aabc / ipt-netflow

Netflow iptables module for Linux kernel (official)
https://github.com/aabc/ipt-netflow

nfdump shows all flows with packets and bytes 0 #159

Open laoshaw opened 3 years ago

laoshaw commented 3 years ago

Just installed ipt-netflow and got it running; nfdump reports many flows, but all their packets and bytes are 0 while flows is 1:

Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2020-12-01 22:36:22.556     0.000 TCP      192.168.1.2:53114 ->    3.231.217.16:443          0        0     1
2020-12-01 22:36:22.556     0.000 TCP      192.168.1.2:53116 ->    3.231.217.16:443          0        0     1
2020-12-01 22:36:22.804     0.000 TCP      192.168.1.2:53118 ->    3.231.217.16:443          0        0     1

How to get non-zero statistic data shown for each flow?

Additionally, my ipt_netflow_flows is always empty:

cat /proc/net/stat/ipt_netflow_flows 
# hash a dev:i,o snmp:i,o mac:src,dst vlan type proto src:ip,port dst:ip,port nexthop tos,tcpflags,options,tcpoptions packets bytes ts:first,last
<blank>
aabc commented 3 years ago

I cannot help you with configuring nfdump since I have never used it.

To see the flows you need to add rules with the NETFLOW target into the desired iptables chains. For example: iptables -I INPUT -j NETFLOW, iptables -I FORWARD -j NETFLOW.

laoshaw commented 3 years ago

Yes, I set the iptables chain up (iptables -N NETFLOW, iptables -I INPUT -j NETFLOW, iptables -I FORWARD -j NETFLOW, iptables -I OUTPUT -j NETFLOW), otherwise nfdump (the open source command-line collector) would see nothing from ipt-netflow. It appears all is working except that there is no info about packet/byte counts; /proc/net/nf_conntrack has the used packets/bytes per flow as expected.

blue212121 commented 1 year ago

Hello

Did you ever figure this out? I did a capture and it seems ipt-netflow does not send the information (my guess is some kernel/dependency mismatch, but I haven't had time to troubleshoot yet).

From captured netflow packet: Packets: 0 Octets: 0

blue212121 commented 1 year ago

Figured out what the problem was on my end

libipt_NETFLOW.so and libip6t_NETFLOW.so never got copied to /usr/lib/x86_64-linux-gnu/xtables/

cp libipt_NETFLOW.so /usr/lib/x86_64-linux-gnu/xtables/
cp libip6t_NETFLOW.so /usr/lib/x86_64-linux-gnu/xtables/

After issuing these two commands and then reloading the module, it works as expected on my end.
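The thread ends with two findings that are easy to check mechanically: the user-space xtables extension (libipt_NETFLOW.so / libip6t_NETFLOW.so) was never installed, and the ruleset used a user-defined chain named NETFLOW alongside `-j NETFLOW`. Those two interact: iptables resolves `-j NAME` as a target extension when it can load one, and otherwise as a jump to a chain called NAME. With the extension library missing, `iptables -I INPUT -j NETFLOW` is only accepted if a chain NETFLOW exists, and then it is a jump into that (empty) chain, so no packet ever reaches the ipt_netflow module even though the rules look right in `iptables -S`. The script below is an added diagnostic written for this page, not part of ipt-netflow or iptables; it assumes `pkg-config` can report `xtlibdir` from xtables.pc (falling back to the Debian/Ubuntu path from the comment above) and reads the ruleset as `iptables -S` output on stdin. The sample rulesets in the comments are constructed.

```shell
#!/bin/sh
# Added diagnostic (not ipt-netflow's own code) for the failure mode in this issue:
#  1. are libipt_NETFLOW.so and libip6t_NETFLOW.so where iptables loads extensions from?
#  2. does "-j NETFLOW" in the live ruleset hit the NETFLOW target, or a
#     user-defined chain that merely shares the name?
# Assumption: pkg-config with xtables.pc is available for the xtlibdir lookup.

# Directory iptables loads extensions from: XTABLES_LIBDIR (honoured by iptables)
# first, then pkg-config, then the multiarch path quoted in the thread.
xtables_dir() {
    if [ -n "$XTABLES_LIBDIR" ]; then
        printf '%s\n' "$XTABLES_LIBDIR"
    elif d=$(pkg-config --variable=xtlibdir xtables 2>/dev/null) && [ -n "$d" ]; then
        printf '%s\n' "$d"
    else
        printf '%s\n' /usr/lib/x86_64-linux-gnu/xtables
    fi
}

# Return 0 if both NETFLOW extension libraries exist in $1 (default: xtables_dir).
netflow_libs_installed() {
    dir=${1:-$(xtables_dir)}
    [ -f "$dir/libipt_NETFLOW.so" ] && [ -f "$dir/libip6t_NETFLOW.so" ]
}

# stdin: "iptables -S" output. Return 0 if a user-defined chain NETFLOW exists.
# If it does, every "-j NETFLOW" is a jump into that chain, not the NETFLOW
# target, and the ipt_netflow module never sees a packet.
netflow_is_user_chain() {
    grep -q '^-N NETFLOW$'
}

# stdin: "iptables -S" output. Print how many rules jump to NETFLOW (0 if none).
count_netflow_rules() {
    grep -c -- '-j NETFLOW$' || true
}

# $1: xtables dir to inspect (default: xtables_dir); stdin: "iptables -S" output.
# Return 0 when the setup looks right, 1 otherwise; reasons go to stderr.
diagnose() {
    dir=${1:-$(xtables_dir)}
    ruleset=$(cat)
    ok=0
    if ! netflow_libs_installed "$dir"; then
        echo "libipt_NETFLOW.so / libip6t_NETFLOW.so missing from $dir (copy them there from the ipt-netflow build)" >&2
        ok=1
    fi
    if printf '%s\n' "$ruleset" | netflow_is_user_chain; then
        echo "chain NETFLOW exists: '-j NETFLOW' jumps to it instead of the NETFLOW target (remove the jumps, then iptables -X NETFLOW, then re-add the jumps)" >&2
        ok=1
    fi
    if [ "$(printf '%s\n' "$ruleset" | count_netflow_rules)" -eq 0 ]; then
        echo "no rule jumps to NETFLOW (e.g. iptables -I INPUT -j NETFLOW)" >&2
        ok=1
    fi
    return $ok
}

# Live use as root:  sh netflow-check.sh --live
# Example constructed ruleset that reproduces the thread's symptom:
#   -N NETFLOW
#   -A INPUT -j NETFLOW
#   -A FORWARD -j NETFLOW
case "${1:-}" in
    --live) iptables -S | diagnose ;;
esac
```

Once the libraries are in place and the NETFLOW chain is gone, `iptables -S` looks identical to before (`-A INPUT -j NETFLOW`), which is why the misconfiguration is invisible from the rule listing alone; /proc/net/stat/ipt_netflow_flows filling up is the confirmation that packets now reach the module.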