Hi Ruben,

Interesting behaviour you are describing. 

In-line for a comment about the high interface value: 

On Thu, Jan 23, 2014 at 09:01:56PM +0100, Ruben Laban wrote:

> As for the ports, I meant to say interfaces ;-) So I did a snmpwalk
> against the switch and this told me that those interface numbers 211
> and 48 correspond to respectively trk2 (2nd configured trunk) and
> port 48. So far, so good. The number 1073741823 doesn't show up at
> all in the snmpwalk though, which is rather odd. Then again the
> number is 0x3FFFFFFF which is probably something "special".

Indeed, that is a "special" indicating that there is no input/output
interface (depending on which field the 0x3FFFFFFF is found in). This is
typically the case if you ping the switch itself, for example.

Cheers,
Paolo

> On 2014-01-23 14:50, Paolo Lucente wrote:
> >Hi Ruben,
> >
> >Those are input and output interfaces of the switch, expressed as SNMP
> >ifIndexes. If you see later in the CSV you have SRC_PORT and DST_PORT
> >fields which are zero - making sense since the packets' IP protocol is
> >ICMP.
> >
> >In general, if you see anything strange with sFlow and want to debug
> >or confirm whether it's pmacct or the switch, you can resort to
> >sflowtool.
> >
> >On your question about the free traffic generator: +1 for Ostinato.
> >
> >Cheers,
> >Paolo
> >
> >On Thu, Jan 23, 2014 at 08:28:18AM +0100, Ruben Laban wrote:
> >>Hi,
> >>
> >>I'm currently in the process of migrating from a monitoring and
> >>accounting setup based on pmacctd/libpcap to sfacctd/sflow. However,
> >>while doing so I ran into a few things:
> >>
> >>* Can sfacctd somehow also "process" the polled (interface globals)
> >>data?
> >>
> >>* How can one "decipher" the IN_IFACE and OUT_IFACE fields? For
> >>example:
> >>
> >>TAG,TAG2,CLASS,SRC_MAC,DST_MAC,VLAN,COS,ETYPE,SRC_AS,DST_AS,BGP_COMMS,AS_PATH,PREF,MED,PEER_SRC_AS,PEER_DST_AS,PEER_SRC_IP,PEER_DST_IP,IN_IFACE,OUT_IFACE,MPLS_VPN_RD,SRC_IP,DST_IP,SRC_MASK,DST_MASK,SRC_PORT,DST_PORT,TCP_FLAGS,PROTOCOL,TOS,PACKETS,FLOWS,BYTES
> >>
> >>0,0,unknown,00:00:00:00:00:00,00:00:00:00:00:00,0,0,0,0,0,0,,0,0,0,0,10.255.255.12,,211,48,0:0:0,10.255.255.2,10.255.255.1,0,0,0,0,0,icmp,0,2,0,204
> >>
> >>0,0,unknown,00:00:00:00:00:00,00:00:00:00:00:00,0,0,0,0,0,0,,0,0,0,0,10.255.255.12,,1073741823,1073741823,0:0:0,10.255.255.1,10.255.255.2,0,0,0,0,0,icmp,0,1,0,102
> >>
> >>I have a continuous ping running between 10.255.255.1 and
> >>10.255.255.2 which passes ports that are sampled by sFlow. However,
> >>the ports 211, 48 and 1073741823 look rather bogus to me. So either
> >>my switches (HP 2920) send garbled data, or some more effort is
> >>needed to turn it into something useful.
> >>
> >>On a slightly related note, but probably rather off-topic: what are
> >>commonly used free methods of generating lots of network traffic?
> >>Ideally it would be something that could create several hundred Mbps
> >>of random traffic.
> >>
> >>Regards,
> >>Ruben
> >>
> >>_______________________________________________
> >>pmacct-discussion mailing list
> >>http://www.pmacct.net/#mailinglists
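Added example, not part of the thread and not pmacct code: a decoder for the IN_IFACE/OUT_IFACE values discussed above, applied to pmacct CSV output. It goes beyond the thread by also handling the format bits (top 2 bits of the 32-bit value) defined in the sFlow version 5 specification; the function names, the ifIndex-to-name map and the reduced CSV sample are assumptions constructed for illustration.

```python
import csv
import io

NO_IFACE = 0x3FFFFFFF  # value discussed in the thread: no input/output interface

# ifIndex -> name, as an snmpwalk of the switch would give it. The two entries
# are the ones named in the thread; extend per device (assumption).
IF_NAMES = {211: "trk2", 48: "port 48"}

# Constructed sample: the thread's two rows reduced to the relevant columns.
SAMPLE_CSV = """PEER_SRC_IP,IN_IFACE,OUT_IFACE,SRC_IP,DST_IP,PROTOCOL,PACKETS,BYTES
10.255.255.12,211,48,10.255.255.2,10.255.255.1,icmp,2,204
10.255.255.12,1073741823,1073741823,10.255.255.1,10.255.255.2,icmp,1,102
"""

def decode_iface(raw, direction, names=IF_NAMES):
    """Decode one sFlow v5 interface value; direction is 'in' or 'out'."""
    value = int(raw)
    fmt, low30 = value >> 30, value & 0x3FFFFFFF
    if value == 0:
        return "unknown"
    if fmt == 0 and low30 == NO_IFACE:
        # Packet originated in (input) or terminated at (output) the device.
        return "none (from device itself)" if direction == "in" else "none (to device itself)"
    if fmt == 0:
        return names.get(low30, f"ifIndex {low30} (not in map)")
    if fmt == 1:
        return f"discarded (reason code {low30})"
    if fmt == 2:
        return f"multiple outputs ({low30} interfaces)"
    return f"unrecognised format {fmt} (raw {value})"

def annotate(csv_text):
    """Return (src, dst, in_iface, out_iface) per row of pmacct CSV output."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append((row["SRC_IP"], row["DST_IP"],
                     decode_iface(row["IN_IFACE"], "in"),
                     decode_iface(row["OUT_IFACE"], "out")))
    return rows

if __name__ == "__main__":
    for src, dst, i, o in annotate(SAMPLE_CSV):
        print(f"{src} -> {dst}: in={i} out={o}")
```

An ifIndex reported as "not in map" is a prompt to refresh the SNMP interface table for that agent before trusting per-interface accounting.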