RE: No Flows collected

From: Liger-dc (liger_dc@yahoo.com)
Date: Fri Jun 22 2001 - 06:07:16 PDT

    In doing a tcpdump on the collector I came across something that was interesting...

    08:44:26.237231 eth0 > this.is.collector.32788 > this.is.router.fsu.edu.snmp: udp 46 (DF)
    08:44:26.237231 eth0 < this.is.router.fsu.edu.snmp > cthis.is.collector.edu.32788: udp 47
    08:44:26.237231 eth0 > this.is.collector.fsu.edu > this.is.router.fsu.edu: icmp:
    this.is.router.edu udp port 32788 unreachable (DF) [tos 0xc0]

    I interpret this as saying that the collector can't get access to certain udp packets on the
    router, so I logged on to the router and did a 'show flows' and this basically had an exported udp
    packet count of zero. Is it safe to assume that my problem resides on the router seeing that it is
    not exporting flows??

    Edson Manners
    Academic Computing & Networking Services
    Florida State University

    --- Brett Rees <reesb@powertel.com.au> wrote:
    > Edson,
    >
    > Use tcpdump or suchlike and watch for UDP packets on that interface. If the
    > box has little other traffic then you should be able to see the packet
    > counters increasing in relation to the flows in a netstat -ai.
    >
    > There is also a 'show flows' command or suchlike on the cisco. There are
    > counters that you can see incrementing.
    >
    > As netflows are generated on ingress to the router in the initial stages you
    > want to enable netflows on all of your router interfaces - otherwise things
    > will seem weird.
    >
    > Cheers
    > Brett
    >
    >
    > > Brett Rees
    > Technical Specialist - ISSG
    > > POWERTEL Limited
    > > Level 11, 55 Clarence Street, SYDNEY
    > > Phone: 61-2-8264-4666
    > > Fax: 61-2-8264-4555
    > > Mobile: 61-414-678882
    > > mailto:reesb@powertel.com.au
    > >
    > >
    > >
    > > -----Original Message-----
    > > From: Liger-dc [SMTP:liger_dc@yahoo.com]
    > > Sent: Friday, June 22, 2001 5:20 AM
    > > To: cflowd@caida.org
    > > Subject: No Flows collected
    > >
    > > I have cflowdmux, cflowd (patched for Flowscan) and cfdcollect running
    > > error free. But the
    > > generated flows are all empty.
    > >
    > >
    > > -rw-r--r-- 1 root root 1000000 Jun 20 16:38
    > > xxx.xxx.xxx.13.flows.8
    > > -rw-r--r-- 1 root root 1000000 Jun 20 16:38
    > > xxx.xxx.xxx.13.flows.9
    > > drwxrwxr-x 2 root root 1024 Jun 21 11:31 bin
    > > -rw-r--r-- 1 root root 0 Jun 21 14:30
    > > flows.20010621_14:35:52-0400
    > > -rw-r--r-- 1 root root 0 Jun 21 14:35
    > > flows.20010621_14:40:53-0400
    > > -rw-r--r-- 1 root root 0 Jun 21 14:40
    > > flows.20010621_14:45:55-0400
    > > -rw-r--r-- 1 root root 0 Jun 21 14:45
    > > flows.20010621_14:50:56-0400
    > > -rw-r--r-- 1 root root 0 Jun 21 14:50
    > > flows.20010621_14:55:58-0400
    > > -rw-r--r-- 1 root root 0 Jun 21 14:55
    > > flows.20010621_15:00:59-0400
    > > -rw-r--r-- 1 root root 0 Jun 21 15:00 flows.current
    > > drwxrwxr-x 2 root root 2048 Jun 21 11:35 graphs
    > >
    > > As mentioned in the archives by people who were experiencing similar
    > > problems, I have not seen a
    > > definite answer. I am receiving flows from a Cisco msfc and a 6509. They
    > > are being exported to a
    > > computer running RH 7.1. I have not gotten any errors.
    > >
    > > Jun 21 15:09:22 xxxx cfdcollect[9881]: [I] connected to
    > > xxxx.xxxx.xxx.edu:9995
    > > Jun 21 15:10:00 xxxx CROND[15100]: (root) CMD ( /sbin/rmmod -as)
    > > Jun 21 15:10:00 xxxx CROND[15101]: (root) CMD ( /sbin/rmmod -as)
    > > Jun 21 15:10:00 xxxx cflowd[15097]: [I] sent data to xxx.xxx.x.xx:33459
    > > Jun 21 15:10:00 xxxx cfdcollect[9881]: [I] xxxx.xxxx.xxx.edu has data for
    > > 2 routers.
    > > Jun 21 15:10:00 xxxx cfdcollect[9881]: [I] got data for router
    > > xxx.xxx.xxx.13 from
    > > xxxx.xxxx.xxx.edu
    > > Jun 21 15:10:00 xxxx cfdcollect[9881]: [I] wrote data for router
    > > xxx.xxx.xxx.13
    > > Jun 21 15:10:00 xxxx cfdcollect[9881]: [I] got data for router
    > > xxx.xxx.x.252 from
    > > xxxx.xxxx.xxx.edu
    > > Jun 21 15:10:00 xxxx cfdcollect[9881]: [I] wrote data for router
    > > xxx.xxx.x.252
    > > Jun 21 15:10:00 xxxx cfdcollect[9881]: [I] sleeping for 261 seconds
    > >
    > > How can I make sure that my Ciscos are properly configured for Netflow,
    > > and if yes, How can I
    > > check to see if the cisco is in fact sending the flows to the collector?
    > >
    > > Any help is greatly appreciated.
    > >
    > > Edson Manners
    > > Academic Computing & Networking Services
    > > Florida State University
    > >
    > > --
    > > cflowd mailing list
    > > cflowd@caida.org
    >
    >

    --
    cflowd mailing list
    cflowd@caida.org
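
One way to answer the question raised in this thread (is the router actually sending flow exports to the collector?) is to count export datagrams per source and check their headers. This is an added example, not part of the original messages or of cflowd; it assumes the routers export NetFlow version 5, and the `listen()` port argument, the addresses and the sample datagrams are constructed for illustration.

```python
import socket, struct, time
from collections import defaultdict

V5_HEADER = struct.Struct("!HHIIIIBBH")   # 24-byte NetFlow v5 export header
V5_RECORD_LEN = 48                        # each v5 flow record is 48 bytes

def parse_v5_header(payload):
    """Return header fields, or raise ValueError if not a well-formed v5 datagram."""
    if len(payload) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    ver, count, _up, secs, _ns, seq, etype, eid, _samp = V5_HEADER.unpack_from(payload)
    if ver != 5:
        raise ValueError("not NetFlow v5 (version field %d)" % ver)
    if not 1 <= count <= 30 or len(payload) != V5_HEADER.size + count * V5_RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    return {"count": count, "flow_sequence": seq, "unix_secs": secs, "engine": (etype, eid)}

def tally(datagrams):
    """datagrams: iterable of (source_ip, payload). Returns per-exporter counters."""
    stats = defaultdict(lambda: {"datagrams": 0, "flows": 0, "lost": 0, "rejected": 0})
    expected = {}                          # next flow_sequence per (source, engine)
    for src, payload in datagrams:
        try:
            hdr = parse_v5_header(payload)
        except ValueError:
            stats[src]["rejected"] += 1
            continue
        key = (src, hdr["engine"])
        stats[src]["datagrams"] += 1
        stats[src]["flows"] += hdr["count"]
        if key in expected and hdr["flow_sequence"] > expected[key]:
            stats[src]["lost"] += hdr["flow_sequence"] - expected[key]
        expected[key] = hdr["flow_sequence"] + hdr["count"]
    return {src: dict(c) for src, c in stats.items()}

def listen(port, seconds=60.0):
    """Collect UDP datagrams on `port` (assumed export port) and tally them."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    sock.settimeout(1.0)
    seen, deadline = [], time.monotonic() + seconds
    while time.monotonic() < deadline:
        try:
            payload, (src, _sport) = sock.recvfrom(65535)
            seen.append((src, payload))
        except socket.timeout:
            pass
    sock.close()
    return tally(seen)

def make_v5(count, seq):                   # builds a constructed sample datagram
    return V5_HEADER.pack(5, count, 0, 993218400, 0, seq, 0, 0, 0) + bytes(count * V5_RECORD_LEN)

SAMPLE = [("192.0.2.13", make_v5(30, 0)), ("192.0.2.13", make_v5(30, 30)),
          ("192.0.2.13", make_v5(10, 90)),   # sequence jumps by 30: flows were dropped
          ("192.0.2.252", b"\x00\x01junk")]  # reaches the port but is not an export
```

An exporter that never appears in the result is sending nothing to this host and port; `listen()` needs the port to be free, so it cannot run while another process is bound to it.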
    



    This archive was generated by hypermail 2b29 : Fri Jun 22 2001 - 06:21:52 PDT