We have upgraded from the palo alto 5020 to the 5220 device. Using 
pmacct/nfacctd (1.6.2) we have noticed that for each CFLOW packet we get the 
following message:

unable to read next Flowset (NetFlow v9/IPFIX packet claiming flow_len 0!): 
nfacctd= agent= seq=361308650

It appears that code in nfacctd.c reaches: if (off < len) goto process_flowset; 
and continues even so the number of flowsets were already processed.

Let's say a packet has 8 flowsets, all 8 are processed within the loop 
process_flowset, it then jumps into the 9th flowset which turns out to be null 
padded space at the end of the packet. Then it looks at the flow_len and finds 
it to be 0.

I can see on the wire capture that the packets are definitely NULL padded. I am 
asking palo alto to look at that as they are wasting a few bytes on the wire - 
but it causes endless entries in syslog.

Previous wire captures of netflow traffic on the 5020 did not behave like that.


Steffen Plotner                            Amherst College            Tel (413) 
Systems/Network Administrator/Programmer   PO BOX 5000                Fax (413) 
Systems & Networking                       Amherst, MA 01002-5000     

pmacct-discussion mailing list

Reply via email to