Hi there, I'm just starting my initial testing of an sFlow setup with some HP 3400cl switches and I've already run into some strange behaviour. The setup of sFlow on the switch in question is very simple - it is capturing data from all ports and sending the sFlow packets to my collector machine that is running sfacctd from pmacct-0.11.1.
The problem is that sfacctd is reporting very little data bytes/packets compared to what is actually crossing the network. For example the following output of "sfacctd -c src_host,dst_host,src_port,dst_port,proto -P print":

ID  CLASS    SRC_MAC            DST_MAC            VLAN  SRC_AS  DST_AS  SRC_IP   DST_IP   SRC_PORT  DST_PORT  PROTOCOL  TOS  PACKETS  FLOWS  BYTES
0   unknown  00:00:00:00:00:00  00:00:00:00:00:00  0     0       0       2.2.2.2  1.1.1.1  22        32899     tcp       0    1        0      1438
0   unknown  00:00:00:00:00:00  00:00:00:00:00:00  0     0       0       2.2.2.2  1.1.1.1  22        32899     tcp       0    1        0      1438
0   unknown  00:00:00:00:00:00  00:00:00:00:00:00  0     0       0       2.2.2.2  1.1.1.1  22        32899     tcp       0    1        0      1438
0   unknown  00:00:00:00:00:00  00:00:00:00:00:00  0     0       0       2.2.2.2  1.1.1.1  22        32899     tcp       0    3        0      4314

I know for a fact that during this period at least 33127 bytes were sent from 1.1.1.1 to 2.2.2.2, and 955427 bytes from 2.2.2.2 to 1.1.1.1. No backchannel traffic shows up from sfacctd at all, and the bulk of the traffic from 2.2.2.2 to 1.1.1.1 has been missed, as in the above printout you can see a total of less than 10000 bytes has been captured.

Unfortunately ethereal doesn't appear to be able to parse the sFlow v5 packets or I would have analysed them there to see if the problem lies in the switch configuration or sfacctd.

Any tips for correctly setting this up would be appreciated, as will flames for making glaringly obvious configuration errors :)

--
Regards,
Oliver Hookins

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
