From Brian.Schultz at AtlasAir.com Fri Apr 17 17:23:45 2009
From: Brian.Schultz at AtlasAir.com (Schultz, Brian)
Date: Fri Apr 17 17:24:03 2009
Subject: [Flow-tools] Empty flow files
Message-ID:

I've been trying to get flow-tools to work for the past couple of days but all the flow files seem to be empty. I was using ntop for a little while to test out flow reporting (and it worked) but I think I'm going to move over to Cacti so I can get netflow and snmp all in one place. I'm running this on Ubuntu btw. Any ideas on what I can do?
There aren't any firewall rules to prevent anything

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I can see all of the incoming flows

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:49:23.288138 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
15:49:34.283227 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 936
15:49:48.290208 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
15:49:55.287958 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
15:50:02.288658 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
15:50:03.288547 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
15:50:04.289581 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
15:50:07.293188 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
15:50:08.325804 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464

I start up flow-capture

sudo flow-capture -V5 -d7 -E5M -S1 -w /var/flow/ams 0/0/2058

I can see that the port is up but it's not in the listening state if that makes a difference

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      4400/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4579/apache2
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      4887/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      4887/sshd
udp        0      0 0.0.0.0:2058            0.0.0.0:*                           5131/flow-capture
udp        0      0 127.0.0.1:161           0.0.0.0:*                           4500/snmpd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           3988/dhclient3
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     13342  4400/mysqld         /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     13222  4308/dbus-daemon    /var/run/dbus/system_bus_socket

I see all of the flow files being created

Cacti:/var/flow/ams/2009/2009-04/2009-04-17$ ls -l
total 32
-rw-r--r-- 1 root root 88 2009-04-17 15:30 ft-v05.2009-04-17.152325-0400
-rw-r--r-- 1 root root 88 2009-04-17 15:44 ft-v05.2009-04-17.153001-0400
-rw-r--r-- 1 root root 88 2009-04-17 15:53 ft-v05.2009-04-17.155206-0400
-rw-r--r-- 1 root root 88 2009-04-17 16:00 ft-v05.2009-04-17.155424-0400
-rw-r--r-- 1 root root 88 2009-04-17 16:01 ft-v05.2009-04-17.160001-0400
-rw-r--r-- 1 root root 88 2009-04-17 16:15 ft-v05.2009-04-17.160344-0400
-rw-r--r-- 1 root root 88 2009-04-17 16:30 ft-v05.2009-04-17.161501-0400
-rw-r--r-- 1 root root 80 2009-04-17 16:30 tmp-v05.2009-04-17.163001-0400

But there's nothing in them

flow-print < ft-v05.2009-04-17.152325-0400
srcIP            dstIP            prot  srcPort  dstPort  octets      packets

Not sure what this means but it scrolls by in the message log

Cacti:~$ tail /var/log/messages
Apr 17 16:03:52 Cacti flow-capture[5659]: remove/1 0 files
Apr 17 16:03:52 Cacti flow-capture[5659]: remove/2 0 files
Apr 17 16:03:53 Cacti flow-capture[5659]: remove/1 0 files
Apr 17 16:03:53 Cacti flow-capture[5659]: remove/2 0 files
Apr 17 16:03:54 Cacti flow-capture[5659]: remove/1 0 files
Apr 17 16:03:54 Cacti flow-capture[5659]: remove/2 0 files
Apr 17 16:03:55 Cacti flow-capture[5659]: remove/1 0 files
Apr 17 16:03:55 Cacti flow-capture[5659]: remove/2 0 files
Apr 17 16:03:56 Cacti flow-capture[5659]: remove/1 0 files
Apr 17 16:03:56 Cacti flow-capture[5659]: remove/2 0 files

I am running the NIC in promiscuous mode because I can't change the settings on the routers just yet, but they're pointed at another VM on my machine. Would this not work because it's not being pointed at flow-tools?
Ok well I just ran it on the machine that all the flows are pointed to and it's not creating the flow files

eth0      Link encap:Ethernet  HWaddr 00:0c:29:72:d8:d9
          inet addr:172.19.10.24  Bcast:172.19.10.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe72:d8d9/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:22694 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1597 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6293072 (6.2 MB)  TX bytes:201679 (201.6 KB)
          Interrupt:19 Base address:0x2000

From Brian.Schultz at AtlasAir.com Sat Apr 18 08:58:10 2009
From: Brian.Schultz at AtlasAir.com (Schultz, Brian)
Date: Sat Apr 18 08:59:23 2009
Subject: [Flow-tools] Empty flow files
References:
Message-ID:

Where can I see the syslog files?

It's not netflow v9, these are older routers

-----Original Message-----
From: Craig Weinhold [mailto:craig.weinhold@cdw.com]
Sent: Fri 4/17/2009 9:53 PM
To: Schultz, Brian
Subject: Re: [Flow-tools] Empty flow files

What does syslog say? flow-tools does a good job of logging errors.

Could the netflow format be v9 ? flow-tools won't understand it.

-Craig
From mwlucas at blackhelicopters.org Sat Apr 18 09:47:28 2009
From: mwlucas at blackhelicopters.org (Michael W. Lucas)
Date: Sat Apr 18 09:47:53 2009
Subject: [Flow-tools] Empty flow files
In-Reply-To:
References:
Message-ID: <20090418134728.GA53439@bewilderbeast.blackhelicopters.org>

Hi,

flow-tools logs to syslog facility LOCAL6. Look at /etc/syslog.conf, you might have to configure it to catch those messages.

==ml

On Sat, Apr 18, 2009 at 08:58:10AM -0400, Schultz, Brian wrote:
> Where can I see the syslog files?
> It's not netflow v9, these are older routers
> _______________________________________________
> Flow-tools mailing list
> flow-tools@splintered.net
> http://mailman.splintered.net/mailman/listinfo/flow-tools

--
Michael W. Lucas     mwlucas@BlackHelicopters.org, mwlucas@FreeBSD.org
http://www.BlackHelicopters.org/~mwlucas/
Latest book: Cisco Routers for the Desperate, 2nd Edition
http://www.CiscoRoutersForTheDesperate.com/

From jloiacon at csc.com Mon Apr 20 11:29:14 2009
From: jloiacon at csc.com (Joe Loiacono)
Date: Mon Apr 20 11:29:24 2009
Subject: [Flow-tools] Empty flow files
In-Reply-To:
Message-ID:

flow-capture logs for me to: /var/log/cflowd.log. Looks like cacti is intermediate and sending to system messages at /var/log/messages?
My typical messages:

3076 Apr 20 15:15:17 dbcollect flow-capture[20686]: remove/2 2009/2009-03/2009-03-29/ft-v07.2009-03-29.234501+0000
3077 Apr 20 15:16:37 dbcollect flow-capture[20686]: ftpdu_seq_check(): src_ip=192.168.16.1 dst_ip=172.16.253.32 d_version=7 expecting=3971473012 received=3971473039 lost=27
3078 Apr 20 15:17:36 dbcollect flow-capture[20662]: remove/2 ./2009/2009-01/2009-01-07/ft-v01.2009-01-07.153000+0000
3079 Apr 20 15:18:00 dbcollect flow-capture[20173]: STAT: now=1240240680 startup=1235616206 src_ip=172.17.100.36 dst_ip=172.16.253.32 d_ver=5 pkts=42903148 flows=1243414628 lost=100678 reset=432 filter_drops=0

Your 'remove' messages are flow-capture doing directory trimming to meet your requirements of 5M total space. It goes through the motions but there's no need ( .. 0 files) since you're not close to 5M.

Can you try it completely independently from cacti as a check?

Joe
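An added example, not from the thread or the flow-tools project, serving two points above: Brian's question whether flows addressed to another VM can reach flow-capture on a promiscuous-mode host, and Joe's reading of the remove/, ftpdu_seq_check and STAT messages. Both functions run on constructed input modelled on the outputs quoted in the thread; the verdict strings, the loss_pct field and the idle_trims/trimmed_files split are my own naming.

```python
import re

# Constructed sample input, modelled on the tcpdump, ifconfig and netstat
# output quoted in the thread: exporter -> 172.19.10.23:2058, collector
# owns 172.19.10.24, flow-capture started with 0/0/2058.
TCPDUMP_TEXT = """\
15:49:23.288138 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
15:49:34.283227 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 936
"""
LOCAL_ADDRS = {"172.19.10.24", "127.0.0.1"}
BOUND_UDP = {("0.0.0.0", 2058)}
TCPDUMP_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP")


def check_exporter_reachability(tcpdump_text, local_addrs, bound_udp):
    """Map each (dst_ip, dst_port) seen on the wire to a verdict string.
    The kernel hands a UDP socket only datagrams addressed to one of the
    host's own addresses; promiscuous mode changes what libpcap sees, not
    what flow-capture receives, so the exporter must target a local address
    and a bound port or the flow files stay empty."""
    verdicts = {}
    for m in TCPDUMP_RE.finditer(tcpdump_text):
        dst_ip, dst_port = m.group(3), int(m.group(4))
        port_bound = any(p == dst_port and a in ("0.0.0.0", dst_ip)
                         for a, p in bound_udp)
        if dst_ip not in local_addrs:
            verdict = "not local: exporter is sending to another host"
        elif not port_bound:
            verdict = "local address, but nothing bound on that UDP port"
        else:
            verdict = "ok"
        verdicts[(dst_ip, dst_port)] = verdict
    return verdicts


# Constructed flow-capture syslog lines in the formats quoted in the thread.
SYSLOG_TEXT = """\
Apr 17 16:03:52 Cacti flow-capture[5659]: remove/1 0 files
Apr 17 16:03:52 Cacti flow-capture[5659]: remove/2 0 files
Apr 20 15:15:17 dbcollect flow-capture[20686]: remove/2 2009/2009-03/2009-03-29/ft-v07.2009-03-29.234501+0000
Apr 20 15:16:37 dbcollect flow-capture[20686]: ftpdu_seq_check(): src_ip=192.168.16.1 dst_ip=172.16.253.32 d_version=7 expecting=3971473012 received=3971473039 lost=27
Apr 20 15:18:00 dbcollect flow-capture[20173]: STAT: now=1240240680 startup=1235616206 src_ip=172.17.100.36 dst_ip=172.16.253.32 d_ver=5 pkts=42903148 flows=1243414628 lost=100678 reset=432 filter_drops=0
"""
MSG_RE = re.compile(r"flow-capture\[\d+\]: (.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def summarize_flow_capture_log(text):
    """Separate idle expire passes, real deletions and per-exporter loss."""
    out = {"idle_trims": 0, "trimmed_files": [], "seq_loss": {}, "stat": {}}
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("remove/"):
            # "remove/N 0 files": the -E expire pass found nothing to delete;
            # anything else names a file that was actually removed.
            arg = msg.split(" ", 1)[1]
            if arg == "0 files":
                out["idle_trims"] += 1
            else:
                out["trimmed_files"].append(arg)
        elif msg.startswith("ftpdu_seq_check()"):
            # sequence gap between consecutive PDUs from one exporter
            kv = dict(KV_RE.findall(msg))
            key = (kv["src_ip"], kv["dst_ip"])
            out["seq_loss"][key] = out["seq_loss"].get(key, 0) + int(kv["lost"])
        elif msg.startswith("STAT:"):
            # periodic counters; lost is counted in flows, so rate it against flows
            kv = {k: (int(v) if v.isdigit() else v) for k, v in KV_RE.findall(msg)}
            seen = kv["flows"] + kv["lost"]
            kv["loss_pct"] = round(100.0 * kv["lost"] / seen, 4) if seen else 0.0
            out["stat"][(kv["src_ip"], kv["dst_ip"])] = kv
    return out
```

Run against the constructed input, the first function reports the thread's situation as "not local" (flows go to 172.19.10.23 while the collector owns 172.19.10.24), and the second counts the repeating "remove/N 0 files" lines as idle trims rather than deletions.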