Home / Browse / NFDUMP - Netflow processing tools / Mail / Archive

NFDUMP - Netflow processing tools

Email Archive: nfdump-discuss (read-only)

2005:	_Jan	_Feb	_Mar	_Apr	_May	_Jun	_Jul (3)	_Aug (4)	_Sep (1)	_Oct (1)	_Nov (4)	_Dec (4)
2006:	_Jan (20)	_Feb (14)	_Mar (12)	_Apr (4)	_May (9)	_Jun (15)	_Jul (23)	_Aug (12)	_Sep (5)	_Oct (5)	_Nov (1)	_Dec (5)
2007:	_Jan (7)	_Feb (9)	_Mar (6)	_Apr (9)	_May (11)	_Jun (6)	_Jul (25)	_Aug (35)	_Sep (10)	_Oct (21)	_Nov (13)	_Dec (10)
2008:	_Jan (3)	_Feb (5)	_Mar (9)	_Apr (5)	_May (1)	_Jun (2)	_Jul (13)	_Aug (10)	_Sep (1)	_Oct (5)	_Nov (1)	_Dec
2009:	_Jan	_Feb (4)	_Mar (1)	_Apr (4)	_May (5)	_Jun (17)	_Jul (17)	_Aug (18)	_Sep (4)	_Oct (11)	_Nov (22)	_Dec (24)
2010:	_Jan (13)	_Feb (6)	_Mar (5)	_Apr (9)	_May (4)	_Jun (43)	_Jul (4)	_Aug (11)	_Sep (7)	_Oct (6)	_Nov (4)	_Dec (7)
2011:	_Jan (14)	_Feb (20)	_Mar (19)	_Apr (2)	_May (6)	_Jun (15)	_Jul (17)	_Aug (10)	_Sep (14)	_Oct (15)	_Nov (7)	_Dec (1)
2012:	_Jan (16)	_Feb (7)	_Mar (6)	_Apr (6)	_May (5)	_Jun (14)	_Jul (15)	_Aug (27)	_Sep (9)	_Oct (11)	_Nov (10)	_Dec (8)
2013:	_Jan (25)	_Feb (11)	_Mar (11)	_Apr (15)	_May (13)	_Jun	_Jul	_Aug	_Sep	_Oct	_Nov	_Dec

[Nfdump-discuss] sflows and sfcapd stop working after one rotation

From: Kynan Lalone <kynanlalone@gm...> - 2012-12-14 21:48

I'm having an issue with sfcapd:

I have a juniper ex4200 (10.1.1.1) set to send sflow samples to my
collector (10.1.1.5) collecting samples from a trunk interface with no
VLANs
set protocols sflow polling-interval 15
set protocols sflow sample-rate 1000
set protocols sflow source-ip 10.1.1.1
set protocols sflow collector 10.1.1.5 udp-port 6343
set protocols sflow interfaces ge-1/0/13.0

I compiled nfdump with --enable-sflow and compiled nsfen with:
%sources = (
     'switch1'        => { 'port' => '6343', 'col' => '#0000ff',
'type' => 'sflow' },
);

My first run collected sample data!  I can hit up the web UI and run
nfdump from there, the sflow data is awesome!  I get really useful
stuff... for one minute.  I took a look in the collection store and
found that after the first rotate all files were blank:

collector:/usr/local/nfsen/profiles-data/live/switch1/2012/12/12$ wc -l *
 352 nfcapd.201212120155
   0 nfcapd.201212120200
   0 nfcapd.201212120205
   0 nfcapd.201212120210
   0 nfcapd.201212120215
   0 nfcapd.201212120220
   0 nfcapd.201212120225
   0 nfcapd.201212120230
   0 nfcapd.201212120235
   0 nfcapd.201212120240


I tried running sfcapd by hand but I don't get anything there either:
$ sudo sfcapd -E -B 10 -b 10.1.1.5 -4 -p 6343 -S 1 -n
switch1,10.1.1.1,/tmp/nfdump
File Block Header:
NumBlocks     =           0
Size          =           0
id         	 =           2


When I do a "sudo tcpdump -v udp port 6343  -s 1500" I do get sflows
from the switch:
11:52:07.624977 IP (tos 0x0, ttl 254, id 5728, offset 0, flags [none],
proto UDP (17), length 1484)
   10.1.1.1.60578 > collector.6343: sFlowv5, IPv4 agent 128.0.0.127,
agent-id 17, seqnum 38496, uptime 1963373233, samples 8, length 1456
	flow sample (1), length 196,
	flow sample (1), length 148,
	flow sample (1), length 208,
	flow sample (1), length 208,
	flow sample (1), length 148,
	flow sample (1), length 148,
	flow sample (1), length 148,
	flow sample (1), length 160,[|SFLOW]
11:52:07.722853 IP (tos 0x0, ttl 254, id 5729, offset 0, flags [none],
proto UDP (17), length 1372)
    10.1.1.1.60578 > collector.6343: sFlowv5, IPv4 agent 128.0.0.127,
agent-id 17, seqnum 38497, uptime 1963373331, samples 8, length 1344
	flow sample (1), length 148,
	flow sample (1), length 148,
	flow sample (1), length 156,
	flow sample (1), length 148,
	flow sample (1), length 148,
	flow sample (1), length 148,
	flow sample (1), length 148,
	flow sample (1), length 208,


but if I strace the above sfcapd command it I found this interesting tidbit:

...
bind(4, {sa_family=AF_INET, sin_port=htons(6343),
sin_addr=inet_addr("10.1.1.5")}, 16) = 0
sendto(3, "<31>Dec 12 12:04:47 sfcapd[28939"..., 80, MSG_NOSIGNAL, NULL, 0) = 80
listen(4, 128)                          = -1 EOPNOTSUPP (Operation not
supported)
sendto(3, "<30>Dec 12 12:04:47 sfcapd[28939"..., 79, MSG_NOSIGNAL, NULL, 0) = 79
getsockopt(4, SOL_SOCKET, SO_RCVBUF, [17179994112], [4]) = 0
sendto(3, "<30>Dec 12 12:04:47 sfcapd[28939"..., 107, MSG_NOSIGNAL,
NULL, 0) = 107
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [65536], 4) = 0
getsockopt(4, SOL_SOCKET, SO_RCVBUF, [17180000256], [4]) = 0
sendto(3, "<30>Dec 12 12:04:47 sfcapd[28939"..., 83, MSG_NOSIGNAL, NULL, 0) = 83
...

 I'm not sure where else to go from here.  I read that with netflow
data you need to export the a header every once and a while so that
each rotation of nfdump knows how to read the file but that doesn't
seem true with sflow.

Thanks!

Re: [Nfdump-discuss] sflows and sfcapd stop working after one rotation

From: Peter Haag <phaag@us...> - 2012-12-17 12:02

It sees as the process can not write to the disk at all! If the collector
can write, an empty flow fie has 276 bytes in size. So a size of 0 means
it can not write at all. Have you checked the syslogs log daemon file?
The collector does report any errors to this file.
Maybe disk full or anything like this? Apart from that, I have no idea.

	- Peter

On 12/14/12 22:47, Kynan Lalone wrote:
> I'm having an issue with sfcapd:
> 
> I have a juniper ex4200 (10.1.1.1) set to send sflow samples to my
> collector (10.1.1.5) collecting samples from a trunk interface with no
> VLANs
> set protocols sflow polling-interval 15
> set protocols sflow sample-rate 1000
> set protocols sflow source-ip 10.1.1.1
> set protocols sflow collector 10.1.1.5 udp-port 6343
> set protocols sflow interfaces ge-1/0/13.0
> 
> I compiled nfdump with --enable-sflow and compiled nsfen with:
> %sources = (
>      'switch1'        => { 'port' => '6343', 'col' => '#0000ff',
> 'type' => 'sflow' },
> );
> 
> My first run collected sample data!  I can hit up the web UI and run
> nfdump from there, the sflow data is awesome!  I get really useful
> stuff... for one minute.  I took a look in the collection store and
> found that after the first rotate all files were blank:
> 
> collector:/usr/local/nfsen/profiles-data/live/switch1/2012/12/12$ wc -l *
>  352 nfcapd.201212120155
>    0 nfcapd.201212120200
>    0 nfcapd.201212120205
>    0 nfcapd.201212120210
>    0 nfcapd.201212120215
>    0 nfcapd.201212120220
>    0 nfcapd.201212120225
>    0 nfcapd.201212120230
>    0 nfcapd.201212120235
>    0 nfcapd.201212120240
> 
> 
> I tried running sfcapd by hand but I don't get anything there either:
> $ sudo sfcapd -E -B 10 -b 10.1.1.5 -4 -p 6343 -S 1 -n
> switch1,10.1.1.1,/tmp/nfdump
> File Block Header:
> NumBlocks     =           0
> Size          =           0
> id         	 =           2
> 
> 
> When I do a "sudo tcpdump -v udp port 6343  -s 1500" I do get sflows
> from the switch:
> 11:52:07.624977 IP (tos 0x0, ttl 254, id 5728, offset 0, flags [none],
> proto UDP (17), length 1484)
>    10.1.1.1.60578 > collector.6343: sFlowv5, IPv4 agent 128.0.0.127,
> agent-id 17, seqnum 38496, uptime 1963373233, samples 8, length 1456
> 	flow sample (1), length 196,
> 	flow sample (1), length 148,
> 	flow sample (1), length 208,
> 	flow sample (1), length 208,
> 	flow sample (1), length 148,
> 	flow sample (1), length 148,
> 	flow sample (1), length 148,
> 	flow sample (1), length 160,[|SFLOW]
> 11:52:07.722853 IP (tos 0x0, ttl 254, id 5729, offset 0, flags [none],
> proto UDP (17), length 1372)
>     10.1.1.1.60578 > collector.6343: sFlowv5, IPv4 agent 128.0.0.127,
> agent-id 17, seqnum 38497, uptime 1963373331, samples 8, length 1344
> 	flow sample (1), length 148,
> 	flow sample (1), length 148,
> 	flow sample (1), length 156,
> 	flow sample (1), length 148,
> 	flow sample (1), length 148,
> 	flow sample (1), length 148,
> 	flow sample (1), length 148,
> 	flow sample (1), length 208,
> 
> 
> but if I strace the above sfcapd command it I found this interesting tidbit:
> 
> ...
> bind(4, {sa_family=AF_INET, sin_port=htons(6343),
> sin_addr=inet_addr("10.1.1.5")}, 16) = 0
> sendto(3, "<31>Dec 12 12:04:47 sfcapd[28939"..., 80, MSG_NOSIGNAL, NULL, 0) = 80
> listen(4, 128)                          = -1 EOPNOTSUPP (Operation not
> supported)
> sendto(3, "<30>Dec 12 12:04:47 sfcapd[28939"..., 79, MSG_NOSIGNAL, NULL, 0) = 79
> getsockopt(4, SOL_SOCKET, SO_RCVBUF, [17179994112], [4]) = 0
> sendto(3, "<30>Dec 12 12:04:47 sfcapd[28939"..., 107, MSG_NOSIGNAL,
> NULL, 0) = 107
> setsockopt(4, SOL_SOCKET, SO_RCVBUF, [65536], 4) = 0
> getsockopt(4, SOL_SOCKET, SO_RCVBUF, [17180000256], [4]) = 0
> sendto(3, "<30>Dec 12 12:04:47 sfcapd[28939"..., 83, MSG_NOSIGNAL, NULL, 0) = 83
> ...
> 
>  I'm not sure where else to go from here.  I read that with netflow
> data you need to export the a header every once and a while so that
> each rotation of nfdump knows how to read the file but that doesn't
> seem true with sflow.
> 
> Thanks!
> 
> ------------------------------------------------------------------------------
> LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
> Remotely access PCs and mobile devices and provide instant support
> Improve your efficiency, and focus on delivering more value-add services
> Discover what IT Professionals Know. Rescue delivers
> http://p.sf.net/sfu/logmein_12329d2d
> _______________________________________________
> Nfdump-discuss mailing list
> Nfdump-discuss@...
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
> 

-- 
--
Be nice to your netflow data