Kirk Olson | 6 May 2013 22:49

http flow request not displaying flows

In March I rebooted the Ubuntu system running the flow-tools installation. After the reboot an http request for flow information returns no data although the apache service seems to be running fine. I can also see flows being captured in the /var/netflow directory.
 
I am sure this is more of an Ubuntu admin question so I apologize for my ignorance. Does anyone have any ideas?
 
Kirk Olson
_______________________________________________
Flow-tools mailing list
flow-tools@...
http://mailman.splintered.net/mailman/listinfo/flow-tools
Ivan Korjavin | 28 Mar 2013 07:51

Strange ip addresses in flow_capture log files

On my freebsd box:

#uname -rimp
9.1-STABLE amd64 amd64 GENERIC
flow_tools:

> pkg_info -x flow
Information for flow-tools-0.68_7:

Collector is ng_flow, started with

    /usr/sbin/ngctl mkpeer ipfw: netflow 30 iface0
    /usr/sbin/ngctl name ipfw:30 netflow

    /usr/sbin/ngctl msg netflow: setdlt {iface=0 dlt=12}
    /usr/sbin/ngctl msg netflow: setifindex {iface=0 index=5}
    /usr/sbin/ngctl msg netflow: settimeouts {inactive=15 active=150}
    /usr/sbin/ngctl mkpeer netflow: ksocket export inet/dgram/udp
    /usr/sbin/ngctl msg netflow:export connect inet/127.0.0.1:9995
And ipfw rule:

02750  59239017674  33111253913522 ngtee 30 ip from any to any via em0
Exported with flow_fanout for flow_capture.

# ps axww | grep flow
15106 ??  Ss        2:50,08 /usr/local/bin/flow-fanout -p /var/run/flow-capture/flow-fanout.pid 127.0.0.1/0.0.0.0/9995 127.0.0.1/127.0.0.1/9556
16367 ??  Ss       11:28,63 /usr/local/bin/flow-capture -n 95 -N 3 -z 5 -S 5 -E270G -w /var/netflow -p /var/run/flow-capture/flow-capture.pid 127.0.0.1/0.0.0.0/9556

In the log files I see:

Mar 28 09:05:00 rubin flow-capture[16367]: STAT: now=1364439900 startup=1364227269 src_ip=127.0.0.1 dst_ip=65.121.97.1 d_ver=5 pkts=1 flows=30 lost=0 reset=0 filter_drops=0
Mar 28 09:05:00 rubin flow-capture[16367]: STAT: now=1364439900 startup=1364227269 src_ip=127.0.0.1 dst_ip=255.127.0.0 d_ver=5 pkts=1458 flows=43711 lost=21989 reset=1395 filter_drops=0
Mar 28 09:05:00 rubin flow-capture[16367]: STAT: now=1364439900 startup=1364227269 src_ip=127.0.0.1 dst_ip=109.112.100.32 d_ver=5 pkts=446 flows=13380 lost=15933 reset=401 filter_drops=0
Mar 28 09:05:00 rubin flow-capture[16367]: STAT: now=1364439900 startup=1364227269 src_ip=127.0.0.1 dst_ip=12.79.228.1 d_ver=5 pkts=4 flows=120 lost=0 reset=3 filter_drops=0
Mar 28 09:05:00 rubin flow-capture[16367]: STAT: now=1364439900 startup=1364227269 src_ip=127.0.0.1 dst_ip=105.110.100.44 d_ver=5 pkts=465 flows=13950 lost=16443 reset=411 filter_drops=0
Mar 28 09:05:00 rubin flow-capture[16367]: STAT: now=1364439900 startup=1364227269 src_ip=127.0.0.1 dst_ip=8.0.0.0 d_ver=5 pkts=88 flows=2611 lost=210 reset=85 filter_drops=0
Mar 28 09:05:00 rubin flow-capture[16367]: STAT: now=1364439900 startup=1364227269 src_ip=127.0.0.1 dst_ip=82.111.119.115 d_ver=5 pkts=449 flows=13412 lost=11044 reset=409 filter_drops=0

What are those IPs in dst_ip: 65.121.97.1, 255.127.0.0, 109.112.100.32, etc.?

I tried starting flow_capture without flow_fanout and nothing changed.

Is it a flow_capture bug, or a collector bug? Or maybe it's my fault in some config?
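As a defender-side check on STAT records like the ones quoted above, here is an added example (my own code, not part of flow-tools and not posted in this thread). It parses the flow-capture STAT lines, flags every record whose dst_ip is outside the addresses the collector was started with (here 127.0.0.1, taken from the ps output above), reports the ratio of lost to received flows, and notes when all four octets happen to decode as printable ASCII. That ASCII test is only a heuristic I added for triage; the thread does not establish what produces these values, so the findings are a starting point for investigation, not a diagnosis. The sample log lines are the ones from the post, joined onto single lines.

```python
"""Audit flow-capture STAT log lines for unexpected exporter addresses and flow loss.

Added example; the STAT line layout is taken from the records quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Matches the STAT record flow-capture writes to syslog. The syslog prefix
# ("Mar 28 09:05:00 rubin ") before "flow-capture[" is skipped by re.search.
STAT_RE = re.compile(
    r"flow-capture\[(?P<pid>\d+)\]: STAT: now=(?P<now>\d+) startup=(?P<startup>\d+) "
    r"src_ip=(?P<src_ip>[\d.]+) dst_ip=(?P<dst_ip>[\d.]+) d_ver=(?P<d_ver>\d+) "
    r"pkts=(?P<pkts>\d+) flows=(?P<flows>\d+) lost=(?P<lost>\d+) "
    r"reset=(?P<reset>\d+) filter_drops=(?P<filter_drops>\d+)"
)

# Sample input: the seven STAT lines from the post, re-joined onto one line each.
SAMPLE_LOG = [
    "Mar 28 09:05:00 rubin flow-capture[16367]: STAT: now=1364439900 startup=1364227269 src_ip=127.0.0.1 dst_ip=65.121.97.1 d_ver=5 pkts=1 flows=30 lost=0 reset=0 filter_drops=0",
    "Mar 28 09:05:00 rubin flow-capture[16367]: STAT: now=1364439900 startup=1364227269 src_ip=127.0.0.1 dst_ip=255.127.0.0 d_ver=5 pkts=1458 flows=43711 lost=21989 reset=1395 filter_drops=0",
    "Mar 28 09:05:00 rubin flow-capture[16367]: STAT: now=1364439900 startup=1364227269 src_ip=127.0.0.1 dst_ip=109.112.100.32 d_ver=5 pkts=446 flows=13380 lost=15933 reset=401 filter_drops=0",
    "Mar 28 09:05:00 rubin flow-capture[16367]: STAT: now=1364439900 startup=1364227269 src_ip=127.0.0.1 dst_ip=12.79.228.1 d_ver=5 pkts=4 flows=120 lost=0 reset=3 filter_drops=0",
    "Mar 28 09:05:00 rubin flow-capture[16367]: STAT: now=1364439900 startup=1364227269 src_ip=127.0.0.1 dst_ip=105.110.100.44 d_ver=5 pkts=465 flows=13950 lost=16443 reset=411 filter_drops=0",
    "Mar 28 09:05:00 rubin flow-capture[16367]: STAT: now=1364439900 startup=1364227269 src_ip=127.0.0.1 dst_ip=8.0.0.0 d_ver=5 pkts=88 flows=2611 lost=210 reset=85 filter_drops=0",
    "Mar 28 09:05:00 rubin flow-capture[16367]: STAT: now=1364439900 startup=1364227269 src_ip=127.0.0.1 dst_ip=82.111.119.115 d_ver=5 pkts=449 flows=13412 lost=11044 reset=409 filter_drops=0",
]

# Assumption: a sane STAT record should carry one of the local addresses the
# collector listens on (127.0.0.1 in the ps output above).
EXPECTED_DST: Set[str] = {"127.0.0.1"}


@dataclass
class Stat:
    pid: int
    src_ip: str
    dst_ip: str
    d_ver: int
    pkts: int
    flows: int
    lost: int
    reset: int
    filter_drops: int

    @property
    def loss_ratio(self) -> float:
        """Fraction of flows the collector reports as lost: lost / (flows + lost)."""
        total = self.flows + self.lost
        return self.lost / total if total else 0.0


def parse_stat(line: str) -> Optional[Stat]:
    """Return a Stat for a STAT record, or None for any other log line."""
    m = STAT_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return Stat(int(g["pid"]), g["src_ip"], g["dst_ip"], int(g["d_ver"]),
                int(g["pkts"]), int(g["flows"]), int(g["lost"]),
                int(g["reset"]), int(g["filter_drops"]))


def as_text(ip: str) -> str:
    """Reinterpret the four dotted-decimal octets as bytes ('.' for non-printable)."""
    return "".join(chr(o) if 0x20 <= o < 0x7F else "." for o in map(int, ip.split(".")))


def looks_like_text(ip: str) -> bool:
    """Heuristic: True when every octet is a printable ASCII byte."""
    return all(0x20 <= int(o) < 0x7F for o in ip.split("."))


def audit(lines: Iterable[str], expected_dst: Set[str], max_loss: float = 0.05) -> List[Dict]:
    """Collect one finding per STAT record that looks wrong; other lines are ignored."""
    findings: List[Dict] = []
    for line in lines:
        st = parse_stat(line)
        if st is None:
            continue
        reasons = []
        if st.dst_ip not in expected_dst:
            reasons.append("dst_ip not a configured listener address")
        if looks_like_text(st.dst_ip):
            reasons.append("octets decode as printable ASCII %r" % as_text(st.dst_ip))
        if st.loss_ratio > max_loss:
            reasons.append("lost %.0f%% of flows" % (100 * st.loss_ratio))
        if reasons:
            findings.append({"dst_ip": st.dst_ip, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, EXPECTED_DST):
        print(finding["dst_ip"], "->", "; ".join(finding["reasons"]))
```

Run it against a real syslog file by replacing SAMPLE_LOG with the file's lines and EXPECTED_DST with the addresses from your own flow-capture command line; the loss threshold (5% here) is a starting value, not something flow-tools defines.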
Carlos Contreras | 12 Dec 2012 02:20

Flowdumper not working after installing Cflow

Hi,

I have installed cflow according to the instructions in the flow-tools README file; however, although I have several flow files, I am not able to get any output at all using the flowdumper program. I have included the full compile process and the actual test, in case you can advise me about the possible problem.

I have captured the install of Cflow in case you see any errors on the make process

root@carlos-VirtualBox:/home/carlos/Downloads/Cflow-1.053# perl Makefile.PL CCFLAGS='-DOSU' LIBS='-lft'
Found flow-tools... using "-DOSU -I../../lib -I../../lib/.. -L../../lib -lft -lz".
Note (probably harmless): No library found for -lft
Writing Makefile for Cflow
Writing MYMETA.yml
root@carlos-VirtualBox:/home/carlos/Downloads/Cflow-1.053# locate lft
/etc/bash_completion.d/lftp
/usr/lib/udisks/udisks-helper-ata-smart-selftest
/usr/share/locale-langpack/en_AU/LC_MESSAGES/lftp.mo
/usr/share/locale-langpack/en_GB/LC_MESSAGES/lftp.mo
/usr/share/locale-langpack/zh_CN/LC_MESSAGES/lftp.mo
root@carlos-VirtualBox:/home/carlos/Downloads/Cflow-1.053# make
Skip blib/lib/Cflow.pm (unchanged)
cc -c  -I../../lib -I../../lib/.. -DOSU -O2 -g   -DVERSION=\"1.053\" -DXS_VERSION=\"1.053\" -fPIC "-I/usr/lib/perl/5.14/CORE"   Cflow.c
Running Mkbootstrap for Cflow ()
chmod 644 Cflow.bs
rm -f blib/arch/auto/Cflow/Cflow.so
cc  -shared -O2 -g -L/usr/local/lib -fstack-protector Cflow.o  -o blib/arch/auto/Cflow/Cflow.so     \
             \
     
chmod 755 blib/arch/auto/Cflow/Cflow.so
cp Cflow.bs blib/arch/auto/Cflow/Cflow.bs
chmod 644 blib/arch/auto/Cflow/Cflow.bs
/usr/bin/perl "-Iblib/arch" "-Iblib/lib" flowdumper.PL flowdumper
cp flowdumper blib/script/flowdumper
/usr/bin/perl -MExtUtils::MY -e 'MY->fixin(shift)' -- blib/script/flowdumper
Manifying blib/man1/flowdumper.1p
Manifying blib/man3/Cflow.3pm
/usr/bin/perl "-Iblib/arch" "-Iblib/lib" Makefile3.PL Makefile3
Writing Makefile for Cflow
Writing MYMETA.yml
root@carlos-VirtualBox:/home/carlos/Downloads/Cflow-1.053# make install
Skip blib/lib/Cflow.pm (unchanged)
cc -c   -D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -g   -DVERSION=\"1.053\" -DXS_VERSION=\"1.053\" -fPIC "-I/usr/lib/perl/5.14/CORE"   Cflow.c
Running Mkbootstrap for Cflow ()
chmod 644 Cflow.bs
rm -f blib/arch/auto/Cflow/Cflow.so
cc  -shared -O2 -g -L/usr/local/lib -fstack-protector Cflow.o  -o blib/arch/auto/Cflow/Cflow.so     \
       -lnsl      \
     
chmod 755 blib/arch/auto/Cflow/Cflow.so
cp Cflow.bs blib/arch/auto/Cflow/Cflow.bs
chmod 644 blib/arch/auto/Cflow/Cflow.bs
/usr/bin/perl "-Iblib/arch" "-Iblib/lib" flowdumper.PL flowdumper
cp flowdumper blib/script/flowdumper
/usr/bin/perl -MExtUtils::MY -e 'MY->fixin(shift)' -- blib/script/flowdumper
Manifying blib/man1/flowdumper.1p
Manifying blib/man3/Cflow.3pm
/usr/bin/perl "-Iblib/arch" "-Iblib/lib" Makefile3.PL Makefile3
Writing Makefile for Cflow
Writing MYMETA.yml
Files found in blib/arch: installing files in blib/lib into architecture dependent library tree
Installing /usr/local/man/man1/flowdumper.1p
Appending installation info to /usr/local/lib/perl/5.14.2/perllocal.pod
root@carlos-VirtualBox:/home/carlos/Downloads/Cflow-1.053#


carlos@carlos-VirtualBox:/usr/local/flow-tools/2012/2012-11/2012-11-11$ ls
ft-v05.2012-11-11.101114-0600  ft-v05.2012-11-11.110000-0600
ft-v05.2012-11-11.101500-0600  ft-v05.2012-11-11.110500-0600
ft-v05.2012-11-11.102000-0600  ft-v05.2012-11-11.111000-0600
ft-v05.2012-11-11.102500-0600  ft-v05.2012-11-11.111500-0600
ft-v05.2012-11-11.103000-0600  ft-v05.2012-11-11.112000-0600
ft-v05.2012-11-11.103500-0600  ft-v05.2012-11-11.112500-0600
ft-v05.2012-11-11.104000-0600  ft-v05.2012-11-11.113000-0600
ft-v05.2012-11-11.104500-0600  ft-v05.2012-11-11.113500-0600
ft-v05.2012-11-11.105000-0600  ft-v05.2012-11-11.114000-0600
ft-v05.2012-11-11.105500-0600  ft-v05.2012-11-11.114500-0600
carlos@carlos-VirtualBox:/usr/local/flow-tools/2012/2012-11/2012-11-11$ sudo flowdumper -s ft-v05.2012-11-11*
[sudo] password for carlos:
carlos@carlos-VirtualBox:/usr/local/flow-tools/2012/2012-11/2012-11-11$ sudo flowdumper -s ft-v05.2012-11-11*
carlos@carlos-VirtualBox:/usr/local/flow-tools/2012/2012-11/2012-11-11$ flowdumper




^C
carlos@carlos-VirtualBox:/usr/local/flow-tools/2012/2012-11/2012-11-11$ sudo flowdumper -s ft-v05.2012-11-11*
carlos@carlos-VirtualBox:/usr/local/flow-tools/2012/2012-11/2012-11-11$
Amine Mouadden | 4 Dec 2012 15:52

(no subject)

Craig Weinhold | 26 Oct 2012 05:34

Good bye, traditional netflow

If you use Cisco products, you may be interested that they've announced the impending end for "traditional
netflow" on the ASR1000 line of routers.  Here is the announcement, which includes a link to a whitepaper
for migrating traditional to flexible netflow:

  http://www.cisco.com/en/US/prod/collateral/routers/ps9343/eol_C51-718332.html

Traditional netflow is what you have if your interfaces have any of these commands:

 ip route-cache flow
 ip flow ingress
 ip flow egress

The announcement only affects the ASR 1000 series of routers right now, but it points out that newer
platforms like the Catalyst 6500/Sup2T, the Catalyst 4500/Sup7E, and the Catalyst 3850 are exclusively
supporting flexible netflow. I suspect that the next generation of ISR routers follows suit.

-Craig
Drew Weaver | 8 Oct 2012 18:13

Netflow v5 pretty much dead what is everyone migrating to?

With Netflow v5’s life shortening every day what software package are people who are using flow-tools switching to?

It seems like Netflow v9, ipfix, jflow and sflow are all viable technologies; is there a package like flow-tools that has collector and tools that works with all of those?

Thanks,

-Drew

Konstantin V. Krotov | 20 Jul 2012 13:08

How to get flows with flow-nfilter for incoming and outgoing traffic for some net?

Hello, list!
Please tell me:
how do I get flows with flow-nfilter for incoming and outgoing traffic for
some net in one request?
Like the nfdump tool:
nfdump 'ip xx.xx.xx.xx'?

-- 
WBR, Konstantin V. Krotov
CJSs "Information Systems"
mailto: kkv@...
phone: +7 (8332) 51-35-95
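One way to express this in flow-nfilter, as an added example that is not from the thread or from the flow-tools distribution: a filter-primitive holds the prefix, and a filter-definition joins two match sets with the `or` keyword so a flow is selected when either its source or its destination address falls in the net. The prefix 192.0.2.0/24 is a placeholder (a documentation range), and the primitive and definition names are my own.

```text
# Added example flow-nfilter configuration (not from the thread).
# Replace 192.0.2.0/24 with the real network; the names are placeholders.

filter-primitive mynet
  type ip-address-prefix
  permit 192.0.2.0/24
  default deny

# A flow matches when its source OR its destination is inside mynet.
# Match lines within one block are ANDed; "or" starts a second block.
filter-definition mynet-either-direction
  match ip-source-address mynet
  or
  match ip-destination-address mynet
```

Save it as a filter file and run it in a normal flow-tools pipeline, for example `flow-cat <flow-dir> | flow-nfilter -f <filter-file> -F mynet-either-direction | flow-print`, where the directory and file are yours to fill in. Because the selection is done once in the filter rather than by two separate runs, both directions come out in a single request, which is what the nfdump `ip` primitive gives you.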
David Faught | 11 Apr 2012 21:45

Where did the community go?

From the lack of activity and a few of the last entries, I am slowly
figuring out that flow-tools community support has pretty much
dissolved.  So what are people doing instead of flow-tools?  Has
everyone gone and bought Lancope Stealthwatch or stayed with open
source and gone to SiLK (http://tools.netsa.cert.org/index.html)??

I have quite a lot of time and effort wrapped up in using flow-tools
and both Dave Plonka's FlowScan and Joe Loiacono's FlowViewer.  If I
need to eventually convert away from flow-tools to SiLK, I would
ideally want a simple way to convert both historical data in
flow-tools format and both of these higher level tools' feeds.

Or maybe someone will pick up the pieces and continue with flow-tools
development?

Thoughts???

Cheers,
Dave
David Faught | 14 Mar 2012 14:24

flow file header timestamps

Hi,  I am currently running a CentOS 5.7 server with flow-tools-0.68.5.1,
FlowViewer 3.3.1, and JKFlow 3.5.2 with FlowScan 1.006.  This is kind of an
odd server as it receives all the NetFlow data via scp from 2 other servers
also running flow-tools.  Every 5 minutes when these other servers process
their newly captured files, the files are copied to this server and a shell
script with the following lines in it is triggered:

    $flowpath/flow-cat $flowdir/rmtserv1/$infiles > /tmp/flowfile1
    $flowpath/flow-cat $flowdir/rmtserv2/$infiles > /tmp/flowfile2
    $flowpath/flow-merge -z2 /tmp/flowfile1 /tmp/flowfile2 > $flowdir/$infile

The first 2 lines combine any unprocessed files from each of the remote
collector servers to temporary files,
then the 3rd line uses flow-merge to properly combine those temporary
files.

The problem is that somewhere in this process the file header timestamps
are lost so that

    flow-cat -t "strtime" -T "endtime" $flowdir

doesn't work.  This was working fine with the original uncombined flow
files.

Doing this command (note the debug level > 5):

    flow-cat -t "03/13/2012 08:58:59" -T "03/13/2012 12:00:01" -d 9 2>&1 $PREFIX/saved | more

gives a bunch of lines like this:

    flow-cat:  i=0
    flow-cat: name=/var/local/flows/saved/ft-v05.2012-02-29.231500-0500 size=4971055  time=0
    flow-cat: name=/var/local/flows/saved/ft-v05.2012-03-02.095500-0500 size=7335032  time=0
    ...

where the times at the end are all zeros.

Although the doc for flow-merge has a line in it that describes the "-p"
switch to preload headers, the command does not actually support this.

So the question is: how can I combine flow files from 2 different capture
servers with the proper header timestamps?

Thanks for any help.

Cheers,
Dave
Charles Sprickman | 11 Feb 2012 01:06

Other options

Hello,

As was mentioned earlier today, flow-tools is a little long in the
tooth and it looks like lots of other projects have popped up to
fill the void.

That said, of the remaining list subs, what are you folks using or
considering moving to?

I'm particularly interested in any collector that's able to provide
some of the less technical staff with the ability to look at flow
data easily.  My wish list would include the following data somewhat
easily accessible:

- being able to tell a customer what's eating up their bandwidth ("oh look, you've got 20Mb/s of outbound BitTorrent traffic, time to write an IT policy on that").
- accurate traffic counts, ideally something that could even be used for billing purposes.
- some basic alerting, such as a huge jump in PPS to any particular host.
- network-wide usage info (i.e. X% of traffic is http, Y% is nntp, etc.)

Being able to do the one-offs listed above in a browser is a big plus...

Thanks,

Charles
Drew Weaver | 11 Feb 2012 00:35

IPFIX

Is there any plan to support IPFIX in flow-tools?

Thanks,

-Drew
