Logo

The contents of this legacy page are no longer maintained nor supported, and are made available only for historical purposes.

cflowd configuration: cflowd configuration Next Previous Contents

2. cflowd configuration

cflowd, cflowdmux and the local utilities (cfdases, cfdnets, et. al.) all read configuration information from cflowd.conf. In a standard installation, cflowd.conf will be located in the /usr/local/arts/etc/ directory.

cflowd.conf contains three types of stanzas: an OPTIONS stanza specifying system-wide configuration values, CISCOEXPORTER stanzas specifying configuration values for each Cisco from which we're collecting data, and COLLECTOR stanzas specifying hosts from which we permit cfdcollect connections.

2.1 OPTIONS stanza

The OPTIONS stanza in cflowd.conf is used to set system-wide configuration values for cflowd, cflowdmux and local clients. There should be a single OPTIONS stanza in cflowd.conf, and it should be the first stanza. Following are descriptions of each of the settings in an OPTIONS stanza.

LOGFACILITY (optional)

The LOGFACILITY setting is used to set the syslog facility that will be used by cflowd and cflowdmux for logging. If unspecified, local6 will be used.

TCPCOLLECTPORT (optional)

The TCPCOLLECTPORT setting is used to set the TCP port on which cflowd will listen for connections from cfdcollect. Connections to this port are used for downloading tabular data from cflowd and cause the tabular data in cflowd to be cleared after transmission. Only hosts with a COLLECTOR stanza are permitted to connect to this port and retrieve data. Normally, a single cfdcollect will be running on a COLLECTOR host and be the only program to connect to the TCPCOLLECTPORT.

If TCPCOLLECTPORT is unspecified, a default value of 2056 will be used.

PKTBUFSIZE (optional)

cflowdmux uses a 1 megabyte packet buffer by default, split into 2 toggle buffers in a single shared memory segment. Using the PKTBUFSIZE setting, you may change the default size of the packet buffer shared memory segment. This option is typically used to increase the size of the packet buffer.

TABLESOCKFILE

The TABLESOCKFILE setting specifies the path to the named stream socket on which cflowd will listen for local table client connections. cflowd will accept connections from table clients on this socket. Typical table clients are cfdases, cfdnets, et. al.

FLOWDIR

Specifies the directory in which raw flow files should be stored. This is used when flows is specified in a CISCOEXPORTER stanza.

FLOWFILELEN (optional)

Specifies the length of raw flow files. cflowd will roll over a raw flow file when it reaches this length. cflowd will not truncate a raw flow in a flow file, so it typically writes to some length just below the FLOWFILELEN. If unspecified, a default value of 1048576 (1 megabyte) will be used.

NUMFLOWFILES (optional)

Specifies the number of raw flow files to be user per router. This determines how many raw flow files will be kept by cflowd per router. If unspecified, a default value of 10 will be used.

MINLOGMISSED (optional)

Specifies the threshold at which cflowd will syslog a message about missed flows. cflowd only does this when contacted by cfdcollect. If this value is unspecified, a default value of 300 will be used.

Example

Below is an example OPTIONS stanza. We've specified local6 as the LOGFACILITY, so cflowd and cflowdmux will syslog using this facility. We've specified a TCPCOLLECTPORT of 2056, so cflowd will listen for connections from cfdcollect on TCP port 2056. cflowdmux will listen for raw flow client connections on the named stream socket /usr/local/arts/etc/cflowdmux.socket as specified with RAWFLOWSOCKFILE. cflowd will listen for connections from table clients on the named stream socket /usr/local/arts/etc/cflowdtable.socket as specified with TABLESOCKFILE. cflowd will store raw flow files in the /usr/local/arts/data/cflowd directory if flows are specified in the COLLECT portion of a CISCOEXPORTER stanza. As specified by FLOWFILELEN, cflowd will roll over a raw flow file when it reaches 1000000 bytes. 10 flow files will be kept per router, as specified with NUMFLOWFILES. As specified by MINLOGMISSED, cflowd will syslog a message about missed flows when there are more than 300 flows missed between queries from cfdcollect. 

OPTIONS {
  LOGFACILITY:          local6
  TCPCOLLECTPORT:       2056  
  TABLESOCKFILE:        /usr/local/arts/etc/cflowdtable.socket
  FLOWDIR:              /usr/local/arts/data/cflowd
  FLOWFILELEN:          1000000
  NUMFLOWFILES:         10
  MINLOGMISSED:         300
}

2.2 CISCOEXPORTER stanza

The CISCOEXPORTER stanza is used to specify configuration values for a single Cisco router. There may be more than one CISCOEXPORTER stanza in cflowd.conf, with each corresponding to a Cisco router from which we would like to collect data.

HOST

The HOST setting is used to specify the IP address of the Cisco.

ADDRESSES

The ADDRESSES setting is used to specify the IP addresses of interfaces on the Cisco router. It's possible for flow-export packets to originate from more than one interface on a Cisco router; the ADDRESSES setting lets us specify multiple source addresses from which we'll accept flow-export data for a single Cisco router.

CFDATAPORT

The CFDATAPORT setting is used to specify the UDP port on which cflowdmux should listen for flow-export packets from the Cisco router. This should match whatever you've configured as the flow-export destination port on the Cisco router.

LOCALAS (optional)

The LOCALAS setting is used to specify the local AS of the Cisco router. This value is used when trying to fix 0 values in the source and destination AS fields in flows from version 5 flow-export and in the prefix aggregation flows in version 8 flow-export. If LOCALAS is unspecified, cflowd will not try to fix 0 values in the source and destination AS fields.

SNMPCOMM (optional but recommended)

SNMPCOMM is used to specify the SNMP (v1) community name to be used when retrieving interface descriptions and IP addresses from the router (ifDescr and ipAdEntIfIndex). It should be enclosed in single quotes. Currently we can't handle a community name that contains a single quote, but this will be fixed soon.

COLLECT

The COLLECT setting is used to specify the types of data that should be collected from the flow-export data for the Cisco router. There are several types of data which can be collected:

  • asmatrix - AS matrix (packets and bytes from source ASes to destination ASes)
  • netmatrix - net matrix (packets and bytes from source networks to destination networks)
  • portmatrix - port matrix (packets and bytes from source ports to destination ports)
  • ifmatrix - interface matrix (packets and bytes from input interfaces to output interfaces, by ifIndex)
  • protocol - protocol table (packets and bytes per IP protocol)
  • nexthop - IP nexthop table (packets and bytes per IP nexthop)
  • tos - TOS table (packets and bytes per IP TOS)
  • flows - raw flow data

Example

An example CISCOEXPORTER is shown below. It is for a router with an IP address of 204.212.46.1 (the HOST) that is configured to flow-export to port 2055 (the CFDATAPORT) on the host running cflowd. We specified two addresses for the Cisco router: 204.212.46.1 and 204.212.45.14. These correspond to the IP addresses of different interfaces on the Cisco router. We specified a LOCALAS of 195, corresponding to the local AS of the Cisco router. We used COLLECT to list the types of data which cflowd will collect for the Cisco router using the flow-export data from the router. 


CISCOEXPORTER {
  HOST:         204.212.46.1            #  IP address of Cisco sending data.
  ADDRESSES:    { 204.212.46.1,         #  Addresses of interfaces on Cisco
                  204.212.45.14 }       #    sending data.
  CFDATAPORT:   2055                    #  Port on which to listen for data.
  SNMPCOMM:     'public'
  LOCALAS:      195                     #  Local AS of Cisco sending data.
  COLLECT:      { protocol, ifmatrix, portmatrix, netmatrix, 
                  nexthop, asmatrix, tos, flows }
}

2.3 COLLECTOR stanza

The COLLECTOR stanza is used to hold configuration values for a host running cfdcollect. In a standard configuration, there will only be one or two of these, since a single cfdcollect host is normally used to collect data from all instances of cflowd. However, there may be more than one entry (for example, you may have a hot backup host on which you will run cfdcollect when the primary cfdcollect host is down).

HOST

The HOST setting is used to specify the IP address of the host running cfdcollect.

ADDRESSES

The ADDRESSES setting is used to specify the IP addresses of the host running cfdcollect. cflowd will permit connections from cfdcollect originating from any of the IP addresses in the list.

AUTH

Currently unused.

Example

Below is an example COLLECTOR stanza. This says that we will allow connections from cfdcollect that come from 195.83.243.2 or 195.83.241.9, and we will assume that connections from either of these addresses are from the same host. 


COLLECTOR {                             
  HOST:         195.83.243.2    # IP address of host running cfdcollect
  ADDRESSES:    { 195.83.243.2, 195.83.241.9 }  # other addresses of host
  AUTH:         none
}

Next Previous Contents

Related Objects

See https://catalog.caida.org/software/cflowd/ to explore related objects to this document in the CAIDA Resource Catalog.