FAQ JKFlow

Errors:

1:- Mismatched tag at line ..., column ..., byte ... at /usr/lib/perl5/site_perl/5.8.0/i686-linux/XML/Parser.pm line ...
2:- Uninitialised values in hashes and additions!

Configuration:

3:- The <ftp>-element doesn't catch all passive/active sessions!
4:- What is inbound/outbound traffic for directions?
5:- How do I write the most efficient configuration?

Reporting:

6:- The percentages shown in the graph are incorrect!

1:- Mismatched tag at line ..., column ..., byte ... at /usr/lib/perl5/site_perl/5.8.0/i686-linux/XML/Parser.pm line ...

This means that the jkflow.xml file is not well-formed XML, for example a <subnet> element that is opened but never closed. The line, column and byte offset reported by the parser module point at the exact position of the error.

2:- Uninitialised values in hashes and additions!

This error is caused by a jkflow.xml file that is well-formed XML but whose structure is not recognised by JKFlow. Look at the line numbers reported in the error messages and find them in the source code: the failing line will be inside the parsing section for a direction, subnet, router or similar element of the XML configuration. Also make sure you run JKFlow version v02052003 or higher.

3:- The <ftp>-element doesn't catch all passive/active sessions!

A possible reason is that the time or timezone on the routers does not match the time or timezone on the collector. The JKFlow module keeps FTP control sessions in memory until the flow file is 2 hours newer than the timestamps of the latest flow of these FTP sessions. When the flows inside a flow file are already 2 hours older than the flow file itself, the FTP sessions are dropped immediately.

4:- What is inbound/outbound traffic for directions?

If you define fromsubnets="10.0.0.0/8" and tosubnets="20.0.0.0/8", flows whose source IP is in 10.0.0.0/8 and whose destination IP is in 20.0.0.0/8 are assigned to outbound traffic; flows whose source IP is in 20.0.0.0/8 and whose destination IP is in 10.0.0.0/8 are assigned to inbound traffic.

5:- How do I write the most efficient configuration?

Avoid defining subnets as much as possible. Profiling shows that Net::Patricia still takes a large share of the processing time while parsing flow files: in the dprofpp profile below, Net::Patricia::match_integer is called 517474 times for the 12438 flows handled by JKFlow::wanted. This applies to localsubnets, (no)fromsubnets and (no)tosubnets.

[root@homepc flows]# dprofpp tmon.out
Garbled profile is missing some exit time stamps:
Cflow::find
main::wanted
JKFlow::wanted
Try rerunning dprofpp with -F.
[root@homepc flows]# dprofpp -F tmon.out
Faking 3 exit timestamp(s).
Total Elapsed Time = -1.55103 Seconds
User+System Time = 0 Seconds
Exclusive Times
%Time ExclSec CumulS #Calls sec/call Csec/c Name
0.00 4.022 11.647 12438 0.0003 0.0009 JKFlow::wanted
0.00 2.640 2.591 49097 0.0001 0.0001 JKFlow::countApplications
0.00 2.100 1.582 517474 0.0000 0.0000 Net::Patricia::match_integer
0.00 2.080 2.031 49097 0.0000 0.0000 JKFlow::countpackets
0.00 1.967 3.257 89424 0.0000 0.0000 JKFlow::countDirections
0.00 0.330 0.330 38 0.0087 0.0087 RRDs::create
0.00 0.290 0.265 24876 0.0000 0.0000 Cflow::InetNtoA::FETCH
0.00 0.210 11.838 12438 0.0000 0.0010 main::wanted
0.00 0.170 0.169 679 0.0003 0.0002 RRDs::update
0.00 0.090 0.645 679 0.0001 0.0009 JKFlow::reporttorrd
0.00 0.090 0.550 16 0.0056 0.0344 main::BEGIN
0.00 0.088 11.935 2 0.0439 5.9675 Cflow::find
0.00 0.080 0.129 6 0.0133 0.0216 XML::LibXML::SAX::BEGIN
0.00 0.050 0.050 58 0.0009 0.0009 Exporter::import
0.00 0.050 0.833 25 0.0020 0.0333 JKFlow::reporttorrdfiles
[root@homepc flows]#

Also try to subdivide subnets into nested directions, and define a specific set of protocols/services to monitor for each.
JKFlow evaluates a flow against a nested direction only if the flow matches the parent direction, so the subnet lookups of the nested directions are skipped for every flow the parent does not match.
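The direction semantics of items 4 and 5 (outbound when the source is in fromsubnets and the destination in tosubnets, inbound for the reverse, and nested directions evaluated only when the parent matches), worked through as an added example that is not code from JKFlow. The <directions> wrapper, the nesting of <direction> elements, the direction names and the flows are constructed assumptions modelled on the attribute names used in this FAQ, not JKFlow's real schema; Python's ipaddress module stands in for Net::Patricia. The per-direction lookup counter shows how nesting reduces the number of subnet lookups.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed configuration modelled on the fromsubnets/tosubnets attribute
# names in this FAQ; the element layout is an assumption, not JKFlow's schema.
SAMPLE_CONFIG = """
<directions>
  <direction name="site-a" fromsubnets="10.0.0.0/8" tosubnets="20.0.0.0/8">
    <direction name="site-a-web" fromsubnets="10.1.0.0/16" tosubnets="20.0.0.0/8"/>
    <direction name="site-a-dns" fromsubnets="10.2.0.0/16" tosubnets="20.0.0.0/8"/>
  </direction>
  <direction name="site-b" fromsubnets="10.0.0.0/8" tosubnets="30.0.0.0/8"/>
</directions>
"""

# Constructed flows as (source IP, destination IP, bytes).
SAMPLE_FLOWS = [
    ("10.1.2.3", "20.0.0.5", 1000),    # site-a outbound and site-a-web outbound
    ("20.0.0.5", "10.1.2.3", 500),     # site-a inbound and site-a-web inbound
    ("10.2.0.9", "20.9.9.9", 300),     # site-a outbound and site-a-dns outbound
    ("10.5.5.5", "30.0.0.1", 700),     # site-b outbound only
    ("192.168.1.1", "20.0.0.1", 50),   # matches no direction
]


def parse_nets(attr):
    """Turn a comma-separated list of CIDR prefixes into ip_network objects."""
    return [ipaddress.ip_network(s.strip()) for s in attr.split(",") if s.strip()]


class Direction:
    """One direction element with its nested child directions and byte counters."""

    def __init__(self, elem):
        self.name = elem.get("name")
        self.fromnets = parse_nets(elem.get("fromsubnets", ""))
        self.tonets = parse_nets(elem.get("tosubnets", ""))
        self.children = [Direction(c) for c in elem.findall("direction")]
        self.counters = {"inbound": 0, "outbound": 0}
        self.lookups = 0  # number of flows this direction was evaluated against


def in_nets(ip, nets):
    return any(ip in net for net in nets)


def classify(direction, src, dst):
    """Return 'outbound', 'inbound' or None for one flow against one direction."""
    direction.lookups += 1
    if in_nets(src, direction.fromnets) and in_nets(dst, direction.tonets):
        return "outbound"
    if in_nets(src, direction.tonets) and in_nets(dst, direction.fromnets):
        return "inbound"
    return None


def account(direction, src, dst, nbytes):
    """Count a flow against a direction; children are evaluated only on a parent match."""
    side = classify(direction, src, dst)
    if side is None:
        return False
    direction.counters[side] += nbytes
    for child in direction.children:
        account(child, src, dst, nbytes)
    return True


def run(config_xml, flows):
    """Parse the configuration and account every flow; returns the top-level directions."""
    root = ET.fromstring(config_xml.strip())
    directions = [Direction(e) for e in root.findall("direction")]
    for src, dst, nbytes in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for direction in directions:
            account(direction, s, d, nbytes)
    return directions


def summary(directions):
    """Flatten the tree into {name: (inbound bytes, outbound bytes, lookups)}."""
    out = {}

    def walk(d):
        out[d.name] = (d.counters["inbound"], d.counters["outbound"], d.lookups)
        for c in d.children:
            walk(c)

    for d in directions:
        walk(d)
    return out


if __name__ == "__main__":
    for name, (inb, outb, lookups) in summary(run(SAMPLE_CONFIG, SAMPLE_FLOWS)).items():
        print(f"{name:12s} inbound={inb:5d} outbound={outb:5d} evaluated={lookups}")
```

With the sample data both top-level directions are evaluated against all five flows, while the two nested directions are evaluated only against the three flows that matched site-a; a flat configuration with the same four directions would have cost 20 evaluations instead of 16, and the saving grows with the number of nested directions and the share of flows the parent rejects.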

6:- The percentages shown in the graph are incorrect!

One possible cause is that you have selected several directions nested inside another direction, subnet or router AND also selected that enclosing direction, subnet or router. JKGrapher divides by the sum of the totals of everything selected, which is correct for separate directions/subnets/routers but incorrect for directions INSIDE other directions/subnets/routers, because their traffic is already included in the enclosing total and is therefore counted twice.
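The double counting described above, reproduced as an added example that is not JKGrapher's code. The byte totals, direction names and parent relations are constructed (the nested totals are deliberately contained in their parent's total, as JKFlow's nested directions are); the nested-aware variant takes the denominator only from selected items that have no selected ancestor.

```python
# Constructed byte totals per direction and each direction's parent
# (None = top level). Nested totals are part of their parent's total.
TOTALS = {"site-a": 1300, "site-a-web": 1000, "site-a-dns": 300, "site-b": 700}
PARENT = {"site-a": None, "site-a-web": "site-a", "site-a-dns": "site-a", "site-b": None}


def has_selected_ancestor(name, selected, parent=PARENT):
    """True if some enclosing direction of `name` is also in the selection."""
    p = parent[name]
    while p is not None:
        if p in selected:
            return True
        p = parent[p]
    return False


def percentages(selected, totals=TOTALS, parent=PARENT, nested_aware=True):
    """Share of traffic for each selected direction, as a rounded percentage.

    nested_aware=False reproduces the distortion this FAQ describes: nested
    directions are added to the denominator although their bytes are already
    inside their parent's total, so every share comes out too low.
    """
    if nested_aware:
        base = [n for n in selected if not has_selected_ancestor(n, selected, parent)]
    else:
        base = list(selected)
    denominator = sum(totals[n] for n in base)
    return {n: round(100.0 * totals[n] / denominator, 1) for n in selected}


def top_level_sum(shares, selected, parent=PARENT):
    """Sum of the shares of selected directions with no selected ancestor.

    This should be 100 when the selection covers all traffic; the naive
    denominator makes it fall short.
    """
    return round(sum(v for n, v in shares.items()
                     if not has_selected_ancestor(n, selected, parent)), 1)


if __name__ == "__main__":
    selection = ["site-a", "site-a-web", "site-a-dns", "site-b"]
    for label, aware in (("naive", False), ("nested-aware", True)):
        shares = percentages(selection, nested_aware=aware)
        print(label, shares, "top-level sum:", top_level_sum(shares, selection))
```

With the naive denominator the two top-level directions add up to 60.6% instead of 100%, which is the symptom the question describes; with the nested-aware denominator the nested directions are reported as shares of the total traffic (site-a-web 50%, site-a-dns 15%) and the top-level shares sum to 100%.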