Below is the FlowViewer FAQ ( http://sourceforge.net/p/flowviewer/wiki/FAQ )
1. The v3.0 package is different. Why?
2. With v3.0 my bookmarks don't work. Why not?
3. I start a report, but nothing comes back. Why not?
4. I start a report, but nothing comes back. Why not? Part II
5. I get a report back, but it has no data. What's up?
6. I get a report back, but it has no data. Part II
7. I get a report back, but it has no data. Part III
8. The settings are correct, but it still has no data. What's up?
9. On long queries the browser seems to 'time out.' Why?
10. FlowViewer works, but is slow. Why?
11. FlowViewer stops unexpectedly, general unspecified problems, weirdnesses?
12. Will new versions of FlowViewer mess up my existing Monitors?
13. Why do I sometimes get "*** attempt to put segment in horiz list twice"?
14. I'm having problems and I'm running on a 64-bit system. Any known issues?
15. I want to change netflow formats, any problems?
16. FlowMonitor is not letting me create Groups
17. I'm seeing: flow-cat: Warning, partial inflated record before EOF
18. Getting: "Must select a device or an exporter.", but I'm not using devices
19. Does FlowViewer support IPFIX or netflow v9?
20. FlowViewer takes a long time to complete. Why?
21. The FlowMonitor input screen is blank. Why?
22. FlowGrapher will not generate a graph. Why not?
23. flow-capture starts, but is not writing files. Why not?
24. Why are the embedded links to Monitors not lining up on Group graphs?
25. I point my browser to FlowViewer, but only see broken image symbols. Why?
26. What is a good way to set up flow-tools?
27. I'd like to replicate flows to another host. How do I do that?
28. No graphs. HTTP error_log: Illegal division by zero at .../axestype.pm?
29. Sometimes FlowMonitor_Collector takes more than 5 minutes, and freezes. Why?
30. A FlowMonitor name got messed up and I can't remove it. How can I delete it?
31. FlowViewer returns empty for Prefix reports (e.g., Src, Dest prefix, etc.)
32. FlowViewer, FlowGrapher hang in the middle of listing reports or flows?
33. The graphs from my Archived FlowMonitors are missing. Where are they?
34. Appears FlowMonitor and FlowGrapher yield slightly different results. True?
35. I've added an IPFIX (SiLK) device and FlowMonitors are zero. Why?
36. I've added a Dashboard and Thumbnails are not updating. Why not?
37. I can't get the SiLK implementation going. Why not?
38. Why doesn't the Port information print for a FlowGrapher_Analysis run?
39. I'm not seeing any data for SiLK runs, but I know it is there?
40. I’m not seeing data. The SiLK command in DEBUG files does not match my environment?
41. My User Interface is all garbled - why?
1. The v3.0 package is different. Why?
Version 3.0 introduces FlowMonitor, but also provides an improvement that several users requested: they were tired of entering the day and time with each invocation of FlowViewer or FlowGrapher. The new architecture does away with create_FlowViewer_webpage and create_FlowGrapher_webpage; the user instead points the browser at FlowViewer.cgi or FlowGrapher.cgi. The start and end times are now pre-filled from the start_offset and end_offset parameters in the FlowViewer_Configuration.pm file.
2. With v3.0 my bookmarks don't work. Why not?
See FAQ #1 above. The structure of the scripts has changed and now the user should point the browser (and make a bookmark) to FlowViewer.cgi, FlowGrapher.cgi, and now FlowMonitor.cgi instead of /htp/htdocs/FlowViewer/index.html, etc. (or however your http environment was set up.)
3. I start a report, but nothing comes back. Why not?
This could be caused by your web server CGI settings. Examine the httpd.conf file to make sure that the web server is set up to execute CGI. Make sure that the FlowViewer_Configuration parameters $cgi_bin_directory and $cgi_bin_short are set correctly with respect to your web server environment. Typically, the cgi-bin directory is aliased. Here is an example from Apache:
#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the realname directory are treated as applications and
# run by the server when requested rather than as documents sent to the client.
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
ScriptAlias /cgi-bin/ "/htp/cgi-bin/"
In this case, provided that the contents of the FlowViewer package reside in the /htp/cgi-bin/FlowViewer_4.0 directory, the relevant parameters and settings would be:
$cgi_bin_directory = "/htp/cgi-bin/FlowViewer_4.0";
$cgi_bin_short = "/cgi-bin/FlowViewer_4.0";
And, as always, make sure that all relevant directories have been created and permit the web-server process to write into them. This includes the 'reports', 'graphs', 'monitor', 'names', 'work', and 'log' (if you're logging) directories.
The following can help you get started. Be aware that it makes every file world-writable, including the CGI scripts the web server executes and the flow data itself, so any local account could then alter them. Use it only to confirm that permissions are the problem, and afterwards tighten things up: give the directories the CGI scripts write to the web server's group, and leave the scripts and the flow data read-only for that account.
From the $cgi_bin_directory issue a 'chmod -R 0777 *'
From the $flow_data_directory issue a 'chmod -R 0777 *'
From the $reports_directory issue a 'chmod -R 0777 *'
From the $graphs_directory issue a 'chmod -R 0777 *'
From the $monitor_directory issue a 'chmod -R 0777 *'
Turn on debug ($debug_viewer = "Y";, etc.), make a run, and examine the DEBUG_VIEWER output. The output will have the text of the flow-tools command that was created. Cut and paste this command to a command prompt, run the command, and review the results. This may give you a clue to what is happening.
You can also simply run FlowViewer.cgi, FlowGrapher.cgi, or FlowMonitor.cgi from the command line. This may provide a good hint. For example:
'cannot mkdir /var/www/FlowGrapher_3.2/: Permission denied at FlowGrapher.cgi line 58.'
This would mean that you have to loosen permissions on /var/www, or create the subdirectory yourself with adequate permissions. Preferably make it owned by, or group-writable for, the account the web server runs as (0755 or 0775) rather than world-writable (0777).
4. I start a report, but nothing comes back. Why not? Part II
Perhaps you haven't created the directory pointed to by $work_directory. This would prevent processing from completing.
5. I get a report back, but it has no data. What's up?
Make sure the FlowViewer scripts are reading flow-data from the correct directory. FlowViewer will look for flow-data according to three settings in the FlowViewer_Configuration.pm file. These are:
a. $flow_data_directory
b. @devices
c. $N
For example, here we track netflow data from several devices using the default flow-tools nesting value. Our file structure looks like:
/htp/flows/ecs_edc/2006/2006-01/2006-01-19/ft-v05.2006-01-19.000001-0500
<-- a --->&lt;- b --><--------- c ----------><-- actual flow-data file --->
In this case:
a) '/htp/flows' is our flow_data_directory,
b) 'ecs_edc' is one of our devices, and
c) the three levels of nested date-ordered directories are addressed by setting $N = 3 (the FlowViewer default.)
Note that $N can be confusing because the flow-tools documentation indicates that -N0 is the default, but if you do not put a '-N' modifier on your flow-capture statement, it will behave as if -N3 has been set.
In our FlowViewer_Configuration.pm, the variables are set as follows:
$flow_data_directory = "/htp/flows";
@devices = ("ecs_edc","router_1","router_2","router_3");
$N = 3;
Also, verify that the flow-tools binaries are in the $flow_bin_directory you have specified. 'which flow-stat' shows the copy on your own PATH; compare that location with $flow_bin_directory, since the CGI scripts use the configured directory, not your PATH.
6. I get a report back, but it has no data. Part II.
Another possibility for this problem is that the timestamps on the flows are not what you are expecting, and hence the data is completely filtered out. For example, you may wish to see everything from 10:00:00 to 11:00:00 but the report is empty, and you're sure you have data because there are plenty of non-zero sized ft-* files in your flow-data directory. It may be that the flows are time stamped quite differently from the file timestamp.
In this case a simple "flow-print -f5 < ft-v05.2006-01-19.100001-0500" will list the flows with their embedded time stamps. The output could be long, so you might want to redirect it to a file first. Compare the flow timestamps to what you are expecting. If they are off, then perhaps your router's clock is wrong, or your collector's clock is wrong.
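As an added example for FAQ #5 and #6 (this is not FlowViewer code), the shell script below reproduces the directory layout from the three configuration values, pulls the stamp out of a flow-tools file name so it can be compared with what 'flow-print -f5' shows, and checks that each configured device's directory for a given day exists, contains non-empty ft-* files, and is readable by the account running the script. It goes beyond the page's $N = 3 case by handling nesting levels 0 to 3 as flow-capture's -N option lays them out. The configuration values are the FAQ's own example; the function names are mine, and the trailing +/-ZZZZ in the file name is taken to be the collector's UTC offset.

```shell
#!/bin/sh
# Added example, not part of FlowViewer: check that what is on disk matches
# $flow_data_directory, @devices and $N from FlowViewer_Configuration.pm.
# The three values below are the FAQ's own example; change them to yours.
flow_data_directory="/htp/flows"
devices="ecs_edc router_1 router_2 router_3"
N=3

# flow_dir DEVICE YYYY MM DD
# Echo the directory flow-capture writes into for nesting level $N
# (0: none, 1: YYYY, 2: YYYY/YYYY-MM, 3: YYYY/YYYY-MM/YYYY-MM-DD).
flow_dir() {
    fd_base="$flow_data_directory/$1"
    case "$N" in
        0) echo "$fd_base" ;;
        1) echo "$fd_base/$2" ;;
        2) echo "$fd_base/$2/$2-$3" ;;
        3) echo "$fd_base/$2/$2-$3/$2-$3-$4" ;;
        *) echo "unsupported nesting level N=$N" >&2; return 1 ;;
    esac
}

# ft_stamp FILENAME
# Print "YYYY-MM-DD HH:MM:SS +/-ZZZZ" from a flow-tools file name of the form
# ft-vNN.YYYY-MM-DD.HHMMSS<utc-offset>. This is the file's own stamp, which
# FAQ #6 compares with the per-flow times that 'flow-print -f5' prints.
ft_stamp() {
    fs_name=${1##*/}
    case "$fs_name" in                       # shape check only
        ft-v??.????-??-??.??????[+-]????) ;;
        *) echo "not a flow-tools file name: $fs_name" >&2; return 1 ;;
    esac
    fs_rest=${fs_name#ft-v??.}               # 2006-01-19.000001-0500
    fs_day=${fs_rest%%.*}                    # 2006-01-19
    fs_tm=${fs_rest#*.}                      # 000001-0500
    fs_hms=${fs_tm%[+-]*}                    # 000001
    fs_off=${fs_tm#"$fs_hms"}                # -0500
    fs_mm=${fs_hms#??}; fs_mm=${fs_mm%??}    # 00
    echo "$fs_day ${fs_hms%????}:$fs_mm:${fs_hms#????} $fs_off"
}

# check_device DEVICE YYYY MM DD
# Verify the directory exists, holds at least one non-empty ft-* file, and
# that every ft-* file there is readable by the account running this script.
# Run it as the web-server account (e.g. 'sudo -u apache sh thisfile.sh') to
# reproduce what the CGI scripts see (FAQ #8).
check_device() {
    ck_dir=$(flow_dir "$1" "$2" "$3" "$4") || return 1
    [ -d "$ck_dir" ] || { echo "$1: missing $ck_dir (check \$N and @devices)"; return 1; }
    ck_found=0
    for ck_f in "$ck_dir"/ft-*; do
        [ -e "$ck_f" ] || break              # the glob matched nothing
        [ -r "$ck_f" ] || { echo "$1: $ck_f is not readable"; return 1; }
        [ -s "$ck_f" ] && ck_found=1
    done
    [ "$ck_found" = 1 ] || { echo "$1: no non-empty ft-* files in $ck_dir"; return 1; }
    echo "$1: OK ($ck_dir)"
}

# check_all [YYYY MM DD]   (defaults to today, in the collector's local time)
check_all() {
    [ $# -eq 3 ] || set -- $(date +'%Y %m %d')
    ca_rc=0
    for ca_dev in $devices; do
        check_device "$ca_dev" "$1" "$2" "$3" || ca_rc=1
    done
    return $ca_rc
}

# The FAQ's example path and file, reproduced from the configuration above.
flow_dir ecs_edc 2006 01 19
ft_stamp ft-v05.2006-01-19.000001-0500
# With arguments, check that day for every device: sh thisfile.sh 2006 01 19
case $# in 0) ;; *) check_all "$@" ;; esac
```

Run it as the web-server account so that the readability test reflects what the CGI scripts get; a device that passes here but still yields empty reports points at the timestamp problem in FAQ #6 or at SELinux (FAQ #8) rather than at the directory layout.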
7. I get a report back, but it has no data. Part III.
In the situation where you generated a large FlowViewer or FlowGrapher report you may have generated a temporary intermediate file (e.g., /tmp/FlowGrapher_output_070406) that exceeds the amount of space available to the partition that holds your working directory (e.g., you used up all of /tmp space.) To fix this, remove the offending file and either run a smaller report, or increase the size of your working directory, or move it to a directory on a larger partition.
8. The settings are correct, but it still has no data. What's up?
Another possibility for an empty report is that the web server (e.g., Apache) that is running the CGI scripts does not have adequate permission to read from the flow-data directory or files. Review the permissions of the flow-data directories and files to make sure they are 'open' enough.
Make sure that Apache can get access to the flow-tools specified by the $flow_bin_directory parameter.
The following can help you get started. As noted in FAQ #3, it makes everything world-writable, including the scripts the web server executes; afterwards tighten things up.
From the $cgi_bin_directory issue a 'chmod -R 0777 *'
From the $flow_data_directory issue a 'chmod -R 0777 *'
From the $reports_directory issue a 'chmod -R 0777 *'
From the $graphs_directory issue a 'chmod -R 0777 *'
From the $monitor_directory issue a 'chmod -R 0777 *'
If you are running a version of Security Enhanced Linux (SELinux), verify that there are no file or directory access controls that are preventing Apache from accessing either the flow-data directory and files, or the flow-tools themselves. A denial shows up as an AVC message in /var/log/audit/audit.log (or via 'ausearch -m avc'). Putting SELinux into permissive mode with 'setenforce 0' lets you confirm that labels, rather than file permissions, are the problem, without leaving the machine unprotected permanently.
Since everything in the stock configuration (original FlowViewer_Configuration.pm) is below /var/www, one can issue the following command to free things up:
host> chcon -R -t public_content_rw_t /var/www
Note that chcon changes are lost on the next relabel (restorecon); to make them permanent, record the context with 'semanage fcontext' and then run restorecon. The narrower httpd_sys_content_t (read) and httpd_sys_rw_content_t (read/write) types grant access to Apache only, rather than to every service on the host.
Or you could disable SELinux functionality:
In /etc/selinux/config file, set SELINUX=disabled. This removes SELinux confinement for every service on the host, not only Apache, so fixing the labels is the better choice.
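As an added example for FAQ #3 and #8 (this is not FlowViewer's code), here is a least-privilege alternative to the 'chmod -R 0777' bootstrap: the scripts and flow data become read-only for the web server's group, only the output directories become group-writable, and an audit function reports anything left world-writable. The group name and the directory arguments are assumptions to be replaced with the values from your FlowViewer_Configuration.pm; the web server's group is typically 'apache' on Red Hat-style systems and 'www-data' on Debian-style ones.

```shell
#!/bin/sh
# Added example, not FlowViewer code: a least-privilege replacement for the
# FAQ's 'chmod -R 0777'. The group name and directories passed in are
# assumptions; substitute the values from FlowViewer_Configuration.pm.

# mode_of PATH : the ls(1) permission string, e.g. drwxrws--- (for audit output)
mode_of() { ls -ld "$1" | cut -c1-10; }

# fv_audit PATH... : list world-writable entries under the given paths
# (what 'chmod -R 0777' leaves behind); returns 1 if any are found.
fv_audit() {
    fa_bad=$(find "$@" -perm -0002 -print)
    [ -z "$fa_bad" ] && return 0
    printf 'world-writable:\n%s\n' "$fa_bad"
    return 1
}

# fv_perms WEBGROUP CGI_DIR FLOW_DATA_DIR WRITABLE_DIR...
#   CGI_DIR        FlowViewer scripts: 0755 directories and *.cgi, 0644 for the
#                  rest, writable only by the owner, so nothing but the account
#                  that installed them can edit what the web server executes
#   FLOW_DATA_DIR  flow-capture output: owner keeps write access, the
#                  web-server group gets read-only access, others nothing
#   WRITABLE_DIR   reports, graphs, monitor, names, work, log: group-writable
#                  with setgid so files the CGI scripts create keep the group
# Assumes flow-capture runs as the owner of FLOW_DATA_DIR; if it runs as the
# web-server account instead, give that tree the WRITABLE_DIR treatment.
fv_perms() {
    fp_grp=$1; fp_cgi=$2; fp_data=$3; shift 3
    for fp_d in "$@"; do mkdir -p "$fp_d" || return 1; done
    chgrp -R "$fp_grp" "$fp_cgi" "$fp_data" "$@" || return 1
    find "$fp_cgi" -type d -exec chmod 0755 {} +
    find "$fp_cgi" -type f -exec chmod 0644 {} +
    find "$fp_cgi" -type f -name '*.cgi' -exec chmod 0755 {} +
    find "$fp_data" -type d -exec chmod 0750 {} +
    find "$fp_data" -type f -exec chmod 0640 {} +
    for fp_d in "$@"; do                # after CGI_DIR, in case these live under it
        find "$fp_d" -type d -exec chmod 2770 {} +
        find "$fp_d" -type f -exec chmod 0660 {} +
    done
    fv_audit "$fp_cgi" "$fp_data" "$@"  # fails if anything is still world-writable
}

# Usage, with the web group assumed to be 'apache' and the directories taken
# from FlowViewer_Configuration.pm:
#   fv_perms apache "$cgi_bin_directory" "$flow_data_directory" \
#       "$reports_directory" "$graphs_directory" "$monitor_directory" \
#       "$work_directory"
```

After running it, repeat the failing report as the web-server account ('sudo -u apache' followed by the path to FlowViewer.cgi, if your server runs as apache) to confirm that the tighter modes still let the scripts read the flow data and write their outputs; a file or directory that fv_audit lists afterwards is one the tightening missed.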
9. On long queries the browser seems to 'time out.' Why?
When you have requested a time period that requires the analysis of many flows, no data is sent to the browser while flow-tools is working. If that silence lasts longer than the web server's (or browser's) idle timeout, the connection is dropped, and the finished report has nowhere to go.
Raise the web server or browser setting that controls this. With Apache it is the Timeout directive, 300 seconds in the stock httpd.conf shown below; 1800 permits browser-to-server connections to stay idle for 30 minutes.
Apache example, in the httpd.conf file:
#
# Timeout: The number of seconds before receives and sends time out.
#
#Timeout 300
Timeout 1800
Remember to stop/restart your web server in order to read the new httpd.conf settings.
Some have had to modify a similar setting on their browsers.