Re: UDP port not listening.. tips on what to check for and how to check

From: Martin van den Nieuwelaar (martin@gadgets.co.nz)
Date: Thu Jul 05 2001 - 23:38:05 PDT


    Hi there,

    When you say you are getting no error messages, remember that cflowd
    writes to the syslog, and as a default on your system will probably
    end up in /var/log/messages. I found it useful to do a running tail
    on that file when debugging cflowd. E.g. "tail -f /var/log/messages".

    Hmm, if you are only seeing SNMP requests and responses between the
    routers and your collector and no Netflow Exports, then it sounds like
    the fault lies with the routers, or as someone else said, with a
    firewall filtering out the packets. Of course if there is no traffic
    on your network there will not be any netflow exports either, but
    we'll assume there is some traffic. Incidentally the command line you
    have there for tcpdump is intended to display just the netflow
    exports. The port number you use (2255 in your example) is the
    destination port of the netflow exports. This value is configured on
    the routers. I'll get to that in a minute. So if, as most people do,
    you export your netflow exports on the default port (2055), use
    "tcpdump -n 'udp port 2055'". When you say you are using 2056 I am a
    little surprised as this is the default TCP port for the cfdcollect
    process to communicate with the cflowd process on. An entirely
    different thing from collection of netflow exports.

    I would check with the configuration on the routers. I think there
    may have been a slight change in the syntax going from IOS V11 to V12,
    but for V11 it's something like:

    In global configuration mode:

    ip flow-export destination <collector_ip> [UDP_port]
    ip flow-export source loopback0
      (assuming you have a loopback address - advisable IMHO)
    ip flow-export version 5 origin-as

    and for each interface you want to gather stats on:

    ip route-cache flow

    There are some commands you can use to look at the stats on the router
    itself. In EXEC mode execute:

    show ip cache flow

    This will hopefully give you some pretty, and non-zero stats. You may
    want to try this on your current router configurations just to see
    they are at least gathering the stats. Note that I haven't tried this
    to make sure, but I think it will only work if you have the "ip
    route-cache flow" command active on at least one interface.

    It might be best to look at the first part of the problem before
    getting on to your "netstat -an" issue. As the problem seems to be
    the fact that no stats are arriving at your machine I would suggest
    looking there first. Do this by checking the router configs and by
    using tcpdump. The other poster mentioned a firewall, and indeed this
    could filter out the netflow exports, so it's worth checking to see if
    there is a firewall in place that might be doing that.

    Hope this helps,

    -Martin

    PS, I have written a "bare-bones" Netflow Export collector in C if you
    (or anyone) would find it useful. It cannot solve the problem of no
    netflow exports arriving at the collector :-) but it does help
    debugging your CFLOWD configuration files. Like the time those Ciscos
    were putting unexpected source IP addresses in the stats. I spent
    hours chasing that one, and only found the problem after looking at
    the output of "tcpdump -x".

    Liger-dc wrote:
    >
    > I would like to ask the help of people who have cflowd up and running
    > on their boxes and are receiving flows. I have installed cflowd on a
    > PIII 450 RH Linux 7.1 box with 256MB and have yet to receive flows
    > even though I am currently getting no error messages. Whenever I do a
    > tcpdump the only communication that I see between my routers (7507,
    > 6509 w/ msfc) and my collector are snmp requests and responses.
    > However I was told that if I run 'tcpdump -n udp port 2255' (2056 is
    > the port that I am using to receive udp flows) I should see something
    > similar to this:
    >
    > collector# tcpdump -n udp port 2255
    > tcpdump: listening on all devices
    > 12:11:29.953100 10.0.0.1.1868 > 10.0.0.2.2255: udp 1168
    > 12:11:29.965310 10.0.0.1.1868 > 10.0.0.2.2255: udp 1168
    > 12:11:29.967780 10.0.0.1.1868 > 10.0.0.2.2255: udp 1168
    > 12:11:29.985854 10.0.0.1.1868 > 10.0.0.2.2255: udp 1168
    > 12:11:29.998673 10.0.0.1.1868 > 10.0.0.2.2255: udp 1168
    > 12:11:29.009464 10.0.0.1.1868 > 10.0.0.2.2255: udp 1168
    >
    > but I do not.
    >
    > When I do 'netstat -an' the tcp port is listening but not the udp port.
    > Is this regular or is there a problem here? Any help is appreciated.
    >
    > =====
    > Edson Manners
    > Academic Computing & Networking Services
    > Florida State University
    >
    > --
    > cflowd mailing list
    > cflowd@caida.org

    -- 
    E-Mail: martin@gadgets.co.nz
    xenaphobia: The fear of being beaten to a pulp by
    a leather-clad, New Zealand woman
    --
    cflowd mailing list
    cflowd@caida.org
    



    This archive was generated by hypermail 2b29 : Thu Jul 05 2001 - 13:54:48 PDT