<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7652.24">
<TITLE>RE: [Flow-tools] Empty flow files</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>Where can I see the syslog files?<BR>
It's not netflow v9, these are older routers<BR>
<BR>
<BR>
-----Original Message-----<BR>
From: Craig Weinhold [<A HREF="mailto:craig.weinhold@cdw.com">mailto:craig.weinhold@cdw.com</A>]<BR>
Sent: Fri 4/17/2009 9:53 PM<BR>
To: Schultz, Brian<BR>
Subject: Re: [Flow-tools] Empty flow files<BR>
<BR>
What does syslog say? flow-tools does a good job of logging errors.<BR>
<BR>
Could the netflow format be v9 ? flow-tools won't understand it.<BR>
<BR>
-Craig<BR>
<BR>
<BR>
On Fri, 17 Apr 2009, Schultz, Brian wrote:<BR>
<BR>
> I?ve been trying to get flow-tools to work for the past couple of days but I all the flow files seem to be empty. I was using ntop for a little while to test out flow reporting (and it worked) but I think I?m going to move over to Cacti so I can get netflow and snmp all in one place. I?m running this on Ubuntu btw. Any ideas on what I can do?<BR>
><BR>
> There aren?t any firewall rules to prevent anything<BR>
> Chain INPUT (policy ACCEPT)<BR>
> target prot opt source destination<BR>
><BR>
> Chain FORWARD (policy ACCEPT)<BR>
> target prot opt source destination<BR>
><BR>
> Chain OUTPUT (policy ACCEPT)<BR>
> target prot opt source destination<BR>
><BR>
> I can see all of the incoming flows<BR>
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<BR>
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes<BR>
> 15:49:23.288138 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464<BR>
> 15:49:34.283227 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 936<BR>
> 15:49:48.290208 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464<BR>
> 15:49:55.287958 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464<BR>
> 15:50:02.288658 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464<BR>
> 15:50:03.288547 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464<BR>
> 15:50:04.289581 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464<BR>
> 15:50:07.293188 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464<BR>
> 15:50:08.325804 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464<BR>
><BR>
> I start up flow-capture<BR>
> sudo flow-capture -V5 -d7 -E5M -S1 -w /var/flow/ams 0/0/2058<BR>
><BR>
> I can see that the port is up but it?s not in the listening state if that makes a difference<BR>
> Active Internet connections (only servers)<BR>
> Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name<BR>
> tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 4400/mysqld<BR>
> tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4579/apache2<BR>
> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 4887/sshd<BR>
> tcp6 0 0 :::22 :::* LISTEN 4887/sshd<BR>
> udp 0 0 0.0.0.0:2058 0.0.0.0:* 5131/flow-capture<BR>
> udp 0 0 127.0.0.1:161 0.0.0.0:* 4500/snmpd<BR>
> udp 0 0 0.0.0.0:68 0.0.0.0:* 3988/dhclient3<BR>
> Active UNIX domain sockets (only servers)<BR>
> Proto RefCnt Flags Type State I-Node PID/Program name Path<BR>
> unix 2 [ ACC ] STREAM LISTENING 13342 4400/mysqld /var/run/mysqld/mysqld.sock<BR>
> unix 2 [ ACC ] STREAM LISTENING 13222 4308/dbus-daemon /var/run/dbus/system_bus_socket<BR>
><BR>
> I see all of the flow files being created<BR>
> Cacti:/var/flow/ams/2009/2009-04/2009-04-17$ ls -l<BR>
> total 32<BR>
> -rw-r--r-- 1 root root 88 2009-04-17 15:30 ft-v05.2009-04-17.152325-0400<BR>
> -rw-r--r-- 1 root root 88 2009-04-17 15:44 ft-v05.2009-04-17.153001-0400<BR>
> -rw-r--r-- 1 root root 88 2009-04-17 15:53 ft-v05.2009-04-17.155206-0400<BR>
> -rw-r--r-- 1 root root 88 2009-04-17 16:00 ft-v05.2009-04-17.155424-0400<BR>
> -rw-r--r-- 1 root root 88 2009-04-17 16:01 ft-v05.2009-04-17.160001-0400<BR>
> -rw-r--r-- 1 root root 88 2009-04-17 16:15 ft-v05.2009-04-17.160344-0400<BR>
> -rw-r--r-- 1 root root 88 2009-04-17 16:30 ft-v05.2009-04-17.161501-0400<BR>
> -rw-r--r-- 1 root root 80 2009-04-17 16:30 tmp-v05.2009-04-17.163001-0400<BR>
><BR>
> But there?s nothing in them<BR>
> flow-print < ft-v05.2009-04-17.152325-0400<BR>
> srcIP dstIP prot srcPort dstPort octets packets<BR>
><BR>
> not sure what this means but it scrolls by in the message log<BR>
> Cacti:~$ tail /var/log/messages<BR>
> Apr 17 16:03:52 Cacti flow-capture[5659]: remove/1 0 files<BR>
> Apr 17 16:03:52 Cacti flow-capture[5659]: remove/2 0 files<BR>
> Apr 17 16:03:53 Cacti flow-capture[5659]: remove/1 0 files<BR>
> Apr 17 16:03:53 Cacti flow-capture[5659]: remove/2 0 files<BR>
> Apr 17 16:03:54 Cacti flow-capture[5659]: remove/1 0 files<BR>
> Apr 17 16:03:54 Cacti flow-capture[5659]: remove/2 0 files<BR>
> Apr 17 16:03:55 Cacti flow-capture[5659]: remove/1 0 files<BR>
> Apr 17 16:03:55 Cacti flow-capture[5659]: remove/2 0 files<BR>
> Apr 17 16:03:56 Cacti flow-capture[5659]: remove/1 0 files<BR>
> Apr 17 16:03:56 Cacti flow-capture[5659]: remove/2 0 files<BR>
><BR>
> I am running the NIC in promiscuous mode because I can?t change the settings on the routers just yet but they?re pointed at another VM on my machine. Would this not work because it?s not being pointed at flow-tools? Ok well I just ran it on the machine that all the flows are pointed to and it?s not creating the flow files<BR>
> eth0 Link encap:Ethernet HWaddr 00:0c:29:72:d8:d9<BR>
> inet addr:172.19.10.24 Bcast:172.19.10.255 Mask:255.255.255.0<BR>
> inet6 addr: fe80::20c:29ff:fe72:d8d9/64 Scope:Link<BR>
> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1<BR>
> RX packets:22694 errors:0 dropped:0 overruns:0 frame:0<BR>
> TX packets:1597 errors:0 dropped:0 overruns:0 carrier:0<BR>
> collisions:0 txqueuelen:1000<BR>
> RX bytes:6293072 (6.2 MB) TX bytes:201679 (201.6 KB)<BR>
> Interrupt:19 Base address:0x2000<BR>
><BR>
<BR>
<BR>
</FONT>
</P>
</BODY>
</HTML>