Joe,
'flowd-reader -c' takes any flowd capture as input. If the capture contains IPv6, the output will include IPv6 addresses which'll break flow-import.
You can certainly use a subset of netflow-original (e.g., leave out L4 info if you like). Using more than netflow-original will just waste router/server CPU and export bandwidth since flowd silently drops other fields anyway. Think of flowd as a netflow-original + IPv6 collector...
Re sync issues... While the import is taking place, other scripts might mistakenly think the "ft-" file is complete when it's not. Here is a revised script that uses FT's "tmp-" file name to avoid that case:
#!/usr/bin/perl
# "flowd2ft" crontab script to move flowd capture files into flow-tools
use strict;
use warnings;
# -- flow-tools variables
our $ftImport = "/usr/local/netflow/bin/flow-import"; # where ft's flow-import is
our $ftDir = "/var/log/flow-tools-capture"; # where ft's capture files go
our $ftTZ = "-0500"; # timezone for ft capture files
our $ftPeriod = 300; # seconds per ft capture file and cron interval
# -- flowd variables
our $flowdReader = "/usr/local/bin/flowd-reader"; # where flowd-reader is
our $flowdConf = "/usr/local/etc/flowd.conf"; # where flowd.conf is
our $flowdHup = "USR1"; # SIGUSR1 tells flowd to reopen its logfile (signal name, so it works on Linux and BSD alike)
our ($flowdPid, $flowdLog);
### START OF NEW STUFF
# timestamp for this period's ft file name, e.g. ft-v05.2010-04-22.130400-0500
my ($sec, $min, $hour, $mday, $mon, $year) = localtime(time);
our $ftStem = sprintf("v05.%04d-%02d-%02d.%02d%02d%02d$ftTZ", $year + 1900, $mon + 1, $mday, $hour, $min, $sec);
our $ftFile = "tmp-$ftStem"; # flow-tools' own "in progress" name, so other scripts ignore it
our $ftFileFinal = "ft-$ftStem"; # renamed to this only once the import is complete
### END OF NEW STUFF
open(IN, $flowdConf) || die "Could not read $flowdConf: $!";
while ( <IN> ) {
    if (/^\s*logfile ["]?([^"\s]+)/) { $flowdLog = $1; }
    if (/^\s*pidfile ["]?([^"\s]+)/) { $flowdPid = $1; }
}
close(IN);
die "no logfile/pidfile found in $flowdConf" unless defined $flowdLog && defined $flowdPid;
exit if (! -s $flowdLog); # exit silently if there is no capture yet or it is empty
die "$flowdPid does not exist: $!" if (! -f $flowdPid);
my $pid = `cat $flowdPid`;
chomp($pid); # drop the trailing newline so kill gets a clean pid
`mv $flowdLog $flowdLog.tmp`; # rotate the capture out from under flowd ...
die "$flowdPid ($pid) invalid: $!" if (! kill $flowdHup, $pid); # ... and have flowd reopen a fresh logfile
# was "$flowImport" (undefined variable); the flow-tools binary is $ftImport
`$flowdReader -c $flowdLog.tmp | $ftImport -f 2 -V 5 -z 1 > $ftDir/$ftFile`;
unlink("$flowdLog.tmp");
`mv $ftDir/$ftFile $ftDir/$ftFileFinal`; ##### ALSO NEW
-Craig
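An added example, not from the thread or from flowd/flow-tools, for the IPv6 caveat above: a filter that drops IPv6 records from "flowd-reader -c" text output before it reaches flow-import, so a mixed capture no longer breaks the import. It assumes one comma-separated record per line with addresses in their usual textual form (an IPv6 record is then the only data line containing a colon); the exact column layout is not assumed, and the sample records are constructed.

```shell
#!/bin/sh
# strip_ipv6: read flowd-reader -c style records on stdin, write only IPv4
# records to stdout. Header/comment lines beginning with '#' pass through.
# Assumption: a data line contains a colon only if it holds an IPv6 address.
strip_ipv6() {
    awk '/^#/ { print; next } $0 !~ /:/ { print }'
}

# count_ipv6: report how many records were dropped, so the operator can tell
# whether the exporter is sending IPv6 that flow-tools will never store.
count_ipv6() {
    awk '!/^#/ && /:/ { n++ } END { print n + 0 }'
}

# Constructed sample (layout is illustrative, not flowd's exact column order):
# a header line, two IPv4 records and one IPv6 record.
SAMPLE='#:unix_secs,srcaddr,dstaddr,srcport,dstport,prot
1271955840,192.0.2.10,198.51.100.20,443,51234,6
1271955841,2001:db8::1,2001:db8::2,53,40000,17
1271955842,203.0.113.5,192.0.2.7,22,55555,6'

# In the flowd2ft pipeline this would sit between the reader and the importer:
#   $flowdReader -c $flowdLog.tmp | strip_ipv6 | $ftImport -f 2 -V 5 -z 1 > $ftDir/$ftFile
printf '%s\n' "$SAMPLE" | strip_ipv6
printf 'dropped %s IPv6 record(s)\n' "$(printf '%s\n' "$SAMPLE" | count_ipv6)"
```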
Post by Joe Loiacono
Craig,
Thanks for the 'flowd2ft' script to enable conversion between flowd V9 captures and flow-tools ft files ( http://mailman.splintered.net/pipermail/flow-tools/2009-March/003765.html )
Naturally it only supports V5 fields (use 'record netflow-original' when setting up Cisco flexible netflow).
Does this require that the exporter be set this way only? In other words, will 'flowd-reader -c' be able to take any v9 file and convert it for flow-tools (V5 only - which is OK), or just those exported with 'record netflow-original'?
Do you have to be careful syncing up the cron times with the flowd file times?
Many thanks!
Joe
Date: 04/22/2010 01:04 PM
Subject: Re: [Flow-tools] NetFlow v9 support in flow-tools?
________________________________
http://code.google.com/p/flow-tools/updates/list
Adding v9 to flow-tools is not that easy; the fixed-length file structure currently used doesn't lend itself to the arbitrary field/protocol capabilities of netflow v9. It's a substantial effort.
http://mailman.splintered.net/pipermail/flow-tools/2009-March/003765.html
-Craig
A colleague of mine mentioned the other day that he heard someone had updated flow-tools to support NetFlow v9. Truth? I can't find anything about such support.
--
Adam Powers
NetFlow Ninja & CTO
Lancope, Inc.
c. 678.725.1028
_______________________________________________
Flow-tools mailing list
http://mailman.splintered.net/mailman/listinfo/flow-tools