Netflow v9 from IOS XR 3.8.1 problem not seeing Bytes

Unanswered Question
Jan 25th, 2010

I have a problem with NetFlow v9 from IOS XR 3.8.1 not showing byte counts on flows. Can anyone please suggest any NetFlow tools that can work with NetFlow v9, or do I need more configuration on IOS XR?

Thank you very much.

nfdump and scrutinizer.

"Byte" only shows as "44" with nfdump v1.6rc3

[[email protected] NET-ER-12406-A1-1]# nfdump -o "fmt:%ts|%td|%pr|%sa|%sp|%da|%dp|%byt|%in|%out" -r nfcapd.201001220955 | more
Date flow start          Duration Proto      Src IP Addr Src Pt      Dst IP Addr Dst Pt    Bytes  Input Output
2010-01-19 11:59:41.988|    0.006|TCP  |    210.1.60.216|    80| 122.154.25.254| 34804|      44|    16|    24
2010-01-19 11:59:41.991|    0.006|TCP  |  122.154.25.254| 60807|   210.1.60.216|    80|      44|    24|    16
2010-01-19 11:59:41.994|    0.003|TCP  |    210.1.60.216|    80| 122.154.25.254| 60807|      44|    16|    24
2010-01-19 11:59:42.016|    0.006|TCP  |  122.154.25.254| 30949|   210.1.60.216|    80|      44|    24|    16
2010-01-19 11:59:42.019|    0.006|TCP  |    210.1.60.216|    80| 122.154.25.254| 30949|      44|    16|    24
2010-01-19 11:59:42.019|    1.618|TCP  |  122.154.25.254| 62967|    209.17.65.4|    80|      44|    24|    16
2010-01-19 11:59:42.077|   30.828|TCP  |  122.154.25.254| 63205|    72.233.69.5|    80|      44|    24|    16
2010-01-19 11:59:42.077| 9901.263|ICMP |  91.209.226.219|     0| 122.154.25.240|   0.0|      44|    16|    24

IOS XR NetFlow configuration


snmp-server ifindex persist

flow exporter-map FEM-NA
 version v9
  options sampler-table timeout 300
  template timeout 300
  template data timeout 300
  template options timeout 300
 !
 transport udp 9991
 source Loopback0
 destination 10.234.2.110
!
flow monitor-map FMM-NC
 record ipv4
 exporter FEM-NA
 cache permanent
 cache entries 1000000
 cache timeout active 60
 cache timeout inactive 900
 cache timeout update 60
!
sampler-map FSM-NC
 random 1 out-of 1

interface GigabitEthernet0/0/0/0.700
 ipv4 address 10.xxx.xxx.xxx 255.255.254.0
 flow ipv4 monitor FMM-NC sampler FSM-NC ingress
 dot1q vlan 700
!
interface GigabitEthernet0/0/0/0.1701
 vrf INTERNET
 ipv4 address 122.xxx.xxx.xxx 255.255.255.0
 flow ipv4 monitor FMM-NC sampler FSM-NC ingress
 dot1q vlan 1701

Giuseppe Larosa Tue, 02/02/2010 - 06:07

Hello Lacushime,

Start by looking at the flow cache locally on the device and check the export traffic.

Verify that the local counters are correct and eventually capture an export packet with a protocol analyzer to see how it is made.

Eventually open a Cisco TAC service request to get their help.

Hope to help

Giuseppe
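
One way to inspect a captured export packet as suggested in the reply above; this is an added example, not code from the thread or from any of the tools mentioned. It decodes a NetFlow v9 datagram using the RFC 3954 layout and reports whether each template exports IN_BYTES (field type 1) and at what width. The sample datagram, addresses and counter values are constructed, and the function names are hypothetical.

```python
import struct

IN_BYTES, IN_PKTS = 1, 2  # field type numbers from RFC 3954

def parse_v9(packet, templates=None):
    """Decode one NetFlow v9 export datagram into (templates, records)."""
    templates = {} if templates is None else templates
    version, _count = struct.unpack_from("!HH", packet, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 datagram")
    records, off = [], 20                      # fixed 20-byte v9 header
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length")
        body, pos = packet[off + 4:off + fs_len], 0
        if fs_id == 0:                         # template flowset
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                if tid < 256 or pos + 4 + 4 * nfields > len(body):
                    break                      # padding or truncated template
                templates[tid] = [struct.unpack_from("!HH", body, pos + 4 + 4 * i)
                                  for i in range(nfields)]
                pos += 4 + 4 * nfields
        elif fs_id in templates:               # data flowset with a known template
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            while rec_len and pos + rec_len <= len(body):
                rec = {}
                for ftype, flen in fields:     # decode each field as an unsigned int
                    rec[ftype] = int.from_bytes(body[pos:pos + flen], "big")
                    pos += flen
                records.append(rec)
        off += fs_len
    return templates, records

def byte_field_widths(templates):
    """Map template id -> width of IN_BYTES in bytes, or None if not exported."""
    return {tid: dict(fields).get(IN_BYTES) for tid, fields in templates.items()}

# Constructed sample datagram: template 256 plus one data record (not a real capture).
HEADER = struct.pack("!HHIIII", 9, 2, 1000, 1263902381, 1, 0)
TEMPLATE = struct.pack("!HHHH8H", 0, 24, 256, 4, 8, 4, 12, 4, IN_BYTES, 4, IN_PKTS, 4)
DATA = struct.pack("!HH4s4sII", 256, 20, b"\xc0\x00\x02\x01", b"\xc6\x33\x64\x07", 1500, 3)
SAMPLE = HEADER + TEMPLATE + DATA

if __name__ == "__main__":
    tmpl, recs = parse_v9(SAMPLE)
    print(byte_field_widths(tmpl), [(r[IN_BYTES], r[IN_PKTS]) for r in recs])
```

Exporters usually send templates in separate datagrams from the data, so pass the returned `templates` dict back into later `parse_v9` calls. Comparing the decoded IN_BYTES value and width with what the collector displays separates an export problem from a collector decoding problem.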

jakewilson Fri, 02/05/2010 - 04:10

Hello,

Thank you for using Scrutinizer. Please give www.plixer.com a call at +1 (207) 324-8805 x3 and presales support can help you. Also, the latest version of Scrutinizer is v7.5.1.

Jake
