Hi Matt,

It might still be the case, but given your description of the issue some emails ago, I hardly think so.

The way in which NetFlow v9 templates are implemented in pmacct makes them fully transparent to the end-user; so NetFlow agents (routers) generate flows and templates; these, once received, are stored in memory and then associated to flows (see below, flows carry a "template id"). Templates are exported from the router regularly, based (usually) on time or packets; this means that until the collector (or tshark) gets the template, it can just tell you that it's unable to decode the associated flows. With tshark this means you should produce extensive trace files in the hope of catching the template, so that you can decode all the associated flows within that trace file.

All this to explain that such a condition is normal with NetFlow v9 if transient for short periods of time (in the order of seconds or perhaps a few minutes in lab environments) and at application or router startup or after a config change (at the router). On a side note, pmacct does not buffer flows in the hope that a template will be received soon.

Cheers,
Paolo

On Mon, May 04, 2009 at 12:59:31PM -0700, Matt Lawson wrote:
>
> OK after some packet dumps with tshark, I use the options:
>
> /usr/sbin/tshark -ni eth0 -c 20 -R udp.port==5000 -d udp.port==5000,cflow -V -r cap1
>
> Where port 5000 is where I receive the netflow and 'cap1' is a file that I captured it to:
>
> Cisco NetFlow/IPFIX
> Version: 9
> Count: 15
> SysUptime: 1547322177
> Timestamp: May 4, 2009 19:38:02.000000000
> CurrentSecs: 1241465882
> FlowSequence: 549283765
> SourceId: 1
> FlowSet 1
> Data FlowSet (Template Id): 256
> FlowSet Length: 1384
> Data (1380 bytes), no template found
>
> There it says "no template found." Is this (part of the) problem?
>
> - matt
>
> --- On Fri, 5/1/09, Paolo Lucente <[email protected]> wrote:
>
> > From: Paolo Lucente <[email protected]>
> > Subject: Re: [pmacct-discussion] Q. about aggregate_filter and nfacctd
> > To: [email protected]
> > Date: Friday, May 1, 2009, 4:05 AM
> >
> > Hi Matt,
> >
> > Good, you already tried out what would have been my first suggestion. Something else I would recommend, traffic load permitting: disable buffering (plugin_buffer_size) whenever testing a new configuration, to be sure nothing remains trapped within the buffers giving the feeling something doesn't work properly.
> >
> > Which version of nfacctd are you using? Which version of NetFlow are you using? Would it be possible to send over privately some NetFlow datagrams (full-size) in libpcap format which contain traffic not being reported? If this is NetFlow v9 be sure to include the template in the capture file.
> >
> > Cheers,
> > Paolo
> >
> > On Thu, Apr 30, 2009 at 03:36:59PM -0700, Matt Lawson wrote:
> > >
> > > Hi,
> > >
> > > I am using nfacctd more or less successfully, however I wanted to try narrowing down my results by using the aggregate_filter. I created the name 'total' because aggregate_filter can't be applied globally.
> > >
> > > So I tried the following config:
> > >
> > > ! debug: true
> > > daemonize: false
> > > nfacctd_disable_checks: true
> > > plugins: print[total]
> > > aggregate[total]: dst_host, dst_port, src_host, src_port, proto
> > > aggregate_filter[total]: dst port 80
> > > print_cache_entries: 1000001
> > > print_refresh_time: 10
> > > plugin_pipe_size: 10240000
> > > plugin_buffer_size: 10240
> > > ! interface: eth0
> > > nfacctd_ip: w.x.y.z (sanitized)
> > > nfacctd_port: 5000
> > > pidfile: /var/run/nfacctd
> > > logfile: /var/log/nfacctd.log
> > >
> > > Unfortunately, it captures very, very little data. Only a few records compared to what it should. If I just take out the "aggregate_filter" line it works fine.
> > >
> > > I have tried with and without the "interface eth0" and with and without debug, no help there.
> > >
> > > I saw an earlier post describing a similar problem with sFlow to add "vlan and ..." or "mpls and ..." to the filter but that didn't help.
> > >
> > > Any ideas? TIA.
> > >
> > > Thanks.
> > >
> > > _______________________________________________
> > > pmacct-discussion mailing list
> > > http://www.pmacct.net/#mailinglists
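
The template behaviour described in the reply above, as an added example that is not part of the original thread and is not pmacct's code: a minimal NetFlow v9 decoder (RFC 3954 layout) that caches templates per exporter and source ID and drops, rather than buffers, data flowsets whose template has not arrived yet. The exporter address, the sample datagrams and all function names are constructed for illustration.

```python
import struct
HDR = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id
FIELDS = {4: "proto", 7: "src_port", 8: "src_host", 11: "dst_port", 12: "dst_host"}  # RFC 3954 types
# Constructed sample flowsets: template 256 (five fields) and one matching 13-byte flow, padded to 20.
TEMPLATE = struct.pack("!HHHH10H", 0, 28, 256, 5, 8, 4, 12, 4, 7, 2, 11, 2, 4, 1)
DATA = struct.pack("!HH4s4sHHB3x", 256, 20, bytes([10, 0, 0, 1]), bytes([192, 0, 2, 80]), 40000, 80, 6)

def feed(cache, exporter, dgram):
    """Decode one v9 datagram; returns (flows, undecoded_flowsets). Nothing is buffered."""
    version, _, _, _, _, source_id = HDR.unpack_from(dgram)
    if version != 9:
        raise ValueError("not NetFlow v9")
    flows, missed, off = [], 0, HDR.size
    while off + 4 <= len(dgram):
        fs_id, fs_len = struct.unpack_from("!HH", dgram, off)
        if fs_len < 4 or off + fs_len > len(dgram):
            break                                   # bad length field: stop, never over-read
        body = dgram[off + 4:off + fs_len]
        off += fs_len
        if fs_id == 0:                              # template flowset
            learn(cache, (exporter, source_id), body)
        elif (exporter, source_id, fs_id) in cache:  # data flowset, id == template id
            flows += decode(cache[exporter, source_id, fs_id], body)
        elif fs_id >= 256:
            missed += 1                             # "no template found": dropped, not queued
    return flows, missed

def learn(cache, scope, body):
    pos = 0
    while pos + 4 <= len(body):
        tid, n = struct.unpack_from("!HH", body, pos)
        if tid < 256 or n == 0 or pos + 4 + 4 * n > len(body):
            break                                   # padding or truncated template record
        cache[scope + (tid,)] = [struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(n)]
        pos += 4 + 4 * n

def decode(tmpl, body):
    size, out = sum(length for _, length in tmpl), []
    for start in range(0, len(body) - size + 1, size) if size else ():
        rec, pos = {}, start
        for ftype, length in tmpl:
            rec[FIELDS.get(ftype, ftype)] = int.from_bytes(body[pos:pos + length], "big")
            pos += length
        out.append(rec)                             # trailing padding (< one record) is ignored
    return out

def demo():
    cache, pkts = {}, [DATA, TEMPLATE, DATA]        # data before its template, template, data again
    return [feed(cache, "192.0.2.1", HDR.pack(9, 1, 0, 0, seq, 1) + p) for seq, p in enumerate(pkts)]
```

The first datagram in `demo()` is lost for good because its template arrives later, which is why a capture meant for offline decoding has to include a template export.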
