What OS are you using? What does netstat/sockstat/lsof say about the status of port 9110? It seems like this has to be some kind of issue that's local to the machine, like a firewall (although I saw your tcpdump)....

On Feb 23, "Ballantyne, Ian" wrote:

> Additional info:
>
> flow-receive 0/0/9110 | flow-print
> flow-receive: setsockopt(size=4194304)
> flow-receive: Cleaning up
> flow-receive: flows stored/dropped by filter 0/0
>
> Returns no results.
>
> flow-receive 0/0/9105 | flow-print
> flow-receive: setsockopt(size=4194304)
> flow-receive: New exporter: time=1109188436 src_ip=192.168.47.xxx dst_ip=192.168.47.yyy d_version=5
>
> I took a look at the tcpdump files more closely from the two devices but can
> see no difference in the output in ethereal. It sees 29 flow records in both
> packets from each network device.
>
> I also downloaded the 0.67 tarball and built it. Same result as above.
>
> Ian
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > Sent: Wednesday, February 23, 2005 9:52 AM
> > To: '[email protected]'
> > Subject: [Flow-tools] problems with flow capture
> >
> > I hope that someone can help me with capturing version 5 netflow from 2
> > source devices using 2 different ports.
> > Background:
> >
> > Flow Collector
> > Os: Debian Linux ip 192.168.47.yyy
> > Flow-tools: dpkg -l| fgrep flow-tools
> > ii flow-tools 0.67-6 collects and processes NetFlow data
> > kernel 2.4.27-1-386
> >
> > Flow Devices:
> > Cisco 6509s for both devices, I am told configured exactly alike
> >
> > We have setup successfully a single flow using UDP port 9105 from 6509 with
> > ip 192.168.47.xxx using the command line below and getting netflow files
> > every minute:
> >
> > /usr/bin/flow-capture -w /var/flow/router1 -n 1439 -E 200G 192.168.47.yyy/192.168.47.xxx/9105
> >
> > I have another source 6509 with ip of 130.199.xxx.xx using UDP port 9110 and
> > using the command line below get 92 byte files for each minute. This is a
> > much busier device than router1 which is creating larger files. Flow-stat
> > shows router2 files to have no data, while the same command on router1 shows
> > traffic.
> >
> > /usr/bin/flow-capture-router2 -w /var/flow/router2 -n 1439 -V 5 192.168.47.yyy/130.199.xxx.xx/9110
> >
> > If I do not use the -V flag, I get no files created at all.
> >
> > Flow-stat output:
> >
> > #flow-cat ft-v05.2005-02-23.091801-0500 |flow-stat -f0
> > # --- ---- ---- Report Information --- --- ---
> > #
> > # Fields: Total
> > # Symbols: Disabled
> > # Sorting: None
> > # Name: Overall Summary
> > #
> > # Args: flow-stat -f0
> >
> > I have run tcpdump using the command line "tcpdump -ni port 9110" which
> > shows traffic being received as below:
> >
> > 09:27:20.852231 IP 130.199.xxx.xx.50968 > 192.168.47.xxx.9110: UDP, length: 1416
> > 09:27:20.852536 IP 130.199.xxx.xx.50968 > 192.168.47.xxx.9110: UDP, length: 1416
> >
> > I also captured the tcpdump traffic to a file and looked at it in Ethereal
> > and confirmed that it was v5.
> >
> > I run netstat -l -4:
> >
> > iidsdbsvr:/etc/flow-tools/cfg# netstat -l -4
> > Active Internet connections (only servers)
> > Proto Recv-Q Send-Q Local Address           Foreign Address  State
> > tcp        0      0 *:ssh                   *:*              LISTEN
> > tcp        0      0 localhost.localdom:smtp *:*              LISTEN
> > udp        0      0 flow-tools.s47.bnl:9105 *:*
> > udp        0      0 flow-tools.s47.bnl:9110 *:*
> >
> > Only entry in syslog:
> >
> > Feb 23 09:11:53 iidsdbsvr flow-capture-anubis[6187]: setsockopt(size=4194304)
> >
> > What debug levels are available with the -d switch? Is the output logged to
> > syslog?
> >
> > Please let me know if you need any additional information.
> >
> > Thanks,
> > Ian
>
> _______________________________________________
> Flow-tools mailing list
> [EMAIL PROTECTED]
> http://mailman.splintered.net/mailman/listinfo/flow-tools
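
Added example, not part of the original thread or of flow-tools: the tcpdump in the thread reports 1416-byte UDP payloads and Ethereal shows 29 flow records per packet, which matches NetFlow v5 framing (a 24-byte header plus 29 records of 48 bytes). The Python sketch below checks that framing and, when run as a listener, prints the source address the collector host actually sees for each datagram; the function names and the sample datagram are constructed for illustration.

```python
import socket
import struct

# NetFlow v5 export header: version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval (24 bytes, big-endian).
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD_LEN = 48   # fixed size of one v5 flow record
V5_MAX_RECORDS = 30  # a v5 datagram carries 1..30 records


def check_v5_datagram(payload: bytes) -> dict:
    """Validate NetFlow v5 framing; return header fields or raise ValueError."""
    if len(payload) < V5_HEADER.size:
        raise ValueError(f"short datagram: {len(payload)} bytes")
    version, count, _uptime, secs, _nsecs, seq, _etype, engine_id, _samp = \
        V5_HEADER.unpack_from(payload)
    if version != 5:
        raise ValueError(f"not NetFlow v5: version field is {version}")
    if not 1 <= count <= V5_MAX_RECORDS:
        raise ValueError(f"implausible record count {count}")
    expected = V5_HEADER.size + count * V5_RECORD_LEN
    if len(payload) != expected:
        raise ValueError(f"length {len(payload)} != {expected} for {count} records")
    return {"count": count, "unix_secs": secs, "flow_sequence": seq,
            "engine_id": engine_id}


def build_sample(count: int, unix_secs: int) -> bytes:
    """Constructed test datagram: valid v5 header followed by zeroed records."""
    header = V5_HEADER.pack(5, count, 0, unix_secs, 0, 0, 0, 0, 0)
    return header + bytes(count * V5_RECORD_LEN)


def listen(port: int, bind_addr: str = "0.0.0.0") -> None:
    """Print the source address and framing verdict for each datagram received."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            payload, (src_ip, src_port) = sock.recvfrom(65535)
            try:
                print(src_ip, src_port, check_v5_datagram(payload))
            except ValueError as exc:
                print(src_ip, src_port, "rejected:", exc)


if __name__ == "__main__":
    print(check_v5_datagram(build_sample(29, 1109188436)))  # constructed sample
```

To use listen(9110) on the collector, stop the flow-capture instance bound to that port first, since only one process can hold the UDP socket.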
