NFSEN supports IPFIX very nicely.  We’re using inline JFlow / IPFIX on the mx 
series very successfully.

Thanks
Scott

On Dec 22, 2014, at 11:30 AM, Duddilla, Srikanth 
<[email protected]> wrote:

> Peter,
> Can you clarify if nfsen supports IPFIX?
>  
> Thanks
>  
> From: Adrian Popa [mailto:[email protected]] 
> Sent: Monday, December 22, 2014 12:18 AM
> To: Duddilla, Srikanth
> Cc: NFSen-Discuss
> Subject: RE: [Nfsen-discuss] nfcapd is not capturing any data.
>  
> I just noticed one more thing in your capture - the netflow version exported 
> is 10, instead of 9. Wireshark thinks it's IPFIX. I'm not sure if nfsen fully 
> supports IPFIX. Peter can probably clear this.
> 
> In the meantime see if you can export v9.
> 
> On 21 Dec 2014 23:49, "Duddilla, Srikanth" 
> <[email protected]> wrote:
> Adrian, Thank you for this info. I will see what I can research.
>  
> Adrian and nfsen group,
> Nfsen list group, I appreciate your direction also on this.
> Using lancope replicator, and the servers being Linux servers (not actual 
> routers), I am looking at how to investigate further.
>  
> Thanks
>  
> From: Adrian Popa [mailto:[email protected]] 
> Sent: Sunday, December 21, 2014 10:53 AM
> To: Duddilla, Srikanth
> Subject: RE: [Nfsen-discuss] nfcapd is not capturing any data.
>  
> Ok, in the last screenshot you can see that the payload hasn't been 
> completely decoded because of the missing template packet. Either a template 
> is never sent, or your capture was not long enough (I had some routers 
> sending templates every 30 min), or the capture is truncated (<1500 bytes).
> 
> If your exporter sends valid netflow v9 data it should send a template as 
> well, at least when flow exporting starts.
> 
> You should also keep this discussion with the mailing list - somebody else 
> might be able to help as well.
> 
> Good luck!
> 
> On 19 Dec 2014 21:11, "Duddilla, Srikanth" 
> <[email protected]> wrote:
> Hello Adrian,
> I have expanded rest of the items including Ethernet and IP protocols below. 
> Thanks
> Thanks
>  
>  
>  
> From: Adrian Popa [mailto:[email protected]] 
> Sent: Friday, December 19, 2014 12:49 PM
> To: Duddilla, Srikanth
> Subject: RE: [Nfsen-discuss] nfcapd is not capturing any data.
>  
> Can you also expand the flow records fields that should be next in the 
> packet? They should list source/dst addresses and ports
> 
> On 19 Dec 2014 18:05, "Duddilla, Srikanth" 
> <[email protected]> wrote:
> Hello Adrian,
> Thank you for your direction.
> Since I am attaching a screen shot, I am only sending this response to you. I 
> appreciate your help in getting to bottom of this.
>  
> Here is the process that I am working through. For now this is how it is set 
> up. There are plans to have only virtual instances in the future in 
> production.
>  
> 1)      Data is coming from multiple packets to lancope replicator Physical 
> instance Linux server
> 
> 2)      Lancope replicator physical instance is sending data as it is to 
> lancope replicator virtual instance Linux server (for our lab purposes).
> 
> 3)      Lancope replicator virtual instance is sending data to our lab Linux 
> server.
> 
> 4)      All of the three mentioned are Linux servers (not Cisco routers), so 
> flow exporter command does not work (maybe I need to install some software 
> on these Linux servers to make it work).
> 
> So I captured the data being sent from lancope replicator virtual instance to 
> our lab server and was able to see the fields. Copying the screen shot below.
> 
>  
> This part of the process is where nfsen comes into play.
> 5)      I installed nfsen on our lab Linux server, and I could see empty 
> graphs in the nfsen web interface for our lab server.
> 
> 6)      I backtracked and found out that nfcapd files are being 
> created with no data.
> 
> 7)      As you suggested I ran capture and could see the fields, which 
> implies that it is sending templates.
> 
> 8)      Rest of the details are in my previous email. I can gather any other 
> details that are not in my previous emails. Looking for some 
> direction/resolution.
> 
>  
> Thanks
>  
> From: Adrian Popa [mailto:[email protected]] 
> Sent: Wednesday, December 17, 2014 1:18 AM
> To: Duddilla, Srikanth
> Cc: [email protected]
> Subject: Re: [Nfsen-discuss] nfcapd is not capturing any data.
>  
> Netflow data is not written to file until it is decoded. The decoding of the 
> fields is done after the collector receives a special "template" packet that 
> describes the fields. It is possible that in some cases your exporter is not 
> sending this template data often enough. You should be able to test this by 
> stopping the exporter and restarting exporting (it should send a template 
> packet). Alternatively, start a packet capture (full packets), leave it 
> running for a while (>5 minutes), load it into wireshark, decode the packets 
> payloads with the "cflow" dissector and see if you see the actual fields. If 
> you don't, then you didn't capture a template packet and you should see your 
> exporter's configuration.
> 
> Good luck!
>  
> On Mon, Dec 15, 2014 at 11:09 PM, Duddilla, Srikanth 
> <[email protected]> wrote:
> Hello,
> I need help in troubleshooting why nfcapd is not collecting any data.
> I installed and started nfsen. Nfcapd is not collecting any data. Nfcapd data 
> files are always created with 276 bytes which I presume is the header.
> I have checked whether port 1501 is receiving any data, and it is.
> Nfsen process is running and status shows collector is running.
> I noticed nfsen live profile is displaying error “ERR Channel info file 
> missing for channel 'Linux-Host-eth1' in 'live' Files: 0    Size: 0”.
>  
> # nfdump -r /data/nfsen/profiles-data/live/Linux-Host-eth1/nfcapd.current.23479
> Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
>  
> # tcpdump -i eth1 'udp port 1501'|head -3
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
> 13:56:51.749999 IP xxxx-xxxx.xxxx.xxxxx.net.33018 > netflow-proc1.ngid.centurylink.net.saiscm: UDP, length 242
> 13:56:51.750219 IP xxxx-xxxx.xxxx.xxxxx.net.33018 > netflow-proc1.ngid.centurylink.net.saiscm: UDP, length 242
> 13:56:51.751272 IP xxxx-xxxx.xxxx.xxxxx.net.33018 > netflow-proc1.ngid.centurylink.net.saiscm: UDP, length 316
> 74 packets captured
> 74 packets received by filter
> 0 packets dropped by kernel
>  
> # ps -ef |grep nfsen
> netflow  23481     1  0 08:56 ?        00:00:00 /usr/local/bin/nfcapd -w -D -p 1501 -u netflow -g www -B 200000 -S 1 -P /data/nfsen/var/run/p1501.pid -z -I Linux-Host-eth1 -l /data/nfsen/profiles-data/live/Linux-Host-eth1
> netflow  23740     1  0 09:40 ?        00:00:19 /usr/bin/perl -w /data/nfsen/bin/nfsend
> netflow  23741 23740  0 09:40 ?        00:00:00 /data/nfsen/bin/nfsend-comm
> root     24655 23124  0 13:47 pts/0    00:00:00 grep nfsen
>  
> # ls -ltr /data/nfsen/profiles-data/live/Linux-Host-eth1/2014/12/15|tail
> -rw-r--r-- 1 netflow www 276 Dec 15 12:40 nfcapd.201412151235
> -rw-r--r-- 1 netflow www 276 Dec 15 12:45 nfcapd.201412151240
> -rw-r--r-- 1 netflow www 276 Dec 15 12:50 nfcapd.201412151245
> -rw-r--r-- 1 netflow www 276 Dec 15 12:55 nfcapd.201412151250
> -rw-r--r-- 1 netflow www 276 Dec 15 13:00 nfcapd.201412151255
> -rw-r--r-- 1 netflow www 276 Dec 15 13:05 nfcapd.201412151300
> -rw-r--r-- 1 netflow www 276 Dec 15 13:10 nfcapd.201412151305
> -rw-r--r-- 1 netflow www 276 Dec 15 13:15 nfcapd.201412151310
> -rw-r--r-- 1 netflow www 276 Dec 15 13:20 nfcapd.201412151315
> -rw-r--r-- 1 netflow www 276 Dec 15 13:25 nfcapd.201412151320
>  
> # ls -l /data/nfsen/profiles-data/live/Linux-Host-eth1/
> total 12
> drwxr-xr-x 4 netflow www 4096 Dec  1 00:05 2014
> -rw-r--r-- 1 netflow www  276 Dec 15 13:20 nfcapd.current.23479
> -rw-r--r-- 1 netflow www  276 Dec 15 08:50 nfcapd.current.31558
>  
> # nfsen status
> NfSen version: 1.3.5
> NfSen status:
> Collector for (Linux-Host-eth1) port 1501 is running [23481].
> nfsen daemon:  pid: [23740] is running.
>  
> # nfsen --get-profile live
> name    live
> group   (nogroup)
> tcreate Wed Nov 19 08:55:00 2014
> tstart  Wed Dec 31 17:00:00 1969
> tend    Mon Dec 15 12:15:00 2014
> updated Mon Dec 15 12:15:00 2014
> expire  0 hours
> size    0
> maxsize 0
> type    live
> locked  0
> status  OK
> version 130
> channel Linux-Host-eth1 sign: + colour: #ff0000 order: 1        sourcelist: Linux-Host-eth1    ERR Channel info file missing for channel 'Linux-Host-eth1' in 'live'
>    Files: 0    Size: 0
>  
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> Here is my config file. Nfsen.conf
> $BASEDIR = "/data/nfsen";
> $BINDIR="${BASEDIR}/bin";
> $LIBEXECDIR="${BASEDIR}/libexec";
> $CONFDIR="${BASEDIR}/etc";
> $HTMLDIR    = "/var/www/nfsen/";
> $DOCDIR="${HTMLDIR}/doc";
> $VARDIR="${BASEDIR}/var";
> $PROFILESTATDIR="${BASEDIR}/profiles-stat";
> $PROFILEDATADIR="${BASEDIR}/profiles-data";
> $BACKEND_PLUGINDIR="${BASEDIR}/plugins";
> $FRONTEND_PLUGINDIR="${HTMLDIR}/plugins";
> $PREFIX  = '/usr/local/bin';
> $USER    = "netflow";
> $WWWUSER  = "www";
> $WWWGROUP = "www";
> $BUFFLEN = 200000;
> $SUBDIRLAYOUT = 1;
> $ZIPcollected   = 1;
> $ZIPprofiles    = 1;
> $PROFILERS = 2;
> $DISKLIMIT = 98;
> $PROFILERS = 6;
> %sources = (
>     'Linux-Host-eth1'   => { 'port' => '1501', 'col' => '#ff0000', 'type' => 'netflow' },
> );
> $low_water = 90;
> $syslog_facility = 'local3';
> @plugins = (
>     # profile    # module
>     # [ '*',     'demoplugin' ],
> );
> %PluginConf = (
>    # For plugin demoplugin
>    demoplugin => {
>         # scalar
>         param2 => 42,
>         # hash
>         param1 => { 'key' => 'value' },
>    },
>    # for plugin otherplugin
>    otherplugin => [
>         # array
>         'mary had a little lamb'
>    ],
> );
> $MAIL_FROM   = '[email protected]';
> $SMTP_SERVER = 'localhost';
> $MAIL_BODY      = q{
> Alert '@alert@' triggered at timeslot @timeslot@
> };
> 1;
>  
> Thanks
> Srikanth Duddilla (Sree)
> Email: [email protected]
>  
> This communication is the property of CenturyLink and may contain 
> confidential or privileged information. Unauthorized use of this 
> communication is strictly prohibited and may be unlawful. If you have 
> received this communication in error, please immediately notify the sender by 
> reply e-mail and destroy all copies of the communication and any attachments.
> 
> _______________________________________________
> Nfsen-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss

_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
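
The two checks suggested in this thread (which export version is on the wire, and whether a template ever arrives before the data that needs it) can be run over UDP payloads taken from a capture. This is an added example, not part of the original messages and not nfdump/nfsen code; the function names and the sample message are constructed for illustration, options templates are not parsed, and templates are tracked per source ID / observation domain only.

```python
import struct
V9_HDR = struct.Struct("!HHIIII")    # version, count, uptime, secs, sequence, source id
IPFIX_HDR = struct.Struct("!HHIII")  # version, length, export time, sequence, domain id
SET_HDR = struct.Struct("!HH")       # set id, set length (includes this header)
TEMPLATE_SET = {9: 0, 10: 2}         # template set id: NetFlow v9 / IPFIX (RFC 7011)

def template_ids(version, body):
    """Return the template IDs defined in one template set body."""
    ids, off = [], 0
    while off + 4 <= len(body):
        tid, nfields = struct.unpack_from("!HH", body, off)
        if tid < 256:                      # zero padding at the end of the set
            break
        off += 4
        for _ in range(nfields):
            if off + 4 > len(body):        # truncated capture: stop trusting it
                return ids
            ftype, = struct.unpack_from("!H", body, off)
            off += 8 if version == 10 and ftype & 0x8000 else 4  # enterprise field
        ids.append(tid)
    return ids

def inspect(payloads):
    """Walk UDP payloads in arrival order: (versions, templates, undecodable sets)."""
    versions, known, undecodable = set(), set(), 0
    for p in payloads:
        version = struct.unpack_from("!H", p)[0] if len(p) >= 2 else None
        hdr = {9: V9_HDR, 10: IPFIX_HDR}.get(version)
        if hdr is None or len(p) < hdr.size:
            continue
        versions.add(version)
        domain, off = hdr.unpack_from(p)[-1], hdr.size
        while off + SET_HDR.size <= len(p):
            set_id, set_len = SET_HDR.unpack_from(p, off)
            if set_len < SET_HDR.size or off + set_len > len(p):
                break                      # truncated or malformed set
            if set_id == TEMPLATE_SET[version]:
                known.update((domain, t) for t in template_ids(version, p[off + 4:off + set_len]))
            elif set_id >= 256 and (domain, set_id) not in known:
                undecodable += 1           # data set seen before its template
            off += set_len
    return versions, known, undecodable

def ipfix(sets, domain=1):
    # Build a constructed IPFIX message (sample input, not taken from the thread).
    body = b"".join(SET_HDR.pack(sid, 4 + len(d)) + d for sid, d in sets)
    return IPFIX_HDR.pack(10, 16 + len(body), 0, 0, domain) + body

TEMPLATE = struct.pack("!HHHHHH", 256, 2, 8, 4, 12, 4)   # id 256: src/dst IPv4 address
DATA = bytes([10, 0, 0, 1, 10, 0, 0, 2])                 # one record for template 256
```

A result with version 10 in the first element means the exporter is sending IPFIX rather than NetFlow v9, and a non-zero third element with an empty template set matches the "fields not decoded" symptom described above.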
