Martin,
Thank you. What you said was exactly right. My packets were being dropped at a firewall right
outside of my subnet. Unfortunately I figured this out before I read your email, but I will still
give credit where credit is due. Thanks for all your help.
--- Martin van den Nieuwelaar <martin@gadgets.co.nz> wrote:
> Hi there,
>
> When you say you are getting no error messages, remember that cflowd
> writes to the syslog, and as a default on your system will probably
> end up in /var/log/messages. I found it useful to do a running tail
> on that file when debugging cflowd. Eg. "tail -f /var/log/messages".
>
> Hmm, if you are only seeing SNMP requests and responses between the
> routers and your collector and no Netflow Exports, then it sounds like
> the fault lies with the routers, or as someone else said, with a
> firewall filtering out the packets. Of course if there is no traffic
> on your network there will not be any netflow exports either, but
> we'll assume there is some traffic. Incidentally the command line you
> have there for tcpdump is intended to display just the netflow
> exports. The port number you use (2255 in your example) is the
> destination port of the netflow exports. This value is configured on
> the routers. I'll get to that in a minute. So if, as most people do,
> you export your netflow exports on the default port (2055), use
> "tcpdump -n 'udp port 2055'". When you say you are using 2056 I am a
> little surprised as this is the default TCP port for the cfdcollect
> process to communicate with the cflowd process on. An entirely
> different thing from collection of netflow exports.
>
> I would check with the configuration on the routers. I think there
> may have been a slight change in the syntax going from IOS V11 to V12,
> but for V11 it's something like:
>
> In global configuration mode:
>
> ip flow-export destination <collector_ip> [UDP_port]
> ip flow-export source loopback0 (assuming you have a loopback address
> - advisable IMHO)
> ip flow-export version 5 origin-as
>
> and for each interface you want to gather stats on:
>
> ip route-cache flow
>
> There are some commands you can use to look at the stats on the router
> itself. In EXEC mode execute:
>
> show ip cache flow
>
> This will hopefully give you some pretty, and non-zero stats. You may
> want to try this on your current router configurations just to see
> they are at least gathering the stats. Note that I haven't tried this
> to make sure, but I think it will only work if you have the "ip
> route-cache flow" command active on at least one interface.
>
> It might be best to look at the first part of the problem before
> getting on to your "netstat -an" issue. As the problem seems to be
> the fact that no stats are arriving at your machine I would suggest
> looking there first. Do this by checking the router configs and by
> using tcpdump. The other poster mentioned a firewall, and indeed this
> could filter out the netflow exports, so it's worth checking to see if
> there is a firewall in place that might be doing that.
>
> Hope this helps,
>
> -Martin
>
> PS, I have written a "bare-bones" Netflow Export collector in C if you
> (or anyone) would find it useful. It cannot solve the problem of no
> netflow exports arriving at the collector :-) but it does help
> debugging your CFLOWD configuration files. Like the time those Ciscos
> were putting unexpected source IP addresses in the stats. I spent
> hours chasing that one, and only found the problem after looking at
> the output of "tcpdump -x".
>
> Liger-dc wrote:
> >
> > I would like to ask the help of people who have cflowd up and running
> > on their boxes and are
> > receiving flows. I have installed cflowd on a PIII 450 RH Linux 7.1 box
> > with 256MB and have yet to
> > receive flows even though I am currently getting no error messages.
> > Whenever I do a tcpdump the
> > only communication that I see between my routers (7507, 6509 w/ msfc)
> > and my collector are snmp
> > requests and responses. However I was told that if I run 'tcpdump -n
> > udp port 2255' (2056 is the
> > port that I am using to receive UDP flows) I should see something
> > similar to this:
> >
> > collector# tcpdump -n udp port 2255
> > tcpdump: listening on all devices
> > 12:11:29.953100 10.0.0.1.1868 > 10.0.0.2.2255: udp 1168
> > 12:11:29.965310 10.0.0.1.1868 > 10.0.0.2.2255: udp 1168
> > 12:11:29.967780 10.0.0.1.1868 > 10.0.0.2.2255: udp 1168
> > 12:11:29.985854 10.0.0.1.1868 > 10.0.0.2.2255: udp 1168
> > 12:11:29.998673 10.0.0.1.1868 > 10.0.0.2.2255: udp 1168
> > 12:11:29.009464 10.0.0.1.1868 > 10.0.0.2.2255: udp 1168
> >
> > but I do not.
> >
> > When I do 'netstat -an' the tcp port is listening but not the udp port.
> > Is this regular or is
> > there a problem here? Any help is appreciated.
> >
> > =====
> > Edson Manners
> > Academic Computing & Networking Services
> > Florida State University
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Get personalized email addresses from Yahoo! Mail
> > http://personal.mail.yahoo.com/
> > --
> > cflowd mailing list
> > cflowd@caida.org
>
> --
> E-Mail: martin@gadgets.co.nz
> xenaphobia: The fear of being beaten to a pulp by
> a leather-clad, New Zealand woman
=====
Edson Manners
Academic Computing & Networking Services
Florida State University
This archive was generated by hypermail 2b29 : Fri Jul 06 2001 - 07:37:51 PDT
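
The quoted reply mentions a bare-bones NetFlow export collector as a debugging aid and an incident where routers put unexpected source IP addresses in the exports. The following is an added example, not part of the thread and not Martin's C collector: a minimal NetFlow v5 listener that prints each datagram's sender and validates the header against the datagram length. The function names, the `expected` sender list and the sample datagram are assumptions made for illustration.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                # NetFlow v5 header, 24 bytes
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # NetFlow v5 flow record, 48 bytes

def parse_v5(data):
    """Return (header, flows) or raise ValueError naming what is wrong."""
    if len(data) < 2:
        raise ValueError("datagram too short to hold a version field")
    version = struct.unpack_from("!H", data)[0]
    if version != 5:
        raise ValueError(f"export version {version}, expected 5")
    if len(data) < HEADER.size:
        raise ValueError("truncated v5 header")
    _, count, _, _, _, seq, _, _, _ = HEADER.unpack_from(data)
    expected = HEADER.size + count * RECORD.size
    if len(data) != expected:
        raise ValueError(f"length {len(data)} != {expected} for {count} records")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(data, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "packets": f[5], "octets": f[6],
                      "sport": f[9], "dport": f[10], "proto": f[13]})
    return {"count": count, "sequence": seq}, flows

def sample_datagram():
    """Constructed one-flow v5 export for offline testing (not captured traffic)."""
    hdr = HEADER.pack(5, 1, 1000, 994430271, 0, 42, 0, 0, 0)
    rec = RECORD.pack(socket.inet_aton("10.0.0.5"), socket.inet_aton("10.0.0.9"),
                      socket.inet_aton("0.0.0.0"), 1, 2, 10, 840, 100, 900,
                      1025, 80, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return hdr + rec

def listen(port=2055, expected=()):
    """Print one line per datagram; flag senders not in `expected` (assumed list)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (sender, _) = sock.recvfrom(65535)
        tag = " UNEXPECTED SOURCE" if expected and sender not in expected else ""
        try:
            hdr, _ = parse_v5(data)
            print(f"{sender}{tag}: seq={hdr['sequence']} flows={hdr['count']}")
        except ValueError as err:
            print(f"{sender}{tag}: rejected, {err}")

if __name__ == "__main__":
    listen()
```

Stop cflowd before running it on the same UDP port, since only one process can bind the port at a time.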