On 25/4/12 1:22 PM, Johannes Lavre wrote:
> Problem solved: the sampling rate was too high for the sflow agent to ever
> create statistics and send them as sflow to my nfsen/nfdump collector. I
> turned down the rate to get the router to create and send flows even at a low
> packet count. Thanks for the help.
>
> And I will be nice to my flows as Phaag states!
*lol*
- Peter
>
> From: Adrian Popa [mailto:[email protected]]
> Sent: 25 April 2012 11:31
> To: Johannes Lavre
> Cc: NFSen-Discuss
> Subject: Re: [Nfsen-discuss] sfcapd problem with 3com 4800g router
>
> Malformed packets might be due to the bad capture options. If you are
> capturing via tcpdump, it truncates packets to 64 bytes by default. You would
> need to use the -s 1500 parameter to specify the capture length.
>
> The bad checksums may not be bad. Some NICs are doing TCP/UDP checksum
> offloading and may be calculating the checksum as part of the driver, which
> might be displayed differently than what wireshark shows.
> If you get the same reports for valid traffic (e.g. TCP traffic that is ok
> and doesn't show retransmissions), you can ignore the checksum check (there's
> even an option in wireshark).
>
> Please keep the discussion on the list, so that others may benefit from your
> findings as well.
>
> On Wed, Apr 25, 2012 at 9:19 AM, Johannes Lavre
> <[email protected]> wrote:
> The collector has been on over night now and I see some flows coming in my
> nfsen/nfdump box. Problem is now finding out how the router behaves because I
> don't see much coming in. Also in my pcap dump a lot of the sflow packets are
> malformed packets and I am losing about 3 out of 7 packets because of bad
> checksums. I keep investigating this until I figure it out. Thank you very
> much for some pointers and good advice in troubleshooting.
>
> From: Adrian Popa [mailto:[email protected]]
> Sent: 24 April 2012 10:08
> To: Johannes Lavre
> Cc: [email protected]
> Subject: Re: [Nfsen-discuss] sfcapd problem with 3com 4800g router
>
> There are some strange segfaults in your messages - they may be the cause of
> the problem...
>
> However, in order for nfdump to process and save flows in its files, it needs
> to understand the flows being sent. The router should periodically export a
> flow template packet that describes the fields exported in the flow. Once
> that packet is processed, the flows should be recorded.
>
> The export interval for such a packet varies from router to router - can be
> every second, or once in 30 minutes.
>
> To see if such a packet is exported, do a packet capture on your server and
> load it up in wireshark. Choose Decode As -> cflow and if you can see
> individual fields in the packets (e.g. destination prefix, counters, etc.),
> then the template packet is exported. If you don't get granular information,
> then the packet was not captured.
>
> Good luck
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>
>
>
> _______________________________________________
> Nfsen-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
--
Be nice to your netflow data. Use NfSen and nfdump :)