Re: sflow to netflow

From: neil mckee <neil.mckee@inmon.com>
Date: 07/28/05
Message-Id: <97fa4fc8469107ce68bf09c3a2cecb50@inmon.com>

Hello Alexander,

I have two suggestions:

1. are you getting flow-samples as well as counter-samples? (It is
only the flow-samples that can be translated to netflow)
2. is there a firewall configured that might stop the packets from
being received at the other host?

Here is a test you can run, using two windows on the same linux host:

Window 1:

$ sflowtool -p 8888 -l -c localhost -d 9991 -S | grep FLOW
FLOW,10.0.0.254,0,0,000a95bcd814,00034706fd94,0x0800,0,0,10.0.0.71,10.0.0.25,6,0x00,64,6000,38638,0x10,70,52,200
FLOW,10.0.0.254,0,0,000a95bcd814,00034706fd94,0x0800,0,0,10.0.0.71,10.0.0.25,6,0x00,64,6000,38638,0x10,70,52,200
FLOW,10.0.0.249,2,0,00034706fd94,000a95bcd814,0x0800,0,0,10.0.0.25,10.0.0.71,6,0x00,64,38638,6000,0x18,126,108,100
FLOW,10.0.0.25,0,0,00034706fd94,000a95bcd814,0x0800,0,0,10.0.0.25,10.0.0.71,6,0x00,64,38638,6000,0x18,126,108,100
FLOW,10.0.0.254,0,0,000c29bc78ff,000a95bcd814,0x0800,0,0,10.0.0.81,10.0.0.71,6,0x10,64,22,49223,0x18,166,148,200
FLOW,10.0.0.254,0,0,000c29bc78ff,000a95bcd814,0x0800,0,0,10.0.0.81,10.0.0.71,6,0x10,64,22,49223,0x18,166,148,200

Window 2:

$ /usr/sbin/tcpdump -n -i lo udp port 9991
tcpdump: listening on lo
11:06:41.321366 10.0.0.254.9991 > 127.0.0.1.9991: udp 72
11:06:41.322890 10.0.0.254.9991 > 127.0.0.1.9991: udp 72
11:06:41.920895 10.0.0.249.9991 > 127.0.0.1.9991: udp 72
11:06:47.708526 10.0.0.25.9991 > 127.0.0.1.9991: udp 72
11:06:48.331645 10.0.0.254.9991 > 127.0.0.1.9991: udp 72
11:06:48.331704 10.0.0.254.9991 > 127.0.0.1.9991: udp 72

[Note: I believe the "-S" option, which causes the source address of
the netflow packet to be "spoofed" to that of the switch/router, will
not work on the Windows platform.]

If the above works, then you can try changing "-c localhost" to "-c
172.16.1.15" and then run the tcpdump command on 172.16.1.15.
Sometimes tcpdump can see the packets before a software firewall blocks
them, so even if that works you may still need to adjust the firewall.

Hope this helps.

regards,
neil

On Jul 28, 2005, at 5:51 AM, Alexander Czutka wrote:

> Hello,
>
> I tried to convert sflow-data to netflow-data with the command:
>
> sflowtool -p 6343 -c 172.16.1.15 -d 9991
>
> but I couldn't see any frames getting out of my local machine to
> 172.16.1.15.
>
> I saw sflow data coming in.
>
> I tried it with Linux (sflowtool 3.8) and Win.
>
> Is this command working?
>
> Regards,
>
> Alexander
>
> Foundry Networks GmbH
> Alexander Czutka, Post Sales
> Einsteinstrasse 14, D-85716 Unterschleissheim, Germany
> Phone: +49 (0)89 374 292 17
> Fax: +49 (0)89 374 292 60
> Mobile: +49 (0)172 8998 517
> Email: aczutka@foundrynet.com
> www.foundrynetworks.com
>

----
Neil McKee
InMon Corp.
http://www.inmon.com
Received on Thu Jul 28 11:33:57 2005
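The test Neil describes above (sflowtool translating flow samples to NetFlow, tcpdump showing 72-byte UDP datagrams on the collector port) can be reproduced in code. The following Python is an added example written for this archive page; it is not part of the thread and not sflowtool's own code. It parses the FLOW lines sflowtool prints (column order as sflowtool documents it), encodes samples as NetFlow v5 datagrams, and validates what a collector receives: version 5 and a length of 24 + 48 x count bytes, which is exactly the 72 bytes tcpdump reported for single-record datagrams. The one-record-per-sample mapping, the scaling of packet and byte counts by the sampling rate, and the zero placeholders for next hop, AS numbers and masks are this example's assumptions, not sflowtool's actual mapping.

```python
import struct
import socket
from typing import Dict, List, Optional

# Column order of sflowtool's "FLOW," output lines (per sflowtool's documented format).
FLOW_FIELDS = [
    "agent", "inputPort", "outputPort", "srcMAC", "dstMAC", "ethertype",
    "inVlan", "outVlan", "srcIP", "dstIP", "ipProtocol", "ipTos", "ipTtl",
    "srcPort", "dstPort", "tcpFlags", "packetSize", "ipSize", "samplingRate",
]
INT_FIELDS = ("inputPort", "outputPort", "inVlan", "outVlan", "ipProtocol",
              "ipTtl", "srcPort", "dstPort", "packetSize", "ipSize", "samplingRate")
HEX_FIELDS = ("ethertype", "ipTos", "tcpFlags")

# Constructed sample input: three of the FLOW lines from the thread, re-joined
# onto single lines (the archive had wrapped them).
SAMPLE_FLOW_LINES = """\
FLOW,10.0.0.254,0,0,000a95bcd814,00034706fd94,0x0800,0,0,10.0.0.71,10.0.0.25,6,0x00,64,6000,38638,0x10,70,52,200
FLOW,10.0.0.249,2,0,00034706fd94,000a95bcd814,0x0800,0,0,10.0.0.25,10.0.0.71,6,0x00,64,38638,6000,0x18,126,108,100
FLOW,10.0.0.254,0,0,000c29bc78ff,000a95bcd814,0x0800,0,0,10.0.0.81,10.0.0.71,6,0x10,64,22,49223,0x18,166,148,200
"""

# NetFlow v5 wire layout: a 24-byte header followed by 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_flow_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one sflowtool FLOW line; None for CNTR lines or malformed input."""
    parts = line.strip().split(",")
    if len(parts) != len(FLOW_FIELDS) + 1 or parts[0] != "FLOW":
        return None
    rec: Dict[str, object] = dict(zip(FLOW_FIELDS, parts[1:]))
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    for key in HEX_FIELDS:
        rec[key] = int(rec[key], 16)
    return rec


def parse_flow_lines(text: str) -> List[Dict[str, object]]:
    """Parse all FLOW lines in a block of sflowtool output, skipping the rest."""
    return [r for r in (parse_flow_line(ln) for ln in text.splitlines()) if r]


def build_v5_datagram(flows, sequence=0, uptime_ms=0, unix_secs=0) -> bytes:
    """Encode flow samples as one NetFlow v5 datagram. Assumed mapping (not
    sflowtool's): one record per sample, counts scaled by the sampling rate."""
    if not 1 <= len(flows) <= 30:
        raise ValueError("NetFlow v5 carries 1..30 records per datagram")
    header = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, sequence, 0, 0, 0)
    body = b""
    for f in flows:
        body += V5_RECORD.pack(
            socket.inet_aton(f["srcIP"]), socket.inet_aton(f["dstIP"]),
            socket.inet_aton("0.0.0.0"),            # nexthop: not known from sFlow
            f["inputPort"], f["outputPort"],
            f["samplingRate"],                      # dPkts: one sample ~ samplingRate packets
            f["samplingRate"] * f["ipSize"],        # dOctets, scaled the same way
            uptime_ms, uptime_ms,                   # first/last seen
            f["srcPort"], f["dstPort"],
            0, f["tcpFlags"], f["ipProtocol"], f["ipTos"],
            0, 0, 0, 0, 0)                          # AS numbers, masks, padding
    return header + body


def check_v5_datagram(data: bytes) -> Dict[str, object]:
    """Validate a datagram received on the collector port: must be version 5
    and exactly 24 + 48*count bytes long (72 for a single record)."""
    if len(data) < V5_HEADER.size:
        return {"ok": False, "reason": "shorter than a v5 header"}
    version, count, _up, _secs, _nsecs, seq, _et, _eid, _si = V5_HEADER.unpack_from(data)
    if version != 5:
        return {"ok": False, "reason": f"version {version}, not 5"}
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(data) != expected:
        return {"ok": False, "reason": f"length {len(data)} != {expected}"}
    records = []
    for i in range(count):
        fl = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "srcIP": socket.inet_ntoa(fl[0]), "dstIP": socket.inet_ntoa(fl[1]),
            "srcPort": fl[9], "dstPort": fl[10], "tcpFlags": fl[12],
            "proto": fl[13], "packets": fl[5], "bytes": fl[6],
        })
    return {"ok": True, "count": count, "sequence": seq, "records": records}


if __name__ == "__main__":
    flows = parse_flow_lines(SAMPLE_FLOW_LINES)
    datagram = build_v5_datagram(flows[:1], sequence=1)
    print(len(datagram), "bytes:", check_v5_datagram(datagram))
```

To use it against a live setup, feed the output of the `sflowtool ... | grep FLOW` command from Window 1 into `parse_flow_lines`, and run `check_v5_datagram` on the payload of each UDP datagram captured on the collector port. Note Neil's point about `-S`: with it the datagrams carry the switch/router address as source, which matters if the collector host's firewall permits traffic only from the host running sflowtool.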
