Re: cflowdmux running without errors but no data coming in

From: frank hellemink (druid@helms-deep.chello.com)
Date: Mon Jun 11 2001 - 05:04:54 PDT

    Hi Halldor,

    I don't think your cflowdmux is working properly. You should see
    something with flowwatch and flowdmp and you didn't. This would also explain
    the fact that cfdcollect is writing nothing in your artsfiles. Even though it
    does say in the log file that it is writing data, that doesn't mean it is. I have
    seen this behavior before. Make sure that every time that you restart
    cfdcollect and cflowd you also restart cflowdmux. This avoids a lot of
    unexplainable problems.

    I would suggest to go step by step through your router config and server
    config and then restart cflowdmux, cflowd and cfdcollect (in that order).

    You have probably done this already but I can't think of anything else :-(

    regards,

    Frank

    At 10:42 11-6-2001 +0000, Halldór Högnason wrote:

    >They are of size 0. I have cflowd, cflowdmux and cfdcollect running without
    >any errors. Currently
    >the arts files are of zero size ....
    >
    >total 8
    >drwxr-xr-x 2 root root 4096 Jun 11 00:00 .
    >drwxr-xr-x 4 root root 4096 Jun 8 01:37 ..
    >-rw-r--r-- 1 root root 0 Jun 8 01:37 arts.20010608
    >-rw-r--r-- 1 root root 0 Jun 9 00:00 arts.20010609
    >-rw-r--r-- 1 root root 0 Jun 10 00:00 arts.20010610
    >-rw-r--r-- 1 root root 0 Jun 11 00:00 arts.20010611
    >[halldor@halflife cflowd]$
    >
    >and my cfdcollect config is,...,
    >
    >#---------------------------------------------------------------------------
    ># An example system stanza.
    >#---------------------------------------------------------------------------
    >system {
    > logFacility: local6 # Syslog to local6 facility.
    > dataDirectory: /usr/local/arts/data/cflowd
    > filePrefix: arts
    > pidFile: /usr/local/arts/etc/cfdcollect.pid
    >}
    >
    >#---------------------------------------------------------------------------
    ># An example cflowd stanza for the case where cflowd is running on the
    ># local host.
    >#---------------------------------------------------------------------------
    >cflowd {
    > host: localhost
    > tcpCollectPort: 2056
    > minPollInterval: 300
    >}
    >
    >Kindest regards and for the help you are providing me,
    >
    >Halldor Karl Hognason
    >
    >Halldor Karl Hognason E.E.
    >Islandssimi hf.
    >Borgartun 30
    >105 Reykjavik
    >ICELAND
    >
    >E-mail: halldor.hognason@islandssimi.is
    >Tel: +354 5955016
    >Mob: +354 820 5016
    >Fax: +354 5955050
    >
    >
    >frank hellemink <druid@helms-deep.chello.com>
    >11.06.2001 10:06
    >To: "Halldór Högnason" <Halldor.Hognason@islandssimi.is>
    >cc: cflowd@caida.org
    >Subject: Re: cflowdmux running without errors but no data coming in
    >
    >how do your artsfiles look, are they 0 of size or do they have any data in
    >them?
    >
    >At 09:38 11-6-2001 +0000, Halldór Högnason wrote:
    >
    > >Hi
    > >
    > >No, don't see anything. My syslog shows me however that I'm definitely
    > >receiving flows
    > >from my router, i.e,
    > >
    > >Jun 11 09:40:14 halflife cfdcollect[22487]: [I] connected to localhost:2056
    > >Jun 11 09:40:22 halflife cflowd[30034]: [I] sent data to 127.0.0.1:1999
    > >Jun 11 09:40:22 halflife cfdcollect[22487]: [I] localhost has data for 1 router.
    > >Jun 11 09:40:22 halflife cfdcollect[22487]: [I] got data for router 1.2.3.4 from localhost
    > >Jun 11 09:40:22 halflife cfdcollect[22487]: [I] wrote data for router 1.2.3.4
    > >Jun 11 09:40:22 halflife cfdcollect[22487]: [I] sleeping for 291 seconds.
    > >Jún 11 09:42:07 halflife PAM_pwdb[30058]: (su) session opened for user root by halldor(uid=502)
    > >Jun 11 09:42:26 halflife flowwatch: [I] got semaphore: id 1
    > >Jun 11 09:42:26 halflife flowwatch: [I] attached to 2101248 byte packet queue at 0x40185000
    > >Jun 11 09:45:13 halflife cfdcollect[22487]: [I] awakened by alarm.
    > >Jun 11 09:45:14 halflife cfdcollect[22487]: [I] connected to localhost:2056
    > >Jun 11 09:45:24 halflife cflowd[30086]: [I] sent data to 127.0.0.1:2000
    > >Jun 11 09:45:24 halflife cfdcollect[22487]: [I] localhost has data for 1 router.
    > >Jun 11 09:45:24 halflife cfdcollect[22487]: [I] got data for router 1.2.3.4 from localhost
    > >Jun 11 09:45:24 halflife cfdcollect[22487]: [I] wrote data for router 1.2.3.4
    > >Jun 11 09:45:24 halflife cfdcollect[22487]: [I] sleeping for 289 seconds.
    > >
    > >
    > >Best regards,
    > >
    > >Halldor
    > >
    > >Halldor Karl Hognason E.E.
    > >Islandssimi hf.
    > >Borgartun 30
    > >105 Reykjavik
    > >ICELAND
    > >
    > >E-mail: halldor.hognason@islandssimi.is
    > >Tel: +354 5955016
    > >Mob: +354 820 5016
    > >Fax: +354 5955050
    > >
    > >
    > >frank hellemink <druid@helms-deep.chello.com>
    > >11.06.2001 07:58
    > >To: "Halldór Högnason" <Halldor.Hognason@islandssimi.is>, cflowd@caida.org
    > >cc:
    > >Subject: Re: cflowdmux running without errors but no data coming in
    > >
    > >Halldor,
    > >
    > >what happens when you do 'flowwatch all' in the directory where you keep
    > >your raw flowfiles? Do you see flows?
    > >
    > >Frank
    > >
    > >At 02:09 11-6-2001 +0000, Halldór Högnason wrote:
    > > >Hi
    > > >
    > > >I sent a mail last week where I stated problems I think I'm having with
    > >the
    > > >cflowdmux program.
    > > >To convince myself that the problem lies in the server I wrote a small
    >UDP
    > > >listener in Perl
    > > >and I'm definitely receiving Netflow UDP packets from my router.
    > > >
    > > >If I'm just having empty logs in my /usr/local/arts/data/cflowd/flows
    > > >directory, i.e.
    > > >
    > > >[root@halflife flows]# ls -al
    > > >total 8
    > > >drwxr-xr-x 2 root root 4096 Jun 8 01:27 .
    > > >drwxr-xr-x 4 root root 4096 Jun 8 01:37 ..
    > > >-rw-r--r-- 1 root root 1000000 Jun 8 16:29 1.2.3.4.flows.0
    > > >-rw-r--r-- 1 root root 1000000 Jun 8 16:29 1.2.3.4.flows.1
    > > >-rw-r--r-- 1 root root 1000000 Jun 8 16:29 1.2.3.4.flows.2
    > > >-rw-r--r-- 1 root root 1000000 Jun 8 16:29 1.2.3.4.flows.3
    > > >-rw-r--r-- 1 root root 1000000 Jun 8 16:29 1.2.3.4.flows.4
    > > >-rw-r--r-- 1 root root 1000000 Jun 8 16:29 1.2.3.4.flows.5
    > > >-rw-r--r-- 1 root root 1000000 Jun 8 16:29 1.2.3.4.flows.6
    > > >-rw-r--r-- 1 root root 1000000 Jun 8 16:29 1.2.3.4.flows.7
    > > >-rw-r--r-- 1 root root 1000000 Jun 8 16:29 1.2.3.4.flows.8
    > > >-rw-r--r-- 1 root root 1000000 Jun 8 16:29 1.2.3.4.flows.9
    > > >[root@halflife flows]#
    > > >
    > > >By doing f.x. cat on these files gives me nothing so they are obviously
    > > >empty as I verified.
    > > >I have seen in the mailing list archive that people have had similar
    > > >problems and nowhere
    > > >was there an obvious solution, one recommended doing make install again
    > > >which I did but
    > > >it didn't better the situation.
    > > >
    > > >I would very much appreciate help on this matter. You all probably
    > >received
    > > >my previous letter
    > > >and I changed the cflowd.conf a bit, (simplifying it and less criteria on
    > > >information, f.x. only collect flows).
    > > >
    > > >Also I include my Netflow config in the CISCO 36xx I'm trying to collect
    > > >from,
    > > >
    > > >ip flow-aggregation cache source-prefix
    > > > cache entries 1024
    > > > cache timeout inactive 300
    > > > cache timeout active 5
    > > > export destination 5.6.7.8 9992
    > > > enabled
    > > >!
    > > >
    > > >interface FastEthernet0/0
    > > > ip address 1.2.3.4 255.255.255.0
    > > > ip accounting output-packets
    > > > ip route-cache policy
    > > > ip route-cache flow
    > > > speed auto
    > > > half-duplex
    > > > no cdp enable
    > > >!
    > > >
    > > >
    > > >[root@halflife etc]# more cflowd.conf
    > > >OPTIONS {
    > > > # syslog to local6 facility.
    > > > LOGFACILITY: local6
    > > >
    > > > # Listen for connections from cfdcollect on port 2056.
    > > > TCPCOLLECTPORT: 2056
    > > >
    > > > # Use a 2 megabyte packet buffer in shared memory.
    > > > PKTBUFSIZE: 2097152
    > > >
    > > > # Use /usr/local/arts/etc/cflowdtable.socket as named stream socket
    > > > # for connections from local clients (cfdases et. al.)
    > > > TABLESOCKFILE: /usr/local/arts/etc/cflowdtable.socket
    > > >
    > > > # Keep raw flow files in /usr/local/arts/data/cflowd/flows directory.
    > > > FLOWDIR: /usr/local/arts/data/cflowd/flows
    > > >
    > > > # Each raw flow file should be 1000000 bytes in length.
    > > > FLOWFILELEN: 1000000
    > > >
    > > > # Keep 10 raw flow files per router.
    > > > NUMFLOWFILES: 10
    > > >
    > > > # Log total missed flows from a router if it exceeds 1000 between
    > > > # connections from cfdcollect.
    > > > MINLOGMISSED: 1000
    > > >}
    > > >
    > > >COLLECTOR {
    > > > HOST: 5.6.7.8 # IP address of central collector
    > > > ADDRESSES: { 5.6.7.8, localhost, 127.0.0.1 }
    > > > AUTH: none
    > > >}
    > > >
    > > >CISCOEXPORTER {
    > > > HOST: 1.2.3.4 # IP address of Cisco sending data.
    > > > ADDRESSES: { 1.2.3.4 } # Addresses of interfaces on Cisco
    > > > CFDATAPORT: 9992 # Port on which to listen for data.
    > > > SNMPCOMM: 'public' # SNMP community name.
    > > > LOCALAS: 12969 # Local AS of Cisco sending data.
    > > > COLLECT: { flows }
    > > >}
    > > >
    > > >
    > > >
    > > >
    > > >
    > > >Halldor Karl Hognason E.E.
    > > >Islandssimi hf.
    > > >Borgartun 30
    > > >105 Reykjavik
    > > >ICELAND
    > > >
    > > >E-mail: halldor.hognason@islandssimi.is
    > > >Tel: +354 5955016
    > > >Mob: +354 820 5016
    > > >Fax: +354 5955050
    > > >
    > > >
    > > >--
    > > >cflowd mailing list
    > > >cflowd@caida.org

    --
    cflowd mailing list
    cflowd@caida.org
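
An added example, not part of the original thread: a Python counterpart to the kind of UDP check Halldór describes (his Perl listener is not shown), extended to report which NetFlow version and how many records each datagram carries and whether it comes from an address listed for the exporter. It parses only the first 16 header bytes, which NetFlow v1, v5, v7 and v8 share; the function names and the sample datagrams are constructed for illustration.

```python
import socket
import struct
from collections import Counter

# Header fields shared by NetFlow v1/v5/v7/v8 exports (first 16 bytes):
# version, record count, sysUptime (ms), unix_secs, unix_nsecs.
COMMON_HEADER = struct.Struct("!HHIII")

def parse_common_header(datagram):
    """Return (version, count, sys_uptime_ms, unix_secs), or None if too short."""
    if len(datagram) < COMMON_HEADER.size:
        return None
    version, count, uptime, secs, _nsecs = COMMON_HEADER.unpack_from(datagram)
    return version, count, uptime, secs

def summarize(packets, expected_sources):
    """Tally records per (source, version); list short or unexpected datagrams.

    packets: iterable of (source_ip, datagram_bytes).
    expected_sources: addresses configured for the exporter on the collector.
    """
    seen = Counter()
    problems = []
    for src, data in packets:
        header = parse_common_header(data)
        if header is None:
            problems.append((src, "datagram shorter than a NetFlow header"))
            continue
        version, count, _uptime, _secs = header
        seen[(src, version)] += count
        if src not in expected_sources:
            problems.append((src, "source not in configured exporter addresses"))
    return seen, problems

def listen(port, expected_sources, max_packets=20):
    """Capture max_packets datagrams on the export port and summarize them."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    packets = []
    for _ in range(max_packets):
        data, (src, _sport) = sock.recvfrom(65535)
        packets.append((src, data))
    sock.close()
    return summarize(packets, expected_sources)

# Constructed sample datagrams (not captured traffic): a v5 header, a v8
# header, and a truncated datagram from an unrelated address.
SAMPLE = [
    ("1.2.3.4", struct.pack("!HHIII", 5, 2, 1000, 992252422, 0) + b"\x00" * 8),
    ("1.2.3.4", struct.pack("!HHIII", 8, 3, 2000, 992252423, 0) + b"\x00" * 12),
    ("9.9.9.9", b"\x00\x05"),
]
```

With the configuration quoted in this thread the live call would be `listen(9992, {"1.2.3.4"})`, run on the collector host while cflowdmux is stopped so the port is free to bind.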
    



    This archive was generated by hypermail 2b29 : Mon Jun 11 2001 - 05:26:33 PDT