[netflow-tools] softflowd :: Linux AWS instance - no traffic viewed on tcpdump

Daniel Cave dan.cave at icloud.com
Sat May 9 02:24:06 AEST 2015

Firstly, please excuse me if I've posted in the wrong group. I was trying to find a softflowd group/mailing list and I'm hoping someone here can help answer this question.

I have an Amazon Linux instance running some IPsec and OpenVPN tunnels which has Cacti running; I'm graphing bandwidth usage and such.

One thing I specifically wanted to do is use a Linux based NetFlow agent to capture the traffic and graph it using the FlowTools plugin in Cacti, so I installed/configured softflowd and have it running by default on UDP port 9995.

According to the instructions and several wikis I've read, it should be possible to run 'tcpdump udp port 9995' on the box and see the traffic; however, when I do this I see nothing at all (even though I've got a firewall rule which allows localhost to connect to 9995/udp).

When I run 'softflowctl statistics' I see this:

root at ip-10-99-0-240:~/softflowd# softflowctl statistics
softflowd[4098]: Accumulated statistics since 2015-05-06T16:24:29 UTC:
Number of active flows: 22
Packets processed: 36748981
Fragments: 0
Ignored packets: 15762 (15762 non-IP, 0 too short)
Flows expired: 2271 (0 forced)
Flows exported: 4265 in 1094 packets (0 failures)
Packets received by libpcap: 38124167
Packets dropped by libpcap: 1359404
Packets dropped by interface: 0
Expired flow statistics:  minimum       average       maximum
  Flow bytes:                  40      15330798    2255120641
  Flow packets:                 1         15660       2663741
  Duration:                  0.00s       221.36s     51087.61s
Expired flow reasons:
       tcp =        20   tcp.rst =        54   tcp.fin =       890
       udp =      1292      icmp =         3   general =         0
   maxlife =         0
over 2 GiB =        12
  maxflows =         0
   flushed =         0
Per-protocol statistics:     Octets      Packets   Avg Life    Max Life
        Unknown (1):           7576          135      17.93s      34.04s
        Unknown (6):    22597666810     21903315     309.84s   30485.42s
       Unknown (17):    12218568662     13659551     155.59s   51087.61s

I've never done this stuff before, and my total understanding is that this isn't working because the host is a Citrix Xen based VM with a virtual switch implementation and no capability to mirror ports? I've got the FlowView Cacti plugin installed on my host and am using the FlowCapture .deb package on the same host to pick up the softflowd/NetFlow v5 messages, but nothing seems to be generated and I'm not seeing anything.

I've spoken to Amazon AWS support and they know nothing about netflow/softflowd.

Has anyone else had a similar experience or knowledge of AWS and softflowd?

Thanks in advance.
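One way to check whether softflowd's NetFlow v5 exports actually reach the collector port, added here as an example and not part of the original post or of softflowd/Cacti: a minimal decoder for the v5 datagram layout (24-byte header, 48-byte records) plus a listener that binds the assumed default export target 127.0.0.1:9995 and decodes what arrives. The sample datagram is constructed, not captured from the poster's host.

```python
import socket
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire layout: fixed 24-byte header followed by `count` 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_netflow_v5(datagram: bytes) -> dict:
    """Decode one v5 export datagram; raise ValueError if it is malformed."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, _uptime, unix_secs, _nsecs,
     flow_sequence, _etype, _eid, _sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:  # truncated or padded packet: refuse rather than misparse
        raise ValueError(f"count={count} implies {expected} bytes, got {len(datagram)}")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                      "packets": f[5], "octets": f[6], "sport": f[9], "dport": f[10],
                      "tcp_flags": f[12], "proto": f[13]})
    return {"sequence": flow_sequence, "unix_secs": unix_secs, "count": count, "flows": flows}

def build_sample_datagram() -> bytes:
    """Constructed sample (synthetic, not a capture): one v5 packet carrying two flows."""
    header = V5_HEADER.pack(5, 2, 123456, 1431000000, 0, 4265, 0, 0, 0)
    rec1 = V5_RECORD.pack(IPv4Address("10.99.0.240").packed, IPv4Address("10.99.0.10").packed,
                          b"\0\0\0\0", 0, 0, 15660, 15330798, 100000, 121360,
                          443, 51234, 0, 0x1B, 6, 0, 0, 0, 0, 0, 0)   # TCP flow
    rec2 = V5_RECORD.pack(IPv4Address("10.99.0.240").packed, IPv4Address("127.0.0.1").packed,
                          b"\0\0\0\0", 0, 0, 3, 300, 100000, 100500,
                          500, 4500, 0, 0, 17, 0, 0, 0, 0, 0, 0)      # UDP flow
    return header + rec1 + rec2

def listen(port: int = 9995, host: str = "127.0.0.1", max_packets: int = 1):
    """Bind the collector address and decode the first max_packets datagrams.
    Run while softflowd exports to host:port; no output means nothing is arriving."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, port))
        for _ in range(max_packets):
            data, peer = s.recvfrom(65535)
            yield peer, parse_netflow_v5(data)
```

Because softflowd exports to the loopback address by default, a packet capture on the primary interface will not show these datagrams; the listener above sees them regardless of interface.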
