PfFlowd not sending packets
-
I have it set to go my PC at the moment, but it is not sending any packets. I have confirmed this with Wireshark.
What should I check? EDIT: aside from the obvious, it is running, I have even rebooted.
-
Does anyone have it working? It was suggested I use this since Ntop was broken and now it appears to be broken as well.
-
pfflowd starts up for me and sends packets, provided I filled out all of the fields on the page. Perhaps it's not leaving the interface you expect? For instance, did you fill in the source IP as your LAN IP if the destination IP is your LAN IP?
I just filled in the fields and directed it at an IP and port 9999 and tried a few connections, and I see it sending data.
11:21:17.196784 IP 192.168.197.148.38793 > 192.168.197.135.9999: UDP, length 208 11:21:17.198949 IP 192.168.197.148.38793 > 192.168.197.135.9999: UDP, length 116 11:21:17.200322 IP 192.168.197.148.38793 > 192.168.197.135.9999: UDP, length 116Here is what it looks like in the process list when it's running.
root 40285 0.0 0.2 2912 816 ?? Ss 11:18AM 0:00.00 /usr/local/sbin/pfflowd -n 192.168.197.135:9999 -s 192.168.197.148 -S any -v 9
-
pfflowd starts up for me and sends packets, provided I filled out all of the fields on the page. Perhaps it's not leaving the interface you expect? For instance, did you fill in the source IP as your LAN IP if the destination IP is your LAN IP?
I just filled in the fields and directed it at an IP and port 9999 and tried a few connections, and I see it sending data.
11:21:17.196784 IP 192.168.197.148.38793 > 192.168.197.135.9999: UDP, length 208 11:21:17.198949 IP 192.168.197.148.38793 > 192.168.197.135.9999: UDP, length 116 11:21:17.200322 IP 192.168.197.148.38793 > 192.168.197.135.9999: UDP, length 116Here is what it looks like in the process list when it's running.
root 40285 0.0 0.2 2912 816 ?? Ss 11:18AM 0:00.00 /usr/local/sbin/pfflowd -n 192.168.197.135:9999 -s 192.168.197.148 -S any -v 9My PFsense is in bridge mode. It only has one IP. The source IP is that IP, the host is the machine I want it sent to. I have Any, LAN and WAN in the direction field and all versions of netflow. I can see it running on the command line, it looks just like yours, aside from the obvious IP address difference, but nothing it being sent.
-
Not sure how a bridge might interact with that, but have you used tcpdump on both the "wan" and "lan" side when looking for the netflow packets?
-
Not sure how a bridge might interact with that, but have you used tcpdump on both the "wan" and "lan" side when looking for the netflow packets?
I do not know how to do that really, but I am currently running tcpdump grepped looking for 9996 and nothing on that port number is showing up.
tcpdump | grep 9996 is what I ran.
-
Try:
tcpdump -ni <wan interface=""> port 9996</wan>Where <wan interface="">is the physical WAN interface, like em0, vr1, etc.
If that doesn't find anything, use the LAN interface.Or just use Diagnostics > Packet capture and fill in the box to filter by port.</wan>
-
Nothing. I tried bge0, bge1, bridge0, nothing. Diagnostics did the same thing.
This is really annoying. I have been trying for weeks now to find something that I can use to track our internet usage and can find…nothing!
-
Should I file a bug report?
-
Unfortunately I can't replicate your issue, it works for me when I set it up.
It's a little more manual process but you could try softflowd
http://doc.pfsense.org/index.php/Exporting_NetFlow_with_softflowd
-
That was going to be my next step.
You are not testing in Bridge mode though. That can be considered it's own bug.
-
Actually I am testing in bridge mode as well as normal mode. I get netflow packets either way.
It does appear that the collector system had to be online before the packets started going though.
-
What were you using as a collector?
-
Nothing at the moment, just sending the packets at a random BSD VM.
-
Nothing at the moment, just sending the packets at a random BSD VM.
Sorry, I thought you meant the collector software. I have been sending to my own PC and still nothing.
-
Softlowd is sending packets.
One question, the doc says this:
Launching softflowd
To launch softflowd at boot time, backup your configuration, and above the line, add the following line.
<shellcmd>softflowd -i em0 -v 5 -m 50000 -n 10.0.0.100:9999</shellcmd>What file is it referring to? I am not familiar enough with BSD, more of a Linux guy.
-
Ignore that bit, install the shellcmd package and add it there. It's in the raw config.xml, and the shellcmd package can maintain that entry for you rather than editing the config xml manually.
-
The way some applications bind, they don't function entirely correctly with bridging unless the IP they're using is on the bridge itself (which is only supported in 2.0), I suspect that's what you're seeing here. The only thing I've seen to date that has issues in that scenario is nmap but other applications likely have the same issue.
