This chapter tells you how to start the NetFlow FlowCollector application and interpret the output file format from the data collected.
Before you start the NetFlow FlowCollector application you must have performed the tasks listed in Table 4-1.
| Step | Described in Chapter | In Section Entitled |
|---|---|---|
| Step 1--Install the NetFlow FlowCollector program files | Installing and Setting Up the NetFlow FlowCollector | Installing the NetFlow FlowCollector, in Installing and Setting Up the NetFlow FlowCollector |
| Step 2--Enable NetFlow Switching and data export on the routers | Configuring the NetFlow FlowCollector | Setting Up Environment Variables, in Installing and Setting Up the NetFlow FlowCollector, and Setting Up Protocols and Ports, in Configuring the NetFlow FlowCollector |
| Step 3--Configure the NetFlow FlowCollector program files | Installing and Setting Up the NetFlow FlowCollector | Setting Up Environment Variables, in Installing and Setting Up the NetFlow FlowCollector, and Setting Up Protocols and Ports, in Configuring the NetFlow FlowCollector |
| Step 4--Define aggregation schemes and filters | Configuring the NetFlow FlowCollector | Defining Aggregation Schemes and Filters, in Configuring the NetFlow FlowCollector |
The FlowCollector application user interface allows you to view the application statistics and get/set configuration parameters. To start the user interface on a local workstation, enter
You also have the option of executing the user interface remotely from another workstation on the network. To do so enter
Where:
<ip-address> is the location where the FlowCollector application is running.
<port> is the port where NFCD is listening (default is 8550).
Once you start the FlowCollector application, the application begins to collect data based on your aggregation schemes. The output file names are in one of the following formats. The format used depends on the information specified in the nf.resources file.
The short form is the default file name format. To specify the long form as the default, edit the nf.resources file and set the LONG_OUTPUTFILE_SUFFIX label to YES.
The following is an example of a short form output filename:
```text
gw-server.1530
```
The following is an example of a long form output file name:
```text
gw-server_1996_03_15.1530
```
Table 4-2 describes the fields of the long form output filename format.
| Field | Description |
|---|---|
| router-name | The domain name system (DNS) name of the router that is the source of the data. If the DNS name is not available, the router's IP address is used. |
| yyyy_mm_dd | Date in year, month, and day format. |
| hhmm | File creation time (hours and minutes), expressed in the configured time zone (local or GMT). |
For information on the directory structure used to store the output files, refer to the "Directory Structure" section in this chapter. For a description of the output file contents and several examples of output files, refer to the "Output File Format" section.
If you specified a directory path (as the DataSetPath) for a thread, the output files are stored underneath that directory. The standard path is /opt/CSCOnfc/Data. If the DataSetPath does not specify a directory, or the directory is not writable, $NFC_DIR is used. Starting with the root directory in DataSetPath (see Figure 4-1), a directory is created for each day (for example 1997_06_02). Under the date directory, a subdirectory is created for each router (for example, R1), and under the router, there is a subdirectory for each aggregation scheme (for example, SourcePort). The output files are stored under the aggregation scheme subdirectory in one of the output filename formats (long or short form output filename).
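The naming and directory rules above, as an added example that is not part of the original chapter or of the FlowCollector product: a Python helper that parses short- and long-form output file names and rebuilds the DataSetPath/date/router/scheme path the text describes, including the fallback to $NFC_DIR when DataSetPath is unset or not writable. The separator in front of the PARTIAL suffix and the injectable `writable` hook are assumptions, as is the `output_file_path` function name.

```python
import os
import posixpath
import re
from dataclasses import dataclass
from datetime import date
from typing import Callable, Optional

# Name layouts from the chapter: short form "router.hhmm" (e.g. gw-server.1530),
# long form "router_yyyy_mm_dd.hhmm" (e.g. gw-server_1996_03_15.1530). A file
# flushed when the collector is signalled to exit carries the keyword PARTIAL
# as a suffix; the chapter does not show the separator, so ".", "_", "-" or
# none are accepted here (assumption).
_NAME_RE = re.compile(
    r"^(?P<router>.+?)"
    r"(?:_(?P<yyyy>\d{4})_(?P<mm>\d{2})_(?P<dd>\d{2}))?"
    r"\.(?P<hhmm>\d{4})"
    r"(?P<partial>[._-]?PARTIAL)?$"
)


@dataclass
class OutputFileName:
    router: str            # DNS name, or IP address when no DNS name was available
    hhmm: str              # file creation time in the configured zone (local/GMT)
    day: Optional[date]    # present only in the long form
    partial: bool          # True when the collector wrote the file at exit

    @property
    def long_form(self) -> bool:
        return self.day is not None


def parse_output_filename(name: str) -> OutputFileName:
    """Split a short- or long-form output file name into its fields."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a FlowCollector output file name: {name!r}")
    day = None
    if m.group("yyyy"):
        day = date(int(m.group("yyyy")), int(m.group("mm")), int(m.group("dd")))
    return OutputFileName(router=m.group("router"), hhmm=m.group("hhmm"),
                          day=day, partial=m.group("partial") is not None)


def _dir_is_writable(path: str) -> bool:
    return os.path.isdir(path) and os.access(path, os.W_OK)


def output_file_path(router: str, scheme: str, day: date, hhmm: str,
                     dataset_path: Optional[str] = "/opt/CSCOnfc/Data",
                     long_form: bool = False,
                     nfc_dir: Optional[str] = None,
                     writable: Callable[[str], bool] = _dir_is_writable) -> str:
    """Return <root>/<yyyy_mm_dd>/<router>/<scheme>/<file name>.

    root is the thread's DataSetPath; when that is unset or not writable the
    collector falls back to $NFC_DIR. `writable` is injectable (assumption)
    so the fallback can be exercised without touching the real filesystem.
    """
    root = dataset_path if (dataset_path and writable(dataset_path)) \
        else (nfc_dir or os.environ.get("NFC_DIR"))
    if not root:
        raise ValueError("DataSetPath unusable and NFC_DIR is not set")
    day_dir = day.strftime("%Y_%m_%d")
    name = f"{router}_{day_dir}.{hhmm}" if long_form else f"{router}.{hhmm}"
    return posixpath.join(root, day_dir, router, scheme, name)


if __name__ == "__main__":
    parsed = parse_output_filename("R1_1997_06_02.1530")
    print(output_file_path(parsed.router, "SourcePort", parsed.day, parsed.hhmm,
                           writable=lambda p: True))
```

Parsing the file name rather than trusting the directory it was found in lets a collector-side ingest job detect PARTIAL files (whose counts cover less than a full period) before they are merged with complete ones.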

The output file contains a header and the aggregated data. The header consists of the sender router's DNS name (or IP address), the type of protocol configured at the router ("IP" for now), the name of the aggregation scheme, the period of aggregation, and two coordinated universal time (UTC) time stamps that delimit the collection interval. The data consists of rows of key-value pairs. Each key is the observed IP address, IP address pair, interface, port number, protocol name, and so forth, and the value is the corresponding count of packets, octets, or flows appropriate to the aggregation scheme in use. Specifically, the header (see below for the CallRecord scheme) is
```text
ROUTER <router-DNS-name>|Type <type>|AGGREGATION <aggregation_scheme>|PERIOD <period>|UTC_Begin <time>|UTC_End <time>
```
Where data appears as <key> | <value>, defined in Table 3-2.
Keys of some aggregation schemes consist of more than one field, and value always contains more than one field. In the output, these are separated from each other by a vertical bar ( | ) with no space before or after. You can optionally set the delimiter to a comma ( , ) with no space before or after (CSV_FORMAT in nf.resources file).
The application may have data in its internal aggregation buffer(s) when it is signaled to exit. It writes the data into output file(s) and exits. However, it generates and marks the output files differently in this event. The output file name has as a suffix the keyword "PARTIAL," and the period in the header is written as "PARTIAL."
Example:
The call record aggregation scheme uses the following header:
```text
DCE <router ID>|TYPE <type>|PERIOD <period>|STARTTIME <time>|ENDTIME <time>
```
The above fields map to those of the header for other aggregation schemes. TYPE is currently "NFIP," denoting a NetFlow-generated call record for IP traffic. The <key> is
```text
srcaddr+dstaddr+srcport+dstport+protocol+tos
```
The <value> is
```text
packets+bytes+flows+firstFlowStamp+lastFlowStamp+totalActiveTime
```
The firstFlowStamp (lastFlowStamp) is measured in UTC seconds and indicates when the first (last) packet was received.
The totalActiveTime is defined as the sum of (Last - First) time stamps of each flow that is represented in this record, and is in milliseconds. For example:
```text
DCE 171.69.8.131|TYPE NFIP|PERIOD 1|STARTTIME 861605997|ENDTIME 861606057
171.69.1.17|172.23.34.36|2963|6000|6|114|2|176|1|768550628|768550628|534644
171.69.1.232|171.69.250.133|Others|Others|nfs-udpserver|0|3|172|1|768520516|768520520|529372
:
```
```text
first six CallRecord fields
--------------------------------------------------------
36.190.0.210|131.120.50.210|80|Others|www-tcp-server|160|
```
Where:
source IP is 36.190.0.210
dest IP is 131.120.50.210
src port is 80
dst port is Others
protocol is www-tcp-server
tos is 160
```text
last six call record fields
--------------------------------------------------------
103|43991|3|865521515|865521559|117768
```
Where:
pkts is 103
bytes is 43991
number of flows is 3
first flow is 865521515
last flow is 865521559
active time is 117768
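The CallRecord header, key and value layout described above, together with the delimiter and PARTIAL rules from the output file format discussion, as an added example that is not part of the original chapter or of the FlowCollector product: a Python parser for a CallRecord output file plus the sanity checks a practitioner would run before trusting the records for correlation. The embedded sample is the chapter's own example file; the function names, the `|`-or-`,` delimiter detection and the specific checks are assumptions. Note that in the chapter's sample the flow stamps (768550628 and so on) fall outside the STARTTIME..ENDTIME interval, which the checker reports.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Field layouts from the chapter: CallRecord <key> and <value> fields, in order.
KEY_FIELDS = ("srcaddr", "dstaddr", "srcport", "dstport", "protocol", "tos")
VALUE_FIELDS = ("packets", "bytes", "flows", "firstFlowStamp",
                "lastFlowStamp", "totalActiveTime")
HEADER_FIELDS = ("DCE", "TYPE", "PERIOD", "STARTTIME", "ENDTIME")


@dataclass
class CallRecordFile:
    router: str
    type: str
    period: str          # period number, or "PARTIAL" for a file written at exit
    start_time: int      # STARTTIME, UTC seconds
    end_time: int        # ENDTIME, UTC seconds
    records: List[Dict[str, object]] = field(default_factory=list)

    @property
    def partial(self) -> bool:
        return self.period == "PARTIAL"


def _delimiter(header: str) -> str:
    # Fields are separated by "|" by default, or by "," when CSV_FORMAT is set
    # in nf.resources (detection by inspecting the header is an assumption).
    return "," if "," in header and "|" not in header else "|"


def parse_callrecord_file(text: str) -> CallRecordFile:
    """Parse one CallRecord output file into a header object and typed records."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and ln.strip() != ":"]
    if not lines:
        raise ValueError("empty output file")
    delim = _delimiter(lines[0])
    header: Dict[str, str] = {}
    for token in lines[0].split(delim):
        name, _, value = token.strip().partition(" ")
        header[name] = value.strip()
    missing = [f for f in HEADER_FIELDS if f not in header]
    if missing:
        raise ValueError(f"header missing {missing}")
    cf = CallRecordFile(router=header["DCE"], type=header["TYPE"], period=header["PERIOD"],
                        start_time=int(header["STARTTIME"]), end_time=int(header["ENDTIME"]))
    width = len(KEY_FIELDS) + len(VALUE_FIELDS)
    for lineno, ln in enumerate(lines[1:], start=2):
        parts = ln.split(delim)
        if len(parts) != width:
            raise ValueError(f"line {lineno}: expected {width} fields, got {len(parts)}")
        # Key fields stay strings: ports and protocols may be names such as "Others".
        rec: Dict[str, object] = dict(zip(KEY_FIELDS, parts[:len(KEY_FIELDS)]))
        for name, raw in zip(VALUE_FIELDS, parts[len(KEY_FIELDS):]):
            try:
                rec[name] = int(raw)
            except ValueError:
                raise ValueError(f"line {lineno}: {name} is not an integer: {raw!r}") from None
        cf.records.append(rec)
    return cf


def check_records(cf: CallRecordFile) -> List[str]:
    """Return human-readable warnings about data that should not be trusted blindly."""
    warnings: List[str] = []
    if cf.type != "NFIP":
        warnings.append(f"unexpected TYPE {cf.type!r}")
    if cf.partial:
        warnings.append("PARTIAL file: the collector exited before the period ended")
    for i, r in enumerate(cf.records, start=1):
        if r["lastFlowStamp"] < r["firstFlowStamp"]:
            warnings.append(f"record {i}: lastFlowStamp precedes firstFlowStamp")
        if r["flows"] < 1 or r["packets"] < 1:
            warnings.append(f"record {i}: zero flows or packets")
        if not (cf.start_time <= r["firstFlowStamp"] and r["lastFlowStamp"] <= cf.end_time):
            warnings.append(f"record {i}: flow stamps fall outside STARTTIME..ENDTIME")
    return warnings


def totals(cf: CallRecordFile) -> Dict[str, int]:
    """Sum packets, bytes and flows over all records in the file."""
    return {name: sum(r[name] for r in cf.records) for name in ("packets", "bytes", "flows")}


# The chapter's own example file (the trailing ":" continuation marker dropped).
SAMPLE = """DCE 171.69.8.131|TYPE NFIP|PERIOD 1|STARTTIME 861605997|ENDTIME 861606057
171.69.1.17|172.23.34.36|2963|6000|6|114|2|176|1|768550628|768550628|534644
171.69.1.232|171.69.250.133|Others|Others|nfs-udpserver|0|3|172|1|768520516|768520520|529372
"""

if __name__ == "__main__":
    parsed = parse_callrecord_file(SAMPLE)
    print(parsed.router, parsed.period, totals(parsed))
    for w in check_records(parsed):
        print("warning:", w)
```

The interval check matters when these records are joined with other log sources: a router whose flow stamps disagree with the collector's STARTTIME and ENDTIME will produce misleading timelines unless the clock offset is accounted for first.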