Hi Cedric,

43874 is the IANA-assigned enterprise number of pmacct. You have that
as part of your sFlow packets since tag or tag2 are part of your config
directive aggregate. Tags is pmacct-specific information and hence it's
encoded with the pmacct enterprise number. I believe you have two ways
forward: either you remove tags from your aggregate; or you find a way
to make them swallowed (decoded or skipped) by Net::sFlow (btw we should
have Elisa, the author of Net::sFlow, on the list - dunno if she has
anything to comment at this propo).

Cheers,
Paolo

On Wed, Jan 04, 2017 at 03:09:07PM +0100, Cédric ML wrote:
> Hi Paolo,
> sflowtool seems to give good results, but there's is still one
> problem : in each sflow sample, I have this :
> 
> skipping unknown flow_sample_element: 43874:2 len=16
> This causes problems with perl Net::sFlow library, as Flowdata
> enterprise: 43874 is not recognized.
> I'm unable to trace where this "43874" comes from...
> 
> Regards,
> Cédric
> 
> 
> Le 29/12/2016 à 12:38, Paolo Lucente a écrit :
> >Hi Cedric,
> >
> >While i can't say it's the very same issue, it seems related to what i
> >describe in the following comment:
> >
> >https://github.com/pmacct/pmacct/issues/71#issuecomment-265497661
> >
> >The sFlow dissector of Wireshark seems buggy and i recommend using
> >sflowtools for debugging and troubleshooting purposes.
> >
> >Cheers,
> >Paolo
> >
> >On Wed, Dec 28, 2016 at 04:22:19PM +0100, Cédric ML wrote:
> >>Hello,
> >>I'm trying to make pmacct work with a bgp agent (bird).
> >>
> >>pmacct is installed on the bgp router, bgp_agent session is up, and
> >>prefixes are exported to pmacct process.
> >>
> >>This bgp router has three vlans (50,51,52) on interface eth0.
> >>
> >>I'm trying to get correct correct values in incoming/outgoing VLANs,
> >>and source/destination AS (using pretag.map, maybe there is a
> >>simpler way ?)
> >>
> >>My problem, when running "pmacctd -f pmacctd.sflow.conf", is that
> >>wireshark tells me : "Expert Info (Error/Malformed): Malformed
> >>Packet (Exception occurred)"
> >>Agent address & ID are correctly displayed in capture (agent
> >>address=127.0.0.1 & agent_id=0)
> >>
> >>Here's the output of pmacctd :
> >>
> >># pmacctd -f pmacctd.sflow.conf
> >>INFO ( default/core ): Promiscuous Mode Accounting Daemon, pmacctd
> >>1.6.2-git (20161222-00)
> >>INFO ( default/core ):
> >>INFO ( default/core ): Reading configuration file
> >>'/usr/local/etc/pmacct/pmacctd.sflow.conf'.
> >>INFO ( sfprobe/sfprobe ): plugin_pipe_size=4096000 bytes
> >>plugin_buffer_size=384 bytes
> >>INFO ( sfprobe/sfprobe ): ctrl channel: obtained=124928 bytes
> >>target=85328 bytes
> >>INFO ( default/core ): [/usr/local/etc/pmacct/pretag.map] (re)loading map.
> >>DEBUG ( sfprobe/sfprobe ): Creating sFlow agent.
> >>INFO ( sfprobe/sfprobe ): Exporting flows to [192.168.156.109]:6343
> >>INFO ( sfprobe/sfprobe ): Sampling at: 1/1000
> >>INFO ( default/core ): [/usr/local/etc/pmacct/pretag.map] map
> >>successfully (re)loaded.
> >>INFO ( default/core ): [/usr/local/etc/pmacct/pretag.map] (re)loading map.
> >>INFO ( default/core ): [/usr/local/etc/pmacct/pretag.map] map
> >>successfully (re)loaded.
> >>INFO ( default/core ): link type is: 1
> >>WARN ( default/core ): eth0: no IPv4 address assigned
> >>INFO ( default/core ): [/usr/local/etc/pmacct/agent_to_peer.map]
> >>(re)loading map.
> >>INFO ( default/core ): [/usr/local/etc/pmacct/agent_to_peer.map] map
> >>successfully (re)loaded.
> >>DEBUG ( default/core/BGP ): 1 thread(s) initialized
> >>INFO ( default/core/BGP ): maximum BGP peers allowed: 2
> >>INFO ( default/core/BGP ): waiting for BGP data on 127.0.0.1:17917
> >>INFO ( default/core/BGP ): [127.0.0.1] BGP peers usage: 1/2
> >>INFO ( default/core/BGP ): [x.x.x.x] Capability: MultiProtocol [1]
> >>AFI [1] SAFI [1]
> >>INFO ( default/core/BGP ): [x.x.x.x] Capability: 4-bytes AS [41] ASN
> >>[203596]
> >>INFO ( default/core/BGP ): [x.x.x.x] BGP_OPEN: Local AS: 203596
> >>Remote AS: 203596 HoldTime: 240
> >>DEBUG ( default/core/BGP ): [x.x.x.x] BGP_KEEPALIVE received
> >>DEBUG ( default/core/BGP ): [x.x.x.x] BGP_KEEPALIVE sent
> >>DEBUG ( sfprobe/sfprobe ): c08c60e112a7 -> 6805ca3dca86 (len = 1478,
> >>captured = 128)
> >>DEBUG ( sfprobe/sfprobe ): 78baf965af1f -> 6805ca3dca86 (len = 64,
> >>captured = 64)
> >>DEBUG ( sfprobe/sfprobe ): 78baf965af1f -> 6805ca3dca86 (len = 64,
> >>captured = 64)
> >>...
> >>
> >>
> >>Can anybody tell me what may be wrong in my config ?
> >>
> >>Best regards,
> >>Cédric
> >>
> >>========================================
> >>== file pmacctd.sflow.conf
> >>debug: true
> >>daemonize: false
> >>interface: eth0
> >>aggregate: tag, src_host, dst_host, src_port, dst_port, proto, tos,
> >>src_as, dst_as
> >>plugins: sfprobe[sfprobe]
> >>sfprobe_receiver: 192.168.156.109:6343
> >>sfprobe_direction[sfprobe]: tag
> >>sfprobe_ifindex[sfprobe]: tag2
> >>sampling_rate: 1000
> >>pmacctd_as: bgp
> >>bgp_daemon: true
> >>bgp_daemon_ip: 127.0.0.1
> >>bgp_daemon_port: 17917
> >>bgp_agent_map: /usr/local/etc/pmacct/agent_to_peer.map
> >>bgp_peer_as_skip_subas: true
> >>bgp_peer_src_as_type: bgp
> >>pre_tag_map: /usr/local/etc/pmacct/pretag.map
> >>
> >>== file agent_to_peer.map
> >>bgp_ip=x.x.x.x ip=0.0.0.0/0
> >>
> >>== file pretag.map (inspired by examples/pretag.map.example)
> >>set_tag=1 filter='ether src 00:26:51:cb:8f:db' jeq=five
> >>set_tag=1 filter='ether src d4:6d:50:23:2b:ea' jeq=six
> >>set_tag=1 filter='ether src 78:ba:f9:65:af:1f' jeq=seven
> >>set_tag=2 filter='ether dst 00:26:51:cb:8f:db' jeq=five
> >>set_tag=2 filter='ether dst d4:6d:50:23:2b:ea' jeq=six
> >>set_tag=2 filter='ether dst 78:ba:f9:65:af:1f' jeq=seven
> >>set_tag2=50 label=five
> >>set_tag2=51 label=six
> >>set_tag2=52 label=seven
> >>
> >>_______________________________________________
> >>pmacct-discussion mailing list
> >>http://www.pmacct.net/#mailinglists
> >_______________________________________________
> >pmacct-discussion mailing list
> >http://www.pmacct.net/#mailinglists
> 

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Reply via email to