<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal>I’ve been trying to get flow-tools to work for the
past couple of days but I all the flow files seem to be empty. I was using ntop
for a little while to test out flow reporting (and it worked) but I think I’m
going to move over to Cacti so I can get netflow and snmp all in one place. I’m
running this on Ubuntu btw. Any ideas on what I can do?<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>There aren’t any firewall rules to prevent anything<o:p></o:p></p>
<p class=MsoNormal>Chain INPUT (policy ACCEPT)<o:p></o:p></p>
<p class=MsoNormal>target prot opt
source
destination<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Chain FORWARD (policy ACCEPT)<o:p></o:p></p>
<p class=MsoNormal>target prot opt source destination<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Chain OUTPUT (policy ACCEPT)<o:p></o:p></p>
<p class=MsoNormal>target prot opt
source
destination<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I can see all of the incoming flows<o:p></o:p></p>
<p class=MsoNormal>tcpdump: verbose output suppressed, use -v or -vv for full
protocol decode<o:p></o:p></p>
<p class=MsoNormal>listening on eth0, link-type EN10MB (Ethernet), capture size
96 bytes<o:p></o:p></p>
<p class=MsoNormal>15:49:23.288138 IP 192.168.1.6.49866 > 172.19.10.23.2058:
UDP, length 1464<o:p></o:p></p>
<p class=MsoNormal>15:49:34.283227 IP 192.168.1.6.49866 > 172.19.10.23.2058:
UDP, length 936<o:p></o:p></p>
<p class=MsoNormal>15:49:48.290208 IP 192.168.1.6.49866 > 172.19.10.23.2058:
UDP, length 1464<o:p></o:p></p>
<p class=MsoNormal>15:49:55.287958 IP 192.168.1.6.49866 > 172.19.10.23.2058:
UDP, length 1464<o:p></o:p></p>
<p class=MsoNormal>15:50:02.288658 IP 192.168.1.6.49866 > 172.19.10.23.2058:
UDP, length 1464<o:p></o:p></p>
<p class=MsoNormal>15:50:03.288547 IP 192.168.1.6.49866 > 172.19.10.23.2058:
UDP, length 1464<o:p></o:p></p>
<p class=MsoNormal>15:50:04.289581 IP 192.168.1.6.49866 > 172.19.10.23.2058:
UDP, length 1464<o:p></o:p></p>
<p class=MsoNormal>15:50:07.293188 IP 192.168.1.6.49866 > 172.19.10.23.2058:
UDP, length 1464<o:p></o:p></p>
<p class=MsoNormal>15:50:08.325804 IP 192.168.1.6.49866 > 172.19.10.23.2058:
UDP, length 1464<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I start up flow-capture<o:p></o:p></p>
<p class=MsoNormal>sudo flow-capture -V5 -d7 -E5M -S1 -w /var/flow/ams 0/0/2058<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I can see that the port is up but it’s not in the
listening state if that makes a difference<o:p></o:p></p>
<p class=MsoNormal>Active Internet connections (only servers)<o:p></o:p></p>
<p class=MsoNormal>Proto Recv-Q Send-Q Local
Address Foreign
Address
State PID/Program name<o:p></o:p></p>
<p class=MsoNormal>tcp
0 0
127.0.0.1:3306
0.0.0.0:*
LISTEN 4400/mysqld<o:p></o:p></p>
<p class=MsoNormal>tcp
0 0
0.0.0.0:80
0.0.0.0:*
LISTEN 4579/apache2<o:p></o:p></p>
<p class=MsoNormal>tcp
0 0
0.0.0.0:22
0.0.0.0:*
LISTEN 4887/sshd<o:p></o:p></p>
<p class=MsoNormal>tcp6
0 0
:::22
:::*
LISTEN 4887/sshd<o:p></o:p></p>
<p class=MsoNormal>udp
0 0
0.0.0.0:2058
0.0.0.0:*
5131/flow-capture<o:p></o:p></p>
<p class=MsoNormal>udp
0 0
127.0.0.1:161
0.0.0.0:*
4500/snmpd<o:p></o:p></p>
<p class=MsoNormal>udp
0 0
0.0.0.0:68
0.0.0.0:*
3988/dhclient3<o:p></o:p></p>
<p class=MsoNormal>Active UNIX domain sockets (only servers)<o:p></o:p></p>
<p class=MsoNormal>Proto RefCnt Flags
Type
State I-Node
PID/Program name Path<o:p></o:p></p>
<p class=MsoNormal>unix 2 [ ACC
] STREAM
LISTENING 13342
4400/mysqld
/var/run/mysqld/mysqld.sock<o:p></o:p></p>
<p class=MsoNormal>unix 2 [ ACC
] STREAM
LISTENING 13222 4308/dbus-daemon
/var/run/dbus/system_bus_socket<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I see all of the flow files being created<o:p></o:p></p>
<p class=MsoNormal>Cacti:/var/flow/ams/2009/2009-04/2009-04-17$ ls -l<o:p></o:p></p>
<p class=MsoNormal>total 32<o:p></o:p></p>
<p class=MsoNormal>-rw-r--r-- 1 root root 88 2009-04-17 15:30
ft-v05.2009-04-17.152325-0400<o:p></o:p></p>
<p class=MsoNormal>-rw-r--r-- 1 root root 88 2009-04-17 15:44
ft-v05.2009-04-17.153001-0400<o:p></o:p></p>
<p class=MsoNormal>-rw-r--r-- 1 root root 88 2009-04-17 15:53
ft-v05.2009-04-17.155206-0400<o:p></o:p></p>
<p class=MsoNormal>-rw-r--r-- 1 root root 88 2009-04-17 16:00
ft-v05.2009-04-17.155424-0400<o:p></o:p></p>
<p class=MsoNormal>-rw-r--r-- 1 root root 88 2009-04-17 16:01
ft-v05.2009-04-17.160001-0400<o:p></o:p></p>
<p class=MsoNormal>-rw-r--r-- 1 root root 88 2009-04-17 16:15
ft-v05.2009-04-17.160344-0400<o:p></o:p></p>
<p class=MsoNormal>-rw-r--r-- 1 root root 88 2009-04-17 16:30
ft-v05.2009-04-17.161501-0400<o:p></o:p></p>
<p class=MsoNormal>-rw-r--r-- 1 root root 80 2009-04-17 16:30
tmp-v05.2009-04-17.163001-0400<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>But there’s nothing in them<o:p></o:p></p>
<p class=MsoNormal>flow-print < ft-v05.2009-04-17.152325-0400<o:p></o:p></p>
<p class=MsoNormal>srcIP
dstIP
prot srcPort dstPort octets
packets<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>not sure what this means but it scrolls by in the message
log<o:p></o:p></p>
<p class=MsoNormal>Cacti:~$ tail /var/log/messages<o:p></o:p></p>
<p class=MsoNormal>Apr 17 16:03:52 Cacti flow-capture[5659]: remove/1 0 files<o:p></o:p></p>
<p class=MsoNormal>Apr 17 16:03:52 Cacti flow-capture[5659]: remove/2 0 files<o:p></o:p></p>
<p class=MsoNormal>Apr 17 16:03:53 Cacti flow-capture[5659]: remove/1 0 files<o:p></o:p></p>
<p class=MsoNormal>Apr 17 16:03:53 Cacti flow-capture[5659]: remove/2 0 files<o:p></o:p></p>
<p class=MsoNormal>Apr 17 16:03:54 Cacti flow-capture[5659]: remove/1 0 files<o:p></o:p></p>
<p class=MsoNormal>Apr 17 16:03:54 Cacti flow-capture[5659]: remove/2 0 files<o:p></o:p></p>
<p class=MsoNormal>Apr 17 16:03:55 Cacti flow-capture[5659]: remove/1 0 files<o:p></o:p></p>
<p class=MsoNormal>Apr 17 16:03:55 Cacti flow-capture[5659]: remove/2 0 files<o:p></o:p></p>
<p class=MsoNormal>Apr 17 16:03:56 Cacti flow-capture[5659]: remove/1 0 files<o:p></o:p></p>
<p class=MsoNormal>Apr 17 16:03:56 Cacti flow-capture[5659]: remove/2 0 files<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I am running the NIC in promiscuous mode because I can’t
change the settings on the routers just yet but they’re pointed at another
VM on my machine. Would this not work because it’s not being pointed at
flow-tools? Ok well I just ran it on the machine that all the flows are pointed
to and it’s not creating the flow files<o:p></o:p></p>
<p class=MsoNormal>eth0 Link encap:Ethernet
HWaddr 00:0c:29:72:d8:d9<o:p></o:p></p>
<p class=MsoNormal> inet
addr:172.19.10.24 Bcast:172.19.10.255 Mask:255.255.255.0<o:p></o:p></p>
<p class=MsoNormal> inet6
addr: fe80::20c:29ff:fe72:d8d9/64 Scope:Link<o:p></o:p></p>
<p class=MsoNormal> UP
BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1<o:p></o:p></p>
<p class=MsoNormal> RX
packets:22694 errors:0 dropped:0 overruns:0 frame:0<o:p></o:p></p>
<p class=MsoNormal> TX
packets:1597 errors:0 dropped:0 overruns:0 carrier:0<o:p></o:p></p>
<p class=MsoNormal>
collisions:0 txqueuelen:1000<o:p></o:p></p>
<p class=MsoNormal> RX
bytes:6293072 (6.2 MB) TX bytes:201679 (201.6 KB)<o:p></o:p></p>
<p class=MsoNormal>
Interrupt:19 Base address:0x2000<o:p></o:p></p>
</div>
</body>
</html>