[HOWTO] Netflow

[justinchudgar]

This never worked for me

Code: Select all

apt-get install -t testing flowscan-cuflow 

I'm looking at the standard and unvirse apt lists and I can't find those anywhere.

Where did you get that?

CuFlow is part of the flow-tools package IIRC.

[joez]

You are my last hope!!

I am running a suse linux 10.3 box and a cisco 3640 router with ios 12.1.

I would like to use flowscan to visualize netflows from the router.

I have EXACTLY followed the howto at http://www.dynamicnetworks.us/netflow. Doublechecked everything three times.

Flow-capture words perfect but I keep getting this damn error message when starting flowscan:

"/var/netflow/ft-v05.2008-04-22.151000+0200: Invalid index in cflowd flow file: 0xCF100103! Version 5 flow-export is required with *all* fields being saved.
2008/04/22 15:15:07 flowscan-1.020 CUFlow: Cflow::find took 0 wallclock secs ( 0.00 usr + 0.00 sys = 0.00 CPU) for 240653 flow file bytes, flow hit ratio: 0/0
2008/04/22 15:15:07 flowscan-1.020 CUFlow: report took 0 wallclock secs ( 0.00 usr 0.00 sys + 0.01 cusr 0.00 csys = 0.01 CPU)"

I have googled around for hours to find possible causes for the problem. All posts refer to cflow-module compiled without proper support for flow-tools. BUT I have exactly followed the howto to make cflow from the contrib Directory of flow-tools. First confiure, make, make install flow-tools and then perl Makefile.PL, make, make install for cflow...

I have tried other flow-tools versions, tried RPM, SRPM, I keep getting this damn error message.

I reconfigured to router with flow source and "peer-as" which I didnt have in the frist place but no change...

How the HELL can I find out what the problem is? Is there any way to test if my cflow module has proper support built in?? Is it possible to test the flow-files somehow to find out why flowscan cant parse them??

I can view them with flow-tools without problem. I have version 5 export, etc...

Please advice!

Kind Regards

[elpiako]

I've succeeded in creating rrds files from netflow files.
Here is my simple configuration of CUFlow.cf :

Subnet 192.168.85.0/24
Network 192.168.168.85.130/32 netflow1
Network 192.168.168.85.131/32 netflow2
Router 192.168.200.100 myrouter

flowscan creates those folder & files :

Folder myrouter with files protocol_multicast.rrd & total.rrd
+ network_netflow1.rrd < seems to be netflow1 trafic
+ network_netflow2.rrd < seems to be netflow2 trafic
+ protocol_multicast.rrd
+ total.rrd < this file seems to be all traffic from netflow files.

I made a test : netflow1 and netflow2 generate some traffic.
When I graph all rrd files in cacti :
- network_netflow1.rrd displays the traffic of netflow1 correctly
- network_netflow2.rrd displays the traffic of netflow2 correctly
- total.rrd displays ALL the traffic (netflow1+netflow2)

But ALL the others display EMPTY graphs.
My question is : what are the other files ??? what does mean "protocol_multicast" ?