Joe,
'flowd-reader -c' takes any flowd capture as input. If the capture contains
IPv6, the output will include IPv6 addresses which'll break flow-import.
You can certainly use a subset of netflow-original (e.g., leave out L4 info if
you like). Using more than netflow-original will just waste router/server CPU
and export bandwidth since flowd silently drops other fields anyway. Think of
flowd as a netflow-original + IPv6 collector...
Re sync issues... While the import is taking place, other scripts might
mistakenly think the "ft-" file is complete when it's not. Here is a revised
script that uses FT's "tmp-" file name to avoid that case:
#!/usr/bin/perl
# "flowd2ft" crontab script to move flowd capture files into flow-tools
use strict;
use warnings;
# -- flow-tools variables
our $ftImport = "/usr/local/netflow/bin/flow-import"; # where ft's flow-import is
our $ftDir = "/var/log/flow-tools-capture"; # where ft's capture files go
our $ftTZ = "-0500"; # timezone for ft capture files
our $ftPeriod = 300; # seconds per ft capture file and cron interval
# -- flowd variables
our $flowdReader = "/usr/local/bin/flowd-reader"; # where flowd-reader is
our $flowdConf = "/usr/local/etc/flowd.conf"; # where flowd.conf is
our $flowdHup = "10"; # SIGUSR1
our ($flowdPid, $flowdLog);
### START OF NEW STUFF
# timestamp used to name this capture file (flow-tools "v05.YYYY-MM-DD.HHMMSS<tz>" style)
my ($sec, $min, $hour, $mday, $mon, $year) = localtime(time);
our $ftStem = sprintf("v05.%04d-%02d-%02d.%02d%02d%02d$ftTZ", $year + 1900,
$mon + 1, $mday, $hour, $min, $sec);
our $ftFile = "tmp-$ftStem"; # written under this name while the import runs
our $ftFileFinal = "ft-$ftStem"; # renamed to this only once the import is complete
### END OF NEW STUFF
# pull logfile/pidfile paths out of flowd.conf
open(IN, $flowdConf) || die "Could not read $flowdConf";
while ( <IN> ) {
if (/^\s*logfile ["]?([^"\s]+)/) { $flowdLog = $1; }
if (/^\s*pidfile ["]?([^"\s]+)/) { $flowdPid = $1; }
}
close(IN);
exit if (! -f $flowdLog); # exit silently on empty file
die "$flowdPid does not exist: $!" if (! -f $flowdPid);
my $pid = `cat $flowdPid`;
chomp($pid); # strip trailing newline before using it as a pid
# rotate the flowd log, then SIGUSR1 flowd so it reopens its logfile
`mv $flowdLog $flowdLog.tmp`;
die "$flowdPid ($pid) invalid: $!" if (! kill $flowdHup, $pid);
# convert the rotated capture to a v5 ft file (written under the tmp- name)
`$flowdReader -c $flowdLog.tmp | $ftImport -f 2 -V 5 -z 1 > $ftDir/$ftFile`;
unlink("$flowdLog.tmp");
`mv $ftDir/$ftFile $ftDir/$ftFileFinal`; ##### ALSO NEW
-Craig
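The "tmp-" then "ft-" rename pattern from the revised script, re-created in Python as an added illustration (this is not Craig's script and not part of flowd or flow-tools). It parses the same two flowd.conf directives the Perl script greps for, builds the same "v05.YYYY-MM-DD.HHMMSS<tz>" stem, writes the converted data under a "tmp-" name and renames it to "ft-" only when complete, and shows that a consumer which lists only "ft-" names never sees the half-written file. The flowd.conf text and the flow data are constructed sample input; the paths in it are placeholders.

```python
import os
import re
import tempfile
from datetime import datetime

# Constructed flowd.conf sample (placeholder paths); "logfile" and "pidfile"
# are the two directives the flowd2ft script extracts.
SAMPLE_FLOWD_CONF = """# constructed flowd.conf for the example
listen on 0.0.0.0:2055
logfile "/var/log/flowd"
pidfile /var/run/flowd.pid
store ALL
"""

# Same shape as the Perl regexes: optional leading whitespace, optional quote,
# then everything up to the next quote or whitespace.
CONF_RE = re.compile(r'^\s*(logfile|pidfile)\s+"?([^"\s]+)')


def parse_flowd_conf(text):
    """Return {'logfile': path, 'pidfile': path} found in flowd.conf text."""
    found = {}
    for line in text.splitlines():
        m = CONF_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def ft_stem(ts, tz="-0500"):
    """flow-tools style stem: v05.YYYY-MM-DD.HHMMSS<tz> (same layout as the script's sprintf)."""
    return ts.strftime("v05.%Y-%m-%d.%H%M%S") + tz


def write_ft_file(ft_dir, stem, data):
    """Write to tmp-<stem>, fsync, then rename to ft-<stem>.

    rename() is atomic within one filesystem, so an ft- name either does not
    exist yet or refers to a complete file; readers never observe a partial one.
    """
    tmp_path = os.path.join(ft_dir, "tmp-" + stem)
    final_path = os.path.join(ft_dir, "ft-" + stem)
    with open(tmp_path, "wb") as f:
        f.write(data)
        f.flush()
        os.fsync(f.fileno())
    os.rename(tmp_path, final_path)
    return final_path


def completed_ft_files(ft_dir):
    """What a downstream consumer should treat as complete: only ft-* names."""
    return sorted(n for n in os.listdir(ft_dir) if n.startswith("ft-"))


def demo():
    """Simulate an in-progress conversion, then a finished one; return what a consumer sees each time."""
    ft_dir = tempfile.mkdtemp()
    stem = ft_stem(datetime(2010, 5, 19, 14, 5, 0))
    # In-progress import: only the tmp- file exists, so the consumer must ignore it.
    in_progress = os.path.join(ft_dir, "tmp-" + stem)
    with open(in_progress, "wb") as f:
        f.write(b"partial")
    seen_during = completed_ft_files(ft_dir)
    os.unlink(in_progress)
    # Finished import: written under tmp-, renamed to ft- only when complete.
    final = write_ft_file(ft_dir, stem, b"constructed flow records")
    seen_after = completed_ft_files(ft_dir)
    return seen_during, seen_after, os.path.basename(final)


if __name__ == "__main__":
    print(parse_flowd_conf(SAMPLE_FLOWD_CONF))
    print(demo())
```

The consumer-side rule is the half of the pattern that is easy to forget: any script that picks up capture files has to select on the "ft-" prefix (or an equivalent "complete" marker), otherwise the rename buys nothing.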
On Wed, 19 May 2010, Joe Loiacono wrote:
>
> Craig,
>
> Thanks for the 'flowd2ft' script to enable conversion between flowd V9
> captures and flow-tools ft files (
> http://mailman.splintered.net/pipermail/flow-tools/2009-March/003765.html )
>
> From your accompanying email message of Mar 13, 2009:
>
> > Naturally it only supports for V5 fields (use 'record netflow-original'
> > when setting up Cisco flexible netflow).
>
> Does this require that the exporter be set this way only? In other words,
> will 'flowd-reader -c' be able to take any v9 file and convert it for
> flow-tools (V5 only - which is OK), or just those exported with 'record
> netflow-original'?
>
> Second question:
>
> Do you have to be careful syncing up the cron times with the flowd file times?
>
> Many thanks!
>
> Joe
>
>
> From: Craig Weinhold <[email protected]>
> To: Adam Powers <[email protected]>
> Cc: "<[email protected]>" <[email protected]>
> Date: 04/22/2010 01:04 PM
> Subject: Re: [Flow-tools] NetFlow v9 support in flow-tools?
>
> ________________________________
>
>
>
> There's an active flow-tools code fork, but it also lacks netflow v9 support:
> http://code.google.com/p/flow-tools/updates/list
>
> Adding v9 to flow-tools is not that easy; the fixed-length file structure
> currently used doesn't lend itself to the arbitrary field/protocol
> capabilities of netflow v9. It's a substantial effort.
>
> See this post for a workaround (for IPv4 only):
> http://mailman.splintered.net/pipermail/flow-tools/2009-March/003765.html
>
> -Craig
>
>
>
> On Thu, 22 Apr 2010, Adam Powers wrote:
>
> > A colleague of mine mentioned the other day that he heard someone had
> > updated flow-tools to support NetFlow v9. Truth? I can’t find anything
> > about such support.
> >
> > --
> >
> > Adam Powers
> > NetFlow Ninja & CTO
> > Lancope, Inc.
> > c. 678.725.1028
> > e. [email protected]
> > _______________________________________________
> Flow-tools mailing list
> [email protected]
> http://mailman.splintered.net/mailman/listinfo/flow-tools
>