PfFlowd not sending packets

donoreo

I have it set to go my PC at the moment, but it is not sending any packets.  I have confirmed this with Wireshark.

What should I check?  EDIT: aside from the obvious, it is running, I have even rebooted.

donoreo

Does anyone have it working?  It was suggested I use this since Ntop was broken and now it appears to be broken as well.

jimp

pfflowd starts up for me and sends packets, provided I filled out all of the fields on the page. Perhaps it's not leaving the interface you expect? For instance, did you fill in the source IP as your LAN IP if the destination IP is your LAN IP?

I just filled in the fields and directed it at an IP and port 9999 and tried a few connections, and I see it sending data.

11:21:17.196784 IP 192.168.197.148.38793 > 192.168.197.135.9999: UDP, length 208
11:21:17.198949 IP 192.168.197.148.38793 > 192.168.197.135.9999: UDP, length 116
11:21:17.200322 IP 192.168.197.148.38793 > 192.168.197.135.9999: UDP, length 116

Here is what it looks like in the process list when it's running.

root   40285  0.0  0.2  2912   816  ??  Ss   11:18AM   0:00.00 /usr/local/sbin/pfflowd -n 192.168.197.135:9999 -s 192.168.197.148 -S any -v 9

donoreo

@jimp:

pfflowd starts up for me and sends packets, provided I filled out all of the fields on the page. Perhaps it's not leaving the interface you expect? For instance, did you fill in the source IP as your LAN IP if the destination IP is your LAN IP?

I just filled in the fields and directed it at an IP and port 9999 and tried a few connections, and I see it sending data.

11:21:17.196784 IP 192.168.197.148.38793 > 192.168.197.135.9999: UDP, length 208
11:21:17.198949 IP 192.168.197.148.38793 > 192.168.197.135.9999: UDP, length 116
11:21:17.200322 IP 192.168.197.148.38793 > 192.168.197.135.9999: UDP, length 116

Here is what it looks like in the process list when it's running.

root   40285  0.0  0.2  2912   816  ??  Ss   11:18AM   0:00.00 /usr/local/sbin/pfflowd -n 192.168.197.135:9999 -s 192.168.197.148 -S any -v 9

My PFsense is in bridge mode.  It only has one IP.  The source IP is that IP, the host is the machine I want it sent to.  I have Any, LAN and WAN in the direction field and all versions of netflow.  I can see it running on the command line, it looks just like yours, aside from the obvious IP address difference, but nothing it being sent.

jimp

Not sure how a bridge might interact with that, but have you used tcpdump on both the "wan" and "lan" side when looking for the netflow packets?

donoreo

@jimp:

Not sure how a bridge might interact with that, but have you used tcpdump on both the "wan" and "lan" side when looking for the netflow packets?

I do not know how to do that really, but I am currently running tcpdump grepped looking for 9996 and nothing on that port number is showing up.

tcpdump | grep 9996 is what I ran.

jimp

Try:

tcpdump -ni <wan interface=""> port 9996</wan>

Where <wan interface="">is the physical WAN interface, like em0, vr1, etc.
If that doesn't find anything, use the LAN interface.

Or just use Diagnostics > Packet capture and fill in the box to filter by port.</wan>

donoreo

Nothing.  I tried bge0, bge1, bridge0, nothing.  Diagnostics did the same thing.

This is really annoying.  I have been trying for weeks now to find something that I can use to track our internet usage and can find…nothing!

donoreo

Should I file a bug report?

jimp

Unfortunately I can't replicate your issue, it works for me when I set it up.

It's a little more manual process but you could try softflowd
http://doc.pfsense.org/index.php/Exporting_NetFlow_with_softflowd

donoreo

That was going to be my next step.

You are not testing in Bridge mode though.  That can be considered it's own bug.

jimp

Actually I am testing in bridge mode as well as normal mode. I get netflow packets either way.

It does appear that the collector system had to be online before the packets started going though.

donoreo

What were you using as a collector?

jimp

Nothing at the moment, just sending the packets at a random BSD VM.

donoreo

@jimp:

Nothing at the moment, just sending the packets at a random BSD VM.

Sorry, I thought you meant the collector software.  I have been sending to my own PC and still nothing.

donoreo

Softlowd is sending packets.

One question, the doc says this:

Launching softflowd

To launch softflowd at boot time, backup your configuration, and above the line, add the following line.
<shellcmd>softflowd -i em0 -v 5 -m 50000 -n 10.0.0.100:9999</shellcmd>

What file is it referring to?  I am not familiar enough with BSD, more of a Linux guy.

jimp

Ignore that bit, install the shellcmd package and add it there. It's in the raw config.xml, and the shellcmd package can maintain that entry for you rather than editing the config xml manually.

cmb

The way some applications bind, they don't function entirely correctly with bridging unless the IP they're using is on the bridge itself (which is only supported in 2.0), I suspect that's what you're seeing here. The only thing I've seen to date that has issues in that scenario is nmap but other applications likely have the same issue.