Hi Steffen,

Thanks for this report. I'd be indeed interested in seeing a capture of
the packets myself in order to see whether there is anything that can be
improved on the pmacct side of the things. Should it be possible for you
to send a brief pcap trace over, please get in touch via unicast email.


On Fri, Sep 08, 2017 at 02:24:58PM +0000, Steffen Plotner wrote:
> Hi,
> We have upgraded from the palo alto 5020 to the 5220 device. Using 
> pmacct/nfacctd (1.6.2) we have noticed that for each CFLOW packet we get the 
> following message:
> unable to read next Flowset (NetFlow v9/IPFIX packet claiming flow_len 0!): 
> nfacctd= agent= seq=361308650
> It appears that code in nfacctd.c reaches: if (off < len) goto 
> process_flowset; and continues even so the number of flowsets were already 
> processed.
> Let's say a packet has 8 flowsets, all 8 are processed within the loop 
> process_flowset, it then jumps into the 9th flowset which turns out to be 
> null padded space at the end of the packet. Then it looks at the flow_len and 
> finds it to be 0.
> I can see on the wire capture that the packets are definitely NULL padded. I 
> am asking palo alto to look at that as they are wasting a few bytes on the 
> wire - but it causes endless entries in syslog.
> Previous wire captures of netflow traffic on the 5020 did not behave like 
> that.
> Steffen
> _______________________________________________________________________________________________
> Steffen Plotner                            Amherst College            Tel 
> (413) 542-2348
> Systems/Network Administrator/Programmer   PO BOX 5000                Fax 
> (413) 542-2626
> Systems & Networking                       Amherst, MA 01002-5000     
> swplot...@amherst.edu

> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists

pmacct-discussion mailing list

Reply via email to