: [image: image.png] Your image was stripped from the digest and from the mailing list archives, so is not visible. Please copy-paste the error message as text. In PortTracker.pm there will be a line like this: my $PORTSD

Re: [Nfsen-discuss] PortTracker Error reading stat.

2023-03-06 Thread Brian Candler
Update: I have tested this, and indeed it looks like port-tracker doesn't work with nfsen 1.3.9 / nfdump 1.7.1 out-of-the-box. I don't know what your system shows, but I get these in syslog: Mar  6 16:50:15 noc nfsen[15762]: /usr/local/bin/nftrack -L local3 -M /var/nfsen/profiles-data/live/b

Re: [Nfsen-discuss] PortTracker Error reading stat.

2023-03-06 Thread Brian Candler
FYI, problem now fixed in nfdump master: https://github.com/phaag/nfdump/issues/432

Re: [Nfsen-discuss] Questions on nfsen automation

2023-04-17 Thread Brian Candler
On 17/04/2023 13:38, Nikolaos Milas wrote: I know that nfsen includes features for alerts but I was wondering whether there have been implementations that integrate nfsen with Splunk or Elastic / ELK Stack and/or guidelines to follow with such implementation. I think there are two possible and

Re: [Nfsen-discuss] Questions on nfsen automation

2023-04-18 Thread Brian Candler
On 18/04/2023 12:54, MAYER Hans wrote: If you are already using elasticsearch I would use elastiflow https://docs.elastiflow.com/docs/flowcoll/introduction/ There is also a flow collector available from elasticsearch and part of the ELK package but the one from elastiflow is the better one. El

Re: [Nfsen-discuss] Questions on nfsen automation

2023-04-18 Thread Brian Candler
On 18/04/2023 14:20, Borja Marcos wrote: A bit overkill, but if you just want to decode Netflow/IPfix to inject it to Elasticsearch you can use Graylog. It's cool that Graylog now has IPFIX decoder built in: thanks for pointing that out. But Graylog isn't open source either: since Nov 2020

Re: [Nfsen-discuss] Questions on nfsen automation

2023-04-20 Thread Brian Candler
On 20/04/2023 13:36, Nikolaos Milas wrote: I was wondering whether nfcapd 1.7 (from nfdump project) coupled with nfinflux (https://github.com/phaag/nfinflux/blob/master/README.md) would be a workable scenario. Splunk / Elastic would then be able to read data directly from an InfluxDB? As far

Re: [Nfsen-discuss] Questions on nfsen automation

2023-04-21 Thread Brian Candler
On 21/04/2023 13:38, nfsen-discuss-requ...@lists.sourceforge.net wrote: Actually, our (non-profit) org has received a (limited) grant Ah, I didn't realise that. If you're a non-profit, then you can also get a free license for ntop-ng and nprobe: https://www.ntop.org/support/faq/do-you-charge