groud / softflowd Goto Github PK

What steps will reproduce the problem?
1. Analyze source code from files netflow1.c and netflow5.c 
2. Look for following snippet in function send_netflow_v[15]:
if (j == 0) {
                        memset(&packet, '\0', sizeof(packet));

3. Run tcpdump and see generated netflow packets.

According to IF MIB Definition of ifIndex 
(http://net-snmp.sourceforge.net/docs/mibs/IF-MIB.txt) ifIndex has to be 
greater than zero. Right now both ifIndex fields in every flow are set to 0.
The problem applies to version 0.9.8 and 0.9.9.

Because of the problem Netflow Analyzer Enterprise Edition from from 
ManageEngine (http://www.manageengine.com/products/netflow/) refuses to see 
such flows.

The problem can be fixed with following code:
flw->if_index_out = flw->if_index_in = htons(1);
It's necessary to add the string in the functions send_netflow_v[15] just 
before following code:
offset += sizeof(*flw);
j++;

I attached full patch for it.

Or try to map SNMP-index of given on command line interface name.
But it's more complicated.

With best regards,
Maxim Zimovets

What steps will reproduce the problem?

When the data export, my collector generates the data with different date, I am 
using the NFSEN. for example:

2011-06-28 xxxxxxxxxxxxxxxxxx xxxxxxxxxxx xxxxxxxxxxxx xxxxxxxx...

this late date.


And one more question, I could profiles exporter or make profiles with 
softflowd?



What is the expected output? What do you see instead?
Late date

What version of the product are you using? On what operating system?
pfsense 2.0

att
Zacaron

What steps will reproduce the problem?
- softflowd stops/crashes after a few hours/days of running with the following 
output:

Shutting down after pcap EOF
Shutting down on user request

What version of the product are you using? On what operating system?
softflowd 0.9.8
Linux 2.6.27.7-9-pae #1 SMP 2008-12-04 18:10:04 +0100 i686 i686 i386 GNU/Linux

Please provide any additional information below.
I've commented "graceful_shutdown_request = 1" (line 1872 in softflowd.c) then 
got: 

Shutting down after pcap EOF
Exiting immediately on user request

What steps will reproduce the problem?
1. extract tar.gz
2. create rpmbuild directory structure
3. copy files to folders inside rpmbuild structure:
  cp softflowd-0.9.9/softflowd.spec ~/rpmbuild/SPECS
  cp softflowd-0.9.9/softflowd.init ~/rpmbuild/SOURCES
  cp softflowd-0.9.9/softflowd.sysconfig ~/rpmbuild/SOURCES
  cp softflowd-0.9.9.tar.gz ~/rpmbuild/SOURCES
4. build rpm: rpmbuild -ba:
  rpmbuild -ba ~/rpmbuild/SPECS/softflowd.spec


What is the expected output? What do you see instead?
It was expected tu see a builded rpm file
It gives an error saying that it cannot find "ChangeLog" file

What version of the product are you using? On what operating system?
softflowd-0.9.9 on Centos 6.2

Please provide any additional information below.
I made a simple script that changes the softflowd.spec not to use "ChangeLog" 
file
but if you could add it to tar.gz file it would be the right way of do it.

thanks

What steps will reproduce the problem?
$ softflowd -i eth0 -n blahh:1234
if "blahh" cannot be resolved, the error message
is "address too long" .

What is the expected output? What do you see instead?
"unknown hostname" or something similar

What version of the product are you using? On what operating system?
current (0.9.9) on gentoo linux

Please provide any additional information below.
this small patch works for me:
--- softflowd_orig.c    2012-02-13 02:39:42.000000000 +0100
+++ softflowd.c 2013-08-19 21:22:57.000000000 +0200
@@ -1603,7 +1603,7 @@

        memset(&hints, '\0', sizeof(hints));
        hints.ai_socktype = SOCK_DGRAM;
-       if ((herr = getaddrinfo(host, port, &hints, &res)) == -1) {
+       if ((herr = getaddrinfo(host, port, &hints, &res)) != 0) {
                fprintf(stderr, "Address lookup failed: %s\n",
                    gai_strerror(herr));
                exit(1);

output is "Address lookup failed: Name or service not known"
as expected.

what is the role of sampling??

Is possible to give sampled packet to softflowd?? difference between given all 
packet and sampled packet????

Hi,

I'm interested by this tool. I want to catch NetFlow data from Cisco Catalyst 
2950 switches taht are note NetFlow capable by himself. 

I found a website talking about your product was able to give a kind of 
rendering with these switches (From 
www.plixer.com/blog/netflow-analyzer/catalyst-2950-netflow-support/)

I would like to use your product but I found nothing help me to install your 
product, no sample, no lab environment, no screenshot,...

Producing at least a small documentation section on this web page could be very 
interesting. We should found that:

1- How to install (Package, platform, requierment, etc.)

2- How to configure 

3- Sample (real usage to have a kind of template)

4- Supported network equipments

5- Supported software (like, how softflowd work between a network and ntop)

What steps will reproduce the problem?
1. Setup a pfSense router to send NetFlow V9 to a CentOS 6/FlowViewer/IPFIX
2. Take a Wireshark trace on CentOS with tcpdump
3. Observe following decoding:

Cisco NetFlow/IPFIX
    Version: 9
    Count: 14
    SysUptime: 129080.231279120 seconds
    Timestamp: Nov  2, 2014 09:17:01.000000000 Paris, Madrid
        CurrentSecs: 1414916221
    FlowSequence: 163268
    SourceId: 0
    FlowSet 1
        FlowSet Id: (Data) (1024)
        FlowSet Length: 440
        Flow 1
            SrcAddr: 192.168.100.64 (192.168.100.64)
            DstAddr: 192.168.150.15 (192.168.150.15)
            [Duration: -0.061000000 seconds]
                StartTime: 128738.007000000 seconds
                EndTime: 128737.946000000 seconds
            Octets: 116
            Packets: 1
            SrcPort: 63880
            DstPort: 161
            Protocol: 17
            TCP Flags: 0x00
            IPVersion: 04
        Flow 2
            SrcAddr: 192.168.150.15 (192.168.150.15)
            DstAddr: 192.168.100.64 (192.168.100.64)
            [Duration: -0.061000000 seconds]
                StartTime: 128738.007000000 seconds
                EndTime: 128737.946000000 seconds
            Octets: 130
            Packets: 1
            SrcPort: 161
            DstPort: 63880
            Protocol: 17
            TCP Flags: 0x00
            IPVersion: 04


What is the expected output? What do you see instead?
End time later than Start time


What version of the product are you using? On what operating system?
pfSense 2.1.5-RELEASE (i386)
softflowd 0.9.8 pkg v1.0.1


Please provide any additional information below.

Regards
Antoine

It would be very useful to be able to use libnetfilter_log as an input to 
softflowd.