NetFlow File and Directory Structure



This article illustrates the NetFlow file and directory structure.

/home/nfcuser -- user created to drive NetFlow Analyzer, user working directory

configs -- router configs for NFA use (it's not happy with them)
exports -- directory, sym link to directory where NFA drops exported CSV files. Don't delete!
images -- directory to dump screen capture GIF/JPEG saves into

/opt/CSCOnfa -- Cisco Flow Data Analyzer

check.All -- script to check Java, DisplayServer, UtilityServer are running
start.All -- script to start DisplayServer, UtilityServer
stop.All -- stops them

cisco -- mojo (ASN.1/SNMP toolset) -- not for user use

 NFADisplay -- NFA Display UI

bin -- programs, scripts, also *.class = Java classes
start.Display script -- starts NFA Display screen (UI)



NFAServer -- NFA DisplayServer (Display talks to)
AliasDefn -- known AS's, ports, protocols
[not well documented: see perhaps the UsePortText flag in the NFADS.resources file]
bin -- programs, scripts
check.DisplayServer -- script to check DisplayServer
DisplayServer -- program
NFADS.resources -- options for DisplayServer, MaxMB, UsePortText
start.DisplayServer -- starts just DisplayServer
stop.DisplayServer -- stops it
Cache -- cached info

exported_files -- where exported CSV files go, /home/nfcuser/exports sym link to this

logs -- misc log files (server)

RouterGroup -- tree file sets and router groups

util -- utilities

mgmt_NFC.exp -- expect script (is expect installed?).

Appears to copy specified collected info to another directory. Looking at the script, from another machine. Probably used behind the scenes to bring in data from another DisplayServer.

NFAUtility -- NFA UtilityServer (does all backend dirty work, talks to NFCGW)
bin -- scripts, programs, Java classes
config -- config files for UtilityServer

HostPreferences.txt -- address à name translation
NFCCC.txt -- NetFlow collectors and userid and port
RouterConfig.txt -- address, SNMP community, tms/netflow

Conjecture when NFA looks at directory of router configs, it populates this file. (Not very documented?)

data -- AS.txt_0, HostAliases.txt -- purpose not clear, probably not user files

logs -- log files for UtilityServer

NFAU.log -- log file
state -- directory to hold .pid file for UtilityServer

originals -- directory of original config/script files (install probably put locations of things into them)

/opt/CSCOnfc -- Cisco FlowCollector
bin -- programs and scripts
nfcollector -- run nightly to get rid of old data, defaults to after 7 days
config -- config files for NFC
nf.resources -- paths and locations of things and other options for NFC overall
nfcd.config -- NFCD config file -- master daemon -- don't alter
nfconfig.file -- threads defined under New Collector in NFA
nfknown.dstasns, etc. -- known AS's, ports -- EDIT MANUALLY
nfknown.protocols -- edit via NFA GUI, can edit manually
Data -- where NFC puts the data

include -- C header files (why -- acts like documentation for aggregation schemes)

logs -- filesready files, 4 program log files

tmp -- temporary directory

tools -- tool scripts (cf. manual: NFC section, chapter "Troubleshooting FlowCollector")

fdcount -- counts on specified UDP port, suspect you have to stop Collector first
fdget -- similar, prints some of the fields received
fdplayback -- play back a data file --
Can use with RawData? Perhaps start a collector thread for new aggregation scheme, then use this to feed it data. Experiment, waiting to be tried.
nfc_gunzip -- uncompress binary compressed to binary
nfc_bin_to_ascii -- print ASCII version of binary data (use this + previous for data warehousing of all this data)

Other Sun Solaris Directories

/opt -- installed additional programs -- equivalent to Program Files in Windows
answerbooks -- answerbook data
SUNW* -- SUN stuff
/, /usr -- Operating System -- \winnt equivalent

/etc -- small ASCII configuration and startup files and scripts, Operating System  

NetFlow Scripts Note

Run start.All, stop.All, nfcd_run scripts as root.
Run start.Display as nfcuser or whatever.

Dr. Peter J. Welcher (CCIE #1773, CCSI #94014) is a Senior Consultant with Chesapeake NetCraftsmen. NetCraftsmen is a high-end consulting firm and Cisco Premier Partner dedicated to quality consulting and knowledge transfer. NetCraftsmen has eleven CCIE's (4 of whom are double-CCIE's, R&S and Security). NetCraftsmen has expertise including large network high-availability routing/switching and design, VoIP, QoS, MPLS, network management, security, IP multicast, and other areas. See for more information about NetCraftsmen. . New articles will be posted under the Articles link. Questions, suggestions for articles, etc. can be sent to This email address is being protected from spambots. You need JavaScript enabled to view it. .

Copyright (C)  2001,  Peter J. Welcher