Ok, so my pflow interface is up:

    pflow0: flags=141<UP,RUNNING,PROMISC> mtu 1492
            priority: 0
            pflow: sender: 0.0.0.0 receiver: 127.0.0.1:9995 version: 5
            groups: pflow

The created states are exported:

    set state-defaults pflow, no-sync

(Also pfctl -sr says so)

The nfcapd is listening:

    # pgrep -fl nfcap
    20264 /usr/local/bin/nfcapd -b 127.0.0.1 -4 -l /netflow -S 0 -w -D

The flow packets are sent to the listening nfcapd:

    # tcpdump -i pflow0
    tcpdump: listening on pflow0, link-type RAW
    15:10:25.500196 0.0.0.0.61175 > localhost.9995: udp 744 (DF) [tos 0x10]
    15:11:44.512890 0.0.0.0.61175 > localhost.9995: udp 888 (DF) [tos 0x10]
    15:12:44.562534 0.0.0.0.61175 > localhost.9995: udp 168 (DF) [tos 0x10]
    15:13:44.681469 0.0.0.0.61175 > localhost.9995: udp 120 (DF) [tos 0x10]
    15:14:40.690466 0.0.0.0.61175 > localhost.9995: udp 456 (DF) [tos 0x10]
    15:15:47.701228 0.0.0.0.61175 > localhost.9995: udp 984 (DF) [tos 0x10]
    15:16:41.709903 0.0.0.0.61175 > localhost.9995: udp 456 (DF) [tos 0x10]

The running nfcapd is writing the captured files:

    -rw-r--r-- 1 root wheel 276 May 2 15:10 nfcapd.201305021505
    -rw-r--r-- 1 root wheel 276 May 2 15:15 nfcapd.201305021510
    -rw-r--r-- 1 root wheel 276 May 2 15:15 nfcapd.current

But none of the files contains any actual flows. They are all of size 276, probably just the header. At the end of every interval, the log says:

    May 2 15:20:10 gw nfcapd[20264]: Ident: 'none' Flows: 0, Packets: 0, Bytes: 0, Sequence Errors: 0, Bad Packets: 0
    May 2 15:20:10 gw nfcapd[20264]: Total ignored packets: 0

I must be missing something obvious. Can someone please give a hint?

Jan
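Added example, not part of the original post: a small Python check that tests whether the UDP lengths in a tcpdump line like those above fit the NetFlow v5 layout (24-byte header plus 48-byte records, at most 30 per datagram) and decodes a v5 datagram. The function names and the sample datagram are constructed for illustration.

```python
import re
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")  # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record
MAX_RECORDS = 30  # v5 limit per datagram


def implied_records(tcpdump_line):
    """Record count implied by a tcpdump 'udp N' length, or None if not v5-shaped."""
    m = re.search(r"\budp (\d+)\b", tcpdump_line)
    if not m:
        return None
    count, rest = divmod(int(m.group(1)) - HEADER.size, RECORD.size)
    return count if rest == 0 and 1 <= count <= MAX_RECORDS else None


def decode_v5(payload):
    """Decode one NetFlow v5 datagram; raise ValueError if it is malformed."""
    if len(payload) < HEADER.size:
        raise ValueError("shorter than a v5 header")
    version, count, _, secs, _, seq, _, _, _ = HEADER.unpack_from(payload)
    if version != 5:
        raise ValueError(f"version {version}, expected 5")
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError(f"record count {count} out of range")
    if len(payload) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match the header's record count")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(payload, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "sport": f[9], "dport": f[10], "proto": f[13],
                      "packets": f[5], "bytes": f[6]})
    return {"unix_secs": secs, "sequence": seq, "flows": flows}


def sample_datagram():
    """Constructed one-record datagram (documentation addresses), not captured data."""
    hdr = HEADER.pack(5, 1, 1000, 1367500000, 0, 42, 0, 0, 0)
    rec = RECORD.pack(socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"),
                      socket.inet_aton("0.0.0.0"), 1, 2, 12, 3400, 100, 900,
                      51515, 443, 0, 0x1B, 6, 0x10, 0, 0, 0, 0, 0)
    return hdr + rec


if __name__ == "__main__":
    print(implied_records("15:10:25.500196 0.0.0.0.61175 > localhost.9995: udp 744 (DF)"))
    print(decode_v5(sample_datagram()))
```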