John C. A. Bambenek, CISSP | 3 Dec 20:33 2007

nfdump with a tap?

I have an odd environment where I'd like to capture netflow data but using the router isn't an option.  I do have a tap hanging off the router and a machine that sees all traffic in and out... will nfdump be able to generate netflow data off of that?

_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@...
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
Peter Haag | 4 Dec 08:48 2007

Re: NFSEN again


Hi Manuela,

--On November 28, 2007 19:28:32 -0300 Manuela Lima <manuela@...> wrote:

| Hi everyone,
|
| actually I didn't know that and installed nfdump version 1.5.2 'cause the 1.5.6
| doesn't want to be installed on my ultra sun 5.
|
| Don't ask me why, but it just won't do it. I've already tried everything, or at
| least almost everything and it doesn't work.

There is an important difference between linking and loading!
--with-rrdpath is a hint for the linker to correctly compile and link a binary.
But you need to make sure that the loader finds all required libraries. That's something
your installer of rrdtool should have taken care of. On your OpenBSD make sure to check
with ldconfig -r that the path of your rrd library is listed, otherwise the program
does not get linked correctly. If not done, add your rrdlib path to the shlib_dirs=..
variable in rc.conf.

    - Peter

|
| I used this command:
|
| $ ./configure --enable-nfprofile --with-rrdpath=/usr/local/rrdtool
| checking for gcc... gcc
| checking for C compiler default output file name... a.out
| checking whether the C compiler works... yes
| checking whether we are cross compiling... no
| checking for suffix of executables...
| checking for suffix of object files... o
| checking whether we are using the GNU C compiler... yes
| checking whether gcc accepts -g... yes
| checking for gcc option to accept ANSI C... none needed
| checking for special C compiler options needed for large files... no
| checking for _FILE_OFFSET_BITS value needed for large files... no
| checking for _LARGE_FILES value needed for large files... no
| checking for gcc... (cached) gcc
| checking whether we are using the GNU C compiler... (cached) yes
| checking whether gcc accepts -g... (cached) yes
| checking for gcc option to accept ANSI C... (cached) none needed
| checking whether we are using SunPro C... no
| checking for bison... no
| checking for byacc... no
| checking for flex... flex
| checking for yywrap in -lfl... yes
| checking lex output file root... lex.yy
| checking whether yytext is a pointer... yes
| checking for a BSD-compatible install... /usr/bin/install -c
| checking how to run the C preprocessor... gcc -E
| checking for egrep... grep -E
| checking for ANSI C header files... yes
| checking for sys/types.h... yes
| checking for sys/stat.h... yes
| checking for stdlib.h... yes
| checking for string.h... yes
| checking for memory.h... yes
| checking for strings.h... yes
| checking for inttypes.h... yes
| checking for stdint.h... yes
| checking for unistd.h... yes
| checking for rrd_update in -lrrd... no
| configure: error: Can not link librrd. Please specify --with-rrdpath=..
| configure failed!
|
| It appears to me that nfdump is not finding the rrdtools, but I looked for it
| and it is installed where I pointed in the configure command.
|
| Any help would be appreciated..
|
| Thanksss.
| --
| Abs,
|
| Manuela Lima
| Bolsista CAT/CBPF
|
| ------------------------------------------
| CBPF WebMail -  http://www.cbpf.br

--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag,  Security Engineer,  Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA  FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box,  CH-8021   Zurich, Switzerland
E-mail: peter.haag@... Web: http://www.switch.ch/
Jens Link | 4 Dec 08:49 2007

Re: nfdump with a tap?

"John C. A. Bambenek, CISSP" <bambenek.infosec@...> writes:

> I have an odd environment where I'd like to capture netflow data but
> using the router isn't an option.  I do have a tap hanging off the
> router and a machine that sees all traffic in and out... will nfdump
> be able to generate netflow data off of that?

You might use fprobe (http://fprobe.sourceforge.net/) to capture the data
and export it to nfdump. Worked pretty well for me some time ago.

cheers 

Jens
--

-- 
sage <at> guug Berlin: http://www.guug.de/lokal/berlin/index.html
    		  http://www.openbc.com/go/invita/4269460

Manuela Lima | 6 Dec 01:20 2007

Environment Variable

Hi everyone!

Does anyone know which environment variable is responsible for setting the path
to librrd?

Thanks

--
Abs,

Manuela Lima
Bolsista CAT/CBPF

------------------------------------------
CBPF WebMail -  http://www.cbpf.br 

Bjørn Skovlund Rydén | 7 Dec 11:31 2007

Any way to do statistics on src/dst_peer_as?

Hi list,

I was wondering if there's any way to do statistics on dst_peer_as and
src_peer_as? Or more exactly to filter on those. It seems to be part of the
sflow dumps I receive from my Foundry MLX.

Thanks in advance,
Bjørn

Ralf Kleineisel | 14 Dec 12:35 2007

nfcapd memory leak?

Hi,

is there a memory leak in nfcapd? The nfcapd processes start at 8 MB for
each process group (two processes) and use another 32 MB every 24 hours.
The increase is quite linear. After a few days they use up all memory
and I have to kill and restart them, but this means I lose data.

Is this a bug?

Peter Haag | 14 Dec 13:46 2007

Re: nfcapd memory leak?


Hi Ralf

--On December 14, 2007 12:35:35 +0100 Ralf Kleineisel
<ralf.kleineisel@...> wrote:

| Hi,
|
| is there a memory leak in nfcapd? The nfcapd processes start at 8 MB for
| each process group (two processes) and use another 32 MB every 24 hours.
| The increase is quite linear. After a few days they use up all memory
| and I have to kill and restart them, but this means I lose data.

Hmm .. I can not reproduce that. I have nfcapd processes running for months, still with a
small memory footprint, as expected.

Can you send me off list the command line you start nfcapd with?

    - Peter
|
| Is this a bug?

--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag,  Security Engineer,  Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA  FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box,  CH-8021   Zurich, Switzerland
E-mail: peter.haag@... Web: http://www.switch.ch/
Manuela Lima | 18 Dec 19:55 2007

Problem compiling nfdump

Hi everyone,

I'm still getting problems during the ./configure from nfdump. Now this message
appears at the end of the ./configure command:

$ ./configure LDFLAGS='-L /usr/X11R6/lib -L /opt/csw/lib -L /opt/csw/include' >
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ANSI C... none needed
checking for special C compiler options needed for large files... no
checking for _FILE_OFFSET_BITS value needed for large files... no
checking for _LARGE_FILES value needed for large files... no
checking for gcc... (cached) gcc
checking whether we are using the GNU C compiler... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking for gcc option to accept ANSI C... (cached) none needed
checking whether we are using SunPro C... no
checking for bison... no
checking for byacc... no
checking for flex... flex
checking for yywrap in -lfl... yes
checking lex output file root... lex.yy
checking whether yytext is a pointer... yes
checking for a BSD-compatible install... /usr/bin/install -c
checking how to run the C preprocessor... gcc -E
checking for egrep... grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for rrd_update in -lrrd... yes
checking rrd.h usability... yes
checking rrd.h presence... yes
checking for rrd.h... yes
configure: error: Can not load rrd library. Not in loader search path!

What could it possibly be now?

Thanks in advance!
--
Abs,

Manuela Lima
Bolsista CAT/CBPF

------------------------------------------
CBPF WebMail -  http://www.cbpf.br 

Werner Schram | 18 Dec 22:22 2007

Re: Problem compiling nfdump

Hi Manuela,

It means that your OS does not know where to look for the rrd library, 
this is probably caused by rrdtool's slightly odd default installation 
location (/usr/local/rrdtool). If you compile rrdtool with 'configure 
--prefix=/usr/local', it will be installed in a more standard location, 
which means that the library is automatically in your library search path.

Or if you really want rrdtool to be in /usr/local/rrdtool, on Linux you 
can add this path to /etc/ld.so.conf and then run ldconfig. On FreeBSD 
you can change the ldconfig_paths in /etc/rc.conf.

Regards,
Werner

Manuela Lima wrote:
> Hi everyone,
>
> I'm still getting problems during the ./configure from nfdump. Now this message
> appears at the end of the ./configure command:
>
> $ ./configure LDFLAGS='-L /usr/X11R6/lib -L /opt/csw/lib -L /opt/csw/include' >
> checking for gcc... gcc
> checking for C compiler default output file name... a.out
> checking whether the C compiler works... yes
> checking whether we are cross compiling... no
> checking for suffix of executables...
> checking for suffix of object files... o
> checking whether we are using the GNU C compiler... yes
> checking whether gcc accepts -g... yes
> checking for gcc option to accept ANSI C... none needed
> checking for special C compiler options needed for large files... no
> checking for _FILE_OFFSET_BITS value needed for large files... no
> checking for _LARGE_FILES value needed for large files... no
> checking for gcc... (cached) gcc
> checking whether we are using the GNU C compiler... (cached) yes
> checking whether gcc accepts -g... (cached) yes
> checking for gcc option to accept ANSI C... (cached) none needed
> checking whether we are using SunPro C... no
> checking for bison... no
> checking for byacc... no
> checking for flex... flex
> checking for yywrap in -lfl... yes
> checking lex output file root... lex.yy
> checking whether yytext is a pointer... yes
> checking for a BSD-compatible install... /usr/bin/install -c
> checking how to run the C preprocessor... gcc -E
> checking for egrep... grep -E
> checking for ANSI C header files... yes
> checking for sys/types.h... yes
> checking for sys/stat.h... yes
> checking for stdlib.h... yes
> checking for string.h... yes
> checking for memory.h... yes
> checking for strings.h... yes
> checking for inttypes.h... yes
> checking for stdint.h... yes
> checking for unistd.h... yes
> checking for rrd_update in -lrrd... yes
> checking rrd.h usability... yes
> checking rrd.h presence... yes
> checking for rrd.h... yes
> configure: error: Can not load rrd library. Not in loader search path!
>
> What could it possibly be now?
>
> Thanks in advance!
> --
> Abs,
>
> Manuela Lima
> Bolsista CAT/CBPF
>
> ------------------------------------------
> CBPF WebMail -  http://www.cbpf.br 
>   
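
The difference Peter and Werner describe between a link-time and a load-time librrd failure, as an added example that is not part of any post in this thread: it classifies the two `configure: error` lines quoted above and checks whether a library directory is listed in an ld.so.conf-style file (the Linux format Werner mentions). Function names, status words and the temp-directory fixture are hypothetical and constructed; only the two error strings come from the thread.

```sh
#!/bin/sh
# Added example, not from the thread. All function names and status words are hypothetical.

# Read ./configure output on stdin; print link, load or none.
classify_rrd_failure() {
    out=$(cat)
    case $out in
        *"Can not link librrd"*)      echo link ;;  # link time: -L / --with-rrdpath
        *"Can not load rrd library"*) echo load ;;  # run time: loader search path
        *)                            echo none ;;
    esac
}

# Succeed if DIR ($1) is listed in the ld.so.conf-style file CONF ($2).
# Comments, blanks and a trailing slash are ignored; include lines are not followed.
dir_in_loader_conf() {
    want=${1%/}
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "${line%%#*}" | tr -d ' \t')
        if [ -n "$line" ] && [ "${line%/}" = "$want" ]; then return 0; fi
    done < "$2"
    return 1
}

# usage: diagnose CONFIGURE_LOG LIBDIR LOADER_CONF -> one status word
diagnose() {
    case $(classify_rrd_failure < "$1") in
        link) echo fix-linker-path ;;
        load)
            if ! ls "$2"/librrd.so* >/dev/null 2>&1; then
                echo librrd-missing-in-dir       # wrong directory altogether
            elif dir_in_loader_conf "$2" "$3"; then
                echo rerun-ldconfig              # listed, so the cache is likely stale
            else
                echo add-dir-to-loader-conf      # Werner's ld.so.conf + ldconfig step
            fi ;;
        *) echo no-rrd-error ;;
    esac
}

# Constructed fixture: both error lines, a fake library dir and a fake loader
# config in a temp directory (never the system's /etc/ld.so.conf).
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/rrdtool/lib"
    : > "$d/rrdtool/lib/librrd.so.2"
    printf '%s\n' 'checking for rrd_update in -lrrd... no' \
        'configure: error: Can not link librrd. Please specify --with-rrdpath=..' > "$d/link.log"
    printf '%s\n' 'checking for rrd.h... yes' \
        'configure: error: Can not load rrd library. Not in loader search path!' > "$d/load.log"
    printf '%s\n' '# constructed loader config' '/usr/local/lib/' > "$d/ld.so.conf"
    echo "$d"
}

fx=$(make_fixture)
diagnose "$fx/load.log" "$fx/rrdtool/lib" "$fx/ld.so.conf"   # before the fix
echo "$fx/rrdtool/lib" >> "$fx/ld.so.conf"
diagnose "$fx/load.log" "$fx/rrdtool/lib" "$fx/ld.so.conf"   # after listing the dir
rm -rf "$fx"
```
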

Manuela Lima | 19 Dec 03:09 2007

Re: Problem compiling nfdump

Hi everyone!

I already tried what Werner said, but it didn't work for me.

Does anyone else have another idea?

Thanks..

Quoting Werner Schram <Werner.Schram@...>:

> Hi Manuela,
>
> It means that your OS does not know where to look for the rrd library,
> this is probably caused by rrdtool's slightly odd default installation
> location (/usr/local/rrdtool). If you compile rrdtool with 'configure
> --prefix=/usr/local', it will be installed in a more standard location,
> which means that the library is automatically in your library search path.
>
> Or if you really want rrdtool to be in /usr/local/rrdtool, on Linux you
> can add this path to /etc/ld.so.conf and then run ldconfig. On FreeBSD
> you can change the ldconfig_paths in /etc/rc.conf.
>
> Regards,
> Werner
>
> Manuela Lima wrote:
> > Hi everyone,
> >
> > I'm still getting problems during the ./configure from nfdump. Now this message
> > appears at the end of the ./configure command:
> >
> > $ ./configure LDFLAGS='-L /usr/X11R6/lib -L /opt/csw/lib -L /opt/csw/include' >
> > checking for gcc... gcc
> > checking for C compiler default output file name... a.out
> > checking whether the C compiler works... yes
> > checking whether we are cross compiling... no
> > checking for suffix of executables...
> > checking for suffix of object files... o
> > checking whether we are using the GNU C compiler... yes
> > checking whether gcc accepts -g... yes
> > checking for gcc option to accept ANSI C... none needed
> > checking for special C compiler options needed for large files... no
> > checking for _FILE_OFFSET_BITS value needed for large files... no
> > checking for _LARGE_FILES value needed for large files... no
> > checking for gcc... (cached) gcc
> > checking whether we are using the GNU C compiler... (cached) yes
> > checking whether gcc accepts -g... (cached) yes
> > checking for gcc option to accept ANSI C... (cached) none needed
> > checking whether we are using SunPro C... no
> > checking for bison... no
> > checking for byacc... no
> > checking for flex... flex
> > checking for yywrap in -lfl... yes
> > checking lex output file root... lex.yy
> > checking whether yytext is a pointer... yes
> > checking for a BSD-compatible install... /usr/bin/install -c
> > checking how to run the C preprocessor... gcc -E
> > checking for egrep... grep -E
> > checking for ANSI C header files... yes
> > checking for sys/types.h... yes
> > checking for sys/stat.h... yes
> > checking for stdlib.h... yes
> > checking for string.h... yes
> > checking for memory.h... yes
> > checking for strings.h... yes
> > checking for inttypes.h... yes
> > checking for stdint.h... yes
> > checking for unistd.h... yes
> > checking for rrd_update in -lrrd... yes
> > checking rrd.h usability... yes
> > checking rrd.h presence... yes
> > checking for rrd.h... yes
> > configure: error: Can not load rrd library. Not in loader search path!
> >
> > What could it possibly be now?
> >
> > Thanks in advance!
> > --
> > Abs,
> >
> > Manuela Lima
> > Bolsista CAT/CBPF
> >
> > ------------------------------------------
> > CBPF WebMail -  http://www.cbpf.br
> >
> >
>

--
Abs,

Manuela Lima
Bolsista CAT/CBPF

------------------------------------------
CBPF WebMail -  http://www.cbpf.br 
