[Flow-tools] Empty flow files
Joe Loiacono
jloiacon at csc.com
Mon Apr 20 11:29:14 EDT 2009
For me, flow-capture logs to /var/log/cflowd.log. Looks like cacti is intermediate and sending to the system messages at /var/log/messages?
My typical messages:
Apr 20 15:15:17 dbcollect flow-capture[20686]: remove/2 2009/2009-03/2009-03-29/ft-v07.2009-03-29.234501+0000
Apr 20 15:16:37 dbcollect flow-capture[20686]: ftpdu_seq_check(): src_ip=192.168.16.1 dst_ip=172.16.253.32 d_version=7 expecting=3971473012 received=3971473039 lost=27
Apr 20 15:17:36 dbcollect flow-capture[20662]: remove/2 ./2009/2009-01/2009-01-07/ft-v01.2009-01-07.153000+0000
Apr 20 15:18:00 dbcollect flow-capture[20173]: STAT: now=1240240680 startup=1235616206 src_ip=172.17.100.36 dst_ip=172.16.253.32 d_ver=5 pkts=42903148 flows=1243414628 lost=100678 reset=432 filter_drops=0
Your 'remove' messages are flow-capture doing directory trimming to meet
your requirements of 5M total space. It goes through the motions but
there's no need ( .. 0 files) since you're not close to 5M.
Can you try it completely independently from cacti as a check?
Joe
"Schultz, Brian" <Brian.Schultz at AtlasAir.com>
Sent by: flow-tools-bounces at list.splintered.net
04/18/2009 08:58 AM
To: "Craig Weinhold" <craig.weinhold at cdw.com>
cc: flow-tools at list.splintered.net
Subject: RE: [Flow-tools] Empty flow files
Where can I see the syslog files?
It's not netflow v9, these are older routers
-----Original Message-----
From: Craig Weinhold [mailto:craig.weinhold at cdw.com]
Sent: Fri 4/17/2009 9:53 PM
To: Schultz, Brian
Subject: Re: [Flow-tools] Empty flow files
What does syslog say? flow-tools does a good job of logging errors.
Could the netflow format be v9 ? flow-tools won't understand it.
-Craig
On Fri, 17 Apr 2009, Schultz, Brian wrote:
> I've been trying to get flow-tools to work for the past couple of days but all the flow files seem to be empty. I was using ntop for a little while to test out flow reporting (and it worked) but I think I'm going to move over to Cacti so I can get netflow and snmp all in one place. I'm running this on Ubuntu btw. Any ideas on what I can do?
>
> There aren't any firewall rules to prevent anything
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> I can see all of the incoming flows
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 15:49:23.288138 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
> 15:49:34.283227 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 936
> 15:49:48.290208 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
> 15:49:55.287958 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
> 15:50:02.288658 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
> 15:50:03.288547 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
> 15:50:04.289581 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
> 15:50:07.293188 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
> 15:50:08.325804 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464
>
> I start up flow-capture
> sudo flow-capture -V5 -d7 -E5M -S1 -w /var/flow/ams 0/0/2058
>
> I can see that the port is up but it's not in the listening state if that makes a difference
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
> tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 4400/mysqld
> tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4579/apache2
> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 4887/sshd
> tcp6 0 0 :::22 :::* LISTEN 4887/sshd
> udp 0 0 0.0.0.0:2058 0.0.0.0:* 5131/flow-capture
> udp 0 0 127.0.0.1:161 0.0.0.0:* 4500/snmpd
> udp 0 0 0.0.0.0:68 0.0.0.0:* 3988/dhclient3
> Active UNIX domain sockets (only servers)
> Proto RefCnt Flags Type State I-Node PID/Program name Path
> unix 2 [ ACC ] STREAM LISTENING 13342 4400/mysqld /var/run/mysqld/mysqld.sock
> unix 2 [ ACC ] STREAM LISTENING 13222 4308/dbus-daemon /var/run/dbus/system_bus_socket
>
> I see all of the flow files being created
> Cacti:/var/flow/ams/2009/2009-04/2009-04-17$ ls -l
> total 32
> -rw-r--r-- 1 root root 88 2009-04-17 15:30 ft-v05.2009-04-17.152325-0400
> -rw-r--r-- 1 root root 88 2009-04-17 15:44 ft-v05.2009-04-17.153001-0400
> -rw-r--r-- 1 root root 88 2009-04-17 15:53 ft-v05.2009-04-17.155206-0400
> -rw-r--r-- 1 root root 88 2009-04-17 16:00 ft-v05.2009-04-17.155424-0400
> -rw-r--r-- 1 root root 88 2009-04-17 16:01 ft-v05.2009-04-17.160001-0400
> -rw-r--r-- 1 root root 88 2009-04-17 16:15 ft-v05.2009-04-17.160344-0400
> -rw-r--r-- 1 root root 88 2009-04-17 16:30 ft-v05.2009-04-17.161501-0400
> -rw-r--r-- 1 root root 80 2009-04-17 16:30 tmp-v05.2009-04-17.163001-0400
>
> But there's nothing in them
> flow-print < ft-v05.2009-04-17.152325-0400
> srcIP dstIP prot srcPort dstPort octets packets
>
> not sure what this means but it scrolls by in the message log
> Cacti:~$ tail /var/log/messages
> Apr 17 16:03:52 Cacti flow-capture[5659]: remove/1 0 files
> Apr 17 16:03:52 Cacti flow-capture[5659]: remove/2 0 files
> Apr 17 16:03:53 Cacti flow-capture[5659]: remove/1 0 files
> Apr 17 16:03:53 Cacti flow-capture[5659]: remove/2 0 files
> Apr 17 16:03:54 Cacti flow-capture[5659]: remove/1 0 files
> Apr 17 16:03:54 Cacti flow-capture[5659]: remove/2 0 files
> Apr 17 16:03:55 Cacti flow-capture[5659]: remove/1 0 files
> Apr 17 16:03:55 Cacti flow-capture[5659]: remove/2 0 files
> Apr 17 16:03:56 Cacti flow-capture[5659]: remove/1 0 files
> Apr 17 16:03:56 Cacti flow-capture[5659]: remove/2 0 files
>
> I am running the NIC in promiscuous mode because I can't change the settings on the routers just yet but they're pointed at another VM on my machine. Would this not work because it's not being pointed at flow-tools?
> Ok well I just ran it on the machine that all the flows are pointed to and it's not creating the flow files
> eth0 Link encap:Ethernet HWaddr 00:0c:29:72:d8:d9
> inet addr:172.19.10.24 Bcast:172.19.10.255 Mask:255.255.255.0
> inet6 addr: fe80::20c:29ff:fe72:d8d9/64 Scope:Link
> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:22694 errors:0 dropped:0 overruns:0 frame:0
> TX packets:1597 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:6293072 (6.2 MB) TX bytes:201679 (201.6 KB)
> Interrupt:19 Base address:0x2000
>
_______________________________________________
Flow-tools mailing list
flow-tools at splintered.net
http://mailman.splintered.net/mailman/listinfo/flow-tools
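The situation Brian describes (tcpdump on the promiscuous NIC shows exports addressed to 172.19.10.23:2058 while the host itself is 172.19.10.24 and flow-capture is bound to 0.0.0.0:2058) can be checked mechanically. The Python below is an added example, not code from the thread or the flow-tools project; it assumes tcpdump and `netstat -lnup` output in the shapes quoted above and that the operator supplies the host's own addresses (here taken from the quoted ifconfig).

```python
import re

# Shapes of the lines quoted in the thread: tcpdump UDP summaries and `netstat -lnup` UDP rows.
TCPDUMP_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP, length (\d+)")
NETSTAT_UDP_RE = re.compile(r"^udp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(\d+/\S+)")

def parse_exports(tcpdump_lines):
    """Count UDP datagrams per (dst_ip, dst_port) as seen on the wire."""
    seen = {}
    for line in tcpdump_lines:
        m = TCPDUMP_RE.match(line.strip())
        if m:
            key = (m.group(3), int(m.group(4)))
            seen[key] = seen.get(key, 0) + 1
    return seen

def parse_udp_listeners(netstat_lines):
    """Map (bind_addr, port) -> 'pid/program' for bound UDP sockets."""
    listeners = {}
    for line in netstat_lines:
        m = NETSTAT_UDP_RE.match(line.strip())
        if m:
            listeners[(m.group(1), int(m.group(2)))] = m.group(3)
    return listeners

def diagnose(tcpdump_lines, netstat_lines, local_addrs):
    """Return (dst_ip, dst_port, count, verdict) per export destination."""
    # A UDP socket only gets datagrams addressed to one of the host's own
    # addresses; PROMISC lets tcpdump see other hosts' traffic, not sockets.
    listeners = parse_udp_listeners(netstat_lines)
    report = []
    for (ip, port), count in sorted(parse_exports(tcpdump_lines).items()):
        if ip not in local_addrs:
            verdict = "not-local"
        elif ("0.0.0.0", port) in listeners or (ip, port) in listeners:
            verdict = "deliverable"
        else:
            verdict = "no-listener"
        report.append((ip, port, count, verdict))
    return report

# Sample input copied from the thread: exporter 192.168.1.6 sends to
# 172.19.10.23:2058 while the collector host itself is 172.19.10.24.
SAMPLE_TCPDUMP = [
    "15:49:23.288138 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 1464",
    "15:49:34.283227 IP 192.168.1.6.49866 > 172.19.10.23.2058: UDP, length 936",
]
SAMPLE_NETSTAT = ["udp 0 0 0.0.0.0:2058 0.0.0.0:* 5131/flow-capture"]
LOCAL_ADDRS = {"172.19.10.24", "127.0.0.1"}
```

Run `diagnose(SAMPLE_TCPDUMP, SAMPLE_NETSTAT, LOCAL_ADDRS)` to see the "not-local" verdict for the quoted setup; a collector with no flows and an empty ft-v05 file is a telemetry gap worth alerting on, not just a configuration nuisance.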