Softflowd not exporting all flows to ntop

[vostorga]

Good day. Currently I have a setup like the following: Network device (192.168.0.10) sending netflows to remote port 4000 ==> Linux Host (192.168.0.65) running softflowd and ntop ; softflowd is sending them to 192.168.0.65:4500

I've build softflowd in Linux x86_64 using the following:

git clone https://github.com/irino/softflowd.git cd softflowd/ autoconf autoreconf --install ./configure --enable-ntopng make make install

And executing softflow using

softflowd -v ntopng -i ens3 -n 192.168.0.65:4500 -d -D -N -R 4000 -P tcp -T full

In ntop I'm just seeing a few flows mostly related to own network broadcast .

softflowctl shows the following:

softflowctl statistics softflowd[8429]: Accumulated statistics since 2020-05-08T21:40:24 UTC: Number of active flows: 393 Packets processed: 13325 Fragments: 0 Ignored packets: 293 (293 non-IP, 0 too short) Flows expired: 2 (0 forced) Flows exported: 0 (2 records) in 2 packets (0 failures) Packets received by libpcap: 13618 Packets dropped by libpcap: 0 Packets dropped by interface: 0

Expired flow statistics: minimum average maximum Flow bytes: 410 1560 2709 Flow packets: 8 9 10 Duration: 0.28s 16.16s 32.03s

Expired flow reasons: tcp = 0 tcp.rst = 2 tcp.fin = 0 udp = 0 icmp = 0 general = 0 maxlife = 0 over 2 GiB = 0 maxflows = 0 flushed = 0

Per-protocol statistics: Octets Packets Avg Life Max Life tcp (6): 3119 18 16.16s 32.03s

I have checked the following:

• Making sure there is incoming traffic from network device
• Making sure ntop created tcp socket 192.168.0.65:4500
• Running softflowd in debug mode and seeing lots of traffic

Please your guide on this , I am surely misunderstanding how softflowd receives traffic and send it to ntop,

[irino]

Hmm, I don't know detail about your situation. However If the statistics of your softflowctl shows 2 expired flow and ntop displays 2 flows, It is expected behavior of softflowd

[irino]

Can I close this issue?

[vostorga]

Functionality of exporting flows to ntop doesnt work. I have tried with a device that sends 150 flows per second all the time.

On Fri, May 15, 2020, 8:58 PM Hitoshi Irino notifications@github.com wrote:

Can I close this issue?

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/irino/softflowd/issues/25#issuecomment-629578512, or unsubscribe https://github.com/notifications/unsubscribe-auth/AD5RHJOQPILHZGEG4DP2QB3RRX6M3ANCNFSM4M4PZG7Q .

[irino]

Ah, I understood your environment miss-configuration. -R option means receiving PSAMP. It is not netflow receiving port. If you want to display netflow data on ntop, you should send netflow from device to ntop directly.

[vostorga]

Thanks for your reply.

As netflow receiving port functionality doesnt exist, you may close this ticket.

On Sat, May 16, 2020, 6:59 AM Hitoshi Irino notifications@github.com wrote:

Ah, I understood your environment miss-configuration. -R option means receiving PSAMP. It is not netflow receiving port. If you want to display netflow data on ntop, you should send netflow from device to ntop directly.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/irino/softflowd/issues/25#issuecomment-629642014, or unsubscribe https://github.com/notifications/unsubscribe-auth/AD5RHJO7UU2CA27VDWPBQC3RR2E35ANCNFSM4M4PZG7Q .