[netsa-tools-discuss] super_mediator TCP connection timeout

Emily Sarneso ecoff at sei.cmu.edu
Thu Mar 26 10:48:13 EDT 2015 

Hello,

super_mediator requires the process it is exporting to to be available at startup time.  Once it is running and the exporter process goes down, it will stay up and periodically retry to connect to the exporter - but it must be available when it starts up.  

If this is a problem, you could have super_mediator write IPFIX files to a directory and have rwsender (remote host) or rwflowpack (local host) poll the directory:  

EXPORTER FILEHANDLER
   PATH “/path/to/poll”
   ROTATE 120
   LOCK
   FLOW_ONLY
EXPORTER END

In your case, it looks like you are sending a particular set of flows to a remote host, so you may want to look into using rwsender/rwreceiver to transfer and collect the files.  rwsender would be running on the same host as super_mediator polling the directory you provide in the EXPORTER block of the super_mediator.conf.  rwreceiver would run on your remote host “1.1.1.1” and listen for connections from rwsender.  rwflowpack/flowcap will also run on the remote host and poll the directory where rwreceiver writes the files.  

http://tools.netsa.cert.org/silk/rwsender.html
http://tools.netsa.cert.org/silk/rwreceiver.html

Hope this helps.  Please let us know if you have any other questions.

Emily




On Mar 25, 2015, at 8:19 AM, inetjunkmail <inetjunkmail at gmail.com> wrote:

> We have a need to relay a subset of our IPFIX data to a customer.  When we used the NFDump suite, we used nfreplay to ship them the data.  Now that we use SiLK, we were trying to use super_mediator.  To give a better idea of what we're trying to to, super_mediator.conf is below.  The problem is that when the remote collector at 1.1.1.1 is unreachable, super_mediator never starts because it hangs trying to connect.  Is there a way to have it time out and periodically retry to connect to exporters rather than requiring them to be available at the time the service starts?
> 
> Alternatively, is there a better way to accomplish this?
> 
> COLLECTOR TCP
>    PORT 18000
> COLLECTOR END
> EXPORTER TCP
>    PORT 18001
>    HOST localhost
>    FLOW_ONLY
> EXPORTER END
> EXPORTER TCP
>    PORT 2055
>    HOST "1.1.1.1"
>    FLOW_ONLY
>    ANY_IP IN_LIST "/data/silk/sets/customerA.set"
> EXPORTER END
> LOGLEVEL DEBUG
> LOG "/data/silk/log/super_mediator.log"
> PIDFILE "/data/silk/log/super_mediator.pid"
> 
> Thanks

More information about the netsa-tools-discuss mailing list