From: Gilbertson, Derik (DGilbertson@chartercom.com)
Date: Fri Nov 22 2002 - 15:44:27 PST
For some reason, cflowd is not writing the flows to the specified dir in cflowd.conf anymore. I'm using the patch version of cflowd so I can use options '-s 300 -O 0 -m'. It was working for a good 30 minutes or so. But then it just stopped.
I've tried restarting cflowdmux and cflowd multiple times. I've also killed off cflowd and cflowdmux, deleted the socket file, and deleted the 10 raw files in FLOWDIR, which are recreated when cflowd is started back up, except for the socket file.
Without the flows.20000320_16:57:22 being created, FlowScan has nothing to read.
I am receiving data from my router. output from tcpdump is below.
Any ideas? Suggestions would be great.
--- FLOWDIR ---
[root@backup etc]# ls -l /usr/local/flows/data/
total 0
-rw-r--r-- 1 root root 1000000 Nov 22 17:40 172.31.38.34.flows.0
-rw-r--r-- 1 root root 1000000 Nov 22 17:40 172.31.38.34.flows.1
-rw-r--r-- 1 root root 1000000 Nov 22 17:40 172.31.38.34.flows.2
-rw-r--r-- 1 root root 1000000 Nov 22 17:40 172.31.38.34.flows.3
-rw-r--r-- 1 root root 1000000 Nov 22 17:40 172.31.38.34.flows.4
-rw-r--r-- 1 root root 1000000 Nov 22 17:40 172.31.38.34.flows.5
-rw-r--r-- 1 root root 1000000 Nov 22 17:40 172.31.38.34.flows.6
-rw-r--r-- 1 root root 1000000 Nov 22 17:40 172.31.38.34.flows.7
-rw-r--r-- 1 root root 1000000 Nov 22 17:40 172.31.38.34.flows.8
-rw-r--r-- 1 root root 1000000 Nov 22 17:40 172.31.38.34.flows.9
--- cflowd.cf ---
OPTIONS {
LOGFACILITY: local6
TCPCOLLECTPORT: 2056
PKTBUFSIZE: 2097152
TABLESOCKFILE: /usr/local/arts/etc/cflowdtable.socket
FLOWDIR: /usr/local/flows/data
FLOWFILELEN: 1000000
NUMFLOWFILES: 10
MINLOGMISSED: 1000
}
COLLECTOR {
HOST: 24.196.aaa.aaa # IP address of central collector
# ADDRESSES: { 24.196.aaa.aaa }
AUTH: none
}
CISCOEXPORTER {
HOST: 172.31.38.34 # IP address of Cisco sending data.
ADDRESSES: { 12.25.xxx.xxx, 12.25.xxx.xxx, 12.25.xxx.xxx }
# Addresses of interfaces on Cisco sending data.
CFDATAPORT: 2055 # Port on which to listen for data.
SNMPCOMM: 'xxxxxx' # SNMP community name.
LOCALAS: xxxxx # Local AS of Cisco sending data.
COLLECT: { protocol, portmatrix, ifmatrix, nexthop, netmatrix,
asmatrix, tos, flows }
}
--- tcpdump ---
[root@backup etc]# tcpdump port 2055
tcpdump: listening on eth0
18:05:47.562435 fitc-wi-er-1.54041 > server.2055: udp 1464
18:05:47.581939 fitc-wi-er-1.54041 > server.2055: udp 1464
18:05:47.598838 fitc-wi-er-1.54041 > server.2055: udp 1464
18:05:47.615376 fitc-wi-er-1.54041 > server.2055: udp 1464
18:05:47.634266 fitc-wi-er-1.54041 > server.2055: udp 1464
18:05:47.654123 fitc-wi-er-1.54041 > server.2055: udp 1464
18:05:47.667644 fitc-wi-er-1.54041 > server.2055: udp 1464
18:05:47.678294 fitc-wi-er-1.54041 > server.2055: udp 1464
18:05:47.702145 fitc-wi-er-1.54041 > server.2055: udp 1464
18:05:47.721237 fitc-wi-er-1.54041 > server.2055: udp 1464
18:05:47.744926 fitc-wi-er-1.54041 > server.2055: udp 1464
.....
22 packets received by filter
0 packets dropped by kernel
--- syslog ---
Nov 22 17:29:34 backup cflowdmux[30144]: [I] cflowdmux (version cflowd-2-1-b1) started.
Nov 22 17:29:34 backup cflowdmux[30144]: [I] created 2101248 byte packet queue shmem segment {CflowdPacketQueue.cc:247}
Nov 22 17:29:34 backup cflowdmux[30144]: [I] attached to 2101248 byte packet queue at 0x401d4000
Nov 22 17:29:34 backup cflowdmux[30144]: [I] created semaphore: id 131073
...
Nov 22 17:40:47 backup cflowd[30169]: [I] cflowd (version cflowd-2-1-b1) started.
Nov 22 17:40:47 backup cflowd[30169]: [I] got semaphore: id 131073
Nov 22 17:40:47 backup cflowd[30169]: [I] attached to 2101248 byte packet queue at 0x40a71000
~derik gilbertson