Re: [Nfsen-discuss] sflow from Arista Switch
From: Peter H. <ph...@us...> - 2021-08-18 12:01:48
Hi Rich,

Please open an issue at github https://github.com/phaag/nfdump/issues if you think it's an sfcapd problem. Collect a pcap sent to the collector and send it to me. I'll have a look.

Cheers
- Peter

On 18.08.21 12:16, Hall, Richard wrote:
> It is using the Hardware setting, which is 1:1024, even if it was using the 1:20000 it is not logging any packets in nfsen. Port is not mentioned because it is the default of 6343. I have already confirmed it is sending and being received by both a pcap and strace on the sfcapd process.
>
>
> Rich Hall
> IT Infrastructure
> GSA Capital Partners LLP
> Stratton House
> 5 Stratton Street
> London W1J 8LA
> Direct +44 (0)20 33104162
> Mobile +44 (0)79 6821 1716
> Reception +44 (0)20 7959 8800
> www.gsacapital.com
>
>
> From: Roger B <fla...@gm...>
> Sent: 18 August 2021 00:56
> To: Hall, Richard <Ric...@gs...>
> Cc: nfs...@li...
> Subject: Re: [Nfsen-discuss] sflow from Arista Switch
>
>
> ** This is an external e-mail. Please treat attachments and links as potentially dangerous. **
>
> One in 20,000 packets isn’t much IMO. I usually set for 1024 or even 512. Also I don’t see the destination port configured, though is it correct by default? It must match what the collector expects
>
> Can you run a TCPDUMP session to verify the switch is sending packets?
>
>
> On Aug 17, 2021, at 6:56 PM, Hall, Richard <Ric...@gs...> wrote:
>
> Switch config is as follows:
>
> sflow sample 20000
> sflow vrf Management destination 10.10.1.136
> sflow vrf Management source-interface Management1
> sflow run
> !
> sflow hardware acceleration
> sflow hardware acceleration sample 1024
>
>
> Regards
> Rich Hall
>
> From: Roger B <fla...@gm...>
> Sent: 17 August 2021 21:18
> To: Hall, Richard <Ric...@gs...>
> Cc: nfs...@li...
> Subject: Re: [Nfsen-discuss] sflow from Arista Switch
>
>
> ** This is an external e-mail. Please treat attachments and links as potentially dangerous. **
>
> Can you show your switch config for netflow including sampling/port/etc?
>
> On Aug 17, 2021, at 2:39 PM, Hall, Richard <Ric...@gs...> wrote:
> I have nfsen working with netflow, and am attempting to add a couple of arista DCS-7280SR2K-48C6-M-R switches running EOS 4.25.4M that do hardware accelerated sflow. I have added them to the %sources in the nfsen.conf
>
> 'switch1' => { 'port' => '6343', 'IP' => '10.10.38.8', 'type' => 'sflow', 'col' => '#FF0099', 'optarg' => ' -T all ' },
> 'switch2' => { 'port' => '6343', 'IP' => '10.10.8.67', 'type' => 'sflow', 'col' => '#FF0066', 'optarg' => ' -T all ' },
>
> I then run "nfsen reconfig" successfully.
>
> I restart nfsen, the new hosts show up and I have files being created in the profiles-data directory with a length of 276B. I do not have any firewall running and I can confirm I can see the sflow v5 data coming from the switch using tshark. I can also see that the sfcapd process is listening:
>
> [root@nfsen ~]# netstat -antup | grep 6343
> udp 0 0 0.0.0.0:6343 0.0.0.0:* 122944/sfcapd
>
> I can confirm the process is receiving the packets by running strace -p 122944, which shows a recvfrom() for each packet. When it rotates the files every 5 min, I see it stat, rename, open and write no problem. It just doesn't seem to write anything other than the default empty file info.
>
> recvfrom(3, "\0\0\0\5\0\0\0\1\n\322\10C\0\0\0\0\0\2\307\v\5l\362P\0\0\0\7\0\0\0\2"..., 65535, 0, {sa_family=AF_INET, sin_port=htons(51771), sin_addr=inet_addr("10.10.8.67")}, [16]) = 1269
> recvfrom(3, "\0\0\0\5\0\0\0\1\n\322&\10\0\0\0\0\0\2\25\6\5l>\240\0\0\0\3\0\0\0\2"..., 65535, 0, {sa_family=AF_INET, sin_port=htons(41901), sin_addr=inet_addr("10.10.38.8")}, [16]) = 565
> alarm(0) = 10
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=3661, ...}) = 0
> lseek(6, 0, SEEK_SET) = 0
> write(6, "\f\245\1\0\1\0\0\0\0\0\0\0switch1\0\0\0\0\0\0\0\0\0\0\0"..., 140) = 140
> write(6, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 136) = 136
> close(6) = 0
> stat("/data/nfsen/profiles-data/live/switch1/2021/08/17", {st_mode=S_IFDIR|0755, st_size=12288, ...}) = 0
> rename("/data/nfsen/profiles-data/live/switch1/nfcapd.current.122942", "/data/nfsen/profiles-data/live/switch1/2021/08/17/nfcapd.202108171855") = 0
> stat("/data/nfsen/profiles-data/live/switch1/2021/08/17/nfcapd.202108171855", {st_mode=S_IFREG|0644, st_size=276, ...}) = 0
> semop(9764873, [{0, -1, 0}], 1) = 0
> semop(9764873, [{0, 1, 0}], 1) = 0
> sendto(4, "<30>Aug 17 19:00:00 sfcapd[12294"..., 121, MSG_NOSIGNAL, NULL, 0) = 121
> open("/data/nfsen/profiles-data/live/switch1/nfcapd.current.122942", O_RDWR|O_CREAT|O_TRUNC, 0644) = 6
> write(6, "\f\245\1\0\1\0\0\0\0\0\0\0switch1\0\0\0\0\0\0\0\0\0\0\0"..., 140) = 140
> write(6, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 136) = 136
> lseek(7, 0, SEEK_SET) = 0
> write(7, "\f\245\1\0\1\0\0\0\0\0\0\0switch2\0\0\0\0\0\0\0\0\0\0\0"..., 140) = 140
> write(7, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 136) = 136
> close(7) = 0
> stat("/data/nfsen/profiles-data/live/switch2/2021/08/17", {st_mode=S_IFDIR|0755, st_size=12288, ...}) = 0
> rename("/data/nfsen/profiles-data/live/switch2/nfcapd.current.122942", "/data/nfsen/profiles-data/live/switch2/2021/08/17/nfcapd.202108171855") = 0
> stat("/data/nfsen/profiles-data/live/switch2/2021/08/17/nfcapd.202108171855", {st_mode=S_IFREG|0644, st_size=276, ...}) = 0
> semop(9797642, [{0, -1, 0}], 1) = 0
> semop(9797642, [{0, 1, 0}], 1) = 0
> sendto(4, "<30>Aug 17 19:00:00 sfcapd[12294"..., 121, MSG_NOSIGNAL, NULL, 0) = 121
> open("/data/nfsen/profiles-data/live/switch2/nfcapd.current.122942", O_RDWR|O_CREAT|O_TRUNC, 0644) = 7
> write(7, "\f\245\1\0\1\0\0\0\0\0\0\0switch2\0\0\0\0\0\0\0\0\0\0\0"..., 140) = 140
> write(7, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 136) = 136
> sendto(4, "<30>Aug 17 19:00:00 sfcapd[12294"..., 60, MSG_NOSIGNAL, NULL, 0) = 60
> alarm(310) = 0
>
> If I run the sfcapd process in the console with -E it just seems to sit there
>
> [root@nfsen ~]# /usr/bin/sfcapd -w -p 6343 -u observium -g observium -B 200000 -S 1 -P /data/nfsen/var/run/p6343.pid \
> -z -n switch1,10.210.38.8,/data/nfsen/profiles-data/live/switch1 -E -T all
> Add extension: 2 byte input/output interface index
> Add extension: 4 byte input/output interface index
> Add extension: 2 byte src/dst AS number
> Add extension: 4 byte src/dst AS number
> Add extension: dst tos, direction, src/dst mask
> Add extension: IPv4 next hop
> Add extension: IPv6 next hop
> Add extension: IPv4 BGP next IP
> Add extension: IPv6 BGP next IP
> Add extension: src/dst vlan id
> Add extension: 4 byte output packets
> Add extension: 8 byte output packets
> Add extension: 4 byte output bytes
> Add extension: 8 byte output bytes
> Add extension: 4 byte aggregated flows
> Add extension: 8 byte aggregated flows
> Add extension: in src/out dst mac address
> Add extension: in dst/out src mac address
> Add extension: MPLS Labels
> Add extension: IPv4 router IP addr
> Add extension: IPv6 router IP addr
> Add extension: router ID
> Add extension: BGP adjacent prev/next AS
> Add extension: time packet received
> Add extension: NSEL Common block
> Add extension: NSEL xlate ports
> Add extension: NSEL xlate IPv4 addr
> Add extension: NSEL xlate IPv6 addr
> Add extension: NSEL ACL ingress/egress acl ID
> Add extension: NSEL username
> Add extension: NSEL max username
> Add extension: nprobe/nfpcapd latency
> Add extension: NEL Common block
> Add extension: Compat NEL IPv4
> Add extension: NAT Port Block Allocation
> File Block Header:
> NumBlocks = 0
> Size = 0
> id = 2
>
> File Block Header:
> NumBlocks = 0
> Size = 0
> id = 2
>
> The file size doesn't change from 276B, all of the files in the profiles-data/live/switch1/2021/08/17/ folders are 276B for the hosts using sflow. Netflow works fine. Does anyone have any idea why it is not processing the sflow data that is being received?
>
> Regards
> Rich Hall
> ________________________________
> For details of how GSA uses your personal information, please see our Privacy Notice here: https://www.gsacapital.com/privacy-notice
>
> This email and any files transmitted with it contain confidential and proprietary information and is solely for the use of the intended recipient. If you are not the intended recipient please return the email to the sender and delete it from your computer and you must not use, disclose, distribute, copy, print or rely on this email or its contents. This communication is for informational purposes only. It is not intended as an offer or solicitation for the purchase or sale of any financial instrument or as an official confirmation of any transaction. Any comments or statements made herein do not necessarily reflect those of GSA Capital. GSA Capital Partners LLP is authorised and regulated by the Financial Conduct Authority and is registered in England and Wales at Stratton House, 5 Stratton Street, London W1J 8LA, number OC309261. GSA Capital Services Limited is registered in England and Wales at the same address, number 5320529.
>
> _______________________________________________
> Nfsen-discuss mailing list
> Nfs...@li...
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>

--
Be nice to your netflow data. Use NfSen and nfdump :)
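
Added example (not part of the thread, and not nfdump or sfcapd code): a small Python check for a captured sFlow v5 datagram that decodes the header and tallies the sample records by type. STRACE_PREFIX is the 32 bytes visible in the strace line for 10.10.8.67; constructed_datagram() and its empty sample bodies are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

# Enterprise-0 sample formats defined by sFlow version 5.
FORMATS = {1: "flow_sample", 2: "counters_sample",
           3: "expanded_flow_sample", 4: "expanded_counters_sample"}

# First 32 bytes of the datagram from 10.10.8.67, copied from the strace line.
STRACE_PREFIX = (b"\0\0\0\5\0\0\0\1\n\322\10C\0\0\0\0"
                 b"\0\2\307\v\5l\362P\0\0\0\7\0\0\0\2")

def parse_header(data):
    """Decode the datagram header; return (fields, offset of first sample)."""
    if len(data) < 8:
        raise ValueError("truncated datagram")
    version, addr_type = struct.unpack_from("!II", data, 0)
    if version != 5:
        raise ValueError(f"not sFlow v5 (version={version})")
    addr_len = {1: 4, 2: 16}.get(addr_type)  # 1 = IPv4, 2 = IPv6
    if addr_len is None or len(data) < 8 + addr_len + 16:
        raise ValueError("bad agent address type or truncated header")
    off = 8 + addr_len
    sub_agent, seq, uptime_ms, count = struct.unpack_from("!IIII", data, off)
    return {"agent": str(ipaddress.ip_address(data[8:off])),
            "sub_agent": sub_agent, "sequence": seq,
            "uptime_ms": uptime_ms, "samples": count}, off + 16

def count_samples(data):
    """Walk the sample records and tally them by type; bodies are skipped."""
    hdr, off = parse_header(data)
    tally = Counter()
    for _ in range(hdr["samples"]):
        if off + 8 > len(data):
            raise ValueError("sample header runs past end of datagram")
        tag, length = struct.unpack_from("!II", data, off)
        enterprise, fmt = tag >> 12, tag & 0xFFF  # 20-bit enterprise, 12-bit format
        if off + 8 + length > len(data):
            raise ValueError("sample body runs past end of datagram")
        key = FORMATS.get(fmt, f"format_{fmt}") if enterprise == 0 \
            else f"enterprise_{enterprise}_format_{fmt}"
        tally[key] += 1
        off += 8 + length
    return hdr, dict(tally)

def constructed_datagram(formats):
    """Constructed input: the strace header fields plus empty 8-byte bodies."""
    records = b"".join(struct.pack("!II", f, 8) + bytes(8) for f in formats)
    return STRACE_PREFIX[:24] + struct.pack("!I", len(formats)) + records
```

Run over the UDP payloads of a pcap like the one Peter asks for, count_samples() shows whether a datagram carries flow samples (sampled packet headers) or only counters samples (interface counters). In both strace lines the first record tag is 2, a counters sample; strace cuts off the rest of each datagram.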