
Troubleshooting Netflow

In order for Traverse to collect NetFlow data, please ensure that:

  • the flow source is configured in Traverse (section 'Configuring NetFlow Collectors' in the User Guide)
  • the device is configured to export flow records to the DGE/DGE extension of the flow type specified in the previous step (section 'Enabling Export of Flow Records' in the User Guide)
  • flow data is arriving at the DGE/DGEx on the correct port from the IP address of the device as provisioned in Traverse (Wireshark may be used for this purpose)
  • the Windows Firewall on the DGE/DGEx is not blocking/discarding the flow data packets



Should there be an issue with a NetFlow report in Traverse, follow the steps below:

 

Review the Netflow configuration

Log in as superuser and navigate to Superuser --> Global Config --> Netflow Collector, then click the appropriate Update link. Review the source data and ensure it matches the configuration on the router. A few things to keep in mind:

* The 'Accept from IP Address' is typically the IP address of the device as configured or resolved on the DGE/DGEx. It must also be the address the router actually exports from, i.e. the source address of the flow packets as seen in a Wireshark capture on the DGE/DGEx; records arriving from any other source address are not accepted.

* For NetFlow v9, the template refresh on the router should initially be set to export every 5 minutes so that the collector can decode the data records and start persisting data on the DGE/DGEx (v9 data records cannot be interpreted until a template has been received).

* The field 'Local Network(s) in CIDR notation (enter each entry on a separate line)' must not be left blank.

 

Starting and Stopping NetFlow Related Components

Are multiple instances of the NetFlow Collector running?

Typically, the Traverse Service Controller (TSC) is used to stop/start the Flow Analysis Engine and the Simple NetFlow Collector, which in turn stops/starts the Traverse Flow Analysis Engine and Traverse Simple NetFlow Collector Windows services respectively. Stopping the Simple NetFlow Collector Windows service should in turn end the rwflowpack.exe process (the one listening on UDP port 2055).

On occasion, the Simple NetFlow Collector Windows service may stop but the rwflowpack process may not. If this happens and you attempt to start the Simple NetFlow Collector from TSC, the following log entries (at debug level) are observed in <TRAVERSE_HOME>\apps\silk\logs\rwflowpack-20090817.txt, because the orphaned process still holds the port:

Aug 17 14:54:16 vmdev-pm01-w2k3 rwflowpack[6388]: Forked child 1932.  Parent exiting

Aug 17 14:54:16 vmdev-pm01-w2k3 rwflowpack[1932]: Failed to bind address: Address already in use

Aug 17 14:54:16 vmdev-pm01-w2k3 rwflowpack[1932]: Could not create PDU Reader for 'S0' on 0.0.0.0:2055

Aug 17 14:54:16 vmdev-pm01-w2k3 rwflowpack[1932]: Unable to start flow processor #1 for PDU Reader

Aug 17 14:54:16 vmdev-pm01-w2k3 rwflowpack[1932]: Unable to start flow processor

Aug 17 14:54:16 vmdev-pm01-w2k3 rwflowpack[1932]: Stopped logging.

The resolution is to end the orphaned rwflowpack.exe process from the Windows Task Manager and then start the Simple NetFlow Collector from the TSC.

 

Ensure Firewall and/or Anti-Virus software is not blocking the flow packets

Any firewall or anti-virus software on the DGE/DGEx must allow incoming UDP packets on port 2055 from the router. Configure it to permit UDP on port 2055, ideally only from the router's export address. For troubleshooting purposes only, the firewall/anti-virus software may be turned off temporarily to confirm it is the cause; re-enable it, with the permit rule in place, once the test is done.


Is Traverse receiving NetFlow data?

At <TRAVERSE_HOME>\apps\silk\data, the following directories (not all may be present) should be listed:

ext2ext

in

int2int

inweb

out

outweb

Under each of these, you should see a hierarchy by year, month and day, such as: <TRAVERSE_HOME>\apps\silk\data\ext2ext\2009\08\17

At the innermost level, you should see files such as

ext2ext-S0_20090817.20

ext2ext-S0_20090817.21

If none of the directories/files listed above are present, it would indicate that Traverse is not receiving data from the router. In that case, please revisit and ensure that the configuration on Traverse and on the router is correct.

 

Is Traverse listening on the right port?

To ensure that the Traverse DGE is listening on the right port (typically 2055), run the following command from the command line. The expected output is shown below; the last column is the PID of the owning process, which should be the rwflowpack.exe process.

  <TRAVERSE_HOME>\apps\silk\sbin>netstat -ano | findstr 2055

  UDP    0.0.0.0:2055           *:*                                    8040
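The checks in the sections above (service versus rwflowpack.exe process, the UDP listener and its owning PID, the firewall rule, and whether files are landing under apps\silk\data) can be run in one pass from an elevated PowerShell prompt on the DGE/DGEx. The script below is an added example and is not part of Traverse or of this article. It assumes the service display name 'Traverse Simple NetFlow Collector' named above, the default install path, UDP port 2055 and, as a placeholder router address, 10.10.12.253 from the log excerpt further down; all four are parameters. It relies on the NetTCPIP and NetSecurity cmdlets, so it needs Windows Server 2012 / Windows 8 or later.

```powershell
<#
  Added collector health check for a Traverse DGE/DGEx (example script, not Traverse code).
  Assumptions: service display name as in the article, default install path, UDP 2055,
  router export address 10.10.12.253 (placeholder). Run from an elevated prompt.
#>
param(
    [string]$TraverseHome = 'C:\Program Files (x86)\Traverse',
    [int]   $FlowPort     = 2055,
    [string]$RouterIp     = '10.10.12.253',
    [switch]$Fix          # also end an orphaned rwflowpack.exe and add the firewall rule
)

$svcDisplayName = 'Traverse Simple NetFlow Collector'

# 1. Service state versus the rwflowpack.exe process it is supposed to own.
$svc  = Get-Service -DisplayName $svcDisplayName -ErrorAction SilentlyContinue
$proc = @(Get-Process -Name rwflowpack -ErrorAction SilentlyContinue)
$svcState = if ($svc) { $svc.Status } else { 'not installed' }
Write-Host "Service '$svcDisplayName': $svcState; rwflowpack.exe processes: $($proc.Count)"

if ($proc.Count -gt 0 -and $svcState -ne 'Running') {
    # Orphaned collector: the process outlived the service and still holds the UDP port,
    # so a restart from TSC fails with 'Failed to bind address: Address already in use'.
    Write-Warning "rwflowpack.exe (PID $($proc.Id -join ', ')) is running but the service is $svcState."
    if ($Fix -and $svc) {
        $proc | Stop-Process -Force
        Start-Service -DisplayName $svcDisplayName
        Write-Host 'Ended the orphaned rwflowpack.exe and started the service.'
    }
} elseif ($proc.Count -eq 0 -and $svcState -eq 'Running') {
    Write-Warning 'Service reports Running but no rwflowpack.exe process exists.'
}

# 2. Who is bound to the flow port? Same information as 'netstat -ano | findstr 2055'.
$endpoints = @(Get-NetUDPEndpoint -LocalPort $FlowPort -ErrorAction SilentlyContinue)
if ($endpoints.Count -eq 0) {
    Write-Warning "Nothing is listening on UDP $FlowPort; flows from the router are being dropped."
}
foreach ($ep in $endpoints) {
    $owner = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
    Write-Host ("UDP {0}:{1} is held by PID {2} ({3})" -f $ep.LocalAddress, $ep.LocalPort, $ep.OwningProcess, $owner.ProcessName)
}

# 3. Windows Firewall: an enabled inbound Allow rule for UDP $FlowPort must exist.
#    A rule scoped to the router's address is the least-privilege alternative to disabling the firewall.
$allowRules = @(Get-NetFirewallPortFilter -Protocol UDP -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -eq "$FlowPort" -or $_.LocalPort -eq 'Any' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' })
if ($allowRules.Count -gt 0) {
    Write-Host "Inbound UDP $FlowPort allowed by: $($allowRules.DisplayName -join '; ')"
} else {
    Write-Warning "No enabled inbound firewall rule allows UDP $FlowPort."
    if ($Fix) {
        New-NetFirewallRule -DisplayName "Traverse NetFlow (UDP $FlowPort from $RouterIp)" `
            -Direction Inbound -Protocol UDP -LocalPort $FlowPort -RemoteAddress $RouterIp -Action Allow | Out-Null
        Write-Host "Added firewall rule allowing UDP $FlowPort from $RouterIp only."
    }
}

# 4. Is data landing on disk? Look for the newest SiLK hourly file (e.g. ext2ext-S0_20090817.20).
$dataRoot = Join-Path $TraverseHome 'apps\silk\data'
$newest = Get-ChildItem -Path $dataRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^(ext2ext|in|int2int|inweb|out|outweb)-S\d+_\d{8}\.\d{2}$' } |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $newest) {
    Write-Warning "No flow files under $dataRoot; Traverse is not receiving records from the router."
} else {
    $ageMin = [int]((Get-Date) - $newest.LastWriteTime).TotalMinutes
    Write-Host "Newest flow file: $($newest.FullName) ($ageMin minutes old)"
    if ($ageMin -gt 120) { Write-Warning 'No flow file has been written in the last two hours.' }
}
```

Save it as a .ps1 and run it without -Fix first to see the current state; with -Fix it ends an orphaned rwflowpack.exe, starts the service and adds an inbound rule that permits UDP 2055 from the router address only, rather than opening the port to everyone or turning the firewall off. It does not replace a packet capture: if the listener, firewall rule and service all look correct but no files appear, capture UDP 2055 on the DGE/DGEx with Wireshark to confirm the router's packets are arriving from the expected source address.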

 

Running rwflowpack manually

Run rwflowpack manually from the command prompt (using Run as Administrator) with the --verify-sensor-config option to validate the sensor configuration file. With this option rwflowpack checks the configuration and exits; it does not start collecting flows.

(When copying and pasting the command, please ensure that all entries are on one line on the DOS command prompt)

E:\Traverse>apps\silk\sbin\rwflowpack --root-directory="/tvsilk/data" --pidfile="/tvsilk/data/rwflowpack.pid" --sensor-configuration="/tvsilk/data/sensor.conf" --log-level=notice --log-directory="/tvsilk/logs" --output-mode=local-storage --pack-interfaces --no-daemon --no-file-locking --verify-sensor-config

 

To run rwflowpack from the command line:

E:\Traverse>apps\silk\sbin\rwflowpack --root-directory="/tvsilk/data" --pidfile="/tvsilk/data/rwflowpack.pid" --sensor-configuration="/tvsilk/data/sensor.conf" --log-level=notice --log-directory="/tvsilk/logs" --output-mode=local-storage --pack-interfaces --no-daemon --no-file-locking

 

 

  • Enable verbose logging within the flow data extraction script on the Traverse server running the Flow Collector (DGE or DGEx) by removing any leading '#' characters from before the 'DEBUG' flag in 'TRAVERSE_HOME\plugin\monitors\silk-topn.conf':
$DEBUG = 1;
  • Note the 'rwfilter' command in TRAVERSE_HOME\logs\silk-topn.log that extracts the data for presentation on the report, and its return code: a non-zero value, as in the excerpt below, means the rwfilter/rwstats pipeline did not complete successfully. For example:
C:\Program Files (x86)\Traverse\logs>tail -f silk-topn.log
DEBUG: verified 'silk' directory at C:\Program Files (x86)\Traverse/apps/silk/bin
Fri Feb  6 18:58:37 2015 [silk-topn]: (DEBUG) verified 'silk' directory at C:\Program Files (x86)\Traverse/apps/silk/bin
DEBUG: request: TOPN C:\Windows\temp\TOPNa04744 10.10.12.253:__all__:__all__ __all__ __all__ __all__ __all__ __all__ 20150207005832 20150207025832 top 10 bytes client
Fri Feb  6 18:58:37 2015 [silk-topn]: (DEBUG) request: TOPN C:\Windows\temp\TOPNa04744 10.10.12.253:__all__:__all__ __all__ __all__ __all__ __all__ __all__ 20150207005832 20150207025832 top 10 bytes client
DEBUG: loading map of sensor id to ip address
Fri Feb  6 18:58:37 2015 [silk-topn]: (DEBUG) loading map of sensor id to ip address
DEBUG:  sensor #0 => 10.10.12.253
Fri Feb  6 18:58:37 2015 [silk-topn]: (DEBUG)   sensor #0 => 10.10.12.253
DEBUG: source ip = __all__
Fri Feb  6 18:58:37 2015 [silk-topn]: (DEBUG) source ip = __all__
DEBUG: requesting information from silk ...
Fri Feb  6 18:58:37 2015 [silk-topn]: (DEBUG) requesting information from silk ...
DEBUG: running command: "C:\Program Files (x86)\Traverse/apps/silk/bin\rwfilter"  --data-rootdir=/tvsilk/data --not-any-addr=0.0.0.0 --type=all --threads=4 --compression-method=none --pass=stdout --ip-version=4 --sensor=S10.10.12.253 --proto=6,17 --start-date=2015/02/07:00 --end-date=2015/02/07:02 2>C:\Windows\temp\TOPNa04744.rwf | "C:\Program Files (x86)\Traverse/apps/silk/bin\rwstats" --output-path=C:\Windows\temp\TOPNa04744.tmp --no-titles --no-columns --top --bytes --count=10 --fields=dIP
Fri Feb  6 18:58:37 2015 [silk-topn]: (DEBUG) running command: "C:\Program Files (x86)\Traverse/apps/silk/bin\rwfilter"  --data-rootdir=/tvsilk/data --not-any-addr=0.0.0.0 --type=all --threads=4 --compression-method=none --pass=stdout --ip-version=4 --sensor=S10.10.12.253 --proto=6,17 --start-date=2015/02/07:00 --end-date=2015/02/07:02 2>C:\Windows\temp\TOPNa04744.rwf | "C:\Program Files (x86)\Traverse/apps/silk/bin\rwstats" --output-path=C:\Windows\temp\TOPNa04744.tmp --no-titles --no-columns --top --bytes --count=10 --fields=dIP
DEBUG: return code: 1
Fri Feb  6 18:58:38 2015 [silk-topn]: (DEBUG) return code: 1
  • Attach a copy of 'silk-topn.log' to your ticket for analysis