[netsa-tools-discuss] none fire walled port showing closed in sockstat

Christoper Holland christech at skyviewtech.com
Tue Sep 9 18:39:20 EDT 2014 

New to silk. been going through the install and config. I believe 
sensor.conf and silk.conf are set up properly. I start rwflowpack or 
flowcap I'm not seeing data. I've checked my router and it is sending 
netflow to the correct udp port assigned in sensor.conf. port is open on 
iptables.

Server is running Debian Wheezy. Interface for flow traffic is eth2. ip 
of nic 169.xxx.xxx.135. ip of router sending flows 169.xxx.xxx.145. 
Single server configuration receiving flow data from cisco router.

My issue is that when I check sockstat it shows rwflowpack or flowcap 
binding to the udp port, but shows closed instead of listing or established.

# sensor.conf ####

using bogus ip's as example

probe b2 netflow-v5
         listen-on-port 2051
         listen-as-host 169.xxx.xxx.135
         accept-from-host 169.xxx.xxx.145
         protocol udp
end probe

sensor b2
         netflow-v5-probes b2
         external-interface 5, 6
         internal-interface remainder
end sensor

# silk.conf ####


sensor 0 b2

class all
     sensors b2
end class

# Editing above this line is sufficient for sensor definition.

# Be sure you understand the workings of the packing system before
# editing the class and type definitions below.  In particular, if you
# change or add-to the following, the C code in packlogic-twoway.c
# will need to change as well.

class all
     type  0 in      in
     type  1 out     out
     type  2 inweb   iw
     type  3 outweb  ow
     type  4 innull  innull
     type  5 outnull outnull
     type  6 int2int int2int
     type  7 ext2ext ext2ext
     type  8 inicmp  inicmp
     type  9 outicmp outicmp
     type 10 other   other

     default-types in inweb inicmp
end class

default-class all

# The layout of the tree below SILK_DATA_ROOTDIR.
# Use the default, which assumes a single class.
# path-format "%T/%Y/%m/%d/%x"

# The plug-in to load to get the packing logic to use in rwflowpack.
# The --packing-logic switch to rwflowpack will override this value.
# If SiLK was configured with hard-coded packing logic, this value is
# ignored.
packing-logic "packlogic-twoway.so"

More information about the netsa-tools-discuss mailing list