Deleting and re-adding exporter

Scrutinizer is an enterprise/business class NetFlow and sFlow analysis tool. Scrutinizer provides historical trends of the company's critical network interfaces as well as the details on:

Who: The end system causing the traffic
What: The application/protocol that is being used
When: The time frame it has been occurring for
Where: The network connection that is affected

yozh
Posts: 7
Joined: Mon Sep 28, 2015 10:02 am

Deleting and re-adding exporter

Post by yozh » Thu Oct 27, 2016 8:00 am

Hello,

I'm on version 16 on a VM appliance and exporting from Astaro UTM (Sophos). For some reason the reports show the wrong source and destination and ports, meaning they are reversed. When I do a flow view they are right, but in any other report it's flipped. I'm pretty sure it was showing the right reports before.

I wanted to delete the exporter and let it re-add it to see if the issue goes away, but when I remove it, it does not come back for a while, and when I check the status from scrut_util it says deleted.

How can I add it back, and what can I do about the reversed reports?

Jarrydb
Posts: 6
Joined: Fri May 15, 2015 4:37 pm

Re: Deleting and re-adding exporter

Post by Jarrydb » Fri Oct 28, 2016 8:57 am

Hi Yozh,

In regard to deleting a device: it will take a couple of minutes to be seen as deleted on the Manage Exporters page. As for the device coming back to life under the Status tab / Device Explorer: when you delete a device, Scrutinizer will be waiting for flows and a template in order to populate the reports.
You may want to check to make sure that the template timeout is set to 1 minute, along with the active timeout for the flow cache.

The reversed port issue will be a bit interesting to dig into; we have seen some oddities with Sophos exporters. I think the best way to locate the problem would be to SSH to your Scrutinizer box as root, then kick off a packet capture to see the raw flows being sent:

tcpdump -i eth0 host (ip of sophos) -w Nameofpcap.pcap

Let this run for 5 - 10 minutes and then open it with Wireshark.

You should be able to see CFLOW data; when you open up the flows you will see SrcPort and DstPort. We can use this information to see if it's on the device's side or the Scrutinizer side.

For help with this feel free to pop into our livechat or give us a call.

I am also available to help take a look

jarrydb@plixer.com

Thanks!
- Jarryd

yozh
Posts: 7
Joined: Mon Sep 28, 2015 10:02 am

Re: Deleting and re-adding exporter

Post by yozh » Fri Oct 28, 2016 12:19 pm

Jarrydb wrote:
Hi Yozh,

In regard to deleting a device: it will take a couple of minutes to be seen as deleted on the Manage Exporters page. As for the device coming back to life under the Status tab / Device Explorer: when you delete a device, Scrutinizer will be waiting for flows and a template in order to populate the reports.
You may want to check to make sure that the template timeout is set to 1 minute, along with the active timeout for the flow cache.

The reversed port issue will be a bit interesting to dig into; we have seen some oddities with Sophos exporters. I think the best way to locate the problem would be to SSH to your Scrutinizer box as root, then kick off a packet capture to see the raw flows being sent:

tcpdump -i eth0 host (ip of sophos) -w Nameofpcap.pcap

Let this run for 5 - 10 minutes and then open it with Wireshark.

You should be able to see CFLOW data; when you open up the flows you will see SrcPort and DstPort. We can use this information to see if it's on the device's side or the Scrutinizer side.

For help with this feel free to pop into our live chat or give us a call.

I am also available to help take a look.

jarrydb@plixer.com

Thanks!

Hello,

Thank you very much for the response. Are you saying that if I delete an exporter and it keeps sending flows, eventually it will come back as a valid exporter?

I did a capture and checked the frames, they look right to me, the DST IP and Port are correct and so is the source...

Jarrydb
Posts: 6
Joined: Fri May 15, 2015 4:37 pm

Re: Deleting and re-adding exporter

Post by Jarrydb » Fri Oct 28, 2016 1:17 pm

yozh wrote: Are you saying that if I delete an exporter and it keeps sending flows, eventually it will come back as a valid exporter?

Yep, it will come back automatically as a valid exporter after Scrutinizer starts receiving flows and a template.

yozh wrote: they look right to me, the DST IP and Port are correct and so is the source

OK, so they look OK in a pcap. You will want to look for the same conversation in Scrutinizer and see if they are the same. We show what is sent to us and shouldn't be flipping the conversation around.

You should be able to use a host-to-host filter to find the conversation, maybe using a source / destination port filter to help narrow down the results.


:)
- Jarryd
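Both of Jarryd's replies come down to two checks: whether the collector has received a template yet (data flowsets that arrive before their template cannot be decoded, which is why a deleted exporter stays "deleted" until a template shows up), and whether SrcPort/DstPort in the raw export already match what the reports show. The script below is an added example, not Plixer's code or anything from this thread: it builds a constructed NetFlow v9 export (the export type is an assumption; the thread only says "flows and a template") with two records of one conversation, parses it the way a collector would, and applies a host-to-host filter so the captured ports can be compared against the report. Feeding it the UDP payloads from the tcpdump capture in place of the constructed packets would show what the exporter actually put on the wire.

```python
import socket
import struct

# NetFlow v9 field type ids from RFC 3954 that this example decodes.
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
    8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
}
IP_FIELDS = (8, 12)


def build_v9_template(template_id, fields):
    """Template flowset (id 0): template id, field count, (type, length) pairs."""
    body = struct.pack("!HH", template_id, len(fields))
    for ftype, flen in fields:
        body += struct.pack("!HH", ftype, flen)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def build_v9_data(template_id, records, fields):
    """Data flowset: records laid out exactly as the template describes, padded to 4 bytes."""
    body = b""
    for rec in records:
        for ftype, flen in fields:
            val = rec[ftype]
            body += socket.inet_aton(val) if ftype in IP_FIELDS else val.to_bytes(flen, "big")
    body += b"\x00" * ((-len(body)) % 4)
    return struct.pack("!HH", template_id, 4 + len(body)) + body


def build_v9_packet(flowsets, source_id=0, seq=1):
    """20-byte v9 header (version, count, sysUptime, unix secs, sequence, source id)."""
    return struct.pack("!HHIIII", 9, len(flowsets), 1000, 1477000000, seq, source_id) + b"".join(flowsets)


def parse_v9(packet, templates):
    """Decode one export packet. `templates` persists across packets, keyed by
    (source_id, template_id); data flowsets with no known template are reported
    as undecodable rather than guessed at, which is what a collector sees right
    after an exporter is deleted and re-added."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9: version {version}")
    records, undecodable = [], []
    off = 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset: may carry several templates
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if nfields == 0:  # trailing padding, not a template
                    break
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:  # data flowset, id names its template
            fields = templates.get((source_id, fs_id))
            if fields is None:
                undecodable.append(fs_id)
            else:
                rec_len = sum(flen for _, flen in fields)
                pos = 0
                while pos + rec_len <= len(body):
                    rec = {}
                    for ftype, flen in fields:
                        raw = body[pos:pos + flen]
                        pos += flen
                        name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                        rec[name] = socket.inet_ntoa(raw) if ftype in IP_FIELDS and flen == 4 else int.from_bytes(raw, "big")
                    records.append(rec)
        # fs_id 1 (options template) and unknown ids are skipped
        off += fs_len
    return records, undecodable


def host_to_host(records, host_a, host_b):
    """The host-to-host filter: every record of the conversation, in either direction."""
    return [r for r in records if {r["IPV4_SRC_ADDR"], r["IPV4_DST_ADDR"]} == {host_a, host_b}]


def demo():
    """Constructed traffic: one HTTPS conversation, both directions, sent first without
    and then with its template (the template-timeout situation from the thread)."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    recs = [
        {8: "192.168.1.10", 12: "10.0.0.5", 7: 51234, 11: 443, 4: 6, 1: 5000, 2: 12},
        {8: "10.0.0.5", 12: "192.168.1.10", 7: 443, 11: 51234, 4: 6, 1: 90000, 2: 70},
    ]
    templates = {}
    before, missing = parse_v9(build_v9_packet([build_v9_data(256, recs, fields)], seq=1), templates)
    after, _ = parse_v9(build_v9_packet([build_v9_template(256, fields), build_v9_data(256, recs, fields)], seq=2), templates)
    return before, missing, after


if __name__ == "__main__":
    before, missing, after = demo()
    print(f"before template: {len(before)} records, undecodable flowsets {missing}")
    for r in host_to_host(after, "192.168.1.10", "10.0.0.5"):
        print(f"{r['IPV4_SRC_ADDR']}:{r['L4_SRC_PORT']} -> {r['IPV4_DST_ADDR']}:{r['L4_DST_PORT']}")
```

If the printed direction for each record matches the pcap but not the Scrutinizer report, the flip is happening on the collector side; if the exporter itself swaps the fields, it shows up here already, with the well-known port (443) on the wrong end of the client-to-server record.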
