Thread: [Nfdump-discuss] nfcapd not seeing packets
From: Nicholas M. <Nic...@me...> - 2012-04-10 05:41:49
Hi

I am having trouble receiving flows at nfcapd. I am exporting version 5 netflows (cflow) from a Juniper router. I am exporting them both to my PC running Wireshark and to my nfcapd on port 9996. The interval is 5 and there is traffic on the interfaces involved. I simultaneously send the flows to Wireshark on my PC and it decodes them as version 5 flows properly.

However, on the nfcapd I see no data being logged. If I run "nfcapd -E -p 9996 -I FW -l /data/nfsen/test/ -s 5" I don't see any packets logged to STDOUT, even though I simultaneously see the packets hit the server (tcpdump port 9996) and also I get the same flows sent to my PC at the same time. All I get is this:

    [root@ausydmon04 test]# nfcapd -E -p 9996 -I FW -l /data/nfsen/test/ -s 5
    File Block Header:
      NumBlocks = 0
      Size      = 0
      id        = 2

Any idea where I could be going wrong? I am running nfcapd as root.

    [root@ausydmon04 test]# nfcapd -V
    nfcapd: Version: 1.6.6 $Date: 2012-03-11 11:57:45 +0100 (Sun, 11 Mar 2012) $

Thanks,
Nick.
From: Peter H. <ph...@us...> - 2012-04-10 08:15:36
Hi Nick,

I guess you have some packet filters somewhere on your system. Wireshark reads network data at a very low level. System filters or SELinux features follow up the chain and nfcapd sits on top of all. This means something blocks your network data somewhere in your network data chain.

Hope this helps.

- Peter

On 4/10/12 7:14, Nicholas Mooney wrote:

--
Be nice to your netflow data
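The layering Peter describes is the useful diagnostic: libpcap tools (tcpdump, Wireshark) see a datagram before the host firewall, SELinux policy or a wrong bind address get a say, so "tcpdump sees it, the collector does not" points at that gap rather than at the exporter. The script below is an added example, not part of the thread or of nfdump: it binds the collector port itself (udp/9996 from the thread is the default; any other port is an assumption passed on the command line), decodes whatever arrives as NetFlow v5 using the standard 24-byte header and 48-byte record layout, and prints the flows, so that you can tell whether datagrams reach the socket layer at all. The `build_v5` helper only constructs sample datagrams for testing; the IP addresses in the test are constructed documentation-range values.

```python
"""Socket-level NetFlow v5 receiver for "tcpdump sees it, nfcapd doesn't" cases.

Added example; not nfdump code. If this script receives nothing while tcpdump
on the same host shows the datagrams, the loss is between libpcap and the
socket (host firewall, SELinux, bind address), exactly the layering described
in the thread.
"""
import socket
import struct
import sys
import time

# NetFlow v5 header and flow record, network byte order.
V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes

# Protocol numbers worth labelling in a quick diagnostic dump.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_v5(datagram):
    """Decode one NetFlow v5 datagram into (header dict, list of record dicts).

    Rejects anything that is not well-formed v5: a truncated header, a version
    other than 5, or a flow count that does not match the datagram length.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header: %d bytes" % len(datagram))
    (version, count, uptime_ms, unix_secs, unix_nsecs,
     flow_sequence, engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5: version field is %d" % version)
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:
        raise ValueError("count=%d implies %d bytes, datagram has %d"
                         % (count, expected, len(datagram)))
    header = {
        "version": version, "count": count, "sys_uptime_ms": uptime_ms,
        "unix_secs": unix_secs, "unix_nsecs": unix_nsecs,
        "flow_sequence": flow_sequence, "engine_type": engine_type,
        "engine_id": engine_id, "sampling": sampling,
    }
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "nexthop": socket.inet_ntoa(f[2]),
            "input_if": f[3], "output_if": f[4],
            "packets": f[5], "bytes": f[6],
            "srcport": f[9], "dstport": f[10],
            "tcp_flags": f[12], "proto": PROTO_NAMES.get(f[13], str(f[13])),
        })
    return header, records


def build_v5(records, flow_sequence=0, unix_secs=None):
    """Build a v5 datagram from (src, dst, proto, srcport, dstport, packets, bytes)
    tuples. Only used to construct test input; a real exporter fills the rest."""
    if unix_secs is None:
        unix_secs = int(time.time())
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                       socket.inet_aton("0.0.0.0"),      # nexthop
                       0, 0,                             # input/output ifIndex
                       pkts, octets, 0, 0,               # dPkts, dOctets, first, last
                       sport, dport, 0, 0, proto, 0,     # ports, pad1, tcp_flags, prot, tos
                       0, 0, 0, 0, 0)                    # ASNs, masks, pad2
        for (src, dst, proto, sport, dport, pkts, octets) in records)
    header = V5_HEADER.pack(5, len(records), 0, unix_secs, 0, flow_sequence, 0, 0, 0)
    return header + body


def listen(port, timeout=30.0):
    """Bind UDP *port* the way a collector would and report what reaches the
    socket layer. Returns the number of datagrams received before the timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    deadline = time.time() + timeout
    got = 0
    print("listening on udp/%d for %.0fs" % (port, timeout))
    while time.time() < deadline:
        sock.settimeout(max(0.01, deadline - time.time()))
        try:
            data, (src_ip, src_port) = sock.recvfrom(65535)
        except socket.timeout:
            break
        got += 1
        try:
            hdr, recs = parse_v5(data)
            print("%s:%d v5 seq=%d count=%d" % (src_ip, src_port, hdr["flow_sequence"], hdr["count"]))
            for r in recs:
                print("   %s:%d -> %s:%d %s pkts=%d bytes=%d" % (
                    r["src"], r["srcport"], r["dst"], r["dstport"], r["proto"], r["packets"], r["bytes"]))
        except ValueError as exc:
            print("%s:%d %d bytes, not v5: %s" % (src_ip, src_port, len(data), exc))
    if got == 0:
        print("nothing reached the socket; if tcpdump on this host shows the datagrams, "
              "check host firewall, SELinux and bind address between libpcap and the socket")
    return got


if __name__ == "__main__":
    listen(int(sys.argv[1]) if len(sys.argv) > 1 else 9996)
```

Run it on the collector host in place of nfcapd (both cannot bind the same port at once) while the exporter is sending. Datagrams showing up here but not in nfcapd narrows the problem to nfcapd's own options (bind address, interface); nothing showing up here while tcpdump sees the traffic confirms a filter between capture and socket, which is what Nick found.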
From: Nicholas M. <Nic...@me...> - 2012-04-10 22:38:24
Hi Peter

You were right. I installed the same nfdump software (version 1.6.6) on a development BSD machine and had the flows capturing and printing with "-E" within a couple of minutes. Must be something about my first machine filtering packets after tcpdump.

Nick.

-----Original Message-----
From: Peter Haag [mailto:ph...@us...]
Sent: Tuesday, 10 April 2012 6:15 PM
To: Nicholas Mooney
Cc: nfd...@li...
Subject: Re: [Nfdump-discuss] nfcapd not seeing packets