Re: [pmacct-discussion] Enterasys nfacctd expecting flow error
Paolo has provided the answer below.

How sequencing works in NetFlow? Imagine you start from 0; imagine that you can pack a maximum of 30 flows within a NetFlow datagram: with 30 flows packed, the datagram is very close to 1500 bytes. The exact number of flows packed in a datagram depends on the traffic conditions. Now, the sequence number is incremented by the number of flows within a NetFlow datagram - i.e. packet 1 comes with seq 0 and 30 flows inside; packet 2 comes with seq 30 and, say, 25 flows inside; packet 3 comes with seq 55 and X flows inside; and so on.

What is the problem? Enterasys increments the sequence number by 30 - statically, regardless of how many flows are packed inside a NetFlow datagram. Hence, every time there are fewer, you get pmacct complaining of sequencing.

The good news is: you are not losing any data and sequencing checks can be disabled in pmacct.

----- Original Message -----
From: Paolo Lucente pa...@pmacct.net
To: pmacct-discussion@pmacct.net
Sent: Fri, January 15, 2010 3:22:42 AM
Subject: Re: [pmacct-discussion] Enterasys nfacctd expecting flow error

Hi Marc,

I would ask you if you can send me privately a packet capture (in tcpdump format, full payload) so that I can have a look into it and possibly replay in lab. This should very well give an insight on the sequence jumps; and might also give a hint why not all the traffic is accounted for, i.e. if there is a cause-effect relationship between the two. Let me know if this is acceptable to you.

Cheers,
Paolo

On Thu, Jan 14, 2010 at 02:54:55PM -0800, marc slice wrote:

They appear frequently. Every 10-15 secs. We have between 25-80Mbps running across the interfaces recording netflow data on the enterasys throughout the day. Not all the traffic is getting recorded when compared to port statistics. No real pattern that we have found. We have 1Gbps connections from the enterasys to the collector and the collector is a HP 2 CPU opteron box with 8GB of memory. CPU is seeing very little use at all times.

----- Original Message -----
From: Paolo Lucente pa...@pmacct.net
To: pmacct-discussion@pmacct.net
Sent: Wed, January 13, 2010 3:33:36 PM
Subject: Re: [pmacct-discussion] Enterasys nfacctd expecting flow error

Hi Marc,

Such messages tell it has been detected some issues with NetFlow datagram sequence numbers. This can be caused by packet loss between an agent and the collector, mistakes in the sequencing encoding among the others. Besides the warning messages, which can be turned off, NetFlow datagrams reaching pmacct are processed as usual.

Do you see such messages appearing regularly or occasionally? Can you spot a pattern (i.e. only a subset of the devices are affected, jumps repeat the same way, etc.)?

Cheers,
Paolo

On Wed, Jan 13, 2010 at 11:52:07AM -0800, marc slice wrote:

I have set up netflow from an Enterasys N series switch and receive the following when running nfacctd.

WARN: expecting flow '2727940030' but received '2727940026' collector=0.0.0.0:2055 agent=172.16.32.2:513
WARN: expecting flow '11226450' but received '11226438' collector=0.0.0.0:2055 agent=172.16.32.2:769
WARN: expecting flow '2727940052' but received '2727940056' collector=0.0.0.0:2055 agent=172.16.32.2:513
WARN: expecting flow '11226456' but received '11226468' collector=0.0.0.0:2055 agent=172.16.32.2:769
WARN: expecting flow '2727952866' but received '2727952852' collector=0.0.0.0:2055 agent=172.16.32.2:513
WARN: expecting flow '11226618' but received '11226617' collector=0.0.0.0:2055 agent=172.16.32.2:769
WARN: expecting flow '2727952868' but received '2727952882' collector=0.0.0.0:2055 agent=172.16.32.2:513

Couldn't find much info on this problem and was wondering if someone could help?

[ ... ]

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
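Added example (not part of the original thread and not pmacct's code): the NetFlow v5 sequencing rule described in the message above, with a check that separates an exporter stepping its sequence by a fixed amount from gaps that suggest lost datagrams. The helper names, the three-way classification and the sample datagrams are constructed for illustration.

```python
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")  # version, count, uptime, secs, nsecs, flow_sequence, ...
V5_RECORD_LEN = 48
MASK = 0xFFFFFFFF  # flow_sequence is an unsigned 32-bit counter and wraps


def parse_v5_header(datagram):
    """Return (count, flow_sequence), rejecting malformed v5 datagrams."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _, _, _, seq, _, _, _ = V5_HEADER.unpack_from(datagram)
    if version != 5 or len(datagram) != V5_HEADER.size + count * V5_RECORD_LEN:
        raise ValueError("not a well-formed NetFlow v5 datagram")
    return count, seq


def sequence_mismatches(datagrams):
    """List (expected, received) pairs, the values a sequence warning reports."""
    out, expected = [], None
    for d in datagrams:
        count, seq = parse_v5_header(d)
        if expected is not None and seq != expected:
            out.append((expected, seq))
        expected = (seq + count) & MASK  # next = this sequence + flows carried
    return out


def classify(datagrams):
    """Tell a fixed-step exporter apart from gaps that suggest real loss."""
    hdrs = [parse_v5_header(d) for d in datagrams]
    deltas = [((b[1] - a[1]) & MASK, a[0]) for a, b in zip(hdrs, hdrs[1:])]
    if all(step == count for step, count in deltas):
        return "consistent"
    steps = {step for step, _ in deltas}
    if len(deltas) >= 2 and len(steps) == 1 and all(s >= c for s, c in deltas):
        return "fixed-step"  # same jump every time, whatever the flow count
    return "gaps"


def make_v5(seq, count):
    """Constructed sample: valid header followed by zeroed flow records."""
    return V5_HEADER.pack(5, count, 0, 0, 0, seq, 0, 0, 0) + bytes(count * V5_RECORD_LEN)


# Constructed streams (not taken from the capture discussed in the thread).
COMPLIANT = [make_v5(0, 30), make_v5(30, 25), make_v5(55, 12)]
FIXED_STEP = [make_v5(0, 30), make_v5(30, 25), make_v5(60, 12), make_v5(90, 30)]
LOSSY = [make_v5(0, 30), make_v5(30, 25), make_v5(85, 10)]  # datagram with seq 55 missing
```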
Re: [pmacct-discussion] Enterasys nfacctd expecting flow error
Hi Marc,

I would ask you if you can send me privately a packet capture (in tcpdump format, full payload) so that I can have a look into it and possibly replay in lab. This should very well give an insight on the sequence jumps; and might also give a hint why not all the traffic is accounted for, i.e. if there is a cause-effect relationship between the two. Let me know if this is acceptable to you.

Cheers,
Paolo

On Thu, Jan 14, 2010 at 02:54:55PM -0800, marc slice wrote:

They appear frequently. Every 10-15 secs. We have between 25-80Mbps running across the interfaces recording netflow data on the enterasys throughout the day. Not all the traffic is getting recorded when compared to port statistics. No real pattern that we have found. We have 1Gbps connections from the enterasys to the collector and the collector is a HP 2 CPU opteron box with 8GB of memory. CPU is seeing very little use at all times.

----- Original Message -----
From: Paolo Lucente pa...@pmacct.net
To: pmacct-discussion@pmacct.net
Sent: Wed, January 13, 2010 3:33:36 PM
Subject: Re: [pmacct-discussion] Enterasys nfacctd expecting flow error

Hi Marc,

Such messages tell it has been detected some issues with NetFlow datagram sequence numbers. This can be caused by packet loss between an agent and the collector, mistakes in the sequencing encoding among the others. Besides the warning messages, which can be turned off, NetFlow datagrams reaching pmacct are processed as usual.

Do you see such messages appearing regularly or occasionally? Can you spot a pattern (i.e. only a subset of the devices are affected, jumps repeat the same way, etc.)?

Cheers,
Paolo

On Wed, Jan 13, 2010 at 11:52:07AM -0800, marc slice wrote:

I have set up netflow from an Enterasys N series switch and receive the following when running nfacctd.

WARN: expecting flow '2727940030' but received '2727940026' collector=0.0.0.0:2055 agent=172.16.32.2:513
WARN: expecting flow '11226450' but received '11226438' collector=0.0.0.0:2055 agent=172.16.32.2:769
WARN: expecting flow '2727940052' but received '2727940056' collector=0.0.0.0:2055 agent=172.16.32.2:513
WARN: expecting flow '11226456' but received '11226468' collector=0.0.0.0:2055 agent=172.16.32.2:769
WARN: expecting flow '2727952866' but received '2727952852' collector=0.0.0.0:2055 agent=172.16.32.2:513
WARN: expecting flow '11226618' but received '11226617' collector=0.0.0.0:2055 agent=172.16.32.2:769
WARN: expecting flow '2727952868' but received '2727952882' collector=0.0.0.0:2055 agent=172.16.32.2:513

Couldn't find much info on this problem and was wondering if someone could help?

[ ... ]
Re: [pmacct-discussion] Enterasys nfacctd expecting flow error
They appear frequently. Every 10-15 secs. We have between 25-80Mbps running across the interfaces recording netflow data on the enterasys throughout the day. Not all the traffic is getting recorded when compared to port statistics. No real pattern that we have found. We have 1Gbps connections from the enterasys to the collector and the collector is a HP 2 CPU opteron box with 8GB of memory. CPU is seeing very little use at all times.

----- Original Message -----
From: Paolo Lucente pa...@pmacct.net
To: pmacct-discussion@pmacct.net
Sent: Wed, January 13, 2010 3:33:36 PM
Subject: Re: [pmacct-discussion] Enterasys nfacctd expecting flow error

Hi Marc,

Such messages tell it has been detected some issues with NetFlow datagram sequence numbers. This can be caused by packet loss between an agent and the collector, mistakes in the sequencing encoding among the others. Besides the warning messages, which can be turned off, NetFlow datagrams reaching pmacct are processed as usual.

Do you see such messages appearing regularly or occasionally? Can you spot a pattern (i.e. only a subset of the devices are affected, jumps repeat the same way, etc.)?

Cheers,
Paolo

On Wed, Jan 13, 2010 at 11:52:07AM -0800, marc slice wrote:

I have set up netflow from an Enterasys N series switch and receive the following when running nfacctd.

WARN: expecting flow '2727940030' but received '2727940026' collector=0.0.0.0:2055 agent=172.16.32.2:513
WARN: expecting flow '11226450' but received '11226438' collector=0.0.0.0:2055 agent=172.16.32.2:769
WARN: expecting flow '2727940052' but received '2727940056' collector=0.0.0.0:2055 agent=172.16.32.2:513
WARN: expecting flow '11226456' but received '11226468' collector=0.0.0.0:2055 agent=172.16.32.2:769
WARN: expecting flow '2727952866' but received '2727952852' collector=0.0.0.0:2055 agent=172.16.32.2:513
WARN: expecting flow '11226618' but received '11226617' collector=0.0.0.0:2055 agent=172.16.32.2:769
WARN: expecting flow '2727952868' but received '2727952882' collector=0.0.0.0:2055 agent=172.16.32.2:513

Couldn't find much info on this problem and was wondering if someone could help?

[ ... ]
[pmacct-discussion] Enterasys nfacctd expecting flow error
I have set up netflow from an Enterasys N series switch and receive the following when running nfacctd.

WARN: expecting flow '2727940030' but received '2727940026' collector=0.0.0.0:2055 agent=172.16.32.2:513
WARN: expecting flow '11226450' but received '11226438' collector=0.0.0.0:2055 agent=172.16.32.2:769
WARN: expecting flow '2727940052' but received '2727940056' collector=0.0.0.0:2055 agent=172.16.32.2:513
WARN: expecting flow '11226456' but received '11226468' collector=0.0.0.0:2055 agent=172.16.32.2:769
WARN: expecting flow '2727952866' but received '2727952852' collector=0.0.0.0:2055 agent=172.16.32.2:513
WARN: expecting flow '11226618' but received '11226617' collector=0.0.0.0:2055 agent=172.16.32.2:769
WARN: expecting flow '2727952868' but received '2727952882' collector=0.0.0.0:2055 agent=172.16.32.2:513

Couldn't find much info on this problem and was wondering if someone could help?

The current configuration on the enterasys is set as follows:

Destination UDP Port: 2055
Export Version: 5
Export Interval: 1 (min)

The nfacctd configuration is

daemonize: false
plugin_buffer_size: 40960
plugin_pipe_size: 4096
interface: eth0
aggregate[in]: dst_host
aggregate[out]: src_host
aggregate_filter[in]: dst net (xxx.xxx.xxx.xxx/25)
aggregate_filter[out]: src net (xxx.xxx.xxx.xxx/25)
nfacctd_port:2055
nfacctd_time_new: true
plugins: mysql[in],mysql[out]
sql_db: pmacct
sql_table[in]: acct_in
sql_table[out]: acct_out
sql_table_version: 7
sql_user: pmacct
sql_passwd: x
sql_refresh_time: 300
sql_history: 5m
sql_history_roundoff: m
sql_dont_try_update: true