From irino at sfc.wide.ad.jp Mon Oct 10 19:22:19 2011
From: irino at sfc.wide.ad.jp (Hitoshi Irino)
Date: Mon, 10 Oct 2011 17:22:19 +0900
Subject: [netflow-tools] [PATCH] periodic sampling function for softflowd
In-Reply-To: <4E77FB1E.8030004@sfc.wide.ad.jp>
References: <4E77FB1E.8030004@sfc.wide.ad.jp>
Message-ID: <4E92AB3B.9060403@sfc.wide.ad.jp>

Hello all softflowd developers and users,

I committed (it means hg commit & push) this sampling function to google code.

I also extended the netflow version 9 export function. It exports the sampling parameter using option template flow records and data flow records.

(2011-09-20 11:31), Hitoshi Irino wrote:
> Hello softflowd developers and users,
>
> I wrote a patch which provides a periodic sampling function to softflowd.
>
> I add a -s option; it needs a number which is the sampling rate (denominator).
>
> thanks,
> Hitoshi Irino
>
> _______________________________________________
> netflow-tools mailing list
> netflow-tools at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/netflow-tools

From irino at sfc.wide.ad.jp Mon Oct 10 19:27:53 2011
From: irino at sfc.wide.ad.jp (Hitoshi Irino)
Date: Mon, 10 Oct 2011 17:27:53 +0900
Subject: [netflow-tools] [PATCH] reducing compile warning on AMD64 cpu
In-Reply-To: <4E6FE57C.6000001@sfc.wide.ad.jp>
References: <4E6FE57C.6000001@sfc.wide.ad.jp>
Message-ID: <4E92AC89.9040701@sfc.wide.ad.jp>

Hello all

I did hg commit & push this patch.

thanks,
Hitoshi Irino

(2011-09-14 08:21), Hitoshi Irino wrote:
> Hello softflowd developers and users,
>
> Some warnings appear in printf-like functions when softflowd is
> compiled in an ubuntu 11.04 x64 (AMD64) environment.
> The attached patch replaces llu with PRIu64 to reduce compile warnings.
>
> thanks,
> Hitoshi Irino

From irino at sfc.wide.ad.jp Mon Oct 10 19:41:57 2011
From: irino at sfc.wide.ad.jp (Hitoshi Irino)
Date: Mon, 10 Oct 2011 17:41:57 +0900
Subject: [netflow-tools] [PATCH] softflowd: Fix broken v9 flow creation for IPv6
In-Reply-To: <1297113056@msgid.manchmal.in-ulm.de>
References: <1297113056@msgid.manchmal.in-ulm.de>
Message-ID: <4E92AFD5.9010502@sfc.wide.ad.jp>

Hello Christoph,

I committed (hg commit & push) this patch to google code on September 21st.

thanks,
Hitoshi Irino

(2011-02-08 06:20), Christoph Biedl wrote:
> Hello,
>
> Full story: To create flow information for IPv6 connections, too, I
> had to switch to v9 flow creation. And soon saw error messages in
> nfcapd which captures the flow datagrams like in:
>
> nfcapd[31773]: Process_v9: Corrupt data flowset? Pad bytes: 6
>
> Reading the files created by nfcapd using nfdump resulted in a lot of
> garbage; and wireshark didn't show sound information, either.
>
> Explanation (after a longer search):
>
> In netflowd9.c:82 the number of records in the flow template is
> defined as 11. The actual number of records is 13 (l.148-151 for
> v4_template, l.180-183 for v6_template). So it's basically good luck
> no exception is triggered when filling the template with these two
> extra records (just two octets) as this either just affects padding
> or the following variables without doing real harm.
>
> A second reason for garbled data was caused by a copy'n'waste error in
> lines 169-172.
>
> Both were introduced in
>
> changeset: 198:13176bb927c3
> user: djm
> date: Thu Oct 01 07:06:08 2009 +0000
> summary: - (djm) Support manual specification of an interface index to be used
>
> Fix: See patch below. Works for me.
>
> Cheers,
>
> Christoph
>
> PS: On a side note, certain v9 flow datagrams seem to drive a squeezy
> wireshark into a segmentation fault, I'm too tired to dig into this
> right now.
>
>
> --- a/netflow9.c > +++ b/netflow9.c
> @@ -79,7 +79,7 @@ struct NF9_DATA_FLOWSET_HEADER { > #define NF9_IP_PROTOCOL_VERSION 60 > > /* Stuff pertaining to the templates that softflowd uses */ > -#define NF9_SOFTFLOWD_TEMPLATE_NRECORDS 11 > +#define NF9_SOFTFLOWD_TEMPLATE_NRECORDS 13 > struct NF9_SOFTFLOWD_TEMPLATE { > struct NF9_TEMPLATE_FLOWSET_HEADER h; > struct NF9_TEMPLATE_FLOWSET_RECORD r[NF9_SOFTFLOWD_TEMPLATE_NRECORDS]; > @@ -167,10 +167,10 @@ nf9_init_template(void) > v6_template.r[4].length = htons(4); > v6_template.r[5].type = htons(NF9_IN_PACKETS); > v6_template.r[5].length = htons(4); > - v4_template.r[6].type = htons(NF9_IF_INDEX_IN); > - v4_template.r[6].length = htons(4); > - v4_template.r[7].type = htons(NF9_IF_INDEX_OUT); > - v4_template.r[7].length = htons(4); > + v6_template.r[6].type = htons(NF9_IF_INDEX_IN); > + v6_template.r[6].length = htons(4); > + v6_template.r[7].type = htons(NF9_IF_INDEX_OUT); > + v6_template.r[7].length = htons(4); > v6_template.r[8].type = htons(NF9_L4_SRC_PORT); > v6_template.r[8].length = htons(2); > v6_template.r[9].type = htons(NF9_L4_DST_PORT);

From irino at sfc.wide.ad.jp Mon Oct 10 19:45:25 2011
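Review bot: In the first netflow9.c hunk, NF9_SOFTFLOWD_TEMPLATE_NRECORDS stays a hand-counted constant that sizes r[], so the next record added in nf9_init_template() can run past the array again in the same way the description reports. Suggest a comment at the #define naming the highest r[] index in use, plus a compile-time or startup check that the last index written equals NF9_SOFTFLOWD_TEMPLATE_NRECORDS - 1.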
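Review bot: In the second netflow9.c hunk (nf9_init_template), the v4 and v6 templates are still filled by two hand-copied runs of r[n] assignments, which is how v4_template.r[6] and v4_template.r[7] ended up inside the v6 block and left the v6 entries unset. Consider setting the records both templates carry, such as NF9_IF_INDEX_IN and NF9_IF_INDEX_OUT, through one helper or table applied to each template, so that a copy of the v4 block cannot silently keep the wrong variable name.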
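The field-count mismatch described in Christoph Biedl's message above, seen from the collector's side, as an added example (not softflowd or nfcapd code): a collector sizes each data record from the field lengths the template announces, and RFC 3954 only allows padding to a 4-byte boundary at the end of a flowset, so 4 or more leftover bytes mean template and records disagree. The field lengths, the payload size and the helper names `nf9_record_len`, `nf9_leftover` and `nf9_flowset_plausible` are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One data record is as long as the sum of the template's field lengths. */
static size_t nf9_record_len(const uint16_t *len, size_t nfields)
{
    size_t total = 0;
    for (size_t i = 0; i < nfields; i++)
        total += len[i];
    return total;
}

/* Bytes left over after the whole records in a data flowset payload
 * (payload = flowset length minus its 4-byte header); -1 if the
 * template describes a zero-length record. */
static long nf9_leftover(const uint16_t *len, size_t nfields, size_t payload)
{
    size_t rec = nf9_record_len(len, nfields);
    return rec == 0 ? -1 : (long)(payload % rec);
}

/* RFC 3954 pads a flowset to a 4-byte boundary, so only 0..3 bytes may
 * remain. Necessary, not sufficient: a wrong template can pass by chance. */
static int nf9_flowset_plausible(const uint16_t *len, size_t nfields, size_t payload)
{
    long left = nf9_leftover(len, nfields, payload);
    return left >= 0 && left <= 3;
}

/* Constructed field lengths: the exporter packs 13 fields per record. */
static const uint16_t packed_len[13] = { 4, 4, 4, 4, 4, 4, 4, 4, 2, 2, 1, 1, 1 };
/* Constructed payload: three 39-byte records plus 3 pad bytes. */
#define SAMPLE_PAYLOAD (3 * 39 + 3)

int main(void)
{
    /* Template that announces only the first 11 fields (the bug). */
    printf("11 fields: record=%zu leftover=%ld plausible=%d\n",
        nf9_record_len(packed_len, 11),
        nf9_leftover(packed_len, 11, SAMPLE_PAYLOAD),
        nf9_flowset_plausible(packed_len, 11, SAMPLE_PAYLOAD));
    /* Template that announces all 13 fields (after the fix). */
    printf("13 fields: record=%zu leftover=%ld plausible=%d\n",
        nf9_record_len(packed_len, 13),
        nf9_leftover(packed_len, 13, SAMPLE_PAYLOAD),
        nf9_flowset_plausible(packed_len, 13, SAMPLE_PAYLOAD));
    return 0;
}
```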
From: irino at sfc.wide.ad.jp (Hitoshi Irino)
Date: Mon, 10 Oct 2011 17:45:25 +0900
Subject: [netflow-tools] [PATCH] Support softflowd listening on "any" interface
In-Reply-To: <1297032320@msgid.manchmal.in-ulm.de>
References: <1297032320@msgid.manchmal.in-ulm.de>
Message-ID: <4E92B0A5.6030907@sfc.wide.ad.jp>

Hello Christoph,

I committed (hg commit & push) this patch to google code on September 21st.

thanks,
Hitoshi Irino

(2011-02-07 08:25), Christoph Biedl wrote:
> Hello,
>
> I tried to make softflowd listen on all interfaces, which is at least
> possible on Linux kernels using "any" as the interface name. This,
> however, caused softflowd to exit after a few seconds with a "Shutting
> down after pcap EOF" message.
>
> It seems poll (softflowd.c:1902) sometimes sets pl[0].revents without
> packets actually being available, thus causing pcap_dispatch to return zero.
>
> That patch below tries to deal with this by not leaving the main loop
> in that situation while reading from a live capture. Works for me, but
> please review.
>
> Regards,
>
> Christoph
>
> --- a/softflowd.c > +++ b/softflowd.c > @@ -1924,7 +1924,7 @@ main(int argc, char **argv) > logit(LOG_ERR, "Exiting on pcap_dispatch: %s", > pcap_geterr(pcap)); > break; > - } else if (r == 0) { > + } else if (r == 0&& capfile != NULL) { > logit(LOG_NOTICE, "Shutting down after " > "pcap EOF"); > graceful_shutdown_request = 1;

From irino at sfc.wide.ad.jp Thu Oct 13 01:39:11 2011
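Review bot: The changed line `} else if (r == 0&& capfile != NULL) {` in the softflowd.c hunk needs a short comment saying that a zero return from pcap_dispatch() is treated as EOF only when reading a capture file, because on a live capture poll() can set pl[0].revents with no packet ready; without it the capfile test looks unrelated to the "pcap EOF" message. Also add the missing space before `&&`, and confirm that ignoring r == 0 on a live interface cannot become a busy loop if poll() keeps returning immediately.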
From: irino at sfc.wide.ad.jp (Hitoshi Irino)
Date: Wed, 12 Oct 2011 23:39:11 +0900
Subject: [netflow-tools] softflowd.8: Broken URL
In-Reply-To: <1296672922@msgid.manchmal.in-ulm.de>
References: <1296599560@msgid.manchmal.in-ulm.de> <1296672922@msgid.manchmal.in-ulm.de>
Message-ID: <4E95A68F.3040307@sfc.wide.ad.jp>

Hello Christoph

I think these 2 URLs are better replacements for the broken URL.

http://www.ietf.org/rfc/rfc3954.txt
It is the informational RFC, "Cisco Systems NetFlow Services Export Version 9".

http://www.cisco.com/en/US/products/sw/netmgtsw/ps1964/products_implementation_design_guide09186a00800d6a11.html
It is "Cisco Netflow Collection Engine NetFlow Services Solutions Guide". It explains the NetFlow version 1, 5 and 9 export formats.

I committed (did hg commit and hg push) this change to google code.
http://code.google.com/p/softflowd/source/detail?r=295d119769a5d5010f1a9e67517336228606918d

thanks,
Hitoshi Irino

(2011-02-03 03:56), Christoph Biedl wrote:
> Christoph Biedl wrote...
>
> (...)
>
> Ups, I did it again.
>
> What I was trying to say:
>
> The URL
> http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/nfc/nfc_3_0/nfc_ug/nfcform.htm
> at the end of the softflowd.8 manpage apparently does not point to
> the intended page any more. I don't know what has been there, if it
> was the netflow9 format description, a replacement seems to be
> http://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9_ps6601_Products_White_Paper.html
>
> Regards
>
> Christoph

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: softflowd_man_brokenurl.txt
URL:

From irino at sfc.wide.ad.jp Sat Oct 15 12:15:16 2011
From: irino at sfc.wide.ad.jp (Hitoshi Irino)
Date: Sat, 15 Oct 2011 10:15:16 +0900
Subject: [netflow-tools] Patch: Fix errors in softflowd.8
In-Reply-To: <1296850934@msgid.manchmal.in-ulm.de>
References: <1296586745@msgid.manchmal.in-ulm.de> <1296587168@msgid.manchmal.in-ulm.de> <1296850934@msgid.manchmal.in-ulm.de>
Message-ID: <4E98DEA4.9060604@sfc.wide.ad.jp>

Hello Christoph

I committed (did hg commit and hg push to google code) this patch.

thanks,
Hitoshi Irino

(2011-02-05 05:23), Christoph Biedl wrote:
> Christoph Biedl wrote...
>
> (...)
>
> Well, three more things I found.
>
> Chri- "Me, nitpicking?" stoph
>
> --- a/softflowd.8 > +++ b/softflowd.8 > @@ -161,7 +161,7 @@ Specify an alternate location for the remote control socket in daemon mode. > Default is > .Pa /var/run/softflowd.ctl > .It Fl m Ar max_flows > -Specify the maximum number of flow to concurrently track. > +Specify the maximum number of flows to concurrently track. > If this limit is exceeded, the flows which have least recently seen traffic > are forcibly expired. > In practice, the actual maximum may briefly exceed this limit by a > @@ -173,7 +173,7 @@ than 800k of working data. > Set the timeout names > .Ar timeout_name > to > -.Ar time > +.Ar time . > Refer to the > .Sx Timeouts > section for the valid timeout names and their meanings. > @@ -189,7 +189,7 @@ should not fork and daemonise itself. > .It Fl 6 > Force > .Nm > -To track IPv6 flows even if the NetFlow export protocol does not support > +to track IPv6 flows even if the NetFlow export protocol does not support > reporting them. > This is useful for debugging and statistics gathering only. > .It Fl D
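Review bot: In the second softflowd.8 hunk (@@ -173,7), the context line "Set the timeout names" directly above the change still reads like a typo for "Set the timeout named". Since this hunk already repairs the end of that sentence with `.Ar time .`, fix the verb here as well so the rendered text reads "Set the timeout named timeout_name to time."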