[netflow-tools] Conversion from DAG to Netflow
Santosh Rao
gsantoshrao at gmail.com
Thu Feb 22 08:13:52 EST 2007
On 2/13/07, Damien Miller <djm at mindrot.org> wrote:
>
> On Mon, 12 Feb 2007, Santosh Rao wrote:
>
> > I've been unsuccessfully trying to convert files in DAG format to
> Netflow.
> > To achieve this I first converted the DAG files to pcap using tshark and
> > then exported the pcap files using softflowd to a Netflow collector
> > (flow-capture). But every time I do the export from pcap, softflowd
> seems to
> > ignore all the IP packets. The exact output that I get is:
> >
> > # softflowd -r 26f0000.pcap -n 192.168.1.7:8819 -d
> > softflowd v0.9.8 starting data collection
> > Exporting flows to [192.168.1.7]:8819
> > Shutting down after pcap EOF
> > Shutting down on user request
> > Number of active flows: 0
> > Packets processed: 0
> > Fragments: 0
> > Ignored packets: 6918507 (6918507 non-IP, 0 too short)
>
> I don't know what DAG is, but your problem is described in the line above.
> softflowd is not recognising your pcap file as containing IP packets.
> There are two possibilities the come to mind: first, your packet capture
> may be corrupted enough to not be recognisable by softflow, but still
> be a valid pcap format. Second, the pcap file may have been written with
> a datalink type that softflowd does not support.
>
> Can you dump the file with "tcpdump -vvr 26f000.pcap"? If tcpdump can read
> it then perhaps it is a datalink type problem. Does running softflowd with
> the "-D" (debug) option give any indication of what is wrong?
>
> -d
>
Damien,
Thanks for your response.
Here is the output when I run softflowd with the -D option.
# softflowd -r /home/santosh/defeat/26f0000.pcap -n localhost:8819 -D
softflowd v0.9.8 starting data collection
Exporting flows to [127.0.0.1]:8819
Shutting down after pcap EOF
Shutting down on user request
Starting expiry scan: mode -1
Finished scan 0 flow(s) to be evicted
Number of active flows: 0
Packets processed: 0
Fragments: 0
Ignored packets: 6918507 (6918507 non-IP, 0 too short)
Flows expired: 0 (0 forced)
Flows exported: 0 in 0 packets (0 failures)
Thanks,
-santosh
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/netflow-tools/attachments/20070221/09de1bc3/attachment.html
More information about the netflow-tools
mailing list