[Ntop] No data in Netflow on FreeBSD 7.0
Gary Gatten
Ggatten at waddell.com
Fri Apr 30 02:22:15 CEST 2010
I used to run on FBSD 6, but now RHEL5 so don't know first hand of issues with FBSD anymore. My understanding is it *works* fine. I know there is some logic in the code to do some things differently if OS is FBSD, maybe that is broken? If you like source, there are several places in the code to enable DEBUG output, starting in globals-defines.h, but also within the netflow plugin module code. It will spew a $HITLOAD of messages, so maybe build it with a different prefix and only run for a few seconds. I'll try to think of something else.... MAYBE try the port just to see if it works and if so diff the code?
----- Original Message -----
From: ntop-bounces at listgateway.unipi.it <ntop-bounces at listgateway.unipi.it>
To: ntop at unipi.it <ntop at unipi.it>
Sent: Thu Apr 29 18:55:34 2010
Subject: Re: [Ntop] No data in Netflow on FreeBSD 7.0
Thanks for the quick reply(s)
"Sounds like you tried most everything."
<sigh> yeah, that's what I thought.
Interface is selected. Netflow statistics says 1 packet in, 1 out, 40
bytes, 1 flow. Nothing in any of the v1/v5/v9 rows, nothing except "1
flow processed" in the Discarded section.
running as root, with -t 5 doesn't show me anything I can identify as a
problem - This is the log section that seems most relevant:
Apr 29 19:40:30 netmon ntop[37164]: Now running as requested user 'root' (0:0)
Apr 29 19:40:30 netmon ntop[37164]: Device 0. em0 (active)
Apr 29 19:40:30 netmon ntop[37164]: Device 1. NetFlow-device.2 (active)
Apr 29 19:40:30 netmon ntop[37164]: Note: Reporting device initally set to 1 [NetFlow-device.2]
Apr 29 19:40:30 netmon ntop[37164]: MEMORY: Base interface structure (no hashes loaded) is 0.33MB each
Apr 29 19:40:30 netmon ntop[37164]: MEMORY: or 0.65MB for 2 interfaces
Apr 29 19:40:30 netmon ntop[37164]: MEMORY: ipTraffixMatrix structure (no TrafficEntry loaded) is 0.36MB
Apr 29 19:40:30 netmon ntop[37164]: THREADMGMT[t34412171552]: ntop RUNSTATE: RUN(4)
Apr 29 19:40:30 netmon ntop[37164]: THREADMGMT[t34412176704]: NPS(1): Started thread for network packet sniffing [em0]
Apr 29 19:40:30 netmon ntop[37164]: THREADMGMT[t34412176704]: NPS(em0): pcapDispatch thread starting [p37164]
Apr 29 19:40:30 netmon ntop[37164]: THREADMGMT[t34412175968]: NETFLOW: (port 9990) thread running [p37164]
and:
Apr 29 19:40:55 netmon ntop[37164]: RRD: Cycle 0 ended, 38 RRDs updated, 0.037 seconds
Apr 29 19:40:55 netmon ntop[37164]: RRD_DEBUG: Sleeping for 300 seconds (interval 300, end at Thu Apr 29 19:45:55 2010)
Apr 29 19:43:04 netmon ntop[37164]: SECURITY: Loading items table
Apr 29 19:45:57 netmon ntop[37164]: RRD: Cycle 1 ended, 18 RRDs updated, 0.006 seconds
tim
On 04/29/2010 06:32 PM, Gary Gatten wrote:
> Also, try running as root to rule out perms and maybe start with -t 5 and hope to get some useful messages in the log.
>
> -----Original Message-----
> From: ntop-bounces at listgateway.unipi.it [mailto:ntop-bounces at listgateway.unipi.it] On Behalf Of Gary Gatten
> Sent: Thursday, April 29, 2010 4:58 PM
> To: 'ntop at unipi.it'
> Subject: Re: [Ntop] No data in Netflow on FreeBSD 7.0
>
> Sounds like you tried most everything.
>
> What does "Plugins> Netflow> Statistics" show?
>
> Also, have you "Selected" the interface? "Admin> Switch NIC" and actually choose your netflow interface?
>
> G
>
>
> -----Original Message-----
> From: ntop-bounces at listgateway.unipi.it [mailto:ntop-bounces at listgateway.unipi.it] On Behalf Of Tim Palmer
> Sent: Thursday, April 29, 2010 4:34 PM
> To: ntop at listgateway.unipi.it
> Subject: [Ntop] No data in Netflow on FreeBSD 7.0
>
> Good Day,
>
> I'm trying to get ntop working on a FreeBSD 7.0 amd64 box. I've had
> problems compiling 3.3.10, so tried 3.4pre3.
>
> I'm only interested in seeing data on a NetFlow interface. Nothing local
> is needed. However, I'm seeing similar behavior on eth0, only the
> Traffic Statistics table on the Summary Traffic page shows very many
> packets dropped by libpcap.
>
> Compile and installation work fine. Ntop starts fine, web interface is
> fully functional. Netflow plugin is enabled and active. But there is
> only one packet shown for the NetFlow device, no packets dropped by
> ntop. I *believe* I've tried all ip address configuration options. Most
> other settings are default. Running in daemon mode does not produce any
> warnings on the console. Listen port is not default, and I've configured
> in the web UI, not spec
>
> started with {prefix}/bin/ntop -w 81 -u ntop -L -d
>
> tcpdump shows data coming in on the port I'm expecting it. Ethereal
> confirms they are legit netflow/cflow packets.
>
> sockstat shows ntop listening on the udp4 port expected.
>
> disabling ipfw doesn't help.
>
> Files are created in {prefix}/var/ntop/rrd/interfaces/NetFlow-device.2.
> They are being updated, but only with NANs or 0.000 entries.
>
> Netflow statistics page in the web UI shows just the one packet,
> 56bytes. No dropped flows or other problems.
>
> We prefer to compile from source, so haven't tried the port yet.
>
> rrdtool is 1.4, compiled from source. Cacti is also on this box, and has
> no problem w/ rrdtool.
> perl is 5.10.0
>
> flow-capture is also in use on this box (for other devices, on other
> ports) and is working properly.
>
> I'm at a loss. If there's more information I can provide, I am most
> happy to do so.
>
> Kernel is custom. I have not yet tried with GENERIC, but will try that next.
>
> FreeBSD xxx.xxx.xxx 7.0-RELEASE-p12 FreeBSD 7.0-RELEASE-p12 #0: Wed Apr
> 28 17:46:20 EDT 2010 xxx at xxx.xxx.xxx:/usr/obj/usr/src/sys/NETMON amd64
>
> Thank you very much for your time. I'm sort of hoping this is just
> something stupid I'm missing.
>
> Tim Palmer
> _______________________________________________
> Ntop mailing list
> Ntop at listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop