[netsa-tools-discuss] non-firewalled port showing closed in sockstat

Mark Thomas mthomas at cert.org
Thu Sep 11 11:39:49 EDT 2014


Christoper-

Thank you for your email, and thank you for including the
configuration files.

The configuration files look correct to me.

You may want to try running flowcap or rwflowpack with the
--log-level=debug switch (or set LOG_LEVEL=debug in the flowcap.conf
or rwflowpack.conf files).  That will provide more information when
the daemon binds to the port.

Since you have a single port in your sensor.conf file, flowcap and
rwflowpack will exit if they cannot bind to the port or if polling
the port returns an error.

I do not have access to sockstat, but my guess is that sockstat is
reporting the status of the port incorrectly.  UDP ports are
connectionless and do not have a "listen" state like TCP ports.

As for why the packets from the router are not reaching the daemon:
that is difficult to answer and it can be difficult to debug, since
UDP is connectionless.  In addition, our daemons do not report when
they reject a connection (this is to try to keep the log size
reasonable).

You may want to try removing the accept-from-host clause to see if
that allows the router to connect.

I am sorry I cannot provide a complete solution to your issue.

Thanks,

-Mark


On Tue, 9 Sep 2014 16:39:20 -0600, Christoper Holland wrote:

> New to SiLK. I've been going through the install and config. I believe 
> sensor.conf and silk.conf are set up properly. When I start rwflowpack or 
> flowcap I'm not seeing data. I've checked my router and it is sending 
> NetFlow to the correct UDP port assigned in sensor.conf. The port is open in 
> iptables.
>
> The server is running Debian Wheezy. The interface for flow traffic is eth2. The IP 
> of the NIC is 169.xxx.xxx.135; the IP of the router sending flows is 169.xxx.xxx.145. 
> It is a single-server configuration receiving flow data from a Cisco router.
>
> My issue is that when I check sockstat it shows rwflowpack or flowcap 
> binding to the UDP port, but it shows closed instead of listening or established.
>
> # sensor.conf ####
>
> (using bogus IPs as an example)
>
> probe b2 netflow-v5
>          listen-on-port 2051
>          listen-as-host 169.xxx.xxx.135
>          accept-from-host 169.xxx.xxx.145
>          protocol udp
> end probe
>
> sensor b2
>          netflow-v5-probes b2
>          external-interface 5, 6
>          internal-interface remainder
> end sensor
>
> # silk.conf ####
>
>
> sensor 0 b2
>
> class all
>      sensors b2
> end class
>
> # Editing above this line is sufficient for sensor definition.
>
> # Be sure you understand the workings of the packing system before
> # editing the class and type definitions below.  In particular, if you
> # change or add-to the following, the C code in packlogic-twoway.c
> # will need to change as well.
>
> class all
>      type  0 in      in
>      type  1 out     out
>      type  2 inweb   iw
>      type  3 outweb  ow
>      type  4 innull  innull
>      type  5 outnull outnull
>      type  6 int2int int2int
>      type  7 ext2ext ext2ext
>      type  8 inicmp  inicmp
>      type  9 outicmp outicmp
>      type 10 other   other
>
>      default-types in inweb inicmp
> end class
>
> default-class all
>
> # The layout of the tree below SILK_DATA_ROOTDIR.
> # Use the default, which assumes a single class.
> # path-format "%T/%Y/%m/%d/%x"
>
> # The plug-in to load to get the packing logic to use in rwflowpack.
> # The --packing-logic switch to rwflowpack will override this value.
> # If SiLK was configured with hard-coded packing logic, this value is
> # ignored.
> packing-logic "packlogic-twoway.so"
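The two points Mark makes above, that a bound UDP socket has no "listen" state for sockstat to report and that the collector silently drops datagrams from hosts not named in accept-from-host, can be checked without SiLK at all. The following is an added example and is not SiLK's code: it binds a UDP socket on loopback the way a collector would, reads the SO_ACCEPTCONN option to show the kernel reports no listening state for UDP, parses the standard 24-byte NetFlow v5 header to confirm a datagram really is v5, and applies an accept-from-host style source filter. The function names, the constructed sample datagram and the port choice are all assumptions of this example, not anything the list post specifies.

```python
"""Added example, not SiLK code: mimic how a NetFlow v5 collector binds a
UDP port and filters on source address, and show why sockstat/ss never
report a UDP socket as 'listening'."""
import socket
import struct

# Standard NetFlow v5 header (24 bytes): version, count, sys_uptime,
# unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id,
# sampling_interval.  Each flow record that follows is 48 bytes.
NF5_HEADER = struct.Struct("!HHIIIIBBH")
NF5_RECORD_LEN = 48
NF5_MAX_RECORDS = 30


def parse_netflow_v5_header(datagram):
    """Return the header fields as a dict, or None if this is not a
    well-formed NetFlow v5 datagram (wrong version, bad count or length)."""
    if len(datagram) < NF5_HEADER.size:
        return None
    fields = NF5_HEADER.unpack_from(datagram)
    version, count = fields[0], fields[1]
    if version != 5 or count > NF5_MAX_RECORDS:
        return None
    if len(datagram) != NF5_HEADER.size + count * NF5_RECORD_LEN:
        return None
    return {"version": version, "count": count, "sys_uptime": fields[2],
            "unix_secs": fields[3], "flow_sequence": fields[5],
            "engine_type": fields[6], "engine_id": fields[7]}


def accept_from_host(src_ip, allowed):
    """Mimic accept-from-host: an empty allow-list accepts any source."""
    return not allowed or src_ip in allowed


def build_netflow_v5(count=1, seq=0):
    """Constructed sample datagram: a v5 header plus `count` zero-filled
    records.  Only the header is meaningful; the records are padding."""
    hdr = NF5_HEADER.pack(5, count, 1000, 1410000000, 0, seq, 0, 1, 0)
    return hdr + b"\x00" * (count * NF5_RECORD_LEN)


def loopback_selftest(allowed=("127.0.0.1",)):
    """Bind a UDP receiver on loopback (port 0 lets the kernel pick a free
    port), send one constructed datagram to it, and return what a collector
    configured with `allowed` as accept-from-host would have decided."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    rx.settimeout(2)
    port = rx.getsockname()[1]
    # SO_ACCEPTCONN is 1 only for a TCP socket that called listen(); for a
    # UDP socket it is 0, which is why sockstat shows 'closed', not LISTEN.
    so_acceptconn = rx.getsockopt(socket.SOL_SOCKET, socket.SO_ACCEPTCONN)

    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx.sendto(build_netflow_v5(count=2, seq=7), ("127.0.0.1", port))
    data, (src_ip, _) = rx.recvfrom(65535)
    tx.close()
    rx.close()

    header = parse_netflow_v5_header(data)
    # A real collector logs nothing here; this example reports the decision
    # so the silent-drop case is visible.
    accepted = header is not None and accept_from_host(src_ip, list(allowed))
    return {"port": port, "so_acceptconn": so_acceptconn,
            "src_ip": src_ip, "header": header, "accepted": accepted}


if __name__ == "__main__":
    print("matching accept-from-host:", loopback_selftest(["127.0.0.1"]))
    print("non-matching accept-from-host:", loopback_selftest(["169.254.0.1"]))
```

Run with a matching allow-list and the datagram is accepted; run with a non-matching one and it is dropped with no error on either side, which is exactly the symptom described in the thread when the router's source address does not match accept-from-host (for example if flows leave the router from a different interface address). Checking the `so_acceptconn` value is also the quick way to convince yourself that "closed" in sockstat is not evidence the daemon failed to bind.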