On May 02 15:25:34, h...@stare.cz wrote:
> Ok, so my pflow interface is up:
> 
>   pflow0: flags=141<UP,RUNNING,PROMISC> mtu 1492
>         priority: 0
>         pflow: sender: 0.0.0.0 receiver: 127.0.0.1:9995 version: 5
>         groups: pflow
> 
> The created states are exported:
> 
>   set state-defaults pflow, no-sync
>   (Also pfctl -sr says so)
> 
> The nfcapd is listening:
> 
>   # pgrep -fl nfcap
>   20264 /usr/local/bin/nfcapd -b 127.0.0.1 -4 -l /netflow -S 0 -w -D
> 
> The flow packets are sent to the listening nfcapd:
> 
>   # tcpdump -i pflow0    
>   tcpdump: listening on pflow0, link-type RAW
>   15:10:25.500196 0.0.0.0.61175 > localhost.9995: udp 744 (DF) [tos 0x10]
>   15:11:44.512890 0.0.0.0.61175 > localhost.9995: udp 888 (DF) [tos 0x10]
>   15:12:44.562534 0.0.0.0.61175 > localhost.9995: udp 168 (DF) [tos 0x10]
>   15:13:44.681469 0.0.0.0.61175 > localhost.9995: udp 120 (DF) [tos 0x10]
>   15:14:40.690466 0.0.0.0.61175 > localhost.9995: udp 456 (DF) [tos 0x10]
>   15:15:47.701228 0.0.0.0.61175 > localhost.9995: udp 984 (DF) [tos 0x10]
>   15:16:41.709903 0.0.0.0.61175 > localhost.9995: udp 456 (DF) [tos 0x10]
> 
> The running nfcapd is writing the captured files
>    -rw-r--r--  1 root  wheel  276 May  2 15:10 nfcapd.201305021505
>    -rw-r--r--  1 root  wheel  276 May  2 15:15 nfcapd.201305021510
>    -rw-r--r--  1 root  wheel  276 May  2 15:15 nfcapd.current
> 
> But none of the files contains any actual flows.
> They are all of size 276, probably just the header.
> At the end of every interval, the log says
> 
>   May  2 15:20:10 gw nfcapd[20264]: Ident: 'none' Flows: 0, Packets: 0, Bytes: 0, Sequence Errors: 0, Bad Packets: 0
>   May  2 15:20:10 gw nfcapd[20264]: Total ignored packets: 0
> 
> I must be missing something obvious.
> Can someone please give a hint?

Hm, setting the flow sender to 127.0.0.1 solved it

$ cat /etc/hostname.pflow0                                            
flowsrc 127.0.0.1 flowdst 127.0.0.1:9995 pflowproto 5

That is, nfcapd didn't see any flows if the reports
were coming from 0.0.0.0; now that flowsrc is specified,
so the reports come from 127.0.0.1, everything is OK.
Is that intended?

        Jan 
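
A collector-independent check on the export stream discussed in this thread, as an added example that is not part of the original messages: it parses NetFlow v5 datagrams (24-byte header, 48-byte records, the format selected by `pflowproto 5`) and verifies that the header's record count matches the datagram length. The function names and the sample datagram are constructed for illustration.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                 # NetFlow v5 header, 24 bytes
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # NetFlow v5 flow record, 48 bytes


def expected_records(udp_payload_len):
    """Record count implied by a UDP payload length, or None if not v5-shaped."""
    body = udp_payload_len - HEADER.size
    if body < RECORD.size or body % RECORD.size:
        return None
    n = body // RECORD.size
    return n if n <= 30 else None   # a v5 datagram carries at most 30 records


def parse_v5(datagram):
    """Parse one NetFlow v5 datagram; raise ValueError if it is malformed."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a v5 header")
    version, count, _up, secs, _ns, seq, _et, _eid, _samp = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"version {version}, expected 5")
    if expected_records(len(datagram)) != count:
        raise ValueError(f"header count {count} does not match length {len(datagram)}")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "sport": f[9], "dport": f[10], "proto": f[13],
                      "packets": f[5], "bytes": f[6]})
    return {"seq": seq, "unix_secs": secs, "flows": flows}


def build_sample():
    """Constructed sample: one v5 datagram carrying two TCP flows."""
    rec = lambda s, d, sp, dp: RECORD.pack(
        socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4, 0, 0,
        3, 180, 0, 0, sp, dp, 0, 0x12, 6, 0, 0, 0, 0, 0, 0)
    hdr = HEADER.pack(5, 2, 0, 1367500000, 0, 7, 0, 0, 0)
    return (hdr + rec("192.0.2.10", "198.51.100.5", 40000, 443)
                + rec("192.0.2.11", "198.51.100.5", 40001, 22))


if __name__ == "__main__":
    for size in (744, 888, 168, 120, 456, 984):   # UDP sizes from the tcpdump output above
        print(size, "->", expected_records(size), "records")
    print(parse_v5(build_sample()))
```

Every UDP size in the tcpdump output above fits 24 + 48·n, which is what well-formed v5 exports look like on the wire.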
