Hi folks, this is actual operational question so excuse the interruption in the fiber cut du jour thread. I have a cisco 7500 series router with v11.1(CC) code. I have cflowd running on a Dell PIII system with an IDE hard drive (thankfully fairly large) under RedHat Linux 6.1 . cflowd and friends are compiled with -mcpu=i686 . I have configured a generous cache size of 65535 on the router but it only uses 1024 entries anyway. show ip cache flow says that: IP Flow Switching Cache, 69632 bytes 1002 active, 22 inactive, 3045004972 added 2253347804 ager polls, 0 flow alloc failures Exporting flows to x.x.x.x (2055) Exporting using source interface Loopback0 Version 6 flow records, origin-as Active flows timeout in 60 minutes 3045003952 flows exported in 112978700 udp datagrams, 0 failed last clearing of statistics 5d05h The collector machine is getting hammered on the data collection.
From the log: Apr 1 20:20:19 plan9 cfdcollect[28872]: [I] wrote data for router 172.16.1.2 Apr 1 20:20:19 plan9 cfdcollect[28872]: [I] connected to localhost:2056 Apr 1 20:20:19 plan9 cflowd[16312]: [I] sent data to 216.70.64.120:1877 Apr 1 20:20:22 plan9 cflowd[29964]: [I] missed 195585 of 220926 flows from 172. 16.1.2 engine 0 agg_method 0 (88.5296% loss) Apr 1 20:20:57 plan9 cfdcollect[28872]: [I] localhost has data for 1 router. Apr 1 20:20:59 plan9 cfdcollect[28872]: [I] got data for router 172.16.1.2 from localhost Apr 1 20:20:59 plan9 cfdcollect[28872]: [I] wrote data for router 172.16.1.2 Apr 1 20:20:59 plan9 cfdcollect[28872]: [I] connected to localhost:2056 Apr 1 20:20:59 plan9 cflowd[16315]: [I] sent data to 216.70.64.120:1878 Apr 1 20:21:02 plan9 cflowd[29964]: [I] missed 168234 of 248568 flows from 172. 16.1.2 engine 0 agg_method 0 (67.6813% loss)
At this point, cfdcollect is set to minPollInterval of 15 but I still lose data at peak (sure, at 10am on a weekday its no problem to keep up...) cflowd is configured for FLOWFILELEN: 2097152 and to keep 70 raw flow files. I had pretty much the same % loss with 1Mb flow files and only keeping 10 . I'm thinking that perhaps disk I/O is a problem with cfdcollect and cflowd on 1 machine with 1 disk. Two physical disks (Ultra Wide Fast SCSI) might help keep up. Thanks Dana Hudes