Hi Steffen, Thanks for this report. I'd be indeed interested in seeing a capture of the packets myself in order to see whether there is anything that can be improved on the pmacct side of the things. Should it be possible for you to send a brief pcap trace over, please get in touch via unicast email.
Cheers, Paolo On Fri, Sep 08, 2017 at 02:24:58PM +0000, Steffen Plotner wrote: > Hi, > > We have upgraded from the palo alto 5020 to the 5220 device. Using > pmacct/nfacctd (1.6.2) we have noticed that for each CFLOW packet we get the > following message: > > unable to read next Flowset (NetFlow v9/IPFIX packet claiming flow_len 0!): > nfacctd=22.214.171.124:2055 agent=126.96.36.199:2055 seq=361308650 > > It appears that code in nfacctd.c reaches: if (off < len) goto > process_flowset; and continues even so the number of flowsets were already > processed. > > Let's say a packet has 8 flowsets, all 8 are processed within the loop > process_flowset, it then jumps into the 9th flowset which turns out to be > null padded space at the end of the packet. Then it looks at the flow_len and > finds it to be 0. > > I can see on the wire capture that the packets are definitely NULL padded. I > am asking palo alto to look at that as they are wasting a few bytes on the > wire - but it causes endless entries in syslog. > > Previous wire captures of netflow traffic on the 5020 did not behave like > that. > > Steffen > > _______________________________________________________________________________________________ > Steffen Plotner Amherst College Tel > (413) 542-2348 > Systems/Network Administrator/Programmer PO BOX 5000 Fax > (413) 542-2626 > Systems & Networking Amherst, MA 01002-5000 > swplot...@amherst.edu > > > > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists