How to Troubleshoot Discrepancies Between Ports Reported by a Netflow Collector and the Ports in the Router Configuration

Objective
Use this method to troubleshoot discrepancies in ports reported by the Netflow collector and those in the router Netflow config.
Environment
S-Series
Netflow
Procedure
1.  Check which ports are configured to write Netflow records
(Some output eliminated for brevity)
 
show config netflow
set netflow port lag.0.2 enable both
set netflow port ge.2.201 enable both
set netflow port tg.2.1 enable both
set netflow port ge.3.204 enable both
set netflow port tg.3.1 enable both

This configures the router to write a Netflow record if the traffic is either ingressing or egressing any of the 5 ports.
Within the Netflow packets, the inbound and outbound ports are identified as InputInt and OutputInt. The value in each field corresponds to the MIB2 Interface value from the "show port counters" output (for instance, ge.3.204 = 32204).

2.  Type show port counters to check the MIB2 Interface value:
 
show port counters lag.0.2;ge.2.201;tg.2.1;ge.3.204;tg.3.1

Port: ge.3.204   MIB2 Interface: 32204   Bridge Port: 772

(only one of the ports is shown in the output for brevity)

3.  Take a Wireshark trace on the Netflow Collector, or on a port mirror of traffic going to the collector.

4.  Use the MIB2 Interface values of the 5 ports to create the following Wireshark filter (the leading ! negates the expression that follows):

!(cflow.inputint == 22201 or cflow.inputint == 23001 or cflow.inputint == 32204 or cflow.inputint == 33001 or cflow.inputint == 1005002 or cflow.outputint == 22201 or cflow.outputint == 23001 or cflow.outputint == 32204 or cflow.outputint == 33001 or cflow.outputint == 1005002)

This filter displays any Netflow packets that have a flow(s) that does NOT ingress OR egress lag.0.2, ge.2.201, tg.2.1, ge.3.204, or tg.3.1.

5.  Remove the Netflow template packets, because they contain no data, by appending "and !(cflow.flowset_id == 0)".

The final Wireshark Display filter used is:
 
!(cflow.inputint == 22201 or cflow.inputint == 23001 or cflow.inputint == 32204 or cflow.inputint == 33001 or cflow.inputint == 1005002 or cflow.outputint == 22201 or cflow.outputint == 23001 or cflow.outputint == 32204 or cflow.outputint == 33001 or cflow.outputint == 1005002) and !(cflow.flowset_id == 0)

If this filter does not eliminate all packets, then the router is sending Netflow data for ports other than the ones configured.
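
The filter in steps 4 and 5 can be generated from the CLI output rather than typed by hand, which avoids a mistyped interface value showing up as a false discrepancy. The following is an added example, not part of the original article or vendor tooling: the function names are hypothetical, and in the sample "show port counters" text only the ge.3.204 line comes from the article (the other port-to-value pairings and Bridge Port numbers are constructed, inferred from the values in the article's filter).

```python
import re

# "show config netflow" lines as shown in step 1 of the article.
SAMPLE_CONFIG = """\
set netflow port lag.0.2 enable both
set netflow port ge.2.201 enable both
set netflow port tg.2.1 enable both
set netflow port ge.3.204 enable both
set netflow port tg.3.1 enable both
"""

# Constructed sample: only the ge.3.204 line appears in the article; the other
# pairings and all other Bridge Port values are assumptions for illustration.
SAMPLE_COUNTERS = """\
Port: lag.0.2    MIB2 Interface: 1005002 Bridge Port: 4098
Port: ge.2.201   MIB2 Interface: 22201   Bridge Port: 513
Port: tg.2.1     MIB2 Interface: 23001   Bridge Port: 641
Port: ge.3.204   MIB2 Interface: 32204   Bridge Port: 772
Port: tg.3.1     MIB2 Interface: 33001   Bridge Port: 897
"""

CONFIG_LINE = re.compile(r"^set netflow port (\S+) enable", re.MULTILINE)
PORT_LINE = re.compile(r"^Port:\s*(\S+)\s+MIB2 Interface:\s*(\d+)", re.MULTILINE)


def parse_configured_ports(config_text):
    """Return the port names that have Netflow enabled in the config text."""
    return CONFIG_LINE.findall(config_text)


def parse_port_indexes(counters_text):
    """Return {port name: MIB2 Interface value} from 'show port counters' text."""
    return {port: int(idx) for port, idx in PORT_LINE.findall(counters_text)}


def build_filter(configured_ports, indexes):
    """Build the display filter that hides flows touching any configured port."""
    missing = [p for p in configured_ports if p not in indexes]
    if missing:
        # A port left out of the filter would look like unexpected Netflow data.
        raise ValueError("no MIB2 Interface value for: " + ", ".join(missing))
    values = sorted(indexes[p] for p in configured_ports)
    terms = [f"cflow.inputint == {v}" for v in values]
    terms += [f"cflow.outputint == {v}" for v in values]
    # Template FlowSets (flowset_id 0) carry no flow data, so exclude them too.
    return "!(" + " or ".join(terms) + ") and !(cflow.flowset_id == 0)"


if __name__ == "__main__":
    ports = parse_configured_ports(SAMPLE_CONFIG)
    print(build_filter(ports, parse_port_indexes(SAMPLE_COUNTERS)))
```
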