Re: [Nfdump-discuss] nfdump on Centos 6 problem
From: Evgheni D. <Evg...@en...> - 2013-05-24 07:36:10
Hi Fabian,

I use nfdump 1.6.10 & nfsen 1.3.6-p1 on CentOS 6 minimal without any issues.
The preparation steps are:

1) yum install httpd php wget gcc make rrdtool-devel flex byacc
2) edit /etc/selinux/config, set SELINUX=disabled
3) iptables -I INPUT -p udp -m state --state NEW -m udp --dport 9995 -j ACCEPT
   (change the port to the one you need)
4) /etc/init.d/iptables save
5) chkconfig httpd on
6) Reboot the machine to disable SELinux completely.
7) Install nfdump and nfsen
8) Start nfsen, open it in a web browser

Regards,
Evgheni

From: Fabián Mejía [mailto:ing...@gm...]
Sent: 23 May 2013 18:19
To: nfd...@li...
Subject: [Nfdump-discuss] nfdump on Centos 6 problem

Hello all,

I installed nfdump-1.6.10 and nfsen-1.3.6p1 on Centos 6. I started on a minimal installation. After that, all dependencies were installed with yum from the regular Centos repository and some packages from the EPEL repository (flow-tools).

My router is sending netflow data to UDP port 9996. nfsen seems to work well, I can see graphs from the live profile but without data.

I think nfdump does not work well, because iptables and ip6tables are stopped on the server, SELinux is in disabled mode and tcpdump shows received packets, but nfdump saves empty files:

# tcpdump -i eth2 -n udp port 9996
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
15:57:28.220558 IP 10.10.0.1.60709 > 192.168.168.10.palace-5: UDP, length 72
15:57:55.213269 IP 10.10.0.1.60709 > 192.168.168.10.palace-5: UDP, length 168
15:58:22.229552 IP 10.10.0.1.60709 > 192.168.168.10.palace-5: UDP, length 168
15:58:49.207766 IP 10.10.0.1.60709 > 192.168.168.10.palace-5: UDP, length 168
15:59:16.194815 IP 10.10.0.1.60709 > 192.168.168.10.palace-5: UDP, length 120
15:59:28.197556 IP 10.10.0.1.60709 > 192.168.168.10.palace-5: UDP, length 120

# ls -al
total 96
drwxr-xr-x. 2 apache apache 4096 may 22 16:25 .
drwxrwxr-x. 3 apache apache 4096 may 22 16:25 ..
-rw-r--r--. 1 apache apache  276 may 22 14:40 nfcapd.201305221435
-rw-r--r--. 1 apache apache  276 may 22 14:45 nfcapd.201305221440
-rw-r--r--. 1 apache apache  276 may 22 14:50 nfcapd.201305221445
-rw-r--r--. 1 apache apache  276 may 22 14:55 nfcapd.201305221450
-rw-r--r--. 1 apache apache  276 may 22 15:00 nfcapd.201305221455
-rw-r--r--. 1 apache apache  276 may 22 15:05 nfcapd.201305221500
-rw-r--r--. 1 apache apache  276 may 22 15:10 nfcapd.201305221505
-rw-r--r--. 1 apache apache  276 may 22 15:15 nfcapd.201305221510
-rw-r--r--. 1 apache apache  276 may 22 15:20 nfcapd.201305221515
-rw-r--r--. 1 apache apache  276 may 22 15:25 nfcapd.201305221520
-rw-r--r--. 1 apache apache  276 may 22 15:30 nfcapd.201305221525
-rw-r--r--. 1 apache apache  276 may 22 15:35 nfcapd.201305221530
-rw-r--r--. 1 apache apache  276 may 22 15:40 nfcapd.201305221535
-rw-r--r--. 1 apache apache  276 may 22 15:45 nfcapd.201305221540
-rw-r--r--. 1 apache apache  276 may 22 15:50 nfcapd.201305221545
-rw-r--r--. 1 apache apache  276 may 22 15:55 nfcapd.201305221550
-rw-r--r--. 1 apache apache  276 may 22 16:00 nfcapd.201305221555
-rw-r--r--. 1 apache apache  276 may 22 16:05 nfcapd.201305221600
-rw-r--r--. 1 apache apache  276 may 22 16:10 nfcapd.201305221605
-rw-r--r--. 1 apache apache  276 may 22 16:15 nfcapd.201305221610
-rw-r--r--. 1 apache apache  276 may 22 16:20 nfcapd.201305221615
-rw-r--r--. 1 apache apache  276 may 22 16:25 nfcapd.201305221620

# nfdump -r nfcapd.201305221620 'any'
Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
No matched flows

I found this similar issue in this list, but it is not solved:
http://sourceforge.net/mailarchive/forum.php?thread_name=1364867767.65514.YahooMailNeo%40web122006.mail.ne1.yahoo.com&forum_name=nfdump-discuss

Does anybody know the solution? Any help is welcome.

Saludos,
Fabián
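To see what those 276-byte files actually contain without running nfdump, here is an added example (my own code, not from this thread or the nfdump project) that decodes the fixed header of an nfdump 1.6 capture file and reports its block and flow counters. The layout (140-byte file_header_t followed by 136-byte stat_record_t, magic 0xA50C) is assumed from nfdump 1.6's nffile.h as I recall it; 140 + 136 = 276 is exactly the size of the files in the listing, i.e. a header and statistics record with no data blocks behind them. The sample file is constructed in memory.

```python
import struct

# Assumed nfdump 1.6 on-disk layout (see lead-in): the magic is written in host
# byte order, so it doubles as the endianness marker when reading.
NFDUMP_MAGIC = 0xA50C
FILE_HEADER_FMT = "HHII128s"   # magic, version, flags, NumBlocks, ident[128]
STAT_RECORD_FMT = "15QIIHHI"   # 15 x uint64 counters, first/last seen, msec first/last, sequence failures
EMPTY_FILE_SIZE = 276          # header + stat record, zero data blocks

def parse_nfcapd(data: bytes) -> dict:
    """Decode header and stat record; raise ValueError for anything that is not an nfcapd file."""
    if data[:2] == b"\x0c\xa5":
        endian = "<"
    elif data[:2] == b"\xa5\x0c":
        endian = ">"
    else:
        raise ValueError("not an nfdump file: bad magic %r" % data[:2])
    header = struct.Struct(endian + FILE_HEADER_FMT)
    stats = struct.Struct(endian + STAT_RECORD_FMT)
    if len(data) < header.size + stats.size:
        raise ValueError("truncated nfdump file header")
    _magic, version, flags, num_blocks, ident = header.unpack_from(data, 0)
    counters = stats.unpack_from(data, header.size)
    return {
        "version": version,
        "flags": flags,
        "num_blocks": num_blocks,
        "ident": ident.split(b"\0", 1)[0].decode("ascii", "replace"),
        "numflows": counters[0],
        "numbytes": counters[1],
        "numpackets": counters[2],
        "sequence_failure": counters[-1],
        # A collector that received nothing writes exactly this: no blocks, no flows.
        "empty": num_blocks == 0 and counters[0] == 0,
    }

def make_nfcapd(ident: str, num_blocks: int = 0, numflows: int = 0, endian: str = "<") -> bytes:
    """Constructed sample file: header + stat record only (no data blocks appended)."""
    header = struct.pack(endian + FILE_HEADER_FMT, NFDUMP_MAGIC, 1, 0, num_blocks,
                         ident.encode().ljust(128, b"\0"))
    stats = struct.pack(endian + STAT_RECORD_FMT, *([numflows] + [0] * 14 + [0, 0, 0, 0, 0]))
    return header + stats

if __name__ == "__main__":
    sample = make_nfcapd("live")
    print(len(sample), "bytes ->", parse_nfcapd(sample))
```

Run it against a real file with `parse_nfcapd(open(path, "rb").read())`; a 276-byte file should report `num_blocks` 0 and `empty` True, which is consistent with nfdump printing "No matched flows".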