Is it a problem to have all three of our routers sending stats to the same port on the cflowd machine?
It depends. Flow export traffic tends to be bursty, so overrunning the socket buffer is always possible. If you see dropped flow messages in the syslogs, you might be seeing socket buffer overflows. You can usually check this condition if it’s persistent by looking at the Recv-Q length in “netstat -an” output; if it looks high all the time (for instance, pegged at the maximum), you should try using more than one port. This will get you the additional room per router in the socket buffers that you need. Q: We are encountering some problems porting legacy scripts that provide ‘outgoing’ numbers to cflowd. I realize that NetFlow is input-interface-specific, but management wants both incoming and outgoing aggregated numbers. While our legacy script uses separate threads for incoming and outgoing traffic, and filters on the dst interface to allow only flows that terminate on the ‘external’ interface (outgoing), or filters on the same interface as the src (incoming). It seems that cflowd has
