Re: Mystery

From: Joe Loiacono (jloiacon@nastg.gsfc.nasa.gov)
Date: Thu Jun 28 2001 - 13:54:24 PDT


     From the cflowd FAQ ( http://caida.org/tools/measurement/cflowd/newfaq.xml )

    "Q: In the CISCOEXPORTER stanza, multiple IP addresses can be defined for a
    Cisco router. What is the reasoning behind this functionality? How common
    is it for a router to originate data from more than one interface in a
    typical network configuration?

    A: That depends on your version of IOS and your router configuration. In
    some versions of IOS, if you don't specify the source address to be used by
    flow-export, you'll get packets with source addresses of one of the
    interfaces on the box; for other versions of IOS you'll get packets with a
    bogus (0.0.0.0, for example) source address if you don't specify the source
    address for flow-export in your router config. I forget Cisco's exact
    logic, but suffice it to say you're best off configuring the source address
    for flow-export in your Cisco config and configuring multiple IP addresses
    in cflowd.conf to be sure."

    Make sure the CISCOEXPORTER HOST ip address in fact matches your loopback
    on MSFC. Similar for the 6509. If they don't match, I believe cflowd drops
    the packet. I don't know if this is your problem, but it has resulted in
    the same symptoms for me in the past.

    Joe

    At 12:41 PM 06/28/2001 -0700, Liger-dc wrote:
    >I have configured a catalyst 6509 switch with an MSFC2 Route Switching
    >Module to export flows to
    >cflowd.
    >
    >The NDE config for the MSFC is shown below....
    >ip flow-export source Loopback0
    >ip flow-export version 5
    >ip flow-export destination 1x6.2x1.xx.xx0 9995
    >
    >The NDE config for the C6509 is shown below....
    >set mls nde 1x6.2x1.xx.xx0 9995
    >set mls nde enable
    >
    >Here is the data from the 'sho ip flo exp' from the msfc
    >Flow export is enabled
    > Exporting flows to 1x6.2x1.xx.xx0 (9995)
    > Exporting using source interface Loopback0
    > Version 5 flow records
    > 2342413 flows exported in 34552223 udp datagrams
    > 0 flows failed due to lack of export packet
    > 1234052 export packets were sent up to process level
    > 0 export packets were dropped due to no fib
    > 0 export packets were dropped due to adjacency issues
    > 0 export packets were dropped due to fragmentation failures
    > 0 export packets were dropped due to encapsulation fixup failures
    > 0 export packets were dropped enqueuing for the RP
    > 0 export packets were dropped due to IPC rate limiting
    >
    >Here is the data from 'sho mls nde' from the 6509
    >bfs-6000x> (enable) sho mls nde
    >Netflow Data Export version: 7
    >Netflow Data Export enabled
    >Netflow Data Export configured for port 9995 on host 1x6.2x1.xx.xx0
    >Total packets exported = 34037
    >
    >For the second part, I have cflowd configured on a PIII 450, 256MB box
    >running Red Hat 7.1.
    >Here is my Cflowd.conf
    >OPTIONS {
    ># syslog to local6 facility.
    >LOGFACILITY: local6
    >
    ># Listen for connections from cfdcollect on port 2056.
    >TCPCOLLECTPORT: 9995
    >
    ># Use a 2 megabyte packet buffer in shared memory.
    >PKTBUFSIZE: 2097152
    >
    ># Use /usr/local/arts/etc/cflowdtable.socket as named stream socket
    ># for connections from local clients (cfdases et. al.)
    >TABLESOCKFILE: /usr/local/arts/etc/cflowdtable.socket
    >
    ># Keep raw flow files in /usr/local/arts/data/cflowd/flows directory.
    >FLOWDIR: /usr/local/arts/data/cflowd/flows
    >
    ># Each raw flow file should be 1000000 bytes in length.
    >FLOWFILELEN: 1000000
    >
    ># Keep 10 raw flow files per router. Default = 10
    >NUMFLOWFILES: 5
    >
    ># Log total missed flows from a router if it exceeds 1000 between
    ># connections from cfdcollect.
    >MINLOGMISSED: 10
    >}
    >
    >COLLECTOR {
    >HOST: 1x6.2x1.xx.xx0 # IP address of central collector
    >(cwsi.acns.fsu.edu)
    >ADDRESSES: { 1x6.2x1.xx.xx0 }
    >AUTH: none
    >}
    >
    ># BFS-MSFCX
    >CISCOEXPORTER {
    > HOST: 1xx.xx.xx.x
    > ADDRESSES: { 1x6.2x1.xx3.x3 1xx.1xx.x.xx54 xxx.x1.x.x 1x.xx6.xx1.xx
    > 1x.xx.x.x 1xx.xxx.xxx.x}
    > CFDATAPORT: 9995
    > SNMPCOMM: 'public'
    > LOCALAS: 2553
    > COLLECT: { protocol, portmatrix, ifmatrix, nexthop,
    > netmatrix,asmatrix, flows}
    >
    >}
    >
    ># BFS-6000X
    >CISCOEXPORTER {
    >HOST: 2x.xx.xx.x
    > ADDRESSES: { 2x.xx.xx.x }
    > CFDATAPORT: 9995
    > SNMPCOMM: 'public'
    > LOCALAS: 2553
    > COLLECT: { protocol, portmatrix, netmatrix, asmatrix, flows}
    >
    >}
    >
    >Here is my cfdcollect.conf
    >system {
    > logFacility: local6
    > dataDirectory: /usr/local/arts/data/cflowd
    > filePrefix: arts
    > pidFile: /usr/local/arts/etc/cfdcollect.pid
    >}
    >
    >cflowd {
    > host: cwsi.acns.fsu.edu
    > tcpCollectPort: 9995
    > minPollInterval: 300
    >
    >
    >
    >
    >Cflowd installed quietly and below is the 'tail /var/log/messages' after
    >beginning cflowdmux,
    >cflowd and cfdcollect respectively
    >
    >Jun 28 15:01:13 cwsi cflowdmux[6108]: [I] cflowdmux (version
    >cflowd-2-1-b1) started.
    >Jun 28 15:01:13 cwsi cflowdmux[6108]: [I] created 2101248 byte packet
    >queue shmem segment
    >{CflowdPacketQueue.cc:247}
    >Jun 28 15:01:13 cwsi cflowdmux[6108]: [I] attached to 2101248 byte packet
    >queue at 0x401cf000
    >Jun 28 15:01:13 cwsi cflowdmux[6108]: [I] created semaphore: id 32769
    >Jun 28 15:01:13 cwsi cflowdmux[6108]: [I] set UDP recv queue to 261040
    >bytes for fd 4 (port 9995)
    >Jun 28 15:01:18 cwsi cflowd[6110]: [I] cflowd (version cflowd-2-1-b1) started.
    >Jun 28 15:01:18 cwsi cflowd[6110]: [I] got semaphore: id 32769
    >Jun 28 15:01:18 cwsi cflowd[6110]: [I] attached to 2101248 byte packet
    >queue at 0x402c4000
    >Jun 28 15:01:38 cwsi cfdcollect[6112]: [I] cfdcollect (version
    >cflowd-2-1-b1) started with 1
    >cflowd instances.
    >Jun 28 15:01:39 cwsi cfdcollect[6112]: [I] connected to cwsi.acns.fsu.edu:9995
    >
    >
    >All three run fine, below is the output after they have been running for a
    >while..
    >Jun 28 15:01:38 cwsi cfdcollect[6112]: [I] cfdcollect (version
    >cflowd-2-1-b1) started with 1
    >cflowd instances.
    >Jun 28 15:01:39 cwsi cfdcollect[6112]: [I] connected to cwsi.acns.fsu.edu:9995
    >Jun 28 15:01:55 cwsi cflowd[6114]: [I] sent data to 146.201.3.30:34198
    >Jun 28 15:01:55 cwsi cfdcollect[6112]: [I] cwsi.acns.fsu.edu has data for
    >1 router.
    >Jun 28 15:01:55 cwsi cfdcollect[6112]: [I] got data for router
    >128.186.2.252 from
    >cwsi.acns.fsu.edu
    >Jun 28 15:01:55 cwsi cfdcollect[6112]: [I] wrote data for router 128.186.2.252
    >Jun 28 15:01:55 cwsi cfdcollect[6112]: [I] sleeping for 283 seconds.
    >
    >My problem is that my arts.files are empty, below
    >[root@cwsi 128.186.2.252]# ls -l
    >total 0
    >-rw-rw-r-- 1 root root 0 Jun 20 10:45 arts.20010620
    >-rw-rw-r-- 1 root root 0 Jun 20 20:00 arts.20010621
    >-rw-rw-r-- 1 root root 0 Jun 21 20:04 arts.20010622
    >-rw-rw-r-- 1 root root 0 Jun 22 20:03 arts.20010623
    >-rw-rw-r-- 1 root root 0 Jun 23 20:03 arts.20010624
    >-rw-rw-r-- 1 root root 0 Jun 24 20:03 arts.20010625
    >-rw-rw-r-- 1 root root 0 Jun 27 16:12 arts.20010627
    >-rw-rw-r-- 1 root root 0 Jun 27 20:04 arts.20010628
    >
    >My raw flows are not being updated either....
    >[root@cwsi flows]# ls -l
    >total 985
    >-rw-r--r-- 1 root root 1000000 Jun 28 15:01 128.186.2.252.flows.0
    >-rw-r--r-- 1 root root 1000000 Jun 28 15:01 128.186.2.252.flows.1
    >-rw-r--r-- 1 root root 1000000 Jun 28 15:01 128.186.2.252.flows.2
    >-rw-r--r-- 1 root root 1000000 Jun 28 15:01 128.186.2.252.flows.3
    >-rw-r--r-- 1 root root 1000000 Jun 28 15:01 128.186.2.252.flows.4
    >drwxrwxr-x 2 root root 1024 Jun 21 11:31 bin
    >drwxrwxr-x 2 root root 2048 Jun 21 11:35 graphs
    >[root@cwsi flows]#
    >
    > Doing an artsdump and flowdump give nothing. Which seems to tell me
    > that the flows are being
    >sent by the routers but are not being received by the collector.
    > I sincerely need whatever help, suggestion or advice that anyone can
    > give and will greatly
    >appreciate it.
    >
    >
    >=====
    >Edson Manners
    >Academic Computing & Networking Services
    >Florida State University
    >
    >--
    >cflowd mailing list
    >cflowd@caida.org

    --
    cflowd mailing list
    cflowd@caida.org
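The address check suggested in the reply above, as an added example that is not part of the original message or of cflowd. It assumes cflowd accepts an export packet when its source address equals a CISCOEXPORTER stanza's HOST or one of its ADDRESSES entries; the function names, the sample configuration and the list of observed sources (as would be read from a packet capture on the collector's CFDATAPORT) are constructed.

```python
import ipaddress
import re

# Constructed sample in the cflowd.conf layout quoted in this thread;
# addresses are documentation-range placeholders, not the poster's.
SAMPLE_CONF = """
CISCOEXPORTER {
  HOST: 192.0.2.1            # router loopback
  ADDRESSES: { 192.0.2.1 198.51.100.1
               198.51.100.5 }
  CFDATAPORT: 9995
}
CISCOEXPORTER {
  HOST: 192.0.2.2            # switch supervisor
  ADDRESSES: { 192.0.2.2 }
  CFDATAPORT: 9995
}
"""
# Constructed: source addresses of UDP datagrams seen arriving on port 9995.
OBSERVED = ["192.0.2.1", "198.51.100.9", "0.0.0.0", "192.0.2.2"]

def exporter_stanzas(conf):
    """Yield the body of each CISCOEXPORTER { ... } stanza, honouring nested braces."""
    text = re.sub(r"#[^\n]*", "", conf)          # drop comments first
    for m in re.finditer(r"CISCOEXPORTER\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def accepted_sources(conf):
    """Map every accepted source address to the HOST of its stanza."""
    table = {}
    for body in exporter_stanzas(conf):
        host = re.search(r"HOST:\s*(\S+)", body)
        addrs = re.search(r"ADDRESSES:\s*\{([^}]*)\}", body)
        if not host:
            continue
        for ip in [host.group(1)] + (addrs.group(1).split() if addrs else []):
            # ip_address() raises ValueError on a malformed entry in the config
            table[str(ipaddress.ip_address(ip))] = host.group(1)
    return table

def unmatched(conf, observed):
    """Return observed export sources that no stanza lists (assumed dropped)."""
    table = accepted_sources(conf)
    return sorted({s for s in observed if str(ipaddress.ip_address(s)) not in table})

if __name__ == "__main__":
    print("sources with no matching stanza:", unmatched(SAMPLE_CONF, OBSERVED))
```
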
    



    This archive was generated by hypermail 2b29 : Thu Jun 28 2001 - 14:02:56 PDT