-
Cisco CNS NetFlow Collection Engine Installation and Configuration Guide, 4.0
-
Index
-
About This Guide
-
Overview
-
Installing and Configuring CNS NetFlow Collection Engine
-
Using the CNS NetFlow Collection Engine User Interface
-
Understanding the CNS NetFlow Collection Engine Data File Format
-
Customizing the CNS NetFlow Collection Engine
-
Using Cafeteria-Style Aggregation
-
Troubleshooting CNS NetFlow Collection Engine
-
NetFlow Export Datagram Formats
-
CNS NetFlow Collection Engine Configuration and Control Protocol
-
CNS NetFlow Collection Engine Binary Data File Format
-
CNS NetFlow Collection Engine CNS/XML Interface
-
Table Of Contents
CNS NetFlow Collection Engine Configuration and Control Protocol
GET and GET_RESPONSE and GET_ERROR
List Cafeteria-Style Aggregation Definitions
List Cafeteria-Style Aggregation Field Types
List a Cafeteria-Style Aggregation Definition's Attributes
SET and SET_RESPONSE and SET_ERROR
Start CNS NetFlow Collection Engine
Stop CNS NetFlow Collection Engine
Request to Write CNS NetFlow Collection Engine's In-Memory Configuration into the Log File
Add a Cafeteria-Style Aggregation Definition
Drop a Cafeteria-Style Aggregation Definition
Unsolicited Event Notifications (UENs), or Trap Messages
Disk Consumption Reaches a Certain Limit
Unsolicited Packet Is Received
Active Threads Limit Is Reached
Incompatible Packet with an Aggregation Scheme
CNS NetFlow Collection Engine Configuration and Control Protocol
The CNS NetFlow Collection Engine configuration and control protocol is a text-based (ASCII) messaging protocol that facilitates the remote configuration and control of the CNS NetFlow Collection Engine application. The protocol includes specifications for creating unsolicited event notifications (UENs), or trap messages. Use this appendix as a reference when creating applications that you want the CNS NetFlow Collection Engine to communicate with, or as a reference for use with the Cisco Network Data Analyzer application.
Note
In order for an application to receive UENs from CNS NetFlow Collection Engine, the nf.resources file must be configured to specify the IP address and port (or the DNS system name and port) that will receive UENs. See the "Modifying CNS NetFlow Collection Engine Resources" section on page 5-32 for details on this option.
Overview
This appendix describes the CNS NetFlow Collection Engine configuration and control protocol, a message-based application layer protocol that allows for messaging from, and remote manageability of, the CNS NetFlow Collection Engine application. Messages exchanged between CNS NetFlow Collection Engine and remote applications fall under two broad categories:
•
•
A list of relevant terminology is covered first, followed by the message format. Next, a description of the mode of communication between the CNS NetFlow Collection Engine and remote applications is provided.
Terminology
For the purpose of this document, the NetFlow CNS NetFlow Collection Engine 3.x (referred to as CNS NetFlow Collection Engine hereafter) application is the server, and applications making control or configuration requests are clients. Currently, the primary client is the Cisco Network Data Analyzer (referred to as the Data Analyzer hereafter) application, which provides a central point to configure and control multiple, remote CNS NetFlow Collection Engine stations. The following two terms are used throughout this appendix:
1.
a.
b.
2.
Message Format
This section describes a simple string-based message format to facilitate communication between clients and CNS NetFlow Collection Engine. The protocol is string-based to avoid the inherent big-endian and little-endian problems associated with communication between machines of differing architectures.
The messages fall into the following three categories:
1.
2.
3.
Each message consists of a <seqnum>, <msgtype>, <[login:password:]checksum> (in this order) and one or more character strings. The general syntax is:
<seqnum><ws><msgtype><ws><[login:password:]checksum><endline>
<command|event>[:<argument>] [\n<char string>]
where:
<ws> represents one or more white spaces, and <endline> represents end of line. The <seqnum> value is a randomly assigned positive integer to track messages. The third field provides authentication as well as detection if the message was altered. It consists of the identification of the CNS NetFlow Collection Engine user and its password (on the CNS NetFlow Collection Engine machine) and the bytecount (total number of bytes) of the message. Event messages do not contain the login:password portion. In a response message, CNS NetFlow Collection Engine includes checksum bytes to represent the number of bytes in the response.
The <msgtype> character string is one of the following:
•
•
•
•
•
•
•
•
•
•
GET and SET message types indicate a request message. A request may contain more than one operation (such as modify multiple fields of a thread). EVENT indicates an event message. In the case of response messages, the <seqnum> value is the same as in the corresponding request (so that clients can handle multiple request/response pairs asynchronously).
GET_RESPONSE, SET_RESPONSE, AUTH_ERROR, DOWN_ERROR, GET_ERROR, and SET_ERROR indicate a response message. GET_RESPONSE and SET_RESPONSE messages may include optional lines starting with the keyword "warn:" or "info:". However, receiving a GET_RESPONSE or SET_RESPONSE means the request was successfully executed.
Each GET/SET request contains an authentication string that is used to validate the requester's identity. Authentication failure results in an AUTH_ERROR response. CNS NetFlow Collection Engine sends the same AUTH_ERROR response if the checksum does not match up with the total number of bytes received. If CNS NetFlow Collection Engine cannot process a request because of unavailability of its processing engines (that is, backend processes are not running), it sends a DOWN_ERROR response. If an error is detected in parsing a request, a corresponding SYNTAX_ERROR response is returned.
If CNS NetFlow Collection Engine cannot process a request because of operational reasons (for any reason other than AUTH_ERROR, DOWN_ERROR, or SYNTAX_ERROR), it returns a GET_ERROR or SET_ERROR response. Such an error response includes at least one line starting with the keyword "error:" followed by a description. A GET_ERROR response occurs when a request to fetch attributes of a nonexistent thread is received.
The second line of the message contains a command (event in the case of UENs), optionally followed by an argument. In request and response messages, the response copies this second line from the corresponding request. See Table C-1 for command and argument examples.
The commands filter_attributes, thread_attributes, and protocol_attributes retrieve descriptions of the requested entity (filter/thread/protocol). As shown in Table C-1, these three commands require an additional argument, which is the ID of the entity to be obtained. The body of the corresponding response message is identical to the representation of the corresponding entity in the configuration files of CNS NetFlow Collection Engine (you should refer to the syntax of these entities for keywords, legitimate values of a field, and so forth).
Use the following examples to clarify GET request usage:
•
300 GET login:passwd:checksumfilter_attributes:ALLOW-WWWThe expected sample response (assuming ALLOW-WWW exists) is:
300 GET_RESPONSE login:passwd:newchecksumfilter_attributes:ALLOW-WWWPermit Srcport 80Permit Dstport 8•
301 GET login:passwd:checksumthread_attributes:HMATThe expected sample response (assuming HMAT exists) is:
301 GET_RESPONSE login:passwd:newchecksumthread_attributes:HMATAggregation HostMatrixPeriod 20Port 9991State ActiveDataSetPath /opt/CSCOnfc/DataDiskSpaceLimit 0FileRetain 0•
303 GET login:passwd:checksumprotocol_attributes:WWWThe expected sample response (assuming WWW exists) is:
303 GET_RESPONSE login:passwd:newchecksumprotocol_attributes:WWWDstport 80 OR Srcport 80Prot 6
Note
Table C-2 lists all valid SET commands. Requests for add_filter, add_thread, thread_attributes, and add_protocol append the definition (a description of the attributes) in the same manner as the corresponding GET_RESPONSE messages do to convey a definition of filter, thread, or protocol. CNS NetFlow Collection Engine may respond to a SET request with a SET_RESPONSE or a SET_ERROR response. A SET_ERROR response occurs when the requested entity does not exist, for example.
Use the following examples to clarify SET request usage:
•
400 SET login:passwd:checksumadd_filter:DENY-TELNETDeny Srcport 23Deny Dstport 23Permit Dstaddr 10.0.0.0 255.255.255.255The expected sample response (assuming DENY-TELNET does not exist) is:
400 SET_RESPONSE login:passwd:newchecksumadd_filter:DENY-TELNET•
401 SET login:passwd:checksumdrop_thread:CALLRECORDThe expected sample response (assuming CALLRECORD does not exist) is:
401 SET_ERROR login:passwd:newchecksumdrop_thread:CALLRECORDerror:thread ID not foundEvent conditions and arguments are described in Table C-3.
Communication
CNS NetFlow Collection Engine expects the request messages to come over a TCP socket. CNS NetFlow Collection Engine opens a TCP socket on a well-known port (user-configurable) and awaits messages from all clients on this port. It uses a separate UDP socket to send event messages. It maintains a static list of recipients (IP addresses) of events and sends an event message to all of them. The administrator of CNS NetFlow Collection Engine is responsible for maintaining this list.
CNS NetFlow Collection Engine sends UENs autonomously. CNS NetFlow Collection Engine does not expect a response, so reception of the message cannot be assumed. CNS NetFlow Collection Engine uses a UDP socket to send UENs to a prespecified list of recipients.
On receiving a UEN, a manager (a software module designed to receive UENs, or traps) is free to decide how to process it. Typically, it creates a new entry in the event log. Also, it may signal or distribute the received UEN to other modules. These modules may want to query the agent (CNS NetFlow Collection Engine) for additional information, or may try to correlate the received UEN with other UENs and status information.
Message List
This section describes all valid configuration and control messages. Messages are organized by requests and their corresponding responses (including errors). Some errors apply to all request messages. These error conditions indicate the following:
•
•
•
GET and GET_RESPONSE and GET_ERROR
Filter Definition
Filter Definition ("name, value [, mask]") pairs of all possible attributes of a filter. Any restriction (for example, that a character string should not exceed 20 characters) or the possible values in case of an enum, are included in parentheses immediately after.
200 GET login:passwd:checksumfilter_definitionAn expected sample response is:
200 GET_RESPONSE login:passwd:newchecksumfilter_definitionFilter string(20)enum(permit,deny), Srcaddr, ipaddr, ipaddrenum(permit,deny), Dstaddr, ipaddr, ipaddrenum(permit,deny), Nexthop, ipaddr, ipaddrenum(permit,deny), Srcport, ushortenum(permit,deny), Dstport, ushortenum(permit,deny), Srcinterface, ushortenum(permit,deny), Dstinterface, ushortenum(permit,deny), Prot, ushortenum(permit,deny), Protocol, string(20)enum(permit,deny), TOS, ushortenum(permit,deny), SrcAS, ushortenum(permit,deny), DstAS, ushortThread Definition
Thread Definition ("name, value") pairs of all possible attributes of a thread. Any restrictions, (for example, that a character string should not exceed 20 characters) or the possible values in case of an enum, are included in parentheses immediately after.
200 GET login:passwd:checksumthread_definitionAn expected sample response is:
200 GET_RESPONSE login:passwd:newchecksumthread_definitionThread, string(20)Aggregation, stringFilter, string(20)Port, ushortPeriod, ushortDataSetPath, stringState, enum(Active, Inactive)Compression NoBinary NoMaxUsage 500Protocol Definition
Protocol Definition ("name, value") pairs of all possible attributes of a protocol. Any restrictions, (for example, that a character string should not exceed 20 characters) or the possible values in case of an enum, are included in parentheses immediately after.
200 GET login:passwd:checksumprotocol_definitionAn expected sample response is:
200 GET_RESPONSE login:passwd:newchecksumprotocol_definitionProtocol, string(20)Srcport, ushortDstport, ushortProt, ushortSupported Aggregation SchemesList of supported aggregation schemes ("name, bitmask" pair).200 GET login:passwd:checksumaggregation_listAn expected sample response is:
200 GET_RESPONSE login:passwd:newchecksumaggregation_listRawFlows, bitmaskSourceNode, bitmaskDestNode, bitmaskHostMatrix, bitmaskSourcePort, bitmaskDestPort, bitmaskProtocol, bitmaskDetailDestNode, bitmaskDetailHostMatrix, bitmaskDetailInterface, bitmaskCallRecord, bitmaskASMatrix, bitmaskNetMatrix, bitmaskDetailSourceNode, bitmaskDetailASMatrix, bitmaskRouterAS, bitmaskRouterProtoPort, bitmaskRouterSrcPrefix, bitmaskRouterDstPrefix, bitmaskRouterPrefix, bitmaskASHostMatrix, bitmaskHostMatrixInterface, bitmaskDetailCallRecord, bitmaskApplication Statistics
200 GET login:passwd:checksumapplication_statsAn expected sample response is:
200 GET_RESPONSE login:passwd:newchecksumapplication_stats<to be filled>List Export Sources
Lists sources from which CNS NetFlow Collection Engine has received one or more packets.
201 GET login:passwd:checksumexport_source_listAn expected sample response is:
201 GET_RESPONSE login:passwd:newchecksumexport_source_list171.69.2.77blab-gwbldg-aPossible error responses can be:
201 AUTH_ERROR login:passwd:newchecksumexport_source_listOr:
201 DOWN_ERROR login:passwd:newchecksumexport_source_listList Filters
202 GET login:passwd:checksumfilter_listAn expected sample response is:
202 GET_RESPONSE login:passwd:newchecksumfilter_listallow_wwwdeny_datacenter_subnetPossible error responses can be:
202 AUTH_ERROR login:passwd:newchecksumfilter_listOr:202 DOWN_ERROR login:passwd:newchecksumfilter_listList Threads
202 GET login:passwd:checksumthread_listAn expected sample response is:
202 GET_RESPONSE login:passwd:newchecksumthread_listHMATRIXDETAILASMPossible error responses can be:
202 AUTH_ERROR login:passwd:newchecksumthread_listOr:
202 DOWN_ERROR login:passwd:newchecksumthread_listList Cafeteria-Style Aggregation Definitions
202 GET login:passwd:checksumuserdef_aggregation_listAn expected sample response is:
202 GET_RESPONSE login:passwd:newchecksumuserdef_aggregation_listagg_name_aagg_name_bagg_name_cList Protocols
203 GET login:passwd:checksumprotocol_listAn expected sample response is:
203 GET_RESPONSE login:passwd:newchecksumprotocol_listTELNETWWWFTP-SERVERFTP-CLIENTSNMPNNTPPossible error responses can be:
203 AUTH_ERROR login:passwd:newchecksumprotocol_listOr:
203 DOWN_ERROR login:passwd:newchecksumprotocol_listList Known srcports
205 GET login:passwd:checksumknown_srcport_listAn expected response is:
205 GET_RESPONSE login:passwd:newchecksumknown_srcport_list0, 10241025, 9999 :1K_9K_Port_Rng10000, 19999 :10K_19K_Port_Rng20000, 29999 :20K_29K_Port_Rng30000, 39999 :30K_39K_Port_Rng40000, 49999 :40K_49K_Port_Rng50000, 59999 :50K_59K_Port_Rng60000, 65535 :60K_65K_Port_RngPossible error responses can be:
205 AUTH_ERROR login:passwd:newchecksumknown_srcport_listOr:
205 DOWN_ERROR login:passwd:newchecksumknown_srcport_listList Known dstports
206 GET login:passwd:checksumknown_dstport_listAn expected response is:
206 GET_RESPONSE login:passwd:newchecksumknown_dstport_list0, 10241025, 9999 :1K_9K_Port_Rng10000, 19999 :10K_19K_Port_RngPossible error responses can be:
206 AUTH_ERROR login:passwd:newchecksumknown_dstport_listOr:
206 DOWN_ERROR login:passwd:newchecksumknown_dstport_listList Known srcasns
207 GET login:passwd:checksumknown_srcasns_listAn expected response is:
207 GET_RESPONSE login:passwd:newchecksumknown_srcasns_list0, 16000Possible error responses can be:
207 AUTH_ERROR login:passwd:newchecksumknown_srcasns_listOr:
207 DOWN_ERROR login:passwd:newchecksumknown_srcasns_listList Known dstasns
208 GET login:passwd:checksumknown_dstasns_listAn expected response is:
208 GET_RESPONSE login:passwd:newchecksumknown_dstasns_list0, 16000Possible error responses can be:
208 AUTH_ERROR login:passwd:newchecksumknown_dstasns_listOr:
208 DOWN_ERROR login:passwd:newchecksumknown_dstasns_listList Cafeteria-Style Aggregation Field Types
nnn GET login:passwd:checksumuserdef_typesAn expected response is the contents of nfknown.typefile:
208 GET_RESPONSE login:passwd:newchecksumuserdef_typesType BYTES_32 1Type PKTS_32 2...DOTTED_ADDRESS_TYPE IPSRCADDR,IPDSTADDR,...Scope SYSTEM 1...List a Filter's Attributes
209 GET login:passwd:checksumfilter_attributes:allow-wwwAn expected response is:
209 GET_RESPONSE login:passwd:newchecksumfilter_attributes:allow-wwwFilter allow-www[flextype]Permit Srcport 80Permit DstPort 80Permit Dstaddr 0.0.0.0 255.255.255.255A possible error response can be (excluding AUTH_ERROR and DOWN_ERROR):
209 GET_ERROR login:passwd:newchecksumfilter_attributes:allow-wwwerror:filter ID not foundThe optional userdef keyword is returned only for cafeteria-style aggregation filters. For these filters, type names are from nfknown.typefile; mask values are returned only for fields that are indicated as IP address types in nfknown.typefile.
List a Thread's Attributes
301 GET login:passwd:checksumthread_attributes:HMATAn expected response is:
301 GET_RESPONSE login:passwd:newchecksumthread_attributes:HMATThread HMATAggregation HostMatrixPeriod 20Port 9991State ActiveDataSetPath /opt/CSCOnfc/DataCompression NoBinary NoMaxUsage 500A possible error response can be (excluding AUTH_ERROR and DOWN_ERROR):
301 GET_ERROR login:passwd:newchecksumthread_attributes:allow-wwwerror:thread ID not foundList a Protocol's Attributes
302 GET login:passwd:checksumprotocol_attributes:TELNETAn expected response is:
302 GET_RESPONSE login:passwd:newchecksumprotocol_attributes:TELNETProtocol TELNETSrcport 23 ORDstport 23prot 6A possible error response can be (excluding AUTH_ERROR and DOWN_ERROR):
302 GET_ERROR login:passwd:newchecksumprotocol_attributes:TELNETerror:protocolid not foundList a Cafeteria-Style Aggregation Definition's Attributes
nnn GET login:passwd:checksumuserdef_aggregation_attributes:agg_name_aAn expected response is:
nnn GET_RESPONSE login:passwd:newchecksumuserdef_aggregation_attributes:agg_name_aAggregation agg_name_akeys IPSRCADDR,IPDSTADDRvalues BYTES_32,PKTS_32,FLOWSSET and SET_RESPONSE and SET_ERROR
In this section, AUTH_ERROR and DOWN_ERROR are not shown.
Start CNS NetFlow Collection Engine
500 SET login:passwd:checksumstart_collectorAn expected sample response is:
500 SET_RESPONSE login:passwd:newchecksumstart_collectorA possible error response can be:
500 SET_ERROR login:passwd:newchecksumstart_collectorerror:running
Note
Stop CNS NetFlow Collection Engine
501 SET login:passwd:checksumstop_collectorAn expected sample response is:
501 SET_RESPONSE login:passwd:newchecksumstop_collectorinfo:stopped at Tue Jun 23 23:10:02 1998A possible error response can be:
501 SET_ERROR login:passwd:newchecksumstop_collectorerror:not runninginfo:stopped at Tue Jun 23 23:10:02 1998Request to Write CNS NetFlow Collection Engine's In-Memory Configuration into the Log File
This section refers to requests that are local to the CNS NetFlow Collection Engine box.
501 SET login:passwd:checksumdump_configAn expected sample response is:
501 SET_RESPONSE login:passwd:newchecksumdump_configrAdd a Filter
502 SET login:passwd:checksumadd_filter:DENY-ICMP[flextype]Deny Prot 2Permit Srcaddr 0.0.0.0 255.255.255.255The flextype keyword is included only for filters that will be used in cafeteria-style aggregation. In such a case, the field names must be defined in nfknown.typefile.
An expected sample response is:
502 SET_RESPONSE login:passwd:newchecksumadd_filter:DENY-ICMPDeny Prot 2Permit Srcaddr 0.0.0.0 255.255.255.255Possible error responses can be:
502 SET_ERROR login:passwd:newchecksumadd_filter:DENY-ICMPerror:duplicate filteridOr:
502 SYNTAX_ERROR login:passwd:newchecksumadd_filter:DENY-ICMPerror:syntax errorDrop a Filter
503 SET login:passwd:checksumdrop_filter:DENY-ICMPAn expected sample response is:
503 SET_RESPONSE login:passwd:newchecksumdrop_filter:DENY-ICMPinfo:dropped Filter DENY-ICMPA possible error response can be:
503 SET_ERROR login:passwd:newchecksumdrop_filter:DENY-ICMPerror:filter ID not foundAdd a Thread
504 SET login:passwd:checksumadd_thread:SRCNODEAggregation SourceNodeFilter DENY-ICMPPeriod 15Port 9991State ActiveDataSetPath /opt/CSCOnfc/DataCompression NoBinary NoMaxUsage 500An expected sample response is:
504 SET_RESPONSE login:passwd:newchecksumadd_thread:SRCNODEPossible error responses (only the nonidentical portions are shown) can be:
error:duplicate threadidOr:
error:max active threads limit reachedOr:
error:port, datasetpath and aggregation conflictOr:
error:syntax errorDrop a Thread
505 SET login:passwd:checksumdrop_thread:SRCNODEAn expected sample response is:
505 SET_RESPONSE login:passwd:newchecksumdrop_thread:SRCNODEinfo:dropped Thread SRCNODEA possible error response can be:
505 SET_ERROR login:passwd:newchecksumdrop_thread:SRCNODEerror:thread ID not foundModify a thread:506 SET login:passwd:checksumthread_attributes:SRCNODEPeriod 15Port 9991State ActiveDataSetPath /opt/CSCOnfc/DataCompression NoBinary NoMaxUsage 500An expected sample response is:
506 SET_RESPONSE login:passwd:newchecksumthread_attributes:SRCNODEThread SRCNODEPeriod 15Port 9991State ActiveDataSetPath /opt/CSCOnfc/DataCompression NoBinary NoMaxUsage 500Possible error responses (only the nonidentical portions are shown) can be:
error:thread ID not foundOr:
error:max active threads limit reachedOr:
error:port, datasetpath and aggregation conflictOr:
error:syntax errorAdd a Protocol507 SET login:passwd:checksumadd_protocol:UDP-NNTPSrcport 119 OR Dstport 119Prot 17An expected sample response is:
507 SET_RESPONSE login:passwd:newchecksumadd_protocol:UDP-NNTPinfo:dropped Protocol UDP-NNTPPossible error responses can be:
507 SET_ERROR login:passwd:newchecksumadd_protocol:UDP-NNTPerror:duplicate protocol IDOr:
507 SET_ERROR login:passwd:newchecksumadd_protocol:UDP-NNTPerror:syntax errorDrop a Protocol
508 SET login:passwd:checksumdrop_protocol:DENY-WWWAn expected sample response is:
508 SET_RESPONSE login:passwd:newchecksumdrop_protocol:WWW-SERVERPossible error responses can be:
508 SET_ERROR login:passwd:newchecksumdrop_protocol:WWW-SERVERerror:protocolid not foundrOr:508 SET_ERROR login:passwd:newchecksumdrop_protocol:WWW-SERVERerror:syntax errorAdd a Cafeteria-Style Aggregation Definition
nnn SET login:passwd:checksumadd_userdef_aggregation:agg_name_akeys IPSRCADDR,IPDSTADDRvalues BYTES_32,PKTS_32,FLOWSAn expected sample response is:
nnn SET_RESPONSE login:passwd:newchecksumadd_userdef_aggregation:agg_name_aDrop a Cafeteria-Style Aggregation Definition
nnn SET login:passwd:checksumdrop_userdef_aggregation:agg_name_aAn expected sample response is:
nnn SET_RESPONSE login:passwd:newchecksumdrop_userdef_aggregation:agg_name_aUnsolicited Event Notifications (UENs), or Trap Messages
Disk Consumption Reaches a Certain Limit
801 EVENT checksumdisk_consumption: /opt/CSCOnfcinfo: 80%802 EVENT checksumdisk_consumption: /opt/CSCOnfcinfo: 100%Unsolicited Packet Is Received
802 EVENT checksumrcvd_unsolicited_packet:171.71.34.79Active Threads Limit Is Reached
800 EVENT checksummax_active_threads_limitIncompatible Packet with an Aggregation Scheme
810 EVENT checksumincompatible_pkt_and_aggregationinfo: V1 packet for ASMatrixCould Not Write a Data File
815 EVENT checksumdatafile_not_written:/opt/CSCOnfc/Data/R1/1998_10_12/r1.1215info: insufficient space in /opt/CSCOnfc
