Nope, no messages to the syslog (left the LOGFACILITY at local6, did a
change to the syslog.conf, to log it to /var/adm/messages and did a kill
-HUP pid on the syslogd) even after the following:
% ps -ef | grep cfl
szim 11904 1 0 12:54:03 pts/6 0:04 ./cflowdmux /apps/cflowd-2-1-b1/etc/cflowd.conf
szim 11906 1 0 12:54:08 pts/6 0:11 ./cflowd /apps/cflowd-2-1-b1/etc/cflowd.conf
szim 11908 1 0 12:54:12 pts/6 0:00 ./cfdcollect /apps/cflowd-2-1-b1/etc/cfdcollect.conf
szim 12315 488 0 15:03:27 pts/6 0:00 grep cfl
% kill -TERM 11904 11906 11908
% ./cflowdmux /apps/cflowd-2-1-b1/etc/cflowd.conf
% ./cflowd /apps/cflowd-2-1-b1/etc/cflowd.conf
% ./cfdcollect /apps/cflowd-2-1-b1/etc/cfdcollect.conf
(I'm running a tail -f and nothing has come through...)
flowdump seems to show data:
FLOW
index: 0xc7ffff
router: XXX.XXX.XXX.XXX
src IP: XXX.XXX.XXX.XXX
dst IP: XXX.XXX.XXX.XXX
input ifIndex: 1
output ifIndex: 2
src port: 53
dst port: 2797
pkts: 1
bytes: 66
IP nexthop: XXX.XXX.XXX.XXX
start time: Fri Nov 3 15:07:28 2000
end time: Fri Nov 3 15:07:28 2000
protocol: 17
tos: 0
src AS: 0
dst AS: 0
src masklen: 24
dst masklen: 0
TCP flags: 0x10
engine type: 0
engine id: 0
etc...
One thing I'm confused about though is why protocol is showing up when we've
set the stanza to just collect flows?
Shery Zimmerman - Litton PRC
5th Signal TNOC - Design and Performance
DSN 380-4034
> -----Original Message-----
> From: Dave Plonka [SMTP:plonka@doit.wisc.edu]
> Sent: Friday, November 03, 2000 3:58 PM
> To: cflowd@caida.org
> Cc: zimmermans@hq.5sigcmd.army.mil; hamiltona@hq.5sigcmd.army.mil
> Subject: Re: help getting started - no data...
>
> On Fri, Nov 03, 2000 at 01:10:12PM +0000, Sheryl Zimmermann wrote:
> > Really hope someone can help!
> >
> > Everything appears to have compiled OK.
> > I'm running 12.01 (11) on a 3600 router. I am exporting to my host
> > using port 2055.
>
> How did you configure the Cisco? Something like this?
>
> ip flow-export version 5 peer-as
> ip flow-export destination 10.0.0.1 2055
>
> The "version 5" bit is important if you want to use Cflow.pm and
> flowdumper as you say below.
>
> > When I do a
> > "sh ip flow export", everything looks good.
> > when I run snoop on my sun host (running 2.7) where both cfdcollect and
> > cflowd are running, it shows a large number of udp packets coming in on
> > port 2055.
>
> Cool - that's the right thing to check.
>
> > I have flow files being created as per my specs in cflowd.conf. But no
> > arts files.
>
> If all you're running is cflowdmux and cflowd, I think you just get raw
> flow files. (The other stuff needs you to run artsagg, but I'm no
> expert on that since I don't use it.)
>
> > And when I use the sample perl script that Dave Plonka gave Cflow.pm
> > (changed to TCP and port 80), I get the following results:
> > XXXX.flows.0: Invalid index in flow data file: 0! Version 5 flow-export
> > is required with *all* data being saved using the COLLECT field of the
> > CISCOEXPORTER stanza(s)!
>
> Hmm... I'm thinking that your raw flow files are empty... IIRC, cflowd
> will extend them out to the max size initially, even if no flows are
> contained there-in.
>
> You did start cflowdmux, no? If not, I've attached a sample "rc"
> script for Solaris that you can put in init.d and use to start and stop
> cflowdmux and cflowd. (You have to set the proper paths at the top.)
>
> If you are running cflowdmux, does the "flowdump" utility that comes
> with cflowd (instead of my "flowdumper" perl script) show anything in
> the raw flow files?
>
> > My CISCOEXPORTER stanza reads:
> > CISCOEXPORTER {
> >   HOST: XXX.XXX.XXX.XXX # IP address of Cisco sending data.
> >   ADDRESSES: {XXX.XXX.XXX.XXX , # Addresses of interfaces on Cisco
> >   XXX.XXX.XXX.XXX,
> >   XXX.XXX.XXX.XXX} # sending data.
> >   CFDATAPORT: 2055 # Port on which to listen for data.
> >   SNMPCOMM: 'PUBLIC' # SNMP community name.
> >   COLLECT: { flows }
> > }
>
> Looks fine...
>
> > (excuse the XXX's, but need to protect the innocent!)
> >
> > I am receiving no messages from the syslog.
>
> None? That's not good, you should at least configure "syslog.conf" so
> you get even the informational messages and such. I believe the
> default syslog facility that cflowd uses is LOCAL6.
>
> For instance, yesterday when I brought up cflowd-2-1-b1 for testing I
> got this:
>
> Nov 2 08:52:07 localhost cflowdmux[30571]: [I] cflowdmux (version cflowd-2-1-b1) started.
> Nov 2 08:52:07 localhost cflowdmux[30571]: [I] created 1052672 byte packet queue shmem segment {CflowdPacketQueue.cc:247}
> Nov 2 08:52:07 localhost cflowdmux[30571]: [I] attached to 1052672 byte packet queue at 0x40119000
> Nov 2 08:52:07 localhost cflowdmux[30571]: [I] created semaphore: id 2049
> Nov 2 08:52:07 localhost cflowdmux[30571]: [I] set UDP recv queue to 261040 bytes for fd 4 (port 2057)
> Nov 2 08:52:07 localhost cflowd[30579]: [I] cflowd (version cflowd-2-1-b1) started.
> Nov 2 08:52:07 localhost cflowd[30579]: [I] got semaphore: id 2049
> Nov 2 08:52:07 localhost cflowd[30579]: [I] attached to 1052672 byte packet queue
>
> Dave
>
> --
> plonka@doit.wisc.edu http://net.doit.wisc.edu/~plonka ARS:N9HZF
> Madison, WI
-- cflowd mailing list cflowd@caida.org
This archive was generated by hypermail 2b29 : Fri Nov 03 2000 - 07:24:34 PST
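
Added example (not part of the original thread, and not cflowd or syslogd code): a small checker for whether a syslog.conf would deliver the LOCAL6 informational messages discussed above to any action. It is a simplified model of classic selector matching; it assumes the "[I]" messages are logged at "info" severity and that syslogd requires a tab between selector and action, as documented for Solaris syslog.conf. The function name and the sample configurations are constructed for illustration.

```python
# Added example: simplified model of classic syslog.conf selector matching.
# Sample configurations are constructed; they are not from the thread.
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def audit(conf_text, facility="local6", level="info"):
    """Return (actions that would receive facility.level, warnings)."""
    msg_rank = SEVERITY.index(level)
    actions, warnings = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "\t" not in line:
            # Assumption: syslogd needs a tab between selector and action,
            # so a space-separated rule never takes effect.
            if len(line.split()) >= 2:
                warnings.append(f"line {lineno}: no tab between selector and action")
            continue
        selectors, action = line.split("\t", 1)
        matched = False
        for sel in selectors.split(";"):
            facs, _, lvl = sel.strip().rpartition(".")
            if not {facility, "*"} & set(facs.split(",")):
                continue
            # A selector level matches that severity and anything more severe;
            # "none" (or an unknown keyword) switches the facility off again.
            # Wildcard levels are not modelled here.
            matched = lvl in SEVERITY and msg_rank <= SEVERITY.index(lvl)
        if matched:
            actions.append(action.strip())
    return actions, warnings


GOOD = "*.err;kern.notice;auth.notice\t/dev/sysmsg\nlocal6.info\t/var/adm/messages\n"
SPACES = "local6.info    /var/adm/messages\n"
TOO_HIGH = "local6.err\t/var/adm/messages\n"
EXCLUDED = "*.debug;local6.none\t/var/adm/messages\n"

if __name__ == "__main__":
    for name, conf in [("good", GOOD), ("spaces", SPACES),
                       ("too_high", TOO_HIGH), ("excluded", EXCLUDED)]:
        print(name, audit(conf))
```

An empty action list for a configuration means informational LOCAL6 messages are dropped before they reach any file, even after syslogd has been sent a HUP.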