Menu
▾
▴
Re: [host-sflow-discuss] hsflowd - packet samplling
|
From: Neil M. <nei...@in...> - 2015-06-04 19:31:43
|
Adam, I checked in the changes to make NFLOG an option for hsflowd packet-sampling too. If you want to try it, here are the steps. To avoid confusion it's probably best to do it on a server that is not already sending sFlow from the Open vSwitch: # probably need this rpm yum install libnfnetlink-devel # build from sources (trunk) cd host-sflow-code svn up make NFLOG=yes make install # configure iptables MOD_STATISTIC="-m statistic --mode random --probability 0.0025" NFLOG_CONFIG="--nflog-group 5 --nflog-prefix SFLOW" sudo iptables -I INPUT -j NFLOG $MOD_STATISTIC $NFLOG_CONFIG sudo iptables -I OUTPUT -j NFLOG $MOD_STATISTIC $NFLOG_CONFIG # add these lines to /etc/hsflowd.conf nflogGroup = 5 nflogProbability = 0.0025 # and restart sudo service hsflowd restart Neil ------ Neil McKee InMon Corp. http://www.inmon.com On Fri, May 29, 2015 at 9:19 AM, Adam Pavlidis <ada...@gm...> wrote: > That seems very useful, i will try it right away. > > Again, thank you very much for all your help > > > > On Thu, May 28, 2015 at 6:36 PM, Neil McKee <nei...@in...> wrote: >> >> Adam, >> >> I think it would probably work if you installed Open vSwitch and then >> added the ethernet and wireless interfaces to it. I have done that sort of >> thing for testing sFlow. For example, on a regular Linux OS with interface >> eth0: >> >> ovs-vsctl add-br br0 >> ovs-vsctl add-port br0 eth0 >> ifconfig eth0 0 >> ifconfig br0 10.0.0.9/24 >> >> ovs-vsctl show >> ovs-dpctl show >> >> As long as the bridge defaults to "learning mode" then this will behave as >> expected. But then of course you will also have the power to add OpenFlow >> rules to do whatever crazy thing you want: >> http://blog.sflow.com/2013/11/udp-packet-replication-using-open.html >> >> And to turn on sFlow packet-sampling you just have to do this: >> service hsflowd start >> service sflowovsd start >> >> But if you'd rather wait until we get the nflog feature into hsflowd, it >> should only be a few days away. >> >> Neil >> >> >> >> ------ >> Neil McKee >> InMon Corp. >> http://www.inmon.com >> >> On Thu, May 28, 2015 at 6:05 AM, Adam Pavlidis <ada...@gm...> >> wrote: >>> >>> >>> >>> >>>> Try configuring the ULOG feature, as described here: >>>> http://blog.sflow.com/2010/12/ulog.html >>>> >>>> If your OS is a recent one, then this won't work because ULOG was >>>> subsumed into netfilter/NFLOG. I am working on adding the NFLOG feature >>>> this week, though it's not clear that we will be able to get the >>>> kernel-based sampling this way, so there might be a performance hit. >>>> >>> >>> I currently use Ubuntu 14.04, but i will give it a try >>> >>> >>>> For packet-samples you should use the sampling.<speed> settings in >>>> hsflowd.conf. Such as: >>>> >>>> sampling.100M = 500 >>>> sampling.1G = 1000 >>> >>> >>> >>> I don't know if i understood the concept correctly, please correct me if >>> i am wrong. >>> >>> For packet sampling, is it necessary for hsflowd to work either, with >>> ULOG, or with netfilter/NFLOG? >>> >>> Or does the configuration above enable the hsflowd to perform packet >>> sampling regardless? >>> If that is the case, i was unsuccessful (after i modified the .conf >>> file). >>> >>> >>>> >>>> If you run Linux hypervisors, then enabling sFlow in Open vSwitch will >>>> also give you the packet-samples (with efficient kernel-based sampling). >>>> The easiest way to configure that is just to run the sflowovsd daemon >>>> alongside hsflowd on the hypervisor. >>>> >>> >>> Unfortunately the machines in question are not VMs running on Linux >>> HyperVisor. >>> My goal is to monitor traffic on nodes that communicate directly via >>> wireless, so sampling the OvS is not an option >>> >>> I know this i probably a question for ovs-discuss, but if i may veer >>> slightly, do you know if i could use Open vSwitch and its sFlow agent to >>> sample the wireless interface? >>> (perhaps by adding the wireless iface on a logical bridge and sampling >>> that bridge, or if that will reserve the wireless iface and make it unusable >>> by the node perhaps mirror the traffic to bridge and sample the mirrored >>> traffic) >>> >>> Thank you for all your help on the matter >> >> > |
