Re: help getting started - no data...

From: Dave Plonka (plonka@doit.wisc.edu)
Date: Fri Nov 03 2000 - 10:04:59 PST


    On Fri, Nov 03, 2000 at 04:11:57PM +0100, Zimmerman, Sheryl Ms. wrote:
    > Nope, no messages to the syslog (left the LOGFACILITY at local6, did a
    > change to the syslog.conf, to log it to /var/adm/messages and did a kill
    > -HUP pid on the syslogd)

    Well, cflowd *is* logging informational messages on startup, so if the
    LOGFACILITY is as local6 then it must be syslog misconfiguration/
    misbehavior that is causing them not to be written to a log file.

    Personally, I see them in this "catch all" logfile (under Linux):

       *.=info;*.=notice;*.=warn;\
            auth,authpriv.none;\
            cron,daemon.none;\
            mail,news.none -/var/log/messages

    Because all "info" messages go there.

    > even after the following:
    > % ps -ef | grep cfl
    > szim 11904 1 0 12:54:03 pts/6 0:04 ./cflowdmux
    > /apps/cflowd-2-1-b1/etc/cflowd.conf
    > szim 11906 1 0 12:54:08 pts/6 0:11 ./cflowd
    > /apps/cflowd-2-1-b1/etc/cflowd.conf
    > szim 11908 1 0 12:54:12 pts/6 0:00 ./cfdcollect
    > /apps/cflowd-2-1-b1/etc/cfdcollect.conf
    > szim 12315 488 0 15:03:27 pts/6 0:00 grep cfl

    Good, then your processes are up and running.

    <snip>
    > flowdump seems to show data:
    > FLOW
    > index: 0xc7ffff
    > router: XXX.XXX.XXX.XXX
    > src IP: XXX.XXX.XXX.XXX
    > dst IP: XXX.XXX.XXX.XXX
    > input ifIndex: 1
    > output ifIndex: 2
    > src port: 53
    > dst port: 2797
    > pkts: 1
    > bytes: 66
    > IP nexthop: XXX.XXX.XXX.XXX
    > start time: Fri Nov 3 15:07:28 2000
    > end time: Fri Nov 3 15:07:28 2000
    > protocol: 17
    > tos: 0
    > src AS: 0
    > dst AS: 0
    > src masklen: 24
    > dst masklen: 0
    > TCP flags: 0x10
    > engine type: 0
    > engine id: 0
    > etc...

    That looks good. I think you'll find now that my flowdumper script
    would handle _that_ raw flow just fine too, since you are apparently
    correctly using version 5 flows and collecting all flow fields as
    is indicated by "index: 0xc7ffff".

    > One thing I'm confused about though is why protocol is showing up when we've
    > set the stanza to just collect flows?

    Those fields are all part of the version 5 flow. When you say:

       COLLECT: { flows }

    you are telling cflowd that you'd like it to retain all available flow
    fields when it re-writes the flows into raw flow files using its own
    format. IMO, this is exactly what you want.

    The fact that protocol info is shown when you examine the raw flows has
    nothing to do with whether or not you are accumulating and aggregating
    counters by protocol.

    So, at this point I don't see a problem...
    In your previous post it seemed as though you weren't getting flows in
    your raw files, but the flowdump output above shows that it is
    working.

    AFAIK, you have these options:

    1) Use cfdcollect and ARTS++ aggregation, etc.
       In this case I won't be of much use to you, but others on the list
       can help.

    2) Use FlowScan with its CampusIO and/or SubNetIO reports which use
       RRDtool for counters, aggregation, and graphs.

    3) Do both.

    Dave

    -- 
    plonka@doit.wisc.edu  http://net.doit.wisc.edu/~plonka  ARS:N9HZF  Madison, WI
    --
    cflowd mailing list
    cflowd@caida.org
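As an added example (not code from the cflowd project or from this post), the following Python decodes a NetFlow version 5 export, the flow format the reply above says the router is sending, and renders each record in the field order flowdump uses. The packet bytes, the timestamps and the 192.0.2.x / 198.51.100.x addresses are constructed to mirror the quoted record; the collector normally learns "router" from the UDP source, so that field is not in the record itself.

```python
# Constructed NetFlow v5 parser; the sample packet is made up to mirror the
# record quoted in the thread (udp/53 -> 2797, 1 pkt, 66 bytes, flags 0x10).
import struct
import socket
from datetime import datetime, timezone

HDR_FMT = "!HHIIIIBBH"                # 24-byte v5 export header
REC_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # 48-byte v5 flow record
HDR_LEN = struct.calcsize(HDR_FMT)
REC_LEN = struct.calcsize(REC_FMT)

def parse_v5(pkt):
    """Return one dict per flow record, or raise ValueError on a bad export."""
    if len(pkt) < HDR_LEN:
        raise ValueError("short header")
    (ver, count, uptime, secs, nsecs, seq,
     etype, eid, sampling) = struct.unpack(HDR_FMT, pkt[:HDR_LEN])
    if ver != 5:
        raise ValueError(f"not a version 5 export: {ver}")
    if len(pkt) != HDR_LEN + count * REC_LEN:
        raise ValueError("record count does not match packet length")
    boot = secs + nsecs / 1e9 - uptime / 1000.0   # router boot time (epoch s)
    flows = []
    for i in range(count):
        off = HDR_LEN + i * REC_LEN
        (src, dst, nh, inp, outp, pkts, octets, first, last, sport, dport,
         _pad1, flags, proto, tos, sas, das, smask, dmask, _pad2) = \
            struct.unpack(REC_FMT, pkt[off:off + REC_LEN])
        flows.append({
            "src IP": socket.inet_ntoa(src), "dst IP": socket.inet_ntoa(dst),
            "input ifIndex": inp, "output ifIndex": outp,
            "src port": sport, "dst port": dport, "pkts": pkts, "bytes": octets,
            "IP nexthop": socket.inet_ntoa(nh),
            "start time": datetime.fromtimestamp(boot + first / 1000.0, timezone.utc),
            "end time": datetime.fromtimestamp(boot + last / 1000.0, timezone.utc),
            "protocol": proto, "tos": tos, "src AS": sas, "dst AS": das,
            "src masklen": smask, "dst masklen": dmask, "TCP flags": flags,
            "engine type": etype, "engine id": eid,
        })
    return flows

def flowdump(flows):
    """Render records the way flowdump prints them (one FLOW block each)."""
    return "\n".join("FLOW\n" + "\n".join(f"{k}: {v}" for k, v in f.items())
                     for f in flows)

# Constructed sample: exported 10 s after router boot, at 2000-11-03 14:07:28 UTC
# (15:07:28 in the +0100 zone of the quoted output); flow started/ended at export.
SAMPLE = struct.pack(HDR_FMT, 5, 1, 10000, 973260448, 0, 1, 0, 0, 0) + struct.pack(
    REC_FMT, socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"),
    socket.inet_aton("192.0.2.1"), 1, 2, 1, 66, 10000, 10000, 53, 2797,
    0, 0x10, 17, 0, 0, 0, 24, 0, 0)
```

Calling `print(flowdump(parse_v5(SAMPLE)))` reproduces the quoted layout; feeding it a UDP payload captured from the router (the collector listens on the port cflowd.conf names) decodes real exports the same way.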
    



    This archive was generated by hypermail 2b29 : Fri Nov 03 2000 - 10:13:06 PST