subramanian ramasamy
2007-Jul-09 19:20 UTC
[netflow-tools] Input for softflowd from pcap file.
Hi,

I am new to NetFlow and softflowd.

I ran softflowd with input from a pcap file which has a 20 min complete ssh
conversation between two machines. I ran tcpdump on the collector machine
and saved the NetFlow V9 traffic from softflowd. I saved the exported info
as dmp file and later examined using wireshark. I only see Template Flowset
and no Data Flowset.

Am I doing anything wrong ?

Thanks,
Subra.

> softflowd -D -v 9 -r TCP_20min_conn.dmp -n 10.6.100.134:9992
softflowd v0.9.8 starting data collection
Exporting flows to [10.6.100.134]:9992
ADD FLOW seq:1 [10.1.1.40]:22 <> [10.1.5.46]:3123 proto:6
Shutting down after pcap EOF
Shutting down on user request
Starting expiry scan: mode -1
Queuing flow seq:1 (0x927d4c8) for expiry reason 3
Finished scan 1 flow(s) to be evicted
Flow 2/0: r 0 offset 190 type 0004 len 66(0x0042) flows 2
Sending flow packet len = 192
sent 1 netflow packets
EXPIRED: seq:1 [10.1.1.40]:22 <> [10.1.5.46]:3123 proto:6
        octets>:5143 packets>:48 octets<:6324 packets<:46
        start:2007-04-30T22:18:59.801 finish:2007-04-30T22:43:13.317
        tcp>:1b tcp<:1b flowlabel>:00000000 flowlabel<:00000000 (0x927d4c8)
Number of active flows: 0
Packets processed: 94
Fragments: 0
Ignored packets: 0 (0 non-IP, 0 too short)
Flows expired: 1 (0 forced)
Flows exported: 1 in 1 packets (0 failures)

Expired flow statistics:  minimum       average       maximum
  Flow bytes:               11467         11467         11467
  Flow packets:                94            94            94
  Duration:              1453.52s      1453.52s      1453.52s

Expired flow reasons:
       tcp =         0   tcp.rst =         0   tcp.fin =         0
       udp =         0      icmp =         0   general =         0
   maxlife =         0
  over 2Gb =         0
  maxflows =         0
   flushed =         1

Per-protocol statistics:     Octets      Packets   Avg Life    Max Life
           tcp (6):           11467           94    1453.52s    1453.52s
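One way to check what a captured export actually contains, as an added example that is not code from this thread or from softflowd: it builds a constructed NetFlow v9 packet modelled on the flow in the log above, then walks it flowset by flowset, counting template flowsets (ID 0) and data flowsets (ID 256 and up) and decoding data records once the matching template has been seen. Template ID 1024 and the uptime, timestamp and sequence values in the header are constructed.

```python
import struct
from ipaddress import IPv4Address

FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port", 8: "src_addr", 11: "dst_port", 12: "dst_addr"}
FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]  # (type, length) pairs, NetFlow v9 field types from RFC 3954
# Both directions of the SSH flow from the log above, with its byte and packet counts (constructed)
FLOWS = [("10.1.1.40", "10.1.5.46", 22, 3123, 5143, 48), ("10.1.5.46", "10.1.1.40", 3123, 22, 6324, 46)]

def build_sample_packet():
    # Constructed export: v9 header, a template flowset (ID 0) defining template 1024,
    # then a data flowset (ID 1024) that can only be decoded with that template.
    tmpl = struct.pack("!HH", 1024, len(FIELDS)) + b"".join(struct.pack("!HH", *f) for f in FIELDS)
    recs = b"".join(IPv4Address(s).packed + IPv4Address(d).packed + struct.pack("!HHBII", sp, dp, 6, o, n)
                    for s, d, sp, dp, o, n in FLOWS)
    recs += b"\x00" * (-len(recs) % 4)              # flowsets are padded to a 4-byte boundary
    header = struct.pack("!HHIIII", 9, 3, 145352, 1177971193, 1, 0)  # version, count, uptime, secs, seq, source id
    return header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 1024, 4 + len(recs)) + recs

def parse_v9(packet, templates=None):
    # Walk every flowset; returns (summary, decoded records). Reuse `templates` across
    # packets: a data flowset is decodable only after its template has been received.
    templates = {} if templates is None else templates
    if struct.unpack("!H", packet[:2])[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    summary, records, off = {"templates": 0, "data_flowsets": 0, "undecodable": 0}, [], 20
    while off + 4 <= len(packet):                   # 20-byte header, then flowsets
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("flowset length runs past end of packet")
        body, p = packet[off + 4:off + fs_len], 0
        if fs_id == 0:                              # template flowset: (id, field count, fields...)*
            while p + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[p:p + 4])
                templates[tid] = [struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i]) for i in range(n)]
                summary["templates"] += 1
                p += 4 + 4 * n
        elif fs_id >= 256:                          # data flowset (ID 1 = options template, skipped here)
            summary["data_flowsets"] += 1
            spec = templates.get(fs_id, [])
            rec_len = sum(length for _, length in spec)
            summary["undecodable"] += int(rec_len == 0)  # no template yet: records cannot be decoded
            while rec_len and p + rec_len <= len(body):
                rec, q = {}, p
                for ftype, flen in spec:
                    raw, q = body[q:q + flen], q + flen
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = str(IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
                records.append(rec)
                p += rec_len
        off += fs_len
    return summary, records
```

To check a real capture, feed each NetFlow UDP payload from the collector's dump to parse_v9 with one shared templates dict; a data flowset counted as undecodable arrived before (or without) its template, which a viewer that does not cache templates will show as nothing at all.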
On Mon, 9 Jul 2007, subramanian ramasamy wrote:

> Hi,
>
> I am new to NetFlow and softflowd.
>
> I ran softflowd with input from a pcap file which has a 20 min complete ssh
> conversation between two machines. I ran tcpdump on the collector machine
> and saved the NetFlow V9 traffic from softflowd. I saved the exported info
> as dmp file and later examined using wireshark. I only see Template Flowset
> and no Data Flowset.
>
> Am I doing anything wrong ?

I have no idea - this is a pretty convoluted way to look at flows.
Softflowd is definitely seeing the flow, and appears to be exporting it.
Could you set up some NetFlow (e.g. flowd) and try to capture it?

-d