Hi Cedric, While i can't say it's the very same issue, it seems related to what i describe in the following comment:
https://github.com/pmacct/pmacct/issues/71#issuecomment-265497661 The sFlow dissector of Wireshark seems buggy and i recommend using sflowtools for debugging and troubleshooting purposes. Cheers, Paolo On Wed, Dec 28, 2016 at 04:22:19PM +0100, Cédric ML wrote: > Hello, > I'm trying to make pmacct work with a bgp agent (bird). > > pmacct is installed on the bgp router, bgp_agent session is up, and > prefixes are exported to pmacct process. > > This bgp router has three vlans (50,51,52) on interface eth0. > > I'm trying to get correct correct values in incoming/outgoing VLANs, > and source/destination AS (using pretag.map, maybe there is a > simpler way ?) > > My problem, when running "pmacctd -f pmacctd.sflow.conf", is that > wireshark tells me : "Expert Info (Error/Malformed): Malformed > Packet (Exception occurred)" > Agent address & ID are correctly displayed in capture (agent > address=127.0.0.1 & agent_id=0) > > Here's the output of pmacctd : > > # pmacctd -f pmacctd.sflow.conf > INFO ( default/core ): Promiscuous Mode Accounting Daemon, pmacctd > 1.6.2-git (20161222-00) > INFO ( default/core ): > INFO ( default/core ): Reading configuration file > '/usr/local/etc/pmacct/pmacctd.sflow.conf'. > INFO ( sfprobe/sfprobe ): plugin_pipe_size=4096000 bytes > plugin_buffer_size=384 bytes > INFO ( sfprobe/sfprobe ): ctrl channel: obtained=124928 bytes > target=85328 bytes > INFO ( default/core ): [/usr/local/etc/pmacct/pretag.map] (re)loading map. > DEBUG ( sfprobe/sfprobe ): Creating sFlow agent. > INFO ( sfprobe/sfprobe ): Exporting flows to [192.168.156.109]:6343 > INFO ( sfprobe/sfprobe ): Sampling at: 1/1000 > INFO ( default/core ): [/usr/local/etc/pmacct/pretag.map] map > successfully (re)loaded. > INFO ( default/core ): [/usr/local/etc/pmacct/pretag.map] (re)loading map. > INFO ( default/core ): [/usr/local/etc/pmacct/pretag.map] map > successfully (re)loaded. > INFO ( default/core ): link type is: 1 > WARN ( default/core ): eth0: no IPv4 address assigned > INFO ( default/core ): [/usr/local/etc/pmacct/agent_to_peer.map] > (re)loading map. > INFO ( default/core ): [/usr/local/etc/pmacct/agent_to_peer.map] map > successfully (re)loaded. > DEBUG ( default/core/BGP ): 1 thread(s) initialized > INFO ( default/core/BGP ): maximum BGP peers allowed: 2 > INFO ( default/core/BGP ): waiting for BGP data on 127.0.0.1:17917 > INFO ( default/core/BGP ): [127.0.0.1] BGP peers usage: 1/2 > INFO ( default/core/BGP ): [x.x.x.x] Capability: MultiProtocol [1] > AFI [1] SAFI [1] > INFO ( default/core/BGP ): [x.x.x.x] Capability: 4-bytes AS [41] ASN > [203596] > INFO ( default/core/BGP ): [x.x.x.x] BGP_OPEN: Local AS: 203596 > Remote AS: 203596 HoldTime: 240 > DEBUG ( default/core/BGP ): [x.x.x.x] BGP_KEEPALIVE received > DEBUG ( default/core/BGP ): [x.x.x.x] BGP_KEEPALIVE sent > DEBUG ( sfprobe/sfprobe ): c08c60e112a7 -> 6805ca3dca86 (len = 1478, > captured = 128) > DEBUG ( sfprobe/sfprobe ): 78baf965af1f -> 6805ca3dca86 (len = 64, > captured = 64) > DEBUG ( sfprobe/sfprobe ): 78baf965af1f -> 6805ca3dca86 (len = 64, > captured = 64) > ... > > > Can anybody tell me what may be wrong in my config ? > > Best regards, > Cédric > > ======================================== > == file pmacctd.sflow.conf > debug: true > daemonize: false > interface: eth0 > aggregate: tag, src_host, dst_host, src_port, dst_port, proto, tos, > src_as, dst_as > plugins: sfprobe[sfprobe] > sfprobe_receiver: 192.168.156.109:6343 > sfprobe_direction[sfprobe]: tag > sfprobe_ifindex[sfprobe]: tag2 > sampling_rate: 1000 > pmacctd_as: bgp > bgp_daemon: true > bgp_daemon_ip: 127.0.0.1 > bgp_daemon_port: 17917 > bgp_agent_map: /usr/local/etc/pmacct/agent_to_peer.map > bgp_peer_as_skip_subas: true > bgp_peer_src_as_type: bgp > pre_tag_map: /usr/local/etc/pmacct/pretag.map > > == file agent_to_peer.map > bgp_ip=x.x.x.x ip=0.0.0.0/0 > > == file pretag.map (inspired by examples/pretag.map.example) > set_tag=1 filter='ether src 00:26:51:cb:8f:db' jeq=five > set_tag=1 filter='ether src d4:6d:50:23:2b:ea' jeq=six > set_tag=1 filter='ether src 78:ba:f9:65:af:1f' jeq=seven > set_tag=2 filter='ether dst 00:26:51:cb:8f:db' jeq=five > set_tag=2 filter='ether dst d4:6d:50:23:2b:ea' jeq=six > set_tag=2 filter='ether dst 78:ba:f9:65:af:1f' jeq=seven > set_tag2=50 label=five > set_tag2=51 label=six > set_tag2=52 label=seven > > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists