[netsa-tools-discuss] unable to create directory S1 (cisco nexsus 7k)

asad a.alii85 at gmail.com
Mon Oct 12 03:51:54 EDT 2015 

Further, im running rwflowpack as

"sudo /usr/local/sbin/rwflowpack
--sensor-configuration=/etc/nsm/NW-SEC-06-eth0/sensors.conf
--sensor-name=S1 --site-config-file=/etc/nsm/NW-SEC-06-eth0/silk.conf
--archive-directory=/nsm/sensor_data/NW-SEC-06-eth0/silk//archive
--output-mode=local-storage
--root-directory=/nsm/sensor_data/NW-SEC-06-eth0/silk/
--pidfile=/var/log/rwflowpack.pid --log-level=debug
--log-directory=/var/log --log-basename=rwflowpack
"

On 10/12/15, asad <a.alii85 at gmail.com> wrote:
> hello,
>
> I'm unable to have v9 netflows from cisco Nexus7k write to silk
> directory under /data. S0 folder exists but not S1, even when the
> traffic is coming on interface with template and is verified through
> wireshark.
>
>
> # silk.conf for the "twoway" site
> # RCSIDENT("$SiLK: silk.conf 52d8f4f62ffd 2012-05-25 21:16:30Z mthomas $")
>
> # For a description of the syntax of this file, see silk.conf(5).
>
> # The syntactic format of this file
> #    version 2 supports sensor descriptions, but otherwise identical to 1
> version 2
>
> # NOTE: Once data has been collected for a sensor or a flowtype, the
> # sensor or flowtype should never be removed or renumbered.  SiLK Flow
> # files store the sensor ID and flowtype ID as integers; removing or
> # renumbering a sensor or flowtype breaks this mapping.
>
> sensor 0 S0    "Description for sensor S0"
> sensor 1 S1
> sensor 2 S2    "Optional description for sensor S2"
> sensor 3 S3
> sensor 4 S4
> sensor 5 S5
> sensor 6 S6
> sensor 7 S7
> sensor 8 S8
> sensor 9 S9
> sensor 10 S10
> sensor 11 S11
> sensor 12 S12
> sensor 13 S13
> sensor 14 S14
>
> class all
>     sensors S0 S1 S2 S3 S4 S5 S6 S7 S8 S9 S10 S11 S12 S13 S14
> end class
>
> # Editing above this line is sufficient for sensor definition.
>
> # Be sure you understand the workings of the packing system before
> # editing the class and type definitions below.  In particular, if you
> # change or add-to the following, the C code in packlogic-twoway.c
> # will need to change as well.
>
> class all
>     type  0 in      in
>     type  1 out     out
>     type  2 inweb   iw
>     type  3 outweb  ow
>     type  4 innull  innull
>     type  5 outnull outnull
>     type  6 int2int int2int
>     type  7 ext2ext ext2ext
>     type  8 inicmp  inicmp
>     type  9 outicmp outicmp
>     type 10 other   other
>
>     default-types in inweb inicmp
> end class
>
> default-class all
>
> # The layout of the tree below SILK_DATA_ROOTDIR.
> # Use the default, which assumes a single class.
> path-format "%N/%T/%Y/%m/%d/%x"
>
> # The plug-in to load to get the packing logic to use in rwflowpack.
> # The --packing-logic switch to rwflowpack will override this value.
> # If SiLK was configured with hard-coded packing logic, this value is
> # ignored.
> packing-logic "/usr/local/lib/silk/packlogic-twoway.so"
>
> ++++++++++++
> sensors.conf
> ++++++++++++
>
> probe S1 netflow-v9
>   listen-on-port 2056
>   protocol udp
> end probe
> group my-network
>   ipblocks 192.168.0.0/16
>   ipblocks 172.30.0.0/16
>   ipblocks 10.0.0.0/8
> end group
> sensor S1
>   netflow-v9-probes S1
>   internal-ipblocks @my-network
>   external-ipblocks remainder
> end sensor
>
> ++++++++++++++++
> rwflowpack.log
> ++++++++++++++++++
>
> Oct 12 16:22:26 NW-SEC-06 rwflowpack[9700]: Flushing files after 120
> seconds.
> Oct 12 16:22:26 NW-SEC-06 rwflowpack[9700]: 'S1': forward 0, reverse
> 0, ignored 0, nf9: missing-pkts 0
> Oct 12 16:24:26 NW-SEC-06 rwflowpack[9700]: Flushing files after 120
> seconds.
> Oct 12 16:24:26 NW-SEC-06 rwflowpack[9700]: 'S1': forward 0, reverse
> 0, ignored 0, nf9: missing-pkts 0
> Oct 12 16:26:26 NW-SEC-06 rwflowpack[9700]: Flushing files after 120
> seconds.
> Oct 12 16:26:26 NW-SEC-06 rwflowpack[9700]: 'S1': forward 0, reverse
> 0, ignored 0, nf9: missing-pkts 0
> Oct 12 16:28:26 NW-SEC-06 rwflowpack[9700]: Flushing files after 120
> seconds.
> Oct 12 16:28:26 NW-SEC-06 rwflowpack[9700]: 'S1': forward 0, reverse
> 0, ignored 0, nf9: missing-pkts 0
> Oct 12 16:30:26 NW-SEC-06 rwflowpack[9700]: Flushing files after 120
> seconds.
> Oct 12 16:30:26 NW-SEC-06 rwflowpack[9700]: 'S1': forward 0, reverse
> 0, ignored 0, nf9: missing-pkts 0
> Oct 12 16:32:26 NW-SEC-06 rwflowpack[9700]: Flushing files after 120
> seconds.
> Oct 12 16:32:26 NW-SEC-06 rwflowpack[9700]: 'S1': forward 0, reverse
> 0, ignored 0, nf9: missing-pkts 0
>
>
> What wrong is happening? please guide.
>

More information about the netsa-tools-discuss mailing list