Hiya folks,
With regards to my earlier problem:
This is an extract of /var/log/messages
Apr 24 18:44:52 mekong cflowd[16202]: [E] recv.c:100 recvfrom() returned
928
Apr 24 18:44:52 mekong cflowd[16202]: [E] recv.c:100 recvfrom() returned
1168
Apr 24 18:44:52 mekong cflowd[16202]: [E] recv.c:100 recvfrom() returned
1168
Apr 24 18:44:53 mekong cflowd[16202]: [E] recv.c:100 recvfrom() returned
400
Apr 24 18:44:53 mekong cflowd[16202]: [E] recv.c:100 recvfrom() returned
1168
Apr 24 18:44:54 mekong cflowd[16202]: [E] recv.c:100 recvfrom() returned
208
Apr 24 18:44:54 mekong cflowd[16202]: [E] recv.c:100 recvfrom() returned
1168
Apr 24 18:44:54 mekong cflowd[16202]: [E] recv.c:100 recvfrom() returned
1168
Apr 24 18:44:56 mekong cflowd[16202]: [E] recv.c:100 recvfrom() returned
400
Apr 24 18:44:56 mekong cflowd[16202]: [E] recv.c:100 recvfrom() returned
1168
Apr 24 18:44:56 mekong cflowd[16202]: [E] recv.c:100 recvfrom() returned
1168
Apr 24 18:44:57 mekong cflowd[16202]: [E] recv.c:100 recvfrom() returned
208
And the offending code:
len = recvfrom(sockfd, (char *)flowpdu, sizeof(*flowpdu),0,
(struct sockaddr *)&Saddr,&alen);
if (len < (sizeof(FLOW_PDU_HDR) + (ntohs(flowpdu->header.count) *
sizeof(FLOW_PDU_ENTRY))))
{
syslog(LOG_ERR,"[E] %s:%d recvfrom() returned %d",
__FILE__,__LINE__,len);
return(-1);
}
It was getting the flow data all the time, bit it did not like it.
I am running 11.2.(9)P on which the command:
ip flow-export version 5 origin-as
Does not exist, only the following is there:
ip flow-export dest
Is it a version problem?
Anyway, I commented out the above code and it's collecting stats, I get
a lot of:
Apr 24 18:58:32 mekong cflowd[16687]: [E] cflowd.c:364 missed
2.12341e+07 flows from 193.164.160.114
Apr 24 18:58:32 mekong cflowd[16687]: [E] cflowd.c:364 missed
2.91787e+07 flows from 193.164.160.114
Apr 24 18:58:32 mekong cflowd[16687]: [E] cflowd.c:364 missed
2.07987e+09 flows from 193.164.160.114
But it's collecting something...!
Hiya folks,
With regards to my earlier problem:
This is an extract of /var/log/messages
Apr 24 18:44:52 mekong cflowd[16202]: [E] recv.c:100 recvfrom() returned
928
Apr 24 18:44:52 mekong cflowd[16202]: [E] recv.c:100 recvfrom() returned
1168
<SNIP>
And the offending code:
len = recvfrom(sockfd, (char *)flowpdu, sizeof(*flowpdu),0,
(struct sockaddr *)&Saddr,&alen);
if (len < (sizeof(FLOW_PDU_HDR) + (ntohs(flowpdu->header.count) *
sizeof(FLOW_PDU_ENTRY))))
{
syslog(LOG_ERR,"[E] %s:%d recvfrom() returned %d",
__FILE__,__LINE__,len);
return(-1);
}
Yes, we figured this out too. Se below for a solution
It was getting the flow data all the time, bit it did not like it.
I am running 11.2.(9)P on which the command:
ip flow-export version 5 origin-as
Does not exist, only the following is there:
ip flow-export dest
Is it a version problem?
Yes, it is a version problem. Cflowd only works with version 5 of
cisco flows (without code mods). The approriate config line would
be:
ip flow-export version 5 ...
Unfortunately it looks like this is only in 11.1(?)
bye,
ken emery
ken emery wrote:
> Is it a version problem?
Yes, it is a version problem. Cflowd only works with version 5 of
cisco flows (without code mods). The approriate config line would
be:
ip flow-export version 5 ...
Unfortunately it looks like this is only in 11.1(?)
It sure does, does anybody have an details about what is differant onthe new
version (Version 6?)?
Unfortunately some routers, like the ones that would be good to fun
flow-export need 11.2.9 - arhhh!
Back to the pub 
Leigh Porter <leigh@wisper.net> writes:
[...]
> Unfortunately it looks like this is only in 11.1(?)
It sure does, does anybody have an details about what is differant onthe new
version (Version 6?)?
You need flow export version 5 on your routers to use cflowd. It sure
would be handy if the error message that cflowd printed lead you
believe this instead of that your IP stack is broken somehow.
In addition to version 5 of the export format, newer IOS versions also
let you do good things like expire flows more frequently then 30
minutes (the old default) and set the source address.
Matt Ranney wrote:
Leigh Porter <leigh@wisper.net> writes:
[...]
> > Unfortunately it looks like this is only in 11.1(?)
>
> It sure does, does anybody have an details about what is differant onthe new
> version (Version 6?)?
You need flow export version 5 on your routers to use cflowd. It sure
would be handy if the error message that cflowd printed lead you
believe this instead of that your IP stack is broken somehow.
In addition to version 5 of the export format, newer IOS versions also
let you do good things like expire flows more frequently then 30
minutes (the old default) and set the source address.
It would, on both counts!
Anybody know of an image that wil work with cflowd, has traffic-shaping
and not-to-many-bugs 