I'm having some difficulty getting Netflow working correctly. When I try to run a report on the flows processed, I see zero for all types of protocols, etc. I've been using Robert Galloway's instructions: http://www.dynamicnetworks.us/netflow/netflow-howto.html. I'm using CentOS 4.4, Flow-tools 0.68 and CUFlow.

I've got a Cisco 2651XM with 2 ethernet interfaces. Here's the interesting part of the config from the router:

    interface FastEthernet0/0
     ip address 192.168.104.5 255.255.255.0
     ip route-cache flow
    !
    interface FastEthernet0/1
     ip address 192.168.214.1 255.255.255.0
     ip route-cache flow
    !
    ip flow-export source FastEthernet0/0
    ip flow-export version 5 peer-as

From the router, I can see some flow data:

    IP Flow Switching Cache, 278544 bytes
      11 active, 4085 inactive, 47459 added
      865673 ager polls, 0 flow alloc failures
      Active flows timeout in 1 minutes
      Inactive flows timeout in 15 seconds
    IP Sub Flow Cache, 17032 bytes
      11 active, 1013 inactive, 47459 added, 47459 added to flow
      0 alloc failures, 0 force free
      1 chunk, 1 chunk added
      last clearing of statistics never

The Netflow collector is receiving data. I checked IPtables to see if it was blocking 2055 and it's not.

    [EMAIL PROTECTED] log]# tcpdump -n udp port 2055
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    11:32:12.113683 IP 192.168.104.5.53619 > 10.0.1.13.2055: UDP, length 216
    11:32:24.113694 IP 192.168.104.5.53619 > 10.0.1.13.2055: UDP, length 168
    11:32:44.113757 IP 192.168.104.5.53619 > 10.0.1.13.2055: UDP, length 120
    11:32:59.113931 IP 192.168.104.5.53619 > 10.0.1.13.2055: UDP, length 552

Flow-tools and CUFlow are processing it (although very quickly since there's no data):

    sleep 30...
    sleep 30...
    2007/03/16 11:25:13 working on file /var/netflow/ft-v05.2007-03-16.112000-0400...
    2007/03/16 11:25:13 flowscan-1.020 CUFlow: Cflow::find took 0 wallclock secs ( 0.00 usr + 0.00 sys = 0.00 CPU) for 100 flow file bytes, flow hit ratio: 0/0
    2007/03/16 11:25:13 flowscan-1.020 CUFlow: report took 0 wallclock secs ( 0.00 usr 0.01 sys + 0.00 cusr 0.01 csys = 0.02 CPU)
    sleep 30...
    Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.8.5/HTML/Table.pm line 1684.
    Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.8.5/HTML/Table.pm line 1684.

Here's the output of one of the files showing no data:

    [EMAIL PROTECTED] ft]# flow-cat ft-v05.2007-03-16.113500-0400 | flow-print
    srcIP dstIP prot srcPort dstPort octets packets
    [EMAIL PROTECTED] ft]#

Any ideas of what I can check next?

Thanks,
Kelly
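One check that fits the capture in the post above, as an added example that is not part of the original message: a small NetFlow v5 datagram validator that tests whether a UDP payload length is a 24-byte header plus a whole number of 48-byte records, and decodes the records of a full payload. The function names and the sample datagram are constructed for illustration; real payloads would need to be captured in full rather than at the 96-byte capture size shown in the tcpdump output.

```python
import socket
import struct

# NetFlow v5 export layout: 24-byte header followed by `count` 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30  # upper bound on records per v5 datagram

def records_for_length(udp_len):
    """Record count implied by a UDP payload length, or None if it cannot be v5."""
    body = udp_len - HEADER.size
    if body < RECORD.size or body % RECORD.size:
        return None
    n = body // RECORD.size
    return n if n <= MAX_RECORDS else None

def parse_v5(payload):
    """Validate one export datagram and return its flow records as dicts."""
    if len(payload) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = HEADER.unpack_from(payload)[:2]
    if version != 5:
        raise ValueError(f"export version {version}, expected 5")
    if records_for_length(len(payload)) != count:
        raise ValueError(f"header says {count} records, length says otherwise")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(payload, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "packets": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return flows

def build_sample():
    """Constructed one-record datagram (not captured traffic) for the demo."""
    rec = RECORD.pack(socket.inet_aton("192.168.104.20"),
                      socket.inet_aton("192.168.214.30"), b"\x00" * 4,
                      1, 2, 10, 840, 0, 0, 40000, 80, 0, 0, 6, 0, 0, 0, 24, 24, 0)
    return HEADER.pack(5, 1, 0, 0, 0, 0, 0, 0, 0) + rec

if __name__ == "__main__":
    for n in (216, 168, 120, 552):  # UDP lengths from the tcpdump output above
        print(n, "->", records_for_length(n), "records")
    print(parse_v5(build_sample()))
```

All four lengths in the capture are a valid v5 header plus a whole number of records, so the datagrams are at least shaped like version 5 exports.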
