[Nfsen-discuss] nfsen not showing appropriate traffic levels
From: Lemmenes, B. <ble...@us...> - 2006-02-13 19:35:36
Hello all,

I've just started playing with nfsen, and so far I love the interface and the flexibility; however, I don't seem to be seeing all the data the routers are (read: should be) sending.

Here's the basic setup: 3 Cisco 7609's and a 7206. All are configured to export version 5 flows to the nfsen/nfdump host (running on OpenBSD 3.8). Two of the 7609's are sending to the cflowd server as well (different host). ip route-cache flow is enabled on all appropriate interfaces and sampling is NOT enabled.

Attached are three graphs:

Cflowd-ssh.jpg -- an older semi-used cflowd setup, showing just tcp port 22 for a 24 hour period.
Nfsen-ssh.png -- nfsen ssh profile showing just 'tcp and port 22', also for a 24 hour period.
Nfsen-traffic-live.png -- 24 hour live traffic graph from nfsen.

Note the difference in the tcp 22 traffic between nfsen and cflowd. The interesting thing is that the cflowd graph is just from 1 of the 7609's (core01_grr in nfsen), whereas the nfsen graph is a profile including all 4 routers. Our network moves over 500Mb/sec, yet the biggest spike on nfsen is 10meg, and that's from the 7206, which just has a couple of T1's and no upstream.

Here's a breakdown of some steps I've done for testing...

I've tried upgrading to nfdump 1.5 and nfsen 1.2.3... same problem. Then I configured one of the 7609's to send v9 flows... same issue.

By doing very large sized ICMP packets from the routers themselves I'm able to generate several meg of traffic between routers, and that shows up in the graphs -- not these graphs however, as I've re-done the nfsen install since.

An scp of an ISO to a box directly off one of the routers from an Internet host does not show up (on the graphs or in the details text reports), nor do FTP downloads of at least ~2Mb/sec.

Using the details page to show all the flows (host x.x.x.x filter) for a DNS server, it only shows flows with the source of the DNS server. A filter of (dst host x.x.x.x) returns no flows, while looking at 'sh ip cache flow' includes flows with the destination of the same IP.

While there is a disparity between cflowd and nfsen, it seems odd that the 7206 is the only router that appears to be reporting things correctly, and it's a different platform/IOS version than the rest. I'll be talking to Cisco to verify there are no issues with netflow on our release of IOS.

Any thoughts on what I've botched, or is this a Cisco BUG?

Thanks in advance!

Berant Lemmenes
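One way to separate "the router isn't exporting these flows" from "the collector is dropping or mis-filing them" is to capture the raw UDP export stream the router sends (a packet capture on the nfsen host's collector port) and decode it without nfdump in the path. The added example below is not part of nfsen, nfdump or the original post; it decodes NetFlow v5 datagrams using the published Cisco v5 layout (24-byte header, 48-byte records), applies a minimal analogue of the 'tcp and port 22', 'src host' and 'dst host' filters from the message, reads the header's sampling field (sampling was reported as off, so the interval should decode as 0), and checks the flow_sequence counter across consecutive datagrams, since a jump there means export packets were lost before they ever reached the collector. The two datagrams at the bottom are constructed sample data, including a deliberate sequence gap; the helper names are this example's own.

```python
"""Decode NetFlow v5 export datagrams independently of the collector.
Added example; the sample datagrams are constructed, not captured traffic."""
import struct
from ipaddress import IPv4Address

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling")
RECORD_FIELDS = ("src", "dst", "nexthop", "input", "output", "packets", "octets",
                 "first", "last", "srcport", "dstport", "pad1", "tcp_flags",
                 "proto", "tos", "src_as", "dst_as", "src_mask", "dst_mask", "pad2")
PROTO = {"icmp": 1, "tcp": 6, "udp": 17}


def parse_v5(datagram):
    """Return (header, records) for one v5 export datagram; reject malformed input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    hdr = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(datagram, 0)))
    if hdr["version"] != 5:
        raise ValueError(f"not NetFlow v5 (version={hdr['version']})")
    expected_len = V5_HEADER.size + hdr["count"] * V5_RECORD.size
    if not 1 <= hdr["count"] <= 30 or len(datagram) != expected_len:
        raise ValueError("record count does not match datagram length")
    # sampling field: top 2 bits are the mode, low 14 bits the interval (0 = no sampling)
    hdr["sampling_mode"] = hdr["sampling"] >> 14
    hdr["sampling_interval"] = hdr["sampling"] & 0x3FFF
    records = []
    for i in range(hdr["count"]):
        raw = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for key in ("src", "dst", "nexthop"):
            rec[key] = str(IPv4Address(rec[key]))
        records.append(rec)
    return hdr, records


def select(records, src=None, dst=None, proto=None, port=None):
    """Minimal analogue of nfdump filters like 'dst host X' or 'tcp and port 22'."""
    proto_num = PROTO.get(proto, proto)
    return [r for r in records
            if (src is None or r["src"] == src)
            and (dst is None or r["dst"] == dst)
            and (proto_num is None or r["proto"] == proto_num)
            and (port is None or port in (r["srcport"], r["dstport"]))]


def sequence_gaps(datagrams):
    """flow_sequence is the cumulative number of flows exported before this datagram,
    per engine; the next datagram from that engine should start at sequence + count."""
    gaps, expected = [], {}
    for d in datagrams:
        hdr, _ = parse_v5(d)
        engine = (hdr["engine_type"], hdr["engine_id"])
        if engine in expected and hdr["flow_sequence"] != expected[engine]:
            gaps.append((expected[engine], hdr["flow_sequence"]))
        expected[engine] = hdr["flow_sequence"] + hdr["count"]
    return gaps


def summarize(datagrams):
    """Byte and flow counts for the filters discussed in the message."""
    recs = [r for d in datagrams for r in parse_v5(d)[1]]
    return {
        "tcp port 22 octets": sum(r["octets"] for r in select(recs, proto="tcp", port=22)),
        "src host 192.0.2.53 flows": len(select(recs, src="192.0.2.53")),
        "dst host 192.0.2.53 flows": len(select(recs, dst="192.0.2.53")),
    }


# --- constructed sample data (hypothetical addresses from documentation ranges) ---
def make_record(src, dst, proto, sport, dport, packets, octets):
    return V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4,
                          1, 2, packets, octets, 1000, 2000, sport, dport,
                          0, 0x18, proto, 0, 0, 0, 24, 24, 0)


def make_datagram(seq, records, sampling=0):
    return V5_HEADER.pack(5, len(records), 60000, 1139859336, 0, seq, 0, 0, sampling) + b"".join(records)


SAMPLE = [
    make_datagram(0, [
        make_record("192.0.2.53", "198.51.100.7", 17, 53, 40123, 1, 240),        # DNS reply
        make_record("198.51.100.7", "192.0.2.53", 17, 40123, 53, 1, 72),         # DNS query
        make_record("203.0.113.9", "198.51.100.20", 6, 51234, 22, 40000, 50_000_000),  # scp in
    ]),
    # flow_sequence 5 instead of 3: two exported flows never reached the collector
    make_datagram(5, [make_record("198.51.100.20", "203.0.113.9", 6, 22, 51234, 20000, 1_200_000)]),
]

if __name__ == "__main__":
    hdr, _ = parse_v5(SAMPLE[0])
    print("sampling mode/interval:", hdr["sampling_mode"], hdr["sampling_interval"])
    print(summarize(SAMPLE))
    print("sequence gaps (expected, seen):", sequence_gaps(SAMPLE))
```

If the decoded stream already lacks the inbound flows (no records with the DNS server as dst, no bytes on tcp/22) the exporter is at fault; if they are present on the wire but absent from the nfsen reports, the problem is on the collector side. Sequence gaps point to export loss between router and collector (UDP drops, rate limiting, or a busy collector host).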