Kelly,
 
You haven't listed the router config line where your destination IP and
UDP port are specified. It should be something like:
    ip flow-export destination 10.0.1.13 2055
As you are receiving flows I suspect that is not the problem, however
you may not have configured flow-capture to listen on your chosen UDP
port 2055?
 
Here's my flow-capture start command with your directory and UDP port:
    /usr/local/netflow/bin/flow-capture -N0 -z0 -V7 -n 288 -w /var/netflow/ 0/0/2055
 
If that doesn't work switch to a UDP port > 10000 just in case you're
clashing with another listening UDP port.
 
HTH
 
Cheers
 
Alistair
 
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Reed, Kelly C.
Sent: 16 March 2007 18:13
To: [email protected]
Subject: [Flow-tools] Not seeing any data in the flow tools files


I'm having some difficulty getting Netflow working correctly. When I try
to run a report on the flows processed, I see zero for all types of
protocols, etc. I've been using Robert Galloway's instructions:
<http://www.dynamicnetworks.us/netflow/netflow-howto.html>. I'm using
CentOS 4.4, Flow-tools 0.68 and CUFlow.

I've got a Cisco 2651XM with 2 ethernet interfaces. Here's the
interesting part of the config from the router:

 

interface FastEthernet0/0
 ip address 192.168.104.5 255.255.255.0
 ip route-cache flow
!
interface FastEthernet0/1
 ip address 192.168.214.1 255.255.255.0
 ip route-cache flow
!
ip flow-export source FastEthernet0/0
ip flow-export version 5 peer-as

 

From the router, I can see some flow data:

IP Flow Switching Cache, 278544 bytes
  11 active, 4085 inactive, 47459 added
  865673 ager polls, 0 flow alloc failures
  Active flows timeout in 1 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 17032 bytes
  11 active, 1013 inactive, 47459 added, 47459 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never

 

The Netflow collector is receiving data. I checked IPtables to see if it
was blocking 2055 and it's not.

 

[EMAIL PROTECTED] log]# tcpdump -n udp port 2055
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:32:12.113683 IP 192.168.104.5.53619 > 10.0.1.13.2055: UDP, length 216
11:32:24.113694 IP 192.168.104.5.53619 > 10.0.1.13.2055: UDP, length 168
11:32:44.113757 IP 192.168.104.5.53619 > 10.0.1.13.2055: UDP, length 120
11:32:59.113931 IP 192.168.104.5.53619 > 10.0.1.13.2055: UDP, length 552

 

Flow-tools and CUFlow are processing it (although very quickly since
there's no data):

 

sleep 30...
sleep 30...
2007/03/16 11:25:13 working on file /var/netflow/ft-v05.2007-03-16.112000-0400...
2007/03/16 11:25:13 flowscan-1.020 CUFlow: Cflow::find took  0 wallclock secs ( 0.00 usr +  0.00 sys =  0.00 CPU) for 100 flow file bytes, flow hit ratio: 0/0
2007/03/16 11:25:13 flowscan-1.020 CUFlow: report took  0 wallclock secs ( 0.00 usr  0.01 sys +  0.00 cusr  0.01 csys =  0.02 CPU)
sleep 30...
Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.8.5/HTML/Table.pm line 1684.
Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.8.5/HTML/Table.pm line 1684.

 

Here's the output of one of the files showing no data:

 

[EMAIL PROTECTED] ft]# flow-cat ft-v05.2007-03-16.113500-0400 | flow-print
srcIP            dstIP            prot  srcPort  dstPort  octets      packets
[EMAIL PROTECTED] ft]#

 

 

Any ideas of what I can check next?

Thanks,

Kelly




_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
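
The tcpdump lengths in the original message (216, 168, 120 and 552 bytes) can be checked against the NetFlow v5 datagram layout to confirm the exporter side is well formed before looking at the collector. The following Python is an added example, not part of the thread or of flow-tools; the function names are hypothetical and the sample datagrams are constructed, assuming the standard v5 layout of a 24-byte header followed by up to 30 records of 48 bytes.

```python
import struct

# NetFlow v5 header: version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval (24 bytes).
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD_LEN = 48      # bytes per v5 flow record
V5_MAX_RECORDS = 30     # most records one v5 datagram carries


def v5_records_for_length(udp_len):
    """Record count implied by a UDP payload length, or None if the
    length cannot be a NetFlow v5 export datagram."""
    body = udp_len - V5_HEADER.size
    if body < V5_RECORD_LEN or body % V5_RECORD_LEN:
        return None
    count = body // V5_RECORD_LEN
    return count if count <= V5_MAX_RECORDS else None


def check_v5_datagram(payload):
    """Return (ok, detail) after checking version and count against size."""
    if len(payload) < V5_HEADER.size:
        return False, "datagram shorter than a v5 header"
    version, count, *_ = V5_HEADER.unpack_from(payload)
    if version != 5:
        return False, f"export version {version}, not 5"
    if v5_records_for_length(len(payload)) != count:
        return False, f"header count {count} does not fit length {len(payload)}"
    return True, f"v5, {count} records"


def build_v5(count, version=5):
    """Constructed sample datagram with zeroed records (not real traffic)."""
    header = V5_HEADER.pack(version, count, 0, 0, 0, 0, 0, 0, 0)
    return header + bytes(V5_RECORD_LEN * count)


if __name__ == "__main__":
    # Payload lengths copied from the tcpdump output in the thread.
    for length in (216, 168, 120, 552):
        print(length, "->", v5_records_for_length(length), "records")
    # Constructed datagrams: one well formed, one with a different version.
    print(check_v5_datagram(build_v5(4)))
    print(check_v5_datagram(build_v5(4, version=7)))
```

To run `check_v5_datagram` on live exports, pass it the payload returned by `recvfrom` on a UDP socket bound to the export port while flow-capture is stopped.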
