From dan.cave at icloud.com Sat May 9 02:24:06 2015
From: dan.cave at icloud.com (Daniel Cave)
Date: Fri, 08 May 2015 16:24:06 +0000 (GMT)
Subject: [netflow-tools] softflowd :: Linux AWS instance - no traffic viewed on tcpdump
Message-ID: <8cbfd286-585b-4900-9c1a-9e5c9e721171@me.com>

Firstly, please excuse me if I've posted in the wrong group; I was trying to find a softflowd group/mailing list and I'm hoping someone here can help answer this question.

I have an Amazon Linux instance running some IPsec and OpenVPN tunnels which has Cacti running; I'm graphing bandwidth usage and such.

One thing I specifically wanted to do is use a Linux based NetFlow agent to capture the traffic and graph it using the FlowTools plugin in Cacti, so I installed/configured softflowd and have it running by default on UDP port 9995.

According to the instructions and several wikis I've read, it says it should be possible to run 'tcpdump udp port 9995' on the box and see the traffic; however, when I do this I see nothing at all (even though I've got a firewall rule which allows localhost to connect to 9995/udp).

When I run 'softflowctl statistics' I see this:

root at ip-10-99-0-240:~/softflowd# softflowctl statistics
softflowd[4098]: Accumulated statistics since 2015-05-06T16:24:29 UTC:
Number of active flows: 22
Packets processed: 36748981
Fragments: 0
Ignored packets: 15762 (15762 non-IP, 0 too short)
Flows expired: 2271 (0 forced)
Flows exported: 4265 in 1094 packets (0 failures)
Packets received by libpcap: 38124167
Packets dropped by libpcap: 1359404
Packets dropped by interface: 0

Expired flow statistics:  minimum       average       maximum
  Flow bytes:                  40      15330798    2255120641
  Flow packets:                 1         15660       2663741
  Duration:                 0.00s       221.36s     51087.61s

Expired flow reasons:
       tcp =        20   tcp.rst =        54   tcp.fin =       890
       udp =      1292      icmp =         3   general =         0
   maxlife =         0  over 2 GiB =        12  maxflows =         0
   flushed =         0

Per-protocol statistics:     Octets      Packets   Avg Life    Max Life
         Unknown (1):          7576          135     17.93s      34.04s
         Unknown (6):   22597666810     21903315    309.84s   30485.42s
        Unknown (17):   12218568662     13659551    155.59s   51087.61s

I've never done this stuff before and my total understanding is that this isn't working because the host is a Citrix Xen based VM with a virtual switch implementation and no capability to mirror ports?

I've got the FlowView Cacti plugin installed on my host and am using the FlowCapture .deb package on the same host to pick up the softflowd/netflow v5 messages, but nothing seems to be generated and I'm not seeing anything.

I've spoken to Amazon AWS support and they know nothing about netflow/softflowd.

Has anyone else had a similar experience or knowledge of AWS and softflowd?

Thanks in advance.

Dan.


From chakl at syscall.de Sun May 10 02:28:32 2015
From: chakl at syscall.de (Olaf Schreck)
Date: Sat, 9 May 2015 18:28:32 +0200
Subject: [netflow-tools] softflowd :: Linux AWS instance - no traffic viewed on tcpdump
Message-ID: <20150509162832.GD8870@syscall.de>

> I've never done this stuff before and my total understanding is that this
> isn't working because ...

Don't speculate. Looks like it is working:

> root at ip-10-99-0-240:~/softflowd# softflowctl statistics
> Number of active flows: 22
> Packets processed: 36748981
> Flows exported: 4265 in 1094 packets (0 failures)

Also, your collector drops packets, measurements may not be precise.

> Packets received by libpcap: 38124167
> Packets dropped by libpcap: 1359404

ciao, chakl
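The reply above reads the exporter's health off two counter lines: non-zero "Flows exported ... (0 failures)" means datagrams are leaving, and "Packets dropped by libpcap" says how far the flow totals can be trusted. The following is an added example, not code from the thread or from softflowd: it parses the counters Dan posted (embedded as a constructed sample) and turns them into an exporting/loss verdict; the 1% loss threshold and the function names are assumptions.

```python
import re

# Constructed sample: the counter lines from the 'softflowctl statistics'
# output quoted in the thread, embedded so the check runs offline.
SAMPLE = """\
Number of active flows: 22
Packets processed: 36748981
Flows exported: 4265 in 1094 packets (0 failures)
Packets received by libpcap: 38124167
Packets dropped by libpcap: 1359404
Packets dropped by interface: 0
"""

# Counter name -> regex for the softflowctl line that carries it.
FIELDS = {
    "active_flows": r"Number of active flows:\s+(\d+)",
    "packets_processed": r"Packets processed:\s+(\d+)",
    "flows_exported": r"Flows exported:\s+(\d+) in (\d+) packets \((\d+) failures\)",
    "pcap_received": r"Packets received by libpcap:\s+(\d+)",
    "pcap_dropped": r"Packets dropped by libpcap:\s+(\d+)",
    "if_dropped": r"Packets dropped by interface:\s+(\d+)",
}

def parse_statistics(text):
    """Extract the integer counters from softflowctl output into a dict."""
    stats = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text)
        if not m:
            continue  # counter absent from this softflowd version/output
        if name == "flows_exported":
            stats["flows_exported"] = int(m.group(1))
            stats["export_datagrams"] = int(m.group(2))
            stats["export_failures"] = int(m.group(3))
        else:
            stats[name] = int(m.group(1))
    return stats

def assess(stats, max_drop_ratio=0.01):
    """Is the exporter sending, and is capture loss low enough to trust it? (threshold assumed)"""
    received = stats.get("pcap_received", 0)
    dropped = stats.get("pcap_dropped", 0) + stats.get("if_dropped", 0)
    drop_ratio = dropped / received if received else 0.0
    exporting = stats.get("export_datagrams", 0) > 0 and stats.get("export_failures", 0) == 0
    warnings = []
    if not exporting:
        warnings.append("no successful NetFlow datagrams sent")
    if drop_ratio > max_drop_ratio:
        warnings.append(f"capture loss {drop_ratio:.2%} exceeds {max_drop_ratio:.0%}")
    return {"exporting": exporting, "drop_ratio": drop_ratio, "warnings": warnings}
```

On the posted numbers this reports the exporter as working with roughly 3.6% capture loss, which is the same conclusion the reply draws by eye.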