Re: [Nfsen-discuss] nfsen vs flow-tool. Exporter id tag.
From: Peter H. <ph...@us...> - 2013-02-22 12:22:08
Hi Andrey,
Filtering according to the router IP address works only if you collect this information.
Have a look into one of your nfcapd files, such as ./nfdump -r /path/to/nfcapd.xxx -c 1 -o raw
This shows you all the fields in a record that you have collected. If the router address
does not show up, you need to add this extension in nfsen.conf:
%sources = (
'monitor' => { 'port' => '60181', 'col' => '#0000ff', 'type' => 'netflow', 'optarg' => '-T13' },
);
See also nfcapd(1) for all extensions. If you don't care about disk space, use -Tall, so nfcapd gets all it
understands from the exporter.
- Peter
On 2/14/13 16:51, Andrey Teslenko wrote:
> Hello,
>
> I tried to use nfsen instead of flow-tools.
> I tried to convert the flow files into nfdump format with the ft2nfdump utility.
> I have more than 20 routers in my network and all of them exported data to the single host-collector.
> All data was collected successfully and the nfsen "live" profile worked fine.
>
> Filters such as: "src/dst AS", "src/dst IP", "src/dst IF" work fine.
>
> BUT.
>
> How must I write a filter to see statistics for "src/dst IF" from a specific export source?
> SNMP indexes on some routers are identical, so I need to filter by exporter IP, such as the Loopback IP address or
> some other ID.
>
> Example:
>
> #sh ip flow export
> Flow export v5 is enabled for main cache
> Export source and destination details :
> VRF ID : Default
> Source(1) 213.xx.xx.3 (Loopback0)
> Destination(1) 62.xx.xx.xx (60181)
>
>
> In the native data of flow-tools this field is called exporter id.
> *Can I be sure that after converting the data with ft2nfdump this information does not disappear?*
>
>
> Currently I am trying to use filter options such as:
>
> Router IP
> router ip <ipaddr>
> Filter the flows according the IP address of the exporting router.
>
> But I got empty results.
>
> nfdump -M /home/netflow/flows/live/upstreams -T -r nfcapd.201302141434 -n 10 -s ip/flows
> nfdump filter:
> *router ip 213.xx.xx.3*
> Top 10 IP Addr ordered by flows:
> Date first seen Duration Proto IP Addr Flows(%) Packets(%) Bytes(%) pps bps bpp
>
> Summary: total flows: 0, total bytes: 0, total packets: 0, avg bps: 0, avg pps: 0, avg bpp: 0
> Time window: 2013-02-14 14:04:52 - 2013-02-14 14:35:48
> Total flows processed: 689084, Blocks skipped: 0, Bytes read: 46858276
> Sys: 0.144s flows/second: 4785006.5 Wall: 1.391s flows/second: 495145.8
>
> Can I hope it will work if I switch all my routers directly to the nfdump collector (without conversion), but
> continue using a single source to collect data from all routers?
> %sources = (
> 'monitor' => { 'port' => '60181', 'col' => '#0000ff', 'type' => 'netflow' },
> );
--
Be nice to your netflow data