Re: UDP port not listening.. tips on what to check for and how to check

From: Liger-dc (liger_dc@yahoo.com)
Date: Fri Jul 06 2001 - 07:33:58 PDT


    Martin,
        Thank you. What you said was exactly right. My packets were being dropped at a firewall right
    outside of my subnet. Unfortunately I figured this out before I read your email, but I will still
    give credit where credit is due. Thanks for all your help.

    --- Martin van den Nieuwelaar <martin@gadgets.co.nz> wrote:
    > Hi there,
    >
    > When you say you are getting no error messages, remember that cflowd
    > writes to the syslog, and as a default on your system will probably
    > end up in /var/log/messages. I found it useful to do a running tail
    > on that file when debugging cflowd. Eg. "tail -f /var/log/messages".
    >
    > Hmm, if you are only seeing SNMP requests and responses between the
    > routers and your collector and no Netflow Exports, then it sounds like
    > the fault lies with the routers, or as someone else said, with a
    > firewall filtering out the packets. Of course if there is no traffic
    > on your network there will not be any netflow exports either, but
    > we'll assume there is some traffic. Incidentally the command line you
    > have there for tcpdump is intended to display just the netflow
    > exports. The port number you use (2255 in your example) is the
    > destination port of the netflow exports. This value is configured on
    > the routers. I'll get to that in a minute. So if, as most people do,
    > you export your netflow exports on the default port (2055), use
    > "tcpdump -n 'udp port 2055'". When you say you are using 2056 I am a
    > little surprised as this is the default TCP port for the cfdcollect
    > process to communicate with the cflowd process on. An entirely
    > different thing from collection of netflow exports.
    >
    > I would check with the configuration on the routers. I think there
    > may have been a slight change in the syntax going from IOS V11 to V12,
    > but for V11 it's something like:
    >
    > In global configuration mode:
    >
    > ip flow-export destination <collector_ip> [UDP_port]
    > ip flow-export source loopback0 (assuming you have a loopback address
    > - advisable IMHO)
    > ip flow-export version 5 origin-as
    >
    > and for each interface you want to gather stats on:
    >
    > ip route-cache flow
    >
    > There are some commands you can use to look at the stats on the router
    > itself. In EXEC mode execute:
    >
    > show ip cache flow
    >
    > This will hopefully give you some pretty, and non-zero stats. You may
    > want to try this on your current router configurations just to see
    > they are at least gathering the stats. Note that I haven't tried this
    > to make sure, but I think it will only work if you have the "ip
    > route-cache flow" command active on at least one interface.
    >
    > It might be best to look at the first part of the problem before
    > getting on to your "netstat -an" issue. As the problem seems to be
    > the fact that no stats are arriving at your machine I would suggest
    > looking there first. Do this by checking the router configs and by
    > using tcpdump. The other poster mentioned a firewall, and indeed this
    > could filter out the netflow exports, so it's worth checking to see if
    > there is a firewall in place that might be doing that.
    >
    > Hope this helps,
    >
    > -Martin
    >
    > PS, I have written a "bare-bones" Netflow Export collector in C if you
    > (or anyone) would find it useful. It cannot solve the problem of no
    > netflow exports arriving at the collector :-) but it does help
    > debugging your CFLOWD configuration files. Like the time those Ciscos
    > were putting unexpected source IP addresses in the stats. I spent
    > hours chasing that one, and only found the problem after looking at
    > the output of "tcpdump -x".
    >
    > Liger-dc wrote:
    > >
    > > I would like to ask the help of people who have cflowd up and running
    > > on their boxes and are receiving flows. I have installed cflowd on a
    > > PIII 450 RH Linux 7.1 box with 256MB and have yet to receive flows even
    > > though I am currently getting no error messages. Whenever I do a tcpdump
    > > the only communication that I see between my routers (7507, 6509 w/ msfc)
    > > and my collector are snmp requests and responses. However I was told that
    > > if I run 'tcpdump -n udp port 2255' (2056 is the port that I am using to
    > > receive udp flows) I should see something similar to this:
    > >
    > > collector# tcpdump -n udp port 2255
    > > tcpdump: listening on all devices
    > > 12:11:29.953100 10.0.0.1.1868 > 10.0.0.2.2255: udp 1168
    > > 12:11:29.965310 10.0.0.1.1868 > 10.0.0.2.2255: udp 1168
    > > 12:11:29.967780 10.0.0.1.1868 > 10.0.0.2.2255: udp 1168
    > > 12:11:29.985854 10.0.0.1.1868 > 10.0.0.2.2255: udp 1168
    > > 12:11:29.998673 10.0.0.1.1868 > 10.0.0.2.2255: udp 1168
    > > 12:11:29.009464 10.0.0.1.1868 > 10.0.0.2.2255: udp 1168
    > >
    > > but I do not.
    > >
    > > When I do 'netstat -an' the tcp port is listening but not the udp port.
    > > Is this regular or is there a problem here? Any help is appreciated.
    > >
    > > =====
    > > Edson Manners
    > > Academic Computing & Networking Services
    > > Florida State University
    > >
    > > --
    > > cflowd mailing list
    > > cflowd@caida.org
    >
    > --
    > E-Mail: martin@gadgets.co.nz
    > xenaphobia: The fear of being beaten to a pulp by
    > a leather-clad, New Zealand woman
    > --
    > cflowd mailing list
    > cflowd@caida.org

    =====
    Edson Manners
    Academic Computing & Networking Services
    Florida State University

    --
    cflowd mailing list
    cflowd@caida.org
    



    This archive was generated by hypermail 2b29 : Fri Jul 06 2001 - 07:37:51 PDT