[flow-tools] mis-configuration or just mis-reading output?
Richard Vanderwaal
RVanderwaal@groupwise.swin.edu.au
Mon, 03 Jun 2002 16:01:56 +1000
Hi,
I'm relatively new to flow-tools. I have just installed it on a Solaris 2.6 machine and think it is either misconfigured or I am reading the output incorrectly. I have configured our border router, which is a Cisco 7206, to export NetFlow data. The configuration is pasted below but I have changed IP addresses for safe measures:
interface FastEthernet0/0
description To (border) PIX firewall
ip address 192.168.5.213 255.255.255.252
ip route-cache flow
!
interface ATM1/0
description To Internet Microwave Link
no ip address
...
...
!
...
...
...
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 192.168.2.100 8888
OK. Then on my Solaris 2.6 box I run flow-capture:
flow-capture -w /usr/local/flow-tools/data 192.168.2.100/192.168.5.213/8888
I leave it to collect some data for a while, then view some of the data with the following command:
flow-cat -p /usr/local/flow-tools/data/2002/2002-06/ | flow-stat -f9
When I look at the output, the octets field seems rather large. If I'm not wrong, octets is bytes, correct? What I am looking at on my results just doesn't seem to be correct at all if that is the case. For example, and this is just one line from the output, the total amount of bytes is in the gigabytes:
IPaddr flows octets packets
192.168.1.117 165415 882216081258 1971365474
The line above is one of our proxy servers, and so yes there should be a lot of traffic for that address, but I know that it hasn't transferred 882216081258 bytes. But as I said, I may just misunderstand what octets are.
Can anyone clear this up for me? I hope I have provided enough information.
Thanks in advance,
Regards,
Richard.
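The following is an added example, not part of the original mail and not flow-tools' own code. It parses the four-column "IPaddr flows octets packets" layout quoted above, renders the octet count (octets are 8-bit bytes) in readable units, and applies the sanity checks a collector operator would want before trusting a counter: average bytes per packet must lie between an IPv4 header (20 bytes) and the largest possible datagram (65535 bytes), and a host cannot have more flows than packets. It assumes whitespace-separated columns and '#'-prefixed comment lines; both are assumptions about flow-stat output, and the second data line is constructed to show an implausible counter.

```python
# Added example, not from the original post: parse the four-column
# "IPaddr flows octets packets" layout quoted in the mail and sanity-check
# the counters. Assumes whitespace-separated columns and that comment lines
# start with '#'; both are assumptions about flow-stat's real output.
from dataclasses import dataclass
from typing import List

# Constructed sample: the first data line is the one quoted in the post,
# the second is made up to show counters that cannot be right.
SAMPLE = """\
# flow-stat style report (constructed sample)
IPaddr flows octets packets
192.168.1.117 165415 882216081258 1971365474
192.168.1.50 12 60000000 100
"""

# An IPv4 datagram cannot exceed 65535 bytes and cannot be smaller than its
# 20-byte header, so per-packet averages outside this range cannot be real.
MAX_IP_PACKET = 65535
MIN_IP_PACKET = 20


@dataclass
class HostStat:
    ip: str
    flows: int
    octets: int
    packets: int

    @property
    def bytes_per_packet(self) -> float:
        return self.octets / self.packets if self.packets else 0.0


def parse_flow_stat(text: str) -> List[HostStat]:
    """Parse report lines; skips blank lines, '#' comments and the header row."""
    stats: List[HostStat] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # The header row has the same column count but non-numeric counters.
        if len(fields) != 4 or not all(f.isdigit() for f in fields[1:]):
            continue
        ip, flows, octets, packets = fields
        stats.append(HostStat(ip, int(flows), int(octets), int(packets)))
    return stats


def human_bytes(n: int) -> str:
    """Render an octet count in binary units (1 octet = 1 byte)."""
    units = ("B", "KiB", "MiB", "GiB", "TiB")
    value = float(n)
    idx = 0
    while value >= 1024 and idx < len(units) - 1:
        value /= 1024
        idx += 1
    return f"{value:.2f} {units[idx]}"


def implausibilities(stat: HostStat) -> List[str]:
    """Reasons the counters cannot be right; an empty list means they can be."""
    problems: List[str] = []
    if stat.packets == 0 and stat.octets > 0:
        problems.append("octets counted without any packets")
    if stat.packets and stat.bytes_per_packet < MIN_IP_PACKET:
        problems.append("average packet smaller than an IPv4 header")
    if stat.bytes_per_packet > MAX_IP_PACKET:
        problems.append("average packet larger than the maximum IP datagram")
    if stat.flows > stat.packets:
        problems.append("more flows than packets")
    return problems


def report(text: str) -> List[str]:
    """One summary line per host: traffic in readable units plus any doubts."""
    lines: List[str] = []
    for s in parse_flow_stat(text):
        doubts = implausibilities(s)
        verdict = "plausible" if not doubts else "; ".join(doubts)
        lines.append(
            f"{s.ip}: {human_bytes(s.octets)} in {s.packets} packets "
            f"({s.bytes_per_packet:.1f} B/pkt, {s.flows} flows) -> {verdict}"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Run against the line from the post, the checks pass: 882216081258 octets over 1971365474 packets is roughly 447 bytes per packet, a perfectly ordinary average for proxy traffic, so the counter is at least internally consistent and the question becomes how long the collector had been running rather than whether octets means bytes.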