Hi !
thanks for all your answers.
I have moved Flow-Tools on a dedicated server now, and it's working better
!
My syslog messages looks like :
Dec 29 12:50:00 localhost flow-capture[9568]: STAT: now=1135857000
startup=1135773029 src_ip=xxx.xxx.xxx.xxx dst_ip=xxx.xxx.xxx.xxx d_ver=7
pkts=272563 flows=7359201 lost=54 reset=2 filter_drops=0
Dec 29 12:55:00 localhost flow-capture[9568]: STAT: now=1135857300
startup=1135773029 src_ip=xxx.xxx.xxx.xxx dst_ip=xxx.xxx.xxx.xxx d_ver=5
pkts=4945 flows=13563 lost=62 reset=0 filter_drops=0
Do you think the lost flow number is too high ?
As you see, I receive flow version 5 from the MSFC and version 7 from the
PFC. I just want to be sure that there is no problem of misunderstanding
with that on the collector. I think it is transparent, isn't it ?
RĂ©mi
[EMAIL PROTECTED]
gton.edu To: Remi PACTAT/fr/[EMAIL
PROTECTED]
cc:
[email protected]
22/12/05 20:25 Subject: Re: [Flow-tools]
Netflow on 7600
On Dec 22, 2005, at 5:09 AM, [EMAIL PROTECTED] wrote:
> Hi there !
>
> I (still) have problems on my Cisco 7600 in Native mode (SUP2 -
> MSFC2 - PFC
> 2). Here is my config :
>
> mls aging long 64
> mls aging normal 32
> mls flow ip interface-full
> mls flow ipx destination
> mls nde sender
> mls nde interface
>
> ip flow-cache timeout active 1
> mls flow ip interface-full
> ip flow-export source Loopback0
> ip flow-export version 5
> ip flow-export destination x.x.x.x 2055
>
>
> and "ip route-cache flow" on 2 interfaces
>
> I'm receiving information on my collector, but those pieces of
> information
> are different to some reliable information I have. (for example the
> collector learn me 125MB of conversation where there was 190MB
> actually)
>
Are you sure you're not dropping some of the flow exports between the
router and the flow-tools server?
You've configured MLS aging to _very_ short times (the minimum in
each case), and this will result in early MLS cache expiration (and
probably higher MLS cache miss ratios). Did you do this because your
MLS cache table was filling up? Also, you're breaking up every flow
into one minute chunks (also the minimum possible configuration),
which means that e.g. a 5 minute conversation must be successfully
exported 5 times in order to be fully collected.
Do you see any export failures/drops in "show ip flow export"? Also,
do you see high numbers of lost flows in the syslog messages that
flow-capture generates when it rolls over? Another thing I'd look at
is if you see high numbers of IP discards or UDP receive errors
(netstat -s on linux) on your flow-tools server.
-alex
*************************************************************************
This message and any attachments (the "message") are confidential and intended
solely for the addressee(s).
Any unauthorised use or dissemination is prohibited. E-mails are susceptible to
alteration.
Neither SOCIETE GENERALE nor any of its subsidiaries or affiliates shall be
liable for the message if altered, changed or
falsified.
************
Ce message et toutes les pieces jointes (ci-apres le "message") sont
confidentiels et etablis a l'intention exclusive de ses
destinataires. Toute utilisation ou diffusion non autorisee est interdite. Tout
message electronique est susceptible d'alteration.
La SOCIETE GENERALE et ses filiales declinent toute responsabilite au titre de
ce message s'il a ete altere, deforme ou falsifie.
*************************************************************************
_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
