It is using the Hardware setting, which is 1:1024; even if it was using the 
1:20000, it is not logging any packets in nfsen. Port is not mentioned because 
it is the default of 6343. I have already confirmed it is sending and being 
received by both a pcap and strace on the sfcapd process.


Rich Hall
IT Infrastructure
GSA Capital Partners LLP
Stratton House
5 Stratton Street
London W1J 8LA
Direct +44 (0)20 33104162
Mobile +44 (0)79 6821 1716
Reception +44 (0)20 7959 8800
www.gsacapital.com


From: Roger B <flahammerh...@gmail.com>
Sent: 18 August 2021 00:56
To: Hall, Richard <richard.h...@gsacapital.com>
Cc: nfsen-discuss@lists.sourceforge.net
Subject: Re: [Nfsen-discuss] sflow from Arista Switch


One in 20,000 packets isn’t much IMO. I usually set for 1024 or even 512. Also 
I don’t see the destination port configured, though is it correct by default? 
It must match what the collector expects.

Can you run a TCPDUMP session to verify the switch is sending packets?


On Aug 17, 2021, at 6:56 PM, Hall, Richard <richard.h...@gsacapital.com> wrote:

Switch config is as follows:

sflow sample 20000
sflow vrf Management destination 10.10.1.136
sflow vrf Management source-interface Management1
sflow run
!
sflow hardware acceleration
sflow hardware acceleration sample 1024


Regards
Rich Hall

From: Roger B <flahammerh...@gmail.com>
Sent: 17 August 2021 21:18
To: Hall, Richard <richard.h...@gsacapital.com>
Cc: nfsen-discuss@lists.sourceforge.net
Subject: Re: [Nfsen-discuss] sflow from Arista Switch


Can you show your switch config for netflow, including sampling/port/etc.?

On Aug 17, 2021, at 2:39 PM, Hall, Richard <richard.h...@gsacapital.com> wrote:
I have nfsen working with netflow, and am attempting to add a couple of Arista 
DCS-7280SR2K-48C6-M-R switches running EOS 4.25.4M that do hardware-accelerated 
sflow. I have added them to the %sources in the nfsen.conf:

'switch1' => { 'port' => '6343', 'IP' => '10.10.38.8', 'type' => 'sflow', 'col' => '#FF0099', 'optarg' => ' -T all ' },
'switch2' => { 'port' => '6343', 'IP' => '10.10.8.67', 'type' => 'sflow', 'col' => '#FF0066', 'optarg' => ' -T all ' },

I then run "nfsen reconfig" successfully.

I restart nfsen, the new hosts show up and I have files being created in the 
profiles-data directory with a length of 276B. I do not have any firewall 
running and I can confirm I can see the sflow v5 data coming from the switch 
using tshark. I can also see that the sfcapd process is listening:

[root@nfsen ~]# netstat -antup | grep 6343
udp 0 0 0.0.0.0:6343 0.0.0.0:* 122944/sfcapd

I can confirm the process is receiving the packets by running strace -p 122944, 
which shows a recvfrom() for each packet. When it rotates the files every 5 
min, I see it stat, rename, open and write no problem. It just doesn't seem to 
write anything other than the default empty file info.

recvfrom(3, 
"\0\0\0\5\0\0\0\1\n\322\10C\0\0\0\0\0\2\307\v\5l\362P\0\0\0\7\0\0\0\2"..., 
65535, 0, {sa_family=AF_INET, sin_port=htons(51771), 
sin_addr=inet_addr("10.10.8.67")}, [16]) = 1269
recvfrom(3, 
"\0\0\0\5\0\0\0\1\n\322&\10\0\0\0\0\0\2\25\6\5l>\240\0\0\0\3\0\0\0\2"..., 
65535, 0, {sa_family=AF_INET, sin_port=htons(41901), 
sin_addr=inet_addr("10.10.38.8")}, [16]) = 565
alarm(0) = 10
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=3661, ...}) = 0
lseek(6, 0, SEEK_SET) = 0
write(6, "\f\245\1\0\1\0\0\0\0\0\0\0switch1\0\0\0\0\0\0\0\0\0\0\0"..., 140) = 
140
write(6, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 
136) = 136
close(6) = 0
stat("/data/nfsen/profiles-data/live/switch1/2021/08/17", 
{st_mode=S_IFDIR|0755, st_size=12288, ...}) = 0
rename("/data/nfsen/profiles-data/live/switch1/nfcapd.current.122942", 
"/data/nfsen/profiles-data/live/switch1/2021/08/17/nfcapd.202108171855") = 0
stat("/data/nfsen/profiles-data/live/switch1/2021/08/17/nfcapd.202108171855", 
{st_mode=S_IFREG|0644, st_size=276, ...}) = 0
semop(9764873, [{0, -1, 0}], 1) = 0
semop(9764873, [{0, 1, 0}], 1) = 0
sendto(4, "<30>Aug 17 19:00:00 sfcapd[12294"..., 121, MSG_NOSIGNAL, NULL, 0) = 
121
open("/data/nfsen/profiles-data/live/switch1/nfcapd.current.122942", 
O_RDWR|O_CREAT|O_TRUNC, 0644) = 6
write(6, "\f\245\1\0\1\0\0\0\0\0\0\0switch1\0\0\0\0\0\0\0\0\0\0\0"..., 140) = 
140
write(6, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 
136) = 136
lseek(7, 0, SEEK_SET) = 0
write(7, "\f\245\1\0\1\0\0\0\0\0\0\0switch2\0\0\0\0\0\0\0\0\0\0\0"..., 140) = 
140
write(7, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 
136) = 136
close(7) = 0
stat("/data/nfsen/profiles-data/live/switch2/2021/08/17", 
{st_mode=S_IFDIR|0755, st_size=12288, ...}) = 0
rename("/data/nfsen/profiles-data/live/switch2/nfcapd.current.122942", 
"/data/nfsen/profiles-data/live/switch2/2021/08/17/nfcapd.202108171855") = 0
stat("/data/nfsen/profiles-data/live/switch2/2021/08/17/nfcapd.202108171855", 
{st_mode=S_IFREG|0644, st_size=276, ...}) = 0
semop(9797642, [{0, -1, 0}], 1) = 0
semop(9797642, [{0, 1, 0}], 1) = 0
sendto(4, "<30>Aug 17 19:00:00 sfcapd[12294"..., 121, MSG_NOSIGNAL, NULL, 0) = 
121
open("/data/nfsen/profiles-data/live/switch2/nfcapd.current.122942", 
O_RDWR|O_CREAT|O_TRUNC, 0644) = 7
write(7, "\f\245\1\0\1\0\0\0\0\0\0\0switch2\0\0\0\0\0\0\0\0\0\0\0"..., 140) = 
140
write(7, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 
136) = 136
sendto(4, "<30>Aug 17 19:00:00 sfcapd[12294"..., 60, MSG_NOSIGNAL, NULL, 0) = 60
alarm(310) = 0

If I run the sfcapd process in the console with -E, it just seems to sit there:

[root@nfsen ~]# /usr/bin/sfcapd -w -p 6343 -u observium -g observium -B 200000 -S 1 -P /data/nfsen/var/run/p6343.pid \
-z -n switch1,10.210.38.8,/data/nfsen/profiles-data/live/switch1 -E -T all
Add extension: 2 byte input/output interface index
Add extension: 4 byte input/output interface index
Add extension: 2 byte src/dst AS number
Add extension: 4 byte src/dst AS number
Add extension: dst tos, direction, src/dst mask
Add extension: IPv4 next hop
Add extension: IPv6 next hop
Add extension: IPv4 BGP next IP
Add extension: IPv6 BGP next IP
Add extension: src/dst vlan id
Add extension: 4 byte output packets
Add extension: 8 byte output packets
Add extension: 4 byte output bytes
Add extension: 8 byte output bytes
Add extension: 4 byte aggregated flows
Add extension: 8 byte aggregated flows
Add extension: in src/out dst mac address
Add extension: in dst/out src mac address
Add extension: MPLS Labels
Add extension: IPv4 router IP addr
Add extension: IPv6 router IP addr
Add extension: router ID
Add extension: BGP adjacent prev/next AS
Add extension: time packet received
Add extension: NSEL Common block
Add extension: NSEL xlate ports
Add extension: NSEL xlate IPv4 addr
Add extension: NSEL xlate IPv6 addr
Add extension: NSEL ACL ingress/egress acl ID
Add extension: NSEL username
Add extension: NSEL max username
Add extension: nprobe/nfpcapd latency
Add extension: NEL Common block
Add extension: Compat NEL IPv4
Add extension: NAT Port Block Allocation
File Block Header:
NumBlocks = 0
Size = 0
id = 2

File Block Header:
NumBlocks = 0
Size = 0
id = 2

The file size doesn't change from 276B; all of the files in the 
profiles-data/live/switch1/2021/08/17/ folders are 276B for the hosts using 
sflow. Netflow works fine. Does anyone have any idea why it is not processing 
the sflow data that is being received?

Regards
Rich Hall
________________________________
For details of how GSA uses your personal information, please see our Privacy 
Notice here: https://www.gsacapital.com/privacy-notice

This email and any files transmitted with it contain confidential and 
proprietary information and is solely for the use of the intended recipient. If 
you are not the intended recipient please return the email to the sender and 
delete it from your computer and you must not use, disclose, distribute, copy, 
print or rely on this email or its contents. This communication is for 
informational purposes only. It is not intended as an offer or solicitation for 
the purchase or sale of any financial instrument or as an official confirmation 
of any transaction. Any comments or statements made herein do not necessarily 
reflect those of GSA Capital. GSA Capital Partners LLP is authorised and 
regulated by the Financial Conduct Authority and is registered in England and 
Wales at Stratton House, 5 Stratton Street, London W1J 8LA, number OC309261. 
GSA Capital Services Limited is registered in England and Wales at the same 
address, number 5320529.

_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
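
Added example, not part of the original thread: one way to see what the recvfrom() buffers in the strace output above contain, by unescaping the quoted strings and decoding the sFlow v5 datagram header (agent address, sequence number, sample count, first sample type). The function and variable names are chosen here for illustration; the two input strings are the 32-byte prefixes strace printed in the message.

```python
import ipaddress
import re
import struct

# Escapes as strace prints them: octal (\0, \322), hex (\x0a) or C-style (\n, \v).
_ESC = re.compile(r"\\([0-7]{1,3}|x[0-9a-fA-F]{1,2}|.)", re.S)
_C = {"n": 10, "t": 9, "r": 13, "v": 11, "f": 12, "a": 7, "b": 8, "\\": 92, '"': 34}
# Sample formats defined by sFlow v5 for enterprise 0.
_FORMATS = {1: "flow_sample", 2: "counters_sample",
            3: "flow_sample_expanded", 4: "counters_sample_expanded"}

def strace_unescape(text):
    """Turn the quoted buffer from a strace line back into raw bytes."""
    out, pos = bytearray(), 0
    for m in _ESC.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        tok = m.group(1)
        if tok[0] in "01234567":
            out.append(int(tok, 8) & 0xFF)
        elif tok[0] == "x" and len(tok) > 1:
            out.append(int(tok[1:], 16))
        else:
            out.append(_C[tok])          # KeyError on an escape strace never emits
        pos = m.end()
    return bytes(out + text[pos:].encode("latin-1"))

def parse_sflow5_header(buf):
    """Decode the sFlow v5 datagram header and, if present, the first sample tag."""
    if len(buf) < 8:
        raise ValueError("buffer too short for an sFlow header")
    version, addr_type = struct.unpack_from("!II", buf, 0)
    if version != 5:
        raise ValueError(f"not sFlow v5 (version field = {version})")
    alen = {1: 4, 2: 16}.get(addr_type)          # 1 = IPv4 agent, 2 = IPv6 agent
    if alen is None or len(buf) < 8 + alen + 16:
        raise ValueError("unknown agent address type or truncated header")
    sub_agent, seq, uptime_ms, n = struct.unpack_from("!IIII", buf, 8 + alen)
    hdr = {"agent": str(ipaddress.ip_address(buf[8:8 + alen])), "sub_agent": sub_agent,
           "sequence": seq, "uptime_ms": uptime_ms, "num_samples": n, "first_sample": None}
    if len(buf) >= 8 + alen + 20:                # tag = enterprise (20 bits) | format (12 bits)
        (tag,) = struct.unpack_from("!I", buf, 8 + alen + 16)
        hdr["first_sample"] = (tag >> 12, _FORMATS.get(tag & 0xFFF, tag & 0xFFF))
    return hdr

# First 32 bytes of each datagram, copied from the strace output in the message.
FROM_10_10_8_67 = r"\0\0\0\5\0\0\0\1\n\322\10C\0\0\0\0\0\2\307\v\5l\362P\0\0\0\7\0\0\0\2"
FROM_10_10_38_8 = r"\0\0\0\5\0\0\0\1\n\322&\10\0\0\0\0\0\2\25\6\5l>\240\0\0\0\3\0\0\0\2"

if __name__ == "__main__":
    for sender, raw in (("10.10.8.67", FROM_10_10_8_67), ("10.10.38.8", FROM_10_10_38_8)):
        print(sender, parse_sflow5_header(strace_unescape(raw)))
```

The decoded agent address and sample types can then be compared with the UDP source address strace reports and with the collector's configuration.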