I've been unsuccessfully trying to convert files in DAG format to Netflow. To achieve this I first converted the DAG files to pcap using tshark and then exported the pcap files using softflowd to a Netflow collector (flow-capture). But every time I do the export from pcap, softflowd seems to ignore all the IP packets. The exact output that I get is:

# softflowd -r 26f0000.pcap -n 192.168.1.7:8819 -d
softflowd v0.9.8 starting data collection
Exporting flows to [192.168.1.7]:8819
Shutting down after pcap EOF
Shutting down on user request
Number of active flows: 0
Packets processed: 0
Fragments: 0
Ignored packets: 6918507 (6918507 non-IP, 0 too short)
Flows expired: 0 (0 forced)
Flows exported: 0 in 0 packets (0 failures)
#

I've tried breaking down the pcap file (which is around 650 MB) to smaller file sizes using tcpslice but that does not seem to help either. I've also used tools like dagconvert (from Endace) to convert DAG to pcap and run it through softflowd, but in this case too softflowd seems to ignore all packets.

I am able to export pcap to Netflow using softflowd when the pcap file is created using a live capture.

I would really appreciate it if someone could help me out on this problem or offer a better way on how I can do the conversion.

Thanks.
-santosh
On Mon, 12 Feb 2007, Santosh Rao wrote:

> I've been unsuccessfully trying to convert files in DAG format to Netflow.
> To achieve this I first converted the DAG files to pcap using tshark and
> then exported the pcap files using softflowd to a Netflow collector
> (flow-capture). But every time I do the export from pcap, softflowd seems to
> ignore all the IP packets. The exact output that I get is:
>
> # softflowd -r 26f0000.pcap -n 192.168.1.7:8819 -d
> softflowd v0.9.8 starting data collection
> Exporting flows to [192.168.1.7]:8819
> Shutting down after pcap EOF
> Shutting down on user request
> Number of active flows: 0
> Packets processed: 0
> Fragments: 0
> Ignored packets: 6918507 (6918507 non-IP, 0 too short)

I don't know what DAG is, but your problem is described in the line above.
softflowd is not recognising your pcap file as containing IP packets.
There are two possibilities that come to mind: first, your packet capture
may be corrupted enough to not be recognisable by softflowd, but still
be a valid pcap format. Second, the pcap file may have been written with
a datalink type that softflowd does not support.

Can you dump the file with "tcpdump -vvr 26f000.pcap"? If tcpdump can read
it then perhaps it is a datalink type problem. Does running softflowd with
the "-D" (debug) option give any indication of what is wrong?

-d
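The second possibility Damien raises (a pcap written with a link-layer header type the exporter does not decode) is easy to check directly. The first line tcpdump prints when reading a file ("reading from file ..., link-type ...") already names the type; the script below goes one step further and classifies every frame the way a simple exporter would, so that a capture full of "non-IP" frames can be told apart from a link type the exporter simply does not know. This is an added example written for this thread, not softflowd's own code and not something posted by either participant. The set of link types it assumes softflowd 0.9.8 accepts (SOFTFLOWD_LINKTYPES) is taken from memory of softflowd's datalink table and must be verified against softflowd.c; the sample pcap images at the bottom are constructed inline, not taken from the 26f0000.pcap capture.

```python
"""Report a pcap file's link-layer type and classify each frame as IPv4,
IPv6 or non-IP, to find out why a flow exporter counts everything as non-IP.

Added example for the softflowd "6918507 non-IP" thread; not softflowd code.
"""
import struct
from collections import Counter

# Link-layer header types from libpcap's pcap/dlt.h.
DLT_NULL, DLT_EN10MB, DLT_PPP, DLT_RAW = 0, 1, 9, 12
DLT_LOOP, DLT_LINUX_SLL, DLT_ERF = 108, 113, 197
DLT_NAMES = {DLT_NULL: "NULL", DLT_EN10MB: "EN10MB", DLT_PPP: "PPP", DLT_RAW: "RAW",
             DLT_LOOP: "LOOP", DLT_LINUX_SLL: "LINUX_SLL", DLT_ERF: "ERF"}

# ASSUMPTION: the link types softflowd 0.9.8 knows how to strip. Taken from
# memory of its datalink table; check softflowd.c for the build you run.
SOFTFLOWD_LINKTYPES = {DLT_NULL, DLT_EN10MB, DLT_PPP, DLT_RAW, DLT_LOOP, DLT_LINUX_SLL}

ETH_P_IP, ETH_P_IPV6, ETH_P_8021Q = 0x0800, 0x86DD, 0x8100


def read_pcap(data):
    """Return (linktype, [frame, ...]) from a classic pcap file image."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # little-endian writer (usec / nsec)
        end = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # big-endian writer
        end = ">"
    else:
        raise ValueError("not a pcap file (magic 0x%08x)" % magic)
    _, _major, _minor, _tz, _sig, _snap, network = struct.unpack_from(end + "IHHiIII", data, 0)
    linktype = network & 0xFFFF                # newer writers keep FCS flags in the high bits
    frames, off = [], 24
    while off + 16 <= len(data):               # 16-byte record header per packet
        _sec, _frac, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet record at offset %d" % (off - 16))
        frames.append(data[off:off + incl_len])
        off += incl_len
    return linktype, frames


def _ip_version(payload):
    """Classify a bare IP packet by its version nibble."""
    if not payload:
        return "non-IP"
    return {4: "IPv4", 6: "IPv6"}.get(payload[0] >> 4, "non-IP")


def classify(linktype, frame):
    """'IPv4', 'IPv6', the same with ' (802.1Q)' for VLAN-tagged frames,
    'non-IP', or 'unclassified' for link types this script does not decode."""
    if linktype in (DLT_EN10MB, DLT_LINUX_SLL):
        off = 12 if linktype == DLT_EN10MB else 14   # offset of the ethertype field
        if len(frame) < off + 2:
            return "non-IP"
        (etype,) = struct.unpack_from("!H", frame, off)
        tagged = ""
        if etype == ETH_P_8021Q:                     # VLAN tag: real ethertype is 4 bytes on
            if len(frame) < off + 6:
                return "non-IP"
            (etype,) = struct.unpack_from("!H", frame, off + 4)
            tagged = " (802.1Q)"
        if etype == ETH_P_IP:
            return "IPv4" + tagged
        if etype == ETH_P_IPV6:
            return "IPv6" + tagged
        return "non-IP"
    if linktype == DLT_RAW:
        return _ip_version(frame)
    if linktype in (DLT_NULL, DLT_LOOP):
        return _ip_version(frame[4:])                # 4-byte address family, then IP
    return "unclassified"


def summarize(data):
    """Link type, whether softflowd is assumed to accept it, and per-class counts."""
    linktype, frames = read_pcap(data)
    return {
        "linktype": linktype,
        "linktype_name": DLT_NAMES.get(linktype, "DLT_%d" % linktype),
        "softflowd_linktype_ok": linktype in SOFTFLOWD_LINKTYPES,
        "counts": dict(Counter(classify(linktype, f) for f in frames)),
    }


# ---- constructed sample data, not taken from the capture in the thread ----
def build_pcap(linktype, frames, big_endian=False):
    end = ">" if big_endian else "<"
    out = struct.pack(end + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, f in enumerate(frames):
        out += struct.pack(end + "IIII", 1171238400 + i, 0, len(f), len(f)) + f
    return out


_MACS = bytes.fromhex("00112233445500aabbccddee")
_IPV4 = bytes.fromhex("45000014000040004006") + b"\0" * 10   # 20-byte IPv4 header
_IPV6 = bytes.fromhex("60000000000006") + b"\0" * 33          # 40-byte IPv6 header
SAMPLE_ETH = build_pcap(DLT_EN10MB, [
    _MACS + b"\x08\x00" + _IPV4,                     # plain IPv4
    _MACS + b"\x08\x06" + b"\0" * 28,                # ARP
    _MACS + b"\x81\x00\x00\x0a\x08\x00" + _IPV4,     # IPv4 inside VLAN 10
    _MACS + b"\x86\xdd" + _IPV6,                     # IPv6
])
SAMPLE_ERF = build_pcap(DLT_ERF, [b"\0" * 64], big_endian=True)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ETH
    print(summarize(data))
```

Run it as `python3 pcaplink.py 26f0000.pcap`. A result with `softflowd_linktype_ok` false (for instance a link type of 197, ERF) means the converter kept the DAG record format and the exporter has nothing to decode; a result of EN10MB with most frames counted as "IPv4 (802.1Q)" points at VLAN-tagged frames, which an exporter that does not strip the tag sees as ethertype 0x8100 and counts as non-IP. Whether the softflowd build in question handles either case is exactly what to confirm in its source before changing the conversion step.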
On 2/13/07, Damien Miller <djm at mindrot.org> wrote:

> On Mon, 12 Feb 2007, Santosh Rao wrote:
>
> > I've been unsuccessfully trying to convert files in DAG format to Netflow.
> > To achieve this I first converted the DAG files to pcap using tshark and
> > then exported the pcap files using softflowd to a Netflow collector
> > (flow-capture). But every time I do the export from pcap, softflowd seems to
> > ignore all the IP packets. The exact output that I get is:
> >
> > # softflowd -r 26f0000.pcap -n 192.168.1.7:8819 -d
> > softflowd v0.9.8 starting data collection
> > Exporting flows to [192.168.1.7]:8819
> > Shutting down after pcap EOF
> > Shutting down on user request
> > Number of active flows: 0
> > Packets processed: 0
> > Fragments: 0
> > Ignored packets: 6918507 (6918507 non-IP, 0 too short)
>
> I don't know what DAG is, but your problem is described in the line above.
> softflowd is not recognising your pcap file as containing IP packets.
> There are two possibilities that come to mind: first, your packet capture
> may be corrupted enough to not be recognisable by softflowd, but still
> be a valid pcap format. Second, the pcap file may have been written with
> a datalink type that softflowd does not support.
>
> Can you dump the file with "tcpdump -vvr 26f000.pcap"? If tcpdump can read
> it then perhaps it is a datalink type problem. Does running softflowd with
> the "-D" (debug) option give any indication of what is wrong?
>
> -d

Damien,

Thanks for your response. Here is the output when I run softflowd with the -D option.

# softflowd -r /home/santosh/defeat/26f0000.pcap -n localhost:8819 -D
softflowd v0.9.8 starting data collection
Exporting flows to [127.0.0.1]:8819
Shutting down after pcap EOF
Shutting down on user request
Starting expiry scan: mode -1
Finished scan 0 flow(s) to be evicted
Number of active flows: 0
Packets processed: 0
Fragments: 0
Ignored packets: 6918507 (6918507 non-IP, 0 too short)
Flows expired: 0 (0 forced)
Flows exported: 0 in 0 packets (0 failures)

Thanks,
-santosh