Hi, We have upgraded from the palo alto 5020 to the 5220 device. Using pmacct/nfacctd (1.6.2) we have noticed that for each CFLOW packet we get the following message:
unable to read next Flowset (NetFlow v9/IPFIX packet claiming flow_len 0!): nfacctd=148.85.56.21:2055 agent=148.85.56.93:2055 seq=361308650 It appears that code in nfacctd.c reaches: if (off < len) goto process_flowset; and continues even so the number of flowsets were already processed. Let's say a packet has 8 flowsets, all 8 are processed within the loop process_flowset, it then jumps into the 9th flowset which turns out to be null padded space at the end of the packet. Then it looks at the flow_len and finds it to be 0. I can see on the wire capture that the packets are definitely NULL padded. I am asking palo alto to look at that as they are wasting a few bytes on the wire - but it causes endless entries in syslog. Previous wire captures of netflow traffic on the 5020 did not behave like that. Steffen _______________________________________________________________________________________________ Steffen Plotner Amherst College Tel (413) 542-2348 Systems/Network Administrator/Programmer PO BOX 5000 Fax (413) 542-2626 Systems & Networking Amherst, MA 01002-5000 [email protected]
_______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
