Hi and thanks for your reply,
Maybe the CISCO is not sending the correct header to the cflowd, does cflowd/mux support Netflow v8?
As you can see in my config I'm using the source-prefix v8 header and now I'm just wondering if it's supported by cflowd?
Best regards,
Halldor
Halldor Karl Hognason E.E.
Islandssimi hf.
Borgartun 30
105 Reykjavik
ICELAND
E-mail: halldor.hognason@islandssimi.is
Tel: +354 5955016
Mob: +354 820 5016
Fax: +354 5955050
frank hellemink <druid@helms-deep.chello.com>
To: "Halldór Högnason" <Halldor.Hognason@islandssimi.is>
cc: cflowd@caida.org
Subject: Re: cflowdmux running without errors but no data coming in
11.06.2001 12:04
Hi Halldor,
I don't think your cflowdmux is working properly. You should see
something with flowwatch and flowdmp and you didn't. That would also explain
the fact that cfdcollect is writing nothing in your artsfiles. Even if it
does say in the log file that it is writing data, that doesn't mean it is. I have
seen this behavior before. Make sure that every time that you restart
cfdcollect and cflowd you also restart cflowdmux. This avoids a lot of
unexplainable problems.
I would suggest to go step by step through your router config and server
config and then restart cflowdmux, cflowd and cfdcollect (in that order).
You have probably done this already but I can't think of anything else :-(
regards,
Frank
At 10:42 11-6-2001 +0000, Halldór Högnason wrote:
>They are of size 0. I have cflowd, cflowdmux and cfdcollect running without
>any errors. Currently the arts files are of zero size ....
>
>total 8
>drwxr-xr-x 2 root root 4096 Jun 11 00:00 .
>drwxr-xr-x 4 root root 4096 Jun 8 01:37 ..
>-rw-r--r-- 1 root root 0 Jun 8 01:37 arts.20010608
>-rw-r--r-- 1 root root 0 Jun 9 00:00 arts.20010609
>-rw-r--r-- 1 root root 0 Jun 10 00:00 arts.20010610
>-rw-r--r-- 1 root root 0 Jun 11 00:00 arts.20010611
>[halldor@halflife cflowd]$
>
>and my cfdcollect config is,...,
>
>
>#---------------------------------------------------------------------------
># An example system stanza.
>#---------------------------------------------------------------------------
>system {
> logFacility: local6 # Syslog to local6 facility.
> dataDirectory: /usr/local/arts/data/cflowd
> filePrefix: arts
> pidFile: /usr/local/arts/etc/cfdcollect.pid
>}
>
>
>#---------------------------------------------------------------------------
># An example cflowd stanza for the case where cflowd is running on the
># local host.
>#---------------------------------------------------------------------------
>cflowd {
> host: localhost
> tcpCollectPort: 2056
> minPollInterval: 300
>}
>
>Kindest regards and for the help you are providing me,
>
>Halldor Karl Hognason
>
>Halldor Karl Hognason E.E.
>Islandssimi hf.
>Borgartun 30
>105 Reykjavik
>ICELAND
>
>E-mail: halldor.hognason@islandssimi.is
>Tel: +354 5955016
>Mob: +354 820 5016
>Fax: +354 5955050
>
>frank hellemink <druid@helms-deep.chello.com>
>To: "Halldór Högnason" <Halldor.Hognason@islandssimi.is>
>cc: cflowd@caida.org
>Subject: Re: cflowdmux running without errors but no data coming in
>11.06.2001 10:06
>
>how do your artsfiles look, are they 0 of size or do they have any data in
>them?
>
>At 09:38 11-6-2001 +0000, Halldór Högnason wrote:
>
> >Hi
> >
> >No, don't see anything. My syslog shows me however that I'm definitely
> >receiving flows from my router, i.e,
> >
> >Jun 11 09:40:14 halflife cfdcollect[22487]: [I] connected to localhost:2056
> >Jun 11 09:40:22 halflife cflowd[30034]: [I] sent data to 127.0.0.1:1999
> >Jun 11 09:40:22 halflife cfdcollect[22487]: [I] localhost has data for 1 router.
> >Jun 11 09:40:22 halflife cfdcollect[22487]: [I] got data for router 1.2.3.4 from localhost
> >Jun 11 09:40:22 halflife cfdcollect[22487]: [I] wrote data for router 1.2.3.4
> >Jun 11 09:40:22 halflife cfdcollect[22487]: [I] sleeping for 291 seconds.
> >Jún 11 09:42:07 halflife PAM_pwdb[30058]: (su) session opened for user root by halldor(uid=502)
> >Jun 11 09:42:26 halflife flowwatch: [I] got semaphore: id 1
> >Jun 11 09:42:26 halflife flowwatch: [I] attached to 2101248 byte packet queue at 0x40185000
> >Jun 11 09:45:13 halflife cfdcollect[22487]: [I] awakened by alarm.
> >Jun 11 09:45:14 halflife cfdcollect[22487]: [I] connected to localhost:2056
> >Jun 11 09:45:24 halflife cflowd[30086]: [I] sent data to 127.0.0.1:2000
> >Jun 11 09:45:24 halflife cfdcollect[22487]: [I] localhost has data for 1 router.
> >Jun 11 09:45:24 halflife cfdcollect[22487]: [I] got data for router 1.2.3.4 from localhost
> >Jun 11 09:45:24 halflife cfdcollect[22487]: [I] wrote data for router 1.2.3.4
> >Jun 11 09:45:24 halflife cfdcollect[22487]: [I] sleeping for 289 seconds.
> >
> >
> >Best regards,
> >
> >Halldor
> >
> >Halldor Karl Hognason E.E.
> >Islandssimi hf.
> >Borgartun 30
> >105 Reykjavik
> >ICELAND
> >
> >E-mail: halldor.hognason@islandssimi.is
> >Tel: +354 5955016
> >Mob: +354 820 5016
> >Fax: +354 5955050
> >
> >frank hellemink <druid@helms-deep.chello.com>
> >To: "Halldór Högnason" <Halldor.Hognason@islandssimi.is>, cflowd@caida.org
> >cc:
> >Subject: Re: cflowdmux running without errors but no data coming in
> >11.06.2001 07:58
> >
> >Halldor,
> >
> >what happens when you do 'flowwatch all' in the directory where you keep
> >your raw flowfiles? Do you see flows?
> >
> >Frank
> >
> >At 02:09 11-6-2001 +0000, Halldór Högnason wrote:
> > >Hi
> > >
> > >I sent a mail last week where I stated problems I think I'm having with
> > >the cflowdmux program.
> > >To convince myself that the problem lies in the server I wrote a small
> > >UDP listener in Perl and I'm definitely receiving Netflow UDP packets
> > >from my router.
> > >
> > >If I'm just having empty logs in my /usr/local/arts/data/cflowd/flows
> > >directory, i.e.
> > >
> > >[root@halflife flows]# ls -al
> > >total 8
> > >drwxr-xr-x 2 root root 4096 Jun 8 01:27 .
> > >drwxr-xr-x 4 root root 4096 Jun 8 01:37 ..
> > >-rw-r--r-- 1 root root 1000000 Jun 8 16:29 1.2.3.4.flows.0
> > >-rw-r--r-- 1 root root 1000000 Jun 8 16:29 1.2.3.4.flows.1
> > >-rw-r--r-- 1 root root 1000000 Jun 8 16:29 1.2.3.4.flows.2
> > >-rw-r--r-- 1 root root 1000000 Jun 8 16:29 1.2.3.4.flows.3
> > >-rw-r--r-- 1 root root 1000000 Jun 8 16:29 1.2.3.4.flows.4
> > >-rw-r--r-- 1 root root 1000000 Jun 8 16:29 1.2.3.4.flows.5
> > >-rw-r--r-- 1 root root 1000000 Jun 8 16:29 1.2.3.4.flows.6
> > >-rw-r--r-- 1 root root 1000000 Jun 8 16:29 1.2.3.4.flows.7
> > >-rw-r--r-- 1 root root 1000000 Jun 8 16:29 1.2.3.4.flows.8
> > >-rw-r--r-- 1 root root 1000000 Jun 8 16:29 1.2.3.4.flows.9
> > >[root@halflife flows]#
> > >
> > >By doing f.x. cat on these files gives me nothing so they are obviously
> > >empty as I verified.
> > >I have seen in the mailing list archive that people have had similar
> > >problems and nowhere was there an obvious solution, one recommended
> > >doing make install again which I did but it didn't better the situation.
> > >
> > >I would very much appreciate help on this matter. You all probably
> > >received my previous letter and I changed the cflowd.conf a bit,
> > >(simplifying it and less criteria on information, f.x. only collect flows).
> > >
> > >Also I include my Netflow config in the CISCO 36xx I'm trying to collect
> > >from,
> > >
> > >ip flow-aggregation cache source-prefix
> > > cache entries 1024
> > > cache timeout inactive 300
> > > cache timeout active 5
> > > export destination 5.6.7.8 9992
> > > enabled
> > >!
> > >
> > >interface FastEthernet0/0
> > > ip address 1.2.3.4 255.255.255.0
> > > ip accounting output-packets
> > > ip route-cache policy
> > > ip route-cache flow
> > > speed auto
> > > half-duplex
> > > no cdp enable
> > >!
> > >
> > >
> > >[root@halflife etc]# more cflowd.conf
> > >OPTIONS {
> > > # syslog to local6 facility.
> > > LOGFACILITY: local6
> > >
> > > # Listen for connections from cfdcollect on port 2056.
> > > TCPCOLLECTPORT: 2056
> > >
> > > # Use a 2 megabyte packet buffer in shared memory.
> > > PKTBUFSIZE: 2097152
> > >
> > > # Use /usr/local/arts/etc/cflowdtable.socket as named stream socket
> > > # for connections from local clients (cfdases et. al.)
> > > TABLESOCKFILE: /usr/local/arts/etc/cflowdtable.socket
> > >
> > > # Keep raw flow files in /usr/local/arts/data/cflowd/flows directory.
> > > FLOWDIR: /usr/local/arts/data/cflowd/flows
> > >
> > > # Each raw flow file should be 1000000 bytes in length.
> > > FLOWFILELEN: 1000000
> > >
> > > # Keep 10 raw flow files per router.
> > > NUMFLOWFILES: 10
> > >
> > > # Log total missed flows from a router if it exceeds 1000 between
> > > # connections from cfdcollect.
> > > MINLOGMISSED: 1000
> > >}
> > >
> > >COLLECTOR {
> > > HOST: 5.6.7.8 # IP address of central collector
> > > ADDRESSES: { 5.6.7.8, localhost, 127.0.0.1 }
> > > AUTH: none
> > >}
> > >
> > >CISCOEXPORTER {
> > > HOST: 1.2.3.4 # IP address of Cisco sending data.
> > > ADDRESSES: { 1.2.3.4 } # Addresses of interfaces on Cisco
> > > CFDATAPORT: 9992 # Port on which to listen for data.
> > > SNMPCOMM: 'public' # SNMP community name.
> > > LOCALAS: 12969 # Local AS of Cisco sending data.
> > > COLLECT: { flows }
> > >}
> > >
> > >
> > >
> > >
> > >
> > >Halldor Karl Hognason E.E.
> > >Islandssimi hf.
> > >Borgartun 30
> > >105 Reykjavik
> > >ICELAND
> > >
> > >E-mail: halldor.hognason@islandssimi.is
> > >Tel: +354 5955016
> > >Mob: +354 820 5016
> > >Fax: +354 5955050
> > >
> > >
> > >--
> > >cflowd mailing list
> > >cflowd@caida.org
This archive was generated by hypermail 2b29 : Mon Jun 11 2001 - 06:58:12 PDT
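
The question at the top of this thread, whether the router is really exporting NetFlow v8 with the source-prefix scheme, can be checked on the wire. The following is an added example, not code from any poster or from the cflowd project: it reads the export header of each datagram and reports the version and, for v8, the aggregation scheme. The function names and the sample datagram are constructed for illustration; port 9992 is the CFDATAPORT from the quoted cflowd.conf.

```python
import socket
import struct

# NetFlow v8 export header (28 bytes): version, count, sysUptime, unix_secs,
# unix_nsecs, flow_sequence, engine_type, engine_id, aggregation,
# agg_version, reserved.
V8_HEADER = struct.Struct("!HHIIIIBBBBI")
AGG_SCHEMES = {1: "as", 2: "protocol-port", 3: "source-prefix",
               4: "destination-prefix", 5: "prefix"}


def classify_export(datagram):
    """Return the header fields that tell a collector how to parse the packet."""
    if len(datagram) < 4:
        return {"error": "short datagram"}
    version, count = struct.unpack_from("!HH", datagram)
    info = {"version": version, "count": count}
    if version == 8:
        if len(datagram) < V8_HEADER.size:
            info["error"] = "truncated v8 header"
            return info
        fields = V8_HEADER.unpack_from(datagram)
        info["flow_sequence"] = fields[5]
        info["aggregation"] = AGG_SCHEMES.get(fields[8], "unknown(%d)" % fields[8])
        info["agg_version"] = fields[9]
    return info


def sample_v8_source_prefix():
    """Constructed header-only datagram: v8, aggregation scheme 3, no records."""
    return V8_HEADER.pack(8, 0, 123456, 992252422, 0, 42, 0, 0, 3, 2, 0)


def listen(port=9992, limit=10):
    """Print the classification of the next `limit` datagrams on `port`.
    Assumes nothing else (cflowdmux included) is bound to the port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    for _ in range(limit):
        data, (src, _sport) = sock.recvfrom(65535)
        print(src, classify_export(data))
    sock.close()


if __name__ == "__main__":
    print(classify_export(sample_v8_source_prefix()))
```

If the listener reports version 8 with `source-prefix` while the collector's raw flow files stay empty, the exporter side is behaving as configured and the remaining question is what export versions the collector build accepts.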