Hello,
Wondering if anyone happens to have nfcapd running on the latest version
(2.1) of pfsense. If so, where did you get the package, and did you have
to jump through any hoops to get it to operate?
Thanks for your time/responses,
greg
More details:
I'm attempting to run nfcapd on a pfsense box (FreeBSD 8.3-REL-p11 amd64)
without luck. All the cap files it creates are 'empty'. If I use
softflowd it works as expected (but I don't want to use softflowd as it's
killing the CPU, which apparently is a common/known issue when using it on
multiple interfaces; we have 12 local interfaces to monitor on this device).
Empty files:
[2.1-RELEASE][root@fw01]/var/netflow(103): nfdump -r nfcapd.201311121517
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
I've tried a few variations of the command line arguments and also attempted
to ship the flows off to another host, which is where I ultimately want to
get to. Here are a few:
nfcapd -w -D -p 9996 -R 10.11.0.4 -B 200000 -S 1 -z -I test -l /var/netflow/test
nfcapd -R 10.11.0.4 -b 69.58.11.23 -I firewall -n firewall,69.58.11.23,/var/netflow/ -t 60 -T all
69.58.11.23 is the IP of the external interface, 10.11.0.4 is the host
I'd like to send the flows to. /var/netflow contains files of the same
size, with nothing in them.
-rw-r--r-- 1 root wheel 276 Nov 12 15:05 nfcapd.201311121504
-rw-r--r-- 1 root wheel 276 Nov 12 15:06 nfcapd.201311121505
-rw-r--r-- 1 root wheel 276 Nov 12 15:07 nfcapd.201311121506
-rw-r--r-- 1 root wheel 276 Nov 12 15:08 nfcapd.201311121507
The link is a 100 megabit link and it is busy all the time; currently it
is doing about 80 megabits in and 30 out.
Syslog shows (using nfcapd -R 10.11.0.4 -b 69.58.102.156 -I firewall -n firewall,69.58.11.23,/var/netflow/ -t 60 -T all -D):
Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: 2 byte input/output interface index
Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: 4 byte input/output interface index
Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: 2 byte src/dst AS number
Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: 4 byte src/dst AS number
Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: dst tos, direction, src/dst mask
Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: IPv4 next hop
Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: IPv6 next hop
Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: IPv4 BGP next IP
Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: IPv6 BGP next IP
Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: src/dst vlan id
Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: 4 byte output packets
Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: 8 byte output packets
Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: 4 byte output bytes
Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: 8 byte output bytes
Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: 4 byte aggregated flows
Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: 8 byte aggregated flows
Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: in src/out dst mac address
Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: in dst/out src mac address
Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: MPLS Labels
Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: IPv4 router IP addr
Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: IPv6 router IP addr
Nov 12 16:01:54 fw01 nfcapd[46797]: Add extension: router ID
Nov 12 16:01:54 fw01 nfcapd[47144]: Startup.
Each time I start it I see the interfaces go into promiscuous mode:
bge0: promiscuous mode enabled
igb0_vlan116: promiscuous mode enabled
igb0_vlan117: promiscuous mode enabled
igb0_vlan118: promiscuous mode enabled
igb0_vlan119: promiscuous mode enabled
igb0_vlan120: promiscuous mode enabled
igb0_vlan111: promiscuous mode enabled
igb0_vlan112: promiscuous mode enabled
igb0_vlan113: promiscuous mode enabled
igb0_vlan114: promiscuous mode enabled
igb0_vlan115: promiscuous mode enabled
bge0: promiscuous mode enabled
_______________________________________________
Nfdump-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss