javadmohebbi
commented
2 years ago Hi @cvasiliu2001
Thank you for submitting issue. To investigate the issue, we need to run the following commands to gather some logs from our application.
1- You need to stop the netflow collector docker images
cd $HOME/oi24/nfcollector
docker-compose down2- Download the following logger tool and run int, wait form some minutes and after that, a file located in /tmp/nfcollector-dump.log (by default) will be created. You can change it using -out /path/to/your/log/file. Also if you are listening on different address other than default port :6859, you can change it using -addr command line option.
wget -O /tmp/nfcollector-logger https://github.com/javadmohebbi/goNfCollector/raw/main/build/linux/amd64/nfcollector-logger
chmod +x /tmp/nfcollector-logger
sudo /tmp/nfcollector-loggerThis file might include some confidential information like IP addresses, You can replace the confidential IP Addresses and the share it with me.
Regards
rcastro-uy
Hi Javad - great software...
I am trying to implement goNfCollector to get and analyze flows from a Fortigate device...
Issue: The goNfCollector does not process Fortigate v9 flows even if the flows from Fortigate are send and received on port ....
Investigations:
For testing I have used Netflow Generator (from Solarwind) and goNfCollector work very well with it.... I have used tcpdump and flows from Fortigate arrived on port (so there is no problem with configuration or routing or firewall)
I thought is was something related with V9 fields used by Fortigate, so I have used another flow-gatherer (goflow) with console outputs to see if there is any difference between flows received from Fortigate and flows received from Netflow Generator....
A dummy flow generated by Netflow Generated that is processed well by goNfCollector (captured with goflow):
Type:NETFLOW_V9 TimeReceived:1638574069 SequenceNum:10578 SamplingRate:0 SamplerAddress:10.X.X.X (modified) TimeFlowStart:1638574069 TimeFlowEnd:1638574069 Bytes:3000 Packets:10 SrcAddr:192.168.1.152 DstAddr:192.168.1.111 Etype:2048 Proto:6 SrcPort:38340 DstPort:443 InIf:6 OutIf:7 SrcMac:00:00:00:00:00:00 DstMac:00:00:00:00:00:00 SrcVlan:0 DstVlan:0 VlanId:0 IngressVrfID:0 EgressVrfID:0 IPTos:0 ForwardingStatus:0 IPTTL:0 TCPFlags:0 IcmpType:0 IcmpCode:0 IPv6FlowLabel:0 FragmentId:0 FragmentOffset:0 BiFlowDirection:0 SrcAS:49320 DstAS:49320 NextHop:1.1.1.2 NextHopAS:0 SrcNet:0 DstNet:0 HasEncap:false SrcAddrEncap:
DstAddrEncap:
ProtoEncap:0
EtypeEncap:0
IPTosEncap:0
IPTTLEncap:0
IPv6FlowLabelEncap:0
FragmentIdEncap:0
FragmentOffsetEncap:0
HasMPLS:false
MPLSCount:0
MPLS1TTL:0
MPLS1Label:0
MPLS2TTL:0,
MPLS2Label: 0,
MPLS3TTL:0
MPLS3Label:0
MPLSLastTTL:0
MPLSLastLabel:0
HasPPP:false
PPPAddressControl:0
vs A real flow generated by Fortigate that is not processed by goNfCollector (captured also with goflow):
Type:NETFLOW_V9 TimeReceived:1638573080 SequenceNum:239 SamplingRate:1 SamplerAddress:10.X.X.X (modified) TimeFlowStart:1638573075 TimeFlowEnd:1638573075 Bytes:40 Packets:1 SrcAddr:185.X.X.X (modified) DstAddr:10.X.X.X (modified) Etype:2048 Proto:6 SrcPort:9115 DstPort:56664 InIf:3 OutIf:18 SrcMac:00:00:00:00:00:00 DstMac:00:00:00:00:00:00 SrcVlan:0 DstVlan:0 VlanId:0 IngressVrfID:0 EgressVrfID:0 IPTos:0 ForwardingStatus:64 IPTTL:0 TCPFlags:0 IcmpType:0 IcmpCode:0 IPv6FlowLabel:0 FragmentId:0 FragmentOffset:0 BiFlowDirection:0 SrcAS:0 DstAS:0 NextHop:
NextHopAS:0
SrcNet:0
DstNet:0
HasEncap:false
SrcAddrEncap:
DstAddrEncap:
ProtoEncap:0
EtypeEncap:0
IPTosEncap:0
IPTTLEncap:0
IPv6FlowLabelEncap:0
FragmentIdEncap:0
FragmentOffsetEncap:0
HasMPLS:false
MPLSCount:0
MPLS1TTL:0
MPLS1Label:0
MPLS2TTL:0,
MPLS2Label: 0,
MPLS3TTL:0
MPLS3Label:0
MPLSLastTTL:0
MPLSLastLabel:0
HasPPP:false
PPPAddressControl:0
Both flows are captured with goflow on the same server where goNfCollector is also installed...
I didn't spot any difference between these two flows and I do not know how to continue...
Any help will be very much appreciated!
Cristi