|
|
This chapter describes how to customize FlowCollector operation using thread, filter, and protocol definitions, lists of port and autonomous system numbers, and other FlowCollector configuration parameters.
This chapter includes the following sections:
The process of customizing FlowCollector operation involves changes and additions to one or more of the following FlowCollector configuration and resource files located in the $NFC_DIR/config directory:
For more information about creating or modifying threads and filters, see the "Understanding FlowCollector Data Collection and Aggregation" section.
For more information about creating or modifying protocols, see the "Defining Protocols" section.
Flow records having source ports that match defined values in the nfknown.srcports file are aggregated together. Flow records from source ports not defined in this file are aggregated under "Others."
For more information about creating or modifying source port numbers, see the "Defining Source and Destination Port Numbers" section.
Flow records having destination ports that match defined values in the nfknown.dstports file are aggregated together. Flow records from destination ports not defined in this file are aggregated under "Others."
For more information about creating or modifying destination port numbers, see the "Defining Source and Destination Port Numbers" section.
Flow records having source autonomous system numbers that match defined values in the nfknown.srcasns file are aggregated together. Flow records from source autonomous system numbers not defined in this file are aggregated under "Others."
For more information about creating or modifying source autonomous system numbers, see the "Defining Source and Destination Autonomous System Numbers" section.
Flow records having destination autonomous system numbers that match defined values in the nfknown.dstasns file are aggregated together. Flow records from destination autonomous system numbers not defined in this file are aggregated under "Others."
For more information about creating or modifying destination autonomous system numbers, see the "Defining Source and Destination Autonomous System Numbers" section.
For more information about this file, see the "Modifying FlowCollector Resources" section.
For more information, see the "Configuring the Daemon (NFCD)" section.
FlowCollector collects and summarizes (aggregates) data into data files based on user-defined criteria specified in a FlowCollector thread. A thread is an aggregation task defined by a set of user-configurable attributes that specify how FlowCollector aggregates the traffic flows stored on the workstation. Two key thread attributes are:
Figure 5-1 shows an example of how FlowCollector uses threads and filters. In this example, threadA uses filterA and the SourceNode aggregation scheme; threadB uses both filterA and filterB
(filters can be shared among threads) and the DestPort aggregation scheme; threadC does not use any filters, but it also uses the DestPort aggregation scheme.
The following nf.config file example contains the thread definitions to accomplish the general data aggregation scheme shown in Figure 5-1. The file contains two filter definitions (filterA and filterB) and three thread definitions (threadA, threadB, and threadC) to accomplish the aggregation. NetFlow export traffic arrives on FlowCollector UDP port 9991. Data is to be aggregated by the following aggregation schemes:
FilterfilterA permitnexthop172.16.23.650.0.0.0 FilterfilterB denysrcaddr172.16.0.00.0.255.255 permitsrcaddr0.0.0.00.0.0.0 ThreadthreadA FilterfilterA AggregationSourceNode Period10 Port9991 StateActive DataSetPath/opt/CSCOnfc/Data Compression6 BinaryN MaxUsage500 ThreadthreadB FilterfilterA Filter filterB Aggregation DestPort Period 10 Port 9991 State Active DataSetPath /opt/CSCOnfc/Data Compression6 BinaryN MaxUsage500 ThreadthreadC Aggregation DestPort Period 10 Port 9991 State Active DataSetPath /opt/CSCOnfc/Data Compression6 BinaryN MaxUsage500
In the example, threadA uses filterA to include only the traffic passing through the export device 172.16.23.65, whereas threadB uses both filters---filterA to include only the traffic passing through the export device 172.16.23.65, and filterB to exclude traffic from network 172.16.0.0. All three threads flush their aggregated data every 10 minutes into data files saved in the /opt/CSCOnfc/Data directory.
The syntax for a filter definition is as follows:
filterfilter-name
{permit|deny}typevaluemask
.
.
.
{permit|deny}typevaluemask
filter | The keyword that identifies the definition as a filter. |
filter-name | The unique, user-specified name of the filter. The name can be up to 16 alphanumeric characters. |
permit | The keyword that keeps the data that matches the specified filter type and value. |
deny | The keyword that rejects the data that matches the specified filter type and value (matching flow data is ignored and not aggregated). |
type | The filter type. See Table 5-1 for a description of filter types. |
value | The value associated with the filter type. All filter types require a value. See Table 5-1 for a description of filter types and values. |
mask | Required if the filter uses the srcaddr, dstaddr, or nexthop type. The IP netmask that qualifies the IP address used as value. See Table 5-1 for a description. |
Filter keyword and variable entries are not case sensitive. Table 5-1 describes the default filter types provided with FlowCollector, the type of input required for the value, and whether the value requires a mask.
| Type | Value | Mask Required | Description |
|---|---|---|---|
Source IP address | Yes | Filter the input data based on the source IP address. If you use this type, you must provide the IP netmask that qualifies the source IP address. | |
Destination IP address | Yes | Filter the input data based on the destination IP address. If you use this type, you must provide the IP netmask that qualifies the destination IP address. | |
Source port number | No | Filter the input data based on the source port number. | |
Destination port number | No | Filter the input data based on the destination port number. | |
Source interface number | No | Filter the input data based on the source interface number. | |
Destination interface number | No | Filter the input data based on the destination interface number. | |
Next hop IP address | Yes | Filter the input data based on the next hop IP address. If you use this type, you must provide the IP netmask that qualifies the next hop IP address. | |
Protocol name | No | Filter the input data based on the protocol definitions in the nfknown.protocols file. For more information on protocol definitions, see the "Defining Protocols" section. | |
Protocol number | No | Filter the input data based on the protocol number in the flow record, where the protocol number corresponds to a protocol specified in the /etc/protocols file of your workstation. | |
Type of service | No | Filter the input data based on the type of service (ToS). | |
Source AS | No | Filter the input data based on the autonomous system number of the source, either origin or peer. | |
Destination AS | No | Filter the input data based on the autonomous system number of the destination, either origin or peer. |
When defining a filter, keep in mind the following qualifications:
filter kill-www denyDstport80
filter kill-www denyDstport80 permitDstaddr10.0.0.0255.255.255.255
FilterfilterA permitSrcaddr172.16.1.240.0.0.255 denySrcaddr192.168.0.00.0.255.255 denySrcport53 permitDstaddr10.0.0.0255.255.255.255
FilterfilterA denySrcaddr192.168.0.00.0.255.255 denySrcport53 permitSrcaddr172.16.1.240.0.0.255 permitSrcaddr10.0.0.0255.255.255.255
A thread is a set of defined attributes that tells FlowCollector how to aggregate the traffic flows stored on the workstation.
The syntax for a thread definition is as follows:
Thread thread-name [Filter filter-name] . . . [Filter filter-name] Aggregation scheme Period minutes Port value DataSetPath directory-path State active|inactive Compression value (1-9) Binary yes|no MaxUsage megabytes
The keywords and their arguments are listed on separate lines for legibility. Keyword and argument entries are not case sensitive. Table 5-2 lists thread attributes and variables.
| Attribute | Variable | Definition |
|---|---|---|
thread-name | Unique, user-defined name of the thread. Can be up to 16 alphanumeric characters. | |
filter-name | (Optional.) Unique name of a previously defined filter. You can specify one or more filters in a thread definition. When more than one filter is specified in a thread, the result is a logical AND of the functions defined in the filters. Filters can be shared among threads. For more information on filters, see the previous section, "Creating a Filter." | |
scheme | A way to summarize data collected by FlowCollector. For more information about aggregation schemes, see the "Aggregation Schemes" section. | |
minutes | The frequency, in minutes, for how often FlowCollector writes aggregated data from its memory buffers into a data file. Data received in each period is written into a separate file. For example, setting the period to 30 minutes generates two data files every hour. | |
value | UDP port number on which FlowCollector is expecting NetFlow data from NetFlow export devices. The valid range of ports is between 1024 and 65535. In a default FlowCollector installation, UDP ports 9995 and 9996 are automatically configured as the UDP ports FlowCollector uses to receive NetFlow exported data. These numbers are defined in the default set of threads provided as part of the FlowCollector installation. You can define other UDP port numbers by selecting a number in the range 1024 to 65535 and using that number as the value in the Port attribute of an active thread definition. | |
directory-path | Directory path used for storing the aggregated data (data files). If FlowCollector does not have write permission to the directory specified by a DataSetPath attribute in a thread definition, it uses $NFC_DIR as the root directory for the data files. For more details on data files, see "Understanding the FlowCollector Data File Format," for more information. | |
active or inactive | The state of a thread. With an active thread, FlowCollector aggregates data according to the attributes defined for the thread and produces data files; when the thread is inactive, FlowCollector does not aggregate data according to the attributes defined for the thread and does not produce data files. You can have a maximum of 10 active threads at any time. | |
|
| value between 1 and 9 | Value that determines different compression levels for data files. The default value is 6. A value of 1 provides quicker access, while a value of 9 provides the maximum amount of compression. Data files are compressed using the gzip compression scheme. Compressed data files are identified with a .gz file extension. Compression is supported on all aggregation schemes and can be configured locally though the NFUI or remotely through the NetFlow Configuration and Control protocol. If you change this setting in an NF_Thread while it is collecting data, the modified NF_Thread flushes its existing buffer based on the existing NF_Thread attributes and it starts again. A gunzip utility (nfc_gunzip) is located in the $NFC_DIR/tools directory to unzip these data files. |
|
| yes or no | Format of data files. Binary format data files are generated when this parameter is set to yes. When used in combination with the Compression parameter set to yes, small binary data files are generated that reduce the amount of disk space used by the data file and enhance system performance. Binary files that are generated without compression are identified with a .bin extension. Binary files that are generated with compression are identified with a .bin.gz extension. Binary data file creation is supported on all aggregation schemes (except RawFlows) and can be configured locally though the NFUI or remotely through the configuration and control protocol language documented in Appendix C. If you change this setting in an NF_Thread while it is collecting data, the modified NF_Thread flushes its existing buffer based on the existing NF_Thread attributes and starts again. |
|
| megabytes |
This option does not function if you are operating in FlowCollector 2.0-compatible mode. See the "Understanding Installation Modes" section on page 2-2 and the "Modifying FlowCollector Resources" section on page 5-24 for details on FlowCollector 2.0-compatible mode and for other options that affect disk space management. |
In the following example, thread Alpha uses the SourceNode aggregation scheme. FlowCollector creates a compressed binary data file in the directory /opt/CSCOnfc/Data every 30 minutes, keeps the last 24 data files per day, and specifies 500 MB in maximum disk space usage:
ThreadAlpha AggregationSourceNode Period30 Port9991 StateActive DataSetPath/opt/CSCOnfc/Data Compression 6 Binary yes MaxUsage 500
FlowCollector provides a library of predefined aggregation schemes (see Table 5-3) that you can use to determine the type of information that is aggregated and stored in the data files.
Each aggregation scheme consists of one or more key fields, which tell FlowCollector what to look for in the exported NetFlow datagram, and one or more value fields, which contain statistical information pulled from the exported NetFlow datagram. The key fields and value fields shown in Table 5-3 correspond to the fields found in Version 1, Version 5, Version 7, and Version 8 NetFlow export datagrams. Table 5-4 provides brief definitions of each key and value field. For more information about these three versions of the NetFlow export datagram format, see "NetFlow Export Datagram Format."
For example, the SourceNode aggregation scheme uses just one key field, srcaddr (source address), and returns data for three value fields: the total number of packets sent, the total number of bytes sent, and the total number of flows aggregated into this record. Other aggregation schemes offer different combinations of key and value fields (see Table 5-3) and are described individually in the sections that follow.
| Aggregation Scheme | Key Fields | Value Fields | ||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| srcaddr | dstaddr | srcport | dstport | protocol | protocol byte (prot) | ToS | input interface | output interface | nexthop | src_as | dst_as | masked srcaddr | masked dstaddr | src_mask | dst_mask | packet count | byte count | flow count | firstTimeStamp | lastTimeStamp | totalActiveTime | |
RawFlows |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SourceNode | · |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| · | · | · |
|
|
|
DestNode |
| · |
|
|
|
|
|
|
|
|
|
|
|
|
|
| · | · | · |
|
|
|
HostMatrix | · | · |
|
|
|
|
|
|
|
|
|
|
|
|
|
| · | · | · |
|
|
|
SourcePort |
|
| · |
|
|
|
|
|
|
|
|
|
|
|
|
| · | · | · |
|
|
|
DestPort |
|
|
| · |
|
|
|
|
|
|
|
|
|
|
|
| · | · | · |
|
|
|
Protocol |
|
|
|
| · |
|
|
|
|
|
|
|
|
|
|
| · | · | · |
|
|
|
DetailDestNode |
| · | · | · | · |
|
|
|
|
|
|
|
|
|
|
| · | · | · |
|
|
|
DetailHostMatrix | · | · | · | · | · |
|
|
|
|
|
|
|
|
|
|
| · | · | · | · | · |
|
DetailInterface | · | · |
|
|
|
|
| · | · | · |
|
|
|
|
|
| · | · | · |
|
|
|
CallRecord | · | · | · | · |
| · | · |
|
|
|
|
|
|
|
|
| · | · | · | · | · | · |
ASMatrix1 |
|
|
|
|
|
|
|
|
|
| · | · |
|
|
|
| · | · | · |
|
|
|
NetMatrix1 |
|
|
|
|
|
|
| · | · |
|
|
| · | · | · | · | · | · | · |
|
|
|
DetailSourceNode | · |
| · | · | · |
|
|
|
|
|
|
|
|
|
|
| · | · | · |
|
|
|
DetailASMatrix1 | · | · | · | · | · |
|
| · | · |
| · | · |
|
|
|
| · | · | · |
|
|
|
RouterAS2 |
|
|
|
|
|
|
| · | · |
| · | · |
|
|
|
| · | · | · | · | · | · |
RouterProtoPort2 |
|
| · | · | · |
|
|
|
|
|
|
|
|
|
|
| · | · | · | · | · | · |
RouterSrcPrefix2 |
|
|
|
|
|
|
| · |
|
| · |
| · |
| · |
| · | · | · | · | · | · |
RouterDstPrefix2 |
|
|
|
|
|
|
|
| · |
|
| · |
| · |
| · | · | · | · | · | · | · |
RouterPrefix2 |
|
|
|
|
|
|
| · | · |
| · | · | · | · | · | · | · | · | · | · | · | · |
AsHostMatrix1 | · | · |
|
|
|
|
|
|
|
| · | · |
|
|
|
| · | · | · | · | · | · |
HostMatrixInterface | · | · |
|
| · |
|
| · | · |
|
|
|
|
|
|
| · | · | · |
|
|
|
DetailCallRecord | · | · | · | · | · |
| · | · | · |
|
|
|
|
|
|
| · | · | · | · | · | · |
| Field | Description |
|---|---|
srcaddr | Source IP address |
dstaddr | Destination IP address |
srcport | TCP/UDP source port number or equivalent |
dstport | TCP/UDP destination port number or equivalent |
protocol | Name or label assigned to a protocol definition in the nfknown.protocols file |
protocol byte (prot) | IP protocol type (for example, TCP = 6; UDP = 17) |
ToS | IP type of service |
input interface | SNMP index of input interface |
output interface | SNMP index of output interface |
nexthop | IP address of next hop export device |
src_as | Autonomous system number of the source, either origin or peer |
dst_as | Autonomous system number of the destination, either origin or peer |
masked srcaddr | Source IP address masked with the source netmask (src_mask) |
masked dstaddr | Destination IP address masked with the destination netmask (dst_mask) |
src_mask | Source IP address prefix mask bits |
dst_mask | Destination IP address prefix mask bits |
packet count | Packets counted as part of this record |
byte count | Total number of Layer 3 bytes counted as part of this record |
flow count | Total number of flows aggregated into this record |
firstTimeStamp | Time, in UTC seconds, of the first packet summarized into this record |
lastTimeStamp | Time, in UTC seconds, of the last packet summarized into this record |
totalActiveTime | Sum of individual activetime for all the flows summarized into the current record |
The output of this aggregation scheme is an exact image of the NetFlow export datagram without aggregation and is stored in binary data files of n minutes' worth of data as specified by the Period attribute in the thread definition.
The output of this aggregation scheme consists of one record for each unique source IP address present in the flow data received by FlowCollector during the current collection period. Each output record contains the following fields:
Key field: | srcaddr |
Value fields: | packet count, byte count, flow count |
The output of this aggregation scheme consists of one record for each unique destination IP address present in the flow data received by FlowCollector during the current collection period. Each output record contains the following fields:
Key field: | dstaddr |
Value fields: | packet count, byte count, flow count |
The output of this aggregation scheme consists of one record for each unique source and destination IP address pair present in the flow data received by FlowCollector during the current collection period. Each output record contains the following fields:
Key fields: | srcaddr, dstaddr |
Value fields: | packet count, byte count, flow count |
The output of this aggregation scheme consists of one record for each unique source port present in the flow data received by FlowCollector during the current collection period. Each output record contains the following fields:
Key field: | srcport |
Value fields: | packet count, byte count, flow count |
Known source ports are defined in the nfknown.srcports file. Undefined source ports are aggregated as "Others" in the data file.
The output of this aggregation scheme consists of one record for each unique destination port present in the flow data received by FlowCollector during the current collection period. Each output record contains the following fields:
Key field: | dstport |
Value fields: | packet count, byte count, flow count |
Known destination ports are defined in the nfknown.dstports file. Undefined destination ports are aggregated as "Others" in the data file.
The output of this aggregation scheme consists of one record for each unique protocol (as defined in the nfknown.protocols file) present in the flow data received by FlowCollector during the current collection period. Each output record contains the following fields:
Key field: | protocol |
Value fields: | packet count, byte count, flow count |
Known protocols are defined in the nfknown.protocols file. Undefined protocols are aggregated as "Others" in the data file.
The output of this aggregation scheme consists of one record for each unique combination of destination IP address, source port, destination port, and protocol present in the flow data received by FlowCollector during the current collection period. Each output record contains the following fields:
Key fields: | dstaddr, srcport, dstport, protocol |
Value fields: | packet count, byte count, flow count |
Key fields: | srcaddr, dstaddr, srcport, dstport, protocol |
Value fields: | packet count, byte count, flow count, firstTimeStamp, lastTimeStamp |
The output of this aggregation scheme consists of one record for each unique combination of source IP address, destination IP address, input, output, and nexthop present in the flow data received by FlowCollector during the current collection period. Each output record contains the following fields:
Key fields: | srcaddr, dstaddr, input, output, nexthop |
Value fields: | packet count, byte count, flow count |
Key fields: | srcaddr, dstaddr, srcport, dstport, protocol byte, ToS |
Value fields: | packet count, byte count, flow count, firstTimeStamp, lastTimeStamp, totalActiveTime |
The output of this aggregation scheme consists of one record for each unique source and destination autonomous system number pair present in the flow data received by FlowCollector during the current collection period. Each output record contains the following fields:
Key fields: | src_as, dst_as |
Value fields: | packet count, byte count, flow count |
Key fields: | input interface, output interface, masked srcaddr, masked dstaddr, src_mask, dst_mask |
Value fields: | packet count, byte count, flow count |
The output of this aggregation scheme consists of one record for each unique combination of source IP address, source port, destination port, and protocol present in the flow data received by FlowCollector during the current collection period. Each output record contains the following fields:
Key fields: | srcaddr, srcport, destport, protocol |
Value fields: | packet count, byte count, flow count |
Key fields: | srcaddr, dstaddr, srcport, dstport, protocol, input interface, output interface, src_as, dst_as |
Value fields: | packet count, byte count, flow count |
Key fields: | input interface, output interface, src_as, dst_as |
Value fields: | packet count, byte count, flow count, firstTimeStamp, lastTimeStamp, totalActiveTime |
The output of this aggregation scheme consists of one record for each unique combination of source port, destination port, and protocol present in the flow data received by FlowCollector during the current collection period. Each output record contains the following fields:
Key fields: | srcport, destport, protocol |
Value fields: | packet count, byte count, flow count, firstTimeStamp, lastTimeStamp, totalActiveTime |
Key fields: | input interface, src_as, masked srcaddr, src_mask |
Value fields: | packet count, byte count, flow count, firstTimeStamp, lastTimeStamp, totalActiveTime |
Key fields: | output interface, dst_as, masked dstaddr, dst_mask |
Value fields: | packet count, byte count, flow count, firstTimeStamp, lastTimeStamp, totalActiveTime |
Key fields: | input interface, output interface, src_as, dst_as, masked srcaddr, masked dstaddr, src_mask, dst_mask |
Value fields: | packet count, byte count, flow count, firstTimeStamp, lastTimeStamp, totalActiveTime |
Key fields: | srcaddr, dstaddr, src_as, dst_as |
Value fields: | packet count, byte count, flow count, firstTimeStamp, lastTimeStamp, totalActiveTime |
Key fields: | srcaddr, dstaddr, protocol, input interface, output interface |
Value fields: | packet count, byte count, flow count |
Key fields: | srcaddr, dstaddr, srcport, dstport, protocol, ToS, input interface, output interface |
Value fields: | packet count, byte count, flow count, firstTimeStamp, lastTimeStamp, totalActiveTime |
Use the information in this section to define the protocols that you want FlowCollector to recognize as it aggregates data. The protocols FlowCollector recognizes are defined in the nfknown.protocols file, located in the $NFC_DIR/config directory.
FlowCollector recognizes the protocol and aggregates traffic statistics associated with the protocol only when the following conditions are met:
Figure 5-2 shows an example of a typical communication session between Host A and Host B. This example assumes that NetFlow data export is enabled for the export device interfaces to both Host A and Host B so that exported NetFlow data gives FlowCollector statistics for communication in both directions (A to B; B to A). In this example, FlowCollector aggregates data for two protocols--- Telnet and FTP---between Host A (the Telnet server, using port 23) and Host B (the Telnet client, using port 9001).
Whether the aggregated data is stored in data files for later retrieval depends on how FlowCollector is customized.
Table 5-5 lists the raw data received in the data collection example shown in Figure 5-2.
| Source Address | Destination Address | Source Port | Destination Port | Protocol Byte | Packets | Bytes |
|---|---|---|---|---|---|---|
A | B | 23 | 9001 | 6 | 20 | 2000 |
B | A | 9001 | 23 | 6 | 30 | 1000 |
A | B | 20 | 9002 | 6 | 20 | 200 |
B | A | 9002 | 20 | 6 | 50 | 300 |
When you add the Telnet protocol definition to the nfknown.protocols file, the data file produced by the protocol aggregation scheme contains a row with 50 packets (20 plus 30) and 3000 bytes (2000 plus 1000).
In this example, no FTP protocol definition was added to the nfknown.protocols file, so the data file also has another row for "Others" (including the FTP data) containing 70 packets (20 plus 50) and 500 bytes (200 plus 300).
The protocols listed in the nfknown.protocols file are used by the aggregation schemes and protocol filters you define in the nfconfig.file. To configure the protocols that FlowCollector recognizes, you must edit the nfknown.protocols file and add a definition that includes the following information:
The command syntax for a protocol definition is
protocolname [[srcport|dstport]number[OR[srcport|dstport]number]] protvalue
where:
protocol | Keyword that identifies the definition as a protocol. |
name | Unique, user-specified name of the protocol definition. Can be up to 16 alphanumeric characters. |
srcport | Source port. |
dstport | Destination port. |
number | Port number. |
OR | (Optional.) Provides a Boolean OR functionality when you have more than one srcport or dstport. |
prot | Protocol byte. |
value | Protocol type (similar to those specified in the /etc/protocols file on a UNIX workstation; for example, TCP = 6, UDP = 17). |
The known protocols (such as WWW, Telnet, and FTP) listed in the nfknown.protocols files are similar to the definitions specified in the /etc/services file of a UNIX workstation. For information about the protocols and protocol types supported on your workstation, refer to the protocols file in the /etc directory on your workstation.
The protocol definitions in the nfknown.protocols file cause FlowCollector to recognize the protocols originating from or terminating on the specified ports. For example, in the sample protocol list shown below, the first protocol definition uses the OR option to cause FlowCollector to recognize traffic flows for all Telnet sessions originating from or terminating on port 23.
ProtocolTCP-Telnet Dstport23 OR Srcport23 Prot6 ProtocolTCP-FTP Srcport 20 OR Srcport 21 OR Dstport 20 OR Dstport 21 Prot 6 ProtocolTCP-WWW Dstport 80 OR Srcport 80 Prot 6 ProtocolTCP-SMTP Srcport 25 OR Dstport 25 Prot 6 ProtocolTCP-Other Prot 6 ProtocolUDP-TFTP Srcport 69 OR Dstport 69 Prot 17
Use the information in this section to specify the source and destination port numbers from which FlowCollector collects and aggregates data. The port numbers FlowCollector recognizes are defined in the following files, located in the $NFC_DIR/config directory:
FlowCollector uses the contents of the nfknown.srcports and nfknown.dstports files in any aggregation scheme that uses the SourcePort and DestPort fields. When you add a port definition to either of these files, traffic to or from the defined port is counted separately in the data file. Unrecognized ports (ports not defined in their respective files) are aggregated as "Others" in the
data file.
The command syntax for a port number, range of port numbers, or range grouped under an assigned label is:
value[,value[:label]] . . . value[,value[:label]]
where:
value | A number between 0 and 65535. |
label | (Optional.) An alphanumeric ASCII string of up to 16 characters. |
A range of ports is defined by using a comma to separate two numbers (an optional space can be added for legibility). A range can span any set of ports up to the maximum number of ports available on the system (currently 65,535). The following example shows a range of ports:
50, 100
You can also define a range of source or destination ports to be treated as one logical port, and assign a label to represent that range of ports. The following example shows a range of ports to be treated as the logical port named 10K_19K_Pt_Rng.
10000, 19999: 10K_19K_Pt_Rng
In this case, traffic is aggregated and reported for the logical port 10K_19K_Pt_Rng, rather than for each of the individual port numbers in the range.
The following example shows the contents of a sample nfknown.srcports file:
21:ftp 88 50, 100 10000, 19999: 10K_19K_Pt_Rng 20000, 29999: My_Range 40000, 49999: My_Range
In the preceding example the meaning of the entries is as follows:
21:ftp | Indicates that a flow with a port number of 21 is aggregated under the label ftp in the data file. |
88 | Indicates that a flow with a port number of 88 is aggregated under the label 88 in the data file. |
50, 100 | Indicates that a flow with a port number in the range from 50 to 100 is aggregated under a label that is the same as its port number. For example, if a flow has the port number 75, the label of the flow in the data file is 75. Flows within the range, but with different port numbers, are aggregated individually in the data file. |
10000, 19999: 10K_19K_Port_Rng | Indicates that the port number of any port in the range is replaced by the label 10K_19K_Port_Rng, and that flows within the range are aggregated together under the label 10K_19K_Port_Rng in the data file. |
20000, 29999: My_Range | Indicate that the port number of any port in the two ranges is replaced by the label My_Range, and that flows within the specified ranges are aggregated together under the label My_Range in the data file. |
Use the information in this section to specify the source and destination autonomous systems from which FlowCollector collects and aggregates data. The autonomous systems FlowCollector recognizes are defined in the following files, located in the $NFC_DIR/config directory:
FlowCollector uses the contents of the nfknown.srcasns and nfknown.dstasns files in aggregation schemes that make use of source or destination autonomous system numbers. When you add an autonomous system definition to either of these files, traffic to or from the autonomous system is counted separately in the data file. Any unrecognized autonomous system numbers (autonomous system numbers not defined in their respective files) are aggregated together and appear as "Others" in the data file.
The following example shows the contents of an nfknown.srcasns file.
1: Your_Network 2 10, 15 20, 30: My_Network 35, 40: My_Network
In this example, the entry:
1: Your_Network | Indicates that a flow with an autonomous system number of 1 is aggregated under the label Your_Network in the data file. |
2 | Indicates that a flow with an autonomous system number of 2 is aggregated under the label 2 in the data file. |
10, 15 | Indicates that a flow with an autonomous system number in the range from 10 to 15 is aggregated under a label that is the same as its autonomous system number. For example, if a flow has the autonomous system number 13, the label of the flow in the data file is 13. Flows within the range, but with different autonomous system numbers, are aggregated individually in the data file. |
20, 30: My_Network | Indicate that the autonomous system number is replaced by the label My_Network, and that flows within the specified ranges are aggregated together in the data file under the label My_Network in the data file. |
Table 5-6 describes the available configuration parameters and their values.
| Flag | Possible Values | Description | Default Value |
|---|---|---|---|
Yes | Writes the IP address to the data files in dotted decimal format, for example, 172.16.3.100. | Yes | |
Yes | Uses a comma (,) as the delimiter in writing aggregation output. | No | |
Yes | Sets the output file extension to add the year, month, and day to the hour and minute, for example, | No | |
Yes | Uses the Greenwich Mean Time reference to set date and time. | Yes | |
Yes | Uses the IP address of the sending export device for storage. | Yes | |
SOURCENODE_BUCSIZE | Varies according to configuration | Controls performance. The term BUCSIZE refers to the number of buffer pages set aside to hold aggregated data for a given aggregation scheme. | 2000 |
Buffer size (in bytes) | Specifies the size of the UDP socket receive buffer. | 900000 | |
List of IP addresses | Allows a user-specified IP address or label to be substituted for a list of IP addresses from which FlowCollector can receive NetFlow export datagrams. | Disabled | |
List of IP addresses | Allows packets to be filtered by source address (or by defined ROUTER_GROUPNAME label). For more information, see the "Preventing FlowCollector from Accepting Unsolicited Packets" section. | Disabled | |
Yes | Uses the address of the router being bypassed (shortcut) as the source of the corresponding flow. | No | |
Path name and filename | Specifies the location of a user-supplied script. | Disabled | |
1, 2, 4, 8, 16 | Specifies the size (in megabytes) of the memory buffer FlowCollector uses for I/O operations. | 4 | |
User name | Specifies the registered FlowCollector user. Only root and this specified user can access or modify FlowCollector configuration items and statistics from a remote location. | nfcuser | |
Hours | Specifies the number of hours between each data file CLEANUP_JOB. Setting this parameter to zero disables this feature. | 24 hours | |
Path name and filename | Specifies the location of the script or program that is run at the end of the time period specified in the CLEANUP_INTERVAL parameter. This script could be the default shell script, a user-defined script, or a binary program file. The default shell script path and filename is $NFC_DIR/bin/nfc_clean_up_job.sh. | Shell script supplied by FlowCollector that deletes any files older than 7 days | |
Percentage | Specifies a disk usage threshold percentage level. Every time a data file is written to disk, information on disk space usage is obtained. If disk space usage exceeds the specified percentage value, one unsolicited event notification (UEN) is sent. Future UENs are sent only after disk space levels have fallen below the percentage amount specified in the DISK_USAGE_CLEAR_THRESHOLD value. Setting this parameter to zero disables this feature. | 85% | |
Percentage | An "all-clear" UEN is sent when disk usage falls below this threshold percentage value once a DISK_USAGE_THRESHOLD UEN has been sent. | 75% | |
|
| Yes | Instructs FlowCollector 3.0 to generate
FlowCollector 3.0-compatible files and directories are generated. | Yes |
|
| IP Address, port | Specifies a list of the IP addresses and ports (or DNS system names and ports) of the client programs running to receive unsolicited event notifications (UENs). For example, an entry "flow-ultra1, 12345" implies that a program executing on flow-ultra1 and listening to port 12345 would receive UENs dispatched by the NFCGW. | None |
Because of the high volume of NetFlow data export traffic, you might have to increase the normal buffer size associated with the UDP socket on which data is received. To do so, edit the value
(in bytes) of the SOCKET_BUFSIZE parameter in the $NFC_DIR/config/nf.resources file.
You can substitute a user-specified IP address or label for a set of IP addresses from which FlowCollector receives NetFlow export datagrams. For example, you can specify the label "blab-gateway" as the label representing packets coming from three separate IP addresses: 172.16.1.172, 172.16.1.173, and 192.68.1.25.
To do this, you must edit the ROUTER_GROUPNAME parameter in the nf.resources file. The syntax is
ROUTER_GROUPNAMElabel {
a.b.c.d
.
.
.
w.x.y.z
}
where label is either an IP address or an ASCII word. Each of the IP addresses in the body of the ROUTER_GROUPNAME block must be on a separate line. An example of a ROUTER_GROUPNAME definition follows:
ROUTER_GROUPNAMEblab-gateway {
172.16.1.172
172.16.1.173
192.68.1.25
}
If applicable, the mapped ROUTER_GROUPNAME parameter is used with all aggregation schemes, but FlowCollector uses the real IP address to report errors involving receipt of an invalid or unsolicited NetFlow export packet.
In its default configuration, FlowCollector accepts NetFlow export packets from any IP address. If necessary, you can specify the source IP addresses or defined ROUTER_GROUPNAME labels from which FlowCollector should receive NetFlow export packets, thus preventing FlowCollector from accepting packets from any unspecified sources.
To do this, you must remove the comment character from the beginning of each line in the ACCEPT_PACKETS_FROM parameter in the nf.resources file and edit the parameter to include the source IP addresses or ROUTER_GROUPNAME labels. The syntax of the parameter is
ACCEPT_PACKETS_FROM {
a.b.c.d
.
.
.
w.x.y.z
}
where each of the IP addresses (or ROUTER_GROUPNAME labels) defined in the body of the ACCEPT_PACKETS_FROM block must be on a separate line. An example of a ACCEPT_PACKETS_FROM definition follows:
ACCEPT_PACKETS_FROM {
172.31.2.1
172.31.2.2
172.31.2.3
blab_gateway
}
For information on ROUTER_GROUPNAME labels, see the previous section, "Mapping a List of IP Addresses to One IP Address or Label."
If your network includes switching devices that support Version 7 (Catalyst 5000 series switch with an NFFC) NetFlow export datagrams, you can configure FlowCollector to retain the IP address of the shortcut router as the source of data switched through a Cisco Catalyst 5000 series switch. To do this, you must edit the USE_SHORT_CUT_ADDRESS_AS_SOURCE_IP parameter in the nf.resources file. The syntax of the parameter is
USE_SHORT_CUT_ADDRESS_AS_SOURCE_IP value
where value is either yes or no. The default setting is no. If you change the setting to yes, FlowCollector uses the IP address of the bypassed router as the source of the corresponding flow.
You can specify the location of a script file that FlowCollector executes after it has written a new data file. This capability makes it easier for your client applications to process a new data file without having to poll for it. FlowCollector invokes the script with the absolute path name of the newly written FlowCollector data file. FlowCollector expects the location of your user-supplied script to be defined by the USER_SCRIPT_LOCATION parameter in the nf.resources file. This parameter is read only at startup.
To use the USER_SCRIPT_LOCATION parameter, perform the following steps:
Step 1 Remove the comment character from the beginning of the USER_SCRIPT_LOCATION entry in the nf.resources file, so that it looks like this:
USER_SCRIPT_LOCATION/opt/CSCOnfc/bin/userscript.sh
Step 2 Replace the existing path name with the path name for your script.
For example, if the path name for your script is /opt/CSCOnfc/my_script.sh, the revised parameter should read:
USER_SCRIPT_LOCATION/opt/CSCOnfc/my_script.sh
FlowCollector transfers output data in blocks to optimize performance and ensure the most efficient handling of data files as they are generated and written as disk files. The size of a block is user-configurable, and defined by the OUTPUT_BUFFER_SIZE parameter in the nf.resources file. The syntax of the parameter is
OUTPUT_BUFFER_SIZE size
where size is the new block size in megabytes (MB). The valid sizes are 1, 2, 4, 8, and 16 MB. The recommended setting is approximately 1/32 of the physical memory installed in the FlowCollector workstation. For example, if the physical memory of your FlowCollector workstation is 128 MB, the best setting is 4. If you inadvertently enter an invalid number, FlowCollector uses the next smaller valid number. For example, if your system is equipped with 128 MB and you enter the number 6, FlowCollector uses the next smaller valid number, 4, as the output buffer size.
The Daemon (NFCD) provides high availability to the FlowCollector system. The Daemon is loaded as a configuration file is called nfcd.config when the system is booted. It is located in the $NFC_DIR/config directory. The Daemon performs the following functions:
See Table 5-7 for nfcd.config parameter descriptions.
The following is an example of an nfcd.config file:
--------------------Begin nfcd.config --------------------
NFCD_LOGFILE /opt/CSCOnfc/logs/nfcd.log
MAX_RESTART_ATTEMPTS 3
APPLICATION {
PATH /opt/CSCOnfc/bin/NFCollector
PROGRAMFLAGS
RESTART Yes
AUTOSTART Yes
TMPFILES /tmp/nfcollector.pid
SCHEDULING_PRIORITY {
SCHEDULING_CLASS RealTime
DEFAULT_PRIORITY -20
}
}
APPLICATION {
PATH /opt/CSCOnfc/bin/NFCGW
PROGRAMFLAGS -i
RESTART Yes
AUTOSTART Yes
RETRY_INTERVAL 120
TMPFILES /tmp/nfcgw.pid /tmp/nfc.events
SCHEDULING_PRIORITY {
SCHEDULING_CLASS RealTime
DEFAULT_PRIORITY -20
}
}
--------------- End of nfcd.config ------------------------
| Parameter | Variable Type | Description | Default | ||||||
|---|---|---|---|---|---|---|---|---|---|
NFCD_LOGFILE | NFCD Config | Name and location of the nfcd.log file. | $NFC_DIR/logs | ||||||
MAX_RESTART_ATTEMPTS | NFCD Config | Number of times that NFCD attempts to automatically restart NFCollector and NFCGW if they terminate abnormally. | 3 | ||||||
PATH | APPLICATION | Path of NFCollector and NFCGW executable files. | $NFC_DIR/bin | ||||||
PROGRAMFLAGS | APPLICATION | Flags used in invoking NFCollector and NFCGW. This can be used to pass "-i" to NFCGW, turning off authentication on HP-UX platforms. | Empty string | ||||||
RESTART (Yes/No) | APPLICATION | Specifies whether NFCollector and NFCGW should be restarted by NFCD upon an abnormal exit. | No | ||||||
RETRY_INTERVAL | APPLICATION | If RESTART is set to Yes, this parameter specifies the number of seconds to wait before attempting to restart NFCollector and NFCGW. | 1 second | ||||||
AUTOSTART (Yes/No) | APPLICATION | Specifies whether NFCollector and NFCGW should be started when NFCD is started. | No | ||||||
TMPFILES | APPLICATION | List of temporary files used by NFCollector and NFCGW. Not user- configurable. | NA | ||||||
SCHEDULING_CLASS | APPLICATION/ SCHEDULING_PRIORITY | The scheduling class of the process executing NFCollector and NFCGW. Values include RealTime or TimeShared. This parameter is supported only on Solaris systems. For more details refer to the "priocntl" or "nice" Solaris man pages. | TimeShared | ||||||
DEFAULT_PRIORITY | APPLICATION/ SCHEDULING_PRIORITY | The default priority of the process. Acceptable values are in the range of [-20, 20]. This value applies to time-shared scheduling and is used when one of these conditions occurs.
| 0 |
Depending on the volume of flow data being exported from the export devices, as well as the FlowCollector thread attribute settings you use, FlowCollector can consume large amounts of disk space in a short period. FlowCollector provides several thread attributes and features that can help you manage your disk space usage:
You can estimate the amount of UDP traffic that an export device generates when NetFlow data export is enabled. To do this you must understand the characteristics of the traffic in your network, including the average packets per second of switching throughput and the average number of packets per flow.
For example, if the average throughput on a NetFlow enabled export device is 150 pps and the average number of packets per flow is 100, you may have approximately 1500 flow records per second (150 x 100) to be exported by the export device. If NetFlow data export format Version 5 datagrams are used, you should expect approximately 50 NetFlow export datagrams per second (1500 flows/30 per export datagram) or 45 KB per second (30 x 1500 bytes per datagram) from the export device.
Optional parameters are available on a per NF_Thread basis to limit disk space and improve system performance at the same time. These parameters are documented in the "Creating a Thread" section. These parameters include:
The nf.resources file contains parameters that assist in managing disk space. See the "Modifying FlowCollector Resources" section for more details. These parameters include:
When FlowCollector encounters an error or needs to issue a warning on some aspect of FlowCollector operations, it generates messages to inform the user that something is wrong and needs to be addressed. These messages are called unsolicited event notifications (UENs). These messages do not appear within the FlowCollector application. Instead, they consist of UDP packets that are sent by NFCollector and received at the IP address and port number specified in the nf.resources file.
UENs are not enabled by default. You must edit the nf.resources file and indicate the
IP address and port (or the DNS system name and port) where a client application is running and listening for these events. This parameter supports multiple entries formatted as a list.
Posted: Fri Jul 9 11:08:55 PDT 1999
Copyright 1989-1999©Cisco Systems Inc.