[27959] in North American Network Operators' Group


cflowd and netflow settings

daemon@ATHENA.MIT.EDU (Dana Hudes)
Sat Apr 1 20:39:33 2000

Message-ID: <006801bf9c44$067b0d20$3d5cdcd1@hudes.org>
From: "Dana Hudes" <dhudes@panix.com>
To: <nanog@merit.edu>, <dwm@caida.org>
Date: Sat, 1 Apr 2000 20:37:35 -0500


Hi folks,
This is an actual operational question, so excuse the interruption in the fiber cut du jour thread.
I have a Cisco 7500 series router with v11.1(CC) code. I have cflowd running on a Dell PIII
system with an IDE hard drive (thankfully fairly large) under RedHat Linux 6.1. cflowd and friends
are compiled with -mcpu=i686.
I have configured a generous cache size of 65535 on the router but it only uses 1024 entries anyway.

show ip cache flow says that:
IP Flow Switching Cache, 69632 bytes
  1002 active, 22 inactive, 3045004972 added
  2253347804 ager polls, 0 flow alloc failures
  Exporting flows to x.x.x.x (2055)
  Exporting using source interface Loopback0
  Version 6 flow records, origin-as
  Active flows timeout in 60 minutes
  3045003952 flows exported in 112978700 udp datagrams, 0 failed
  last clearing of statistics 5d05h

The collector machine is getting hammered on the data collection.
From the log:
Apr  1 20:20:19 plan9 cfdcollect[28872]: [I] wrote data for router 172.16.1.2
Apr  1 20:20:19 plan9 cfdcollect[28872]: [I] connected to localhost:2056
Apr  1 20:20:19 plan9 cflowd[16312]: [I] sent data to 216.70.64.120:1877
Apr  1 20:20:22 plan9 cflowd[29964]: [I] missed 195585 of 220926 flows from 172.16.1.2 engine 0 agg_method 0 (88.5296% loss)
Apr  1 20:20:57 plan9 cfdcollect[28872]: [I] localhost has data for 1 router.
Apr  1 20:20:59 plan9 cfdcollect[28872]: [I] got data for router 172.16.1.2 from localhost
Apr  1 20:20:59 plan9 cfdcollect[28872]: [I] wrote data for router 172.16.1.2
Apr  1 20:20:59 plan9 cfdcollect[28872]: [I] connected to localhost:2056
Apr  1 20:20:59 plan9 cflowd[16315]: [I] sent data to 216.70.64.120:1878
Apr  1 20:21:02 plan9 cflowd[29964]: [I] missed 168234 of 248568 flows from 172.16.1.2 engine 0 agg_method 0 (67.6813% loss)

At this point, cfdcollect is set to minPollInterval of 15
but I still lose data at peak (sure, at 10am on a weekday it's no problem to keep up...)
cflowd is configured for FLOWFILELEN: 2097152 and to keep 70 raw flow files.

I had pretty much the same % loss with 1Mb flow files and only keeping 10.

I'm thinking that perhaps disk I/O is a problem with cfdcollect and cflowd on 1 machine with 1 disk.
Two physical disks (Ultra Wide Fast SCSI) might help keep up.

Thanks
Dana Hudes
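
An added example, not part of the original post and not cflowd code: a small parser for the "missed N of M flows" syslog lines quoted above, which totals loss per router and engine so that gaps in flow telemetry can be tracked and alerted on. The sample log is constructed from the lines in the post; the function names and the 1% alert threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the two loss reports from the log above (unwrapped),
# plus one unrelated cfdcollect line that the parser must skip.
SAMPLE_LOG = """\
Apr  1 20:20:19 plan9 cfdcollect[28872]: [I] wrote data for router 172.16.1.2
Apr  1 20:20:22 plan9 cflowd[29964]: [I] missed 195585 of 220926 flows from 172.16.1.2 engine 0 agg_method 0 (88.5296% loss)
Apr  1 20:21:02 plan9 cflowd[29964]: [I] missed 168234 of 248568 flows from 172.16.1.2 engine 0 agg_method 0 (67.6813% loss)
"""

MISSED_RE = re.compile(
    r"cflowd\[\d+\]: \[I\] missed (?P<missed>\d+) of (?P<total>\d+) flows "
    r"from (?P<router>\S+) engine (?P<engine>\d+) agg_method \d+ "
    r"\((?P<pct>[\d.]+)% loss\)"
)

def parse_loss_reports(text):
    """Return one dict per 'missed N of M flows' line; other lines are skipped."""
    reports = []
    for line in text.splitlines():
        m = MISSED_RE.search(line)
        if not m:
            continue
        missed, total = int(m["missed"]), int(m["total"])
        reports.append({
            "router": m["router"], "engine": int(m["engine"]),
            "missed": missed, "total": total,
            "reported_pct": float(m["pct"]),  # value cflowd printed
            "computed_pct": 100.0 * missed / total if total else 0.0,
        })
    return reports

def loss_by_source(reports):
    """Sum missed/total per (router, engine); return cumulative loss in percent."""
    sums = defaultdict(lambda: [0, 0])
    for r in reports:
        key = (r["router"], r["engine"])
        sums[key][0] += r["missed"]
        sums[key][1] += r["total"]
    return {k: 100.0 * m / t for k, (m, t) in sums.items() if t}

def over_threshold(reports, max_loss_pct=1.0):
    """Sources whose cumulative loss exceeds max_loss_pct (assumed threshold)."""
    return sorted(k for k, p in loss_by_source(reports).items() if p > max_loss_pct)

if __name__ == "__main__":
    print(loss_by_source(parse_loss_reports(SAMPLE_LOG)))
```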






