North American Network Operators Group


cflowd and netflow settings

  • From: Dana Hudes
  • Date: Sat Apr 01 20:40:16 2000

Hi folks,
this is an actual operational question, so excuse the interruption in the fiber cut du jour thread.
I have a Cisco 7500 series router with v11.1(CC) code. I have cflowd running on a Dell PIII
system with an IDE hard drive (thankfully fairly large) under RedHat Linux 6.1. cflowd and friends
are compiled with -mcpu=i686.
I have configured a generous cache size of 65535 on the router but it only uses 1024 entries anyway.

show ip cache flow says that:
IP Flow Switching Cache, 69632 bytes
  1002 active, 22 inactive, 3045004972 added
  2253347804 ager polls, 0 flow alloc failures
  Exporting flows to x.x.x.x (2055)
  Exporting using source interface Loopback0
  Version 6 flow records, origin-as
  Active flows timeout in 60 minutes
  3045003952 flows exported in 112978700 udp datagrams, 0 failed
  last clearing of statistics 5d05h

The collector machine is getting hammered on the data collection.
From the log:
Apr  1 20:20:19 plan9 cfdcollect[28872]: [I] wrote data for router 172.16.1.2
Apr  1 20:20:19 plan9 cfdcollect[28872]: [I] connected to localhost:2056
Apr  1 20:20:19 plan9 cflowd[16312]: [I] sent data to 216.70.64.120:1877
Apr  1 20:20:22 plan9 cflowd[29964]: [I] missed 195585 of 220926 flows from 172.16.1.2 engine 0 agg_method 0 (88.5296% loss)
Apr  1 20:20:57 plan9 cfdcollect[28872]: [I] localhost has data for 1 router.
Apr  1 20:20:59 plan9 cfdcollect[28872]: [I] got data for router 172.16.1.2 from localhost
Apr  1 20:20:59 plan9 cfdcollect[28872]: [I] wrote data for router 172.16.1.2
Apr  1 20:20:59 plan9 cfdcollect[28872]: [I] connected to localhost:2056
Apr  1 20:20:59 plan9 cflowd[16315]: [I] sent data to 216.70.64.120:1878
Apr  1 20:21:02 plan9 cflowd[29964]: [I] missed 168234 of 248568 flows from 172.16.1.2 engine 0 agg_method 0 (67.6813% loss)

At this point, cfdcollect is set to minPollInterval of 15
but I still lose data at peak (sure, at 10am on a weekday it's no problem to keep up...)
cflowd is configured for FLOWFILELEN:  2097152 and to keep 70 raw flow files.

I had pretty much the same % loss with 1Mb flow files and only keeping 10.

I'm thinking that perhaps disk I/O is a problem with cfdcollect and cflowd on 1 machine with 1 disk.
Two physical disks (Ultra Wide Fast SCSI) might help keep up.

Thanks
Dana Hudes