Troubleshooting Netflow

QUESTION
No data displayed on the Flow Analysis Console page. How do I troubleshoot?

RESOLUTION
In order for Traverse to collect NetFlow data, please ensure that:

  • the flow source is configured in Traverse (section 'Configuring NetFlow Collectors' in the User Guide)
  • the device is configured to export flow records to the DGE/DGE extension of the flow type specified in the previous step (section 'Enabling Export of Flow Records' in the User Guide)
  • flow data is arriving at the DGE/DGEx on the correct port from the IP address of the device as provisioned in Traverse (Wireshark may be used for this purpose)
  • the Windows Firewall on the DGE/DGEx is not blocking/discarding the flow data packets

Should there be an issue with a Netflow report in Traverse, kindly follow the steps below.

Review the Netflow configuration

Log in as superuser, navigate to 'Superuser->Global Config->Netflow Collector' and click on the appropriate Update link. Review the source data and ensure it matches the configuration on the router. A few things to keep in mind:

* The 'Accept from IP Address' is typically the IP address of the device as configured in Traverse.

* For netflow-v9, the flow source device must be configured to export a template record periodically. If the interval is set to 2 minutes, then it will require 2 minutes to begin saving flow data after any restart of the flow collector (Traverse DGE/DGEx) or the flow source (the network device).

* The field 'Local Network(s) in CIDR notation' must contain one or more entries, each entry on a separate line. Do not leave empty.
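
Why a v9 collector has to wait for the template, as an added example (not Traverse code): a data FlowSet carries only a template ID, so the records cannot be decoded until the matching template FlowSet has been seen. The parser follows the RFC 3954 packet layout; the sample packets, `parse_v9` and `demo` are constructed for illustration.

```python
import struct

# NetFlow v9 header (RFC 3954): version, count, sysUptime, unix_secs, sequence, source_id
V9_HEADER = struct.Struct("!HHIIII")

def parse_v9(packet, known_templates):
    """Classify the FlowSets in one v9 export packet.

    known_templates is a set of (source_id, template_id) pairs learned from
    earlier packets; it is updated in place.
    """
    if len(packet) < V9_HEADER.size:
        raise ValueError("packet shorter than the v9 header")
    version, _, _, _, _, source_id = V9_HEADER.unpack_from(packet)
    if version != 9:
        raise ValueError("not NetFlow v9 (version=%d)" % version)
    stats = {"templates": 0, "decodable": 0, "undecodable": 0}
    offset = V9_HEADER.size
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack_from("!HH", packet, offset)
        if length < 4 or offset + length > len(packet):
            raise ValueError("bad FlowSet length at offset %d" % offset)
        body = packet[offset + 4:offset + length]
        if flowset_id == 0:                      # template FlowSet
            pos = 0
            while pos + 4 <= len(body):
                template_id, field_count = struct.unpack_from("!HH", body, pos)
                if template_id < 256:            # trailing padding, not a template
                    break
                known_templates.add((source_id, template_id))
                stats["templates"] += 1
                pos += 4 + 4 * field_count       # each field is (type, length)
        elif flowset_id > 255:                   # data FlowSet, id == template id
            known = (source_id, flowset_id) in known_templates
            stats["decodable" if known else "undecodable"] += 1
        offset += length
    return stats

# Constructed sample packets (not captured traffic).
TEMPLATE = struct.pack("!8H", 0, 16, 256, 2, 8, 4, 12, 4)   # src/dst IPv4 fields
DATA = struct.pack("!HH4s4s", 256, 12, bytes([10, 10, 12, 253]), bytes([10, 10, 12, 1]))

def demo():
    """Replay data, template, data against a freshly restarted collector."""
    seen = set()
    packets = [DATA, TEMPLATE, DATA]
    return [parse_v9(V9_HEADER.pack(9, 1, 0, 0, i, 1) + p, seen)
            for i, p in enumerate(packets)]
```

The first data packet is counted as undecodable because no template has arrived yet; the same packet becomes decodable once the template has been learned.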

Starting and stopping NetFlow Related Components

The Traverse Service Controller (TSC) may be used to stop/start the Flow Analysis Engine and the Simple NetFlow Collector. The Traverse Flow Analysis Engine is responsible for retrieving the stored flow data records from disk and the Traverse Simple NetFlow Collector writes the flow data to disk.

Ensure Firewall And/Or Anti-Virus software is turned off

Any Firewall/Anti-Virus software must allow incoming UDP packets on the configured port (e.g. 2055) from the router. Either configure the Firewall/Anti-Virus software to permit the UDP traffic on the appropriate port or, for troubleshooting purposes, turn off the Firewall/Anti-Virus software altogether.


Is Traverse receiving NetFlow data?

Under %TRAVERSE_HOME%\apps\silk\data, some or all of the following directories may be present:

  • ext2ext
  • in
  • int2int
  • inweb
  • out
  • outweb

Under each of these, you should see a hierarchy by year, month and day, such as: %TRAVERSE_HOME%\apps\silk\data\ext2ext\2009\08\17

At the innermost level, you should see files such as

ext2ext-S0_20090817.20

ext2ext-S0_20090817.21

If none of the directories/files listed above are present, it would indicate that Traverse is not saving flow data from the flow source. In that case, please revisit and ensure that the configuration on Traverse and on the router are correct.
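
The directory check above can be scripted. This added example (not part of Traverse) walks the data directory and reports which flow type and sensor pairs have stopped producing files. It assumes the numeric suffix of each file name is the hour of day, as in the sample names above; the function names and the two-hour threshold are illustrative.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta

# <flowtype>-<sensor>_<YYYYMMDD>.<HH>, e.g. ext2ext-S0_20090817.20
FLOW_FILE = re.compile(r"^([a-z0-9]+)-([^_]+)_(\d{8})\.(\d{2})$")

def newest_flow_files(data_root):
    """Map (flowtype, sensor) -> datetime of the newest hourly file found."""
    newest = {}
    for _dirpath, _dirs, files in os.walk(data_root):
        for name in files:
            m = FLOW_FILE.match(name)
            if not m:
                continue
            flowtype, sensor, day, hour = m.groups()
            try:
                stamp = datetime.strptime(day + hour, "%Y%m%d%H")
            except ValueError:          # e.g. hour 99: not a flow file
                continue
            key = (flowtype, sensor)
            if key not in newest or stamp > newest[key]:
                newest[key] = stamp
    return newest

def stale_sensors(data_root, now, max_age_hours=2):
    """Return sorted (flowtype, sensor) pairs with no file newer than the cutoff.

    `now` must be in the same timezone the collector uses for file names.
    If no flow files exist at all, returns [("*", "*")].
    """
    newest = newest_flow_files(data_root)
    if not newest:
        return [("*", "*")]
    cutoff = now - timedelta(hours=max_age_hours)
    return sorted(k for k, stamp in newest.items() if stamp < cutoff)

def demo():
    """Build a constructed data tree and check it as of 2009-08-17 22:30."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("ext2ext-S0_20090817.20", "ext2ext-S0_20090817.21",
                     "in-S0_20090817.09"):
            day_dir = os.path.join(root, name.split("-")[0], "2009", "08", "17")
            os.makedirs(day_dir, exist_ok=True)
            open(os.path.join(day_dir, name), "wb").close()
        return stale_sensors(root, datetime(2009, 8, 17, 22, 30))
```

On a real DGE, pass the `apps\silk\data` directory under the Traverse home as `data_root`.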

Is Traverse listening on the configured port?

To ensure that the Traverse DGE is listening on the correct port, run the following command from the command line. The resulting output is also shown below (assuming the flow data is being sent to UDP port 2055):

%TRAVERSE_HOME%\apps\silk\sbin>netstat -ano | findstr 2055

  UDP    0.0.0.0:2055           *:*                                    8040

 

To collect diagnostic information for Traverse Support: 

  • Enable verbose logging within the flow data extraction script on the Traverse server running the Flow Collector (DGE or DGEx) by removing any leading '#' characters from before the 'DEBUG' flag in 'TRAVERSE_HOME\plugin\monitors\silk-topn.conf':
$DEBUG = 1;
  • Note the 'rwfilter' command in TRAVERSE_HOME\logs\silk-topn.log that extracts the data for presentation on the report. For example:
C:\Program Files (x86)\Traverse\logs>tail -f silk-topn.log
DEBUG: verified 'silk' directory at C:\Program Files (x86)\Traverse/apps/silk/bin
Fri Feb  6 18:58:37 2015 [silk-topn]: (DEBUG) verified 'silk' directory at C:\Program Files (x86)\Traverse/apps/silk/bin
DEBUG: request: TOPN C:\Windows\temp\TOPNa04744 10.10.12.253:__all__:__all__ __all__ __all__ __all__ __all__ __all__ 20150207005832 20150207025832 top 10 bytes client
Fri Feb  6 18:58:37 2015 [silk-topn]: (DEBUG) request: TOPN C:\Windows\temp\TOPNa04744 10.10.12.253:__all__:__all__ __all__ __all__ __all__ __all__ __all__ 20150207005832 20150207025832 top 10 bytes client
DEBUG: loading map of sensor id to ip address
Fri Feb  6 18:58:37 2015 [silk-topn]: (DEBUG) loading map of sensor id to ip address
DEBUG:  sensor #0 => 10.10.12.253
Fri Feb  6 18:58:37 2015 [silk-topn]: (DEBUG)   sensor #0 => 10.10.12.253
DEBUG: source ip = __all__
Fri Feb  6 18:58:37 2015 [silk-topn]: (DEBUG) source ip = __all__
DEBUG: requesting information from silk ...
Fri Feb  6 18:58:37 2015 [silk-topn]: (DEBUG) requesting information from silk ...
DEBUG: running command: "C:\Program Files (x86)\Traverse/apps/silk/bin\rwfilter"  --data-rootdir=/tvsilk/data --not-any-addr=0.0.0.0 --type=all --threads=4 --compression-method=none --pass=stdout --ip-version=4 --sensor=S10.10.12.253 --proto=6,17 --start-date=2015/02/07:00 --end-date=2015/02/07:02 2>C:\Windows\temp\TOPNa04744.rwf | "C:\Program Files (x86)\Traverse/apps/silk/bin\rwstats" --output-path=C:\Windows\temp\TOPNa04744.tmp --no-titles --no-columns --top --bytes --count=10 --fields=dIP
Fri Feb  6 18:58:37 2015 [silk-topn]: (DEBUG) running command: "C:\Program Files (x86)\Traverse/apps/silk/bin\rwfilter"  --data-rootdir=/tvsilk/data --not-any-addr=0.0.0.0 --type=all --threads=4 --compression-method=none --pass=stdout --ip-version=4 --sensor=S10.10.12.253 --proto=6,17 --start-date=2015/02/07:00 --end-date=2015/02/07:02 2>C:\Windows\temp\TOPNa04744.rwf | "C:\Program Files (x86)\Traverse/apps/silk/bin\rwstats" --output-path=C:\Windows\temp\TOPNa04744.tmp --no-titles --no-columns --top --bytes --count=10 --fields=dIP
DEBUG: return code: 1
Fri Feb  6 18:58:38 2015 [silk-topn]: (DEBUG) return code: 1
  • Attach a copy of 'silk-topn.log' to your ticket for analysis


APPLIES TO
All Traverse versions

REFERENCE
-
