Hello, i'm from Russia, so sorry my english please. We have: 1. Sensor: # uname -a FreeBSD HOST 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Sat Oct 8 16:37:12 MSD 2011 root@HOST:/usr/obj/usr/src/sys/MYKERNEL amd64 # date Wed Oct 19 09:50:03 MSD 2011 # pkg_info | grep softflowd softflowd-0.9.8_2 Softflowd is flow-based network traffic analyser with expor Start softflowd daemon like: /usr/local/sbin/softflowd -v 9 -i lan -n COLLECTOR:9998 -p /var/run/softflowd.lan.pid -c /var/run/softflowd.lan.ctl -m 819200 -t maxlife=20m -t general=20m -t tcp=20m 2. Collector # uname -a Linux COLLECTOR 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:48 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux # date Срд Окт 19 09:49:48 MSD 2011 # nfcapd -V nfcapd: Version: 1.6.1 $LastChangedDate: 2010-03-05 07:50:35 +0100 (Fri, 05 Mar 2010) $ $Id: nfcapd.c 51 2010-01-29 09:01:54Z haag $ Start collector nfcapd like: /usr/local/bin/nfcapd -w -D -z -n SENSOR sensor_ip /tmp/netflowv9 -p 9998 -t 300 -u username -g usergroup -P /tmp/netflowv9/9998.pid -x /tmp/netflowv9/nfcapdmv -B 200000 So, we have this: # nfdump -r nfcapd.201110190940 Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows ... ... 2011-08-30 16:16:29.631 4294958.395 TCP 10.7.8.51:3032 -> 194.186.138.86:55571 3 144 1 2011-08-30 16:16:29.631 4294958.395 TCP 10.7.8.51:3033 -> 85.234.28.15:40435 3 144 1 2011-08-30 16:16:29.631 4294958.395 TCP 10.7.8.51:3034 -> 85.143.60.93:37867 3 144 1 2011-08-30 16:31:20.713 4294591.301 UDP 10.7.8.51:39759 -> 213.142.50.205:28909 6 348 1 2011-08-30 16:31:22.295 4294965.814 TCP 10.7.8.223:59668 -> 83.149.29.243:8888 4 216 1 2011-08-30 16:31:22.295 4294965.814 TCP 83.149.29.243:8888 -> 10.7.8.223:59668 3 164 1 2011-08-30 16:16:31.643 4294958.359 TCP 10.7.8.51:3038 -> 82.151.198.182:49674 3 144 1 2011-08-30 16:31:22.728 4294419.301 UDP 10.7.8.51:39759 -> 178.70.190.49:47659 6 348 1 2011-10-19 09:34:09.998 0.000 UDP 10.7.8.51:39759 -> 95.32.209.62:10951 1 95 1 2011-10-19 09:34:09.998 0.000 UDP 10.7.8.51:39759 -> 94.45.20.135:35691 1 95 1 2011-10-19 09:34:09.998 0.000 UDP 10.7.8.51:39759 -> 95.31.31.38:42219 1 95 1 2011-10-19 09:34:09.998 0.000 UDP 10.7.8.51:39759 -> 95.134.28.165:49557 1 95 1 2011-08-30 16:31:23.415 4294966.609 TCP 10.7.8.51:4677 -> 95.72.152.15:59368 5 294 1 2011-08-30 16:31:23.415 4294966.609 TCP 95.72.152.15:59368 -> 10.7.8.51:4677 3 128 1 ... ... Wrong "Date flow start" and "Duration Proto" ... PS: On the page http://www.freebsd.org/ru/ports/net-mgmt.html for port softflowd-0.9.8_2 we need packages: gettext-0.18.1.1, gmake-3.82, libiconv-1.13.1_1, but we haven't install gmake-3.82 before ... It can be a reason?
Now we install nfdump on Sensor machine: # pkg_info | grep nfdump nfdump-1.6.4 Command-line tools to collect and process NetFlow data Same problem ...
Now i try this: #softflowd -i lan -n 127.0.0.1:9998 -p /var/run/softflowd.lan.pid -c /var/run/softflowd.lan.ctl -t maxlife=300 #nfcapd -w -D -z -n local,127.0.0.1,/tmp/netflowv9 -p 9998 -t 300 -P /tmp/netflowv9/9998.pid -B 200000 And we have norm output: # nfdump -r nfcapd.201110192310 Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows 2011-10-19 23:09:20.381 0.000 TCP 64.4.62.124:81 -> 10.7.8.230:1825 1 40 1 2011-10-19 23:11:47.595 12.775 TCP 10.7.8.230:1847 -> 74.125.79.104:80 17 4589 1 2011-10-19 23:11:47.595 12.775 TCP 74.125.79.104:80 -> 10.7.8.230:1847 31 28173 1 2011-10-19 23:11:56.585 3.477 TCP 10.7.8.230:1862 -> 74.125.79.104:80 22 4825 1 2011-10-19 23:11:56.585 3.477 TCP 74.125.79.104:80 -> 10.7.8.230:1862 46 49094 1 2011-10-19 23:09:17.224 317.015 ICMP 10.7.8.20:0 -> 8.8.8.8:8.0 309 18540 1 2011-10-19 23:09:17.314 316.015 ICMP 8.8.8.8:0 -> 10.7.8.20:0.0 306 18360 1 2011-10-19 23:09:18.014 320.709 ICMP 10.7.8.230:0 -> 8.8.8.8:8.0 189 11340 1 ... ... Summary: total flows: 55, total bytes: 483200, total packets: 3268, avg bps: 11975, avg pps: 10, avg bpp: 147 Time window: 2011-10-19 23:09:16 - 2011-10-19 23:14:39 Total flows processed: 55, Blocks skipped: 0, Bytes read: 2912 Sys: 0.002s flows/second: 24336.3 Wall: 0.000s flows/second: 77355.8
softflowd is not longer in this bugtracker
closing bugs resolved before openssh-8.9