Hi Ed,

The log message produced is actually very simple:

Log([..] expecting flow '%u' but received '%u' collector=%s:%u agent=%s:%u 
[..]);

It's a start for some basic analysis but you can get false positives,
for example due to out of order arrival of packets. In recent pmacct
releases you have a new primitive, export_proto_seqno, precisely to
report on sequence numbers. As it can be read in CONFIG-KEYS:

export_proto_seqno reports about export protocol (NetFlow, sFlow, IPFIX)
sequence number; due to its potential de-aggregation effect, two main
use-cases are seen as use of this primitive:

1) if using a log type (de-)aggregation method, i.e. for security,
   forensics, etc., in addition to existing primitives;

2) if using a reporting type aggregation method, it is recommended to
   split this primitive in a separate plugin instance instead for
   sequencing analysis.

You fall in use-case #2. You may instantiate a memory or print
plugin setting the aggregate to 'peer_src_ip, export_proto_seqno'. This
way you can perform a more contextual analysis over periods of time (i.e.
1 min).

Cheers,
Paolo

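As an added example (not pmacct's own code and not part of Paolo's reply), this Python check reads the CSV a print plugin instance aggregating on 'peer_src_ip, export_proto_seqno' would write for one window, sorts the sequence numbers per exporter and then looks for holes, so a datagram that merely arrived late is not counted as lost. It assumes CSV output with PEER_SRC_IP and EXPORT_PROTO_SEQNO column names, a counter that advances by one per datagram (as with NetFlow v9 and sFlow), and no 32-bit wrap inside the window; the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of print-plugin CSV output for a plugin instance whose
# aggregate is 'peer_src_ip, export_proto_seqno' (column names are assumed).
# Rows for 192.0.2.10 arrive out of order and skip 1004-1006.
SAMPLE_CSV = """PEER_SRC_IP,EXPORT_PROTO_SEQNO,PACKETS,BYTES
192.0.2.10,1001,5,4000
192.0.2.10,1003,3,1200
192.0.2.10,1002,7,9100
192.0.2.10,1007,2,300
198.51.100.7,55,4,800
198.51.100.7,56,1,60
"""

def load_seqnos(csv_text):
    """Collect the set of export sequence numbers seen per exporter."""
    seen = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        seen[row["PEER_SRC_IP"]].add(int(row["EXPORT_PROTO_SEQNO"]))
    return seen

def find_seqno_gaps(csv_text):
    """Return {peer: [(last_seen, next_seen, missing_count), ...]}.

    All numbers collected over the window are sorted before neighbours are
    compared, so a datagram that merely arrived late is not reported as
    lost, unlike a per-packet 'expecting X but received Y' check. Assumes a
    counter that advances by one per datagram and no 32-bit wrap inside the
    window.
    """
    gaps = {}
    for peer, seqnos in load_seqnos(csv_text).items():
        ordered = sorted(seqnos)
        gaps[peer] = [(prev, cur, cur - prev - 1)
                      for prev, cur in zip(ordered, ordered[1:])
                      if cur - prev > 1]
    return gaps

def loss_summary(csv_text):
    """Per-exporter total of datagrams missing in the window."""
    return {peer: sum(missing for _, _, missing in peer_gaps)
            for peer, peer_gaps in find_seqno_gaps(csv_text).items()}

if __name__ == "__main__":
    for peer, peer_gaps in find_seqno_gaps(SAMPLE_CSV).items():
        for prev, cur, missing in peer_gaps:
            print(f"{peer}: {missing} datagram(s) missing between {prev} and {cur}")
```

Run it once per print_refresh_time window; a non-zero total for an exporter that is known to emit a per-datagram counter is real loss, whereas the per-packet log line can fire on reordering alone.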
On Thu, Feb 23, 2017 at 11:09:19AM -0600, Edward Henigin wrote:
> I see in the config keys for nfacctd that by default it checks sequence
> numbers and will log an error if any are missing.
> 
> [ nfacctd_disable_checks | sfacctd_disable_checks ] [GLOBAL, NO_PMACCTD]
> Values: [true|false]
> Desc: both nfacctd and sfacctd check health of incoming NetFlow/sFlow datagrams -
> actually this is limited to just verifying sequence numbers progression.
> You may want to disable such feature because of non-standard
> implementations. By default checks are enabled.
> (default: false)
> 
> 
> My question: what does that log message look like? I suspect I'm losing
> flows and I want to check the logs for evidence. I looked in src/nfacctd.c
> to see if I could tell what the syslog message would look like but I can't
> figure out where it's checking the sequence numbers for continuity and
> logging an error on lost data.
> 
> Thanks,
> 
> Ed



_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
