Re: [Nfdump-discuss] Multiple sources for nfsen and nfdump questions
netflow collecting and processing tools
From: Peter H. <ha...@sw...> - 2006-02-15 12:09:03
Hi Chelo,

--On February 15, 2006 12:40:17 +0100 Chelo Malagon <che...@re...> wrote:

| Hello all,
| I have two questions for the list.
| We have been thinking of putting nfsen+nfdump into production in our network
| (RedIRIS, Spanish Research and academic network). We are talking
| about feeding nfsen with 31 sources (all the routers in our
| backbone). Has anybody experience working with this high
| number of sources in nfsen? Till now, I have been testing nfsen with
| a few sources (two or three).

I think Maurizio Molina from Dante did some tests with more than 20 sources. In theory there is (should be) no limitation in NfSen, other than the system resources. My own tests are limited to 7 sources.

| Another two questions are related to nfdump. The first one is: is it
| possible to use flow-capture format files together with nfsen (I
| think the flow-export utility in the flow-tools suite allows exporting flows to
| the nfdump format).

nfdump has a fast converter 'ft2nfdump' which reads flow-tools format files. See the man page for ft2nfdump as well as the nfdump README file. Note: this is a command line binary and not integrated into NfSen. NfSen requires native nfdump files.

| The other is, as our network is already configured, all
| the routers (the 31 mentioned above) send flows to the
| flow machine at the same UDP port. As far as I know one
| nfcapd process is needed for each netflow stream, so I presume if I
| have just one nfcapd process listening on that port nfsen is not
| going to work properly, right? And the only solution could be to
| process what arrives at that single UDP port with the flow-fanout tool,
| splitting the flows according to the src router and sending each
| flow to one local UDP port, having an nfcapd process listening on each
| port as usual. Any other solution?

This may be solved in a next version of nfdump (not yet 1.5).
As of today each source sends flows to a dedicated port to prevent socket buffer bottlenecks in the collecting system OS. However, there is nothing which prevents you from sending flows to a single port. As of today nfcapd is not able to separate the various sources. It will further complain in the syslog file due to mismatching sequence numbers, but will store the flows as expected. You will see a single source only.

| Thanks in advance
| Chelo

--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Limmatquai 138, CH-8001 Zurich, Switzerland
E-mail: pet...@sw... Web: http://www.switch.ch/
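The two points raised in this exchange, splitting a shared collector port by source router so that one nfcapd can listen per router, and the sequence-number complaints a single collector produces when it cannot tell exporters apart, can be shown with a small UDP fan-out. The following is an added example written for this page; it is not code from nfdump, nfsen or flow-tools, and a production setup would use the flow-fanout tool the thread mentions or one nfcapd port per router. The exporter addresses, port numbers and datagrams are constructed; the only real structure it relies on is the documented 24-byte NetFlow v5 header, whose flow_sequence field counts flows rather than packets.

```python
"""
UDP fan-out for NetFlow v5 exporters that all send to one collector port.

Added example, not part of nfdump or flow-tools. It models the setup from the
thread: many routers exporting to a single UDP port, with the flows split by
source router onto one local port per router so that one nfcapd can listen on
each. Port numbers, exporter addresses and the datagrams are constructed
(assumptions); the 24-byte v5 header layout is the documented one.
"""
import socket
import struct
from collections import namedtuple

# NetFlow v5 header: version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval (network byte order).
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD_LEN = 48  # each v5 flow record is 48 bytes

V5Header = namedtuple(
    "V5Header",
    "version count sys_uptime unix_secs unix_nsecs flow_sequence "
    "engine_type engine_id sampling_interval",
)


def parse_v5_header(datagram):
    """Validate and decode a v5 header; reject anything that is not well-formed."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    hdr = V5Header(*V5_HEADER.unpack_from(datagram))
    if hdr.version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % hdr.version)
    if hdr.count == 0 or hdr.count > 30:  # v5 packets carry at most 30 records
        raise ValueError("implausible record count %d" % hdr.count)
    if len(datagram) < V5_HEADER.size + hdr.count * V5_RECORD_LEN:
        raise ValueError("datagram truncated: fewer bytes than count promises")
    return hdr


def make_v5_datagram(count, flow_sequence, engine_id=0):
    """Build a constructed v5 datagram with `count` zeroed records (test input only)."""
    header = V5_HEADER.pack(5, count, 0, 0, 0, flow_sequence, 0, engine_id, 0)
    return header + b"\x00" * (count * V5_RECORD_LEN)


class Fanout:
    """Route each exporter to its own local port and track flow_sequence per exporter.

    With separate_sources=False the sequence check behaves like one collector
    that cannot tell the exporters apart: every interleaved packet then looks
    like a sequence gap, which is the syslog complaint described in the thread.
    """

    def __init__(self, base_port, separate_sources=True):
        self.base_port = base_port
        self.separate_sources = separate_sources
        self.port_by_exporter = {}
        self.next_sequence = {}
        self.gaps = []  # (exporter, expected sequence, sequence seen)

    def port_for(self, exporter):
        # First-come allocation: base_port, base_port+1, ... one per exporter.
        if exporter not in self.port_by_exporter:
            self.port_by_exporter[exporter] = self.base_port + len(self.port_by_exporter)
        return self.port_by_exporter[exporter]

    def route(self, exporter, datagram):
        hdr = parse_v5_header(datagram)
        key = (exporter, hdr.engine_id) if self.separate_sources else "shared"
        expected = self.next_sequence.get(key)
        if expected is not None and hdr.flow_sequence != expected:
            self.gaps.append((exporter, expected, hdr.flow_sequence))
        # v5 flow_sequence counts flows, so the next packet starts at seq + count.
        self.next_sequence[key] = (hdr.flow_sequence + hdr.count) & 0xFFFFFFFF
        return self.port_for(exporter)


# Constructed traffic: two routers interleaved on the same collector port.
SAMPLE_DATAGRAMS = [
    ("10.0.0.1", make_v5_datagram(3, 0)),
    ("10.0.0.2", make_v5_datagram(1, 100)),
    ("10.0.0.1", make_v5_datagram(2, 3)),
    ("10.0.0.2", make_v5_datagram(4, 101)),
]


def serve(listen_port=2055, base_port=9000):
    """Receive on one UDP port and forward each datagram to its exporter's local port."""
    fanout = Fanout(base_port)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", listen_port))
    while True:
        datagram, (exporter, _) = sock.recvfrom(65535)
        try:
            port = fanout.route(exporter, datagram)
        except ValueError as exc:
            print("dropping datagram from %s: %s" % (exporter, exc))
            continue
        sock.sendto(datagram, ("127.0.0.1", port))


if __name__ == "__main__":
    serve()
```

Run against the constructed sample, the per-source tracker assigns 10.0.0.1 to port 9000 and 10.0.0.2 to port 9001 and records no gaps, while the same packets fed through a single shared sequence counter produce a gap on every change of exporter, which is exactly the mismatch nfcapd logs when several routers share one port. Keying the sequence state on (exporter, engine_id) matters because a router with several forwarding engines exports independent sequence spaces from the same address.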