I have nfsen working with netflow, and am attempting to add a couple of Arista DCS-7280SR2K-48C6-M-R switches running EOS 4.25.4M that do hardware-accelerated sflow. I have added them to the %sources in the nfsen.conf:

    'switch1' => { 'port' => '6343', 'IP' => '10.10.38.8', 'type' => 'sflow', 'col' => '#FF0099', 'optarg' => ' -T all ' },
    'switch2' => { 'port' => '6343', 'IP' => '10.10.8.67', 'type' => 'sflow', 'col' => '#FF0066', 'optarg' => ' -T all ' },

I then run "nfsen reconfig" successfully. I restart nfsen, the new hosts show up and I have files being created in the profiles-data directory with a length of 276B. I do not have any firewall running and I can confirm I can see the sflow v5 data coming from the switch using tshark. I can also see that the sfcapd process is listening:

    [root@nfsen ~]# netstat -antup | grep 6343
    udp 0 0 0.0.0.0:6343 0.0.0.0:* 122944/sfcapd

I can confirm the process is receiving the packets by running strace -p 122944, which shows a recvfrom() for each packet. When it rotates the files every 5 min, I see it stat, rename, open and write no problem. It just doesn't seem to write anything other than the default empty file info.

    recvfrom(3, "\0\0\0\5\0\0\0\1\n\322\10C\0\0\0\0\0\2\307\v\5l\362P\0\0\0\7\0\0\0\2"..., 65535, 0, {sa_family=AF_INET, sin_port=htons(51771), sin_addr=inet_addr("10.10.8.67")}, [16]) = 1269
    recvfrom(3, "\0\0\0\5\0\0\0\1\n\322&\10\0\0\0\0\0\2\25\6\5l>\240\0\0\0\3\0\0\0\2"..., 65535, 0, {sa_family=AF_INET, sin_port=htons(41901), sin_addr=inet_addr("10.10.38.8")}, [16]) = 565
    alarm(0) = 10
    stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=3661, ...}) = 0
    lseek(6, 0, SEEK_SET) = 0
    write(6, "\f\245\1\0\1\0\0\0\0\0\0\0switch1\0\0\0\0\0\0\0\0\0\0\0"..., 140) = 140
    write(6, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 136) = 136
    close(6) = 0
    stat("/data/nfsen/profiles-data/live/switch1/2021/08/17", {st_mode=S_IFDIR|0755, st_size=12288, ...}) = 0
    rename("/data/nfsen/profiles-data/live/switch1/nfcapd.current.122942", "/data/nfsen/profiles-data/live/switch1/2021/08/17/nfcapd.202108171855") = 0
    stat("/data/nfsen/profiles-data/live/switch1/2021/08/17/nfcapd.202108171855", {st_mode=S_IFREG|0644, st_size=276, ...}) = 0
    semop(9764873, [{0, -1, 0}], 1) = 0
    semop(9764873, [{0, 1, 0}], 1) = 0
    sendto(4, "<30>Aug 17 19:00:00 sfcapd[12294"..., 121, MSG_NOSIGNAL, NULL, 0) = 121
    open("/data/nfsen/profiles-data/live/switch1/nfcapd.current.122942", O_RDWR|O_CREAT|O_TRUNC, 0644) = 6
    write(6, "\f\245\1\0\1\0\0\0\0\0\0\0switch1\0\0\0\0\0\0\0\0\0\0\0"..., 140) = 140
    write(6, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 136) = 136
    lseek(7, 0, SEEK_SET) = 0
    write(7, "\f\245\1\0\1\0\0\0\0\0\0\0switch2\0\0\0\0\0\0\0\0\0\0\0"..., 140) = 140
    write(7, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 136) = 136
    close(7) = 0
    stat("/data/nfsen/profiles-data/live/switch2/2021/08/17", {st_mode=S_IFDIR|0755, st_size=12288, ...}) = 0
    rename("/data/nfsen/profiles-data/live/switch2/nfcapd.current.122942", "/data/nfsen/profiles-data/live/switch2/2021/08/17/nfcapd.202108171855") = 0
    stat("/data/nfsen/profiles-data/live/switch2/2021/08/17/nfcapd.202108171855", {st_mode=S_IFREG|0644, st_size=276, ...}) = 0
    semop(9797642, [{0, -1, 0}], 1) = 0
    semop(9797642, [{0, 1, 0}], 1) = 0
    sendto(4, "<30>Aug 17 19:00:00 sfcapd[12294"..., 121, MSG_NOSIGNAL, NULL, 0) = 121
    open("/data/nfsen/profiles-data/live/switch2/nfcapd.current.122942", O_RDWR|O_CREAT|O_TRUNC, 0644) = 7
    write(7, "\f\245\1\0\1\0\0\0\0\0\0\0switch2\0\0\0\0\0\0\0\0\0\0\0"..., 140) = 140
    write(7, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 136) = 136
    sendto(4, "<30>Aug 17 19:00:00 sfcapd[12294"..., 60, MSG_NOSIGNAL, NULL, 0) = 60
    alarm(310) = 0

If I run the sfcapd process in the console with -E it just seems to sit there:

    [root@nfsen ~]# /usr/bin/sfcapd -w -p 6343 -u observium -g observium -B 200000 -S 1 -P /data/nfsen/var/run/p6343.pid \
        -z -n switch1,10.210.38.8,/data/nfsen/profiles-data/live/switch1 -E -T all
    Add extension: 2 byte input/output interface index
    Add extension: 4 byte input/output interface index
    Add extension: 2 byte src/dst AS number
    Add extension: 4 byte src/dst AS number
    Add extension: dst tos, direction, src/dst mask
    Add extension: IPv4 next hop
    Add extension: IPv6 next hop
    Add extension: IPv4 BGP next IP
    Add extension: IPv6 BGP next IP
    Add extension: src/dst vlan id
    Add extension: 4 byte output packets
    Add extension: 8 byte output packets
    Add extension: 4 byte output bytes
    Add extension: 8 byte output bytes
    Add extension: 4 byte aggregated flows
    Add extension: 8 byte aggregated flows
    Add extension: in src/out dst mac address
    Add extension: in dst/out src mac address
    Add extension: MPLS Labels
    Add extension: IPv4 router IP addr
    Add extension: IPv6 router IP addr
    Add extension: router ID
    Add extension: BGP adjacent prev/next AS
    Add extension: time packet received
    Add extension: NSEL Common block
    Add extension: NSEL xlate ports
    Add extension: NSEL xlate IPv4 addr
    Add extension: NSEL xlate IPv6 addr
    Add extension: NSEL ACL ingress/egress acl ID
    Add extension: NSEL username
    Add extension: NSEL max username
    Add extension: nprobe/nfpcapd latency
    Add extension: NEL Common block
    Add extension: Compat NEL IPv4
    Add extension: NAT Port Block Allocation
    File Block Header: NumBlocks = 0 Size = 0 id = 2
    File Block Header: NumBlocks = 0 Size = 0 id = 2

The file size doesn't change from 276B, all of the files in the profiles-data/live/switch1/2021/08/17/ folders are 276B for the hosts using sflow. Netflow works fine. Does anyone have any idea why it is not processing the sflow data that is being received?

Regards
Rich Hall
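
Added example (not part of the original message, and not nfdump/nfsen code): the first 32 bytes that strace shows for each recvfrom() are enough to decode the fixed sFlow v5 datagram header, which helps confirm what the exporter is actually sending. The function names below are my own; the field layout follows the sFlow version 5 specification, and the byte strings are copied from the strace lines above.

```python
import ipaddress
import re
import struct

# First 32 bytes of each datagram as printed by strace in the post, paired
# with the UDP source address strace reported for the same recvfrom().
CAPTURES = [
    (r"\0\0\0\5\0\0\0\1\n\322\10C\0\0\0\0\0\2\307\v\5l\362P\0\0\0\7\0\0\0\2", "10.10.8.67"),
    (r"\0\0\0\5\0\0\0\1\n\322&\10\0\0\0\0\0\2\25\6\5l>\240\0\0\0\3\0\0\0\2", "10.10.38.8"),
]
_NAMED = {"n": 10, "t": 9, "r": 13, "v": 11, "f": 12}
# Standard (enterprise 0) sFlow v5 sample formats.
_FORMATS = {1: "flow_sample", 2: "counters_sample",
            3: "expanded_flow_sample", 4: "expanded_counters_sample"}

def unescape_strace(text):
    """Turn strace's C-style escapes (named and octal) back into raw bytes."""
    out = bytearray()
    for esc, lit in re.findall(r"\\([0-7]{1,3}|.)|(.)", text, re.S):
        if lit:
            out.append(ord(lit))
        elif esc[0] in "01234567":
            out.append(int(esc, 8) & 0xFF)
        else:
            out.append(_NAMED.get(esc, ord(esc)))
    return bytes(out)

def parse_header(buf):
    """Decode the sFlow v5 datagram header plus the tag of the first sample."""
    version, addr_type = struct.unpack_from("!II", buf, 0)
    if version != 5:
        raise ValueError(f"not sFlow v5 (version={version})")
    addr_len = {1: 4, 2: 16}.get(addr_type)  # 1 = IPv4, 2 = IPv6
    if addr_len is None:
        raise ValueError(f"unknown agent address type {addr_type}")
    agent = ipaddress.ip_address(buf[8:8 + addr_len])
    off = 8 + addr_len
    sub_agent, seq, uptime_ms, count = struct.unpack_from("!IIII", buf, off)
    first = None
    if len(buf) >= off + 20:  # tag = enterprise << 12 | format
        tag = struct.unpack_from("!I", buf, off + 16)[0]
        first = (tag >> 12, _FORMATS.get(tag & 0xFFF, tag & 0xFFF))
    return {"agent": str(agent), "sub_agent": sub_agent, "sequence": seq,
            "uptime_ms": uptime_ms, "samples": count, "first_sample": first}

def report():
    """Decode every capture and flag whether agent address equals UDP source."""
    rows = [{**parse_header(unescape_strace(e)), "udp_source": s} for e, s in CAPTURES]
    return [{**r, "agent_matches_source": r["agent"] == r["udp_source"]} for r in rows]
```

Calling report() on these two captures shows sFlow version 5 datagrams whose agent address fields decode to 10.210.8.67 and 10.210.38.8, while the UDP source addresses are 10.10.8.67 and 10.10.38.8; in both, the first sample record is a counters sample.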