The log message produced is actually very simple:
Log([..] expecting flow '%u' but received '%u' collector=%s:%u agent=%s:%u
It's a start for some basic analysis but you can get false positives,
for example due to out of order arrival of packets. In recent pmacct
releases you have a new primitive, export_proto_seqno, precisely to
report on sequence numbers. As can be read in CONFIG-KEYS:
export_proto_seqno reports about export protocol (NetFlow, sFlow, IPFIX)
sequence number; due to its potential de-aggregation effect, two main
use-cases are seen as use of this primitive:
1) if using a log type (de-)aggregation method, i.e. for security,
forensics, etc., in addition to existing primitives;
2) if using a reporting type aggregation method, it is recommended to
split this primitive in a separate plugin instance instead for
You fall in use-case #2. You may instantiate a memory or print
plugin setting the aggregate to 'peer_src_ip, export_proto_seqno'. This
way you can perform a more contextual analysis over periods of time (i.e.
On Thu, Feb 23, 2017 at 11:09:19AM -0600, Edward Henigin wrote:
> I see in the config keys for nfacctd that by default it checks sequence
> numbers and will log an error if any are missing.
> [ nfacctd_disable_checks | sfacctd_disable_checks ] [GLOBAL, NO_PMACCTD]
> both nfacctd and sfacctd check health of incoming NetFlow/sFlow datagrams -
> actually this is limited to just verifying sequence numbers progression.
> You may want to disable such feature because of non-standard
> implementations. By default checks are enabled
> (default: false)
> My question: what does that log message look like? I suspect I'm losing
> flows and I want to check the logs for evidence. I looked in src/nfacctd.c
> to see if I could tell what the syslog message would look like but I can't
> figure out where it's checking the sequence numbers for continuity and
> logging an error on lost data.
> pmacct-discussion mailing list
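The reply above suggests aggregating on 'peer_src_ip, export_proto_seqno' in a print plugin and then analysing the sequence numbers over time rather than relying on the per-datagram log line, which can fire on out-of-order arrival. As an added example that is not part of this thread or of pmacct itself, the Python script below reads such print-plugin CSV output, sorts the sequence numbers seen from each exporter inside one output file (so reordering within the refresh window is not flagged), and reports the remaining gaps, including across the 32-bit counter wrap. The pmacct configuration quoted in the docstring, the CSV column names and the sample rows are assumptions. The gap arithmetic assumes a counter that advances by one per export datagram (NetFlow v9 style); NetFlow v5 and IPFIX sequence numbers advance by flow and record counts respectively, so the expected step would differ there.

```python
"""
Added example (not pmacct code): find export sequence-number gaps per
exporter in pmacct print-plugin output aggregated on
'peer_src_ip, export_proto_seqno'.

Assumed pmacct configuration that would produce the input (placeholder
values, not taken from the thread):

    plugins: print[seq]
    aggregate[seq]: peer_src_ip, export_proto_seqno
    print_output[seq]: csv
    print_refresh_time[seq]: 60
    print_output_file[seq]: /tmp/seq-%Y%m%d-%H%M.csv
"""
import csv
import io
from collections import defaultdict

SEQ_MODULUS = 2 ** 32  # export sequence numbers are unsigned 32-bit counters

# Constructed sample of one refresh window, not real collector output.
# Column names are assumed. 10.0.0.1 arrives out of order and lacks 1005;
# 10.0.0.2 wraps the counter and lacks 0; 10.0.0.3 is complete.
SAMPLE_CSV = """PEER_SRC_IP,EXPORT_PROTO_SEQNO,PACKETS,BYTES
10.0.0.1,1001,12,9000
10.0.0.1,1002,7,5100
10.0.0.1,1004,9,6400
10.0.0.1,1003,11,8800
10.0.0.1,1006,5,3900
10.0.0.2,4294967294,3,2100
10.0.0.2,4294967295,4,2600
10.0.0.2,1,6,4000
10.0.0.3,500,2,1500
10.0.0.3,501,8,6000
10.0.0.3,502,1,64
"""


def parse_print_csv(text):
    """Return {peer_src_ip: set(seqno)} from print-plugin CSV output."""
    seqs = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        # Header names are assumed; normalise case so either spelling works.
        row = {(k or "").strip().upper(): (v or "").strip() for k, v in row.items()}
        peer = row.get("PEER_SRC_IP")
        seqno = row.get("EXPORT_PROTO_SEQNO", "")
        if not peer or not seqno.isdigit():
            continue  # skip blank or non-data lines
        seqs[peer].add(int(seqno))
    return seqs


def unwrap(seqnos):
    """Sort seqnos; if a 32-bit wrap is present, lift post-wrap values by 2^32.

    A spread larger than half the counter range within one window is taken
    as a wrap rather than a genuine gap of two billion datagrams.
    """
    values = sorted(seqnos)
    if values and values[-1] - values[0] > SEQ_MODULUS // 2:
        values = sorted(v + SEQ_MODULUS if v < SEQ_MODULUS // 2 else v
                        for v in values)
    return values


def find_gaps(seqnos):
    """Return [(last_seen, next_seen, missing_datagrams)] per jump larger than 1.

    Sorting first means out-of-order arrival alone never produces a gap.
    """
    gaps = []
    values = unwrap(seqnos)
    for prev, nxt in zip(values, values[1:]):
        diff = nxt - prev
        if diff > 1:
            gaps.append((prev % SEQ_MODULUS, nxt % SEQ_MODULUS, diff - 1))
    return gaps


def report(text):
    """Map each exporter to the gaps found in one print-plugin output file."""
    return {peer: find_gaps(s) for peer, s in parse_print_csv(text).items()}


if __name__ == "__main__":
    for peer, gaps in report(SAMPLE_CSV).items():
        status = "ok" if not gaps else ", ".join(
            f"{missing} missing between {a} and {b}" for a, b, missing in gaps)
        print(f"{peer}: {status}")
```

Running it over the constructed sample reports one missing datagram from 10.0.0.1 between 1004 and 1006 and one from 10.0.0.2 between 4294967295 and 1, while 10.0.0.3 is clean despite nothing special being done for it. Gaps that persist across consecutive refresh windows, rather than appearing in one window and closing in the next, are the ones worth treating as real loss.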