Capturing V5 flows via flowtools based method, reporting by exporter fails.

2013-07-08
2013-07-09
  • Mike Donnelly

    Mike Donnelly - 2013-07-08

    Problem: Capturing V5 flows via flowtools based method, reporting by exporter fails.

    I have 5 flow-tools based collectors running, capturing V5 data from 5 7200 series devices and storing the data in the /opt/flowdata tree. I leveraged flow-fanout to build a sixth composite collection to run searches across the complete group of routers specified in flowviewer.

    For example, for my 5 devices I process:
    router1 :    port 9990 -->fanout --> flow-capture: 8700 -->   /opt/flowdata/router1/2013/....
                              fanout --> flow-capture:8800   ------------------->  /opt/flowdata/allrouters/2013/...
    router2 :   port 9991 --> fanout --> flow-capture: 8701  -->  /opt/flowdata/router2/2013/....
                              fanout-->  flow-capture:8800 ------------------ --> /opt/flowdata/allrouters/2013/...
    router3 :   port 9992 --> fanout --> flow-capture: 8702  -->  /opt/flowdata/router3/2013/....
                              fanout-->  flow-capture:8800 ---------------------> /opt/flowdata/allrouters/2013/...
    router4 :   port 9993 --> fanout --> flow-capture: 8703  -->  /opt/flowdata/router4/2013/....
                              fanout-->  flow-capture:8800 --------------------> /opt/flowdata/allrouters/2013/...
    router5 :   port 9994 --> fanout --> flow-capture: 8704  -->  /opt/flowdata/router5/2013/....
                              fanout-->  flow-capture:8800 ---------------------> /opt/flowdata/allrouters/2013/...
    

    In flowviewer I have 6 devices defined: allrouters, and routers 1 through 5.

    GOAL: My goal is to efficiently store and search individual router collections or across a predefined group of routers, without storing multiple copies of the flowdata like I’m doing with flow-fanout. The flow-fanout method works but there’s a lot of redundant disk and I/O being chewed up by duplicating every capture.

    It was suggested that I try to use exporters rather than devices in flowviewer to be able to specify a specific exporter or a larger group (device). I found that the flowviewer app was trying to use silk tools to process collections specified by exporter, and to use flowtools tools when searching a specified device. Since all of my collections are flowtools based, using exporters as it is today becomes a problem.

    System Overview:
    Centos 6.4 / Flowtools 0.68 / Flowviewer 4.1 / Apache 2.2.15 / silk 2.5.0 / rrdtool 1.3.8

    Some debugging info :
    Does the collection contain exporter information? Yes

    flow-stat -f27 < allrouters/..../ft-v05.2013-07-08.100000-0400|grep 10.8|awk {'print $1'}

        10.8.118.15
        10.8.118.3 
        10.8.118.10 
        10.8.118.2 
        10.8.118.1
    

    How did you configure the @devices array in the config file:

        @devices                 = ("allrouters") ;
        push(@devices, ("router1","router2","router3","router4","router5")) ;
    

    How did you configure the @exporters array in the config file:

        @exporters               = ("10.8.118.15:router1","10.8.118.3:router2","10.8.118.10:router3","10.8.118.2:router4","10.8.118.1:router5");
    

    Any Ipfix at all? : Nope

        @ipfix_devices           = (""); # for SiLK
    

    Reports by DEVICE allows me to select any of my six ‘devices’ and works as expected in the flowviewer http interface.
    Reports by EXPORTER allows me to select any of the 5 defined exporters above but returns quickly with a blank report.
    I set all debug parameters to “Y” in the config file and retested.
    In the http error log I have the following messages associated with the report attempt:

    [Mon Jul 08 13:28:41 2013] [error] [client 10.53.23.36] rwfilter: Site configuration file not found, referer: http://10.63.18.10/cgi-bin/FlowViewer.cgi?filter_hash=FG_FlowGrapher_save_132642ZR^EEE10.8.118.2
    [Mon Jul 08 13:28:41 2013] [error] [client 10.53.23.36] rwstats: Error processing headers on file 'stdin': Unexpected end of file while reading header, referer: http://10.63.18.10/cgi-bin/FlowViewer.cgi?filter_hash=FG_FlowGrapher_save_132642ZR^EEE10.8.118.2
    

    Flow Grapher fails equally as quickly, but with a bit more noise:

    cat ./cgi-bin/Flow_Working/DEBUG_VIEWER

    In FlowViewer.cgi
    In FlowViewer... filter_hash: FG_FlowGrapher_save_132642ZR^EEE10.8.118.2
    In FlowViewer_Main.cgi
    Using GDBM
    Using NDBM
    Using GDBM  
    Using NDBM
    FORM{device_name}:
    FORM{exporter}: 10.8.118.2
    This device is exporting IPFIX  from:                                to start SiLK                      elapsed seconds: 0.000000  running: 0.000000
    silk_command: /usr/bin/rwfilter --data-rootdir=/opt/flowdata/ --type= --start-date=2013/07/08:11 --end-date=2013/07/08:13 --active=2013/07/08:11:55:00-2013/07/08:12:55:00  --pass=stdout | /usr/bin/rwstats --fields=1,2 --values=Bytes,Packets,Records --no-titles --no-percents --delimited="  " --count=100
    /opt/flowviewer/cgi-bin/Flow_Working/FlowViewer_output_132841>  from: start SiLK    to end SiLK                       elapsed seconds: 0.067418  running: 0.067418
    

    [root@enetnms1 flowviewer]# more ./cgi-bin/Flow_Working/DEBUG_GRAPHER

    In FlowGrapher_Main.cgi
    Using GDBM
    Using NDBM
    FORM{device_name}:
    FORM{exporter}: 10.8.118.15
    This device is exporting IPFIX
    current_year_date: 01/01/2013   current_year_epoch: 1357016400  current_year_dst: 0
    prior_year_date: 01/01/2012     prior_year_epoch: 1325394000    prior_year_dst: 0
    next_year_date: 01/01/2014      next_year_epoch: 1388552400     next_year_dst: 0
    Current Year: 01/01/2013  Epoch: 1357016400  DST: 0
    Start Date:  7/8/2013  Epoch: 1373298900  DST: 1
        start_date: 7/8/2013           start_epoch: 1373298900   start_epoch_dst: 1
        end_date: 7/8/2013             end_epoch: 1373302500     end_epoch_dst: 1
    silk_command: /usr/bin/rwfilter --data-rootdir=/opt/flowdata/ --type= --start-date=2013/07/08:11 --end-date=2013/07/08:13 --active=2013/07/08:11:55:00-2013/07/08:12:55:00  --pass=stdout | /usr/bin/rwcount --bin-size=5 --start-epoch=1373298900 --epoch-slots > /opt/flowviewer/cgi-bin/Flow_Working/FlowGrapher_output_132642
    from: start                          to start SiLK                      elapsed seconds: 0.011950  running: 0.011950
    from: start SiLK                     to end SiLK                        elapsed seconds: 0.008542  running: 0.020492
    from: end SiLK                       to done_FLOWS                      elapsed seconds: 0.014602  running: 0.035094
    from: done_FLOWS                     to create_graph                    elapsed seconds: 0.051755  running: 0.086849    
    done with sort file: /opt/flowviewer/cgi-bin/Flow_Working/FlowGrapher_save_132642ZR
    from: create_graph                   to done                            elapsed seconds: 0.005552  running: 0.092401
    run took: 0 seconds
    

    I have eliminated the fanout from the config and the results are the same. This config example is “slimmed down” for purposes of this post.
    I have 30+ devices in several organizational groups like the one group ‘allrouters’ described above sending to this box.

    Optimally I’d like to dump groups of routers to common ports, search across routers by ‘device’, and search separate devices by ‘exporter’.
    I.e.: web routers to port 9001, core routers to 9002, dist routers to 9003, etc., then get granular with exporters.

    Thanks !

     

    Last edit: Mike Donnelly 2013-07-09
  • Mike Donnelly

    Mike Donnelly - 2013-07-09

    I identified the problem as how I cleared out the @ipfix_devices array.

    BAD:
    @ipfix_devices = ("") ; # for SiLK

    caused FV/FG to handle all exporter requests with silk tools. Commenting out the array or adding a dummy device to the array made it behave again.

    GOOD:
    @ipfix_devices = (" ") ; # for SiLK
    or
    # @ipfix_devices = ("router_silk_1") ; # for SiLK
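
The failure mode reported above, as an added example that is not part of the original posts and is not FlowViewer code: a small pre-flight check that reads configuration text and flags an `@ipfix_devices` list holding an empty string. The sample configuration is constructed from the lines quoted in the thread, the function names are hypothetical, and the `ip:name` check on `@exporters` assumes the entry format shown in the first post.

```python
import ipaddress
import re

# Constructed sample, modelled on the configuration lines quoted in the thread.
SAMPLE_CONFIG = '''
@devices                 = ("allrouters") ;
push(@devices, ("router1","router2")) ;
@exporters               = ("10.8.118.15:router1","10.8.118.3:router2","router3");
@ipfix_devices           = (""); # for SiLK
# @ipfix_devices = ("router_silk_1") ; # for SiLK
'''

# Matches both '@name = (...)' and 'push(@name, (...))'.
ASSIGN = re.compile(r'^\s*(?:push\(\s*)?@(\w+)\s*(?:=|,)\s*\((.*)\)')
QUOTED = re.compile(r'"([^"]*)"')


def parse_arrays(text):
    """Collect the quoted elements of each Perl array; commented-out lines are skipped."""
    arrays = {}
    for line in text.splitlines():
        if line.lstrip().startswith('#'):
            continue
        line = line.split(' #', 1)[0]  # drop a trailing comment
        m = ASSIGN.match(line)
        if m:
            arrays.setdefault(m.group(1), []).extend(QUOTED.findall(m.group(2)))
    return arrays


def lint(text):
    """Return findings for the configuration problem reported in the thread."""
    arrays = parse_arrays(text)
    findings = []
    # ("") is a one-element Perl list holding an empty string, not an empty list.
    if "" in arrays.get("ipfix_devices", []):
        findings.append('ipfix_devices: contains "" (thread: exporter reports go to SiLK)')
    for entry in arrays.get("exporters", []):
        ip, _, name = entry.rpartition(":")  # assumed entry format: ip:name
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            name = ""
        if not name:
            findings.append(f"exporters: {entry!r} is not in ip:name form")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONFIG)))
```
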

     
    • Joe Loiacono

      Joe Loiacono - 2013-07-09

      Thanks for the useful info Mike. I'm fixing this.

      Joe

      From: "Mike Donnelly" mpdsville1@users.sf.net
      To: "[flowviewer:discussion] "
      general@discussion.flowviewer.p.re.sf.net
      Date: 07/09/2013 02:44 PM
      Subject: [flowviewer:discussion] Capturing V5 flows via flowtools
      based method, reporting by exporter fails.

      I identified the problem as how I cleared out the @ipfix_devices array.
      BAD:
      @ipfix_devices = ("") ; # for SiLK
      caused FV/FG to handle all exporter requests with silk tools. Commenting
      out the array or adding a dummy device to the array made it behave again.
      GOOD:
      @ipfix_devices = (" ") ; # for SiLK
      or

      @ipfix_devices = ("router_silk_1") ; # for SiLK

