Monitoring Network Traffic with Netflow
Subject:   libnsl on FreeBSD
Date:   2005-09-18 12:22:12
From:   jasontaylor1
Response to: libnsl on FreeBSD

Thanks for that. It now compiles and installs without complaining.

However I get no output from flowdumper.


[jasont@sechost]/var/log/netflows: ls -l
total 1154
-rw-r--r-- 1 root wheel 8070 Sep 18 18:40 ft-v05.2005-09-18.183947+0100
-rw-r--r-- 1 root wheel 50481 Sep 18 18:45 ft-v05.2005-09-18.184001+0100
-rw-r--r-- 1 root wheel 60604 Sep 18 18:50 ft-v05.2005-09-18.184501+0100
-rw-r--r-- 1 root wheel 76010 Sep 18 18:55 ft-v05.2005-09-18.185001+0100
-rw-r--r-- 1 root wheel 56227 Sep 18 19:00 ft-v05.2005-09-18.185501+0100
-rw-r--r-- 1 root wheel 57349 Sep 18 19:05 ft-v05.2005-09-18.190001+0100
-rw-r--r-- 1 root wheel 44022 Sep 18 19:10 ft-v05.2005-09-18.190501+0100
-rw-r--r-- 1 root wheel 48894 Sep 18 19:15 ft-v05.2005-09-18.191001+0100
-rw-r--r-- 1 root wheel 62026 Sep 18 19:20 ft-v05.2005-09-18.191501+0100
-rw-r--r-- 1 root wheel 61056 Sep 18 19:25 ft-v05.2005-09-18.192001+0100
-rw-r--r-- 1 root wheel 44053 Sep 18 19:30 ft-v05.2005-09-18.192501+0100
-rw-r--r-- 1 root wheel 57780 Sep 18 19:35 ft-v05.2005-09-18.193001+0100
-rw-r--r-- 1 root wheel 44531 Sep 18 19:40 ft-v05.2005-09-18.193501+0100
-rw-r--r-- 1 root wheel 46751 Sep 18 19:45 ft-v05.2005-09-18.194001+0100
-rw-r--r-- 1 root wheel 58878 Sep 18 19:50 ft-v05.2005-09-18.194502+0100
-rw-r--r-- 1 root wheel 74163 Sep 18 19:55 ft-v05.2005-09-18.195001+0100
-rw-r--r-- 1 root wheel 73601 Sep 18 20:00 ft-v05.2005-09-18.195501+0100
-rw-r--r-- 1 root wheel 71073 Sep 18 20:05 ft-v05.2005-09-18.200001+0100
-rw-r--r-- 1 root wheel 60490 Sep 18 20:10 ft-v05.2005-09-18.200501+0100
-rw-r--r-- 1 root wheel 58576 Sep 18 20:15 ft-v05.2005-09-18.201001+0100
-rw-r--r-- 1 root wheel 45904 Sep 18 20:20 ft-v05.2005-09-18.201501+0100
-rw-r--r-- 1 root wheel 100 Sep 18 20:20 tmp-v05.2005-09-18.202001+0100

[jasont@sechost]/var/log/netflows: ls ft-* | xargs -n 1 flowdumper -s

Any ideas? I've tried Cflow on a few different boxes now (Redhat 9, FreeBSD 4.8 and 5.4) with similar results.



  • libnsl on FreeBSD
    2005-09-19 18:18:45  agshekeloh

    I've installed the tools in exactly this manner on eight different machines. Following the instructions *exactly* will make flowdumper work.

    When you say "it doesn't complain," are you talking about the line that says "no library found for -libnls"? If so, did you make exactly the edit in the article, or did you use the patch in the posted followup comment?

    I can't comment on the patch in the comment, but I can say that the edit in the article has always worked, both for me and a variety of other people. I have lost no functionality from the tools, on 4.x and 5.x.
    • libnsl on FreeBSD
      2005-09-20 15:07:18  jasontaylor1

      I tried both methods and played around a bit myself. Flowdumper simply produced no output when run against my collected flow files.

      BUT.. I've just tried again using the method on the last page of the article and it's now working...

      Thanks for the encouragement to retry. Now to get the other tools in part 2 of the article working, which are also not working right.

      • libnsl on FreeBSD
        2008-03-04 10:23:34  Joao Ceron

        You must ensure that the file referenced by perl is the same as that compiled.

        cd flow-tools/work/flow-tools-0.68/contrib/Cflow-1.051

        agrius# md5 /usr/local/lib/perl5/site_perl/5.8.8/mach/
        MD5 ( = 19e30f1834c7f81c6aeddeb605993757
        MD5 (/usr/local/lib/perl5/site_perl/5.8.8/mach/ = 19e30f1834c7f81c6aeddeb605993757
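An added example, not part of the comment above or of flow-tools: one way to run the check it describes is to compare the freshly built module against every copy Perl could load, so a stale copy in another directory is not missed. The file name `Cflow.so`, the `auto/Cflow` layout and the function name `find_stale_copies` are assumptions, and the sample tree is constructed.

```shell
#!/bin/sh
# find_stale_copies BUILT NAME DIR...
# Search each DIR for files called NAME and compare them byte for byte
# with BUILT (the module just compiled). Prints one line per copy:
#   OK    <path>   identical to the build
#   STALE <path>   different contents, probably an older install
find_stale_copies() {
    built=$1
    name=$2
    shift 2
    [ -f "$built" ] || { echo "built file not found: $built" >&2; return 2; }
    for dir in "$@"; do
        # Library directories listed by Perl do not all exist; skip those.
        [ -d "$dir" ] || continue
        find "$dir" -type f -name "$name"
    done | while IFS= read -r copy; do
        if cmp -s "$built" "$copy"; then
            echo "OK    $copy"
        else
            echo "STALE $copy"
        fi
    done
}

# Constructed sample: one build directory and two library directories,
# the second of which still holds an older module.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/build" "$tmp/inc_a/auto/Cflow" "$tmp/inc_b/auto/Cflow"
    printf 'new build\n' > "$tmp/build/Cflow.so"
    cp "$tmp/build/Cflow.so" "$tmp/inc_a/auto/Cflow/Cflow.so"
    printf 'old build\n' > "$tmp/inc_b/auto/Cflow/Cflow.so"
    find_stale_copies "$tmp/build/Cflow.so" Cflow.so "$tmp/inc_a" "$tmp/inc_b"
    rm -rf "$tmp"
}

demo
```

On a real host the directories to pass are the ones Perl searches, which `perl -e 'print "$_\n" for @INC'` lists.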

    • libnsl on FreeBSD
      2006-08-07 04:04:21  rihad

      It's a pity all the needed software has to be set up in a generic Unix way: its authors are not adhering to FreeBSD standards (rcNG, etc). Every locally maintained ad-hoc startup script makes system upgrades a bit more painful and is just plain ugly.

      After almost one year, things have not changed.

      Thanks for the HOWTO, though. Everything worked for me.
  • libnsl on FreeBSD
    2005-09-20 05:11:36

    All I can say is that with the warning Michael Lucas is warning us about, flowdumper won't show me anything on three separate machines (4.x, 5.x and 6.x). With the nsl removed from the Makefile it goes well and flowdumper works - I'm using it currently and plan to deploy more installations.

    This is probably my error as Michael can't be wrong, but the fact is - flow-tools are a real nightmare to successfully set up and a typical case of how not to write and maintain software (IMHO of course).
    • libnsl on FreeBSD
      2005-09-20 05:25:32  agshekeloh

      I can be very wrong. Extremely wrong. Utterly, thoroughly, completely wrong. It seems that the more certain I am that I'm right, the more likely that I am wrong.

      I can say that before I submitted this article, I sent it to two different people on two different networks to review and follow. It worked for them.

      Netflow setup is a complete nightmare. Perhaps it worked more smoothly back when these tools were new, I don't know. Getting working is the worst part by far. Flowdumper is just the simplest front end and test for

      I know of people working on new flow capturing tools, but they're not ready yet. :-(