It is possible (though unlikely) that the packets you see don't contain
flow data, but contain flow template data. You should do a packet capture
for about 5 minutes and analyse it with Wireshark (select Decode as... ->
Cflow).

You should check your router to see if you have "flow-time expire" set or
not. You should set it to 5 minutes, to force the expiry of your flows
every 5 minutes. This will ensure you get your data constantly, not all at
once when the cache entry expires.



On Mon, Jan 23, 2012 at 1:18 PM, James Davis <[email protected]> wrote:

> (running nfcapd 1.6.5, compiled from source on Debian 6.0.1)
>
> I'm launching nfcapd with the following command line options
>
> nfcapd -P nfcapd.pid -D -t 300 -w -l /var/netflow -p 49500
>
> but most of the files created are empty and have 0 size. From this
> morning for example:
>
> -rw-r--r-- 1 root root        0 Jan 23 06:00 nfcapd.201201230555
> -rw-r--r-- 1 root root        0 Jan 23 06:05 nfcapd.201201230600
> -rw-r--r-- 1 root root        0 Jan 23 06:10 nfcapd.201201230605
> -rw-r--r-- 1 root root        0 Jan 23 06:15 nfcapd.201201230610
> -rw-r--r-- 1 root root        0 Jan 23 06:20 nfcapd.201201230615
> -rw-r--r-- 1 root root        0 Jan 23 06:25 nfcapd.201201230620
> -rw-r--r-- 1 root root   655360 Jan 23 06:30 nfcapd.201201230625
> -rw-r--r-- 1 root root        0 Jan 23 06:35 nfcapd.201201230630
> -rw-r--r-- 1 root root        0 Jan 23 06:40 nfcapd.201201230635
> -rw-r--r-- 1 root root        0 Jan 23 06:45 nfcapd.201201230640
> -rw-r--r-- 1 root root        0 Jan 23 06:50 nfcapd.201201230645
> -rw-r--r-- 1 root root        0 Jan 23 06:55 nfcapd.201201230650
> -rw-r--r-- 1 root root        0 Jan 23 07:00 nfcapd.201201230655
>
> tcpdump shows a handful of UDP packets arriving every second, so I
> don't think it's a problem with the data not arriving at the
> collector. Any suggestions as to how I debug this further?
>
> Regards,
>
> James
>
> --
> James Davis                0300 999 2340 (+44 1235 822340)
> Senior CSIRT Member
> Lumen House, Library Avenue, Didcot, Oxfordshire, OX11 0SG
>
> JANET(UK) is a trading name of The JNT Association, a company limited
> by guarantee which is registered in England under No. 2881024
> and whose Registered Office is at Lumen House, Library Avenue,
> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG
>
>
>
> ------------------------------------------------------------------------------
> Try before you buy = See our experts in action!
> The most comprehensive online learning library for Microsoft developers
> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-dev2
> _______________________________________________
> Nfsen-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>
