Comment: Added help for determining if NetFlow packets are arriving at the server.

...

Code Block
/usr/local/opmantek/bin/opflow_purge_raw_files.sh /var/opflow 7
/usr/local/opmantek/bin/opflowd.pl type=purge

 

8. Are NetFlow packets arriving at the server?

You have verified that flowd and opflowd are both running, yet you still have no data on your dashboard. There are several things to check:

8a. Check the flowd logfile to make sure it is growing

Find the logfile by checking the flowd.conf file (probably in /usr/local/etc/flowd.conf), then list the logfile several times and compare its size:

Code Block
ll /data/opflow/flowd
[root@thor opflow]$ ls -l /data/opflow/flowd
-rw------- 1 root root 4900 Oct  7 10:42 flowd
[root@thor opflow]$ ls -l /data/opflow/flowd
-rw------- 1 root root 6800 Oct  7 10:42 flowd
[root@thor opflow]$ ls -l /data/opflow/flowd
-rw------- 1 root root 7600 Oct  7 10:43 flowd

In this example the file is growing, so flows are making it into the server. If they are not, you will see something like this:

Code Block
[root@thor opflow]$ ls -l /data/opflow/flowd
-rw------- 1 root root 0 Feb  7  2013 flowd
[root@thor opflow]$ ls -l /data/opflow/flowd
-rw------- 1 root root 0 Feb  7  2013 flowd

In this case the file is not growing and more investigation is necessary.
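
The check in 8a can be scripted. The following is an added example, not part of opFlow or the original page: it samples the logfile size and reports whether it grew. The function name and the status words are assumptions, and the "stalled" case (a non-empty file that has stopped growing) goes beyond the two cases shown above.

```shell
#!/bin/sh
# Added example (not part of opFlow): automates step 8a by sampling the
# size of the flowd logfile. The function name and status words are
# assumptions made for this sketch; pass the logfile path from your flowd.conf.

# flowd_log_status FILE [INTERVAL_SECONDS] [SAMPLES]
# Prints: missing | growing | empty | stalled
# Returns 0 if the file grew, 1 if it did not, 2 if it cannot be read.
flowd_log_status() (
    file=$1
    interval=${2:-10}
    samples=${3:-3}

    if [ ! -r "$file" ]; then
        echo missing    # wrong path, or not running as the file's owner
        return 2
    fi

    first=$(wc -c <"$file" | tr -d ' ')
    last=$first
    i=1
    while [ "$i" -lt "$samples" ]; do
        sleep "$interval"
        last=$(wc -c <"$file" | tr -d ' ')
        if [ "$last" -gt "$first" ]; then
            echo growing    # flows are being written by flowd
            return 0
        fi
        i=$((i + 1))
    done

    if [ "$last" -eq 0 ]; then
        echo empty      # the 0-byte case: nothing has ever been logged
    else
        echo stalled    # data was logged earlier but has stopped
    fi
    return 1
)

# Run the check when a logfile path is given on the command line.
if [ "$#" -gt 0 ]; then
    flowd_log_status "$@"
fi
```

Run it as the user that owns the logfile (root in the listings above), since the file mode is -rw-------.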

8b. Checking for packets arriving on the interface

Running tcpdump will tell us whether packets are making it to the server:

Code Block
# change/verify the interface (eth0) and port (if you have changed from the default config)
tcpdump -vni eth0 proto \\udp and port 12345

If no packets are arriving, double-check that the firewall configuration will allow them through:

Code Block
iptables -L
 
# Output like this means the packets are allowed through. If your output is
# different, it does not mean they cannot make it through; it simply means you
# will have to take a good look at what your output is telling you.
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If you see no packets arrive using tcpdump and the firewall is not stopping the packets, then you will need to verify the configuration of the node that is sending the NetFlow packets, and that they are going to the correct node/port. One way to check the config on a Cisco device is:

Code Block
router>sh ip flow export
Flow export v9 is enabled for main cache
  Export source and destination details :
  VRF ID : Default
    Destination(1)  192.168.1.7 (12345)
    Destination(2)  192.168.1.42 (12345)
  Version 9 flow records
  25716317 flows exported in 890127 udp datagrams

If that is not the issue, you will need to verify that nothing on your network is filtering the packets and preventing them from arriving at the server.