Hi Daniel, this is kind of a composite reply for both the sFlow issues you are reporting. To debug the content of the packets i have used the last version of sflowtool, 3.10, which comes straight from the InMon's folks and therefore should be reliable enough.
a) Seems some of the sFlow v5 Flow Samples generated by your box are not correct. Both pmacct and sflowtool kick out similar messages: pmacct: "DEBUG: Discarding unknown v5 sample: ..." sflowtool: "flow_sample_element length error (expected 44, found 48)" To be more precise, seems the source of the problems is the Extended Gateway element (which is the one carrying the BGP stuff). If you retain any control over the extended elements inserted in the Flow Sample, try disabling the Gateway one and i'm fairly confident you will see the error disappearing aswell. b) The ASN0 issue: pmacct can create zeroed entries (ie. ASN0) only if you are using a 'networks_file' directive - but that doesn't seem your case as you have full AS info inside your Flow Samples. Am i correct saying this? Now, by having a look to your packets, i spotted a thing that might be of your interest: === src_as 0 src_peer_as 0 dst_as_path xxxxx-yyyyy dst_as yyyyy dst_peer_as xxxxx BGP_localpref 0 === The src_as element in your Extended Gateway element is everytime zero. Your ASN appears only in another field named "my_as". Seems that if the traffic originates inside your AS, those fields are set (or left?) to zero - I've seen this already happening in a NetFlow implementation. Don't know whether this is kind of standard/documented behaviour, as if it was the case, i could write a trivial patch which uses the "my_as" value as "src_as" if "src_as" is zero. Does anyone reading have any comments regarding this? If we don't come up to something ourselve, Daniel, can you please put a word to your Vendor and let me know? Cheers, Paolo On Sat, May 05, 2007 at 05:05:20PM +0200, Daniel wrote: > Guten Tag Daniel, > > am Donnerstag, 3. Mai 2007 um 17:47 schrieben Sie: > > > Guten Tag Paolo Lucente, > > > am Donnerstag, 3. Mai 2007 um 00:58 schrieben Sie: > > >> Hi Daniel, > >> Which network device are you getting the sFlow datagrams from? > >> Any chance i can have a look to these samples? If yes, can you > >> please post me privately some full-datagrams captured in > >> libpcap/tcpdump format? > > i installed 0.11.4 and here is it the same error. > Hope it helps u too. > > > > -- > Mit freundlichen Gr??en > Daniel > mailto:[EMAIL PROTECTED] > > _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
