Isherwood, Jeffrey - AES wrote:
> I just tried this command:
>
> nfcapd -p 9996 -l /var/local/nfdump/flows -R 10.15.1.3/9996
>
> In an attempt to log locally and forward all flows to our research lab
> network's Netflow analyzer... the Netflow analyzer is not showing any
> incoming traffic... and the /var/local/nfdump/flows directory is rotating
> files:
>
> -rw-r--r-- 1 root root 276 Dec 17 11:04 nfcapd.200912171102
> -rw-r--r-- 1 root root 276 Dec 17 11:14 nfcapd.200912171109
> -rw-r--r-- 1 root root 276 Dec 17 11:19 nfcapd.200912171114
> -rw-r--r-- 1 root root 276 Dec 17 11:19 nfcapd.current

True, the files are empty, which means you do not get any netflow data from
your devices. You can verify that with temporarily setting -E.

./nfcapd -E .....

All received flows are printed out to stdout. You may also use plain tcpdump,
to see if any traffic comes from any router.

	- Peter

>
> They are all the same size... and I'm not convinced that I'm actually
> receiving flows on this server, never mind forwarding them along...
>
>
> -----Original Message-----
> From: Isherwood, Jeffrey - AES
> Sent: Thursday, December 17, 2009 11:53 AM
> To: 'peter.h...@switch.ch'
> Cc: 'nfdump-discuss@lists.sourceforge.net'
> Subject: RE: [Nfdump-discuss] Using NFDUMP as an aggregator...
>
> Thank you Peter, I am looking at Samplicator now...
>
> I just updated the team leader for this research project, and he asked me to
> verify that if the raw netflow data is coming in from multiple sources (like
> 200 or so) all inbound on the same port (9996) that the nfcapd will capture
> it all, the samplicator can then forward it to 2 research labs and a managed
> services contractor (to do with what they all will). Will Samplicator
> replicate and forward the nfcapd data without altering it?
>
> Will the server running nfcapd keep a copy of the Netflow data or does it
> forward and forget? I think (personal opinion) that it would be preferable
> if it held onto the data, if for simply no other reason than for verification
> and redundancy.
>
> So I guess I'm going to start over (since I messed up the installation of
> nfsen and apache, and couldn't get the web pages to yield data, probably a
> permissions problem).
>
> I'll install NFDUMP (nfcapd comes with nfdump) and Samplicator and see what I
> can do... I think from looking at the documentation tho, that if I'm not
> using nfsen, I'll need to automate or script nfcapd to get it running.
>
> Thanks...
>
> PS: Vince, thanks for the pointer to the flow-fanout that looks like a good
> "fall back option". I don't think it would allow me to retain copies of the
> flows on the server, which I need to do... but I could use it to send an
> extra copy somewhere else.
>
>
> Jeffrey
>
>
> -----Original Message-----
> From: Peter Haag [mailto:peter.h...@switch.ch]
> Sent: Thursday, December 17, 2009 2:02 AM
> To: Isherwood, Jeffrey - AES
> Cc: 'nfdump-discuss@lists.sourceforge.net'
> Subject: Re: [Nfdump-discuss] Using NFDUMP as an aggregator...
>
>>> Isherwood, Jeffrey - AES wrote:
>>> I would like to take the output from our Netflow devices and send it to
>>> 3 to 4 different locations to accommodate managed services contractors,
>>> network staff, customer support and research initiatives...
>>>
>>> I'm looking to collect flows from all across the enterprise, store them
>>> and redirect them out to other people/units that have need of them. Most
>>> equipment I've looked at has a limit of two Netflow destinations each, so
>>> I thought that NFDUMP might be the solution.
>
> No - nfcapd just can forward the flows for daisy chaining the flow traffic.
> To fan out to many places, have a look into
> samplicator: http://freshmeat.net/projects/samplicator/ from my
> colleague Simon Leinen.
>
> Hope this helps
>
> - Peter

-- 
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: peter.h...@switch.ch Web: http://www.switch.ch/

_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
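
Added example (not part of the original thread, and not code from nfdump or samplicator): a small Python sketch of the two checks discussed above, confirming that exporters really are sending NetFlow to port 9996 and replicating each datagram byte-for-byte to several collectors. The destination addresses are documentation placeholders, and the names netflow_header and relay_once are hypothetical.

```python
import socket
import struct
from collections import Counter

LISTEN = ("0.0.0.0", 9996)                            # port used in the thread
DESTS = [("192.0.2.10", 9996), ("192.0.2.11", 9996)]  # placeholder collectors

def netflow_header(datagram):
    """Return (version, records), or None if not NetFlow v5/v9/IPFIX."""
    if len(datagram) < 4:
        return None
    version, second = struct.unpack("!HH", datagram[:4])
    if version in (5, 9):
        return version, second   # second field is the record/flowset count
    if version == 10:
        return version, None     # IPFIX: second field is the message length
    return None

def relay_once(rx, tx, dests, seen):
    """Receive one datagram, count it per exporter, forward it unaltered."""
    datagram, (src_ip, _port) = rx.recvfrom(65535)
    hdr = netflow_header(datagram)
    seen[(src_ip, hdr[0] if hdr else "not-netflow")] += 1
    if hdr:
        for dest in dests:
            tx.sendto(datagram, dest)   # payload is forwarded unchanged
    return datagram

if __name__ == "__main__":
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(LISTEN)
    rx.settimeout(30)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    seen = Counter()
    while True:
        try:
            relay_once(rx, tx, DESTS, seen)
        except socket.timeout:
            # Same symptom as the empty capture files: nothing is arriving.
            print("no datagrams from any exporter in the last 30 s")
            continue
        if sum(seen.values()) % 100 == 0:
            print(dict(seen))           # datagrams seen per (exporter, version)
```

A collector such as nfcapd listening on another port can be one of the destinations, which keeps the local copy. Because this relay sends from its own socket, downstream collectors see the relay host, not the router, as the packet source.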