Ian B | 9 Apr 2010 05:40

ft2nfdump with flow-tools-0.68 ?

I'm trying to compile nfdump 1.6.1 with ftconv enabled however I'm getting the following error:

$ ./configure --prefix=/usr/local/nfdump-1.6.1 --enable-ftconv --enable-nfprofile --with-ftpath=/usr/local/flow-tools/
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking whether gcc and cc understand -c and -o together... yes
checking whether we are using SunPro C... no
checking for bison... no
checking for byacc... byacc
checking for flex... flex
checking lex output file root... lex.yy
checking lex library... -lfl
checking whether yytext is a pointer... yes
checking for a BSD-compatible install... /usr/bin/install -c
checking for zlibVersion in -lz... yes
configure: error: ftlib.h file not found in flow-tools directory '/usr/local/flow-tools/'. Use --with-ftpath=PATH

Peter Haag | 9 Apr 2010 11:01

Re: ft2nfdump with flow-tools-0.68 ?


There are 2 different versions of flow-tools. The one I used and which compiles is on:
http://www.splintered.net/sw/flow-tools/

I guess you're using the one available at Google Code. This may require some minor modification to the code.
If you need it only for ft2nfdump, use the original one.

Regards

	- Peter


Ian B | 12 Apr 2010 05:03

Re: ft2nfdump with flow-tools-0.68 ?

Thanks - yes, I was using the one available at Google Code. I've since tried compiling against v0.66 from splintered.net, however I'm having exactly the same issue!?

My compile environment is RHEL 5.4 (gcc-4.1.2, glibc-2.5-42, kernel-2.6.18) on i686

Ian.


Peter Haag | 12 Apr 2010 10:19

Re: ft2nfdump with flow-tools-0.68 ?


Hi Ivan,
The versions at splintered.net should actually work. However, it seems there are also compile issues on some Linuxes. Therefore I made a small patch for the flow-tools version available at Google Code.

o Install flow-tools from Google code.
o Apply the patch appended to nfdump-1.6.1

Recompile nfdump.

Hope, this helps

	- Peter


Ian B | 14 Apr 2010 07:50

Re: ft2nfdump with flow-tools-0.68 ?


Thank you, that patch worked nicely :)


Riza Kamalie | 20 Apr 2010 15:01

Re: Version 9 netflow templates

Hi,

I am currently using NetFlow version 9 to record the firewall flows from a Cisco ASR1K.

Does nfdump support version 9 templates? I'm not seeing the data in the flows that I require.

Snippet of the firewall NetFlow template IDs below:

Field                     ID     Bytes  Description
FW_SRC_INTF_ID            10     2      Ingress SNMP IF Index
FW_DST_INTF_ID            14     2      Egress SNMP IF Index
FW_SRC_VRF_ID             234    4      Ingress (Initiator) Virtual Routing/Forwarding Identifier (vrf id)
FW_DST_VRF_ID             235    4      Egress (Responder) Virtual Routing/Forwarding Identifier (vrf id)
FW_VRF_NAME               236    32     VRF Name
FW_XLATE_SRC_ADDR_IPV4    225    4      Mapped Source IPv4 Address
FW_XLATE_DST_ADDR_IPV4    226    4      Mapped Destination IPv4 Address
FW_XLATE_SRC_PORT         227    2      Mapped Source Port
FW_XLATE_DST_PORT         228    2      Mapped Destination Port
FW_EVENT                  233    1      High level event code:
                                          0 - Ignore (invalid)
                                          1 - Flow Created
                                          2 - Flow Deleted
                                          3 - Flow Denied
                                          4 - Flow Alert (Need to add to standard)
FW_EXT_EVENT              35001  2      Extended Event code. These values provide additional information
                                        about the event (TBD on values - value descriptions may be sent as
                                        options records.) Enterprise private
FW_EVENT_TIME_MSEC        323    8      Time event occurred in milliseconds since 0000 UTC Jan 1st 1970
                                        (use 324 if micro or 325 if nano)

Riza Kamalie
Core Data Networks
Vodacom SA
Email: riza.kamalie <at> vodacom.co.za

_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@...
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss

Peter Haag | 20 Apr 2010 16:03

Re: Version 9 netflow templates


This looks like a CISCO ASA.
Please note: Although nfdump supports netflow v9, it does not yet support ASA templates.
ASA templates are *VERY* different from standard v9 netflow data.

	- Peter


-- 
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag,  Security Engineer,  Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA  FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box,  CH-8021   Zurich, Switzerland
E-mail: peter.haag@... Web: http://www.switch.ch/
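To make concrete what "template-driven" means for the firewall records in Riza's post, and why a collector that lacks those templates shows no usable data, here is an added example (not nfdump code and not from either poster): a minimal NetFlow v9 decoder in Python that learns a template flowset, decodes data records against it and maps the FW_EVENT codes to names. The field names and type numbers are the ones from the table above; everything else is an assumption made for the example: the export packets are constructed inline, template ID 256, source ID 7, the "outside" VRF name and the addresses and ports are invented. Note that v9 field types are plain 16-bit numbers with no enterprise bit (that is an IPFIX concept), so 35001 is decoded purely by the length the template gives it; options templates (set IDs 1..255) are skipped.

```python
import struct

# Field type -> name, from the template snippet in the post.  Lengths are deliberately
# not listed here: in v9 the exporter's template dictates them and the decoder obeys it.
FIELD_NAMES = {
    10: "FW_SRC_INTF_ID", 14: "FW_DST_INTF_ID",
    234: "FW_SRC_VRF_ID", 235: "FW_DST_VRF_ID", 236: "FW_VRF_NAME",
    225: "FW_XLATE_SRC_ADDR_IPV4", 226: "FW_XLATE_DST_ADDR_IPV4",
    227: "FW_XLATE_SRC_PORT", 228: "FW_XLATE_DST_PORT",
    233: "FW_EVENT", 35001: "FW_EXT_EVENT", 323: "FW_EVENT_TIME_MSEC",
}
FW_EVENT_NAMES = {0: "ignore", 1: "created", 2: "deleted", 3: "denied", 4: "alert"}
IPV4_TYPES = {225, 226}
STRING_TYPES = {236}


def decode_value(ftype, raw):
    """Decode one field by its type; anything unrecognised comes back as a hex string."""
    if ftype in IPV4_TYPES and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    if ftype in STRING_TYPES:
        return raw.split(b"\0", 1)[0].decode("ascii", "replace")
    if len(raw) in (1, 2, 4, 8):
        return int.from_bytes(raw, "big")
    return raw.hex()


def parse_v9_packet(packet, templates=None):
    """Parse one v9 export packet and return (templates, records).

    templates is keyed by (source_id, template_id) and should be carried from packet
    to packet.  A data flowset whose template has not been seen yet is skipped.
    """
    templates = dict(templates or {})
    records = []
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    off = 20
    while off + 4 <= len(packet):
        set_id, set_len = struct.unpack("!HH", packet[off:off + 4])
        if set_len < 4 or off + set_len > len(packet):
            raise ValueError("malformed flowset length")
        body = packet[off + 4:off + set_len]
        if set_id == 0:  # template flowset: template id, field count, then (type, length) pairs
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if pos + 4 * nfields > len(body):
                    break
                templates[(source_id, tid)] = [
                    struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
                pos += 4 * nfields
        elif set_id >= 256:  # data flowset; set_id is the template id (1..255 are reserved)
            fields = templates.get((source_id, set_id))
            rec_len = sum(flen for _, flen in fields) if fields else 0
            pos = 0
            while rec_len and pos + rec_len <= len(body):  # any trailing padding is left over
                rec = {}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, f"type_{ftype}")] = decode_value(ftype, body[pos:pos + flen])
                    pos += flen
                if "FW_EVENT" in rec:
                    rec["FW_EVENT_NAME"] = FW_EVENT_NAMES.get(rec["FW_EVENT"], "unknown")
                records.append(rec)
        off += set_len
    return templates, records


# Constructed sample export for the example: template id 256, source id 7, all values invented.
TEMPLATE_ID = 256
TEMPLATE = [(10, 2), (14, 2), (234, 4), (235, 4), (236, 32), (225, 4), (226, 4),
            (227, 2), (228, 2), (233, 1), (35001, 2), (323, 8)]


def _header(count):
    return struct.pack("!HHIIII", 9, count, 123456, 1271760000, 1, 7)


def _template_set():
    body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE))
    body += b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def _data_set():
    # One "Flow Denied" event (FW_EVENT 3): 203.0.113.5:40001 -> 192.0.2.10:22 as seen after NAT.
    rec = (struct.pack("!HHII", 3, 5, 1, 2) + b"outside".ljust(32, b"\0")
           + bytes([203, 0, 113, 5]) + bytes([192, 0, 2, 10])
           + struct.pack("!HHBHQ", 40001, 22, 3, 1001, 1271760000123))
    return struct.pack("!HH", TEMPLATE_ID, 4 + len(rec)) + rec


def sample_packets():
    """Two packets: one carrying data before its template, one carrying template then data."""
    return _header(1) + _data_set(), _header(2) + _template_set() + _data_set()
```

Feed the first packet of sample_packets() to parse_v9_packet() on its own and no records come out; feed the second and the denied-flow record decodes, after which the returned template dictionary also decodes the first packet. That ordering dependency is the practical point behind Peter's answer: a collector only produces useful output for these records once it both receives the template and knows what the firewall-specific types mean.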
Riza Kamalie | 20 Apr 2010 16:38

Re: Version 9 netflow templates

Thanks Peter, is support for this on your roadmap? 

Or alternatively will nfdump support "user configurable" fields for variable flow data/templates as
version 9 as intended for in the near future?  

Regards
Riza

Peter Haag | 22 Apr 2010 08:34

Re: Version 9 netflow templates


On 4/20/10 16:38, Riza Kamalie wrote:
> Thanks Peter, is support for this on your roadmap? 

Yes - it's on the roadmap. In the meantime you may want to try the version nfdump-1.5.7-nsel, which includes patches from CISCO to support ASA.

> 
> Or alternatively will nfdump support "user configurable" fields for variable flow data/templates as
version 9 as intended for in the near future?  

I don't know what you mean by that.

	- Peter