[netflow-tools] Conversion from DAG to Netflow
Damien Miller
djm at mindrot.org
Wed Feb 14 18:08:29 EST 2007
On Mon, 12 Feb 2007, Santosh Rao wrote:
> I've been unsuccessfully trying to convert files in DAG format to Netflow.
> To achieve this I first converted the DAG files to pcap using tshark and
> then exported the pcap files using softflowd to a Netflow collector
> (flow-capture). But every time I do the export from pcap, softflowd seems to
> ignore all the IP packets. The exact output that I get is:
>
> # softflowd -r 26f0000.pcap -n 192.168.1.7:8819 -d
> softflowd v0.9.8 starting data collection
> Exporting flows to [192.168.1.7]:8819
> Shutting down after pcap EOF
> Shutting down on user request
> Number of active flows: 0
> Packets processed: 0
> Fragments: 0
> Ignored packets: 6918507 (6918507 non-IP, 0 too short)
I don't know what DAG is, but your problem is described in the line above.
softflowd is not recognising your pcap file as containing IP packets.
There are two possibilities the come to mind: first, your packet capture
may be corrupted enough to not be recognisable by softflow, but still
be a valid pcap format. Second, the pcap file may have been written with
a datalink type that softflowd does not support.
Can you dump the file with "tcpdump -vvr 26f000.pcap"? If tcpdump can read
it then perhaps it is a datalink type problem. Does running softflowd with
the "-D" (debug) option give any indication of what is wrong?
-d
More information about the netflow-tools
mailing list