Flowc project
Everything over IP and IP over everything.

FAQ

1. Why is NetFlow traffic accounting information not available for FastEthernet subinterfaces?
2. Why is a UNIX domain socket used for access to traffic counters? How can I get this information remotely?
3. How can I translate an IP address to readable format and vice versa, when binary address storage is used?
4. AS number information is not available.
5. NetFlow traffic accounting does not work on async interfaces?
6. What does the "/dev/null" interface mean in the interface table?
7. My routers' dump files and database grow so rapidly.
8. I have got the "Allignment error for router ..." message after a loader run.
9. What does it mean when an AS number or TCP port number is zero?
10. What is the difference between the "peer-as" and "origin-as" options of the "ip flow-export" command?
11. How do I perform a SELECT from a rotated flows table?



Q1. Why is NetFlow traffic accounting information not available for FastEthernet subinterfaces?
A1. Some IOS versions do not assign SNMP interface numbers to subinterfaces. You can check whether your IOS supports NetFlow traffic accounting on subinterfaces by running the following command:
snmpwalk router community interfaces.ifTable.ifEntry.ifDescr
if you see something like:
...
interfaces.ifTable.ifEntry.ifDescr.2 = FastEthernet0/0
...
interfaces.ifTable.ifEntry.ifDescr.18 = FastEthernet0/0.1
interfaces.ifTable.ifEntry.ifDescr.19 = FastEthernet0/0.2
interfaces.ifTable.ifEntry.ifDescr.20 = FastEthernet0/0.3
interfaces.ifTable.ifEntry.ifDescr.23 = FastEthernet0/0.6
...
then your IOS supports this feature. Otherwise, if you see only:
interfaces.ifTable.ifEntry.ifDescr.2 = FastEthernet0/0
you have to change the IOS version.
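The check above can be applied to saved snmpwalk output; the helper below is an added example, not Flowc code. It parses the ifDescr lines into an index table and reports whether any subinterface of a parent port received its own SNMP index. The sample output is constructed from the lines shown above; the optional STRING: prefix is only there for newer net-snmp output formats.

```python
import re

# Constructed sample of "snmpwalk ... ifDescr" output, based on the FAQ lines.
SAMPLE_WALK = """\
interfaces.ifTable.ifEntry.ifDescr.1 = Serial0/0
interfaces.ifTable.ifEntry.ifDescr.2 = FastEthernet0/0
interfaces.ifTable.ifEntry.ifDescr.18 = FastEthernet0/0.1
interfaces.ifTable.ifEntry.ifDescr.19 = FastEthernet0/0.2
interfaces.ifTable.ifEntry.ifDescr.20 = FastEthernet0/0.3
interfaces.ifTable.ifEntry.ifDescr.23 = FastEthernet0/0.6
"""

# Matches "...ifDescr.<index> = <name>" and the newer "= STRING: <name>" form.
_LINE = re.compile(r'ifDescr\.(\d+)\s*=\s*(?:STRING:\s*)?"?([^"]+?)"?\s*$')


def parse_ifdescr(walk_output):
    """Map SNMP interface index -> ifDescr text from snmpwalk output."""
    table = {}
    for line in walk_output.splitlines():
        m = _LINE.search(line)
        if m:
            table[int(m.group(1))] = m.group(2)
    return table


def subinterfaces_have_index(table, parent):
    """True if at least one subinterface of `parent` (e.g. FastEthernet0/0.1)
    has its own SNMP index, which is what NetFlow needs to attribute traffic
    to the subinterface."""
    return any(d.startswith(parent + ".") for d in table.values())


def missing_subinterfaces(table, configured):
    """Configured subinterface names that have no SNMP index at all; traffic
    on these cannot be attributed to the subinterface by NetFlow."""
    return sorted(set(configured) - set(table.values()))
```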

Q2. Why is a UNIX domain socket used for access to traffic counters? How can I get this information remotely?
A2. A UNIX domain socket is a simpler method than BSD network sockets. inetd can help you get the traffic counter information remotely. For example, the /etc/inetd.conf and /etc/services fragments below may be used to access the traffic counters via TCP port 2050:
/etc/inetd.conf: 
trafcount stream  tcp     nowait     root  /usr/local/cisco/bin/counter counter

/etc/services: trafcount 2050/tcp


Q3. How can I translate an IP address to readable format and vice versa, when binary address storage is used?
A3. Newer MySQL versions have the functions INET_ATON() and INET_NTOA() for IP address manipulation:
mysql> select INET_ATON('193.125.78.1');
+---------------------------+
| INET_ATON('193.125.78.1') |
+---------------------------+
|                3246214657 |
+---------------------------+
1 row in set (0.00 sec)

mysql> select INET_NTOA(3246214657);
+-----------------------+
| INET_NTOA(3246214657) |
+-----------------------+
| 193.125.78.1          |
+-----------------------+
1 row in set (0.00 sec)

mysql>

You can also do the same with an external program:

#!/usr/bin/perl -w
#
# inet_aton.pl - print the 32-bit unsigned integer form of a dotted-quad address
#
use strict;
my @a = split (/\./, $ARGV[0]);      # the four decimal octets
my $aaa = pack ("C4", @a);           # four unsigned bytes in network order
my $bin_addr = unpack ("N", $aaa);   # one big-endian 32-bit unsigned integer
print $bin_addr, "\n";

#!/usr/bin/perl -w
#
# inet_ntoa.pl - print the dotted-quad form of a 32-bit unsigned integer address
#
use strict;
my $xxx = pack ("N", $ARGV[0]);      # integer -> four bytes in network order
my @aaa = unpack ("C4", $xxx);       # the four unsigned octets
print join (".", @aaa), "\n";
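The same conversions in Python, as an added example that is not part of Flowc, with input validation the Perl scripts lack, plus two things the scripts do not show: turning a CIDR prefix into the integer range a BETWEEN clause needs against a binary-stored address column, and a check for the signed-INT overflow that the FAQ's own example address (above 2^31) triggers if the address column is a signed MySQL INT rather than INT UNSIGNED. No flows table column names are assumed.

```python
def inet_aton(dotted):
    """Dotted quad -> 32-bit unsigned integer (network byte order).
    Rejects anything that is not exactly four octets in 0..255."""
    parts = dotted.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError("not a dotted-quad IPv4 address: %r" % dotted)
    n = 0
    for p in parts:
        n = (n << 8) | int(p)
    return n


def inet_ntoa(n):
    """32-bit unsigned integer -> dotted quad."""
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("address out of 32-bit range: %r" % n)
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def cidr_range(cidr):
    """'a.b.c.d/len' -> (low, high) integers covering the prefix, usable as
    'addr BETWEEN low AND high' against a binary address column."""
    addr, _, plen = cidr.partition("/")
    plen = int(plen) if plen else 32
    if not 0 <= plen <= 32:
        raise ValueError("bad prefix length in %r" % cidr)
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    low = inet_aton(addr) & mask
    return low, low | (~mask & 0xFFFFFFFF)


def fits_signed_int(n):
    """False for values above 2**31-1: such addresses (193.125.78.1 from the
    FAQ is one) do not fit a signed MySQL INT column; use INT UNSIGNED."""
    return 0 <= n <= 0x7FFFFFFF
```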


Q4. AS number information is not available.
A4. First of all, BGP must be enabled on your router. If you are interested in source and destination AS numbers (not your BGP peers' AS numbers), you have to configure:
ip flow-export version 5 peer-as
Keep in mind that networks from your own AS are present in the BGP table with an empty AS path (show ip bgp regexp ^$), therefore NetFlow accounting uses AS number zero for your own IP networks.

Q5. NetFlow traffic accounting does not work on async interfaces?
A5. Some IOS releases (all 12.1 IOSes) have a bug in the NetFlow switching code; as a result you get high CPU load and no ability to get information about traffic passed through asynchronous interfaces.


Q6. What does the "/dev/null" interface mean in the interface table?
A6. NetFlow accounting packets whose SNMP_ID interface number does not exist on the router (usually SNMP_ID is zero) are stored in the database with a reference to the /dev/null interface. As a rule, those are packets dropped by the router for some reason (access lists), or packets whose interface (tunnel, subinterface, virtual-access) was created on the router after flowd started.

Q7. My routers' dump files and database grow so rapidly.
A7. Check the dump_interval parameter in flowd.conf. If it is too small, flowd is unable to perform any perceptible traffic aggregation and the dump files grow rapidly. I do not recommend setting it to more than 10 hours, because you will lose precision in the time resolution of the stored traffic, and in case of a sudden crash of the flowd host you will lose all traffic aggregated in RAM. One or two hours is an appropriate dump_interval value for most cases. Specifying filter parameters (src/dst addresses and ports, AS numbers, protocol, direction) in addition to the external interface name in the external_interface parameter is a good idea when you are going to store only some part of the external traffic (e.g. particular clients' traffic). You can reduce the SQL database size if you load only the interesting traffic into the database (see the "load" and "load-only" options in the traffic counter definition).

Q8. I have got the "Allignment error for router ..." message after a loader run.
A8. This means that an incorrect dump file offset is specified in the MySQL database (ROUTERS table, last_file_offset field). This error happens when the ROUTERS.last_file_offset field was manually changed in the database to an incorrect value (one not aligned to a flow record boundary). This is a very serious error: until it is fixed, incorrect data is stored in the database.

Q9. What does it mean when an AS number or TCP port number is zero?
A9. The AS number takes the value zero in two cases: the AS number is not present in the router's BGP table (your router does not have a BGP full view), or the traffic belongs to your local AS, because in the routing table local networks are represented with an empty AS_path attribute (run "show ip bgp ^$" to see it). In the case of TCP connections, a zero TCP port number means the client-side TCP connection port (see TCP port aggregation in the README).

Q10. What is the difference between the "peer-as" and "origin-as" options of the "ip flow-export" command?
A10. If you are going to keep track of the AS numbers of the traffic source or destination, "origin-as" must be used. If you are going to keep track of traffic passed through your BGP peer, for example traffic passed through a connection to an ISP or an Internet traffic exchange point, the "peer-as" option must be used. In the latter case the NetFlow accounting contains your ISP's or Internet exchange point's AS number.

Q11. How do I perform a SELECT from a rotated flows table?
A11. Enclose the table name in backquotes ``. For example: SELECT COUNT(*) FROM `flows-20030405-23:50:01`
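Because a table name cannot be bound as a query parameter, a script that queries rotated tables has to interpolate the name itself; the helper below, an added example that is not part of Flowc, validates the name against the rotation pattern shown above before quoting it, and picks one day's rotated tables out of a SHOW TABLES listing. The listing is constructed; the live table name "flows" is assumed.

```python
import re

# Rotated tables follow the FAQ's example: flows-YYYYMMDD-HH:MM:SS.
# The '-' and ':' make the name an invalid bare identifier, hence the backquotes.
_ROTATED = re.compile(r"^flows-\d{8}-\d{2}:\d{2}:\d{2}$")

# Constructed SHOW TABLES output; "flows" and "routers" are assumed live tables.
SAMPLE_TABLES = [
    "flows",
    "routers",
    "flows-20030405-23:50:01",
    "flows-20030405-11:50:01",
    "flows-20030406-00:10:00",
]


def quote_identifier(name):
    """Backquote a MySQL identifier, doubling any embedded backquote."""
    return "`" + name.replace("`", "``") + "`"


def rotated_flows_count_sql(table):
    """Build 'SELECT COUNT(*) FROM `flows-...`' for one rotated table.
    The name is only interpolated after it matches the rotation pattern, so a
    value taken from a script argument or a form cannot alter the statement."""
    if not _ROTATED.match(table):
        raise ValueError("not a rotated flows table name: %r" % table)
    return "SELECT COUNT(*) FROM %s" % quote_identifier(table)


def rotated_tables_for_day(table_names, yyyymmdd):
    """From a SHOW TABLES listing, pick the rotated tables of one day,
    oldest first. Characters 6..13 of the name are the YYYYMMDD part."""
    return sorted(t for t in table_names
                  if _ROTATED.match(t) and t[6:14] == yyyymmdd)
```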

to be continued ...






  (c) 2003 ICC Web-Team, All rights reserved