
New Member

Problem with netflow and ntop collector

Hi all,

I'm a new user and I'm trying to set up a Linux machine with some tools to monitor the network.

For the network usage, I chose ntop.

After configuring ntop and the router, I made some tests and everything seems to work correctly, but I see that the traffic reported in ntop is not the real traffic passed through the router. For example: if I make an FTP download of about 30 MB, I see only a few KB reported by netflow. Is that normal? I tried changing the version of netflow export (v1, v5, v9) but nothing changes.

Moreover, thinking it was a problem with ntop, I tried two other netflow analyzers, but the result is the same.

Can someone help me? Do we need to modify some parameters on the router to change this behavior? Or is it normal?

Regards

Danilo

6 REPLIES
Cisco Employee

Re: Problem with netflow and ntop collector

Danilo, can you provide your netflow config on the source router?

When you say you only see a few KB reported, is that a few KB reported against the source/target and FTP combination or just a few KB received at the collector (traffic-wise)? I would expect the Netflow records to aggregate to 30MB, but the ntop server will not see 30MB of traffic at it. Netflow reduces the information to records noting source, destination, protocol, size, etc.

I'd stick with v5 record types for now. Once we know things are being metered and exported correctly you can migrate to the more advanced v9 records.

Also, what platform? IOS version?

New Member

Re: Problem with netflow and ntop collector

Hi Jadavis,

thanks for the answer.

The netflow configuration on the router is very basic:

    interface FastEthernet0/1
     ip route-cache flow
    !
    ip flow-export source FastEthernet0/1
    ip flow-export version 5
    ip flow-export destination 192.168.187.10 2056

The router is in a lab environment for testing ntop with netflow, and it's a 2811 with SPSERVICESK9-M IOS (Version 12.4(15)T5).

For the FTP traffic, if I understand correctly, netflow should report to my collector some data about the network traffic like source, destination, protocol, port and also bytes transferred. Ntop correctly reports all this data, but for the bytes transferred ntop reports only a few KB for a transfer of 30 MB.

How can I see on the router the amount of traffic recorded by netflow? Can I use the command "show ip cache flow" for this? That way I can understand whether it is netflow that does not send all the data or ntop that doesn't understand the data sent by the router.

Also, if it's a problem with ntop, it's strange that with another netflow analyzer I have the same result.

Regards

Bronze

Re: Problem with netflow and ntop collector

Hello,

Did you enable netflow on all L3 interfaces? It is necessary to run "ip route-cache flow" or "ip flow ingress" on all interfaces. If you run flow cache on one interface you will see only data that are received on this interface, but you don't see outgoing traffic from this interface. Please let me know if it helps...

Kind regards,

Jan Nejman

Caligare, Co.

http://www.caligare.com/
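
The effect described in the reply above, as an added example that is not part of the original thread: a minimal NetFlow v5 datagram parser that sums `dOctets` per ingress interface, run over constructed records for one FTP download. The addresses, ports, ifIndex values, byte counts and function names are assumptions made up for the illustration.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

HDR = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Return a list of flow dicts from one NetFlow v5 export datagram."""
    version, count, *_ = HDR.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HDR.size + count * REC.size:
        raise ValueError("truncated datagram")
    flows = []
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        flows.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                      "input_if": f[3], "packets": f[5], "octets": f[6],
                      "sport": f[9], "dport": f[10], "proto": f[13]})
    return flows

def octets_by_input_if(flows):
    """Sum dOctets per ingress ifIndex: each record counts one direction only."""
    totals = defaultdict(int)
    for fl in flows:
        totals[fl["input_if"]] += fl["octets"]
    return dict(totals)

def build_v5(records):
    """Constructed test data: pack (src, dst, in_if, pkts, octets, sport, dport) tuples."""
    body = b"".join(
        REC.pack(IPv4Address(s).packed, IPv4Address(d).packed, bytes(4), in_if, 0,
                 pkts, octs, 0, 0, sp, dp, 0, 0x18, 6, 0, 0, 0, 0, 0, 0)
        for s, d, in_if, pkts, octs, sp, dp in records)
    return HDR.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0) + body

# Constructed flows for one ~30 MB FTP download (all values made up for the example).
ACKS = ("192.168.187.50", "10.0.0.20", 2, 10500, 420_000, 40001, 50123)     # client -> server
DATA = ("10.0.0.20", "192.168.187.50", 1, 21000, 31_457_280, 50123, 40001)  # server -> client

one_interface = octets_by_input_if(parse_v5(build_v5([ACKS])))          # only ifIndex 2 metered
all_interfaces = octets_by_input_if(parse_v5(build_v5([ACKS, DATA])))   # both interfaces metered

if __name__ == "__main__":
    print("flow cache on one interface: ", one_interface)
    print("flow cache on all interfaces:", all_interfaces)
```

With the flow cache on only the client-facing interface, the collector receives just the client's ACK stream; the bulk data direction enters the router on the other interface and is never metered.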

New Member

Re: Problem with netflow and ntop collector

Hi Jan,

thanks a lot for the suggestion!!!!

Unfortunately I don't know netflow very well (yet), but now with the command ip route-cache flow on the two L3 interfaces it seems to work correctly.

Regards

Cisco Employee

Re: Problem with netflow and ntop collector

Go ahead and share your 'show ip cache flow' output. (Or email direct to me - jadavis@cisco.com)

Maybe we're dealing with a difference of seeing just the FTP control traffic (TCP 21) versus the data traffic (TCP 20)?

You should see something like

    TCP-FTP 255 0.0 6 100 0.0 9.0 7.2
    TCP-FTPD 15010 0.0 1 63 0.0 0.6 15.4

FTPD would be the data stream.

New Member

Re: Problem with netflow and ntop collector

Hi Jadavis,

I think I solved my problem.

After putting the command ip route-cache flow under all L3 interfaces, I now see all traffic.

I still have some problems, but they relate to the ntop configuration. The FTP traffic is reported under another category because when I start a download from an FTP server, the connection from the FTP server to the router arrives on a port >1024 and not on port 20 or 21. Now I have modified the ntop configuration and it seems to work correctly, logging all the traffic in the right way.

Thanks for the help!

Danilo
