hi all!
we are using flow-tools for traffic mediation, currently v5; and are studying the impact of switching to v8.5.
the problem is that when collecting v8.5 we lose 99.99% of the flows (based on data given by flow-header). it's not an i/o or network problem, because if i switch off filtering, i only lose 0.72%, which is ok. as soon as i turn on filtering, it shoots up to 99.99%.
since i've got quite a powerful machine handling this, i believe i'm doing something wrong somewhere, but can't quite put the finger on it. any ideas would be greatly appreciated.
i'm running flow-tools 0.66, with the following command line and filter file:
/usr/local/netflow/bin/flow-capture -f /aggregator/conf/v8-filter -Fto-adsl -V 8.5 -A 3243 -w /servers/capture/ -p /servers/capture/capture.pid -n 96 -R /aggregator/src/parse-cflowd.pl -E 200G 0/0/9991

filter-primitive allowed-exports
  type ip-address
  permit 194.65.12.232
  permit 194.65.12.233
  default deny

filter-primitive negar-mask
  type ip-address-prefix-len
  deny 0
  default permit

filter-primitive negar-privadas
  type ip-address-prefix
  deny 0.0.0.0/8
  deny 10.0.0.0/8
  deny 127.0.0.0/8
  deny 169.254.0.0/16
  deny 172.16.0.0/12
  deny 192.0.2.0/24
  deny 192.168.0.0/16
  deny 198.18.0.0/15
  deny 224.0.0.0/3
  default permit

filter-primitive adsl-prefix
  type ip-address-prefix
  permit 81.193.0.0/16
  permit 213.13.0.0/16
  permit 82.154.0.0/16
  default deny

filter-primitive negar-telepac
  type ip-address-prefix
  deny 194.65.0.0/16
  deny 213.13.0.0/16
  deny 81.193.0.0/16
  deny 82.154.0.0/16
  deny 212.55.128.0/18
  deny 158.162.128.0/18
  default permit

filter-primitive redes-nacionais
  type ip-address-prefix
  deny 213.98.254.0/24
  default permit

filter-definition to-adsl
  match ip-exporter-address allowed-exports
  match ip-source-address negar-privadas
  match ip-source-address negar-telepac
  match ip-source-address redes-nacionais
  match ip-destination-address adsl-prefix
  match ip-source-address-prefix-len negar-mask

the collector machine is a dell poweredge 6650 with the following cpu/ram:
* quad xeon 2.2ghz
* 2gb ram
here is my cisco configuration:

Cisco 12xxx series
IOS (tm) GS Software (GSR-P-M), Version 12.0(25)S2
4 Port ISE Gigabit Ethernet
4 Port ISE Packet Over SONET OC-12c/STM-4

ip flow-export source Loopback0
ip flow-aggregation cache prefix
 export destination 192.168.1.1 9991
 mask destination minimum 32
 enabled

thanks in advance for any insight you can provide.
cheers,
pedro
