Paolo Lucente
Fri, 04 Dec 2009 08:52:20 -0800
Hi Slava, I essentially see you reporting two different issues:
a) the debug message saying "unknown template"; which you should see disappearing after a while, ie. as soon as the router exports the template to pmacct. Before that happens, pmacct doesn't know how to parse the NetFlow v9 datagram it's receiving. b) A buffer overflow. By reading the NF_counters_renormalize_handler() there should be only a single place where that can happen. What is the device exporting NetFlow data to pmacct? It seems not to comply to RFC3954 with regards to size of the FLOW_SAMPLER_ID primitive. See if this workaround works: edit NF_counters_renormalize_handler() in the pkt_handlers.c file. Replace the only memcpy() call within the function as: memcpy(&sampler_id, pptrs->f_data+tpl->tpl[NF9_FLOW_SAMPLER_ID].off, MIN(1, tpl->tpl[NF9_FLOW_SAMPLER_ID].len)); Recompile. Do you still see it crashing? If yes, please send me privately a pcap capture of some NetFlow v9 packets - including the template. Cheers, Paolo On Fri, Dec 04, 2009 at 06:23:39PM +0200, Slava Dubrovskiy wrote: > Hi. > > Need switch on sampling and begin get such errors: > > > DEBUG ( default/core ): Discarded NetFlow V9 packet (R: unknown template > 269 [192.168.21.1:0]) > [ ... ] > *** buffer overflow detected ***: nfacctd: Core Process [default] _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists