4 Replies Latest reply on Feb 9, 2012 5:17 PM by rkidder

    NetFlow from Linux OpenSuse

    trinitron

      Hi. I have installed fprobe on Linux Open Suse as a NetFlow sensor from my interfaces. When I added my Linux machine to my NTA, I see this error: You have not enabled NetFlow data export on *.253.*.142 device. For more information, see "Enabling NetFlow and NetFlow Data Export (NDE) on Cisco Catalyst Switches" in the Support - Product Documentation area of www.solarwinds.com. But I can't find any information about enabling NDE on Linux machines. Can anyone help me with this question?

      By the way, are there any recommendations for configuring Orion SolarWinds NTA to receive NetFlow from Linux machines?

      Does anybody have experience with this?

      So I have a picture as below at my NTA (version 3.5 SP2)

      Thank You

        • Re: NetFlow from Linux OpenSuse
          GZhytar

          trinitron,

          this message appears when both the Input and Output interface SNMP indexes in a NetFlow PDU exported by the router are equal to 0.

          But from what I see in the screenshot, you should have correct data when you drill down to the eth0 interface.

          One of the options is to run a packet capture tool like WireShark on the NTA box and capture and analyze the packets exported from your Linux machine. Ensure that data is exported with correct SNMP indexes, or configure the NetFlow exporter module correctly if they are not. Hope that our brilliant community folks will give you advice on how to do that.

          thanks

            • Re: NetFlow from Linux OpenSuse
              trinitron

              But what I see from the screenshot you should have correct data when drill down to the eth0 interface.

              Thanks for answer.

              Please explain what you mean.

              Do you mean that fprobe sends incorrect NetFlow packets? But how is that possible? Fprobe sends NetFlow v.5 datagrams - I can see it when I capture traffic on Linux with Wireshark

                • Re: NetFlow from Linux OpenSuse
                  GZhytar

                  trinitron,

                  I've attached a screenshot of a NetFlow packet decoded by WireShark. You can see that for that packet Input interface index = 2 and Output interface index = 1. You can capture your NetFlow traffic at the NTA box using WireShark and check that data is exported with correct SNMP indexes.

                  To filter packets that have both indexes equal to 0 you can e.g. use WireShark display filter condition: (cflow.outputint == 0) && (cflow.inputint == 0)

                   

                  hope this helped.

                   

                    • Re: NetFlow from Linux OpenSuse
                      rkidder

                      I was experiencing this same issue with fprobe and it was in fact related to the SNMP interface index. In my case, I was attempting to see netflow traffic between the interface eth1 and ipip0 so I used snmpwalk to determine the interface indices like so:

                      snmpwalk -v2c -c community linuxbox iso.3.6.1.2.1.2.2.1.2

                      which returned the results:

                      iso.3.6.1.2.1.2.2.1.2.1 = STRING: "lo"
                      iso.3.6.1.2.1.2.2.1.2.2 = STRING: "eth0"
                      iso.3.6.1.2.1.2.2.1.2.3 = STRING: "eth1"
                      iso.3.6.1.2.1.2.2.1.2.4 = STRING: "tunl0"
                      iso.3.6.1.2.1.2.2.1.2.5 = STRING: "ipip0"

                      In the output above, eth1 is at index 3 and ipip0 is at index 5 so I modified the startup arguments for fprobe to include "-x3:5" and that did the trick.
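
Added example (not part of any reply in this thread): a small Python check that parses a NetFlow v5 export datagram and lists the flow records whose input and output interface indexes are both 0, the same condition as the Wireshark display filter quoted above. The field layout is the standard NetFlow v5 header and record format; the addresses, counters and the `build_sample` helper are constructed for illustration.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Return (src, dst, input_ifindex, output_ifindex) for each flow record."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("datagram truncated: header count exceeds payload")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        # f[0]=srcaddr, f[1]=dstaddr, f[3]=input ifIndex, f[4]=output ifIndex
        flows.append((socket.inet_ntoa(f[0]), socket.inet_ntoa(f[1]), f[3], f[4]))
    return flows

def zero_index_flows(datagram):
    """Flows with input == output == 0 (the condition that triggers the NTA message)."""
    return [f for f in parse_v5(datagram) if f[2] == 0 and f[3] == 0]

def build_sample(records):
    """Constructed test datagram; records is a list of (src, dst, in_idx, out_idx)."""
    out = HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    for src, dst, in_idx, out_idx in records:
        out += RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                           in_idx, out_idx, 10, 840, 0, 0, 40000, 443,
                           0, 0x18, 6, 0, 0, 0, 0, 0, 0)
    return out

if __name__ == "__main__":
    # Constructed sample: one record as an exporter without an index mapping would
    # send it, one as sent after setting indexes 3 and 5 as in the last reply.
    sample = build_sample([("192.0.2.10", "198.51.100.7", 0, 0),
                           ("192.0.2.10", "198.51.100.7", 3, 5)])
    for flow in parse_v5(sample):
        note = "<- both indexes 0" if flow[2] == 0 and flow[3] == 0 else ""
        print(flow, note)
```

To run it against live exports, pass each UDP payload received on the collector port to `zero_index_flows`.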