This chapter tells you how to use the NetFlow FlowCollector user interface (NFUI) to review application statistics and resource definitions (such as those for threads, filters, and protocols), or to create and modify FlowCollector resource definitions.
This chapter includes information on the following topics:
FlowCollector should be running before you start the NFUI; otherwise, there will be no FlowCollector application statistics or resource definitions to review.
Use the following command to start the FlowCollector user interface:
$ $NFC_DIR/bin/NFUI
The system displays the main menu of the FlowCollector user interface (see Figure 4-1).
```
--------------------
NetFlow FlowCollector UI
--------------------
MAIN MENU
1. Threads
2. Filters
3. Protocols
4. Source Ports
5. Destination Ports
6. UDP Ports
7. Source ASNs
8. Destination ASNs
9. Source(s) IP Address(es)
11. Dump Configuration
h. Help
q. Quit
Enter Item Number [1 - 11, (h)elp, (q)uit] :
```
The FlowCollector user interface consists of a main menu that provides access to a series of submenus and information displays (see Figure 4-1).
Some of the main menu entries, such as the threads, filters, and protocol configuration parameters, provide access to submenus where you can create new definitions or modify existing definitions. When you type the number for one of these entries and press Return, the user interface displays the submenu for that configuration parameter. For example, when you select item 1 on the main menu, the user interface displays the threads submenu (see Figure 4-2).
```
----------------
SUB MENU (Threads)
----------------
1. List of Thread IDs
2. Review Thread
3. Modify Thread
4. Create Thread
5. Delete Thread
h. Help
q. Quit to main menu
Enter Item Number [1 - 5, (h)elp, (q)uit] :
```
All of the submenus have a format similar to the main menu shown in Figure 4-1: the user interface displays some information and then prompts you to act on that information. For each user interface prompt, you type a number or an alphanumeric entry in the command entry line, and then press Return.
Each submenu contains an item that allows you to quit the current menu and return to the main menu. In the main menu, the quit option exits the user interface.
In those submenus where the user interface prompts you to type in a complete entry, such as a thread or filter ID, the user interface displays a list of the items you can use, as a reminder. For example, when you select item 2 (Review Thread) in the Threads submenu (see Figure 4-2), the user interface prompts you for a response, as shown in Figure 4-3.
```
2. Retrieve attributes of a Thread
Thread ID (Hit <CR> to see list of threads) :
```
If you know the name of the thread you want to review, type it and press Return. For example, if you entered the thread name CALLREC, the user interface would display information similar to that shown in Figure 4-4.
```
2. Retrieve attributes of a Thread
Thread ID (Hit <CR> to see list of threads) :CALLREC

Thread CALLREC
Aggregation CallRecord
Period 10
Port 9995
DataSetPath /opt/CSCOnfc/Data
State Active
DiskSpaceLimit 0
File Retain 36

----------------
SUB MENU (Threads)
----------------
1. List of Thread IDs
2. Review Thread
3. Modify Thread
4. Create Thread
5. Delete Thread
h. Help
q. Quit to main menu
Enter Item Number [1 - 5, (h)elp, (q)uit] :
```
If you do not know the name of any threads, press Return, and the user interface displays a list of all the defined thread names (see Figure 4-5).
```
2. Retrieve attributes of a Thread
Thread ID (Hit <CR> to see list of threads) :<CR>
PROTO
CALLREC
DETHTM
SRCPORT
DEINTER
Thread ID :
```
When you are creating or modifying a FlowCollector configuration parameter, such as a thread, filter, or protocol definition, the user interface prompts you through each of the steps in the process and provides the applicable units (where appropriate) and the default value (where appropriate) in angle brackets (< >). For example, if you were modifying an existing thread, one of the steps in the process involves setting the Period parameter:
Period (minutes) <10> :
When you come to the end of the process, the user interface prompts you to confirm the created or modified configuration parameter. For example, if you are creating a new filter definition, the user interface prompts you through all the steps, and then prompts you to confirm that you want to save the new filter:
Are you sure you want to create this filter? [Y/N] :
By typing N (no) and pressing Return, you cancel the save action (and lose any changes).
Some of the main menu entries display read-only resource definitions and statistics. You set resource definitions by editing one or more of the FlowCollector configuration files in the $NFC_DIR/config directory.
When you select one of the following main menu items, the user interface displays a read-only list of numbers:
For example, if you select item 4 (Source Ports) from the main menu, the user interface displays information similar to that shown in Figure 4-6.
```
*** List of existing Source Ports ***
21:ftp
88
50, 100
1024, 1999:Other_Reserved_Ports
20000, 29999:My_Range
40000, 49999:My_Range
Press Return to continue ...
```
The content of the source and destination port or autonomous system number lists is determined by the definitions in the nfknown.name file that corresponds to the main menu selection item:
The process used to modify these files is described in the "Defining Protocols" section in the chapter "Customizing FlowCollector," later in this guide.
When you select item 6 (UDP Ports) from the main menu, the user interface displays information similar to that shown in Figure 4-7.
```
*** List of existing UDP Ports ***
9995
9996
Press Return to continue ...
```
The UDP port numbers are the ports on which FlowCollector is expecting NetFlow data. In a default FlowCollector installation, UDP ports 9995 and 9996 are automatically configured as the UDP ports. You can define other UDP port numbers (refer to the section "Creating a Thread" in the chapter "Customizing FlowCollector," later in this guide). The content of the UDP ports list is determined by the active thread definitions in the nfconfig.file.
When you select item 9 (Source(s) IP Address(es)) from the main menu, the user interface displays information similar to that shown in Figure 4-8.
```
*** List of Existing Export Devices ***
192.168.1.1
192.168.2.2
192.168.3.3
192.168.4.4
192.168.5.5
192.168.6.6
Press Return to continue ...
```
The list represents those IP addresses from which FlowCollector has received NetFlow data.
The Application Statistics entry (10) on the main menu retrieves and displays a table of statistics on FlowCollector operation (see Figure 4-9).
```
10. Retrieve application stats

FlowCollector has been up since Wed May 20 13:56:49 1998

Port  Packets rcvd(wrap)  Records(wrap)  Discarded  Missed Recs(wrap)
----  ------------------  -------------  ---------  -----------------
9995  0(0)                0(0)           0          0(0)
9996  70748(0)            2122440(0)     0          0(0)
```
where the fields of information are described as follows:
| Field | Description |
|---|---|
| Port | The port number of the UDP port FlowCollector uses to listen for NetFlow data. |
| Packets rcvd(wrap) | The number of packets received on this port, and the number of times this counter has wrapped. This counter wraps after it has reached 4,294,967,295. |
| Records(wrap) | The number of flow records FlowCollector has detected, and the number of times this counter has wrapped. This counter wraps after it has reached 4,294,967,295. |
| Discarded | The number of packets FlowCollector has discarded. FlowCollector discards unsolicited packets, or packets in an invalid version or format. In its default configuration, FlowCollector accepts NetFlow export packets from any IP address. If necessary, you can use the ACCEPT_PACKETS_FROM configuration parameter to specify the source IP addresses or defined ROUTER_GROUPNAME labels from which FlowCollector should receive NetFlow export packets, thus allowing FlowCollector to discard "unsolicited" packets from unspecified sources. For information on how to do this, refer to the section "Preventing FlowCollector from Accepting Unsolicited Packets," in the chapter "Customizing FlowCollector," later in this guide. |
| Missed Recs(wrap) | The number of flow records that FlowCollector should have detected, but did not, and the number of times this counter has wrapped. This counter wraps after it has reached 4,294,967,295. This value is derived from the sequence numbers (when present) in each packet. If a UDP port has only received Version 1 datagrams or Version 7 datagrams with short-cut mode enabled (or a combination of these two), the Missed Records column for that UDP port displays a -1 to indicate that this field does not apply. If a UDP port has received any Version 5 or Version 7 (with short-cut mode disabled) datagrams, the Missed Records column for that UDP port displays the true count of missed records. If there are no missed records, the Missed Records column for that UDP port displays a zero. |
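
The sketch below is an added example, not FlowCollector code: it shows how the four counters in the table can be derived from incoming datagrams, including the -1 "does not apply" state and an exporter allowlist in the spirit of ACCEPT_PACKETS_FROM. The `PortStats` class, the `v1`/`v5` sample builders, per-exporter sequence tracking, and the choice to count discarded packets as received are assumptions; only Version 1 and Version 5 datagrams are handled.

```python
import ipaddress
import struct

V1_HEADER = struct.Struct("!HHIII")      # 16 bytes, no sequence number
V5_HEADER = struct.Struct("!HHIIIIBBH")  # 24 bytes, index 5 is flow_sequence
HEADERS = {1: V1_HEADER, 5: V5_HEADER}
RECORD_LEN = 48                          # v1 and v5 flow records are 48 bytes each
WRAP = 2 ** 32                           # flow_sequence is a 32-bit counter


class PortStats:
    """Hypothetical per-UDP-port counters modelled on the statistics table."""

    def __init__(self, accept_from=None):
        # None mirrors the default configuration: accept from any IP address.
        self.accept_from = (None if accept_from is None
                            else {ipaddress.ip_address(a) for a in accept_from})
        self.packets = self.records = self.discarded = 0
        self.missed = -1      # stays -1 until a datagram with sequence numbers arrives
        self.expected = {}    # exporter address -> next expected flow_sequence

    def receive(self, src_ip, data):
        """Account for one datagram; return True if accepted, False if discarded."""
        self.packets += 1     # assumption: discarded packets still count as received
        src = ipaddress.ip_address(src_ip)
        version, count = struct.unpack_from("!HH", data) if len(data) >= 4 else (0, 0)
        header = HEADERS.get(version)
        unsolicited = self.accept_from is not None and src not in self.accept_from
        if unsolicited or header is None or len(data) != header.size + count * RECORD_LEN:
            self.discarded += 1
            return False
        self.records += count
        if version == 5:
            seq = header.unpack_from(data)[5]
            self.missed = max(self.missed, 0)
            gap = (seq - self.expected.get(src, seq)) % WRAP
            if gap < WRAP // 2:   # a larger "gap" is a late, reordered datagram
                self.missed += gap
                self.expected[src] = (seq + count) % WRAP
        return True


def v5(seq, count):
    """Constructed sample: Version 5 datagram with zero-filled records."""
    return V5_HEADER.pack(5, count, 0, 0, 0, seq, 0, 0, 0) + bytes(count * RECORD_LEN)


def v1(count):
    """Constructed sample: Version 1 datagram with zero-filled records."""
    return V1_HEADER.pack(1, count, 0, 0, 0) + bytes(count * RECORD_LEN)
```

A rising Discarded count on a port with an allowlist points at unexpected senders, while a rising Missed Recs count points at export loss between the router and the collector.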
The Dump Configuration Parameters entry (11) on the main menu saves the current FlowCollector configuration parameter values in a log file. In a standard installation, the default log file is named nfc.log, and is located in the $NFC_DIR/logs directory.
The remaining chapters and appendixes in this guide provide information on the following topics:
| For more information on... | Refer to ... |
|---|---|
| Locating and understanding FlowCollector data files | "Understanding the FlowCollector Data File Format" |
| Customizing FlowCollector operation using thread, filter, and protocol definitions, lists of port and autonomous system numbers, and other FlowCollector configuration parameters | "Customizing FlowCollector" |
| Helpful information and procedures in case you encounter problems while using FlowCollector | "Troubleshooting" |
| NetFlow export datagram formats | "NetFlow Export Datagram Format" |