We have upgraded from the palo alto 5020 to the 5220 device. Using
pmacct/nfacctd (1.6.2) we have noticed that for each CFLOW packet we get the
unable to read next Flowset (NetFlow v9/IPFIX packet claiming flow_len 0!):
nfacctd=220.127.116.11:2055 agent=18.104.22.168:2055 seq=361308650
It appears that code in nfacctd.c reaches: if (off < len) goto process_flowset;
and continues even so the number of flowsets were already processed.
Let's say a packet has 8 flowsets, all 8 are processed within the loop
process_flowset, it then jumps into the 9th flowset which turns out to be null
padded space at the end of the packet. Then it looks at the flow_len and finds
it to be 0.
I can see on the wire capture that the packets are definitely NULL padded. I am
asking palo alto to look at that as they are wasting a few bytes on the wire -
but it causes endless entries in syslog.
Previous wire captures of netflow traffic on the 5020 did not behave like that.
Steffen Plotner Amherst College Tel (413)
Systems/Network Administrator/Programmer PO BOX 5000 Fax (413)
Systems & Networking Amherst, MA 01002-5000
pmacct-discussion mailing list