Pfflowd stopped status

leap

Dear all,

I just installed pfflowd with 1.0.1 Snapshot 03-27-2007, I tried to start it manually still stopped at service page.

Anyone can help me

buraglio

I think I need to know more about your failure mode, I can't recreate it.  A new install with the pfflowd package starts fine for me.

ps -auxww | grep flow

nobody 26485  0.0  0.4  1556  1136  ??  Ss    8:21AM  0:00.00 /usr/local/sbin/pfflowd -n 10.142.235.151:6996 -S any -v 5

Does it start and not work immediately or just after a reboot?  How are you determining failure? 
Can you start it from the CLI by the startup script?  /usr/local/etc/rc.d/pfflowd.sh
Can you start the command manually by running the full command?

@leap:

Dear all,

I just installed pfflowd with 1.0.1 Snapshot 03-27-2007, I tried to start it manually still stopped at service page.

Anyone can help me

dupuyol

Actually, we got pfflowd to start.  However, we are only getting IN Traffic information and not OUT traffic.

Any idea of what may be going wrong?

TIA

cmb

I can't seem to recreate the problem with only getting one direction of traffic. Like here's a snip of nfdump output from my netflow collector. Is this not what you're seeing?

2007-06-02 13:42:30.096  139.000 TCP      209.97.34.40:80    ->      10.0.64.15:52053        5    1269    1
2007-06-02 13:42:30.096  139.000 TCP        10.0.64.15:52054 ->    209.97.34.40:80          6    1699    1
2007-06-02 13:42:30.096  139.000 TCP      209.97.34.40:80    ->      10.0.64.15:52054        5    1249    1
2007-06-02 13:42:30.096  139.000 TCP        10.0.64.15:52054 ->    209.97.34.40:80          6    1699    1
2007-06-02 13:42:30.096  139.000 TCP      209.97.34.40:80    ->      10.0.64.15:52054        5    1249    1
2007-06-02 13:42:30.096  139.000 TCP        10.0.64.15:52055 ->  159.54.228.148:80          14    1003    1
2007-06-02 13:42:30.096  139.000 TCP    159.54.228.148:80    ->      10.0.64.15:52055      22    22911    1
2007-06-02 13:42:30.096  139.000 TCP        10.0.64.15:52055 ->  159.54.228.148:80          14    1003    1
2007-06-02 13:42:30.096  139.000 TCP    159.54.228.148:80    ->      10.0.64.15:52055      22    22911    1
2007-06-02 13:32:45.096  724.000 TCP        10.0.64.15:51925 ->  64.233.167.147:80        121    54924    1
2007-06-02 13:32:45.096  724.000 TCP    64.233.167.147:80    ->      10.0.64.15:51925      121    37386    1

compudaze

I don't get any out traffic as well.

buraglio

How is pfflowd configured?  I can't seem to recreate the failure.

compudaze

Configured via webGUI:

• Host: x.x.x.x
• Port: 9996
• pf rule direction restriction: Any
• Netflow version: 5

I'm using ManageEngine NetFlow Analyzer on the server configured as the host.

buraglio

And if you stop and restart the service it still gives unidirectional flows?  I'm not familiar with that particular collector, but with flow-tools and nfdump I cannot recreate the failure.

cmb

The package on 1.2.1 has a patch that shows all traffic, previously because of the way it relies on the state table it didn't always track everything. Give 1.2.1 a shot and report back.

buraglio

Yeah, it does have a dependency on the state table.  It could be the case that the way my default rules are they just lend the,selves to the pfflowd process.