Netflow listening only on udp6 2055 and not receiving netflow

Hi
I have just installed Graylog and was exploring its NetFlow feature. I have added an input for NetFlow, but it's not showing any data. When I checked in the Linux shell, the output says it's listening on port 2055, but it seems like it's not listening on IPv4?

greylog@greylog:~$ netstat -tunlp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp6 0 0 10.20.6.98:9000 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* -
udp 0 0 10.20.6.98:68 0.0.0.0:* -
udp6 0 0 10.20.6.98:2055 :::* -
udp6 0 0 10.20.6.98:2055 :::* -
udp6 0 0 10.20.6.98:2055 :::* -
udp6 0 0 10.20.6.98:2055 :::* -
udp6 0 0 10.20.6.98:514 :::* -
udp6 0 0 10.20.6.98:514 :::* -
udp6 0 0 10.20.6.98:514 :::* -
udp6 0 0 10.20.6.98:514 :::* -

Can someone please guide me?
I have configured NetFlow exports from MikroTik using v5 … tried v9 and IPFIX as well. Couldn't get data via any version.

When I click on Show received messages, I get the error below.

While retrieving data for this widget, the following error(s) occurred:
Connection refused.

Running tcpdump on the system where Graylog is installed gives the result below:

greylog@greylog:~$ sudo tcpdump host "10.20.1.1"
[sudo] password for greylog:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), snapshot length 262144 bytes
22:40:22.634211 IP 10.20.1.1.2055 > greylog.2055: UDP, length 72
22:40:26.134723 IP 10.20.1.1.2055 > greylog.2055: UDP, length 408
22:40:26.388051 IP 10.20.1.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300
22:40:27.634478 IP 10.20.1.1.2055 > greylog.2055: UDP, length 120
22:40:31.634352 IP 10.20.1.1.2055 > greylog.2055: UDP, length 168


Hey @ahsan

What port are you using for the input? If it's port 514, it's a privileged port.

I am using the standard UDP 2055 for NetFlow on both the Graylog input and the MikroTik.
