Problem solved: the sampling rate was too high for the sflow agent to ever
create statistics and send them as sflow to my nfsen/nfdump collector. I turned
down the rate to get the router to create and send flows even at a low packet
count.
Thanks for the help.
And I will be nice to my flows as Phaag states!

From: Adrian Popa [mailto:[email protected]]
Sent: 25 April 2012 11:31
To: Johannes Lavre
Cc: NFSen-Discuss
Subject: Re: [Nfsen-discuss] sfcapd problem with 3com 4800g router

Malformed packets might be due to the bad capture options. If you are capturing
via tcpdump, it truncates packets to 64 bytes by default. You would need to use
the -s 1500 parameter to specify the capture length.
The bad checksums may not be bad. Some NICs are doing TCP/UDP checksum
offloading and may be calculating the checksum as part of the driver, which
might be displayed differently than what wireshark shows.
If you get the same reports for valid traffic (e.g. TCP traffic that is ok and
doesn't show retransmissions), you can ignore the checksum check (there's even
an option in wireshark).
Please keep the discussion on the list, so that others may benefit from your
findings as well.

On Wed, Apr 25, 2012 at 9:19 AM, Johannes Lavre <[email protected]> wrote:
The collector has been on over night now and I see some flows coming in my
nfsen/nfdump box. Problem is now finding out how the router behaves because I
don't see much coming in. Also in my pcap dump a lot of the sflow packets are
malformed packets and I am losing about 3 out of 7 packets because of bad
checksums. I keep investigating this until I figure it out. Thank you very much
for some pointers and good advice in troubleshooting.

From: Adrian Popa [mailto:[email protected]]
Sent: 24 April 2012 10:08
To: Johannes Lavre
Cc: [email protected]
Subject: Re: [Nfsen-discuss] sfcapd problem with 3com 4800g router

There are some strange segfaults in your messages - they may be the cause of
the problem...
However, in order for nfdump to process and save flows in its files, it needs
to understand the flows being sent. The router should periodically export a
flow template packet that describes the fields exported in the flow. Once that
packet is processed, the flows should be recorded.
The export interval for such a packet varies from router to router - can be
every second, or once in 30 minutes.
To see if such a packet is exported, do a packet capture on your server and
load it up in wireshark. Choose Decode As -> cflow and if you can see
individual fields in the packets (e.g. destination prefix, counters, etc), then
the template packet is exported. If you don't get granular information, then
the packet was not captured.
Good luck