From mthibodeau at conceptreseau.net  Wed May 20 07:49:27 2009
From: mthibodeau at conceptreseau.net (Marquis Thibodeau)
Date: Wed May 20 07:49:39 2009
Subject: [Flow-tools] Help needed on FlowTracker
Message-ID: <1242820174_51@server20.conceptreseau.net>

Hi,

I'm a new user of Flow-tools. I'm able to view and graph with Flow Viewer and Flow Grapher with no problem. But when I set a Tracking object, nothing is returned and graphed. I have started the collector and the grapher but the graph is always with the "0" value?

In the collector log, I saw that the return value is always "0". and when I put the same criteria in the Viewer or the Grapher. I get go result.

Any idea/help.

Thanks
Marquis

From jloiacon at csc.com  Fri May 22 09:19:56 2009
From: jloiacon at csc.com (Joe Loiacono)
Date: Fri May 22 09:20:11 2009
Subject: [Flow-tools] Help needed on FlowTracker
In-Reply-To: <1242820174_51@server20.conceptreseau.net>
Message-ID:

flow-tools-bounces@list.splintered.net wrote on 05/20/2009 07:49:27 AM:

> Hi,
> I'm a new user of Flow-tools. I'm able to view and graph with Flow
> Viewer and Flow Grapher with no problem...
> But when I set a Tracking object, nothing is returned and graphed... I
> have started the collector and the grapher but the graph is always
> with the "0" value...?
> In the collector log, I saw that the return value is always "0"... and
> when I put the same criteria in the Viewer or the Grapher... I get go result...
                                                                     ^^
Did you mean you "get *no* result"?

If you are getting a good response from FlowGrapher or FlowViewer, but no result in FlowTracker, then you would want to look first at the permissions that the owner of FlowTracker_Collector has. Also review your FlowViewer_Configuration file values for $filter_directory, and $rrdtool_directory and the permissions on those directories.
Also set $debug_tracker to "Y", and check out the DEBUG_TRACKER and DEBUG_GRAPHER output for hints.

We'll get it going ...

Joe

From mthibodeau at conceptreseau.net  Mon May 25 10:53:36 2009
From: mthibodeau at conceptreseau.net (Marquis Thibodeau)
Date: Mon May 25 10:53:46 2009
Subject: [Flow-tools] Help needed on FlowTracker
In-Reply-To:
Message-ID: <1243263217_155@server20.conceptreseau.net>

Always getting "0" as result.

For now, I'm running as root so I don't think I have permission issue but let me know what permission I should have?

I had already activated the DEBUG but I don't see anything that could help me and/or ring a bell.

Any idea?

Thanks

_____

From: Joe Loiacono [mailto:jloiacon@csc.com]
Sent: 22 May 2009 09:20
To: Marquis Thibodeau
Cc: flow-tools@list.splintered.net
Subject: Re: [Flow-tools] Help needed on FlowTracker

flow-tools-bounces@list.splintered.net wrote on 05/20/2009 07:49:27 AM:

> Hi,
> I'm a new user of Flow-tools. I'm able to view and graph with Flow
> Viewer and Flow Grapher with no problem
> But when I set a Tracking object, nothing is returned and graphed I
> have started the collector and the grapher but the graph is always
> with the "0" value?
> In the collector log, I saw that the return value is always "0" and
> when I put the same criteria in the Viewer or the Grapher I get go result
                                                                  ^^
Did you mean you "get *no* result"?

If you are getting a good response from FlowGrapher or FlowViewer, but no result in FlowTracker, then you would want to look first at the permissions that the owner of FlowTracker_Collector has. Also review your FlowViewer_Configuration file values for $filter_directory, and $rrdtool_directory and the permissions on those directories. Also set $debug_tracker to "Y", and check out the DEBUG_TRACKER and DEBUG_GRAPHER output for hints.
We'll get it going ...

Joe

From Robert.Hahn at Teradata.com  Wed May 27 13:29:19 2009
From: Robert.Hahn at Teradata.com (Hahn, Robert)
Date: Wed May 27 13:29:27 2009
Subject: [Flow-tools] RE: flow-export against flow-gen -V 5 files: exaddr missing from wire but present in ascii?
Message-ID:

> I am using flow-export version 1.26 against files created
> w/flow-gen version 5 '-V 5' and outputting wire format via flow-export
> '-f 4'.
> $Id: flow-export.c,v 1.26 2004/03/31 03:11:14 maf Exp $
>
> It seems to be missing the exaddr field 'Exporter IP address'
> which I do need and which is present in ascii delimited output '-f 2'
> as the 4th ordinal. Is this by design? Am I missing something?
>
> It is in the flow-gen output:
>
> struct fts3rec_v5 {
>   u_int32 unix_secs;  /* Current seconds since 0000 UTC 1970 */
>   u_int32 unix_nsecs; /* Residual nanoseconds since 0000 UTC 1970 */
>   u_int32 sysUpTime;  /* Current time in millisecs since router booted */
>   u_int32 exaddr;     /* Exporter IP address */
> etc.
> I don't see it in struct ftpdu_v5
> Thanks in advance for any guidance!
>
>

From plonka at doit.wisc.edu  Wed May 27 13:56:29 2009
From: plonka at doit.wisc.edu (Dave Plonka)
Date: Wed May 27 13:57:08 2009
Subject: [Flow-tools] RE: flow-export against flow-gen -V 5 files: exaddr missing from wire but present in ascii?
In-Reply-To:
References:
Message-ID: <20090527175629.GA3764@doit.wisc.edu>

Hi Robert,

On Wed, May 27, 2009 at 01:29:19PM -0400, Hahn, Robert wrote:
> > I am using flow-export version 1.26 against files created
> > w/flow-gen version 5 '-V 5' and outputting wire format via flow-export
> > '-f 4'.
> > $Id: flow-export.c,v 1.26 2004/03/31 03:11:14 maf Exp $
> >
> > It seems to be missing the exaddr field 'Exporter IP address'
> > which I do need and which is present in ascii delimited output '-f 2'
> > as the 4th ordinal. Is this by design? Am I missing something?

Yes and yes... I'll try to clarify:

> > It is in the flow-gen output:
> I don't see it in struct ftpdu_v5

The exporter IP address is not in the wire format because it is merely the source IP address from the IP header of the packet. It would be redundant and error-prone to repeat it in the structured payload of the packet.

When a process uses the socket API to receive from the "wire", i.e. when it receives the payload from a UDP datagram, it can call the recvfrom() system call, which returns the content and also the remote IP (source) address and port number.

It's only when flow-tools stores flow information to a file that it needs to save or "remember" the exporter IP address (because otherwise it would be lost); it is implicitly there in the IP packet header (as the source IP address) when transmitted on the wire.

Dave

P.S. There are some protocols that support forwarding of information on the wire from one host to another, in which case they would want to preserve the original source IP address (e.g., the exporter IP address) but NetFlow is not one that supports that sort of forwarding.

--
plonka@doit.wisc.edu  http://net.doit.wisc.edu/~plonka/  Madison, WI

From Robert.Hahn at Teradata.com  Wed May 27 14:38:05 2009
From: Robert.Hahn at Teradata.com (Hahn, Robert)
Date: Wed May 27 14:38:09 2009
Subject: [Flow-tools] RE: flow-export against flow-gen -V 5 files: exaddr missing from wire but present in ascii?
In-Reply-To: <20090527175629.GA3764@doit.wisc.edu>
References: <20090527175629.GA3764@doit.wisc.edu>
Message-ID:

Thanks! (I'm a total newbie with netflow and these tools).

I think 'exporter' identifies the router, like e.g.
exporterIPv4Address in IPFIX and as you say doesn't belong in 'wire' format flow-export output.

So if I need the exporter, I could instead use flow-export -f 0 (cflowd) with CF_ROUTERMASK set/defaulted in the mask_fields? (Or ascii but I want binary format).

>
> Hi Robert,
>
> On Wed, May 27, 2009 at 01:29:19PM -0400, Hahn, Robert wrote:
> > > I am using flow-export version 1.26 against files created
> > > w/flow-gen version 5 '-V 5' and outputting wire format via
> > > flow-export '-f 4'.
> > > $Id: flow-export.c,v 1.26 2004/03/31 03:11:14 maf Exp $
> > >
> > > It seems to be missing the exaddr field 'Exporter IP address'
> > > which I do need and which is present in ascii delimited output '-f 2'
> > > as the 4th ordinal. Is this by design? Am I missing something?
>
> Yes and yes... I'll try to clarify:
>
> > > It is in the flow-gen output:
>
> > I don't see it in struct ftpdu_v5
>
> The exporter IP address is not in the wire format because it
> is merely the source IP address from the IP header of the packet.
> It would be redundant and error-prone to repeat it in the
> structured payload of the packet.
>
> When a process uses the socket API to receive from the
> "wire", i.e. when it receives the payload from a UDP
> datagram, it can call the recvfrom() system call, which
> returns the content and also the remote IP (source) address
> and port number.
>
> It's only when flow-tools stores flow information to a file
> that it needs to save or "remember" the exporter IP address
> (because otherwise it would be lost); it is implicitly there
> in the IP packet header (as the source IP address) when
> transmitted on the wire.
>
> Dave
>
> P.S. There are some protocols that support forwarding of
> information on the wire from one host to another, in which
> case they would want to preserve the original source IP
> address (e.g., the exporter IP
> address) but NetFlow is not one that supports that sort of forwarding.
>
> --
> plonka@doit.wisc.edu  http://net.doit.wisc.edu/~plonka/  Madison, WI
>
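
The point in Dave Plonka's reply above, as an added example that is not part of the original thread or of flow-tools: a collector learns the exporter address from recvfrom(), not from the NetFlow v5 payload. The names `rx_pdu` and `receive_one_pdu` are hypothetical, and the 24-byte header sent over loopback is constructed sample data.

```c
/* Added example, not flow-tools code; rx_pdu and receive_one_pdu are hypothetical. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* exaddr comes from the datagram source; version and count from the payload. */
struct rx_pdu { uint32_t exaddr; uint16_t version, count; };

/* Sends one constructed 24-byte NetFlow v5 header over loopback; 0 on success. */
int receive_one_pdu(struct rx_pdu *out)
{
    unsigned char hdr[24] = {0x00, 0x05, 0x00, 0x01}; /* version 5, count 1 */
    unsigned char buf[1500];
    struct sockaddr_in addr, from;
    socklen_t alen = sizeof(addr), flen = sizeof(from);
    struct timeval tv = {2, 0};               /* receive timeout, never hang */
    ssize_t n;
    int rc = -1, rx = socket(AF_INET, SOCK_DGRAM, 0), tx = socket(AF_INET, SOCK_DGRAM, 0);
    if (rx < 0 || tx < 0) goto done;
    memset(&addr, 0, sizeof(addr));           /* sin_port 0: kernel picks a port */
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(rx, (struct sockaddr *)&addr, sizeof(addr)) < 0) goto done;
    if (getsockname(rx, (struct sockaddr *)&addr, &alen) < 0) goto done;
    setsockopt(rx, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
    if (sendto(tx, hdr, sizeof(hdr), 0, (struct sockaddr *)&addr, sizeof(addr)) < 0) goto done;
    n = recvfrom(rx, buf, sizeof(buf), 0, (struct sockaddr *)&from, &flen);
    if (n < (ssize_t)sizeof(hdr)) goto done;  /* shorter than a v5 header */
    out->exaddr = ntohl(from.sin_addr.s_addr); /* sender, as reported by recvfrom() */
    out->version = (uint16_t)(buf[0] << 8 | buf[1]);
    out->count = (uint16_t)(buf[2] << 8 | buf[3]);
    rc = 0;
done:
    if (rx >= 0) close(rx);
    if (tx >= 0) close(tx);
    return rc;
}

int main(void)
{
    struct rx_pdu p;
    if (receive_one_pdu(&p) != 0) return 1;
    printf("v%u count=%u exporter=0x%08x\n", (unsigned)p.version, (unsigned)p.count, (unsigned)p.exaddr);
    return 0;
}
```

Because the stored exporter address is whatever source address the UDP datagram carried, it is unauthenticated; a collector that relies on it should accept flows only from an explicit list of known exporters.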