
Remote sensor and netflow.


edited October 2014 in AlienVault USM Appliance > Sensor

I'm pretty new to OSSIM so there might be obvious mistakes that I haven't taken into account.

First, let me explain what I want to do.

I have installed an OSSIM server with three nic cards.

One for management with ip
One for Log collection & Scanning with ip
One for network monitoring on promisc mode with port mirroring that receives data from all the net

On alienvault-setup I configure them accordingly, activating netflow generator on port 555. After that I go to
Configuration - AlienVault components - Sensors

And check whether netflow is activated or not; it is, and by default it's on port 12000.

I activate my net, scan for assets, IDS monitoring, etc. After that, I check the netflow tab and it works correctly.

So far, so good.

Now, the problem arises when I try to do the same thing on a sensor.

I set up a sensor installation on a server that has two nic cards.

First NIC card has an IP within the range of the server (so they can see each other and communicate)

Second nic card on promisc mode that receives data from a different net (

I configure the sensor on alienvault-setup telling that the second nic card monitors and that the IP address
of the server and the framework is, I activate netflow on alienvault-setup again with 555 as port. I then proceed to check the sensor on the framework and activate netflow
and assign the port 12000, so the sensor is detected and added to the server. I then proceed to scan assets, etc.

And well, it never shows anything on the netflow framework. I tried following this guide:


But nothing. I did check that traffic is going to the server on port 555 from the sensor, but nothing shows up.

Can somebody give me some pointers?


Best Answer

  • Answer ✓
    That seems to be the problem then. When a sensor is configured for netflow collection, a service called fprobe is started to generate the flows. Please run this on both of your sensors:

    ps aux|grep fprobe

    You should see something like this:

    root       597  0.0  0.1  47336  6168 ?        Ssl  10:12   0:08 /usr/sbin/fprobe -ieth0 -fip

    Notice that it will list the interface that it is listening on (eth0 in this case), and the ip:port that it sends the flows to ( and port 555 in this case). This ip:port should be where nfcapd is listening.

    In your case, ip should be, but the port number is likely to be 555, since you are seeing traffic there. 

    As nfcapd is listening on port 12000 and 12001, you will need to match it on the sensor. Run alienvault-setup, choose Configure Sensor > Enable Netflow Generator, choose yes then change the port number.   


  • You need a different port number for each sensor that's generating netflow data; they cannot both be using 12000.

    On your OSSIM server, if you run 'ps aux|grep nfcapd', what do you get?
  • Hi, I have different port numbers on each generator. One uses 12000 and the other 12001. Sorry for the typo.

    Doing a ps aux|grep nfcapd

    shows me both nfcapd listening on 12000 and 12001.

    Also, I checked with:
    tcpdump -i eth0 -n 'host and port 555'
    And it shows traffic.
  • Do you see traffic on both port 12000 and 12001 using tcpdump?
  • Nothing there.
  • Sorry for the delay. That pretty much solved it all. Thanks!
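
The check described in the best answer, as an added example that is not part of the original thread: it compares the port in the fprobe command line on the sensor with the ports nfcapd was started with on the server. The function names, the ps sample lines, the address 192.0.2.10 and the -l paths are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: does the port fprobe exports to have an nfcapd listener?
# The ps lines below are constructed samples; 192.0.2.10 and the -l paths
# are placeholders, not values from the thread.
SENSOR_PS='root 597 0.0 0.1 47336 6168 ? Ssl 10:12 0:08 /usr/sbin/fprobe -ieth1 -fip 192.0.2.10:555'
SERVER_PS='root 801 0.0 0.1 9000 900 ? S 10:00 0:00 /usr/bin/nfcapd -p 12000 -l /tmp/flows/a
root 802 0.0 0.1 9000 900 ? S 10:00 0:00 /usr/bin/nfcapd -p 12001 -l /tmp/flows/b'

# Port of every collector target (host:port) that follows the fprobe binary.
# Only arguments after "fprobe" count, so ps time fields like 10:12 are ignored.
fprobe_ports() {
    awk '{ seen = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ "(^|/)fprobe$") { seen = 1; continue }
            if (seen && $i !~ /^-/ && $i ~ ":[0-9]+(/|$)") {
                split($i, hp, ":"); split(hp[2], p, "/"); print p[1]
            }
        } }'
}

# Port given to each nfcapd process with -p.
nfcapd_ports() {
    awk '{ seen = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ "(^|/)nfcapd$") { seen = 1; continue }
            if (seen && $i == "-p" && i < NF) print $(i + 1)
        } }'
}

# check_flow_ports SENSOR_PS SERVER_PS
# 0 = every export port has a listener, 1 = mismatch, 2 = no fprobe found.
check_flow_ports() {
    local exports listeners port rc=0
    exports=$(printf '%s\n' "$1" | fprobe_ports)
    listeners=$(printf '%s\n' "$2" | nfcapd_ports)
    [ -n "$exports" ] || { echo "no fprobe process found"; return 2; }
    for port in $exports; do
        if printf '%s\n' "$listeners" | grep -qx "$port"; then
            echo "OK: fprobe exports to $port and nfcapd listens there"
        else
            echo "MISMATCH: fprobe exports to $port, nfcapd listens on:" $listeners
            rc=1
        fi
    done
    return $rc
}

check_flow_ports "$SENSOR_PS" "$SERVER_PS" || true
```

On a live system, pass the output of `ps aux` from the sensor as the first argument and from the server as the second.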