Enrico, can you please send (privately) a pcap with sflow packets (full packet size) so I can see what’s going on? We do support Arista in nProbe and it should work.
Regards Luca

> On 13 Jun 2016, at 13:03, Enrico Kern <enrico.k...@glispamedia.com> wrote:
>
> Hi,
>
> I have some weird issue with sflow data,
>
> I try to get nprobe and ntopng working with sflows exported from an Arista
> Switch. I installed the latest versions from the centos repository:
>
> nprobe-7.3.160613-5264.x86_64
> ntopng-2.3.160613-1231.x86_64
>
> and launch nprobe:
>
> nprobe --zmq "tcp://127.0.0.1:5557" -i none -n none --collector-port 6343 --verbose 2 --dump-stats -nf -V5 -b 2
>
> and ntop:
>
> ntopng -i tcp://127.0.0.1:5557 -d /var/tmp -w 3001
>
> On the ntop web interface I see no traffic at all. I confirmed that zeromq
> receives packets with tcpdump and also see the sflow packets coming in.
> nprobe also sees the flows and reports that for each new flow:
>
> 13/Jun/2016 12:54:27 [engine.c:2570] New Flow: [tcp] 192.168.1.6:59339 -> 192.168.1.7:6800 [AC:16:2D:71:xx:xx -> 00:50:56:AF:xx:xx][vlan 900][tos 0][ifIdx: 1000011 -> 1000003][subflowId: 0/0x0000][idx=68177][firstSeen=1465815267/0]
>
> as example. But the flows never get exported. If I stop nprobe it says that:
>
> 13/Jun/2016 12:56:35 [cache.c:1224] Redis Cache [0 total/0.0 get/sec][0 total/0.0 set/sec]
> 13/Jun/2016 12:56:35 [nprobe.c:5326] Still allocated 0 hash buckets
> 13/Jun/2016 12:56:35 [nprobe.c:2698] Processed packets: 6 (max bucket search: 0)
> 13/Jun/2016 12:56:35 [nprobe.c:2681] Fragment queue length: 0
> 13/Jun/2016 12:56:35 [nprobe.c:2707] Flow export stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
> 13/Jun/2016 12:56:35 [nprobe.c:2714] Flow collection: [collected pkts: 147][processed flows: 0]
> 13/Jun/2016 12:56:35 [nprobe.c:2717] Flow drop stats: [0 bytes/0 pkts][0 flows]
> 13/Jun/2016 12:56:35 [nprobe.c:2722] Total flow stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
>
> So while it received 147 packets it did not process a single flow. tcpdump
> also shows me the flows:
>
> # tcpdump port 6343
> tcpdump: WARNING: eth0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 12:57:58.378005 IP x.10780 > target.sflow: sFlowv5, IPv4 agent xxxx, agent-id 9, length 1201
> 12:57:58.800558 IP 5x.10780 > target.sflow: sFlowv5, IPv4 agent xxxx, agent-id 1, length 253
> 12:57:59.800595 IP x.10780 > target.sflow: sFlowv5, IPv4 agent xxxx, agent-id 9, length 1201
> 12:58:00.505019 IP x.10780 > target.sflow: sFlowv5, IPv4 agent xxxx, agent-id 9, length 1201
> 12:58:00.800634 IP x.10780 > target.sflow: sFlowv5, IPv4 agent xxxx, agent-id 1, length 253
>
> I have no issues if I use the Arista flows with prtg, imtech analyzer or
> solarwinds. Just ntop doesn't like it. Fun is if I use nprobe with a pcap
> file it seems to process at least 1 flow:
>
> # nprobe -i sflow.pcap
>
> 13/Jun/2016 13:01:19 [cache.c:1224] Redis Cache [0 total/0.0 get/sec][0 total/0.0 set/sec]
> 13/Jun/2016 13:01:19 [nprobe.c:2698] Processed packets: 61 (max bucket search: 0)
> 13/Jun/2016 13:01:19 [nprobe.c:2681] Fragment queue length: 0
> 13/Jun/2016 13:01:19 [nprobe.c:2707] Flow export stats: [72589 bytes/61 pkts][1 flows/1 pkts sent]
> 13/Jun/2016 13:01:19 [nprobe.c:2717] Flow drop stats: [0 bytes/0 pkts][0 flows]
> 13/Jun/2016 13:01:19 [nprobe.c:2722] Total flow stats: [72589 bytes/61 pkts][1 flows/1 pkts sent]
>
> I played around now with this for almost a day, I have no idea anymore, I
> don't think I'm doing something wrong and followed the documentation and
> googled like hours but no result. I also tried that first on ubuntu 14.04
> before I ended up now on CentOS 6.x on a completely different machine just to
> rule out issues, but it's the same on both installations.
>
> Anyone an idea?
>
> Thanks in advance!
>
> Regards.
>
> Enrico
>
> --
>
> Enrico Kern
>
> Lead System Engineer
>
> glispa GmbH
> Sonnenburger Straße 73
> 10437 Berlin, Germany
>
> tel: +49 30 5557130-17
> fax: +49 30 5557130-50
> skype: flyersa
> enrico.k...@glispamedia.com
> www.glispa.com
>
> __________________________________________
> Sitz Berlin, AG Charlottenburg HRB 114678B
> _______________________________________________
> Ntop mailing list
> Ntop@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop