Checking Your Work

[Contents] [Prev] [Next] [Index] [Report an Error]

Checking Your Work
To verify that your flow collector configuration is working, use the following commands on the monitoring station that is configured for flow collection:

clear services flow-collector statistics

request services flow-collector change-destination (primary | secondary)

request services flow-collector test-file-transfer

show services flow-collector file interface (detail | extensive | terse)

show services flow-collector (detail | extensive)

show services flow-collector input interface (detail | extensive | terse)

The following section shows the output of the show commands used with the configuration example:
user@router1> show services flow-collector input interface cp-6/0/0 detail
Interface                      Packets        Bytes
mo-7/1/0.0                        6170      8941592
user@router1> show services flow-collector interface all detail
Flow collector interface: cp-6/0/0
Interface state: Collecting flows
  Packets     Bytes     Flows Uncompressed  Compressed     FTP bytes FTP files
                                     Bytes       Bytes
     6736   9757936    195993     21855798     3194148             0         0
Flow collector interface: cp-7/0/0
Interface state: Collecting flows
  Packets     Bytes     Flows Uncompressed  Compressed     FTP bytes FTP files
                                     Bytes       Bytes
        0         0         0            0           0             0         0
user@router1> show services flow-collector input interface cp-6/0/0 extensive
Interface                      Packets        Bytes
mo-7/1/0.0                        6260      9074096
user@router1> show services flow-collector interface cp-6/0/0 extensive
Flow collector interface: cp-6/0/0
Interface state: Collecting flows
Memory:
    Used: 19593212, Free: 479528656
Input:
    Packets: 6658, per second: 0, peak per second: 0
    Bytes: 9647752, per second: 12655, peak per second: 14311
    Flow records processed: 193782, per second: 252, peak per second: 287
Allocation:
    Blocks allocated: 174, per second: 0, peak per second: 0
    Blocks freed: 0, per second: 0, peak per second: 0
    Blocks unavailable: 0, per second: 0, peak per second: 0
Files:
    Files created: 1, per second: 0, peak per second: 0
    Files exported: 0, per second: 0, peak per second: 0
    Files destroyed: 0, per second: 0, peak per second: 0
Throughput:
    Uncompressed bytes: 21075152, per second: 52032, peak per second: 156172
    Compressed bytes: 3079713, per second: 7618, peak per second: 22999
Packet drops:
    No memory: 0, Not IP: 0
    Not IPv4: 0, Too small: 0
    Fragments: 0, ICMP: 0
    TCP: 0, Unknown: 0
    Not JUNOS flow: 0
File Transfer:
    FTP bytes: 0, per second: 0, peak per second: 0
    FTP files: 0, per second: 0, peak per second: 0
    FTP failure: 0
Export channel: 0   
    Current server: Secondary
    Primary server state: OK, Secondary server state: OK
Export channel: 1
    Current server: Secondary
    Primary server state: OK, Secondary server state: OK
user@router1> show services flow-collector file interface cp-6/0/0 terse
File name                                                        Flows State
cFlowd-py69Ni69-0-20031112_014301-so_3_0_0_0.bcp.bi.gz          185643 Active
user@router1> show services flow-collector file interface cp-6/0/0 detail
Filename: cFlowd-py69Ni69-0-20031112_014301-so_3_0_0_0.bcp.bi.gz
  Throughput:
    Flow records: 187067, Uncompressed bytes: 21121960, Compressed bytes: 
2965643
  Status:
    State: Active, Transfer attempts: 0
user@router1> show services flow-collector file interface cp-6/0/0 extensive
Filename: cFlowd-py69Ni69-0-20031112_014301-so_3_0_0_0.bcp.bi.gz
  Throughput:
    Flow records: 188365, per second: 238, peak per second: 287
    Uncompressed bytes: 21267756, per second: 27007, peak per second: 32526
    Compressed bytes: 2965643, per second: 0, peak per second: 22999
  Status:
    Compressed blocks: 156, Block count: 156
    State: Active, Transfer attempts: 0
To clear statistics for a flow collector interface, issue the clear services flow-collector statistics interface (all | interface-name) command.

Another useful flow collector option allows you to change the FTP server from primary to secondary and test for FTP transfers. To force the flow collector interface to use a primary or secondary FTP server, include the primary or secondary option when you issue the request services flow-collector change-destination interface cp-fpc/pic/port command.

If you configure only one primary server and issue this command with the primary option, you receive the error message "Destination change not needed." If the secondary server is not configured and you issue this command with the secondary option, you receive the error message "Destination not configured." Otherwise, when both servers are configured properly, successful output appears as follows.
user@router1> request services flow-collector change-destination interface 
cp-6/0/0 primary
Flow collector interface: cp-6/0/0
Interface state: Collecting flows
Destination change successful
user@router1> request services flow-collector change-destination interface 
cp-6/0/0 secondary
Flow collector interface: cp-6/0/0
Interface state: Collecting flows
Destination change successful
Other options for the request services flow-collector change-destination interface cp-fpc/pic/port command are immediately (which forces an instant switchover), gracefully (the default behavior that allows a gradual switchover), clear-files (which purges existing data files), and clear-logs (which purges existing log files).

To verify that transfer log files are being scheduled for delivery to the FTP servers, issue the request services flow-collector test-file-transfer filename interface cp-fpc/pic/port command. Include the desired export channel (zero or one) and target FTP server (primary or secondary) with this command.
user@router> request services flow-collector test-file-transfer test_file 
interface cp-6/0/0 channel-one primary
Flow collector interface: cp-6/0/0
Interface state: Collecting flows
Response: Test file transfer successfully scheduled 
Another way you can check for the success of your file transfers is by analyzing the transfer log. A transfer log sends detailed information about files that are collected and processed by the flow collector interface. Table 28 explains the various fields available in the transfer log.

Table 28: Flow Collector Interface Transfer Log Fields

Field

Explanation

fn

Filename

sz

File size

nr

Number of records

ts

Time stamp with the format of year (4 digits), month (2 digits), day (2 digits), hours (2 digits), minutes (2 digits), and seconds (2 digits).

sf

Success flag—The values are 1 for success and 0 for failure.

ul

Server URL

rc

FTP result code

er

FTP error text

tt

Transfer time

This is an example of a successful transfer log:
fn="cFlowd-py69Ni69-0-20040227_230438-at_4_0_0_4_3.bcp.bi.gz":sz=552569:nr=20000
:ts="20040227230855":sf=1:ul="ftp://10.63.152.1/tmp/server1/:"rc=250:er=""

:tt=3280
This is an example of a transfer log when an FTP session fails:
fn="cFlowd-py69Ni69-0-20040227_230515-at_4_0_0_2_8.bcp.bi.gz":sz=560436:nr=20000
:ts="20040227230855":sf=1:ul="ftp://10.63.152.1/tmp/server1/:"rc=250:er=""

:tt=3290
As the flow collector interface receives and processes cflowd records, the PIC services logging process (fsad) handles the following tasks:

When the flow collector interface transfers a file to the FTP server, a temporary log file is created in the /var/log/flowc directory. The temporary log file has this filenaming convention:

<hostname>_<filename_prefix>_YYYYMMDD_hhmmss.tmp

hostname is the hostname of the transfer server, filename_prefix is the same value defined with the filename-prefix statement at the [edit services flow-collector transfer-log-archive] hierarchy level, YYYYMMDD is the year, month, and date, and hhmmss is the timestamp indicating hours, minutes, and seconds.

After the log file has been stored in the routing platform for the length of time specified by the maximum-age statement at the [edit services flow-collector transfer-log-archive] hierarchy level (the default is 120 minutes), the temporary log file is converted to an actual log file and the temporary file is deleted. The new log file retains the same naming conventions, except the extension is *.log.

When the final log file is created and compressed, the PIC services logging process (fsad) tries to send the log file from the /var/log/flowc directory to an FTP server. You can specify up to five FTP servers to receive the log files by including the archive-sites statement at the [edit services flow-collector transfer-log-archive] hierarchy level. The logging process attempts to send the log file to one server at a time, in order of their appearance in the configuration. Upon the first successful transfer, the log file is deleted and the logging process stops sending log files to the remaining FTP servers in the list.

If the log file transfer is not successful, the log file is moved to the /var/log/flowc/failed directory. Every 30 minutes, the logging process tries to resend the log files. After the log files are transferred successfully, they are deleted from the /var/log/flowc/failed directory.

NOTE: If the memory for a flow collector interface is full, the interface might drop incoming packets.

After the flow collector interface successfully delivers the processed information file to the FTP server, you can analyze the file. The file contains detailed information about the flows collected and processed by the flow collector interface. Table 29 explains the various fields available in the flow collector interface file.

Table 29: Flow Collector Interface File Fields in Order of Appearance

Field

Explanation

linkDir

Link directory—A randomly generated number used to identify the record

analyzer-address

Analyzer address

analyzer-ID

Analyzer identifier

ifAlias

Interface identifier

source-address

Source address

destination-address

Destination address

packets

Number of packets

bytes

Number of bytes

start-time

Start time

end-time

End time

source-port

Source port

destination-port

Destination port

tcp_flag

TCP flag

protocol

IP protocol number

src_AS_number

Source AS number

dst_AS_number

Destination AS number

This is an example of output from a flow collector interface file:
11799241612374557782|10.10.10.1|server1|at_4_0_0_4|192.168.10.100|10.0.0.1|8|
3136|1077926402|1077926402|8224|12336|27|6|0|0

Field	Explanation
`fn`	Filename
`sz`	File size
`nr`	Number of records
`ts`	Time stamp with the format of year (4 digits), month (2 digits), day (2 digits), hours (2 digits), minutes (2 digits), and seconds (2 digits).
`sf`	Success flag—The values are `1` for success and `0` for failure.
`ul`	Server URL
`rc`	FTP result code
`er`	FTP error text
`tt`	Transfer time

Field	Explanation
`linkDir`	Link directory—A randomly generated number used to identify the record
`analyzer-address`	Analyzer address
`analyzer-ID`	Analyzer identifier
`ifAlias`	Interface identifier
`source-address`	Source address
`destination-address`	Destination address
`packets`	Number of packets
`bytes`	Number of bytes
`start-time`	Start time
`end-time`	End time
`source-port`	Source port
`destination-port`	Destination port
`tcp_flag`	TCP flag
`protocol`	IP protocol number
`src_AS_number`	Source AS number
`dst_AS_number`	Destination AS number

[Contents] [Prev] [Next] [Index] [Report an Error]