From gsantoshrao at gmail.com Mon Feb 12 20:06:16 2007
From: gsantoshrao at gmail.com (Santosh Rao)
Date: Mon, 12 Feb 2007 01:06:16 -0800
Subject: [netflow-tools] Conversion from DAG to Netflow
Message-ID: <676775080702120106k35adab9fv4b758e5beacb6201@mail.gmail.com>

I've been unsuccessfully trying to convert files in DAG format to Netflow. To achieve this I first converted the DAG files to pcap using tshark and then exported the pcap files using softflowd to a Netflow collector (flow-capture). But every time I do the export from pcap, softflowd seems to ignore all the IP packets. The exact output that I get is:

# softflowd -r 26f0000.pcap -n 192.168.1.7:8819 -d
softflowd v0.9.8 starting data collection
Exporting flows to [192.168.1.7]:8819
Shutting down after pcap EOF
Shutting down on user request
Number of active flows: 0
Packets processed: 0
Fragments: 0
Ignored packets: 6918507 (6918507 non-IP, 0 too short)
Flows expired: 0 (0 forced)
Flows exported: 0 in 0 packets (0 failures)
#

I've tried breaking down the pcap file (which is around 650 MB) into smaller files using tcpslice, but that does not seem to help either. I've also used tools like dagconvert (from Endace) to convert DAG to pcap and run it through softflowd, but in this case too softflowd seems to ignore all packets.

I am able to export pcap to Netflow using softflowd when the pcap file is created using a live capture.

I would really appreciate it if someone could help me out on this problem or offer a better way to do the conversion.

Thanks.
-santosh
From djm at mindrot.org Wed Feb 14 18:08:29 2007
From: djm at mindrot.org (Damien Miller)
Date: Wed, 14 Feb 2007 18:08:29 +1100 (EST)
Subject: [netflow-tools] Conversion from DAG to Netflow
In-Reply-To: <676775080702120106k35adab9fv4b758e5beacb6201@mail.gmail.com>
References: <676775080702120106k35adab9fv4b758e5beacb6201@mail.gmail.com>

On Mon, 12 Feb 2007, Santosh Rao wrote:

> I've been unsuccessfully trying to convert files in DAG format to Netflow.
> To achieve this I first converted the DAG files to pcap using tshark and
> then exported the pcap files using softflowd to a Netflow collector
> (flow-capture). But every time I do the export from pcap, softflowd seems to
> ignore all the IP packets. The exact output that I get is:
>
> # softflowd -r 26f0000.pcap -n 192.168.1.7:8819 -d
> softflowd v0.9.8 starting data collection
> Exporting flows to [192.168.1.7]:8819
> Shutting down after pcap EOF
> Shutting down on user request
> Number of active flows: 0
> Packets processed: 0
> Fragments: 0
> Ignored packets: 6918507 (6918507 non-IP, 0 too short)

I don't know what DAG is, but your problem is described in the line above. softflowd is not recognising your pcap file as containing IP packets. There are two possibilities that come to mind: first, your packet capture may be corrupted enough to not be recognisable by softflowd, but still be a valid pcap format. Second, the pcap file may have been written with a datalink type that softflowd does not support.

Can you dump the file with "tcpdump -vvr 26f000.pcap"? If tcpdump can read it then perhaps it is a datalink type problem. Does running softflowd with the "-D" (debug) option give any indication of what is wrong?
-d

From victor.lopez at uam.es Thu Feb 22 03:57:48 2007
From: victor.lopez at uam.es (Víctor López Álvarez)
Date: Wed, 21 Feb 2007 17:57:48 +0100
Subject: [netflow-tools] CISCO HDLC Pcap format
Message-ID: <45DC7A0C.9050001@uam.es>

I have tried to convert from Pcap format to Netflow using softflowd, but it tells me that the format I use is not supported. However, I can extract information using tcpdump, so I wonder why softflowd says it is an unsupported datalink type. Does anyone know the reason? Besides, how could I add support for this header?

Thanks.

--
Regards,
Víctor López Álvarez
Universidad Autónoma de Madrid
Networking Research Group (NRG - http://www.ii.uam.es/~networking)
http://rincon.uam.es/dir?cw=288360595703125

From gsantoshrao at gmail.com Thu Feb 22 08:13:52 2007
From: gsantoshrao at gmail.com (Santosh Rao)
Date: Wed, 21 Feb 2007 13:13:52 -0800
Subject: [netflow-tools] Conversion from DAG to Netflow
References: <676775080702120106k35adab9fv4b758e5beacb6201@mail.gmail.com>
Message-ID: <676775080702211313x439ffacfoa9116b26470568df@mail.gmail.com>

On 2/13/07, Damien Miller wrote:
>
> On Mon, 12 Feb 2007, Santosh Rao wrote:
>
> > I've been unsuccessfully trying to convert files in DAG format to Netflow.
> > To achieve this I first converted the DAG files to pcap using tshark and
> > then exported the pcap files using softflowd to a Netflow collector
> > (flow-capture). But every time I do the export from pcap, softflowd seems to
> > ignore all the IP packets. The exact output that I get is:
> >
> > # softflowd -r 26f0000.pcap -n 192.168.1.7:8819 -d
> > softflowd v0.9.8 starting data collection
> > Exporting flows to [192.168.1.7]:8819
> > Shutting down after pcap EOF
> > Shutting down on user request
> > Number of active flows: 0
> > Packets processed: 0
> > Fragments: 0
> > Ignored packets: 6918507 (6918507 non-IP, 0 too short)
>
> I don't know what DAG is, but your problem is described in the line above.
> softflowd is not recognising your pcap file as containing IP packets.
> There are two possibilities that come to mind: first, your packet capture
> may be corrupted enough to not be recognisable by softflowd, but still
> be a valid pcap format. Second, the pcap file may have been written with
> a datalink type that softflowd does not support.
>
> Can you dump the file with "tcpdump -vvr 26f000.pcap"? If tcpdump can read
> it then perhaps it is a datalink type problem. Does running softflowd with
> the "-D" (debug) option give any indication of what is wrong?
>
> -d
>

Damien,

Thanks for your response. Here is the output when I run softflowd with the -D option.

# softflowd -r /home/santosh/defeat/26f0000.pcap -n localhost:8819 -D
softflowd v0.9.8 starting data collection
Exporting flows to [127.0.0.1]:8819
Shutting down after pcap EOF
Shutting down on user request
Starting expiry scan: mode -1
Finished scan 0 flow(s) to be evicted
Number of active flows: 0
Packets processed: 0
Fragments: 0
Ignored packets: 6918507 (6918507 non-IP, 0 too short)
Flows expired: 0 (0 forced)
Flows exported: 0 in 0 packets (0 failures)

Thanks,
-santosh
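The datalink-type check Damien suggests in this thread, as an added example that is not from the thread or from softflowd itself: a Python script that reads the classic pcap global header, names the link type, and counts how many records carry an IPv4/IPv6 header behind a link header it knows how to strip, which is the quickest way to tell whether a capture that softflowd reports entirely as "non-IP" is simply using an encapsulation the exporter does not handle. The DLT_NAMES and LINK_HEADER_LEN tables are assumptions covering a few common link types, not softflowd's own support table, and the sample capture is constructed.

```python
import struct
import sys
# Common link-layer type values from the libpcap DLT registry (subset).
DLT_NAMES = {0: "DLT_NULL", 1: "DLT_EN10MB", 9: "DLT_PPP", 12: "DLT_RAW",
             104: "DLT_C_HDLC", 113: "DLT_LINUX_SLL"}
# Assumption: link-header lengths to strip to reach IP; not softflowd's support table.
LINK_HEADER_LEN = {0: 4, 1: 14, 9: 4, 12: 0, 104: 4, 113: 16}

def read_pcap_header(data):
    """Return (struct byte order, linktype) from a classic pcap global header."""
    if len(data) < 24:
        raise ValueError("file too short for a pcap global header")
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):    # little-endian writer
        order = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # big-endian writer
        order = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or corrupt?)")
    # fields: magic, version_major, version_minor, thiszone, sigfigs, snaplen, network
    return order, struct.unpack(order + "IHHiIII", data[:24])[6]

def classify_packets(data):
    """Count records whose payload behind the link header has an IPv4/IPv6 version nibble."""
    order, linktype = read_pcap_header(data)
    skip = LINK_HEADER_LEN.get(linktype)
    result = {"linktype": linktype, "name": DLT_NAMES.get(linktype, "unknown"),
              "ip": 0, "non_ip": 0}
    off = 24
    while off + 16 <= len(data):
        # record header: ts_sec, ts_usec, incl_len, orig_len
        incl_len = struct.unpack(order + "IIII", data[off:off + 16])[2]
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if skip is None or len(pkt) <= skip or (pkt[skip] >> 4) not in (4, 6):
            result["non_ip"] += 1   # unknown link type or not IP behind it
        else:
            result["ip"] += 1
    return result

# Constructed sample: a two-record Cisco HDLC (DLT 104) capture, not a real trace.
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 104)
    + struct.pack("<IIII", 0, 0, 24, 24) + b"\x0f\x00\x08\x00" + b"\x45" + b"\x00" * 19
    + struct.pack("<IIII", 1, 0, 8, 8) + b"\x8f\x00\x80\x35" + b"\x00" * 4
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    print(classify_packets(data))
```

Run it with the path of the troublesome capture as the only argument; a link type reported as "unknown" with every record counted as non-IP matches the "Ignored packets ... non-IP" symptom in this thread and points at re-encapsulating the capture (or adding that DLT to the exporter) rather than at corruption.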