fprobe only seems to capture one-way

2012-11-06
2013-04-22
  • Running fprobe-1.1, feeding nfsen 1.3.6 using nfdump 1.6.6 on CentOS-5.  The data is being collected on a port-mirrored port from a HP-5412zl switch.  The mirrored port is the LAN side of my firewall.

    My issue is that nfsen is only showing traffic which flows in one direction (from the internet into my LAN).  However if I do a tcpdump on the eth that fprobe is listening to, it sees all traffic (inbound and outbound).

    I saw this issue once before.  I had a 3Com 4900 which had a port with multiple VLANs sent to a port-mirror.  Fprobe correctly collected all traffic in both directions from all VLANs involved.  When that switch was replaced with a Dell 3448, I only saw a single direction (I believe it was inbound) collected.  I got around this issue by defining VLAN interfaces and attaching individual fprobe processes to each VLAN interface.

    However in this case I'm not VLAN'd on this port at all.  So I don't understand what is going wrong.

    Does anyone have any idea why my flows are not being collected in both directions?

  • Hi,
    It's really strange because fprobe in theory should see the same packets as tcpdump. Please show the command line for fprobe and tcpdump. Can you provide part of the real traffic in pcap format captured by 'tcpdump -w'?

  • It is weirder than that.

    If I use tcpdump dst net foo and not src net foo, I see the inbound traffic.

    If I use tcpdump src net foo and not dst net foo, I see (almost) nothing.

    If I use tcpdump vlan and src net foo and not dst net foo, I see the traffic I am expecting.

    So my work-around has been to have two fprobe instances on the same interface:

    /usr/local/sbin/fprobe -fvlan -K18 -i eth1 -e 120 -q 10240 $TARGET:9999
    /usr/local/sbin/fprobe -fip -i eth1 -e 120 -q 10240 $TARGET:9998

    …and further refine those with the usual local nfsen filters (src net foo and not dst net foo) and (dst net foo and not src net foo) and I see what I want.

    I don't understand A) why the traffic shows up if I say "tcpdump" but not if I specify filters; or B) why I have to specify VLAN tagging for half my traffic.

    Like I said, weird.

    I'll see about a tcpdump capture for you.
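The behaviour in the previous two posts is consistent with one direction of the mirrored traffic arriving 802.1Q-tagged: a BPF filter such as "src net foo" written without the "vlan" keyword tests the EtherType at offset 12 for IPv4, and a tagged frame has 0x8100 there with the IP header pushed four bytes further along, so those frames match neither "src net foo" nor an fprobe started with "-fip". The following Python script is an added diagnostic, not code from this thread or from fprobe/nfdump. It builds a handful of constructed Ethernet frames (no live capture; a real pcap would be parsed the same way once the link-layer bytes are in hand), records whether each is tagged, and counts frames per direction relative to an assumed local network. The prefix 192.0.2.0/24 stands in for "net foo", 198.51.100.7 is an assumed remote host, and VLAN ID 18 is an arbitrary choice; all of these are assumptions, not values from the thread.

```python
import struct
import ipaddress

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100  # 802.1Q tag; the IPv4 EtherType then follows 4 bytes later

# Assumed local network standing in for "net foo" in the thread's filters.
LOCAL_NET = "192.0.2.0/24"


def build_frame(src_ip, dst_ip, vlan_id=None):
    """Build a constructed Ethernet + minimal IPv4 header (no payload)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # dst MAC, src MAC (made up)
    if vlan_id is not None:
        # 802.1Q: TPID 0x8100, then TCI with the 12-bit VLAN ID (PCP/DEI left at 0)
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    # version/IHL, TOS, total length, ID, flags/frag, TTL, protocol (TCP), checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip


def parse_frame(frame):
    """Return (vlan_id or None, src IPv4Address, dst IPv4Address), or None if not IPv4."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    ip_offset = 14
    vlan_id = None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan_id = tci & 0x0FFF
        ip_offset = 18  # the 4-byte tag is exactly what untagged BPF offsets do not account for
    if ethertype != ETHERTYPE_IPV4:
        return None
    src = ipaddress.IPv4Address(frame[ip_offset + 12:ip_offset + 16])
    dst = ipaddress.IPv4Address(frame[ip_offset + 16:ip_offset + 20])
    return vlan_id, src, dst


def summarize(frames, local_net):
    """Count frames keyed by (direction, 'tagged'|'untagged') relative to local_net."""
    net = ipaddress.ip_network(local_net)
    summary = {}
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        vlan_id, src, dst = parsed
        if src in net and dst not in net:
            direction = "outbound"   # matches 'src net foo and not dst net foo'
        elif dst in net and src not in net:
            direction = "inbound"    # matches 'dst net foo and not src net foo'
        else:
            direction = "other"
        key = (direction, "tagged" if vlan_id is not None else "untagged")
        summary[key] = summary.get(key, 0) + 1
    return summary


def diagnose(summary):
    """Directions seen only as tagged frames: invisible to plain 'src net'/'dst net' and to fprobe -fip."""
    return sorted(d for d in ("inbound", "outbound")
                  if summary.get((d, "tagged"), 0) > 0 and summary.get((d, "untagged"), 0) == 0)


# Constructed sample: inbound frames arrive untagged, outbound frames arrive with VLAN tag 18.
SAMPLE_FRAMES = [
    build_frame("198.51.100.7", "192.0.2.10"),
    build_frame("198.51.100.7", "192.0.2.10"),
    build_frame("198.51.100.7", "192.0.2.10"),
    build_frame("192.0.2.10", "198.51.100.7", vlan_id=18),
    build_frame("192.0.2.10", "198.51.100.7", vlan_id=18),
]

if __name__ == "__main__":
    s = summarize(SAMPLE_FRAMES, LOCAL_NET)
    for key in sorted(s):
        print(f"{key[0]:>8} {key[1]:>9}: {s[key]}")
    for direction in diagnose(s):
        print(f"{direction} traffic is tagged only: filter it with 'vlan and ...' (fprobe -fvlan)")
```

Run against the constructed frames it reports three untagged inbound and two tagged outbound frames and flags "outbound" as tagged-only, which is the situation the two-instance work-around (one fprobe with -fvlan, one with -fip) addresses. On a real mirror port, replacing SAMPLE_FRAMES with the link-layer bytes of each packet from a capture taken without any filter gives the same per-direction breakdown, so you can confirm whether the switch is tagging one direction before tuning filters.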