Hi Paolo,
sflowtool seems to give good results, but there is still one problem: in each sFlow sample, I have this:

skipping unknown flow_sample_element: 43874:2 len=16
This causes problems with perl Net::sFlow library, as Flowdata enterprise: 43874 is not recognized.
I'm unable to trace where this "43874" comes from...


On 29/12/2016 at 12:38, Paolo Lucente wrote:
Hi Cedric,

While I can't say it's the very same issue, it seems related to what I
describe in the following comment:


The sFlow dissector of Wireshark seems buggy and I recommend using
sflowtool for debugging and troubleshooting purposes.


On Wed, Dec 28, 2016 at 04:22:19PM +0100, Cédric ML wrote:
I'm trying to make pmacct work with a bgp agent (bird).

pmacct is installed on the bgp router, bgp_agent session is up, and
prefixes are exported to pmacct process.

This bgp router has three vlans (50,51,52) on interface eth0.

I'm trying to get correct values in incoming/outgoing VLANs,
and source/destination AS (using pretag.map, maybe there is a
simpler way?)

My problem, when running "pmacctd -f pmacctd.sflow.conf", is that
Wireshark tells me: "Expert Info (Error/Malformed): Malformed
Packet (Exception occurred)"
Agent address & ID are correctly displayed in capture (agent
address= & agent_id=0)

Here's the output of pmacctd :

# pmacctd -f pmacctd.sflow.conf
INFO ( default/core ): Promiscuous Mode Accounting Daemon, pmacctd
1.6.2-git (20161222-00)
INFO ( default/core ):
INFO ( default/core ): Reading configuration file
INFO ( sfprobe/sfprobe ): plugin_pipe_size=4096000 bytes
plugin_buffer_size=384 bytes
INFO ( sfprobe/sfprobe ): ctrl channel: obtained=124928 bytes
target=85328 bytes
INFO ( default/core ): [/usr/local/etc/pmacct/pretag.map] (re)loading map.
DEBUG ( sfprobe/sfprobe ): Creating sFlow agent.
INFO ( sfprobe/sfprobe ): Exporting flows to []:6343
INFO ( sfprobe/sfprobe ): Sampling at: 1/1000
INFO ( default/core ): [/usr/local/etc/pmacct/pretag.map] map
successfully (re)loaded.
INFO ( default/core ): [/usr/local/etc/pmacct/pretag.map] (re)loading map.
INFO ( default/core ): [/usr/local/etc/pmacct/pretag.map] map
successfully (re)loaded.
INFO ( default/core ): link type is: 1
WARN ( default/core ): eth0: no IPv4 address assigned
INFO ( default/core ): [/usr/local/etc/pmacct/agent_to_peer.map]
(re)loading map.
INFO ( default/core ): [/usr/local/etc/pmacct/agent_to_peer.map] map
successfully (re)loaded.
DEBUG ( default/core/BGP ): 1 thread(s) initialized
INFO ( default/core/BGP ): maximum BGP peers allowed: 2
INFO ( default/core/BGP ): waiting for BGP data on
INFO ( default/core/BGP ): [] BGP peers usage: 1/2
INFO ( default/core/BGP ): [x.x.x.x] Capability: MultiProtocol [1]
AFI [1] SAFI [1]
INFO ( default/core/BGP ): [x.x.x.x] Capability: 4-bytes AS [41] ASN
INFO ( default/core/BGP ): [x.x.x.x] BGP_OPEN: Local AS: 203596
Remote AS: 203596 HoldTime: 240
DEBUG ( default/core/BGP ): [x.x.x.x] BGP_KEEPALIVE received
DEBUG ( default/core/BGP ): [x.x.x.x] BGP_KEEPALIVE sent
DEBUG ( sfprobe/sfprobe ): c08c60e112a7 -> 6805ca3dca86 (len = 1478,
captured = 128)
DEBUG ( sfprobe/sfprobe ): 78baf965af1f -> 6805ca3dca86 (len = 64,
captured = 64)
DEBUG ( sfprobe/sfprobe ): 78baf965af1f -> 6805ca3dca86 (len = 64,
captured = 64)

Can anybody tell me what may be wrong in my config?

Best regards,

== file pmacctd.sflow.conf
debug: true
daemonize: false
interface: eth0
aggregate: tag, src_host, dst_host, src_port, dst_port, proto, tos,
src_as, dst_as
plugins: sfprobe[sfprobe]
sfprobe_direction[sfprobe]: tag
sfprobe_ifindex[sfprobe]: tag2
sampling_rate: 1000
pmacctd_as: bgp
bgp_daemon: true
bgp_daemon_port: 17917
bgp_agent_map: /usr/local/etc/pmacct/agent_to_peer.map
bgp_peer_as_skip_subas: true
bgp_peer_src_as_type: bgp
pre_tag_map: /usr/local/etc/pmacct/pretag.map

== file agent_to_peer.map
bgp_ip=x.x.x.x ip=

== file pretag.map (inspired by examples/pretag.map.example)
set_tag=1 filter='ether src 00:26:51:cb:8f:db' jeq=five
set_tag=1 filter='ether src d4:6d:50:23:2b:ea' jeq=six
set_tag=1 filter='ether src 78:ba:f9:65:af:1f' jeq=seven
set_tag=2 filter='ether dst 00:26:51:cb:8f:db' jeq=five
set_tag=2 filter='ether dst d4:6d:50:23:2b:ea' jeq=six
set_tag=2 filter='ether dst 78:ba:f9:65:af:1f' jeq=seven
set_tag2=50 label=five
set_tag2=51 label=six
set_tag2=52 label=seven

pmacct-discussion mailing list
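
Added example, not part of the thread and not code from pmacct, sflowtool or Net::sFlow: a minimal walker for the flow records inside an sFlow v5 flow sample, showing how a label such as "43874:2 len=16" is derived from the record's 32-bit data_format word (enterprise in the top 20 bits, format in the low 12) and how a collector can step over a record it does not recognise. The sample bytes are constructed, only the 43874:2 len=16 values come from the message above, and the function names are hypothetical.

```python
import struct

# Subset of the standard (enterprise 0) flow record formats in sFlow v5.
STANDARD = {1: "raw packet header", 2: "Ethernet frame data",
            3: "IPv4 data", 4: "IPv6 data", 1001: "extended switch",
            1002: "extended router", 1003: "extended gateway"}

def split_tag(tag):
    """data_format is one 32-bit word: enterprise (top 20 bits), format (low 12)."""
    return tag >> 12, tag & 0xFFF

def walk_flow_records(buf, count):
    """Walk `count` flow records; return (enterprise, format, length, name or None)."""
    records, off = [], 0
    for _ in range(count):
        if off + 8 > len(buf):
            raise ValueError("truncated record header at offset %d" % off)
        tag, length = struct.unpack_from("!II", buf, off)
        off += 8
        if length > len(buf) - off:
            raise ValueError("record length %d overruns buffer" % length)
        enterprise, fmt = split_tag(tag)
        # Non-zero enterprise means a vendor-defined structure, keyed by the
        # vendor's SMI private enterprise number; this table only knows enterprise 0.
        name = STANDARD.get(fmt) if enterprise == 0 else None
        records.append((enterprise, fmt, length, name))
        off += (length + 3) & ~3  # skip the body, rounded up to a 4-byte boundary
    return records

def report(records):
    """One line per record, in an enterprise:format len=N shape."""
    return ["%d:%d len=%d %s" % (e, f, n, name or "unknown, skipped")
            for e, f, n, name in records]

def build_sample():
    # Constructed input: a 20-byte raw packet header record (0:1) followed by
    # a 16-byte vendor record tagged 43874:2; both bodies are zero-filled.
    raw = struct.pack("!II", (0 << 12) | 1, 20) + bytes(20)
    ext = struct.pack("!II", (43874 << 12) | 2, 16) + bytes(16)
    return raw + ext

if __name__ == "__main__":
    for line in report(walk_flow_records(build_sample(), 2)):
        print(line)
```

A decoder that skips unknown records by their length field keeps parsing the rest of the sample, while one that rejects an unrecognised enterprise number stops at that record.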