[a-zazell]

Здравствуйте, столкнулись с проблемой связки softflowd и nfdump. В данных "Date flow start" за прошлое время и большие значения "Duration Proto".

 

Сенсор:

 

# uname -a
FreeBSD HOST 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Sat Oct  8 16:37:12 MSD 2011     root@HOST:/usr/obj/usr/src/sys/MYKERNEL  amd64
# pkg_info | grep softflowd
softflowd-0.9.8_2   Softflowd is flow-based network traffic analyser with expor

Стартуем softflowd daemon так:

 

softflowd -v 9 -i lan -n COLLECTOR:9998 -p /var/run/softflowd.lan.pid -c /var/run/softflowd.lan.ctl -m 819200 -t maxlife=20m -t general=20m -t tcp=20m

 

Коллектор:

 

# uname -a
Linux COLLECTOR 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:48 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
# nfcapd -V
nfcapd: Version: 1.6.1 $LastChangedDate: 2010-03-05 07:50:35 +0100 (Fri, 05 Mar 2010) $ $Id: nfcapd.c 51 2010-01-29 09:01:54Z haag $

 

Стартуем collector так:

 

nfcapd -w -D -z -n SENSOR sensor_ip /tmp/netflowv9 -p 9998 -t 300 -u username -g usergroup -P /tmp/netflowv9/9998.pid -x /tmp/netflowv9/nfcapdmv -B 200000

 

 

Обработка данных выдает:

 

 

# nfdump -r nfcapd.201110190940
Date flow start          Duration Proto      Src IP Addr:Port         Dst IP Addr:Port   Packets    Bytes Flows
...
2011-08-30 16:16:29.631 4294958.395 TCP          10.7.8.51:3032  ->  194.186.138.86:55571        3      144     1
2011-08-30 16:16:29.631 4294958.395 TCP          10.7.8.51:3033  ->    85.234.28.15:40435        3      144     1
2011-08-30 16:16:29.631 4294958.395 TCP          10.7.8.51:3034  ->    85.143.60.93:37867        3      144     1
2011-08-30 16:31:20.713 4294591.301 UDP          10.7.8.51:39759 ->  213.142.50.205:28909        6      348     1
2011-08-30 16:31:22.295 4294965.814 TCP         10.7.8.223:59668 ->   83.149.29.243:8888         4      216     1
2011-08-30 16:31:22.295 4294965.814 TCP      83.149.29.243:8888  ->      10.7.8.223:59668        3      164     1
2011-08-30 16:16:31.643 4294958.359 TCP          10.7.8.51:3038  ->  82.151.198.182:49674        3      144     1
2011-08-30 16:31:22.728 4294419.301 UDP          10.7.8.51:39759 ->   178.70.190.49:47659        6      348     1
2011-10-19 09:34:09.998     0.000 UDP          10.7.8.51:39759 ->    95.32.209.62:10951        1       95     1
2011-10-19 09:34:09.998     0.000 UDP          10.7.8.51:39759 ->    94.45.20.135:35691        1       95     1
2011-10-19 09:34:09.998     0.000 UDP          10.7.8.51:39759 ->     95.31.31.38:42219        1       95     1
2011-10-19 09:34:09.998     0.000 UDP          10.7.8.51:39759 ->   95.134.28.165:49557        1       95     1
2011-08-30 16:31:23.415 4294966.609 TCP          10.7.8.51:4677  ->    95.72.152.15:59368        5      294     1
2011-08-30 16:31:23.415 4294966.609 TCP       95.72.152.15:59368 ->       10.7.8.51:4677         3      128     1
...

 

 

Пробовали ловить на той же машине, аналогично

 

# pkg_info | grep nfdump
nfdump-1.6.4        Command-line tools to collect and process NetFlow data

 

Может кто сталкивался? Буду рад любой помощи!

[vlad11]

На Фряхе /etc/rc.conf

# cat /etc/rc.conf | grep flow
softflowd_enable="YES"
softflowd_interfaces="ng0 re0 gif2"
softflowd_ng0_collector="10.0.0.1:1234"
softflowd_ng0_extra_args=""
softflowd_re0_collector="10.0.0.1:1235"
softflowd_re0_extra_args=""
softflowd_gif2_collector="10.0.0.1:1236"
softflowd_gif2_extra_args="-6"
# softflowd_em0_timeouts="-t maxlife=300"
# softflowd_em1_timeouts="-t maxlife=600"
# softflowd_em0_max_states="16000"
# softflowd_em1_max_states="17000"
# softflowd_em0_extra_args
# softflowd_em1_extra_args
flow_capture_enable="YES"
#flow_capture_datadir=/var/netflow
flow_capture_localip="10.0.0.1"
flow_capture_profiles="ng0 re0 gif2"
#flow_capture_pid="/var/run/flow-capture/flow-capture.pid"
flow_capture_flags="-E5G -n 287 -S 5 -N 3"
flow_capture_ng0_port="1234"
flow_capture_ng0_datadir=/var/netflow/ng0
flow_capture_re0_port="1235"
flow_capture_re0_datadir=/var/netflow/re0
flow_capture_gif2_port="1236"
flow_capture_gif2_datadir=/var/netflow/gif2

 

Запущены:

 

3422  ??  Ss     2:48,51 /usr/local/sbin/softflowd -i ng0 -n 10.0.0.1:1234 -m 16000 -p /var/run/softflowd.ng0.pid -c /var/run/softflowd.ng0.ctl -t maxlife=300
3431  ??  Ss     1:18,75 /usr/local/sbin/softflowd -i re0 -n 10.0.0.1:1235 -m 16000 -p /var/run/softflowd.re0.pid -c /var/run/softflowd.re0.ctl -t maxlife=300
3438  ??  Is     0:05,49 /usr/local/sbin/softflowd -i gif2 -n 10.0.0.1:1236 -m 16000 -p /var/run/softflowd.gif2.pid -c /var/run/softflowd.gif2.ctl -t maxlife=300 -6
3595  ??  Ss     1:25,59 /usr/local/bin/flow-capture -E5G -n 287 -S 5 -N 3 -w /var/netflow/ng0 -p /var/run/flow-capture/flow-capture.pid 10.0.0.1/0.0.0.0/1234
3603  ??  Ss     0:42,12 /usr/local/bin/flow-capture -E5G -n 287 -S 5 -N 3 -w /var/netflow/re0 -p /var/run/flow-capture/flow-capture.pid 10.0.0.1/0.0.0.0/1235
3611  ??  Ss     0:06,01 /usr/local/bin/flow-capture -E5G -n 287 -S 5 -N 3 -w /var/netflow/gif2 -p /var/run/flow-capture/flow-capture.pid 10.0.0.1/0.0.0.0/1236

Изменено 19 октября, 2011 пользователем vlad11

[a-zazell]

Да, с v5 вроде нормально:

 

1019.21:37:21.058 1019.21:37:21.062 0     10.7.8.55       34558 0     93.190.21.22    161   17  0  2          265
1019.21:37:21.058 1019.21:37:21.062 0     93.190.21.22    161   0     10.7.8.55       34558 17  0  2          327
1019.21:40:14.155 1019.21:40:22.238 0     10.7.8.230      1398  0     74.125.39.104   80    6   7  35         7906
1019.21:40:14.155 1019.21:40:22.238 0     74.125.39.104   80    0     10.7.8.230      1398  6   2  38         33750
1019.21:35:43.246 1019.21:37:38.330 0     10.7.8.26       3580  0     74.125.43.138   80    6   3  9          2731
1019.21:35:43.246 1019.21:37:38.330 0     74.125.43.138   80    0     10.7.8.26       3580  6   3  8          4161
1019.21:37:38.483 1019.21:37:39.055 0     10.7.8.223      51230 0     84.16.224.160   80    6   3  11         2396
1019.21:37:38.483 1019.21:37:39.055 0     84.16.224.160   80    0     10.7.8.223      51230 6   3  9          7256
1019.21:37:39.191 1019.21:37:39.459 0     10.7.8.223      51231 0     84.16.224.160   80    6   3  7          2331
1019.21:37:39.191 1019.21:37:39.459 0     84.16.224.160   80    0     10.7.8.223      51231 6   3  5          412
1019.21:37:39.396 1019.21:37:39.651 0     10.7.8.223      51232 0     84.16.224.160   80    6   3  7          2340
1019.21:37:39.396 1019.21:37:39.651 0     84.16.224.160   80    0     10.7.8.223      51232 6   3  5          411
1019.21:37:41.139 1019.21:37:41.310 0     10.7.8.223      53425 0     87.240.131.97   80    6   1  2          104
1019.21:37:41.139 1019.21:37:41.310 0     87.240.131.97   80    0     10.7.8.223      53425 6   1  1          52
1019.21:37:51.508 1019.21:37:51.677 0     10.7.8.223      57576 0     87.240.131.98   80    6   1  2          104
1019.21:37:51.508 1019.21:37:51.677 0     87.240.131.98   80    0     10.7.8.223      57576 6   1  1          52
1019.21:37:53.069 1019.21:37:53.237 0     10.7.8.223      37482 0     87.240.131.99   80    6   1  2          104
1019.21:37:53.069 1019.21:37:53.237 0     87.240.131.99   80    0     10.7.8.223      37482 6   1  1          52
1019.21:38:00.307 1019.21:38:00.514 0     10.7.8.223      42916 0     69.171.228.39   80    6   1  2          104
1019.21:38:00.307 1019.21:38:00.514 0     69.171.228.39   80    0     10.7.8.223      42916 6   1  2          104

 

таких аномалий вроде нет, но необходимо собирать v9.

 

1019.21:40:14.155 1019.21:40:22.238 0     74.125.39.104   80    0     10.7.8.230      1398  6   2  38         33750
1019.21:35:43.246 1019.21:37:38.330 0     10.7.8.26       3580  0     74.125.43.138   80    6   3  9          2731

 

Кстати, это нормальная последовательность в дампе?

[a-zazell]

А вот при запуске с параметрами:

 

softflowd -i lan -n 127.0.0.1:9998 -p /var/run/softflowd.lan.pid -c /var/run/softflowd.lan.ctl -t maxlife=300
nfcapd -w -D -z -n local,127.0.0.1,/tmp/netflowv9 -p 9998 -t 300 -P /tmp/netflowv9/9998.pid -B 200000

 

Все нормально:

 

# nfdump -r nfcapd.201110192310
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2011-10-19 23:09:20.381     0.000 TCP        64.4.62.124:81    ->       10.7.8.230:1825         1       40     1
2011-10-19 23:11:47.595    12.775 TCP         10.7.8.230:1847  ->    74.125.79.104:80          17     4589     1
2011-10-19 23:11:47.595    12.775 TCP      74.125.79.104:80    ->       10.7.8.230:1847        31    28173     1
2011-10-19 23:11:56.585     3.477 TCP         10.7.8.230:1862  ->    74.125.79.104:80          22     4825     1
2011-10-19 23:11:56.585     3.477 TCP      74.125.79.104:80    ->       10.7.8.230:1862        46    49094     1
2011-10-19 23:09:17.224   317.015 ICMP         10.7.8.20:0     ->          8.8.8.8:8.0        309    18540     1
2011-10-19 23:09:17.314   316.015 ICMP           8.8.8.8:0     ->        10.7.8.20:0.0        306    18360     1
2011-10-19 23:09:18.014   320.709 ICMP        10.7.8.230:0     ->          8.8.8.8:8.0        189    11340     1
...
...
Summary: total flows: 55, total bytes: 483200, total packets: 3268, avg bps: 11975, avg pps: 10, avg bpp: 147
Time window: 2011-10-19 23:09:16 - 2011-10-19 23:14:39
Total flows processed: 55, Blocks skipped: 0, Bytes read: 2912
Sys: 0.002s flows/second: 24336.3    Wall: 0.000s flows/second: 77355.8