I have flow-capture working and supposedly collecting data.
File Structure:
/opt/data/netflow/
flow-capture.conf:
-w /opt/data/netflow/MPLS/"router" -z0 -V5 -n 288 -N -1 0/"router"/2000
When looking at the collected netflow files I see the following:
root@cacti:/opt/data/netflow/MPLS/"router"/2011-06-28# ls -l
-rw-r--r-- 1 root root 80 2011-06-28 22:55 ft-v05.2011-06-28.225056-0500
-rw-r--r-- 1 root root 80 2011-06-28 23:00 ft-v05.2011-06-28.225514-0500
-rw-r--r-- 1 root root 80 2011-06-28 23:05 ft-v05.2011-06-28.230013-0500
-rw-r--r-- 1 root root 80 2011-06-28 23:10 ft-v05.2011-06-28.230512-0500
-rw-r--r-- 1 root root 80 2011-06-28 23:15 ft-v05.2011-06-28.231011-0500
-rw-r--r-- 1 root root 80 2011-06-28 23:20 ft-v05.2011-06-28.231510-0500
-rw-r--r-- 1 root root 80 2011-06-28 23:25 ft-v05.2011-06-28.232009-0500
-rw-r--r-- 1 root root 80 2011-06-28 23:30 ft-v05.2011-06-28.232508-0500
-rw-r--r-- 1 root root 80 2011-06-28 23:35 ft-v05.2011-06-28.233006-0500
I am pushing nearly 200Mbps through this router, there is no way I am only collecting 80 bytes worth of data in every 5 minute rotation.
I validated that data is pushed to the cacti server through tcpdump:
root@cacti:~# tcpdump -nnn udp port 2000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
23:39:35.301064 IP router.54084 > cacti-server.2000: UDP, length 1416
23:39:35.301163 IP router.54084 > cacti-server.2000: UDP, length 1416
23:39:35.301219 IP router.54084 > cacti-server.2000: UDP, length 1416
23:39:35.301227 IP router.54084 > cacti-server.2000: UDP, length 1416
23:39:35.301317 IP router.54084 > cacti-server.2000: UDP, length 1416
23:39:35.301363 IP router.54084 > cacti-server.2000: UDP, length 1416
One last question:
What is the point of adding the device into the devices section under "Devices" under the Flow Viewer link other than being able to pull data for the specified device? Or is that its only purpose? It never auto-generates the configurations prior to starting the flow-capture process.
Thoughts definitely appreciated.
Thank you!
[SOLVED] Flow-capture Overwriting ft Files?
Last edited by miko on Wed Jun 29, 2011 3:23 pm, edited 1 time in total.
Re: Flow-capture Overwriting ft Files?
I should also mention that I am running Cacti 0.8.7g, PIA 2.9, and Flowviewer 0.6.
I also have the following configured under Console -> Cacti Settings under "Path":
Flow Tools Binary Path: /usr/bin/
Flow Tools Work Directory: /tmp/
Flows Directory: /opt/data/netflow (I removed the trailing '/')
I also have the same device added in the /etc/flow-tools/flow-capture.conf file in the Devices section under Flow Viewer:
router /MPLS/router/ /YYYY-MM-DD "IP" 2000 NetFlow version 5 0 5 Minutes 1 Year
Thanks again.
Re: Flow-capture Overwriting ft Files?
Yay ... more info:
Looking at the flow-capture files I'm seeing the following:
root@cacti:/opt/data/netflow/MPLS/"router"/2011-06-29# flow-print < ft-v05.2011-06-29.114733-0500
srcIP dstIP prot srcPort dstPort octets packets
No data is written to the file itself.
So the next logical step for me was to have a look at the incoming flows directly from the router right off of the netflow host:
root@cacti:~# flow-receive 0/x.x.x.x/2000
flow-receive: setsockopt(size=4194304)
flow-receive: ftpdu_verify(): src_ip=x.x.x.x failed.
flow-receive: ftpdu_verify(): src_ip=x.x.x.x failed.
In my mind, flow-capture had some sort of permissions issue with specifying the router's IP addie directly, so the next step was to accept netflow data from any host on port 2000/udp:
So I tried the following:
root@cacti:~# flow-receive 0/0/2000
flow-receive: setsockopt(size=4194304)
flow-receive: ftpdu_verify(): src_ip=x.x.x.x failed.
flow-receive: ftpdu_verify(): src_ip=x.x.x.x failed.
A report pulled with flow-cat yields more (obviously) empty results:
root@cacti:~# flow-cat /opt/data/netflow/MPLS/"router"/2011-06-29/ft-v05.2011-06-29.114733-0500 | flow-stat -f0
# --- ---- ---- Report Information --- --- ---
#
# Fields: Total
# Symbols: Disabled
# Sorting: None
# Name: Overall Summary
#
# Args: flow-stat -f0
#
Yes I checked iptables, and it's clear and is accepting all traffic.
I have a feeling the solution will be an easy one.
Re: Flow-capture Overwriting ft Files?
I knew it would be easy to figure out ... sheesh.
Every single one of my routers is using version 5 for netflow statistics. Invoking Murphy's law, the easiest due diligence step was glossed over ... so verifying the router I was using for testing, it was sending flow data using version freaking 9!
Modified the value to 5 and voila ... I now have flow data.
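The mismatch that resolved this thread (exporter on version 9, collector started with -V5) is visible in the first two bytes of every export datagram. The following is an added example, not part of the original posts and not flow-tools code; the function names and the sample payloads are constructed for illustration.

```python
import struct

V5_HEADER_LEN = 24    # version, count, uptime, secs, nsecs, sequence, engine, sampling
V5_RECORD_LEN = 48    # fixed-size v5 flow record
V5_MAX_RECORDS = 30   # most records a v5 datagram carries
V9_HEADER_LEN = 20    # version, count, uptime, secs, sequence, source id


def classify_export(payload: bytes, expected_version: int = 5) -> dict:
    """Read the version/count header fields of one export datagram and report
    whether a collector set up for expected_version should be able to use it."""
    if len(payload) < 4:
        return {"version": None, "count": None, "ok": False,
                "reason": "too short to hold version and count"}
    version, count = struct.unpack("!HH", payload[:4])  # both big-endian u16
    result = {"version": version, "count": count, "ok": False, "reason": ""}
    if version != expected_version:
        result["reason"] = (f"exporter sends v{version}, "
                            f"collector expects v{expected_version}")
    elif version == 5 and not 1 <= count <= V5_MAX_RECORDS:
        result["reason"] = f"v5 record count {count} out of range"
    elif version == 5 and len(payload) != V5_HEADER_LEN + V5_RECORD_LEN * count:
        result["reason"] = "length does not match 24 + 48 * count"
    elif version == 9 and len(payload) < V9_HEADER_LEN:
        result["reason"] = "shorter than the v9 header"
    else:
        result["ok"] = True
        result["reason"] = "header consistent with expected version"
    return result


def sample_v5(count: int) -> bytes:
    """Constructed v5 datagram: zeroed header fields and zeroed records."""
    header = struct.pack("!HHIIIIBBH", 5, count, 0, 0, 0, 0, 0, 0, 0)
    return header + bytes(V5_RECORD_LEN * count)


def sample_v9(count: int) -> bytes:
    """Constructed v9 datagram: zeroed header plus 64 bytes of filler."""
    return struct.pack("!HHIIII", 9, count, 0, 0, 0, 0) + bytes(64)


if __name__ == "__main__":
    for name, pkt in [("v5", sample_v5(2)), ("v9", sample_v9(2)),
                      ("truncated v5", sample_v5(2)[:-10])]:
        print(name, classify_export(pkt))
```

To use it on live traffic, pass `classify_export` the UDP payload of a datagram received on the collector port (2000 in this thread).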