[Cflowd] How do I tell if cflowd/cflowdmux are collecting data?
Systems Administrator
sysadmin@sunet.com.au
Thu, 31 Oct 2002 15:46:06 +1100
Hi all. I'm setting up a cflowd setup here, and I've used tcpdump to determine that the cflowd machine is indeed receiving NetFlow packets on the port that cflowdmux is listening on. However, I don't seem to be getting any information out of cflowd. Here's some output to show what I'm getting:
$ flowdump /usr/local/arts/data/cflowd/flows/210.80.157.1.flows.0 -c
matched 0 of 0 flows
$ cfdifmatrix -c /usr/local/etc/cflowd.conf 210.80.157.1
period: 10/31/2002 14:22:23 - 01/01/1970 10:00:00 EST (-17267242 min, -23 sec)
What I'm interested in is:
1. Are there any tools I can use to see if cflowdmux is passing the data to cflowd?
2. Does anyone know a particular reason why I'm getting a period ending at that particular time?
My OPTIONS stanza is set to the defaults. Here are the other stanzas I'm using:
--------------------------------------------------------------------------------
COLLECTOR {
  HOST: 203.166.102.50 # IP address of central collector
  ADDRESSES: { }
  AUTH: none
}
CISCOEXPORTER {
  HOST: 210.80.157.1 # IP address of Cisco sending data.
  ADDRESSES: { 210.80.157.1 } # Addresses of interfaces on Cisco sending data.
  CFDATAPORT: 2055 # Port on which to listen for data.
  SNMPCOMM: 'public' # SNMP community name.
  LOCALAS: 1324 # Local AS of Cisco sending data.
  COLLECT: { protocol, portmatrix, ifmatrix, nexthop, netmatrix,
             asmatrix, tos, flows }
}
--------------------------------------------------------------------------------
Any help would be much appreciated.
Thanks all,
Tim Nelson
Systems Administrator
Sunet Internet
Tel: +61 3 5241 1155
Fax: +61 3 5241 6187
Web: http://www.sunet.com.au/
Email: sysadmin@sunet.com.au