Multiple netflow exporters to the same collector IP and port.
I setup 4 exporters on a router with the same destination Ip and port 2055.
But I only get data in trisul for the first exporter I added to the router.
I have verified that the exportermaps are exporting flows to the correct ip and port.
Cant a probe handle multiple incomming netflow to the same port?
Hi,
Trisul can handle any number of exporters. It distinguishes the routers by their Source IP. Is it possible to assign a different source IP to each exporter?
If all the exporters use the same source IP then the records will show up as one router. Can you click on Netflow -> Routers and Intefaces to check.
Thanks,
Odd I see no routers or interfaces under "netflow" in trisul , but I have active netflow data both incomming in realtime and stored that I can search/analyze.
" Select a router / Showing 0 routers of total 0 / Time Interval : 15 m ending 2017-09-21 10:59:00"
I tried to purge trisul, but the config are still there , how can I do a complete reinstall? Need to remove all conf files from trisul
If you are trying to uninstall Trisul 6.0 and purge everything try the following
Uninstall the packages
sudo dpkg -r trisul-probe trisul-hub webtrisul trisul-badfellas trisul-geo trisul-urlfilterThen clean up the following directories
/usr/local/share/trisul*
/usr/local/etc/trisul*
/usr/local/var/lib/trisul*
/usr/local/var/log/trisul*
/usr/local/var/run/trisulIf you are purging a previous version of Trisul let me know I will give you instructions.
WE have a Netflow Config Wizard that helps you set it up correctly.
Login as admin
Go to Context:default > profile0 > Netflow Wizard
Check if all items are checked in Basics tab. Especially the last item.
admin "Netflow mode not enabled."
which run mode is correct for netflow v9 ?
I get netflow data but the sip and dip are from a VRF I disabled a hour ago, and its expoerter-map isnt exporting flows. I even changed the port !=2055
I dont see the netflow data from the VRF I want to monitor, even tho the box is receving udp data on port 2055.
NETFLOW_TAP will cover all NETFLOW/SFLOW/JFLOW/IPFIX etc all versions are automatically detected.
Are you exporting the VRFID ? You can go to Retro > Retro Counters > Then select Flow VRF from counter group.
When you go to Netflow > Routers and Interfaces do you see the router IP ?
If using Flexible Netflow , can you try assigning a source interface to the export. (eg source ethernet0/0) this will use the interface IP as the netflow source IP and that will show up as a separate routers in Trisul.
How do I config trisul to only listen on incomming netflow v9 on a specific port? It seems that it is picking up all traffic on interface eth0
I want it only to listen for netflow from a specific sip and dport.
I have silk running on the same box, Im just evaluating trisul right now.
If you only want to listen to Netflow from a single IP then do the following.
Then
1. Go to Admin Tasks > Start / Stop Tasks
2. Change the Run Mode for probe0 to online_libpcap
Then restart the probe.
You should now only process netflow from that one IP.
I am online, let me know any issue you have with the eval.
Thanks,
Vivek
1, Im using standard export from a asr9000
2, No I dont see any interface or router https://imgur.com/a/bPoS1
3, Im using a specific source interface (a interface close to the collector)
Can you check the following?
It should say NETFLOW_TAP.
Also can you check the log file like so.
source /usr/local/share/trisul-probe/trisbashrc
tailf.nsIt seems that trisul only sees local traffic, not the netflow data it self
Had to manually edit to
<TrisulMode>NETFLOW_TAP</TrisulMode>
<ValidTrisulModes>TAP,NETFLOW_TAP</ValidTrisulModes>
Under Sessions I can only see the netflow exporting router and the collector
https://ibb.co/gxZ3M5
Can you restart the Probe after you've made that change to NETFLOW_TAP?
That should do it.
Finally! Thanx for the help. Now I can start to eval trisul.
Great !
Next you may want to enable "Interface Tracking" for long term breakup of interface traffic.
Enable Interface Tracking on key interfaces ;
Routers and Interfaces
Click on Router
Now for each interface , select "Options > Enable Interface Tracking"
Restart probe
Cheeers!