a-zazell Posted October 19, 2011

Hello, we have run into a problem with the softflowd and nfdump combination. In the data, "Date flow start" lies in the past and "Duration Proto" has huge values.

Sensor:
# uname -a
FreeBSD HOST 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Sat Oct 8 16:37:12 MSD 2011 root@HOST:/usr/obj/usr/src/sys/MYKERNEL amd64
# pkg_info | grep softflowd
softflowd-0.9.8_2 Softflowd is flow-based network traffic analyser with expor

We start the softflowd daemon like this:
softflowd -v 9 -i lan -n COLLECTOR:9998 -p /var/run/softflowd.lan.pid -c /var/run/softflowd.lan.ctl -m 819200 -t maxlife=20m -t general=20m -t tcp=20m

Collector:
# uname -a
Linux COLLECTOR 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:48 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
# nfcapd -V
nfcapd: Version: 1.6.1 $LastChangedDate: 2010-03-05 07:50:35 +0100 (Fri, 05 Mar 2010) $ $Id: nfcapd.c 51 2010-01-29 09:01:54Z haag $

We start the collector like this:
nfcapd -w -D -z -n SENSOR sensor_ip /tmp/netflowv9 -p 9998 -t 300 -u username -g usergroup -P /tmp/netflowv9/9998.pid -x /tmp/netflowv9/nfcapdmv -B 200000

Processing the data gives:
# nfdump -r nfcapd.201110190940
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
...
2011-08-30 16:16:29.631 4294958.395 TCP 10.7.8.51:3032 -> 194.186.138.86:55571 3 144 1
2011-08-30 16:16:29.631 4294958.395 TCP 10.7.8.51:3033 -> 85.234.28.15:40435 3 144 1
2011-08-30 16:16:29.631 4294958.395 TCP 10.7.8.51:3034 -> 85.143.60.93:37867 3 144 1
2011-08-30 16:31:20.713 4294591.301 UDP 10.7.8.51:39759 -> 213.142.50.205:28909 6 348 1
2011-08-30 16:31:22.295 4294965.814 TCP 10.7.8.223:59668 -> 83.149.29.243:8888 4 216 1
2011-08-30 16:31:22.295 4294965.814 TCP 83.149.29.243:8888 -> 10.7.8.223:59668 3 164 1
2011-08-30 16:16:31.643 4294958.359 TCP 10.7.8.51:3038 -> 82.151.198.182:49674 3 144 1
2011-08-30 16:31:22.728 4294419.301 UDP 10.7.8.51:39759 -> 178.70.190.49:47659 6 348 1
2011-10-19 09:34:09.998 0.000 UDP 10.7.8.51:39759 -> 95.32.209.62:10951 1 95 1
2011-10-19 09:34:09.998 0.000 UDP 10.7.8.51:39759 -> 94.45.20.135:35691 1 95 1
2011-10-19 09:34:09.998 0.000 UDP 10.7.8.51:39759 -> 95.31.31.38:42219 1 95 1
2011-10-19 09:34:09.998 0.000 UDP 10.7.8.51:39759 -> 95.134.28.165:49557 1 95 1
2011-08-30 16:31:23.415 4294966.609 TCP 10.7.8.51:4677 -> 95.72.152.15:59368 5 294 1
2011-08-30 16:31:23.415 4294966.609 TCP 95.72.152.15:59368 -> 10.7.8.51:4677 3 128 1
...

We tried capturing on the same machine, with the same result:
# pkg_info | grep nfdump
nfdump-1.6.4 Command-line tools to collect and process NetFlow data

Has anyone run into this? I would be glad of any help!
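As an added diagnostic (not code from the thread, and not a description of softflowd's or nfdump's internals): the anomalous durations above all sit just below 4294967.296 s, which is 2^32 milliseconds, so the script below parses nfdump's default output and flags records whose duration is within a small margin of that wrap point or whose start lies well before the capture file's own time. The wrap heuristic, the 1000 s margin and the one-hour window are assumptions of this example; the sample lines are copied from the output above.

```python
import re
from datetime import datetime, timedelta

# 2^32 ms in seconds: the largest interval a 32-bit millisecond counter can hold.
MS_WRAP_SECONDS = 2 ** 32 / 1000.0  # 4294967.296

# Sample input: records copied from the nfdump output in the post above.
SAMPLE = """\
2011-08-30 16:16:29.631 4294958.395 TCP 10.7.8.51:3032 -> 194.186.138.86:55571 3 144 1
2011-08-30 16:31:20.713 4294591.301 UDP 10.7.8.51:39759 -> 213.142.50.205:28909 6 348 1
2011-10-19 09:34:09.998 0.000 UDP 10.7.8.51:39759 -> 95.32.209.62:10951 1 95 1
2011-08-30 16:31:23.415 4294966.609 TCP 95.72.152.15:59368 -> 10.7.8.51:4677 3 128 1
"""

# Default nfdump line: start, duration, proto, src -> dst, packets, bytes, flows.
LINE_RE = re.compile(
    r"^(?P<start>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) +(?P<dur>\d+\.\d{3}) +(?P<proto>\S+) +"
    r"(?P<src>\S+) -> (?P<dst>\S+) +(?P<pkts>\d+) +(?P<bytes>\d+) +(?P<flows>\d+)$")

def parse_records(text):
    """Parse nfdump long-format lines; header, '...' and summary lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["start"] = datetime.strptime(rec["start"], "%Y-%m-%d %H:%M:%S.%f")
        rec["dur"] = float(rec["dur"])
        records.append(rec)
    return records

def wrap_reason(rec, capture_time, slack=1000.0, window=timedelta(hours=1)):
    """Return why a record looks like a wrapped timestamp, or None if it looks sane.
    Heuristic (an assumption of this example, not a claim from the thread): a duration
    within `slack` seconds below 2^32 ms is a small negative interval that wrapped,
    and such records also start far before the capture file's own time."""
    reasons = []
    shortfall = MS_WRAP_SECONDS - rec["dur"]
    if 0 <= shortfall <= slack:
        reasons.append("duration is %.3f s short of the 2^32 ms wrap point" % shortfall)
    if rec["start"] < capture_time - window:
        reasons.append("flow start %s precedes the capture window" % rec["start"])
    return "; ".join(reasons) or None

def suspicious_records(text, nfcapd_name):
    """(record, reason) pairs; the capture time is taken from the nfcapd.YYYYMMDDhhmm name."""
    cap = datetime.strptime(nfcapd_name.rsplit(".", 1)[1], "%Y%m%d%H%M")
    pairs = [(r, wrap_reason(r, cap)) for r in parse_records(text)]
    return [(r, why) for r, why in pairs if why]
```

Run it over a whole `nfdump -r nfcapd.201110190940` dump piped into `suspicious_records` with the file name; the three records from the sample are flagged and the 0.000 s records from 09:34 pass.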
vlad11 Posted October 19, 2011 (edited)

On FreeBSD, /etc/rc.conf:
# cat /etc/rc.conf | grep flow
softflowd_enable="YES"
softflowd_interfaces="ng0 re0 gif2"
softflowd_ng0_collector="10.0.0.1:1234"
softflowd_ng0_extra_args=""
softflowd_re0_collector="10.0.0.1:1235"
softflowd_re0_extra_args=""
softflowd_gif2_collector="10.0.0.1:1236"
softflowd_gif2_extra_args="-6"
# softflowd_em0_timeouts="-t maxlife=300"
# softflowd_em1_timeouts="-t maxlife=600"
# softflowd_em0_max_states="16000"
# softflowd_em1_max_states="17000"
# softflowd_em0_extra_args
# softflowd_em1_extra_args
flow_capture_enable="YES"
#flow_capture_datadir=/var/netflow
flow_capture_localip="10.0.0.1"
flow_capture_profiles="ng0 re0 gif2"
#flow_capture_pid="/var/run/flow-capture/flow-capture.pid"
flow_capture_flags="-E5G -n 287 -S 5 -N 3"
flow_capture_ng0_port="1234"
flow_capture_ng0_datadir=/var/netflow/ng0
flow_capture_re0_port="1235"
flow_capture_re0_datadir=/var/netflow/re0
flow_capture_gif2_port="1236"
flow_capture_gif2_datadir=/var/netflow/gif2

Running:
3422 ?? Ss 2:48,51 /usr/local/sbin/softflowd -i ng0 -n 10.0.0.1:1234 -m 16000 -p /var/run/softflowd.ng0.pid -c /var/run/softflowd.ng0.ctl -t maxlife=300
3431 ?? Ss 1:18,75 /usr/local/sbin/softflowd -i re0 -n 10.0.0.1:1235 -m 16000 -p /var/run/softflowd.re0.pid -c /var/run/softflowd.re0.ctl -t maxlife=300
3438 ?? Is 0:05,49 /usr/local/sbin/softflowd -i gif2 -n 10.0.0.1:1236 -m 16000 -p /var/run/softflowd.gif2.pid -c /var/run/softflowd.gif2.ctl -t maxlife=300 -6
3595 ?? Ss 1:25,59 /usr/local/bin/flow-capture -E5G -n 287 -S 5 -N 3 -w /var/netflow/ng0 -p /var/run/flow-capture/flow-capture.pid 10.0.0.1/0.0.0.0/1234
3603 ?? Ss 0:42,12 /usr/local/bin/flow-capture -E5G -n 287 -S 5 -N 3 -w /var/netflow/re0 -p /var/run/flow-capture/flow-capture.pid 10.0.0.1/0.0.0.0/1235
3611 ?? Ss 0:06,01 /usr/local/bin/flow-capture -E5G -n 287 -S 5 -N 3 -w /var/netflow/gif2 -p /var/run/flow-capture/flow-capture.pid 10.0.0.1/0.0.0.0/1236

Edited October 19, 2011 by vlad11
a-zazell Posted October 19, 2011

Yes, with v5 it seems to be fine:
1019.21:37:21.058 1019.21:37:21.062 0 10.7.8.55 34558 0 93.190.21.22 161 17 0 2 265
1019.21:37:21.058 1019.21:37:21.062 0 93.190.21.22 161 0 10.7.8.55 34558 17 0 2 327
1019.21:40:14.155 1019.21:40:22.238 0 10.7.8.230 1398 0 74.125.39.104 80 6 7 35 7906
1019.21:40:14.155 1019.21:40:22.238 0 74.125.39.104 80 0 10.7.8.230 1398 6 2 38 33750
1019.21:35:43.246 1019.21:37:38.330 0 10.7.8.26 3580 0 74.125.43.138 80 6 3 9 2731
1019.21:35:43.246 1019.21:37:38.330 0 74.125.43.138 80 0 10.7.8.26 3580 6 3 8 4161
1019.21:37:38.483 1019.21:37:39.055 0 10.7.8.223 51230 0 84.16.224.160 80 6 3 11 2396
1019.21:37:38.483 1019.21:37:39.055 0 84.16.224.160 80 0 10.7.8.223 51230 6 3 9 7256
1019.21:37:39.191 1019.21:37:39.459 0 10.7.8.223 51231 0 84.16.224.160 80 6 3 7 2331
1019.21:37:39.191 1019.21:37:39.459 0 84.16.224.160 80 0 10.7.8.223 51231 6 3 5 412
1019.21:37:39.396 1019.21:37:39.651 0 10.7.8.223 51232 0 84.16.224.160 80 6 3 7 2340
1019.21:37:39.396 1019.21:37:39.651 0 84.16.224.160 80 0 10.7.8.223 51232 6 3 5 411
1019.21:37:41.139 1019.21:37:41.310 0 10.7.8.223 53425 0 87.240.131.97 80 6 1 2 104
1019.21:37:41.139 1019.21:37:41.310 0 87.240.131.97 80 0 10.7.8.223 53425 6 1 1 52
1019.21:37:51.508 1019.21:37:51.677 0 10.7.8.223 57576 0 87.240.131.98 80 6 1 2 104
1019.21:37:51.508 1019.21:37:51.677 0 87.240.131.98 80 0 10.7.8.223 57576 6 1 1 52
1019.21:37:53.069 1019.21:37:53.237 0 10.7.8.223 37482 0 87.240.131.99 80 6 1 2 104
1019.21:37:53.069 1019.21:37:53.237 0 87.240.131.99 80 0 10.7.8.223 37482 6 1 1 52
1019.21:38:00.307 1019.21:38:00.514 0 10.7.8.223 42916 0 69.171.228.39 80 6 1 2 104
1019.21:38:00.307 1019.21:38:00.514 0 69.171.228.39 80 0 10.7.8.223 42916 6 1 2 104

There do not seem to be any such anomalies here, but we need to collect v9.

1019.21:40:14.155 1019.21:40:22.238 0 74.125.39.104 80 0 10.7.8.230 1398 6 2 38 33750
1019.21:35:43.246 1019.21:37:38.330 0 10.7.8.26 3580 0 74.125.43.138 80 6 3 9 2731

By the way, is this a normal ordering of records in the dump?
a-zazell Posted October 19, 2011

But when started with these parameters:
softflowd -i lan -n 127.0.0.1:9998 -p /var/run/softflowd.lan.pid -c /var/run/softflowd.lan.ctl -t maxlife=300
nfcapd -w -D -z -n local,127.0.0.1,/tmp/netflowv9 -p 9998 -t 300 -P /tmp/netflowv9/9998.pid -B 200000

everything is fine:
# nfdump -r nfcapd.201110192310
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2011-10-19 23:09:20.381 0.000 TCP 64.4.62.124:81 -> 10.7.8.230:1825 1 40 1
2011-10-19 23:11:47.595 12.775 TCP 10.7.8.230:1847 -> 74.125.79.104:80 17 4589 1
2011-10-19 23:11:47.595 12.775 TCP 74.125.79.104:80 -> 10.7.8.230:1847 31 28173 1
2011-10-19 23:11:56.585 3.477 TCP 10.7.8.230:1862 -> 74.125.79.104:80 22 4825 1
2011-10-19 23:11:56.585 3.477 TCP 74.125.79.104:80 -> 10.7.8.230:1862 46 49094 1
2011-10-19 23:09:17.224 317.015 ICMP 10.7.8.20:0 -> 8.8.8.8:8.0 309 18540 1
2011-10-19 23:09:17.314 316.015 ICMP 8.8.8.8:0 -> 10.7.8.20:0.0 306 18360 1
2011-10-19 23:09:18.014 320.709 ICMP 10.7.8.230:0 -> 8.8.8.8:8.0 189 11340 1
...
...
Summary: total flows: 55, total bytes: 483200, total packets: 3268, avg bps: 11975, avg pps: 10, avg bpp: 147
Time window: 2011-10-19 23:09:16 - 2011-10-19 23:14:39
Total flows processed: 55, Blocks skipped: 0, Bytes read: 2912
Sys: 0.002s flows/second: 24336.3 Wall: 0.000s flows/second: 77355.8