RE: cfdcollect working?....or

From: Andrew Fort (afort@staff.webcentral.com.au)
Date: Mon Jun 25 2001 - 21:56:59 PDT


    Michael, you're mixing up the tools available for analysis and collection (I
    think most of us did this when starting out with cflowd and related tools
    :).

    flowdump is a binary executable used to debug what is arriving from the
    cflowdmux process. It attaches to the shared memory buffer offered by the
    cflowdmux (in the same fashion that cflowd does). It doesn't analyse the
    raw flow files. You'll notice perl is complaining about the content of
    flowdump - fair enough considering it's a binary :-)

    flowdumper is a perl script written by Dave Plonka, used to analyse the raw
    dump files that a specially patched version of cflowd generates. His
    patches to cflowd (along with his other useful flow analysis software) are
    available from his homepage http://net.doit.wisc.edu/~plonka/ . It has no
    function with the standard cflowd distribution.

    If you wish to analyse the flow dump files that your cfdcollect has dumped,
    you can use the arts* binaries that are built with the arts++ libraries.

    It looks like you're starting out with your netflow analysis. Depending on
    your application, the cflowd system may not be what you're exactly after -
    especially if you want very fine grained analysis of a small amount of data,
    rather than aggregation of large amounts of data flowing through a backbone
    exchange point, say.

    If you're interested, contact me off list at this address and I can point
    you towards some other software I've found very useful in doing our netflow
    analysis (for full datacentre and remote office analysis).

    >So it appears as if data is being dumped, but when I run
    >flowdump/flowdumper, i get...
    >
    >vagabond:/usr/local/arts/data/cflowd/flows# perl flowdumper -v
    >xxx.xxx.xxx.xxx/arts.20010626
    >xxx.xxx.xxx.xxx/arts.20010626: Invalid index in cflowd flow file:
    >0xDFB00000! Version 5 flow-export is required with *all*
    >fields being saved.
    >e.g. COLLECT: { flows }
    >vagabond:/usr/local/arts/data/cflowd/flows# perl flowdump
    >xxx.xxx.xxx.xxx/arts.20010626
    >Unrecognized character \177 at flowdump line 1.
    >You have new mail in /var/spool/mail/root
    >vagabond:/usr/local/arts/data/cflowd/flows
    >
    >My cflowd.conf file contains ->
    >
    >CISCOEXPORTER {
    > HOST: xxx.xxx.xxx.xxx            # IP address of Cisco sending data.
    > ADDRESSES: { xxx.xxx.xxx.xxx }   # Addresses of interfaces on Cisco sending data.
    > CFDATAPORT: 2056                 # Port on which to listen for data.
    > SNMPCOMM: 'public'               # SNMP community name.
    > COLLECT: { flows, protocol }

    --
    andrew fort
    --
    cflowd mailing list
    cflowd@caida.org
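The error Michael quotes insists on version 5 flow-export. As an added example (not code from this thread or from the cflowd/arts++ projects), here is a Python decoder for the NetFlow v5 export datagram a Cisco sends to the CFDATAPORT; it rejects other export versions and truncated datagrams before interpreting any record, and the datagram it parses is constructed inline rather than captured.

```python
import socket
import struct

# NetFlow v5 export datagram, the format a Cisco sends to cflowdmux's CFDATAPORT:
# a 24-byte header followed by `count` fixed 48-byte flow records, all big-endian.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
HEADER_FIELDS = ("version", "count", "sysuptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling_interval")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts",
                 "dOctets", "first", "last", "srcport", "dstport", "pad1",
                 "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")


def parse_v5_datagram(data):
    """Decode one export datagram; reject anything that is not well-formed v5."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    header = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(data)))
    if header["version"] != 5:
        raise ValueError("Version 5 flow-export is required, got v%d" % header["version"])
    expected = V5_HEADER.size + header["count"] * V5_RECORD.size
    if len(data) != expected:  # a truncated datagram would otherwise decode into garbage records
        raise ValueError("count=%d implies %d bytes, got %d" % (header["count"], expected, len(data)))
    records = []
    for i in range(header["count"]):
        offset = V5_HEADER.size + i * V5_RECORD.size
        rec = dict(zip(RECORD_FIELDS, V5_RECORD.unpack_from(data, offset)))
        for key in ("srcaddr", "dstaddr", "nexthop"):  # raw 4-byte fields -> dotted quad
            rec[key] = socket.inet_ntoa(rec[key])
        records.append(rec)
    return header, records


def build_sample_datagram(version=5):
    """Constructed sample (not captured traffic): one TCP flow 10.0.0.1:40000 -> 192.0.2.10:80."""
    header = V5_HEADER.pack(version, 1, 123456, 993512400, 0, 42, 0, 0, 0)
    record = V5_RECORD.pack(socket.inet_aton("10.0.0.1"), socket.inet_aton("192.0.2.10"),
                            socket.inet_aton("0.0.0.0"), 1, 2, 10, 1500, 120000, 123000,
                            40000, 80, 0, 0x18, 6, 0, 64512, 64513, 24, 24, 0)
    return header + record


if __name__ == "__main__":
    hdr, flows = parse_v5_datagram(build_sample_datagram())
    for f in flows:
        print("%s:%d -> %s:%d proto=%d pkts=%d bytes=%d" % (
            f["srcaddr"], f["srcport"], f["dstaddr"], f["dstport"],
            f["prot"], f["dPkts"], f["dOctets"]))
```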
    
    This archive was generated by hypermail 2b29 : Mon Jun 25 2001 - 22:08:30 PDT