Hi Rich,
Please open an issue at github https://github.com/phaag/nfdump/issues if you
think, it's an sfcapd problem.
Collect a pcap sent to the collector and send it to me. I'll have a look
Cheers
- Peter
On 18.08.21 12:16, Hall, Richard wrote:
> It is using the Hardware setting, which is 1:1024, even if it was using the
> 1:20000 it is not logging any packets in nfsen. Port is not mentioned
> because it is the default of 6343. I have already confirmed it is sending
> and being received by both a pcap and strace on the sfcapd process.
>
>
> Rich Hall
> IT Infrastructure
> GSA Capital Partners LLP
> Stratton House
> 5 Stratton Street
> London W1J 8LA
> Direct +44 (0)20 33104162
> Mobile +44 (0)79 6821 1716
> Reception +44 (0)20 7959 8800
> www.gsacapital.com<http://www.gsacapital.com>
>
>
> From: Roger B <flahammerh...@gmail.com>
> Sent: 18 August 2021 00:56
> To: Hall, Richard <richard.h...@gsacapital.com>
> Cc: nfsen-discuss@lists.sourceforge.net
> Subject: Re: [Nfsen-discuss] sflow from Arista Switch
>
>
> ** This is an external e-mail. Please treat attachments and links as
> potentially dangerous. **
>
> One in 20,000 packets isn’t much IMO. I usually set for 1024 or even 512.
> Also I don’t see the destination port configured, though is it correct by
> default? It must match what the collector expects
>
> Can you run a TCPDUMP session to verify the switch is sending packets?
>
>
> On Aug 17, 2021, at 6:56 PM, Hall, Richard
> <richard.h...@gsacapital.com<mailto:richard.h...@gsacapital.com>> wrote:
>
> Switch config is as follows:
>
> sflow sample 20000
> sflow vrf Management destination 10.10.1.136
> sflow vrf Management source-interface Management1
> sflow run
> !
> sflow hardware acceleration
> sflow hardware acceleration sample 1024
>
>
> Regards
> Rich Hall
>
> From: Roger B <flahammerh...@gmail.com<mailto:flahammerh...@gmail.com>>
> Sent: 17 August 2021 21:18
> To: Hall, Richard
> <richard.h...@gsacapital.com<mailto:richard.h...@gsacapital.com>>
> Cc:
> nfsen-discuss@lists.sourceforge.net<mailto:nfsen-discuss@lists.sourceforge.net>
> Subject: Re: [Nfsen-discuss] sflow from Arista Switch
>
>
> ** This is an external e-mail. Please treat attachments and links as
> potentially dangerous. **
>
> Can you show your switch config for netflow including sampling/ port/etc?
>
> On Aug 17, 2021, at 2:39 PM, Hall, Richard
> <richard.h...@gsacapital.com<mailto:richard.h...@gsacapital.com>> wrote:
> I have nfsen working with netflow, and am attempting to add a couple of
> arista DCS-7280SR2K-48C6-M-R switches running EOS 4.25.4M that do hardware
> accelerated sflow. I have added them to the %sources in the nfsen.conf
>
> 'switch1' => { 'port' => '6343', 'IP' => '10.10.38.8', 'type' => 'sflow',
> 'col' => '#FF0099', 'optarg' => ' -T all ' },
> 'switch2' => { 'port' => '6343', 'IP' => '10.10.8.67', 'type' => 'sflow',
> 'col' => '#FF0066', 'optarg' => ' -T all ' },
>
> I then run "nfsen reconfig" successfully.
>
> I restart nfsen, the new hosts show up and I have files being created in the
> profiles-data directory with a length of 276B. I do not have any firewall
> running and I can confirm I can see the sflow v5 data coming from the switch
> using tshark. I can also see that the sfcapd process is listening:
>
> [root@nfsen ~]# netstat -antup | grep 6343
> udp 0 0 0.0.0.0:6343 0.0.0.0:* 122944/sfcapd
>
> I can confirm the process is receiving the packets by running strace -p
> 122944, which shows a recvfrom() for each packet. When it rotates the files
> every 5 min, I see it stat, rename, open and write no problem. It just
> doesn't seem to write anything other than the default empty file info.
>
> recvfrom(3,
> "\0\0\0\5\0\0\0\1\n\322\10C\0\0\0\0\0\2\307\v\5l\362P\0\0\0\7\0\0\0\2"...,
> 65535, 0, {sa_family=AF_INET, sin_port=htons(51771),
> sin_addr=inet_addr("10.10.8.67")}, [16]) = 1269
> recvfrom(3,
> "\0\0\0\5\0\0\0\1\n\322&\10\0\0\0\0\0\2\25\6\5l>\240\0\0\0\3\0\0\0\2"...,
> 65535, 0, {sa_family=AF_INET, sin_port=htons(41901),
> sin_addr=inet_addr("10.10.38.8")}, [16]) = 565
> alarm(0) = 10
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=3661, ...}) = 0
> lseek(6, 0, SEEK_SET) = 0
> write(6, "\f\245\1\0\1\0\0\0\0\0\0\0switch1\0\0\0\0\0\0\0\0\0\0\0"..., 140) =
> 140
> write(6,
> "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 136) =
> 136
> close(6) = 0
> stat("/data/nfsen/profiles-data/live/switch1/2021/08/17",
> {st_mode=S_IFDIR|0755, st_size=12288, ...}) = 0
> rename("/data/nfsen/profiles-data/live/switch1/nfcapd.current.122942",
> "/data/nfsen/profiles-data/live/switch1/2021/08/17/nfcapd.202108171855") = 0
> stat("/data/nfsen/profiles-data/live/switch1/2021/08/17/nfcapd.202108171855",
> {st_mode=S_IFREG|0644, st_size=276, ...}) = 0
> semop(9764873, [{0, -1, 0}], 1) = 0
> semop(9764873, [{0, 1, 0}], 1) = 0
> sendto(4, "<30>Aug 17 19:00:00 sfcapd[12294"..., 121, MSG_NOSIGNAL, NULL, 0)
> = 121
> open("/data/nfsen/profiles-data/live/switch1/nfcapd.current.122942",
> O_RDWR|O_CREAT|O_TRUNC, 0644) = 6
> write(6, "\f\245\1\0\1\0\0\0\0\0\0\0switch1\0\0\0\0\0\0\0\0\0\0\0"..., 140) =
> 140
> write(6,
> "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 136) =
> 136
> lseek(7, 0, SEEK_SET) = 0
> write(7, "\f\245\1\0\1\0\0\0\0\0\0\0switch2\0\0\0\0\0\0\0\0\0\0\0"..., 140) =
> 140
> write(7,
> "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 136) =
> 136
> close(7) = 0
> stat("/data/nfsen/profiles-data/live/switch2/2021/08/17",
> {st_mode=S_IFDIR|0755, st_size=12288, ...}) = 0
> rename("/data/nfsen/profiles-data/live/switch2/nfcapd.current.122942",
> "/data/nfsen/profiles-data/live/switch2/2021/08/17/nfcapd.202108171855") = 0
> stat("/data/nfsen/profiles-data/live/switch2/2021/08/17/nfcapd.202108171855",
> {st_mode=S_IFREG|0644, st_size=276, ...}) = 0
> semop(9797642, [{0, -1, 0}], 1) = 0
> semop(9797642, [{0, 1, 0}], 1) = 0
> sendto(4, "<30>Aug 17 19:00:00 sfcapd[12294"..., 121, MSG_NOSIGNAL, NULL, 0)
> = 121
> open("/data/nfsen/profiles-data/live/switch2/nfcapd.current.122942",
> O_RDWR|O_CREAT|O_TRUNC, 0644) = 7
> write(7, "\f\245\1\0\1\0\0\0\0\0\0\0switch2\0\0\0\0\0\0\0\0\0\0\0"..., 140) =
> 140
> write(7,
> "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 136) =
> 136
> sendto(4, "<30>Aug 17 19:00:00 sfcapd[12294"..., 60, MSG_NOSIGNAL, NULL, 0) =
> 60
> alarm(310) = 0
>
> If I run the sfcaptd process in the console with -E it just seems to sit there
>
> [root@nfsen ~]# /usr/bin/sfcapd -w -p 6343 -u observium -g observium -B
> 200000 -S 1 -P /data/nfsen/var/run/p6343.pid \
> -z -n switch1,10.210.38.8,/data/nfsen/profiles-data/live/switch1 -E -T all
> Add extension: 2 byte input/output interface index
> Add extension: 4 byte input/output interface index
> Add extension: 2 byte src/dst AS number
> Add extension: 4 byte src/dst AS number
> Add extension: dst tos, direction, src/dst mask
> Add extension: IPv4 next hop
> Add extension: IPv6 next hop
> Add extension: IPv4 BGP next IP
> Add extension: IPv6 BGP next IP
> Add extension: src/dst vlan id
> Add extension: 4 byte output packets
> Add extension: 8 byte output packets
> Add extension: 4 byte output bytes
> Add extension: 8 byte output bytes
> Add extension: 4 byte aggregated flows
> Add extension: 8 byte aggregated flows
> Add extension: in src/out dst mac address
> Add extension: in dst/out src mac address
> Add extension: MPLS Labels
> Add extension: IPv4 router IP addr
> Add extension: IPv6 router IP addr
> Add extension: router ID
> Add extension: BGP adjacent prev/next AS
> Add extension: time packet received
> Add extension: NSEL Common block
> Add extension: NSEL xlate ports
> Add extension: NSEL xlate IPv4 addr
> Add extension: NSEL xlate IPv6 addr
> Add extension: NSEL ACL ingress/egress acl ID
> Add extension: NSEL username
> Add extension: NSEL max username
> Add extension: nprobe/nfpcapd latency
> Add extension: NEL Common block
> Add extension: Compat NEL IPv4
> Add extension: NAT Port Block Allocation
> File Block Header:
> NumBlocks = 0
> Size = 0
> id = 2
>
> File Block Header:
> NumBlocks = 0
> Size = 0
> id = 2
>
> The file size doesn't change from 276B, all of the files in the
> profiles-data/live/switch1/2021/08/17/ folders are 276B for the hosts using
> sflow. Netflow works fine. Does anyone have any idea why it is not processing
> the sflow data that is being received?
>
> Regards
> Rich Hall
> ________________________________
> For details of how GSA uses your personal information, please see our Privacy
> Notice here: https://www.gsacapital.com/privacy-notice
>
> This email and any files transmitted with it contain confidential and
> proprietary information and is solely for the use of the intended recipient.
> If you are not the intended recipient please return the email to the sender
> and delete it from your computer and you must not use, disclose, distribute,
> copy, print or rely on this email or its contents. This communication is for
> informational purposes only. It is not intended as an offer or solicitation
> for the purchase or sale of any financial instrument or as an official
> confirmation of any transaction. Any comments or statements made herein do
> not necessarily reflect those of GSA Capital. GSA Capital Partners LLP is
> authorised and regulated by the Financial Conduct Authority and is registered
> in England and Wales at Stratton House, 5 Stratton Street, London W1J 8LA,
> number OC309261. GSA Capital Services Limited is registered in England and
> Wales at the same address, number 5320529.
>
> _______________________________________________
> Nfsen-discuss mailing list
> Nfsen-discuss@lists.sourceforge.net<mailto:Nfsen-discuss@lists.sourceforge.net>
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
> ________________________________
> For details of how GSA uses your personal information, please see our Privacy
> Notice here: https://www.gsacapital.com/privacy-notice
>
> This email and any files transmitted with it contain confidential and
> proprietary information and is solely for the use of the intended recipient.
> If you are not the intended recipient please return the email to the sender
> and delete it from your computer and you must not use, disclose, distribute,
> copy, print or rely on this email or its contents. This communication is for
> informational purposes only. It is not intended as an offer or solicitation
> for the purchase or sale of any financial instrument or as an official
> confirmation of any transaction. Any comments or statements made herein do
> not necessarily reflect those of GSA Capital. GSA Capital Partners LLP is
> authorised and regulated by the Financial Conduct Authority and is registered
> in England and Wales at Stratton House, 5 Stratton Street, London W1J 8LA,
> number OC309261. GSA Capital Services Limited is registered in England and
> Wales at the same address, number 5320529.
>
> For details of how GSA uses your personal information, please see our Privacy
> Notice here: https://www.gsacapital.com/privacy-notice
>
> This email and any files transmitted with it contain confidential and
> proprietary information and is solely for the use of the intended recipient.
> If you are not the intended recipient please return the email to the sender
> and delete it from your computer and you must not use, disclose, distribute,
> copy, print or rely on this email or its contents.
> This communication is for informational purposes only.
> It is not intended as an offer or solicitation for the purchase or sale of
> any financial instrument or as an official confirmation of any transaction.
> Any comments or statements made herein do not necessarily reflect those of
> GSA Capital.
> GSA Capital Partners LLP is authorised and regulated by the Financial Conduct
> Authority and is registered in England and Wales at Stratton House, 5
> Stratton Street, London W1J 8LA, number OC309261.
> GSA Capital Services Limited is registered in England and Wales at the same
> address, number 5320529.
>
>
>
> _______________________________________________
> Nfsen-discuss mailing list
> Nfsen-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>
--
Be nice to your netflow data. Use NfSen and nfdump :)
_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
