RE: No Flows collected

From: Brett Rees (reesb@powertel.com.au)
Date: Sun Jun 24 2001 - 16:55:43 PDT

  • Next message: Brett Rees: "RE: how to extract ip data from arts file written by cfdcollect?"

    Yes, if there are no flows being exported from the router then you won't
    reeceive anything at the collector. The FAQs etc detail how to enable the
    flows. You probably want to enable the flows in peer-AS mode.

    Regards
    Brett

    > Brett Rees
    Technical Specialist - ISSG
    > POWERTEL Limited
    > Level 11, 55 Clarence Street, SYDNEY
    > Phone: 61-2-8264-4666
    > Fax: 61-2-8264-4555
    > Mobile: 61-414-678882
    > mailto:reesb@powertel.com.au
    >
    >
    >
    > -----Original Message-----
    > From: Liger-dc [SMTP:liger_dc@yahoo.com]
    > Sent: Friday, June 22, 2001 11:07 PM
    > To: Brett Rees
    > Cc: cflowd@caida.org
    > Subject: RE: No Flows collected
    >
    > In doing a tcpdump on the collector I came across something that was
    > interesting...
    >
    > 08:44:26.237231 eth0 > this.is.collector.32788 >
    > this.is.router.fsu.edu.snmp: udp 46 (DF)
    > 08:44:26.237231 eth0 < this.is.router.fsu.edu.snmp >
    > cthis.is.collector.edu.32788: udp 47
    > 08:44:26.237231 eth0 > this.is.collector.fsu.edu > this.is.router.fsu.edu:
    > icmp:
    > this.is.router.edu udp port 32788 unreachable (DF) [tos 0xc0]
    >
    > I interpret this as syaing that the collector cant get access to certain
    > udp packets ont the
    > router, so I logged on to the rouer and did a 'show flows' and this
    > basically had an exported upd
    > packet count of zero. Is it safe to assume that my problem resides on the
    > router seeing that it is
    > not exporting flows??
    >
    > Edson Manners
    > Academic Computing & Networking Services
    > Florida State University
    >
    >
    > --- Brett Rees <reesb@powertel.com.au> wrote:
    > > Edson,
    > >
    > > Use tcpdump or suchlike and watch for UDP packets on that interface. If
    > the
    > > box has little other traffic then you should be able to see the packet
    > > counters increasing in relation to the flows in a netstat -ai.
    > >
    > > There is also a 'show flows' command or suchlike on the cisco. There are
    > > counters that you can see incrementing.
    > >
    > > As netflows are generated on ingres to the router in the initial stages
    > you
    > > want to enable netflows on all of your router interfaces - otherwise
    > thinsg
    > > will seem weird.
    > >
    > > Cheers
    > > Brett
    > >
    > >
    > > > Brett Rees
    > > Technical Specialist - ISSG
    > > > POWERTEL Limited
    > > > Level 11, 55 Clarence Street, SYDNEY
    > > > Phone: 61-2-8264-4666
    > > > Fax: 61-2-8264-4555
    > > > Mobile: 61-414-678882
    > > > mailto:reesb@powertel.com.au
    > > >
    > > >
    > > >
    > > > -----Original Message-----
    > > > From: Liger-dc [SMTP:liger_dc@yahoo.com]
    > > > Sent: Friday, June 22, 2001 5:20 AM
    > > > To: cflowd@caida.org
    > > > Subject: No Flows collected
    > > >
    > > > I have cflowdmux, cflowd (patched for Flowscan) and cfdcollect running
    > > > error free. But the
    > > > generated flows are all empty.
    > > >
    > > >
    > > > -rw-r--r-- 1 root root 1000000 Jun 20 16:38
    > > > xxx.xxx.xxx.13.flows.8
    > > > -rw-r--r-- 1 root root 1000000 Jun 20 16:38
    > > > xxx.xxx.xxx.13.flows.9
    > > > drwxrwxr-x 2 root root 1024 Jun 21 11:31 bin
    > > > -rw-r--r-- 1 root root 0 Jun 21 14:30
    > > > flows.20010621_14:35:52-0400
    > > > -rw-r--r-- 1 root root 0 Jun 21 14:35
    > > > flows.20010621_14:40:53-0400
    > > > -rw-r--r-- 1 root root 0 Jun 21 14:40
    > > > flows.20010621_14:45:55-0400
    > > > -rw-r--r-- 1 root root 0 Jun 21 14:45
    > > > flows.20010621_14:50:56-0400
    > > > -rw-r--r-- 1 root root 0 Jun 21 14:50
    > > > flows.20010621_14:55:58-0400
    > > > -rw-r--r-- 1 root root 0 Jun 21 14:55
    > > > flows.20010621_15:00:59-0400
    > > > -rw-r--r-- 1 root root 0 Jun 21 15:00 flows.current
    > > > drwxrwxr-x 2 root root 2048 Jun 21 11:35 graphs
    > > >
    > > > As mentioned in the archives by people who were experiencing similar
    > > > problems, I have not seen a
    > > > definite answer. I am recieving flows from a Cisco msfc and a 6509.
    > They
    > > > are being exported to a
    > > > computer running RH 7.1. I have not gotten any errors.
    > > >
    > > > Jun 21 15:09:22 xxxx cfdcollect[9881]: [I] connected to
    > > > xxxx.xxxx.xxx.edu:9995
    > > > Jun 21 15:10:00 xxxx CROND[15100]: (root) CMD ( /sbin/rmmod -as)
    > > > Jun 21 15:10:00 xxxx CROND[15101]: (root) CMD ( /sbin/rmmod -as)
    > > > Jun 21 15:10:00 xxxx cflowd[15097]: [I] sent data to
    > xxx.xxx.x.xx:33459
    > > > Jun 21 15:10:00 xxxx cfdcollect[9881]: [I] xxxx.xxxx.xxx.edu has data
    > for
    > > > 2 routers.
    > > > Jun 21 15:10:00 xxxx cfdcollect[9881]: [I] got data for router
    > > > xxx.xxx.xxx.13 from
    > > > xxxx.xxxx.xxx.edu
    > > > Jun 21 15:10:00 xxxx cfdcollect[9881]: [I] wrote data for router
    > > > xxx.xxx.xxx.13
    > > > Jun 21 15:10:00 xxxx cfdcollect[9881]: [I] got data for router
    > > > xxx.xxx.x.252 from
    > > > xxxx.xxxx.xxx.edu
    > > > Jun 21 15:10:00 xxxx cfdcollect[9881]: [I] wrote data for router
    > > > xxx.xxx.x.252
    > > > Jun 21 15:10:00 xxxx cfdcollect[9881]: [I] sleeping for 261 seconds
    > > >
    > > > How can I make sure that my Ciscos are properly configured for
    > Netflow,
    > > > and if yes, How can I
    > > > check to see if the cisco is in fact sending the flows to the
    > collector?
    > > >
    > > > Any help is greatly appreciated.
    > > >
    > > > Edson Manners
    > > > Academic Computing & Networking Services
    > > > Florida State University
    > > >
    > > > __________________________________________________
    > > > Do You Yahoo!?
    > > > Get personalized email addresses from Yahoo! Mail
    > > > http://personal.mail.yahoo.com/
    > > > --
    > > > cflowd mailing list
    > > > cflowd@caida.org
    > >
    > >
    > > **********************************************************************
    > > This email (including all attachments) is intended solely for the named
    > > addressee. It is confidential and may contain commercially sensitive
    > > information. If you receive it in error, please let us know by reply
    > email,
    > > delete it from your system and destroy any copies.
    > >
    > > This email is also subject to copyright. No part of it should be
    > reproduced,
    > > adapted or transmitted without the prior written consent of the
    > copyright owner.
    > >
    > > Emails may be interfered with, may contain computer viruses or other
    > defects
    > > and may not be successfully replicated on other systems. We give no
    > > warranties in relation to these matters. If you have any doubts about
    > > the authenticity of an email purportedly sent by us, please contact us
    > > immediately.
    > >
    > > **********************************************************************
    >
    >
    > __________________________________________________
    > Do You Yahoo!?
    > Get personalized email addresses from Yahoo! Mail
    > http://personal.mail.yahoo.com/
    > --
    > cflowd mailing list
    > cflowd@caida.org

    **********************************************************************
    This email (including all attachments) is intended solely for the named
    addressee. It is confidential and may contain commercially sensitive
    information. If you receive it in error, please let us know by reply email,
    delete it from your system and destroy any copies.

    This email is also subject to copyright. No part of it should be reproduced,
    adapted or transmitted without the prior written consent of the copyright owner.

    Emails may be interfered with, may contain computer viruses or other defects
    and may not be successfully replicated on other systems. We give no
    warranties in relation to these matters. If you have any doubts about
    the authenticity of an email purportedly sent by us, please contact us
    immediately.

    **********************************************************************

    --
    cflowd mailing list
    cflowd@caida.org
    



    This archive was generated by hypermail 2b29 : Sun Jun 24 2001 - 17:05:55 PDT