|
|
This appendix provides helpful information and procedures in case you encounter problems while using FlowCollector. This appendix includes information on the following topics:
The nfcollector status command provides an easy way to determine the following:
To invoke nfcollector status, enter the following command line at the UNIX prompt:
$ $NFC_DIR/bin/nfcollector status
When invoked, the nfcollector status command displays status information about FlowCollector and the UNIX workstation on which FlowCollector is running, including the following examples:
NFC_DIR=/opt/CSCOnfc NFC_RESOURCEFILE=$NFC_DIR/config/nf.resources
NFCD: running (pid: 8745) NFCollector Aggregation: stopped NFCollector Timer: stopped
-rw-r----- 1 mkjeeves eng 5 Jun 5 10:53 /tmp/nfcd.pid -rw-r----- 1 mkjeeves eng 8 Jun 5 10:53 /tmp/nfcd.uid p--------- 1 mkjeeves eng 0 Jun 5 10:53 /tmp/nfcunix.dg
mkjeeves 8745 1 0 10:53:14 pts/3 0:00 /opt/CSCOnfc/bin/NFCD
Disk Space for /opt/CSCOnfc: Filesystem kbytes used avail capacity Mounted on /dev/dsk/c0t0d0s5 2100876 44722 1846074 3% /opt
To invoke show-tech, enter the following command line at the UNIX prompt:
$ $NFC_DIR/bin/nfcollector show-tech
When invoked, the show-tech command creates a log file named show-tech.log in the directory $NFC_DIR/logs, and saves the following information in it:
The utilities described in this section are typically used to troubleshoot FlowCollector operation by providing a way to capture and play back received NetFlow data. The process emulates a Cisco export device generating NetFlow data through the NetFlow data export feature. The utilities are available in $NFC_DIR/tools/.
where:
| -p UDP-port | UDP port number on which flows are to be received. Default is 9991. |
| -c count | Number of flows to sample before calculating the incoming rate. Default is 100. |
| -s socket-buffer | Receive socket buffer size, in bytes. Default is 90000 bytes. |
where:
| -p UDP-port | UDP port number on which flows are to be received. Default is 9991. |
| -s socket-buffer | Receive socket buffer size, in bytes. Default is 90000 bytes. This argument and value determines how many datagrams the kernel will store in this buffer as datagrams come in from the network. The larger the buffer, the more time fdget has to consume data from the buffer before the buffer overflows. If the buffer overflows, datagrams are lost. |
| -a | Print acknowledgment only. Default is to print the content of flows. Using -a means print only an acknowledgment for each datagram received rather than the content of the datagram. |
where:
| -f datafile | Name of data file to play back to the user-specified destination (defined by IP address and UDP port number). |
| -d IP-address | Destination IP address. |
| -p UDP-port | Destination UDP port number. Default is 9991. |
| -i delay | Amount of delay, in milliseconds, between datagrams. Default is 1000. The longer the delay, the more separation there is between datagrams being sent to the receiving destination. |
| -b burst | Number of flows sent in each burst. Default is 10. This argument is used in conjunction with -i to control the speed and "burstiness" of the playback. |
| -s socket-buffer | Receive socket buffer size, in bytes. Default is 90000 bytes. |
| -t flows | Number of flows to play back in this session. Default is all flows in data file. If the data file contains 1000 datagrams, and you set -t to 1, fdplayback only sends one datagram. |
This section contains some basic problems that you might encounter while attempting to run FlowCollector.
Symptom Starting FlowCollector starts the FlowCollector daemon (NFCD), but no other processes.
Possible Cause Look in the $NFC_DIR/logs/nfc.log file. If there is a message prefixed with the label "ERROR," FlowCollector encountered an illegal or incomplete configuration parameter while starting up.
Recommended Action Perform the following steps:
Step 1 Use the nfcollector status command to verify which processes are running.
Step 2 Use the nfcollector stop all command to stop FlowCollector.
Step 3 Look in the appropriate configuration file for one of the following:
(a) A configuration parameter that does not follow the required syntax
(b) An invalid configuration value
(c) A configuration parameter with one or more required lines preceded by comment characters
Step 4 Fix the configuration file.
Step 5 Restart FlowCollector.
Symptom The nfcollector stop all command does not stop all of the processes.
Possible Cause In some rare cases, FlowCollector might find itself in a state where the nfcollector stop all command will not stop cleanly, leaving temporary files in /tmp.
Recommended Action Use the nfcollector clean command to force all processes related to FlowCollector to stop. The nfcollector clean command then cleans up all /tmp files related to FlowCollector operation.
Symptom FlowCollector data files are not being written to the directory specified in the dataSetPath thread attribute.
Possible Cause Either the process does not have the appropriate permission settings, or the DiskSpaceLimit thread attribute value has been exceeded.
Recommended Action Look at the nfc.log file to get the exact cause. If the problem is permission settings, fix the permission settings and try again. If the problem is related to the DiskSpaceLimit setting, increase the limit (if acceptable). You might need to make more disk space available in this partition.
Symptom The export device is exporting NetFlow data to a port, but FlowCollector does not see any data.
Possible Cause Check the nfc.log file for an error message about not being able to bind to that UDP port. If you find such a message, some other application is using that port.
Recommended Action Verify that the export device is not using a reserved port number in its attempt to export data to FlowCollector. Use an unreserved port number in the range 1024 to 65535 (for example, 9995 or 9996) to export data to FlowCollector.
|
|