Debugging cflowd Flow Aggregation

To collect the cflowd flows in a log file before they are exported, include the local-dump statement at the [edit forwarding-options sampling output cflowd hostname] hierarchy level:

local-dump;

By default, the flows are collected in /var/log/sampled; to change the filename, include the filename statement at the [edit forwarding-options sampling traceoptions] hierarchy level. For more information about changing the filename, see Configuring Traffic Sampling Output.

NOTE: Because the local-dump statement adds extra overhead, you should use it only while debugging cflowd problems, not during normal operation.

The following is an example of the flow information. The AS number exported is the origin AS number. All flows that belong under a cflowd header are dumped, followed by the header itself:

Jun 27 18:35:43 v5 flow entry

Jun 27 18:35:43    Src addr: 192.53.127.1 

Jun 27 18:35:43    Dst addr: 192.6.255.15 

Jun 27 18:35:43    Nhop addr: 192.6.255.240 

Jun 27 18:35:43    Input interface: 5

Jun 27 18:35:43    Output interface: 3

Jun 27 18:35:43    Pkts in flow: 15

Jun 27 18:35:43    Bytes in flow: 600 

Jun 27 18:35:43    Start time of flow: 7230 

Jun 27 18:35:43    End time of flow: 7271 

Jun 27 18:35:43    Src port: 26629 

Jun 27 18:35:43    Dst port: 179 

Jun 27 18:35:43    TCP flags: 0x10 

Jun 27 18:35:43    IP proto num: 6 

Jun 27 18:35:43    TOS: 0xc0 

Jun 27 18:35:43    Src AS: 7018

Jun 27 18:35:43    Dst AS: 11111

Jun 27 18:35:43    Src netmask len: 16

Jun 27 18:35:43    Dst netmask len: 0

[... 41 more version 5 flow entries; then the following header:]

Jun 27 18:35:43 cflowd header:

Jun 27 18:35:43   Num-records: 42

Jun 27 18:35:43   Version: 5

Jun 27 18:35:43   Flow seq num: 118

Jun 27 18:35:43   Engine id: 0

Jun 27 18:35:43   Engine type: 3