Logging cflowd Flows on M and T Series Routers Before Export
To collect the cflowd flows in a log file before they are exported, include the local-dump statement at the [edit forwarding-options sampling output flow-server hostname] hierarchy level:

[edit forwarding-options sampling output flow-server hostname]
local-dump;

By default, the flows are collected in /var/log/sampled; to change the filename, include the filename statement at the [edit forwarding-options sampling traceoptions] hierarchy level. For more information about changing the filename, see Configuring Traffic Sampling Output.
Because the local-dump statement adds extra overhead, you should use it only while debugging cflowd problems, not during normal operation.
The following is an example of the flow information. The AS number exported is the origin AS number. All flows that belong under a cflowd header are dumped, followed by the header itself:
Jun 27 18:35:43 v5 flow entry
Jun 27 18:35:43 Src addr: 192.0.2.1
Jun 27 18:35:43 Dst addr: 198.51.100.15
Jun 27 18:35:43 Nhop addr: 198.51.100.240
Jun 27 18:35:43 Input interface: 5
Jun 27 18:35:43 Output interface: 3
Jun 27 18:35:43 Pkts in flow: 15
Jun 27 18:35:43 Bytes in flow: 600
Jun 27 18:35:43 Start time of flow: 7230
Jun 27 18:35:43 End time of flow: 7271
Jun 27 18:35:43 Src port: 26629
Jun 27 18:35:43 Dst port: 179
Jun 27 18:35:43 TCP flags: 0x10
Jun 27 18:35:43 IP proto num: 6
Jun 27 18:35:43 TOS: 0xc0
Jun 27 18:35:43 Src AS: 7018
Jun 27 18:35:43 Dst AS: 11111
Jun 27 18:35:43 Src netmask len: 16
Jun 27 18:35:43 Dst netmask len: 0
[... 41 more version 5 flow entries; then the following header:]
Jun 27 18:35:43 cflowd header:
Jun 27 18:35:43 Num-records: 42
Jun 27 18:35:43 Version: 5
Jun 27 18:35:43 low seq num: 118
Jun 27 18:35:43 Engine id: 0
Jun 27 18:35:43 Engine type: 3
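
The following Python parser is an added example, not part of the Juniper documentation. It reads the local-dump layout shown above, groups each run of flow entries under the cflowd header that follows it, and reports batches whose Num-records value disagrees with the number of entries logged. The function names and the sample input are assumptions constructed for this example.

```python
import re
# Syslog-style prefix that precedes every line of the dump, e.g. "Jun 27 18:35:43".
PREFIX = re.compile(r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(.*)$")

def parse_local_dump(text):
    """Group flow entries under the cflowd header that follows them."""
    batches, flows, current, header = [], [], None, None
    for raw in text.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:
            continue  # not a dump line (blank line, unrelated log text)
        body = m.group(1).strip()
        if body.endswith("flow entry"):
            if header is not None:  # previous header is complete: close its batch
                batches.append({"header": header, "flows": flows})
                flows, header = [], None
            current = {}
            flows.append(current)
        elif body.startswith("cflowd header"):
            header = current = {}  # following "Key: value" lines fill the header
        elif ":" in body and current is not None:
            key, value = body.split(":", 1)
            current[key.strip()] = value.strip()
    if header is not None:  # flows with no trailing header (truncated log) are dropped
        batches.append({"header": header, "flows": flows})
    return batches

def record_count_mismatches(batches):
    """Return (batch index, declared Num-records, entries seen) where they differ."""
    rows = [(i, int(b["header"].get("Num-records", -1)), len(b["flows"]))
            for i, b in enumerate(batches)]
    return [r for r in rows if r[1] != r[2]]

# Constructed sample in the layout shown above; the header deliberately claims 3 records.
SAMPLE = """\
Jun 27 18:35:43 v5 flow entry
Jun 27 18:35:43 Src addr: 192.0.2.1
Jun 27 18:35:43 Dst port: 179
Jun 27 18:35:43 v5 flow entry
Jun 27 18:35:43 Src addr: 192.0.2.7
Jun 27 18:35:43 Dst port: 53
Jun 27 18:35:43 cflowd header:
Jun 27 18:35:43 Num-records: 3
Jun 27 18:35:43 Version: 5
"""

if __name__ == "__main__":
    print(record_count_mismatches(parse_local_dump(SAMPLE)))
```

A mismatch between Num-records and the entries logged before the header points at lost or truncated log lines rather than at the collector, which helps narrow down where a cflowd export problem sits.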