I am new to netflow, so maybe the problem is my understanding, but I have not found references on what is happening.
I have a Palo Alto PA500 firewall and I am trying to extract netflow statistics to an Ubuntu box with nfdump.
I have installed nfdump and run nfcapd without problems:
sudo apt-get install nfdump
nfcapd -E -T all -p 9001 -l /tmp/nfcaptest
I have configured the Palo Alto as described in the documentation:
Device / Server Profiles / Netflow
Add
Name: nfserver
Refresh:
Minutes: 30
Packets: 20
Active Timeout (min): 5
Name: nfserver
IP: x.x.x.x
Port: 9001
I have added the netflow server to all the interfaces and committed the changes.
I am seeing the traffic in the server with tcpdump.
12:51:33.848206 IP x.x.x.x.50705 > nfserver.9001: UDP, length 1369
nfcapd is giving this output constantly:
Ident: 'none' Flows: 0, Packets: 0, Bytes: 0, Sequence Errors: 0, Bad Packets: 0
Total ignored packets: 0
File Block Header:
NumBlocks = 0
Size = 0
id = 2
I see that there is a nfcapd.xxx file every 5 minutes but when I try to read them I see no results.
# nfdump -r nfcapd.current.7757
Date first seen Event XEvent Proto Src IP Addr:Port Dst IP Addr:Port X-Src IP Addr:Port X-Dst IP Addr:Port In Byte Out Byte
No matched flows
What am I missing? Is the problem in the Fw (not sending the data) or in the server (not using it)?
UPDATE: Looks like the problem is with nfcapd. I have opened the tcpdump capture with Wireshark and I can see all the netflow data is correctly received. For some reason nfcapd is ignoring/not receiving it.
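A diagnostic that is useful when a collector receives packets but reports zero flows is to look at the export framing yourself before blaming either side. NetFlow v9 and IPFIX both carry flow records in data sets that a collector can only decode after it has received the matching template set; a collector started after the exporter's last template refresh silently counts nothing until the next template arrives. The script below is an added example, not code from the question or from the nfdump project: it parses the v9/IPFIX packet and set headers, tracks which template IDs have been seen, and reports data sets that arrived before their template. The packets it runs on are constructed inline so it works offline; in practice you would feed it the UDP payloads extracted from the tcpdump capture. All function names are my own.

```python
import struct

V9_HEADER = struct.Struct("!HHIIII")    # version, count, sysUptime, unixSecs, seq, sourceId
IPFIX_HEADER = struct.Struct("!HHIII")  # version, length, exportTime, seq, observationDomainId
SET_HEADER = struct.Struct("!HH")       # set/flowset id, length (including this header)


def parse_template_set(body, version):
    """Return {template_id: field_count} for every template in a template set body."""
    templates = {}
    pos = 0
    while pos + 4 <= len(body):
        template_id, field_count = struct.unpack_from("!HH", body, pos)
        if template_id < 256:            # zero padding at the end of the set, not a template
            break
        pos += 4
        for _ in range(field_count):
            field_type, = struct.unpack_from("!H", body, pos)
            pos += 4                                   # field type(2) + field length(2)
            if version == 10 and field_type & 0x8000:  # IPFIX enterprise-specific element
                pos += 4                               # carries a 4-byte enterprise number
        templates[template_id] = field_count
    return templates


def parse_export_packet(packet):
    """Decode the framing of one NetFlow v9 or IPFIX packet: (version, list of sets).
    Only headers are interpreted, enough to tell template sets from data sets."""
    version, = struct.unpack_from("!H", packet, 0)
    if version == 9:
        offset = V9_HEADER.size
        template_kinds = {0: "template", 1: "options_template"}
    elif version == 10:
        offset = IPFIX_HEADER.size
        template_kinds = {2: "template", 3: "options_template"}
    else:
        raise ValueError(f"not a NetFlow v9/IPFIX packet (version {version})")
    sets = []
    while offset + SET_HEADER.size <= len(packet):
        set_id, set_len = SET_HEADER.unpack_from(packet, offset)
        if set_len < SET_HEADER.size or offset + set_len > len(packet):
            raise ValueError("malformed set length")
        body = packet[offset + SET_HEADER.size:offset + set_len]
        kind = template_kinds.get(set_id, "data" if set_id >= 256 else "reserved")
        entry = {"id": set_id, "kind": kind, "length": set_len}
        if kind == "template":
            entry["templates"] = parse_template_set(body, version)
        sets.append(entry)
        offset += set_len
    return version, sets


def audit_stream(packets):
    """Walk packets in arrival order, as a collector would, and count data sets
    whose template has not yet been seen (those are undecodable and get dropped)."""
    known = set()
    report = {"versions": set(), "templates": 0,
              "data_decodable": 0, "data_without_template": 0}
    for pkt in packets:
        version, sets = parse_export_packet(pkt)
        report["versions"].add(version)
        for s in sets:
            if s["kind"] == "template":
                known.update(s["templates"])
                report["templates"] += len(s["templates"])
            elif s["kind"] == "data":
                key = "data_decodable" if s["id"] in known else "data_without_template"
                report[key] += 1
    return report


# --- constructed sample packets (not captured from any real firewall) ---
def _flowset(set_id, payload):
    payload += b"\x00" * ((-len(payload)) % 4)      # pad to a 4-byte boundary
    return SET_HEADER.pack(set_id, SET_HEADER.size + len(payload)) + payload


def _v9_packet(seq, record_count, flowsets):
    return V9_HEADER.pack(9, record_count, 123456, 1700000000, seq, 1) + b"".join(flowsets)


# Template 256: IPV4_SRC_ADDR(type 8, 4 bytes), IPV4_DST_ADDR(12, 4), IN_BYTES(1, 4)
TEMPLATE_256 = _flowset(0, struct.pack("!HHHHHHHH", 256, 3, 8, 4, 12, 4, 1, 4))
# One data record laid out per template 256: 10.0.0.5 -> 192.168.1.20, 1500 bytes
RECORD = _flowset(256, bytes([10, 0, 0, 5]) + bytes([192, 168, 1, 20]) + struct.pack("!I", 1500))

TEMPLATE_FIRST = [_v9_packet(1, 2, [TEMPLATE_256, RECORD]), _v9_packet(2, 1, [RECORD])]
DATA_ONLY = [_v9_packet(7, 1, [RECORD]), _v9_packet(8, 1, [RECORD])]

if __name__ == "__main__":
    print("template then data:", audit_stream(TEMPLATE_FIRST))
    print("data only        :", audit_stream(DATA_ONLY))
```

If the report shows data sets but no templates over a window longer than the exporter's template refresh interval, the collector is starting too early or the refresh settings need checking; if it shows a version other than 9 or 10, the collector is being started for the wrong protocol version.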