cfdcollect not working although no errors are reported and I can see

From: Halldór Högnason (Halldor.Hognason@islandssimi.is)
Date: Mon Sep 03 2001 - 05:53:10 PDT


    Hi

    I'm still having problems using cfdcollect. I'm now running cfdcollect
    on a separate machine, and I can see the cfdcollect process on that
    machine asking for data and getting it.

    Machine A: running cflowdmux and cflowd, IP: 213.1.1.1 (RedHat 6.1, Kernel: 2.2.14-5.0)
    Machine B: running cfdcollect, IP: 213.2.2.2 (RedHat 7.1)
    Router 1: sending Netflow data, IP: 213.3.3.3 (CISCO 7513, IOS Version 12.0(7)T)

    Of course, the above are addresses that I exchanged for the real ones I'm
    using.

    By looking at the syslog everything seems to be working ok,

    Machine A:
    Sep 3 12:09:53 Machine_A cflowdmux[9823]: [I] cflowdmux (version
    cflowd-2-1-b1) started.
    Sep 3 12:09:53 Machine_A cflowdmux[9823]: [I] created 2101248 byte packet
    queue shmem segment {CflowdPacketQueue.cc:247}
    Sep 3 12:09:53 Machine_A cflowdmux[9823]: [I] attached to 2101248 byte
    packet queue at 0x40185000
    Sep 3 12:09:53 Machine_A cflowdmux[9823]: [I] created semaphore: id 0
    Sep 3 12:09:53 Machine_A cflowdmux[9823]: [I] set UDP recv queue to 261040
    bytes for fd 4 (port 9992)
    Sep 3 12:10:01 Machine_A cflowd[9827]: [I] cflowd (version cflowd-2-1-b1)
    started.
    Sep 3 12:10:01 Machine_A cflowd[9827]: [I] got semaphore: id 0
    Sep 3 12:10:01 Machine_A cflowd[9827]: [I] attached to 2101248 byte packet
    queue at 0x4027a000
    Sep 3 12:10:48 Machine_A cflowd[9828]: [I] sent data to 213.2.2.2:2089
    Sep 3 12:15:48 Machine_A cflowd[9842]: [I] sent data to 213.2.2.2:2293
    Sep 3 12:20:48 Machine_A cflowd[9846]: [I] sent data to 213.2.2.2:2491

    Machine B:
    Sep 3 12:03:43 Machine_B cfdcollect[30513]: [I] cfdcollect (version
    cflowd-2-1-b1) started with 1 cflowd instances.
    Sep 3 12:03:44 Machine_B cfdcollect[30513]: [I] connected to
    213.1.1.1:2056
    Sep 3 12:04:00 Machine_B cfdcollect[30513]: [I] 213.1.1.1 has data for 1
    router.
    Sep 3 12:04:00 Machine_B cfdcollect[30513]: [I] got data for router
    213.3.3.3 from 213.1.1.1
    Sep 3 12:04:00 Machine_B cfdcollect[30513]: [I] wrote data for router
    213.3.3.3
    Sep 3 12:04:00 Machine_B cfdcollect[30513]: [I] sleeping for 283 seconds.
    Sep 3 12:08:43 Machine_B cfdcollect[30513]: [I] awakened by alarm.
    Sep 3 12:08:44 Machine_B cfdcollect[30513]: [I] connected to
    213.1.1.1:2056
    Sep 3 12:09:01 Machine_B cfdcollect[30513]: [I] 213.1.1.1 has data for 1
    router.
    Sep 3 12:09:01 Machine_B cfdcollect[30513]: [I] got data for router
    213.3.3.3 from 213.1.1.1
    Sep 3 12:09:01 Machine_B cfdcollect[30513]: [I] wrote data for router
    213.3.3.3
    Sep 3 12:09:01 Machine_B cfdcollect[30513]: [I] sleeping for 282 seconds.
    Sep 3 12:13:43 Machine_B cfdcollect[30513]: [I] awakened by alarm.
    Sep 3 12:13:44 Machine_B cfdcollect[30513]: [I] connected to
    213.1.1.1:2056
    Sep 3 12:14:00 Machine_B cfdcollect[30513]: [I] 213.1.1.1 has data for 1
    router.
    Sep 3 12:14:00 Machine_B cfdcollect[30513]: [I] got data for router
    213.3.3.3 from 213.1.1.1
    Sep 3 12:14:00 Machine_B cfdcollect[30513]: [I] wrote data for router
    213.3.3.3
    Sep 3 12:14:00 Machine_B cfdcollect[30513]: [I] sleeping for 283 seconds.

    and when I run TCPDUMP to verify my results I get the following,

    Machine A: (tcpdump dst host 213.2.2.2)
    12:20:31.495540 eth0 > 213.1.1.1.2056 > 213.2.2.2.2491: S
    1631055956:1631055956(0) ack 1195161418 win 32120 <mss
    1460,sackOK,timestamp 43472346 95120897,nop,wscale 0> (DF)
    12:20:48.076963 eth0 > 213.1.1.1.2056 > 213.2.2.2.2491: P 1:5(4) ack 1 win
    32120 <nop,nop,timestamp 43474004 95120897> (DF)
    12:20:48.084165 eth0 > 213.1.1.1.2056 > 213.2.2.2.2491: P 5:9(4) ack 1 win
    32120 <nop,nop,timestamp 43474005 95122555> (DF)
    12:20:48.088265 eth0 > 213.1.1.1.2056 > 213.2.2.2.2491: P 9:13(4) ack 1 win
    32120 <nop,nop,timestamp 43474005 95122556> (DF)
    12:20:48.092370 eth0 > 213.1.1.1.2056 > 213.2.2.2.2491: P 13:17(4) ack 1
    win 32120 <nop,nop,timestamp 43474006 95122556> (DF)
    12:20:48.096270 eth0 > 213.1.1.1.2056 > 213.2.2.2.2491: P 17:19(2) ack 1
    win 32120 <nop,nop,timestamp 43474006 95122557> (DF)
    12:20:48.101273 eth0 > 213.1.1.1.2056 > 213.2.2.2.2491: F 19:19(0) ack 1
    win 32120 <nop,nop,timestamp 43474007 95122557> (DF)
    12:20:48.101916 eth0 > 213.1.1.1.2056 > 213.2.2.2.2491: . 20:20(0) ack 2
    win 32120 <nop,nop,timestamp 43474007 95122557> (DF)

    Machine B:(tcpdump src host 213.1.1.1)
    12:08:44.001728 eth0 < 213.1.1.1.2056 > 213.2.2.2.2293: S
    1302909869:1302909869(0) ack 873364909 win 32120 <mss 1460,sackOK,timestamp
    43442349 95090897,nop,wscale 0> (DF)
    12:09:01.201728 eth0 < 213.1.1.1.2056 > 213.2.2.2.2293: P 1:5(4) ack 1 win
    32120 <nop,nop,timestamp 43444069 95090897> (DF)
    12:09:01.201728 eth0 < 213.1.1.1.2056 > 213.2.2.2.2293: FP 5:19(14) ack 1
    win 32120 <nop,nop,timestamp 43444069 95090897> (DF)
    12:09:01.201728 eth0 < 213.1.1.1.2056 > 213.2.2.2.2293: . 20:20(0) ack 2
    win 32120 <nop,nop,timestamp 43444069 95092617> (DF)
    12:13:44.001728 eth0 < 213.1.1.1.2056 > 213.2.2.2.2491: S
    1631055956:1631055956(0) ack 1195161418 win 32120 <mss
    1460,sackOK,timestamp 43472346 95120897,nop,wscale 0> (DF)
    12:14:00.581728 eth0 < 213.1.1.1.2056 > 213.2.2.2.2491: P 1:5(4) ack 1 win
    32120 <nop,nop,timestamp 43474004 95120897> (DF)
    12:14:00.591728 eth0 < 213.1.1.1.2056 > 213.2.2.2.2491: P 5:9(4) ack 1 win
    32120 <nop,nop,timestamp 43474005 95122555> (DF)
    12:14:00.591728 eth0 < 213.1.1.1.2056 > 213.2.2.2.2491: P 9:13(4) ack 1 win
    32120 <nop,nop,timestamp 43474005 95122556> (DF)
    12:14:00.591728 eth0 < 213.1.1.1.2056 > 213.2.2.2.2491: P 13:17(4) ack 1
    win 32120 <nop,nop,timestamp 43474006 95122556> (DF)
    12:14:00.601728 eth0 < 213.1.1.1.2056 > 213.2.2.2.2491: P 17:19(2) ack 1
    win 32120 <nop,nop,timestamp 43474006 95122557> (DF)
    12:14:00.601728 eth0 < 213.1.1.1.2056 > 213.2.2.2.2491: F 19:19(0) ack 1
    win 32120 <nop,nop,timestamp 43474007 95122557> (DF)
    12:14:00.601728 eth0 < 213.1.1.1.2056 > 213.2.2.2.2491: . 20:20(0) ack 2
    win 32120 <nop,nop,timestamp 43474007 95122557> (DF)

    I think we can conclude from this that the systems seem to be correctly
    configured and working. However, when I look at the arts file on 213.2.2.2,
    it was created at the time I started cfdcollect and doesn't seem to have
    changed since then, i.e., it is of size zero. I changed ownership to nobody
    and permissions to 777, so that should not be the thing that is bothering me
    (I run the systems as root, so it shouldn't be the case).

    -rwxrwxrwx 1 nobody nobody 0 Sep 3 10:15 arts.20010903

    However, I'm definitely getting data from cflowdmux and cflowd, since by
    running flowdump I get,

    FLOW
      index: 0xc7ffff
      router: 213.3.3.3
      src IP: 213.176.x.x
      dst IP: 213.176.y.y
      input ifIndex: 3
      output ifIndex: 7
      src port: 80
      dst port: 3821
      pkts: 2
      bytes: 80
      IP nexthop: 195.219.j.j
      start time: Mon Sep 3 12:25:43 2001
      end time: Mon Sep 3 12:25:45 2001
      protocol: 6
      tos: 0
      src AS: 12nnn
      dst AS: 12nnn
      src masklen: 30
      dst masklen: 19
      TCP flags: 0x14
      engine type: 0
      engine id: 0
    FLOW
      index: 0xc7ffff
      router: 213.3.3.3
      src IP: 193.4.x.x
      dst IP: 194.200.y.y
      input ifIndex: 3
      output ifIndex: 7
      src port: 6483
      dst port: 3300
      pkts: 1
      bytes: 40
      IP nexthop: 195.219.j.j
      start time: Mon Sep 3 12:25:43 2001
      end time: Mon Sep 3 12:25:43 2001
      protocol: 6
      tos: 0
      src AS: 12nnn
      dst AS: 12nnn
      src masklen: 16
      dst masklen: 14
      TCP flags: 0x4
      engine type: 0
      engine id: 0

    The configuration I'm using is the following,

    Machine A:
    bash# more cflowd.conf
    OPTIONS {
    LOGFACILITY: local6
    TCPCOLLECTPORT: 2056
    PKTBUFSIZE: 2097152
    TABLESOCKFILE: /usr/local/arts/etc/cflowdtable.socket
    FLOWDIR: /usr/local/arts/data/cflowd/flows
    FLOWFILELEN: 1000000
    NUMFLOWFILES: 10
    MINLOGMISSED: 1000
    }
    COLLECTOR {
    HOST: 213.2.2.2
    ADDRESSES: 213.2.2.2
    AUTH: none
    }
    CISCOEXPORTER {
    HOST: 213.3.3.3
    ADDRESSES: { 213.3.3.3 }
    CFDATAPORT: 9992
    SNMPCOMM: 'public'
    LOCALAS: 12969
    COLLECT: { flows }
    }

    Machine B:
    system {
      logFacility: local6 # Syslog to local6 facility.
      dataDirectory: /usr/local/arts/data/cflowd
      filePrefix: arts
      pidFile: /usr/local/arts/etc/cfdcollect.pid
    }
    cflowd {
      host: 213.1.1.1
      tcpCollectPort: 2056
      minPollInterval: 300
    }

    Router 1:
    ip flow-export version 5
    ip flow-export destination 213.1.1.1 9992
    ip flow-aggregation cache source-prefix
     cache entries 1024
     cache timeout inactive 300
     cache timeout active 5
     export destination 213.1.1.1 9992
     enabled
    !

    Ok, I think this is as much detailed information on my configuration and
    status as possible, so does anyone have a clue what the problem might be?

    Best regards,

    Halldor Karl Hognason

    Halldor Karl Hognason E.E.
    Islandssimi hf.
    Borgartun 30
    105 Reykjavik
    ICELAND

    E-mail: halldor.hognason@islandssimi.is
    Tel: +354 5955016
    Mob: +354 820 5016
    Fax: +354 5955050

    --
    cflowd mailing list
    cflowd@caida.org
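An added example, not code from the post or from the cflowd project: an end-to-end sanity check for the situation described above, where every component logs success but the output file never grows. It cross-checks three signals that are reported independently: cfdcollect's syslog "wrote data for router" events, the payload actually carried by the cflowd to cfdcollect TCP sessions (recovered from tcpdump's `P a:b(n)` sequence ranges, counting each range once so a retransmission is not double-counted), and the size of the arts file. The syslog and tcpdump sample lines are taken from the post with the trailing TCP options trimmed, plus one constructed duplicate segment; the file size is a constructed stand-in for `os.stat(path).st_size`, and the 64-byte threshold is an assumption chosen for the example. On the post's own capture lines the sessions total 18 payload bytes each, which the check reports; the post itself does not say what cflowd should have sent.

```python
"""
Pipeline sanity check for a cflowd -> cfdcollect -> arts file setup.
Added example; sample inputs are taken from the mailing-list post (addresses
already anonymised there) except where marked as constructed.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, NamedTuple

# cfdcollect syslog line that claims a successful write for one router
WROTE_RE = re.compile(
    r"cfdcollect\[\d+\]: \[I\] wrote data for router (?P<router>\d+(?:\.\d+){3})")
# tcpdump (old BSD-style output, as in the post): "<src> > <dst>: <flags> a:b(n) ..."
SEG_RE = re.compile(
    r"(?P<src>\d+(?:\.\d+){3}\.\d+) > (?P<dst>\d+(?:\.\d+){3}\.\d+): "
    r"(?P<flags>[A-Z.]+) (?P<a>\d+):(?P<b>\d+)\((?P<n>\d+)\)")

SAMPLE_SYSLOG = [  # from the post (Machine B)
    "Sep 3 12:04:00 Machine_B cfdcollect[30513]: [I] got data for router 213.3.3.3 from 213.1.1.1",
    "Sep 3 12:04:00 Machine_B cfdcollect[30513]: [I] wrote data for router 213.3.3.3",
    "Sep 3 12:09:01 Machine_B cfdcollect[30513]: [I] wrote data for router 213.3.3.3",
    "Sep 3 12:14:00 Machine_B cfdcollect[30513]: [I] wrote data for router 213.3.3.3",
]
SAMPLE_TCPDUMP = [  # from the post (Machine B, session to port 2293), options trimmed
    "12:08:44.001728 eth0 < 213.1.1.1.2056 > 213.2.2.2.2293: S 1302909869:1302909869(0) ack 873364909 win 32120 (DF)",
    "12:09:01.201728 eth0 < 213.1.1.1.2056 > 213.2.2.2.2293: P 1:5(4) ack 1 win 32120 (DF)",
    # constructed: the same segment again, as a retransmission would appear
    "12:09:01.201728 eth0 < 213.1.1.1.2056 > 213.2.2.2.2293: P 1:5(4) ack 1 win 32120 (DF)",
    "12:09:01.201728 eth0 < 213.1.1.1.2056 > 213.2.2.2.2293: FP 5:19(14) ack 1 win 32120 (DF)",
    "12:09:01.201728 eth0 < 213.1.1.1.2056 > 213.2.2.2.2293: . 20:20(0) ack 2 win 32120 (DF)",
]
ARTS_FILE_SIZE = 0  # constructed stand-in for os.stat("arts.20010903").st_size


class Finding(NamedTuple):
    subject: str   # router address or "src > dst" session key
    ok: bool
    detail: str


def reported_writes(syslog_lines: Iterable[str]) -> Counter:
    """Count 'wrote data for router X' events per router."""
    writes: Counter = Counter()
    for line in syslog_lines:
        m = WROTE_RE.search(line)
        if m:
            writes[m.group("router")] += 1
    return writes


def session_payload_bytes(tcpdump_lines: Iterable[str]) -> Dict[str, int]:
    """Sum the distinct (a, b) payload ranges per direction of each session.
    SYN/FIN/ACK-only segments carry a:a(0) and contribute nothing."""
    ranges: Dict[str, set] = defaultdict(set)
    for line in tcpdump_lines:
        m = SEG_RE.search(line)
        if not m:
            continue
        a, b = int(m.group("a")), int(m.group("b"))
        if b > a:
            ranges[f"{m.group('src')} > {m.group('dst')}"].add((a, b))
    return {key: sum(b - a for a, b in rs) for key, rs in ranges.items()}


def check_pipeline(syslog_lines: Iterable[str], tcpdump_lines: Iterable[str],
                   arts_file_size: int, min_payload: int = 64) -> List[Finding]:
    """Flag routers whose logged writes are not reflected in the file, and
    sessions that carried less than `min_payload` bytes (assumed threshold)."""
    findings: List[Finding] = []
    for router, n in reported_writes(syslog_lines).items():
        if arts_file_size == 0:
            findings.append(Finding(router, False,
                f"cfdcollect logged {n} writes but the arts file is 0 bytes"))
        else:
            findings.append(Finding(router, True,
                f"{n} writes logged, arts file is {arts_file_size} bytes"))
    for session, payload in session_payload_bytes(tcpdump_lines).items():
        ok = payload >= min_payload
        findings.append(Finding(session, ok,
            f"session carried {payload} payload bytes from cflowd to cfdcollect"))
    return findings


if __name__ == "__main__":
    for f in check_pipeline(SAMPLE_SYSLOG, SAMPLE_TCPDUMP, ARTS_FILE_SIZE):
        print("OK  " if f.ok else "FAIL", f.subject, "-", f.detail)
```

Run it as-is to see both checks fail on the post's data; point `SAMPLE_SYSLOG` at the real cfdcollect log lines and replace `ARTS_FILE_SIZE` with an `os.stat()` call to use it against a live collector.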
    



    This archive was generated by hypermail 2b29 : Mon Sep 03 2001 - 05:50:31 PDT
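A second added example, again not code from the post or from cflowd: a decoder for the NetFlow v5 export format the router in the post is configured to send (`ip flow-export version 5`, destination 213.1.1.1 port 9992), unpacking the 24-byte header and the 48-byte flow records into the same fields flowdump prints. The sample datagram is constructed for this example: it encodes the two flows from the post's flowdump output, with the octets the author masked (x, y, j) replaced by placeholder values, the AS numbers set to the LOCALAS from cflowd.conf (12969), and made-up uptime/timestamp fields. The record-count check is an assumption about how a collector should treat a datagram whose header disagrees with its length.

```python
"""
Minimal NetFlow v5 datagram decoder. Added example; the sample datagram is
constructed here and is not real router output.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List

# v5 header: version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval (24 bytes)
HEADER_FMT = "!HHIIIIBBH"
# v5 record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first,
# last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
# src_mask, dst_mask, pad2 (48 bytes)
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
MAX_RECORDS = 30  # a v5 exporter puts at most 30 records in one datagram


@dataclass
class Flow:
    router: str
    src_ip: str
    dst_ip: str
    input_if: int
    output_if: int
    src_port: int
    dst_port: int
    pkts: int
    octets: int
    nexthop: str
    protocol: int
    tos: int
    src_as: int
    dst_as: int
    src_masklen: int
    dst_masklen: int
    tcp_flags: int
    engine_type: int
    engine_id: int


def parse_netflow_v5(datagram: bytes, router: str) -> List[Flow]:
    """Decode one UDP datagram received from `router`. Raises ValueError for
    anything that is not a well-formed v5 export so a bad packet is dropped
    instead of being misparsed."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, _uptime, _secs, _nsecs, _seq,
     engine_type, engine_id, _sampling) = struct.unpack_from(HEADER_FMT, datagram)
    if version != 5:
        raise ValueError(f"expected NetFlow version 5, got {version}")
    # Assumption: the advertised count must match the payload length exactly.
    if count > MAX_RECORDS or HEADER_LEN + count * RECORD_LEN != len(datagram):
        raise ValueError(f"count {count} does not match {len(datagram)}-byte datagram")
    flows: List[Flow] = []
    for i in range(count):
        (src, dst, nh, in_if, out_if, pkts, octets, _first, _last, sport, dport,
         _pad1, flags, proto, tos, sas, das, smask, dmask, _pad2) = \
            struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        flows.append(Flow(router, socket.inet_ntoa(src), socket.inet_ntoa(dst),
                          in_if, out_if, sport, dport, pkts, octets,
                          socket.inet_ntoa(nh), proto, tos, sas, das,
                          smask, dmask, flags, engine_type, engine_id))
    return flows


def build_sample_datagram() -> bytes:
    """Constructed datagram with the two flows from the post's flowdump output.
    Masked octets are placeholders; AS numbers use LOCALAS 12969 from cflowd.conf."""
    header = struct.pack(HEADER_FMT, 5, 2, 1_000_000, 999_516_343, 0, 0, 0, 0, 0)

    def rec(src, dst, nh, sport, dport, pkts, octets, flags, smask, dmask):
        return struct.pack(RECORD_FMT,
                           socket.inet_aton(src), socket.inet_aton(dst),
                           socket.inet_aton(nh), 3, 7, pkts, octets, 0, 2000,
                           sport, dport, 0, flags, 6, 0, 12969, 12969,
                           smask, dmask, 0)

    return (header
            + rec("213.176.10.10", "213.176.20.20", "195.219.30.30", 80, 3821, 2, 80, 0x14, 30, 19)
            + rec("193.4.10.10", "194.200.20.20", "195.219.30.30", 6483, 3300, 1, 40, 0x04, 16, 14))


if __name__ == "__main__":
    for flow in parse_netflow_v5(build_sample_datagram(), "213.3.3.3"):
        print(flow)
```

The sample input is 24 + 2 * 48 = 120 bytes; truncating it by a byte makes the count/length check raise, which is the behaviour a collector listening on UDP 9992 should have for malformed exports.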