No matched flows
Posted: Thu Feb 11, 2016 3:08 am
by hmaierh
NNA doesn't show anything. I created a source on port 9995, but the captured nfcapd files have a size of 276 bytes, which means they are empty, so nfdump on these nfcapd files says: no matched flows
It seems like nfcapd/nfdump can't extract the NetFlow data.
I tried to update and recompile nfdump, but it doesn't work.
Port is open and working.
Time is set correctly on all machines.
Router configuration should also be all right, because I am receiving flows with other tools like nfsen.
I even captured NetFlow as a pcap file with tcpdump on that port, analyzed it with Wireshark, and it shows me NetFlow.
Any ideas how to fix that?
Re: No matched flows
Posted: Thu Feb 11, 2016 5:47 pm
by bwallace
On the NNA server, do you have your firewall/iptables/SELinux rules open to this traffic?
Reason I ask is that a tcpdump captures the packets before the kernel sees it. Since you've already confirmed via a tcpdump that this traffic is getting to the NNA server, I'm rather suspicious of the aforementioned items. If you haven't already, could you take a look at these settings to confirm that they are not blocking/dropping this traffic?
Re: No matched flows
Posted: Fri Feb 12, 2016 4:52 am
by hmaierh
bwallace wrote:On the NNA server, do you have your firewall/iptables/SELinux rules open to this traffic?
Reason I ask is that a tcpdump captures the packets before the kernel sees it. Since you've already confirmed via a tcpdump that this traffic is getting to the NNA server, I'm rather suspicious of the aforementioned items. If you haven't already, could you take a look at these settings to confirm that they are not blocking/dropping this traffic?
The firewall on the NNA server is turned off, and iptables accepts all. I checked the SELinux rules and they looked good.
But I will check the SELinux rules again.
Thank you for that advice.
Re: No matched flows
Posted: Fri Feb 12, 2016 12:11 pm
by bwallace
Thanks, definitely let us know what you find out.
Re: No matched flows
Posted: Tue Feb 16, 2016 1:52 am
by hmaierh
bwallace wrote:Thanks, definitely let us know what you find out.
Hi bwallace,
I disabled SELinux, so that no policy can block NNA, but it is still not detecting NetFlow.
I still believe that there is something wrong with nfdump/nfcapd, but reinstalling doesn't solve that issue.
Do you have any other ideas?
Re: No matched flows
Posted: Tue Feb 16, 2016 3:07 pm
by tgriep
What version of Nagios Network Analyzer are you running?
Can you provide any details on your OS? What distribution and version is it?
What make and model of equipment do you have sending the NetFlow data?
What version of NetFlow are you running on your equipment?
Can you log in as root on the NA server, run the following and post it here?
Thanks
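Two checks that follow from this thread, written as an added helper script (not part of the thread or of Nagios Network Analyzer): whether the nfcapd files in a directory are header-only (the 276-byte size hmaierh observed, assumed here to be the empty-file size), and whether anything is actually bound to the collector's UDP port. The directory, port and file-name pattern nfcapd.* are assumptions.

```shell
#!/bin/sh
# Added troubleshooting helper for empty nfcapd captures.
# Assumption: a file of EMPTY_SIZE bytes holds only the nfcapd header
# and no flow records, which is what "no matched flows" points at.
EMPTY_SIZE=276

# List every nfcapd.* file in $1 whose size is at or below $2 (default
# EMPTY_SIZE). Returns 1 if any such file exists, 0 if none, 2 if $1
# is not a directory.
find_empty_nfcapd() {
    dir=$1
    max=${2:-$EMPTY_SIZE}
    [ -d "$dir" ] || return 2
    found=0
    for f in "$dir"/nfcapd.*; do
        [ -f "$f" ] || continue
        size=$(wc -c < "$f" | tr -d ' ')
        if [ "$size" -le "$max" ]; then
            echo "$f ($size bytes): header only, no flow records"
            found=1
        fi
    done
    return $found
}

# Check whether a UDP socket is bound on port $1 (9995 in the thread).
# If tcpdump sees the packets but nothing is listening, the kernel
# discards them before nfcapd ever gets a chance to write records.
# Returns 0 if a listener is found, 1 if not, 2 if no tool is available.
udp_listener() {
    port=$1
    if command -v ss >/dev/null 2>&1; then
        ss -lun 2>/dev/null | grep -q ":$port " && return 0
        return 1
    elif command -v netstat >/dev/null 2>&1; then
        netstat -lun 2>/dev/null | grep -q ":$port " && return 0
        return 1
    fi
    return 2
}
```

Run `find_empty_nfcapd /path/to/nfcapd/files` and `udp_listener 9995`; a listener that exists while every file stays at 276 bytes points at packet filtering on the host rather than at nfcapd itself.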