I think I can see a problem.
If a router sends you flow PDUs:
router------------------------------------------> nc -u -l -p 9999 > file
abcde fghij klmno pqrst uvwxy
What gets written to disk on the collector is
abcdefghijklmnopqrstuvwxy
When you then use nc to blast it back to itself, the UDP packets will look
different:
nc 127.0.0.1 < file ----------------------------------------> flow-capture
abcdefghij klmnopqrst uvwxy
So flow-capture is presented with
abcdefghij
As a UDP packet, which could be one and a half flow PDUs, which would
cause it to not work right.
Does that make sense? I'm worried that with netcat you lose the gaps
between the packets, which is a loss of information.
Mike
PS this looks interesting:
http://mailman.splintered.net/pipermail/flow-tools/2004-July/002249.html
On Feb 14, "Aleksey Kuznetsov" wrote:
> 1. nc -u 127.0.0.1 9999 < 2005011719
>
> 2. tcpdump -i lo0 -np -T cnfp port 9999
>
> 22:20:17.564479 IP 127.0.0.1.64542 > 127.0.0.1.9999: NetFlow v0, 0.045
> uptime, 3
> 419717328.3419717328, 1 recs
> 22:20:17.564691 IP 127.0.0.1.64542 > 127.0.0.1.9999: NetFlow vc255,
> 3232570.778
> uptime, 3267297173.000458754, 31203 recs
> 22:20:17.564916 IP 127.0.0.1.64542 > 127.0.0.1.9999: NetFlow v455, 1115.648
> upti
> me, 0.420610048, 3131 recs
> 22:20:17.565130 IP 127.0.0.1.64542 > 127.0.0.1.9999: NetFlow v0, 403701.760
> upti
> me, 3482752603.3276195843, 0 recs
> 22:20:17.565359 IP 127.0.0.1.64542 > 127.0.0.1.9999: NetFlow vcbd4,
> 3419718.212
> uptime, 93918420.001771008, 49476 recs
> 22:20:17.565577 IP 127.0.0.1.64542 > 127.0.0.1.9999: NetFlow v599, 1771.008
> upti
> me, 0.320667648, 5021 recs
> 22:20:17.565749 IP 127.0.0.1.64542 > 127.0.0.1.9999: NetFlow v0, 0.096
> uptime, 3
> 419718280.3419721184, 2 recs
> 22:20:17.565962 IP 127.0.0.1.64542 > 127.0.0.1.9999: NetFlow vc346,
> 1035020.377
> uptime, 3267297173.000458754, 52359 recs
> 22:20:17.566189 IP 127.0.0.1.64542 > 127.0.0.1.9999: NetFlow vc2be, 458.754
> upti
> me, 2.000000096, 65429 recs
> 22:20:17.566401 IP 127.0.0.1.64542 > 127.0.0.1.9999: NetFlow v0, 471007.232
> upti
> me, 3276196840.3276203583, 0 recs
>
> Similar, that netflow from a file it is restored incorrectly!
>
> 3. Here so the stream netflow with cisco looks:
>
> 22:23:18.032121 IP ***.4.50515 > ***.210.9800: NetFlow v5, 1555970
> .492 uptime, 1108408998.028044204, #3665659854, 30 recs
> 22:23:18.032238 IP ***.50515 > ***.9800: NetFlow v5, 1555970
> .492 uptime, 1108408998.028044204, #3665659884, 30 recs
> 22:23:18.032366 IP ***.50515 > ***.9800: NetFlow v5, 1555970
> .492 uptime, 1108408998.028044204, #3665659914, 30 recs
>
> ---
>
> Kind Regards, Aleksey
>
> On 14 Feb 2005 at 21:56, Aleksey Kuznetsov wrote:
>
> > On 14 Feb 2005 at 10:39, Mike Hunter wrote:
> >
> > > By default, flow-capture listens for 15 minutes and then produces a
> > > file with all the netflow it's gotten in that time...have you let it wait
> > > 15 minutes?
> >
> > No.
> >
> > >
> > > To test your network/firewall setup, can you make sure that
> >
> > 00100 allow ip from any to any via lo0
> >
> > >
> > > nc -l -p 9999
> > >
> > > echo HELLO | nc localhost 9999
> > >
> > > Works? I know it shouldn't be a problem, but we should make sure.
> > >
> >
> > nc it is necessary to start with an option '-u ' - UDP mode.
> >
> > With the help tcpdump it is possible to see packages,
> > but in a file they are not kept!
> >
> > tcpdump -i lo0 port 9999
> >
> > 21:41:41.015337 IP localhost.63113 > localhost.9999: UDP, length: 8192
> > 21:41:41.015548 IP localhost.63113 > localhost.9999: UDP, length: 8192
> > 21:41:41.015799 IP localhost.63113 > localhost.9999: UDP, length: 8192
> > 21:41:41.016010 IP localhost.63113 > localhost.9999: UDP, length: 8192
> >
> > ---
> >
> > At gathering netflow it is direct with Cisco with the help flow-
> > capture (on port 9800) everything is all right!
> >
> > The file constantly increases!
> >
> > With the help tcpdump it is visible, that UDP-packages here it is
> > less:
> >
> > 21:52:17.007546 IP ******.50515 > ******.9800: UDP, length: 1464
> > 21:52:17.007669 IP ******.50515 > ******.9800: UDP, length: 1464
> > 21:52:17.007797 IP ******.50515 > ******.9800: UDP, length: 1464
> > 21:52:17.007919 IP ******.50515 > ******.9800: UDP, length: 1464
> >
> > Whether in it put?
> >
> > ---
> >
> > Kind Regards, Aleksey
> >
> > > Mike
> > >
> > > On Feb 14, "Aleksey Kuznetsov" wrote:
> > >
> > > > So I also have tried to make, but it has turned out nothing!
> > > >
> > > > 1. flow-capture -V5 -z5 -n1 -w /2/tmp 127.0.0.1/127.0.0.1/9999
> > > >
> > > > 2. ps -ax | grep flow-capture
> > > >
> > > > 3753 ?? Ss 0:00,00 flow-capture -V5 -z5 -n1 -w /2/tmp
> > > > 127.0.0.1/127.0.0.1.9999
> > > >
> > > > 3. ls -l 2005011719
> > > >
> > > > -rw-r--r-- 1 root wheel 165216792 14 feb 21:17 2005011719
> > > >
> > > > 4. nc 127.0.0.1 9999 < 2005011719
> > > >
> > > > 5. ls -l
> > > >
> > > > total 2
> > > > -rw-r--r-- 1 root wheel 84 14 feb 21:23
> > > > tmp-v05.2005-02-14.212313+0300
> > > >
> > > > Other variants?
> > > >
> > > > Kind Regards, Aleksey
> > > >
> > > >
> > > > On 14 Feb 2005 at 9:28, Mike Hunter wrote:
> > > >
> > > > > On Feb 13, "Aleksey Kuznetsov" wrote:
> > > > >
> > > > > > Hello!
> > > > > >
> > > > > > I have data netflow, collected with the help netcat.
> > > > > > It is possible to transfer them in a format flow-tools?
> > > > >
> > > > > It's kind of ghetto, but you could do this:
> > > > >
> > > > > flow-capture ... 127.0.0.1/127.0.0.1/9999
> > > > >
> > > > > nc localhost 9999 < my_flow_stuff
> > > > >
> > > > > I didn't see an option in flow-import to do it more cleanly...
_______________________________________________
Flow-tools mailing list
http://mailman.splintered.net/mailman/listinfo/flow-tools