cflowd missing/ignoring oc-48 interface?

From: Shane Foster (sfoster@microsoft.com)
Date: Fri Jun 29 2001 - 15:56:32 PDT

  • Next message: Hing.Lung.Motor.Mfy,: "DC AC MOTOR SALE"

     
     
    I've got cflowd configured and running. Everything
    looks fine. There is one gsr exporting sampled netflow to the system.

    However, it looks like traffic with the oc-48 as the input
    interface is not being saved in the flow files.
    If I enable netflow on my gigabit links, I get flow
    files (mostly showing icmp & ospf packets)
     
    Tcpdump running on the cflowd system shows packets coming
    in, but the flow files are zero length when exporting
    from the oc-48 interface.
     
    Code on the router is 12.0.17S, fabric microcode is current,
    and we've seen data exported from this router & oc-48 card with other
    software packages.
     
    I'd really appreciate any help. To me, it looks like
    the cflowd system is just dropping flows associated with
    ifindex 6. Any thoughts would be appreciated.
     
    Thanks,
        Shane Foster
     
     
    [cflow@localhost etc]$ ps -ef |grep cflowd
    cflow 1288 1 0 Jun27 ? 00:00:00 ./cflowdmux
    cflow 1325 1 0 Jun27 ? 00:00:00 ./cflowd -s 300 -O 0 -m
     
    cflowd.conf contents...

    OPTIONS {
      # syslog to local6 facility.
      LOGFACILITY: local6
      TCPCOLLECTPORT: 2056
      PKTBUFSIZE: 2097152
      TABLESOCKFILE: /usr/local/arts/etc/cflowdtable.socket
      FLOWDIR: /data/flows
      FLOWFILELEN: 1000000
      NUMFLOWFILES: 20
     
      MINLOGMISSED: 1000
    }

    COLLECTOR {
      HOST: 192.168.101.100
      ADDRESSES: { 192.168.5.1 }
      AUTH: none
    }
    CISCOEXPORTER {
      HOST: 192.168.5.1 # IP address of Cisco sending
    data.
      ADDRESSES: { 192.168.6.5, # pos4/0
                      192.168.2.1, # gig1/0
                      192.168.3.1 } # gig2/0
      CFDATAPORT: 2055 # Port on which to listen for data.
      SNMPCOMM: 'public' # SNMP community name.
      LOCALAS: 65000 # Local AS of Cisco sending data.
      COLLECT: { protocol, portmatrix, ifmatrix, nexthop, netmatrix,
                      asmatrix, tos, flows }
    }
     
     
     
     
     
     

    Here is the tcpdump...
    13:20:43.979881 192.168.5.1.53001 > 192.168.101.100.2055: udp 72 (ttl
    254, id 208, len 100)
    13:28:14.369881 192.168.5.1.53001 > 192.168.101.100.2055: udp 72 (ttl
    254, id 209, len 100)
    13:40:16.389881 192.168.5.1.53001 > 192.168.101.100.2055: udp 72 (ttl
    254, id 210, len 100)
    13:45:27.679881 192.168.5.1.53001 > 192.168.101.100.2055: udp 72 (ttl
    254, id 211, len 100)
    13:49:39.169881 192.168.5.1.53001 > 192.168.101.100.2055: udp 72 (ttl
    254, id 212, len 100)
    13:55:46.449881 192.168.5.1.53001 > 192.168.101.100.2055: udp 72 (ttl
    254, id 213, len 100)
    14:02:58.919881 192.168.5.1.53001 > 192.168.101.100.2055: udp 72 (ttl
    254, id 214, len 100)
    14:07:39.199881 192.168.5.1.53001 > 192.168.101.100.2055: udp 72 (ttl
    254, id 215, len 100)
    14:14:06.859881 192.168.5.1.53001 > 192.168.101.100.2055: udp 72 (ttl
    254, id 216, len 100)
    14:22:01.509881 192.168.5.1.53001 > 192.168.101.100.2055: udp 72 (ttl
    254, id 217, len 100)
    14:26:43.909881 192.168.5.1.53001 > 192.168.101.100.2055: udp 72 (ttl
    254, id 218, len 100)
    14:33:56.269881 192.168.5.1.53001 > 192.168.101.100.2055: udp 72 (ttl
    254, id 219, len 100)
    14:40:06.269881 192.168.5.1.53001 > 192.168.101.100.2055: udp 72 (ttl
    254, id 220, len 100)
    14:47:38.169881 192.168.5.1.53001 > 192.168.101.100.2055: udp 72 (ttl
    254, id 221, len 100)
    14:52:43.439881 192.168.5.1.53001 > 192.168.101.100.2055: udp 72 (ttl
    254, id 222, len 100)
    15:00:42.409881 192.168.5.1.53001 > 192.168.101.100.2055: udp 72 (ttl
    254, id 223, len 100)
    15:06:56.729881 192.168.5.1.53001 > 192.168.101.100.2055: udp 72 (ttl
    254, id 224, len 100)
    15:16:04.129881 192.168.5.1.53001 > 192.168.101.100.2055: udp 72 (ttl
    254, id 225, len 100)
    15:22:11.459881 192.168.5.1.53001 > 192.168.101.100.2055: udp 72 (ttl
    254, id 226, len 100)

     
     
    Here are the zero length flow files for the intervals..
     
     
    -rw-r--r-- 1 cflow cflow 0 Jun 29 13:18
    flows.20010629_13:23:33-0700
    -rw-r--r-- 1 cflow cflow 0 Jun 29 13:23
    flows.20010629_13:28:34-0700
    -rw-r--r-- 1 cflow cflow 0 Jun 29 13:28
    flows.20010629_13:33:36-0700
    -rw-r--r-- 1 cflow cflow 0 Jun 29 13:33
    flows.20010629_13:38:38-0700
    -rw-r--r-- 1 cflow cflow 0 Jun 29 13:38
    flows.20010629_13:43:40-0700
    -rw-r--r-- 1 cflow cflow 0 Jun 29 13:43
    flows.20010629_13:48:41-0700
    -rw-r--r-- 1 cflow cflow 0 Jun 29 13:48
    flows.20010629_13:53:43-0700
    -rw-r--r-- 1 cflow cflow 0 Jun 29 13:53
    flows.20010629_13:58:44-0700
    -rw-r--r-- 1 cflow cflow 0 Jun 29 13:58
    flows.20010629_14:03:46-0700
    -rw-r--r-- 1 cflow cflow 0 Jun 29 14:03
    flows.20010629_14:08:47-0700
    -rw-r--r-- 1 cflow cflow 0 Jun 29 14:08
    flows.20010629_14:13:49-0700
    -rw-r--r-- 1 cflow cflow 0 Jun 29 14:13
    flows.20010629_14:18:50-0700
    -rw-r--r-- 1 cflow cflow 0 Jun 29 14:18
    flows.20010629_14:23:51-0700
    -rw-r--r-- 1 cflow cflow 0 Jun 29 14:23
    flows.20010629_14:28:53-0700
    -rw-r--r-- 1 cflow cflow 0 Jun 29 14:28
    flows.20010629_14:33:55-0700
    -rw-r--r-- 1 cflow cflow 0 Jun 29 14:33
    flows.20010629_14:38:56-0700
    -rw-r--r-- 1 cflow cflow 0 Jun 29 14:38
    flows.20010629_14:43:58-0700
    -rw-r--r-- 1 cflow cflow 0 Jun 29 14:43
    flows.20010629_14:49:00-0700
    -rw-r--r-- 1 cflow cflow 0 Jun 29 14:49
    flows.20010629_14:54:01-0700
    -rw-r--r-- 1 cflow cflow 0 Jun 29 14:54
    flows.20010629_14:59:03-0700
    -rw-r--r-- 1 cflow cflow 0 Jun 29 14:59
    flows.20010629_15:04:04-0700
    -rw-r--r-- 1 cflow cflow 0 Jun 29 15:04
    flows.20010629_15:09:06-0700
    -rw-r--r-- 1 cflow cflow 0 Jun 29 15:09
    flows.20010629_15:14:08-0700
    -rw-r--r-- 1 cflow cflow 0 Jun 29 15:14
    flows.20010629_15:19:10-0700
    -rw-r--r-- 1 cflow cflow 0 Jun 29 15:19
    flows.20010629_15:24:11-0700
    -rw-r--r-- 1 cflow cflow 0 Jun 29 15:24
    flows.20010629_15:29:13-0700

     
     
    Here are some flow files when I had netflow enabled on all interfaces.
     
    -rw-r--r-- 1 cflow cflow 3795 Jun 29 11:17
    flows.20010629_11:17:49-0700
    -rw-r--r-- 1 cflow cflow 4510 Jun 29 11:22
    flows.20010629_11:22:51-0700
    -rw-r--r-- 1 cflow cflow 4785 Jun 29 11:27
    flows.20010629_11:27:53-0700
    -rw-r--r-- 1 cflow cflow 3685 Jun 29 11:32
    flows.20010629_11:32:57-0700
    -rw-r--r-- 1 cflow cflow 1980 Jun 29 11:37
    flows.20010629_11:37:59-0700
    -rw-r--r-- 1 cflow cflow 880 Jun 29 11:42
    flows.20010629_11:43:01-0700
    -rw-r--r-- 1 cflow cflow 825 Jun 29 11:47
    flows.20010629_11:48:02-0700
    -rw-r--r-- 1 cflow cflow 1210 Jun 29 11:53
    flows.20010629_11:53:04-0700
    -rw-r--r-- 1 cflow cflow 880 Jun 29 11:57
    flows.20010629_11:58:06-0700

    The decoded text shows icmp echo-reply ingressing a gig int, and
    egressing the oc-48.
    The corresponding echo-requests ingressing the oc-48 never show up.
     
      

    --
    cflowd mailing list
    cflowd@caida.org
    



    This archive was generated by hypermail 2b29 : Fri Jun 29 2001 - 16:09:21 PDT