RE: help getting started - no data...

From: Zimmerman, Sheryl Ms. (ZimmermanS@hq.5sigcmd.army.mil)
Date: Fri Nov 03 2000 - 07:00:36 PST


    As per -
    from show running:
    Global:
    ip flow-export destination <Cflowd host> 2055
    ip flow-export source Loopback0
    ip flow-export version 5

    sh ip flow ex
    Flow export is enabled
      Exporting flows to <Cflowd host> (2055)
      Exporting using source interface Loopback0
      Version 5 flow records
      145237103 flows exported in 5754037 udp datagrams
      0 flows failed due to lack of export packet
      335315 export packets were sent up to process level
      0 export packets were dropped due to no fib
      0 export packets were dropped due to adjacency issues

    sh ip cache fl
    IP packet size distribution (10984M total packets):
        1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
        .003 .470 .163 .057 .050 .029 .009 .009 .008 .006 .005 .012 .008 .010 .003

         512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
        .004 .003 .013 .032 .097 .000 .000 .000 .000 .000 .000

    IP Flow Switching Cache, 278544 bytes
      1436 active, 2660 inactive, 927489646 added
      4104297107 ager polls, 0 flow alloc failures
      last clearing of statistics never
    Protocol        Total  Flows Packets Bytes Packets Active(Sec) Idle(Sec)
    --------        Flows   /Sec   /Flow  /Pkt    /Sec       /Flow     /Flow
    TCP-Telnet    4955090    1.1      20    85    23.7        16.8      13.6
    TCP-FTP       3757533    0.8       9    70     7.9         6.4       8.9
    TCP-FTPD       986215    0.2     166   719    38.3        21.6      10.5
    TCP-WWW     362557706   84.4       9   176   796.5         5.1       6.3
    TCP-SMTP     11003587    2.5      36   738    92.2        11.1       8.1
    TCP-X           42976    0.0      35   250     0.3        18.7      13.9
    TCP-BGP        588446    0.1       2    75     0.3         6.7      15.8
    TCP-NNTP       265387    0.0     300   846    18.5        58.2      14.6
    TCP-Frag         1788    0.0      13   155     0.0         6.2      15.8
    TCP-other   130323660   30.3      30   326   935.0        13.5      12.3
    UDP-DNS     137480917   32.0       7   113   248.0         3.5      15.7
    UDP-NTP       7875554    1.8       1    75     1.9         0.1      15.6
    UDP-TFTP        11717    0.0       3    52     0.0         6.0      13.8
    UDP-Frag        37523    0.0      11  1224     0.1         2.9      15.6
    UDP-other   216727779   50.4       6   168   344.6         4.7      15.6
    ICMP         46501908   10.8       2    75    30.9         4.6      15.6
    IGMP              458    0.0      10  1296     0.0         0.2      15.8
    IPINIP              2    0.0       1  1454     0.0         0.0      15.2
    GRE             18048    0.0     107   182     0.4        51.9      15.6
    IP-other       586927    0.1     133   130    18.1        92.8      15.2
    Total:      923723221  215.0      11   254  2557.5         6.1      11.4

    SrcIf    SrcIPaddress    DstIf    DstIPaddress    Pr SrcP DstP  Pkts
    ....
    Gobs of data to follow.

    The output from "sh ip cache flow" is identical on the routers exporting
    either via NFCollector or Cflowd. Should they be? I'm currently only asking
    the router to export flows in cflowd.conf, so why does it show protocols,
    unless this is a residual from NFCollector?

    Much obliged! Shery
    Shery Zimmerman - Litton PRC
    5th Signal TNOC - Design and Performance
    DSN 380-4034

    > -----Original Message-----
    > From: Mark Borchers [SMTP:mborchers@splitrock.net]
    > Sent: Friday, November 03, 2000 3:50 PM
    > To: 'zimmermans@hq.5sigcmd.army.mil'
    > Subject: RE: help getting started - no data...
    >
    > I'm not a cflowd expert (yet) but I do have some experience using
    > Cisco Netflow with their commercial Collector and Analyzer products.
    > If you think there is any chance your router config needs to be
    > QA'ed, why don't you paste the relevant lines from your Cisco config
    > file, along with the output of "show ip flow export" into a message.
    >
    >
    > -----Original Message-----
    > From: Sheryl Zimmermann [mailto:szim@tnoc.5sigcmd.army.mil]
    > Sent: Friday, November 03, 2000 7:44 AM
    > To: cflowd@caida.org; dwm@caida.org
    > Subject: Re: help getting started - no data...
    >
    >
    >
    > Please forgive my presumption - I am getting the following dead.letter
    > errors, and I could really use some help!
    >
    > ----- The following addresses had permanent fatal errors -----
    > "|/home/petidomo/bin/hermes cflowd"
    > (expanded from: <cflowd@caida.org>)
    >
    > ----- Transcript of session follows -----
    > or... User unknown
    > /no/such/directory/dead.letter... cannot open
    > /no/such/directory/dead.letter: No such file or directory
    >
    >
    > Really hope someone can help!
    >
    > Everything appears to have compiled OK.
    > I'm running 12.01 (11) on a 3600 router. I am exporting to my host using
    > port 2055. When I do a "sh ip flow export", everything looks good.
    > When I run snoop on my sun host (running 2.7) where both cfdcollect and
    > cflowd are running, it shows a large number of udp packets coming in on
    > port 2055.
    > I have flow files being created as per my specs in cflowd.conf. But no
    > arts files.
    > And when I use the sample perl script that Dave Plonka gave Cflow.pm
    > (changed to TCP and port 80), I get the following results:
    > XXXX.flows.0: Invalid index in flow data file: 0! Version 5 flow-export is
    > required with *all* data being saved using the COLLECT field of the
    > CISCOEXPORTER stanza(s)!
    >
    >
    > My CISCOEXPORTER stanza reads:
    > CISCOEXPORTER {
    >   HOST: XXX.XXX.XXX.XXX            # IP address of Cisco sending data.
    >   ADDRESSES: {XXX.XXX.XXX.XXX,     # Addresses of interfaces on Cisco
    >               XXX.XXX.XXX.XXX,
    >               XXX.XXX.XXX.XXX}     # sending data.
    >   CFDATAPORT: 2055                 # Port on which to listen for data.
    >   SNMPCOMM: 'PUBLIC'               # SNMP community name.
    >   COLLECT: { flows }
    > }
    >
    >
    > (excuse the XXX's, but need to protect the innocent!)
    >
    >
    > I am receiving no messages from the syslog.
    >
    > Also, the shared memory and semaphores appear correct when we do an
    > ipcs -a, as well as the ports looking as they should (netstat -an, snoop).
    > This router WAS configured prior to this for exporting Protocol and
    > DetailHostMatrix data in binary to an NFC. Would that have any effect on
    > how cflowd goes to gather data now?
    >
    >
    >
    > Can someone please point me to what might be going wrong??
    >
    >
    >
    > --
    >
    >
    >
    > Shery Zimmerman - Litton PRC
    >
    > 5th Signal TNOC - Design and Performance
    >
    > DSN 380-4034
    >
    >
    >

    --
    cflowd mailing list
    cflowd@caida.org
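
Added example, not part of the original messages and not cflowd or Cflow.pm code: a Python check that a UDP payload captured on port 2055 is a well-formed NetFlow version 5 export datagram, which is what the error quoted in the thread says is required. The names parse_v5 and build_sample are hypothetical, and the sample datagram is constructed here with documentation addresses.

```python
import socket
import struct

# NetFlow version 5 wire layout (network byte order).
V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte datagram header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record
MAX_RECORDS = 30                                       # v5 limit per datagram


def parse_v5(datagram):
    """Return (header, flows) for a v5 export datagram; raise ValueError otherwise."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short datagram: %d bytes" % len(datagram))
    version, count, _uptime, secs, _nsecs, seq, _etype, _eid, _samp = \
        V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("export version is %d, not 5" % version)
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError("implausible record count %d" % count)
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("length %d does not match count %d" % (len(datagram), count))
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "packets": f[5], "octets": f[6],
            "srcport": f[9], "dstport": f[10], "proto": f[13],
        })
    return {"version": version, "count": count, "unix_secs": secs,
            "flow_sequence": seq}, flows


def build_sample(version=5):
    """Constructed one-record datagram (documentation addresses, TCP to port 80)."""
    header = V5_HEADER.pack(version, 1, 1000, 973263636, 0, 42, 0, 0, 0)
    record = V5_RECORD.pack(
        socket.inet_aton("192.0.2.1"), socket.inet_aton("198.51.100.7"), bytes(4),
        1, 2, 9, 1584, 100, 900, 1025, 80, 0, 0x1B, 6, 0, 0, 0, 0, 0, 0)
    return header + record


if __name__ == "__main__":
    hdr, flows = parse_v5(build_sample())
    print(hdr, flows)
    for bad in (build_sample(version=1), build_sample()[:40]):
        try:
            parse_v5(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

Gaps in flow_sequence between successive datagrams from one exporter indicate export packets lost before they reached the collector.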
    



    This archive was generated by hypermail 2b29 : Fri Nov 03 2000 - 07:13:44 PST