Netflow v9 from IOS XR 3.8.1 problem not seeing Bytes

Jan 25th, 2010
I have a problem with NetFlow v9 from IOS XR 3.8.1 not showing byte counts on flows. Can anyone please suggest any NetFlow tools that can work with NetFlow v9, or do I need more configuration on IOS XR?


Thank you very much.


nfdump and scrutinizer.


"Byte" only shows as "44" with nfdump v1.6rc3

[[email protected] NET-ER-12406-A1-1]# nfdump -o "fmt:%ts|%td|%pr|%sa|%sp|%da|%dp|%byt|%in|%out" -r nfcapd.201001220955 | more
Date flow start          Duration Proto      Src IP Addr Src Pt      Dst IP Addr Dst Pt    Bytes  Input Output
2010-01-19 11:59:41.988|    0.006|TCP  |    210.1.60.216|    80| 122.154.25.254| 34804|      44|    16|    24
2010-01-19 11:59:41.991|    0.006|TCP  |  122.154.25.254| 60807|   210.1.60.216|    80|      44|    24|    16
2010-01-19 11:59:41.994|    0.003|TCP  |    210.1.60.216|    80| 122.154.25.254| 60807|      44|    16|    24
2010-01-19 11:59:42.016|    0.006|TCP  |  122.154.25.254| 30949|   210.1.60.216|    80|      44|    24|    16
2010-01-19 11:59:42.019|    0.006|TCP  |    210.1.60.216|    80| 122.154.25.254| 30949|      44|    16|    24
2010-01-19 11:59:42.019|    1.618|TCP  |  122.154.25.254| 62967|    209.17.65.4|    80|      44|    24|    16
2010-01-19 11:59:42.077|   30.828|TCP  |  122.154.25.254| 63205|    72.233.69.5|    80|      44|    24|    16
2010-01-19 11:59:42.077| 9901.263|ICMP |  91.209.226.219|     0| 122.154.25.240|   0.0|      44|    16|    24


IOS XR NetFlow configuration


snmp-server ifindex persist


flow exporter-map FEM-NA
 version v9
  options sampler-table timeout 300
  template timeout 300
  template data timeout 300
  template options timeout 300
 !
 transport udp 9991
 source Loopback0
 destination 10.234.2.110
!
flow monitor-map FMM-NC
 record ipv4
 exporter FEM-NA
 cache permanent
 cache entries 1000000
 cache timeout active 60
 cache timeout inactive 900
 cache timeout update 60
!
sampler-map FSM-NC
 random 1 out-of 1

interface GigabitEthernet0/0/0/0.700
 ipv4 address 10.xxx.xxx.xxx 255.255.254.0
 flow ipv4 monitor FMM-NC sampler FSM-NC ingress
 dot1q vlan 700
!
interface GigabitEthernet0/0/0/0.1701
 vrf INTERNET
 ipv4 address 122.xxx.xxx.xxx 255.255.255.0
 flow ipv4 monitor FMM-NC sampler FSM-NC ingress
 dot1q vlan 1701

Giuseppe Larosa Tue, 02/02/2010 - 06:07
Hello Lacushime,


Start by looking at the flow cache locally on the device and check the export traffic.


Verify whether the local counters are correct and eventually capture an export packet with a protocol analyzer to see how it is made.


Eventually open a Cisco TAC service request to get their help.




Hope to help

Giuseppe
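
Added example (not part of the original thread or any poster's code): a minimal Python decoder for the UDP payload of a captured NetFlow v9 export packet, following RFC 3954, that reports whether the exporter's template carries IN_BYTES (field type 1), at what length, and the value in each record. The function names and the sample packet are constructed for illustration.

```python
import struct

IN_BYTES, IN_PKTS = 1, 2  # NetFlow v9 field type numbers (RFC 3954)

def parse_v9(packet, templates=None):
    """Parse one export packet; return (templates, records).
    templates: {template_id: [(field_type, length), ...]}
    records:   [(template_id, {field_type: int_value})]"""
    templates = {} if templates is None else templates
    if len(packet) < 20 or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 export packet")
    records, off = [], 20                      # v9 header is 20 bytes
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad FlowSet length")
        body, off = packet[off + 4:off + fs_len], off + fs_len
        if fs_id == 0:                         # template FlowSet
            pos = 0
            while pos + 4 <= len(body):
                tid, n = struct.unpack_from("!HH", body, pos)
                if tid < 256 or pos + 4 + 4 * n > len(body):
                    break                      # padding or truncated template
                templates[tid] = [struct.unpack_from("!HH", body, pos + 4 + 4 * i)
                                  for i in range(n)]
                pos += 4 + 4 * n
        elif fs_id >= 256 and fs_id in templates:  # data FlowSet, template known
            fields = templates[fs_id]
            size = sum(length for _, length in fields)
            pos = 0
            while size and pos + size <= len(body):
                rec = {}
                for ftype, length in fields:
                    rec[ftype] = int.from_bytes(body[pos:pos + length], "big")
                    pos += length
                records.append((fs_id, rec))
    return templates, records

def in_bytes_length(templates, tid):
    """Length in bytes of the IN_BYTES field in a template, or None if absent."""
    return dict(templates[tid]).get(IN_BYTES)

# Constructed sample packet (not a capture from the thread): template 260 + one record.
HEADER = struct.pack("!HHIIII", 9, 2, 1000, 1263877181, 1, 0)
TEMPLATE = struct.pack("!HHHH8H", 0, 24, 260, 4, 8, 4, 12, 4, IN_PKTS, 4, IN_BYTES, 4)
DATA = struct.pack("!HH4s4sII", 260, 20, bytes([210, 1, 60, 216]),
                   bytes([122, 154, 25, 254]), 1, 44)
SAMPLE = HEADER + TEMPLATE + DATA
```

Data FlowSets that arrive before their template are skipped, so pass the returned `templates` dict back in when decoding later packets from the same exporter. If the raw IN_BYTES value in the capture already matches what the collector shows, the number originates at the exporter and not in the collector's decoding.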

jakewilson Fri, 02/05/2010 - 04:10
Hello,


Thank you for using Scrutinizer. Please give www.plixer.com a call at +1 (207) 324-8805 x3 and presales support can help you. Also, the latest version of Scrutinizer is v7.5.1.


Jake
