Re: [Cflowd] Need some help getting my CFLOWD running on Solaris 9....

From: R. Drew Davis (drew@research.bell-labs.com)
Date: Mon Jul 29 2002 - 19:19:46 PDT


    > Date: Mon, 29 Jul 2002 17:53:48 -0700
    > From: "Alex Ponnath" <alexp@iccinternet.com>
    > To: <cflowd@caida.org>
    > Subject: [Cflowd] Need some help getting my CFLOWD running on Solaris 9....
    >
    >Hi,
    >
    >I am having a problem for some reason to get cflowd running on my
    >Solaris 9 Box. The Server
    >is a dual 440 MHZ 220R with 2 x 18 GB HD's and 1 GIG of Mem so power
    >should not be the problem.
    >I installed the binary version which installs to the /usr/local/arts
    >dir...
    >
    >When I start the cflowdmux and cflowd they start fine. Since I never saw
    >cfdcollect start, I started it
    >manually with the option which pointed it to the ../etc/cfdcollect.conf
    >file.
    >
    >It also started fine and is still running but I don't see it log any data
    >to any file for some reason.
    >
    >So I hope someone can point me in the right direction since there are no
    >error logs in syslog or console.
    >I include below any relevant info regarding my setup and hope someone can see
    >what's wrong.
    >
    >thanks
    >
    >Alex
    >
    >My cfdcollect.conf looks like this..
    >system {
    > logFacility: local6 # Syslog to local6 facility.
    > dataDirectory: /export/home/netflow
    > filePrefix: arts
    > pidFile: /usr/local/arts/etc/cfdcollect.pid
    >}
    >cflowd {
    > host: localhost
    > tcpCollectPort: 2056
    > minPollInterval: 300
    >}
    >
    >And my cflowd.conf like this
    >OPTIONS {
    > LOGFACILITY: local6
    > TCPCOLLECTPORT: 2056
    > PKTBUFSIZE: 2097152
    > TABLESOCKFILE: /usr/local/arts/etc/cflowdtable.socket
    > FLOWDIR: /usr/local/arts/data/cflowd/flows
    > FLOWFILELEN: 1000000
    > NUMFLOWFILES: 10
    > MINLOGMISSED: 1000
    >}
    >
    >COLLECTOR {
    > HOST: 127.0.0.1 # IP address of central collector
    > ADDRESSES: { 127.0.0.1 }
    > AUTH: none
    >}
    >
    >CISCOEXPORTER {
    > HOST: 216.158.230.47 # IP address of Cisco sending data.
    > CFDATAPORT: 2055 # Port on which to listen for data.
    > SNMPCOMM: 'xxxxxxx' # SNMP community name.
    > LOCALAS: 18915 # Local AS of Cisco sending data.
    > COLLECT: { protocol, portmatrix, ifmatrix, nexthop, netmatrix,
    > asmatrix, tos, flows }
    >}
    >
    >Some Basic Debug info for my system
    >=============================
    >
    >Output of snoop (seems the router is sending the UDP Packets...)
    >216.158.204.47 -> cflowd1 UDP D=2055 S=56866 LEN=1472
    >216.158.204.47 -> cflowd1 UDP D=2055 S=56866 LEN=1472
    >216.158.204.47 -> cflowd1 UDP D=2055 S=56866 LEN=1472
    >216.158.204.47 -> cflowd1 UDP D=2055 S=56866 LEN=1472
    >216.158.204.47 -> cflowd1 UDP D=2055 S=56866 LEN=1472
    >
    >I can find in the /usr/local/arts/data/cflowd/flows
    >the 10 files which are all empty...
    ># ls -l
    >total 2272
    >-rw-r--r-- 1 root other 1000000 Jul 29 17:12 216.158.230.47.flows.0
    >-rw-r--r-- 1 root other 1000000 Jul 29 15:27 216.158.230.47.flows.1
    >-rw-r--r-- 1 root other 1000000 Jul 29 15:27 216.158.230.47.flows.2
    >-rw-r--r-- 1 root other 1000000 Jul 29 15:27 216.158.230.47.flows.3
    >-rw-r--r-- 1 root other 1000000 Jul 29 15:27 216.158.230.47.flows.4
    >-rw-r--r-- 1 root other 1000000 Jul 29 15:27 216.158.230.47.flows.5
    >-rw-r--r-- 1 root other 1000000 Jul 29 15:27 216.158.230.47.flows.6
    >-rw-r--r-- 1 root other 1000000 Jul 29 15:27 216.158.230.47.flows.7
    >-rw-r--r-- 1 root other 1000000 Jul 29 15:27 216.158.230.47.flows.8
    >-rw-r--r-- 1 root other 1000000 Jul 29 15:27 216.158.230.47.flows.9
    >
    ># ipcs -a
    >IPC status from <running system> as of Mon Jul 29 17:41:00 PDT 2002
    >T ID KEY MODE OWNER GROUP CREATOR CGROUP CBYTES QNUM QBYTES LSPID LRPID STIME RTIME CTIME
    >Message Queues:
    >T ID KEY MODE OWNER GROUP CREATOR CGROUP NATTCH SEGSZ CPID LPID ATIME DTIME CTIME
    >Shared Memory:
    >m 100 0x542 --rw-r--r-- root other root other 2 2101248 343 387 17:13:01 17:38:23 17:12:55
    >T ID KEY MODE OWNER GROUP CREATOR CGROUP NSEMS OTIME CTIME
    >Semaphores:
    >s 0 0x542 --ra-ra-ra- root other root other 2 17:40:59 17:06:16
    >
    >netstat -n
    >Active UNIX domain sockets
    >Address Type Vnode Conn Local Addr Remote Addr
    >300012713a0 stream-ord 30001314108 00000000 /usr/local/arts/etc/cflowdtable.socket
    >
    >ps -e (which reflects the 3 running services)....
    >
    > 345 pts/1 0:00 cflowd
    > 347 pts/1 0:02 cfdcolle
    > 343 pts/1 0:00 cflowdmu
    >
    >Arts File with 0 byte and never grows...
    ># cd 216.158.230.47
    ># ls -l
    >total 0
    >-rw-r--r-- 1 root other 0 Jul 29 17:13 arts.20020730

    I'll confess up front that I have never touched a Solaris 9 system, so if
    any of my suggestions are laughably bad, that may be why.

    You already did the first thing I was going to suggest - which was use
    snoop to see if the packets were arriving at all. Next thing I
    think you need to resolve is the case of the missing messages.
    cflowd emits console messages when it starts up. The complete
    silence you are hearing makes me think the messages are going into a
    black hole somewhere.

    I suggest you review your /etc/syslog.conf to find out where the local6
    messages are going. I expect that if you figure that out, you'll soon be
    rewarded with some messages that will guide you the rest of the way.

    Drew

    R. Drew Davis, Room MH 2C-264 E-mail: drew@bell-labs.com
    Bell Laboratories Voice: 908-582-7280
    600 Mountain Ave. Fax: 908-582-3340
    Murray Hill, NJ 07974

    Bell Laboratories: The Research & Development Unit of Lucent Technologies.

    _______________________________________________
    Cflowd mailing list
    Cflowd@caida.org
    http://login.caida.org/mailman/listinfo/cflowd
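
The check suggested in the reply above, as an added example that is not part of the original message or of cflowd: a Python function that evaluates syslog.conf selectors and lists where messages for a facility such as `local6` end up at a given level. The sample configuration and the `/var/log/cflowd.log` path are constructed for illustration, and the level at which the daemons log is not stated in the thread, so it is a parameter.

```python
# Added example, not from the thread: list the syslog.conf actions that
# receive a message logged as <facility>.<level>.
SEVERITY = {name: n for n, name in enumerate(
    ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"])}


def routes(conf_text, facility, level):
    """Return (actions, warnings) for one facility.level message."""
    actions, warnings = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            warnings.append(f"line {lineno}: selector without an action")
            continue
        selectors, action = fields
        # Solaris syslog.conf(4) separates selector and action with tabs;
        # flag a space-only gap for review.
        gap = line[len(selectors):len(line) - len(action)]
        if "\t" not in gap:
            warnings.append(f"line {lineno}: no tab before the action")
        threshold = None  # None: this line does not select the facility
        for sel in selectors.split(";"):
            names, _, lvl = sel.rpartition(".")
            if facility in names.split(",") or "*" in names.split(","):
                # The right-most matching selector wins; "none" excludes.
                threshold = None if lvl == "none" else SEVERITY.get(lvl)
        if threshold is not None and SEVERITY[level] <= threshold:
            actions.append(action)
    return actions, warnings


# Constructed sample: only err and worse reach a file for local6.
SAMPLE = (
    "*.err;kern.notice;auth.notice\t\t/dev/sysmsg\n"
    "*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages\n"
    "*.alert;kern.err;daemon.err\t\toperator\n"
    "mail.debug\t\t\t/var/log/syslog\n"
)
# Hypothetical extra line giving local6 its own log file.
FIXED = SAMPLE + "local6.debug\t\t\t/var/log/cflowd.log\n"

if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE), ("fixed", FIXED)):
        for lvl in ("info", "err"):
            found, _ = routes(conf, "local6", lvl)
            print(label, f"local6.{lvl}", "->", found or "not logged")
```

With the constructed sample, `local6.info` matches no line at all, which is the "black hole" case; only the added `local6.debug` line gives those messages a destination.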



    This archive was generated by hypermail 2.1.4 : Mon Jul 29 2002 - 19:28:35 PDT