From netflow-tools.aguu at manchmal.in-ulm.de Tue Feb 1 07:58:33 2011
From: netflow-tools.aguu at manchmal.in-ulm.de (Christoph Biedl)
Date: Mon, 31 Jan 2011 21:58:33 +0100
Subject: [netflow-tools] Cannot compile softflowd from hg
Message-ID: <1296506499@msgid.manchmal.in-ulm.de>

Hi,

I tried to compile softflowd from hg, and failed. In short, both
"config.h.in" and "configure" are missing in hg, causing error messages
like

    config.status: error: cannot find input file: `config.h.in'

To increase my confusion, starting with the 0.9.8 tarball and applying
all deltas from hg since then (and resetting the $Id$ tags beforehand)
does not yield the same tree. These two files are still there, and
(not really important) .hgtags is not created.

Re-adding these two files seems to solve the issue. Did I miss
something?

    Christoph

From fweimer at bfk.de Tue Feb 1 19:08:03 2011
From: fweimer at bfk.de (Florian Weimer)
Date: Tue, 01 Feb 2011 08:08:03 +0000
Subject: [netflow-tools] Cannot compile softflowd from hg
In-Reply-To: <1296506499@msgid.manchmal.in-ulm.de> (Christoph Biedl's message of "Mon\, 31 Jan 2011 21\:58\:33 +0100")
References: <1296506499@msgid.manchmal.in-ulm.de>
Message-ID: <82mxmg6uu4.fsf@mid.bfk.de>

* Christoph Biedl:

> Re-adding these two files seems to solve the issue. Did I miss
> something?

I guess you just need to run autoreconf. Those generated files are
probably included in release tarballs only, and not in the repository.

-- 
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

From netflow-tools.aguu at manchmal.in-ulm.de Wed Feb 2 04:44:08 2011
From: netflow-tools.aguu at manchmal.in-ulm.de (Christoph Biedl)
Date: Tue, 1 Feb 2011 18:44:08 +0100
Subject: [netflow-tools] Cannot compile softflowd from hg
In-Reply-To: <82mxmg6uu4.fsf@mid.bfk.de>
References: <1296506499@msgid.manchmal.in-ulm.de> <82mxmg6uu4.fsf@mid.bfk.de>
Message-ID: <1296582156@msgid.manchmal.in-ulm.de>

Florian Weimer wrote...

> I guess you just need to run autoreconf.

Thanks, that did the trick. Perhaps the documentation should see a small
update as below?

    Christoph

--- a/README +++ b/README @@ -28,6 +28,7 @@ Installing Building softflowd should be as simple as typing: +[ -f configure ] || autoreconf ./configure make make install

From netflow-tools.aguu at manchmal.in-ulm.de Wed Feb 2 06:03:37 2011
From: netflow-tools.aguu at manchmal.in-ulm.de (Christoph Biedl)
Date: Tue, 1 Feb 2011 20:03:37 +0100
Subject: [netflow-tools] Patch: Fix errors in softflowd.8
Message-ID: <1296586745@msgid.manchmal.in-ulm.de>

From netflow-tools.aguu at manchmal.in-ulm.de Wed Feb 2 06:10:36 2011
From: netflow-tools.aguu at manchmal.in-ulm.de (Christoph Biedl)
Date: Tue, 1 Feb 2011 20:10:36 +0100
Subject: [netflow-tools] Patch: Fix errors in softflowd.8
In-Reply-To: <1296586745@msgid.manchmal.in-ulm.de>
References: <1296586745@msgid.manchmal.in-ulm.de>
Message-ID: <1296587168@msgid.manchmal.in-ulm.de>

Christoph Biedl wrote...

Sorry, seems like I messed the whole thing up. Second try ...

"man --warnings" complained about nroff errors in softflowd.8. Looking
closer it seems the explanation of signal handling somehow got garbled.
The patch attached fixes both.

Cheers,
    Christoph

--- a/softflowd.8 +++ b/softflowd.8 @@ -35,14 +35,14 @@ .Op Fl L Ar hoplimit .Op Fl T Ar track_level .Op Fl c Ar ctl_sock -.Ek +.Bk -words .Oo Fl i\ \& .Sm off .Oo Ar if_ndx : Oc .Ar interface .Sm on .Oc -.Bk words +.Ek .Op Fl m Ar max_flows .Op Fl n Ar host:port .Op Fl p Ar pidfile @@ -336,11 +336,10 @@ command. This interface allows one to shut down the daemon, force expiry of all tracked flows and extract debugging and summary data. -Also, upon receipt of a +Also, receipt of a .Dv SIGTERM or -.DV SIGINT -.Nm +.Dv SIGINT will cause .Nm to exit, after expiring all flows (and thus sending flow export packets

From netflow-tools.aguu at manchmal.in-ulm.de Wed Feb 2 09:37:39 2011
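Review bot: In the first hunk of the softflowd.8 patch above, the removed lines have ".Ek" before the "-i" block and ".Bk words" after it, which reads as closing a keep that was opened above line 35 and reopening one for the remaining options. If that is the case, swapping the two macros opens a second keep while the earlier one is still open and leaves "-m", "-n" and "-p" outside it. Changing only ".Bk words" to ".Bk -words" and leaving ".Ek" where it was would be the smaller fix for the missing dash; please check against the full SYNOPSIS block which of the two is intended.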
From: netflow-tools.aguu at manchmal.in-ulm.de (Christoph Biedl)
Date: Tue, 1 Feb 2011 23:37:39 +0100
Subject: [netflow-tools] softflowd.8: Broken URL
Message-ID: <1296599560@msgid.manchmal.in-ulm.de>

From netflow-tools.aguu at manchmal.in-ulm.de Thu Feb 3 05:56:16 2011
From: netflow-tools.aguu at manchmal.in-ulm.de (Christoph Biedl)
Date: Wed, 2 Feb 2011 19:56:16 +0100
Subject: [netflow-tools] softflowd.8: Broken URL
In-Reply-To: <1296599560@msgid.manchmal.in-ulm.de>
References: <1296599560@msgid.manchmal.in-ulm.de>
Message-ID: <1296672922@msgid.manchmal.in-ulm.de>

Christoph Biedl wrote...

(...)

Oops, I did it again. What I was trying to say:

The URL
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/nfc/nfc_3_0/nfc_ug/nfcform.htm
at the end of the softflowd.8 manpage apparently does not point to the
intended page any more.

I don't know what has been there; if it was the netflow9 format
description, a replacement seems to be
http://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9_ps6601_Products_White_Paper.html

Regards
    Christoph

From netflow-tools.aguu at manchmal.in-ulm.de Sat Feb 5 07:23:59 2011
From: netflow-tools.aguu at manchmal.in-ulm.de (Christoph Biedl)
Date: Fri, 4 Feb 2011 21:23:59 +0100
Subject: [netflow-tools] Patch: Fix errors in softflowd.8
In-Reply-To: <1296587168@msgid.manchmal.in-ulm.de>
References: <1296586745@msgid.manchmal.in-ulm.de> <1296587168@msgid.manchmal.in-ulm.de>
Message-ID: <1296850934@msgid.manchmal.in-ulm.de>

Christoph Biedl wrote...

(...)

Well, three more things I found.

    Chri- "Me, nitpicking?" stoph

--- a/softflowd.8 +++ b/softflowd.8
@@ -161,7 +161,7 @@ Specify an alternate location for the remote control socket in daemon mode. Default is .Pa /var/run/softflowd.ctl .It Fl m Ar max_flows -Specify the maximum number of flow to concurrently track. +Specify the maximum number of flows to concurrently track. If this limit is exceeded, the flows which have least recently seen traffic are forcibly expired. In practice, the actual maximum may briefly exceed this limit by a @@ -173,7 +173,7 @@ than 800k of working data. Set the timeout names .Ar timeout_name to -.Ar time +.Ar time . Refer to the .Sx Timeouts section for the valid timeout names and their meanings. @@ -189,7 +189,7 @@ should not fork and daemonise itself. .It Fl 6 Force .Nm -To track IPv6 flows even if the NetFlow export protocol does not support +to track IPv6 flows even if the NetFlow export protocol does not support reporting them. This is useful for debugging and statistics gathering only. .It Fl D

From netflow-tools.aguu at manchmal.in-ulm.de Mon Feb 7 10:25:04 2011
From: netflow-tools.aguu at manchmal.in-ulm.de (Christoph Biedl)
Date: Mon, 7 Feb 2011 00:25:04 +0100
Subject: [netflow-tools] [PATCH] Support softflowd listening on "any" interface
Message-ID: <1297032320@msgid.manchmal.in-ulm.de>

Hello,

I tried to make softflowd listen on all interfaces, which is at least
possible on Linux kernels using "any" as the interface name. This,
however, caused softflowd to exit after a few seconds with a
"Shutting down after pcap EOF" message.

It seems poll (softflowd.c:1902) sometimes sets pl[0].revents without
packets actually being available, thus causing pcap_dispatch to return
zero.

The patch below tries to deal with this by not leaving the main loop in
that situation while reading from a live capture. Works for me, but
please review.

Regards,
    Christoph

--- a/softflowd.c +++ b/softflowd.c
@@ -1924,7 +1924,7 @@ main(int argc, char **argv) logit(LOG_ERR, "Exiting on pcap_dispatch: %s", pcap_geterr(pcap)); break; - } else if (r == 0) { + } else if (r == 0 && capfile != NULL) { logit(LOG_NOTICE, "Shutting down after " "pcap EOF"); graceful_shutdown_request = 1;

From netflow-tools.aguu at manchmal.in-ulm.de Tue Feb 8 08:20:29 2011
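Review bot: The new condition "r == 0 && capfile != NULL" in main() leaves a zero return on a live capture with no branch at all, so it is silently ignored and nothing in the code says why. Add a comment at the "else if" stating that zero from pcap_dispatch means EOF only when reading a capture file, and consider a debug-level logit() for the live case, so that an interface which keeps signalling readiness without delivering packets shows up in the log instead of spinning unnoticed.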
From: netflow-tools.aguu at manchmal.in-ulm.de (Christoph Biedl)
Date: Mon, 7 Feb 2011 22:20:29 +0100
Subject: [netflow-tools] [PATCH] softflowd: Fix broken v9 flow creation for IPv6
Message-ID: <1297113056@msgid.manchmal.in-ulm.de>

Hello,

Full story:

To create flow information for IPv6 connections, too, I had to switch
to v9 flow creation. And soon saw error messages in nfcapd which
captures the flow datagrams like in:

    nfcapd[31773]: Process_v9: Corrupt data flowset? Pad bytes: 6

Reading the files created by nfcapd using nfdump resulted in a lot of
garbage; and wireshark didn't show sound information, either.

Explanation (after a longer search):

In netflow9.c:82 the number of records in the flow template is defined
as 11. The actual number of records is 13 (l.148-151 for v4_template,
l.180-183 for v6_template). So it's basically good luck no exception is
triggered when filling the template with these two extra records (just
two octets) as this either just affects padding or the following
variables without doing real harm.

A second reason for garbled data was caused by a copy'n'waste error in
lines 169-172.

Both were introduced in

    changeset:   198:13176bb927c3
    user:        djm
    date:        Thu Oct 01 07:06:08 2009 +0000
    summary:     - (djm) Support manual specification of an interface index to be used

Fix: See patch below. Works for me.

Cheers,
    Christoph

PS: On a side note, certain v9 flow datagrams seem to drive a squeezy
wireshark into a segmentation fault, I'm too tired to dig into this
right now.

--- a/netflow9.c +++ b/netflow9.c @@ -79,7 +79,7 @@ struct NF9_DATA_FLOWSET_HEADER { #define NF9_IP_PROTOCOL_VERSION 60 /* Stuff pertaining to the templates that softflowd uses */ -#define NF9_SOFTFLOWD_TEMPLATE_NRECORDS 11 +#define NF9_SOFTFLOWD_TEMPLATE_NRECORDS 13 struct NF9_SOFTFLOWD_TEMPLATE { struct NF9_TEMPLATE_FLOWSET_HEADER h; struct NF9_TEMPLATE_FLOWSET_RECORD r[NF9_SOFTFLOWD_TEMPLATE_NRECORDS];
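Review bot: NF9_SOFTFLOWD_TEMPLATE_NRECORDS remains a hand-maintained number that sizes r[] in struct NF9_SOFTFLOWD_TEMPLATE, and nothing in this hunk ties it to the r[n] assignments in nf9_init_template(), which is how the define and the filled records drifted apart and writes went past the end of the array. Raising it to 13 matches the record count given in the message; in addition, either fill both templates from a single field table and derive the count with sizeof, or add a check in nf9_init_template() that the highest index written equals NF9_SOFTFLOWD_TEMPLATE_NRECORDS - 1, so the next added field fails loudly instead of overrunning the struct.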
@@ -167,10 +167,10 @@ nf9_init_template(void) v6_template.r[4].length = htons(4); v6_template.r[5].type = htons(NF9_IN_PACKETS); v6_template.r[5].length = htons(4); - v4_template.r[6].type = htons(NF9_IF_INDEX_IN); - v4_template.r[6].length = htons(4); - v4_template.r[7].type = htons(NF9_IF_INDEX_OUT); - v4_template.r[7].length = htons(4); + v6_template.r[6].type = htons(NF9_IF_INDEX_IN); + v6_template.r[6].length = htons(4); + v6_template.r[7].type = htons(NF9_IF_INDEX_OUT); + v6_template.r[7].length = htons(4); v6_template.r[8].type = htons(NF9_L4_SRC_PORT); v6_template.r[8].length = htons(2); v6_template.r[9].type = htons(NF9_L4_DST_PORT);

From reza at lethalnetworks.com Tue Feb 22 11:19:12 2011
From: reza at lethalnetworks.com (reza a)
Date: Mon, 21 Feb 2011 16:19:12 -0800 (PST)
Subject: [netflow-tools] netflow v9 mean opinion score
Message-ID: <2016454860.142.1298333952441.JavaMail.root@zcs>

Does pfflow support netflow v9 and mean opinion score?

From reza at lethalnetworks.com Fri Feb 25 16:29:57 2011
From: reza at lethalnetworks.com (reza a)
Date: Thu, 24 Feb 2011 21:29:57 -0800 (PST)
Subject: [netflow-tools] softflowd - netflow v9
Message-ID: <654434709.186.1298611796969.JavaMail.root@zcs>

Hello all,

Does softflowd allow you to measure VoIP metrics such as Jitter, MoS, RTT
when utilizing Netflow v9?

Thanks,
-Reza
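
The template mismatch described in the "[PATCH] softflowd: Fix broken v9 flow creation for IPv6" message above, as an added example (not code from softflowd or from any poster): an exporter advertises a field count in a NetFlow v9 template flowset, and a collector derives the data record size from what it received. The 13-field list with its lengths, the template id 1024 and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed 13-field IPv4 template: RFC 3954 field types, assumed lengths. */
static const uint16_t fields[][2] = {
    { 8, 4}, {12, 4}, {21, 4}, {22, 4},  /* src/dst addr, last/first switched */
    { 1, 4}, { 2, 4}, {10, 4}, {14, 4},  /* bytes, packets, if index in/out */
    { 7, 2}, {11, 2},                    /* L4 src/dst port */
    { 4, 1}, { 6, 1}, {60, 1},           /* protocol, TCP flags, IP version */
};
#define NFIELDS (sizeof(fields) / sizeof(fields[0]))

static void put16(uint8_t *p, size_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static size_t get16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }
/* Exporter: write a template flowset advertising `count` fields; 0 on error. */
static size_t encode_template(uint8_t *buf, size_t count) {
    if (count > NFIELDS) return 0;       /* never read past the field table */
    put16(buf, 0);                       /* flowset id 0 = template flowset */
    put16(buf + 2, 8 + 4 * count);       /* flowset length in bytes */
    put16(buf + 4, 1024);                /* template id (constructed) */
    put16(buf + 6, count);               /* advertised field count */
    for (size_t i = 0; i < count; i++) {
        put16(buf + 8 + 4 * i, fields[i][0]);
        put16(buf + 10 + 4 * i, fields[i][1]);
    }
    return 8 + 4 * count;
}
/* Collector: data record size implied by the template on the wire; 0 if bad. */
static size_t parsed_record_size(const uint8_t *buf, size_t buflen) {
    size_t size = 0, count;
    if (buflen < 8 || get16(buf) != 0 || get16(buf + 2) > buflen) return 0;
    count = get16(buf + 6);
    if (get16(buf + 2) < 8 + 4 * count) return 0;
    for (size_t i = 0; i < count; i++) size += get16(buf + 10 + 4 * i);
    return size;
}
/* Round trip: record size a collector derives when `count` is advertised. */
static size_t size_seen_by_collector(size_t count) {
    uint8_t t[8 + 4 * NFIELDS];
    return parsed_record_size(t, encode_template(t, count));
}
/* Leftover after cutting nrec 32-bit-padded records into parsed-size ones. */
static size_t leftover(size_t nrec, size_t actual, size_t parsed) {
    return parsed ? ((nrec * actual + 3) & ~(size_t)3) % parsed : 0;
}
int main(void) {
    size_t full = size_seen_by_collector(NFIELDS), cut = size_seen_by_collector(11);
    printf("full %zu, 11 advertised %zu, leftover %zu\n", full, cut, leftover(2, full, cut));
    return 0;
}
```

With this constructed field list, advertising 11 of the 13 fields makes the collector cut 39-byte records into 37-byte ones, and a flowset of two records leaves 6 bytes over, more than 32-bit alignment padding can account for.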