[netflow-tools] convert pcap to netflow with softflowd

[Simon]

Hi everyone,





I am trying to use softflowd and nfcapd to turn a pcap into neflow data.





I am starting nfcapd by running: nfcapd -p 12345 -l netflow/


and softflowd by running: softflowd -n localhost:12345 -r singleflow.pcap





This is the pcap I am trying to convert



No.     Time        Source                Destination           Protocol Info

     1 0.000000    192.168.1.73          74.86.135.174         TCP 

     2 0.149059    74.86.135.174         192.168.1.73          TCP

     3 0.149170    192.168.1.73          74.86.135.174         TCP

     4 0.149322    192.168.1.73          74.86.135.174         HTTP

     5 0.200823    192.168.1.73          74.86.135.174         TCP

     6 0.299411    74.86.135.174         192.168.1.73          TCP

     7 0.319394    74.86.135.174         192.168.1.73          HTTP

     8 0.319474    192.168.1.73          74.86.135.174         TCP

     9 0.376528    74.86.135.174         192.168.1.73          TCP

    10 0.376569    192.168.1.73          74.86.135.174         TCP



This shows the pcap contains a single flow.  However when I run nfdump on the produced nfcap file, I get: -



Date flow start          Duration Proto      Src IP Addr:Port Dst IP Addr:Port   Packets    Bytes Flows

2009-08-23 03:33:22.720     0.377 TCP      74.86.135.174:80    -> 192.168.1.73:38589        4      445     1

2009-08-23 03:33:22.720     0.377 TCP       192.168.1.73:38589 -> 74.86.135.174:80           6      846     1



Summary: total flows: 2, total bytes: 1291, total packets: 10, avg bps: 27395, avg pps: 26, avg bpp: 129

Time window: 2009-08-23 03:33:22 - 2009-08-23 03:33:23

Total flows processed: 2, Records skipped: 0, Bytes read: 116

Sys: 0.000s flows/second: 0.0        Wall: 0.000s flows/second: 5333.3



Summary: total flows: 2, total bytes: 1291, total packets: 10, avg


bps: 27395, avg pps: 26, avg bpp: 129


Time window: 2009-08-23 03:33:22 - 2009-08-23 03:33:23


Total flows processed: 2, Records skipped: 0, Bytes read: 116


Sys: 0.000s flows/second: 0.0        Wall: 0.000s flows/second: 5333.3




Which shows there are two flows.  Every time I try and convert a pcap
to netflow I get double the number of flows I expect.  Can anyone tell
me why this is, and what I can do to correct it?





Thank you all for you help.





Regards,




Simon




      
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mindrot.org/pipermail/netflow-tools/attachments/20090704/d510d680/attachment.html>