Re: [Nfsen-discuss] sfcapd problem with 3com 4800g router
From: Johannes L. <joh...@vf...> - 2012-04-25 11:23:01
Problem solved: the sampling rate was too high for the sflow agent to ever create statistics and send them as sflow to my nfsen/nfdump collector. I turned down the rate to get the router to create and send flows even at a low packet count.

Thanks for the help. And I will be nice to my flows, as Phaag states!

From: Adrian Popa [mailto:adr...@gm...]
Sent: 25 April 2012 11:31
To: Johannes Lavre
Cc: NFSen-Discuss
Subject: Re: [Nfsen-discuss] sfcapd problem with 3com 4800g router

Malformed packets might be due to the bad capture options. If you are capturing via tcpdump, it truncates packets to 64 bytes by default. You would need to use the -s 1500 parameter to specify the capture length.

The bad checksums may not be bad. Some NICs are doing TCP/UDP checksum offloading and may be calculating the checksum as part of the driver, which might be displayed differently than what wireshark shows. If you get the same reports for valid traffic (e.g. TCP traffic that is ok and doesn't show retransmissions), you can ignore the checksum check (there's even an option in wireshark).

Please keep the discussion on the list, so that others may benefit from your findings as well.

On Wed, Apr 25, 2012 at 9:19 AM, Johannes Lavre <joh...@vf...> wrote:

The collector has been on overnight now and I see some flows coming in on my nfsen/nfdump box. Problem is now finding out how the router behaves, because I don't see much coming in. Also, in my pcap dump a lot of the sflow packets are malformed packets, and I am losing about 3 out of 7 packets because of bad checksums. I will keep investigating this until I figure it out.

Thank you very much for some pointers and good advice in troubleshooting.

From: Adrian Popa [mailto:adr...@gm...]
Sent: 24 April 2012 10:08
To: Johannes Lavre
Cc: nfs...@li...
Subject: Re: [Nfsen-discuss] sfcapd problem with 3com 4800g router

There are some strange segfaults in your messages - they may be the cause of the problem...

However, in order for nfdump to process and save flows in its files, it needs to understand the flows being sent. The router should periodically export a flow template packet that describes the fields exported in the flow. Once that packet is processed, the flows should be recorded. The export interval for such a packet varies from router to router - can be every second, or once in 30 minutes. To see if such a packet is exported, do a packet capture on your server and load it up in wireshark. Choose Decode As -> cflow and if you can see individual fields in the packets (e.g. destination prefix, counters, etc.), then the template packet is exported. If you don't get granular information, then the packet was not captured.

Good luck
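
Added example, not part of the original thread or of nfdump/nfsen: one way to check whether "malformed" packets in a capture come from snap-length truncation, as suggested in the 25 April reply, by comparing each record's captured length with its on-the-wire length. It assumes a classic libpcap file (not pcapng); the function names and the sample capture bytes are constructed for illustration.

```python
import struct

# Classic libpcap magic numbers as they appear on disk, mapped to byte order.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}

def truncation_report(pcap_bytes):
    """Return (snaplen, record_count, truncated) for a classic pcap file.

    truncated lists (index, captured_len, wire_len) for every record the
    capture tool cut short, i.e. captured_len < wire_len.
    """
    if len(pcap_bytes) < 24 or pcap_bytes[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic libpcap file (pcapng is not handled)")
    endian = PCAP_MAGICS[pcap_bytes[:4]]
    # Global header: magic, version (2+2), thiszone, sigfigs, snaplen, linktype.
    snaplen = struct.unpack(endian + "I", pcap_bytes[16:20])[0]
    offset, index, truncated = 24, 0, []
    while offset + 16 <= len(pcap_bytes):
        # Record header: ts_sec, ts_frac, captured length, original length.
        _sec, _frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", pcap_bytes[offset:offset + 16])
        if incl_len < orig_len:
            truncated.append((index, incl_len, orig_len))
        offset += 16 + incl_len
        index += 1
    return snaplen, index, truncated

def _record(wire_len, snaplen):
    # Constructed record: zero-filled payload, cut at snaplen like a sniffer would.
    captured = min(wire_len, snaplen)
    return struct.pack("<IIII", 0, 0, captured, wire_len) + bytes(captured)

def sample_capture(snaplen):
    """Constructed capture: three frames of 1242, 60 and 1442 bytes on the wire."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    return header + b"".join(_record(n, snaplen) for n in (1242, 60, 1442))

if __name__ == "__main__":
    for snap in (64, 1500):  # the two capture lengths mentioned in the thread
        print(snap, truncation_report(sample_capture(snap)))
```

A record whose captured length is below its wire length was cut by the capture tool, so a dissector flagging it as malformed is describing the capture, not what the exporter sent.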