AW: sflow to netflow

From: Alexander Czutka <aczutka@foundrynet.com>
Date: 07/29/05
Message-ID: <006701c59419$111d3ff0$1601a8c0@laptopczutka>

Hi Neil,

I will check this!

Thanks,

Alexander

> -----Original Message-----
> From: neil mckee [mailto:neil.mckee@inmon.com]
> Sent: Thursday, 28 July 2005 20:28
> To: aczutka@foundrynet.com
> Cc: sflow@sflow.org
> Subject: Re: [sFlow] sflow to netflow
>
> Hello Alexander,
>
> I have two suggestions:
>
> 1. are you getting flow-samples as well as counter-samples? (It is
> only the flow-samples that can be translated to netflow)
> 2. is there a firewall configured that might stop the packets from
> being received at the other host?
>
> Here is a test you can run, using two windows on the same linux host:
>
> Window 1:
>
> $ sflowtool -p 8888 -l -c localhost -d 9991 -S | grep FLOW
> FLOW,10.0.0.254,0,0,000a95bcd814,00034706fd94,0x0800,0,0,10.0.0.71,10.0.0.25,6,0x00,64,6000,38638,0x10,70,52,200
> FLOW,10.0.0.254,0,0,000a95bcd814,00034706fd94,0x0800,0,0,10.0.0.71,10.0.0.25,6,0x00,64,6000,38638,0x10,70,52,200
> FLOW,10.0.0.249,2,0,00034706fd94,000a95bcd814,0x0800,0,0,10.0.0.25,10.0.0.71,6,0x00,64,38638,6000,0x18,126,108,100
> FLOW,10.0.0.25,0,0,00034706fd94,000a95bcd814,0x0800,0,0,10.0.0.25,10.0.0.71,6,0x00,64,38638,6000,0x18,126,108,100
> FLOW,10.0.0.254,0,0,000c29bc78ff,000a95bcd814,0x0800,0,0,10.0.0.81,10.0.0.71,6,0x10,64,22,49223,0x18,166,148,200
> FLOW,10.0.0.254,0,0,000c29bc78ff,000a95bcd814,0x0800,0,0,10.0.0.81,10.0.0.71,6,0x10,64,22,49223,0x18,166,148,200
>
> Window 2:
>
> $ /usr/sbin/tcpdump -n -i lo udp port 9991
> tcpdump: listening on lo
> 11:06:41.321366 10.0.0.254.9991 > 127.0.0.1.9991: udp 72
> 11:06:41.322890 10.0.0.254.9991 > 127.0.0.1.9991: udp 72
> 11:06:41.920895 10.0.0.249.9991 > 127.0.0.1.9991: udp 72
> 11:06:47.708526 10.0.0.25.9991 > 127.0.0.1.9991: udp 72
> 11:06:48.331645 10.0.0.254.9991 > 127.0.0.1.9991: udp 72
> 11:06:48.331704 10.0.0.254.9991 > 127.0.0.1.9991: udp 72
>
>
> [Note: I believe the "-S" option, which causes the source address of
> the netflow packet to be "spoofed" to that of the switch/router, will
> not work on the Windows platform.]
>
> If the above works, then you can try changing "-c localhost" to "-c
> 172.16.1.15" and then run the tcpdump command on 172.16.1.15.
> Sometimes tcpdump can see the packets before a software firewall blocks
> them, so even if that works you may still need to adjust the firewall.
>
> Hope this helps.
>
> regards,
> neil
>
>
>
> On Jul 28, 2005, at 5:51 AM, Alexander Czutka wrote:
>
> > Hello,
> >
> > I tried to convert sflow-data to netflow-data with the command:
> >
> > sflowtool -p 6343 -c 172.16.1.15 -d 9991
> >
> > but I couldn't see any frames getting out of my local machine to
> > 172.16.1.15.
> >
> > I saw sflow data coming in.
> >
> > I tried it with Linux (sflowtool 3.8) and Win.
> >
> > Is this command working?
> >
> > Regards,
> >
> > Alexander
> >
> > Foundry Networks GmbH
> >
> > Alexander Czutka Phone: +49 (0)89 374 292 17
> > Post Sales Fax: +49 (0)89 374 292 60
> > Einsteinstrasse 14 Mobile: +49 (0)172 8998 517
> > D-85716 Unterschleissheim Email: aczutka@foundrynet.com
> > Germany www.foundrynetworks.com
> >
> > [demime 1.01d removed an attachment of type text/x-vcard which had a
> > name of Alexander Czutka (aczutka@foundrynet.com).vcf]
> >
> ----
> Neil McKee
> InMon Corp.
> http://www.inmon.com
Received on Fri Jul 29 01:46:24 2005
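
Added example, not part of the original messages and not sflowtool code: a minimal collector-side check that binds UDP port 9991 and decodes what arrives, so delivery is confirmed at the socket (past any host firewall) rather than only on the wire as with tcpdump. It assumes the 72-byte datagrams in the tcpdump output are NetFlow version 5 (24-byte header plus one 48-byte record). The function names are hypothetical and the sample datagram is constructed from the addresses and ports in the first FLOW line.

```python
import socket
import struct

HDR = struct.Struct("!HHIIIIBBH")                 # NetFlow v5 header, 24 bytes
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # NetFlow v5 flow record, 48 bytes

def parse_netflow_v5(datagram):
    """Return (header_dict, [record_dict, ...]); raise ValueError if malformed."""
    if len(datagram) < HDR.size:
        raise ValueError("shorter than a NetFlow v5 header")
    version, count, _up, _secs, _nsecs, seq, _etype, _eid, _samp = HDR.unpack_from(datagram)
    if version != 5:
        raise ValueError("not NetFlow v5 (version=%d)" % version)
    if len(datagram) != HDR.size + count * REC.size:
        raise ValueError("length does not match record count %d" % count)
    records = []
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "packets": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10],
            "tcp_flags": f[12], "proto": f[13], "tos": f[14],
        })
    return {"version": version, "count": count, "sequence": seq}, records

def sample_datagram():
    """Constructed 72-byte datagram (counter values are made up for the demo)."""
    hdr = HDR.pack(5, 1, 0, 0, 0, 1, 0, 0, 0)
    rec = REC.pack(socket.inet_aton("10.0.0.71"), socket.inet_aton("10.0.0.25"),
                   socket.inet_aton("0.0.0.0"), 0, 0, 200, 10400, 0, 0,
                   6000, 38638, 0, 0x10, 6, 0x00, 0, 0, 0, 0, 0)
    return hdr + rec

def listen(port=9991, host="0.0.0.0"):
    """Bind the collector port and print each decoded flow (Ctrl-C to stop)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, port))
    while True:
        data, peer = s.recvfrom(65535)
        try:
            hdr, recs = parse_netflow_v5(data)
        except ValueError as e:
            print(peer[0], "rejected:", e)
            continue
        for r in recs:
            print(peer[0], hdr["sequence"], r)

if __name__ == "__main__":
    listen()
```

Run it on the collector host with nothing else bound to the port. A flow printed here has reached the application, which a tcpdump capture alone does not prove.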
