Hi everyone,
I am trying to use softflowd and nfcapd to turn a pcap into netflow data.
I am starting nfcapd by running: nfcapd -p 12345 -l netflow/
and softflowd by running: softflowd -n localhost:12345 -r singleflow.pcap
This is the pcap I am trying to convert
No.  Time      Source          Destination     Protocol Info
  1  0.000000  192.168.1.73    74.86.135.174   TCP
  2  0.149059  74.86.135.174   192.168.1.73    TCP
  3  0.149170  192.168.1.73    74.86.135.174   TCP
  4  0.149322  192.168.1.73    74.86.135.174   HTTP
  5  0.200823  192.168.1.73    74.86.135.174   TCP
  6  0.299411  74.86.135.174   192.168.1.73    TCP
  7  0.319394  74.86.135.174   192.168.1.73    HTTP
  8  0.319474  192.168.1.73    74.86.135.174   TCP
  9  0.376528  74.86.135.174   192.168.1.73    TCP
 10  0.376569  192.168.1.73    74.86.135.174   TCP
This shows the pcap contains a single flow. However when I run nfdump on the
produced nfcap file, I get: -
Date flow start          Duration Proto   Src IP Addr:Port      Dst IP Addr:Port     Packets  Bytes Flows
2009-08-23 03:33:22.720     0.377 TCP     74.86.135.174:80   -> 192.168.1.73:38589         4    445     1
2009-08-23 03:33:22.720     0.377 TCP     192.168.1.73:38589 -> 74.86.135.174:80           6    846     1
Summary: total flows: 2, total bytes: 1291, total packets: 10, avg bps: 27395, avg pps: 26, avg bpp: 129
Time window: 2009-08-23 03:33:22 - 2009-08-23 03:33:23
Total flows processed: 2, Records skipped: 0, Bytes read: 116
Sys: 0.000s flows/second: 0.0        Wall: 0.000s flows/second: 5333.3
Which shows there are two flows. Every time I try and convert a pcap
to netflow I get double the number of flows I expect. Can anyone tell
me why this is, and what I can do to correct it?
Thank you all for your help.
Regards,
Simon
Damien Miller
2009-Jul-09 07:53 UTC
[netflow-tools] convert pcap to netflow with softflowd
On Sat, 4 Jul 2009, Simon wrote:

> Hi everyone,
>
> I am trying to use softflowd and nfcapd to turn a pcap into netflow data.
>
> I am starting nfcapd by running: nfcapd -p 12345 -l netflow/
> and softflowd by running: softflowd -n localhost:12345 -r singleflow.pcap
>
> This is the pcap I am trying to convert
>
> No.  Time      Source          Destination     Protocol Info
>   1  0.000000  192.168.1.73    74.86.135.174   TCP
>   2  0.149059  74.86.135.174   192.168.1.73    TCP
>   3  0.149170  192.168.1.73    74.86.135.174   TCP
>   4  0.149322  192.168.1.73    74.86.135.174   HTTP
>   5  0.200823  192.168.1.73    74.86.135.174   TCP
>   6  0.299411  74.86.135.174   192.168.1.73    TCP
>   7  0.319394  74.86.135.174   192.168.1.73    HTTP
>   8  0.319474  192.168.1.73    74.86.135.174   TCP
>   9  0.376528  74.86.135.174   192.168.1.73    TCP
>  10  0.376569  192.168.1.73    74.86.135.174   TCP
>
> This shows the pcap contains a single flow. However when I run nfdump on
> the produced nfcap file, I get: -

Correct, it shows the pcap contains a single _TCP_ flow.

[snip]

> Which shows there are two flows. Every time I try and convert a pcap to
> netflow I get double the number of flows I expect. Can anyone tell me why
> this is, and what I can do to correct it?

Netflow flow records are unidirectional, so each TCP flow will yield two
netflow flows; one for each direction.

-d
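The two records nfdump printed, one per direction, fall out of how a NetFlow exporter keys flows on the directed 5-tuple. The Python below is an added example (not softflowd or nfdump code) that walks the ten packets from Simon's post through that keying and then pairs the two records back into the one TCP conversation he expected; ports 38589 and 80 are taken from his nfdump output, and byte counts are left out because the post does not list per-packet sizes.

```python
"""Unidirectional NetFlow-style records from the packet list in the thread.
Added example, not part of softflowd or nfdump. Packet timestamps and
directions are the ten packets from the post; ports come from the nfdump
output (38589 -> 80). Only packets are counted (no sizes in the post)."""

# Constructed from the post: each entry is (timestamp, (src_ip, src_port), (dst_ip, dst_port)).
CLIENT, SERVER = ("192.168.1.73", 38589), ("74.86.135.174", 80)
PACKETS = [
    (0.000000, CLIENT, SERVER), (0.149059, SERVER, CLIENT),
    (0.149170, CLIENT, SERVER), (0.149322, CLIENT, SERVER),
    (0.200823, CLIENT, SERVER), (0.299411, SERVER, CLIENT),
    (0.319394, SERVER, CLIENT), (0.319474, CLIENT, SERVER),
    (0.376528, SERVER, CLIENT), (0.376569, CLIENT, SERVER),
]


def unidirectional_flows(packets, proto="TCP"):
    """Key every packet by its directed 5-tuple, as a NetFlow exporter does.
    A single TCP connection therefore yields two records, one per direction."""
    flows = {}
    for ts, (sip, sport), (dip, dport) in packets:
        key = (proto, sip, sport, dip, dport)
        rec = flows.setdefault(key, {"first": ts, "last": ts, "packets": 0})
        rec["last"] = max(rec["last"], ts)
        rec["packets"] += 1
    return flows


def bidirectional_flows(flows):
    """Pair the A->B and B->A records into one conversation by using an
    order-independent key, recovering the single TCP flow seen in the pcap."""
    convs = {}
    for (proto, sip, sport, dip, dport), rec in flows.items():
        key = (proto,) + tuple(sorted([(sip, sport), (dip, dport)]))
        c = convs.setdefault(key, {"first": rec["first"], "last": rec["last"],
                                   "packets": 0, "records": 0})
        c["first"] = min(c["first"], rec["first"])
        c["last"] = max(c["last"], rec["last"])
        c["packets"] += rec["packets"]
        c["records"] += 1
    return convs


if __name__ == "__main__":
    uni = unidirectional_flows(PACKETS)
    for (proto, sip, sport, dip, dport), rec in uni.items():
        print(f"{proto} {sip}:{sport} -> {dip}:{dport}  packets={rec['packets']}")
    bi = bidirectional_flows(uni)
    conv = next(iter(bi.values()))
    print(f"records={len(uni)} conversations={len(bi)} "
          f"packets={conv['packets']} duration={conv['last'] - conv['first']:.3f}s")
```

Newer nfdump releases can do the same pairing at query time with `-b`, which aggregates matching records into bidirectional flows.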