[netsa-tools-discuss] super_mediator TCP connection timeout

inetjunkmail inetjunkmail at gmail.com
Thu Mar 26 11:16:34 EDT 2015 

Thanks for your reply.  Unfortunately we don't own the receiver and they
are not using SiLK.  I'm under the impression that the output of rwsender
was not equivalent to IPFIX and it required rwreceiver at the other end to
receive the data (rather than a generic IPFIX collector).  Do I understand
that correctly?

Thanks again for your help

On Thu, Mar 26, 2015 at 10:48 AM, Emily Sarneso <ecoff at sei.cmu.edu> wrote:

> Hello,
>
> super_mediator requires the process it is exporting to to be available at
> startup time.  Once it is running and the exporter process goes down, it
> will stay up and periodically retry to connect to the exporter - but it
> must be available when it starts up.
>
> If this is a problem, you could have super_mediator write IPFIX files to a
> directory and have rwsender (remote host) or rwflowpack (local host) poll
> the directory:
>
> EXPORTER FILEHANDLER
>    PATH “/path/to/poll”
>    ROTATE 120
>    LOCK
>    FLOW_ONLY
> EXPORTER END
>
> In your case, it looks like you are sending a particular set of flows to a
> remote host, so you may want to look into using rwsender/rwreceiver to
> transfer and collect the files.  rwsender would be running on the same host
> as super_mediator polling the directory you provide in the EXPORTER block
> of the super_mediator.conf.  rwreceiver would run on your remote host
> “1.1.1.1” and listen for connections from rwsender.  rwflowpack/flowcap
> will also run on the remote host and poll the directory where rwreceiver
> writes the files.
>
> http://tools.netsa.cert.org/silk/rwsender.html
> http://tools.netsa.cert.org/silk/rwreceiver.html
>
> Hope this helps.  Please let us know if you have any other questions.
>
> Emily
>
>
>
>
> On Mar 25, 2015, at 8:19 AM, inetjunkmail <inetjunkmail at gmail.com> wrote:
>
> > We have a need to relay a subset of our IPFIX data to a customer.  When
> we used the NFDump suite, we used nfreplay to ship them the data.  Now that
> we use SiLK, we were trying to use super_mediator.  To give a better idea
> of what we're trying to to, super_mediator.conf is below.  The problem is
> that when the remote collector at 1.1.1.1 is unreachable, super_mediator
> never starts because it hangs trying to connect.  Is there a way to have it
> time out and periodically retry to connect to exporters rather than
> requiring them to be available at the time the service starts?
> >
> > Alternatively, is there a better way to accomplish this?
> >
> > COLLECTOR TCP
> >    PORT 18000
> > COLLECTOR END
> > EXPORTER TCP
> >    PORT 18001
> >    HOST localhost
> >    FLOW_ONLY
> > EXPORTER END
> > EXPORTER TCP
> >    PORT 2055
> >    HOST "1.1.1.1"
> >    FLOW_ONLY
> >    ANY_IP IN_LIST "/data/silk/sets/customerA.set"
> > EXPORTER END
> > LOGLEVEL DEBUG
> > LOG "/data/silk/log/super_mediator.log"
> > PIDFILE "/data/silk/log/super_mediator.pid"
> >
> > Thanks
>
>
-------------- next part --------------
HTML attachment scrubbed and removed

More information about the netsa-tools-discuss mailing list