Directing Traffic Sampling Output to a Server Running the cflowd Application
You can collect an aggregate of sampled flows and send the aggregate to a specified host that runs the cflowd application available from the Cooperative Association for Internet Data Analysis (CAIDA) (http://www.caida.org). By using cflowd, you can obtain various types of byte and packet counts of flows through a router.
The cflowd application collects the sampled flows over a period of 1 minute. At the end of the minute, the number of samples to be exported is divided over the period of another minute, and the samples are exported over the course of that same minute.
Before you can perform flow aggregation, the routing protocol process must export the autonomous system (AS) path and routing information to the sampling process. To do this, include the route-record statement:
route-record;
You can include this statement at the following hierarchy levels:
[edit routing-options]
[edit routing-instances routing-instance-name routing-options]
By default, flow aggregation is disabled. To enable the collection of flow aggregates, include the flow-server statement at the [edit forwarding-options sampling output] hierarchy level:
[edit forwarding-options sampling family (inet | inet6 | mpls) output]
flow-server hostname {
    aggregation {
        autonomous-system;
        destination-prefix;
        protocol-port;
        source-destination-prefix {
            caida-compliant;
        }
        source-prefix;
    }
    autonomous-system-type (origin | peer);
    (local-dump | no-local-dump);
    port port-number;
    source-address address;
    version format;
}
In the cflowd statement, specify the name, identifier, and source-address of the host that collects the flow aggregates. You must also include the UDP port number on the host and the version, which gives the format of the exported cflowd aggregates. To specify an IPv4 source address, include the source-address statement.
To collect cflowd records in a log file before exporting, include the local-dump statement. To specify the cflowd version number, include the version statement. The cflowd version is either 5 or 8.
You can specify both host (cflowd) sampling and port mirroring in the same configuration. You can perform RE-sampling and port mirroring actions simultaneously. However, you cannot perform PIC-sampling and port mirroring actions simultaneously.
To specify aggregation of specific types of traffic, include the aggregation statement. This conserves memory and bandwidth by enabling cflowd to export targeted flows rather than all the aggregated
Aggregation is valid only if cflowd version 8 is specified.
To specify a flow type, include the aggregation statement at the [edit forwarding-options sampling output cflowd hostname] hierarchy level:
[edit forwarding-options sampling family (inet | inet6 | mpls) output hostname]
aggregation {
    source-destination-prefix;
}
You specify the aggregation type using one of the following options:
autonomous-system—Aggregate by AS number; may require setting the separate cflowd autonomous-system-type statement to include either origin or peer AS numbers. The origin option specifies to use the origin AS of the packet source address in the Source Autonomous System cflowd field. The peer option specifies to use the peer AS through which the packet passed in the Source Autonomous System cflowd field. By default, cflowd exports the origin AS number.
destination-prefix—Aggregate by destination prefix (only).
protocol-port—Aggregate by protocol and port number; requires setting the separate cflowd port statement.
source-destination-prefix—Aggregate by source and destination prefix. Version 2.1b1 of CAIDA’s cflowd application does not record source and destination mask length values in compliance with CAIDA’s cflowd Configuration Guide, dated August 30, 1999. If you configure the caida-compliant statement, Junos OS complies with Version 2.1b1 of cflowd. If you do not include the caida-compliant statement in the configuration, Junos OS records source and destination mask length values in compliance with the cflowd Configuration Guide.
source-prefix—Aggregate by source prefix (only).
Collection of sampled packets in a local ASCII file is not affected by the cflowd statement.
Debugging cflowd Flow Aggregation
To collect the cflowd flows in a log file before they are exported, include the local-dump option at the [edit forwarding-options sampling output cflowd hostname] hierarchy level:
[edit forwarding-options sampling family (inet | inet6 | mpls) output flow-server hostname]
local-dump;
By default, the flows are collected in /var/log/sampled; to change the filename, include the filename statement at the [edit forwarding-options sampling traceoptions] hierarchy level. For more information about changing the filename, see Collecting Traffic Sampling Output in a File.
Because the local-dump option adds extra overhead, you should use it only while debugging cflowd problems, not during normal operation.
The following is an example of the flow information. The AS number exported is the origin AS number. All flows that belong under a cflowd header are dumped, followed by the header itself:
Jun 27 18:35:43 v5 flow entry
Jun 27 18:35:43 Src addr: 10.53.127.1
Jun 27 18:35:43 Dst addr: 10.6.255.15
Jun 27 18:35:43 Nhop addr: 192.168.255.240
Jun 27 18:35:43 Input interface: 5
Jun 27 18:35:43 Output interface: 3
Jun 27 18:35:43 Pkts in flow: 15
Jun 27 18:35:43 Bytes in flow: 600
Jun 27 18:35:43 Start time of flow: 7230
Jun 27 18:35:43 End time of flow: 7271
Jun 27 18:35:43 Src port: 26629
Jun 27 18:35:43 Dst port: 179
Jun 27 18:35:43 TCP flags: 0x10
Jun 27 18:35:43 IP proto num: 6
Jun 27 18:35:43 TOS: 0xc0
Jun 27 18:35:43 Src AS: 64496
Jun 27 18:35:43 Dst AS: 64511
Jun 27 18:35:43 Src netmask len: 16
Jun 27 18:35:43 Dst netmask len: 0
[... 41 more v5 flow entries; then the following header:]
Jun 27 18:35:43 cflowd header:
Jun 27 18:35:43 Num-records: 42
Jun 27 18:35:43 Version: 5
Jun 27 18:35:43 Flow seq num: 118
Jun 27 18:35:43 Engine id: 0
Jun 27 18:35:43 Engine type: 3
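When debugging with local-dump, a useful check is whether each header's Num-records matches the number of flow entries dumped before it. The following Python sketch is an added example, not part of the original documentation or of Junos OS; it assumes the one-field-per-line layout shown above, and the names parse_dump and check_groups and the reduced sample are constructed for illustration.

```python
import re

# Constructed sample in the local-dump layout (reduced field set): flow
# entries come first, then the cflowd header that covers them.
SAMPLE = """\
Jun 27 18:35:43 v5 flow entry
Jun 27 18:35:43 Src addr: 10.53.127.1
Jun 27 18:35:43 Bytes in flow: 600
Jun 27 18:35:43 Dst port: 179
Jun 27 18:35:43 v5 flow entry
Jun 27 18:35:43 Src addr: 10.53.127.9
Jun 27 18:35:43 Bytes in flow: 160
Jun 27 18:35:43 Dst port: 22
Jun 27 18:35:43 cflowd header:
Jun 27 18:35:43 Num-records: 2
Jun 27 18:35:43 Flow seq num: 118
"""
LINE = re.compile(r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+(.*)$")  # strip timestamp

def parse_dump(text):
    """Return [(header, flows)]; flows with no following header are dropped."""
    groups, flows, rec, kind = [], [], {}, None
    def flush():  # close the record being built
        nonlocal flows
        if kind == "flow":
            flows.append(rec)
        elif kind == "header":
            groups.append((rec, flows))
            flows = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a timestamped dump line
        body = m.group(1).strip()
        if body.endswith("flow entry") or body == "cflowd header:":
            flush()
            rec, kind = {}, ("header" if body.startswith("cflowd") else "flow")
        elif kind and ": " in body:
            key, value = body.split(": ", 1)
            rec[key] = value.strip()
    flush()
    return groups

def check_groups(groups):
    """Compare each header's Num-records with the flows dumped before it."""
    return [{"seq": int(h["Flow seq num"]), "declared": int(h["Num-records"]),
             "dumped": len(flows),
             "bytes": sum(int(f.get("Bytes in flow", 0)) for f in flows)}
            for h, flows in groups]
```

A group whose declared and dumped counts differ points to a truncated or rotated log file rather than to an export problem on the collector side.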