I've been using nfcapd for NetFlow ingest. The command that is being
used on the "relay" system is this:
/usr/local/bin/nfcapd -p 9995 -b xxx.yyy.zzz.230 -R 192.168.1.42/9995 -B 100000 -l /netflow/ext -w
My understanding was that the path /netflow/ext (in my case above) was
used as a transient buffer, and that the files would be deleted once
they were successfully passed to the remote (192.168.1.42 in my case).
The files/flows ARE being received by 192.168.1.42, and imported into
Hive/HBase. But the files on the intermediate machine all pile up and
have to be deleted manually.
Have I misconfigured something, or is this the expected behavior?
Thanks,
Terry
--
Terry Healy
Cyber Security Operations
Brookhaven National Laboratory
Building 515, Upton N.Y. 11973