Hi there,
When you say you are getting no error messages, remember that cflowd
writes to the syslog, and as a default on your system will probably
end up in /var/log/messages. I found it useful to do a running tail
on that file when debugging cflowd. E.g. "tail -f /var/log/messages".
Hmm, if you are only seeing SNMP requests and responses between the
routers and your collector and no Netflow Exports, then it sounds like
the fault lies with the routers, or as someone else said, with a
firewall filtering out the packets. Of course if there is no traffic
on your network there will not be any netflow exports either, but
we'll assume there is some traffic. Incidentally the command line you
have there for tcpdump is intended to display just the netflow
exports. The port number you use (2255 in your example) is the
destination port of the netflow exports. This value is configured on
the routers. I'll get to that in a minute. So if, as most people do,
you export your netflow exports on the default port (2055), use
"tcpdump -n 'udp port 2055'". When you say you are using 2056 I am a
little surprised as this is the default TCP port for the cfdcollect
process to communicate with the cflowd process on. An entirely
different thing from collection of netflow exports.
I would check with the configuration on the routers. I think there
may have been a slight change in the syntax going from IOS V11 to V12,
but for V11 it's something like:

In global configuration mode:

    ip flow-export destination <collector_ip> [UDP_port]
    ip flow-export source loopback0    (assuming you have a loopback address - advisable IMHO)
    ip flow-export version 5 origin-as

and for each interface you want to gather stats on:

    ip route-cache flow

There are some commands you can use to look at the stats on the router
itself. In EXEC mode execute:

    show ip cache flow

This will hopefully give you some pretty, and non-zero stats. You may
want to try this on your current router configurations just to see
they are at least gathering the stats. Note that I haven't tried this
to make sure, but I think it will only work if you have the "ip
route-cache flow" command active on at least one interface.
It might be best to look at the first part of the problem before
getting on to your "netstat -an" issue. As the problem seems to be
the fact that no stats are arriving at your machine I would suggest
looking there first. Do this by checking the router configs and by
using tcpdump. The other poster mentioned a firewall, and indeed this
could filter out the netflow exports, so it's worth checking to see if
there is a firewall in place that might be doing that.
Hope this helps,
-Martin
PS, I have written a "bare-bones" Netflow Export collector in C if you
(or anyone) would find it useful. It cannot solve the problem of no
netflow exports arriving at the collector :-) but it does help
debugging your CFLOWD configuration files. Like the time those Ciscos
were putting unexpected source IP addresses in the stats. I spent
hours chasing that one, and only found the problem after looking at
the output of "tcpdump -x".
Liger-dc wrote:
>
> I would like to ask the help of people who have cflowd up and running
> on their boxes and are receiving flows. I have installed cflowd on a
> PIII 450 RH Linux 7.1 box with 256MB and have yet to receive flows even
> though I am currently getting no error messages. Whenever I do a tcp
> dump the only communication that I see between my routers (7507, 6509
> w/ msfc) and my collector are snmp requests and responses. However I
> was told that if I run 'tcpdump -n udp port 2255' (2056 is the port
> that I am using to receive udp flows) I should see something similar
> to this:
>
> collector# tcpdump -n udp port 2255
> tcpdump: listening on all devices
> 12:11:29.953100 10.0.0.1.1868 > 10.0.0.2.2255: udp 1168
> 12:11:29.965310 10.0.0.1.1868 > 10.0.0.2.2255: udp 1168
> 12:11:29.967780 10.0.0.1.1868 > 10.0.0.2.2255: udp 1168
> 12:11:29.985854 10.0.0.1.1868 > 10.0.0.2.2255: udp 1168
> 12:11:29.998673 10.0.0.1.1868 > 10.0.0.2.2255: udp 1168
> 12:11:29.009464 10.0.0.1.1868 > 10.0.0.2.2255: udp 1168
>
> but I do not.
>
> When I do 'netstat -an' the tcp port is listening but not the udp port.
> Is this regular or is there a problem here? Any help is appreciated.
>
> =====
> Edson Manners
> Academic Computing & Networking Services
> Florida State University
>
> --
> cflowd mailing list
> cflowd@caida.org
--
E-Mail: martin@gadgets.co.nz
xenaphobia: The fear of being beaten to a pulp by a leather-clad, New Zealand woman
--
cflowd mailing list
cflowd@caida.org
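
A minimal listener for the check discussed in this thread (are well-formed NetFlow exports reaching the collector on UDP 2055, and from which source address?). It is an added example, not part of the original message and not the collector mentioned in the PS. The names `parse_flow_header` and `struct flow_hdr` are hypothetical, and it assumes the standard v1 and v5 layouts: 16- and 24-byte headers, 48-byte records, at most 24 and 30 records per datagram. A full v1 export is 16 + 24 x 48 = 1168 bytes, the size shown in the quoted tcpdump sample.

```c
/* Added example (hypothetical names): sanity-check NetFlow v1/v5 exports. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define EXPORT_PORT 2055  /* default export port; must match the router config */

struct flow_hdr { uint16_t version, count; uint32_t sys_uptime_ms, unix_secs; };

/* Returns 0 for a well-formed v1/v5 export datagram, a negative code otherwise.
 * The datagram is untrusted input, so every length is checked before use. */
int parse_flow_header(const uint8_t *buf, size_t len, struct flow_hdr *h)
{
    uint16_t v, c; uint32_t up, secs; size_t hdr_len, max_rec;
    if (len < 16) return -1;                    /* shorter than any header */
    memcpy(&v, buf, 2);      memcpy(&c, buf + 2, 2);
    memcpy(&up, buf + 4, 4); memcpy(&secs, buf + 8, 4);
    h->version = ntohs(v);   h->count = ntohs(c);
    h->sys_uptime_ms = ntohl(up); h->unix_secs = ntohl(secs);
    if (h->version == 1)      { hdr_len = 16; max_rec = 24; }
    else if (h->version == 5) { hdr_len = 24; max_rec = 30; }
    else return -2;                             /* not a v1/v5 export */
    if (h->count == 0 || h->count > max_rec) return -3;
    if (len != hdr_len + (size_t)h->count * 48) return -4; /* size vs. count */
    return 0;
}

int main(void)
{
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(EXPORT_PORT) }, from;
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    a.sin_addr.s_addr = htonl(INADDR_ANY);
    if (s < 0 || bind(s, (struct sockaddr *)&a, sizeof a) < 0) { perror("bind"); return 1; }
    for (;;) {
        uint8_t buf[2048]; struct flow_hdr h = {0}; socklen_t fl = sizeof from;
        ssize_t n = recvfrom(s, buf, sizeof buf, 0, (struct sockaddr *)&from, &fl);
        if (n < 0) { perror("recvfrom"); return 1; }
        int rc = parse_flow_header(buf, (size_t)n, &h);
        /* The printed source address is what the collector has to be configured for. */
        printf("%s:%u len=%zd version=%u count=%u %s\n", inet_ntoa(from.sin_addr),
               (unsigned)ntohs(from.sin_port), n, (unsigned)h.version,
               (unsigned)h.count, rc == 0 ? "ok" : "rejected");
    }
}
```

Stop cflowd before running it, since only one process can bind the export port at a time.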
This archive was generated by hypermail 2b29 : Thu Jul 05 2001 - 13:54:48 PDT