[netflow-tools] Netflow aggregation and redirection...

Isherwood, Jeffrey - AES Jeffrey.Isherwood at itt.com
Tue Dec 29 05:37:59 EST 2009

Hi, I'm working on a research project that requires Netflow data.  I've got a small problem: all of our network equipment will do Netflow, but only to two destinations, and both of them are being used right now, so I can't get the data.  I'd like to "split the stream" and get that Netflow to more servers... here's what I have in mind:

Allow all the devices to continue to send feed #1 to the "authorized corporate Netflow analyzer"

Stand up a new server, and send feed #2 from all the devices to it; the new server receives all inbound flows, stores a copy locally (for integrity) and then redirects the flows outbound to multiple analyzers (managed service providers, R&D folks, etc.)

I thought that I'd use NFDUMP/NFCAPD to do it, but I seem to be having problems pulling this off.  It could be operator error, but if it is, I cannot see where I am going wrong.  Both nfdump & nfcapd are installed, and they run, but nfcapd does not seem to be collecting anything.

I was trying to originally run it with the following flags:

nfcapd -D -p 9996 -l /var/local/nfdump/flows -R

I tried using nfdump and nfreplay to see the contents of the stored flow files and they all appear to be empty except for headers.

At the suggestion of the nfdump mailing list I tried running this:

nfcapd -E -l /var/local/nfdump/flows -p 9996

This is supposed to give me stdout for the flow data but it just sits there and I see nothing... which I believe means that it is not seeing any flow data.

I do, however, have 12 routers currently pointing to this server, all on port 9996, so it should be seeing something.  When I run "tcpdump port 9996" I see a lot of the following:

09:06:33.163439 IP > UDP, length 696

So I know that the routers are sending stuff, but apparently nfcapd is not seeing it.  Is anybody else doing this sort of thing?  If so, how are you doing it?  If these ARE the right tools to use, does anybody have a clue as to where I'm going wrong?

All help greatly appreciated.
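Added example, not code from the original post or from the nfdump project: a small Python UDP receiver implementing the "store a copy locally, then redirect" design above, which also checks each datagram's NetFlow v5 header on the way through (the 696-byte datagrams tcpdump shows are exactly a 24-byte v5 header plus 14 records of 48 bytes). Port 9996 comes from the post; the analyzer addresses and the store path are placeholders.

```python
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")  # NetFlow v5 export header: 24 bytes
V5_RECORD_LEN = 48                        # each v5 flow record is 48 bytes


def parse_v5(datagram: bytes):
    """Return header fields if datagram is a well-formed NetFlow v5 export, else None."""
    if len(datagram) < V5_HEADER.size:
        return None
    version, count, _uptime, secs, _nsecs, seq, _etype, _eid, _sampling = \
        V5_HEADER.unpack_from(datagram)
    # A v5 datagram is exactly header + count records; anything else is not v5.
    if version != 5 or len(datagram) != V5_HEADER.size + count * V5_RECORD_LEN:
        return None
    return {"version": version, "count": count, "unix_secs": secs, "flow_sequence": seq}


def make_v5(count: int, seq: int = 1) -> bytes:
    """Constructed sample export (zeroed records) so the parser can be exercised offline."""
    return V5_HEADER.pack(5, count, 0, 0, 0, seq, 0, 0, 0) + b"\x00" * (count * V5_RECORD_LEN)


def fan_out(listen_port, targets, store_path, max_packets=None):
    """Receive exports on listen_port, keep a raw length-prefixed copy, forward to every target."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("0.0.0.0", listen_port))
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    seen = 0
    with open(store_path, "ab") as store:
        while max_packets is None or seen < max_packets:
            data, (src, _) = rx.recvfrom(65535)
            hdr = parse_v5(data)
            if hdr is None:
                print(f"{src}: {len(data)}-byte datagram is not NetFlow v5")
            else:
                print(f"{src}: v5 seq={hdr['flow_sequence']} records={hdr['count']}")
            store.write(struct.pack("!I", len(data)) + data)  # local copy for integrity
            for target in targets:
                tx.sendto(data, target)  # unchanged datagram to each analyzer
            seen += 1
    return seen


if __name__ == "__main__":
    # Placeholder analyzer addresses (RFC 5737 documentation range) and storage path.
    fan_out(9996, [("192.0.2.10", 9996), ("192.0.2.11", 2055)], "/tmp/netflow-raw.bin")
```

Downstream analyzers will see this host, not the router, as the exporter, since the datagram is re-sent from the server's own address; a per-source log line like the one printed above is the quickest way to confirm whether the routers are actually exporting v5 or some other version.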

