Re: help getting started - no data...

From: Dave Plonka (plonka@doit.wisc.edu)
Date: Fri Nov 03 2000 - 06:58:12 PST

    On Fri, Nov 03, 2000 at 01:10:12PM +0000, Sheryl Zimmermann wrote:
    > Really hope someone can help!
    >
    > Everything appears to have compiled OK.
    > I'm running 12.01 (11) on a 3600 router. I am exporting to my host
    > using port 2055.

    How did you configure the Cisco? Something like this?

       ip flow-export version 5 peer-as
       ip flow-export destination 10.0.0.1 2055

    The "version 5" bit is important if you want to use Cflow.pm and
    flowdumper as you say below.

    > When I do a
    > "sh ip flow export", everything looks good.
    > when I run snoop on my sun host (running 2.7) where both cfdcollect and
    > cflowd are running, it shows a large number of udp packets coming in on
    > port 2055.

    Cool - that's the right thing to check.

    > I have flow files being created as per my specs in cflowd.conf. But no
    > arts files.

    If all you're running is cflowdmux and cflowd, I think you just get raw
    flow files. (The other stuff needs you to run artsagg, but I'm no
    expert on that since I don't use it.)

    > And when I use the sample perl script that Dave Plonka gave Cflow.pm
    > (changed to TCP and port 80), I get the following results:
    > XXXX.flows.0: Invalid index in flow data file: 0! Version 5 flow-export
    > is required with *all* data being saved using the COLLECT field of the
    > CISCOEXPORTER stanza(s)!

    Hmm... I'm thinking that your raw flow files are empty... IIRC, cflowd
    will extend them out to the max size initially, even if no flows are
    contained there-in.

    You did start cflowdmux, no? If not, I've attached a sample "rc"
    script for Solaris that you can put in init.d and use to start and stop
    cflowdmux and cflowd. (You have to set the proper paths at the top.)

    If you are running cflowdmux, does the "flowdump" utility that comes
    with cflowd (instead of my "flowdumper" perl script) show anything in
    the raw flow files?

    > My CISCOEXPORTER stanza reads:
    > CISCOEXPORTER {
    >   HOST: XXX.XXX.XXX.XXX          # IP address of Cisco sending data.
    >   ADDRESSES: {XXX.XXX.XXX.XXX ,  # Addresses of interfaces on Cisco
    >               XXX.XXX.XXX.XXX,
    >               XXX.XXX.XXX.XXX}   # sending data.
    >   CFDATAPORT: 2055               # Port on which to listen for data.
    >   SNMPCOMM: 'PUBLIC'             # SNMP community name.
    >   COLLECT: { flows }
    > }

    Looks fine...
     
    > (excuse the XXX's, but need to protect the innocent!)
    >
    > I am receiving no messages from the syslog.

    None? That's not good, you should at least configure "syslog.conf" so
    you get even the informational messages and such. I believe the
    default syslog facility that cflowd uses is LOCAL6.

    For instance, yesterday when I brought up cflowd-2-1-b1 for testing I
    got this:

       Nov 2 08:52:07 localhost cflowdmux[30571]: [I] cflowdmux (version cflowd-2-1-b1) started.
       Nov 2 08:52:07 localhost cflowdmux[30571]: [I] created 1052672 byte packet queue shmem segment {CflowdPacketQueue.cc:247}
       Nov 2 08:52:07 localhost cflowdmux[30571]: [I] attached to 1052672 byte packet queue at 0x40119000
       Nov 2 08:52:07 localhost cflowdmux[30571]: [I] created semaphore: id 2049
       Nov 2 08:52:07 localhost cflowdmux[30571]: [I] set UDP recv queue to 261040 bytes for fd 4 (port 2057)
       Nov 2 08:52:07 localhost cflowd[30579]: [I] cflowd (version cflowd-2-1-b1) started.
       Nov 2 08:52:07 localhost cflowd[30579]: [I] got semaphore: id 2049
       Nov 2 08:52:07 localhost cflowd[30579]: [I] attached to 1052672 byte packet queue

    Dave

    -- 
    plonka@doit.wisc.edu  http://net.doit.wisc.edu/~plonka  ARS:N9HZF  Madison, WI
    --
    cflowd mailing list
    cflowd@caida.org
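
Added example, not part of the original message and not code from cflowd or Cflow.pm: a stand-alone Python check that a captured export datagram really is NetFlow version 5, using the standard v5 layout (24-byte header, 48-byte records), followed by the TCP/port 80 filter mentioned in the thread. The function names and the sample datagram (documentation addresses, private AS numbers) are constructed for illustration.

```python
import socket
import struct

# NetFlow v5 layout (24-byte header, 48-byte records), network byte order.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_v5(datagram):
    """Return (header, flows); raise ValueError on anything that is not valid v5."""
    if len(datagram) < HEADER.size:
        raise ValueError("short datagram: %d bytes" % len(datagram))
    version, count, _, secs, _, seq, _, _, _ = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("export version %d, not 5" % version)
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match count=%d" % count)
    header = {"count": count, "unix_secs": secs, "flow_sequence": seq}
    flows = []
    for i in range(count):
        r = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
            "packets": r[5], "octets": r[6], "srcport": r[9], "dstport": r[10],
            "protocol": r[13], "src_as": r[15], "dst_as": r[16],
        })
    return header, flows


def tcp_port_80(flows):
    """Flows the thread's filter (TCP, port 80) would select."""
    return [f for f in flows if f["protocol"] == 6 and 80 in (f["srcport"], f["dstport"])]


def sample_datagram():
    """Constructed sample: one v5 datagram carrying two flows."""
    hdr = HEADER.pack(5, 2, 1000, 973263492, 0, 42, 0, 0, 0)
    web = RECORD.pack(socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"),
                      socket.inet_aton("0.0.0.0"), 1, 2, 12, 3400, 100, 900,
                      40000, 80, 0, 0x1B, 6, 0, 64500, 64501, 24, 24, 0)
    dns = RECORD.pack(socket.inet_aton("192.0.2.11"), socket.inet_aton("198.51.100.53"),
                      socket.inet_aton("0.0.0.0"), 1, 2, 1, 70, 200, 200,
                      33000, 53, 0, 0, 17, 0, 64500, 64501, 24, 24, 0)
    return hdr + web + dns


if __name__ == "__main__":
    header, flows = parse_v5(sample_datagram())
    print(header, tcp_port_80(flows))
```

A datagram that fails the version check here points at the exporter configuration rather than at the collector.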
    



    This archive was generated by hypermail 2b29 : Fri Nov 03 2000 - 07:14:31 PST