So you've seen ONE processable FLOWSAMPLE and 1000s of unprocessable COUNTERSAMPLE?
Sounds like you need to fix the configuration of your switch/router that's sending the stuff. -----Burton -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, March 29, 2005 12:02 PM To: [email protected] Cc: [email protected] Subject: RE: [Ntop] sFlow not working! > Are there anything else in there? No, all I can see is messages like the one I've pasted in the email, nothing else. This one differ from the others: Mar 29 13:15:03 eyes ntop[8471]: startSample ---------------------- Mar 29 13:15:03 eyes ntop[8471]: sampleType_tag 0:1 Mar 29 13:15:03 eyes ntop[8471]: sampleType FLOWSAMPLE Mar 29 13:15:03 eyes ntop[8471]: sampleSequenceNo 17451 Mar 29 13:15:03 eyes ntop[8471]: sourceId 0:21 Mar 29 13:15:03 eyes ntop[8471]: meanSkipCount 4096 Mar 29 13:15:03 eyes ntop[8471]: samplePool 71479296 Mar 29 13:15:03 eyes ntop[8471]: dropEvents 0 Mar 29 13:15:03 eyes ntop[8471]: inputPort 21 Mar 29 13:15:03 eyes ntop[8471]: outputPort 1 Mar 29 13:15:03 eyes ntop[8471]: flowSampleType HEADER Mar 29 13:15:03 eyes ntop[8471]: headerProtocol 1 Mar 29 13:15:03 eyes ntop[8471]: sampledPacketSize 1395 Mar 29 13:15:03 eyes ntop[8471]: headerLen 128 Mar 29 13:15:03 eyes ntop[8471]: headerBytes 00-0D-56-9A-26-C9-00-30-6E-00-25-CA-08-00-45-00-05-65-57-5D-40-00-80-06-42-A F-AC-10-01-05-AC-10-02-61-0D-17-05-2B-44-07-5C-4D-62-C2-84-94-50-18-21-D4-AC -AF-00-00-3D-05-4E-00-00-00-20-00-00-00-00-00-00-00-00-00-FF-FF-FF-FF-00-00- AC-10-02-61-05-2B-57-52-A0-06-90-07-00-00-05-00-00-00-64-00-00-00-C8-04-00-0 0-C8-04-00-00-58-00-00-00-0C-00-00-00-0C-00-00-00-00-00-00-00-00-07-DB-4A-4D -01 Mar 29 13:15:03 eyes ntop[8471]: dstMAC 000d569a26c9 Mar 29 13:15:03 eyes ntop[8471]: srcMAC 00306e0025ca Mar 29 13:15:03 eyes ntop[8471]: IPSize 1381 Mar 29 13:15:03 eyes ntop[8471]: ip.tot_len = 1381 Mar 29 13:15:03 eyes ntop[8471]: srcIP 172.16.1.5 Mar 29 13:15:03 eyes ntop[8471]: dstIP 172.16.2.97 Mar 29 13:15:03 eyes ntop[8471]: IPProtocol 6 Mar 29 13:15:03 eyes ntop[8471]: IPTOS 0 Mar 29 13:15:03 eyes ntop[8471]: IPTTL 128 Mar 29 13:15:03 eyes ntop[8471]: TCPSrcPort 3351 Mar 29 13:15:03 eyes ntop[8471]: TCPDstPort 1323 Mar 29 13:15:03 eyes ntop[8471]: TCPFlags 24 Mar 29 13:15:03 eyes ntop[8471]: extendedType SWITCH Mar 29 13:15:03 eyes ntop[8471]: in_vlan 1 Mar 29 13:15:03 eyes ntop[8471]: in_priority 0 Mar 29 13:15:03 eyes ntop[8471]: out_vlan 1 Mar 29 13:15:03 eyes ntop[8471]: out_priority 0 Mar 29 13:15:03 eyes ntop[8471]: endSample ---------------------- > All you're showing are COUNTERSAMPLE samples. Are there anything else > in there? > > As I quoted from the FAQ: "COUNTERSAMPLE packets give a quick look at > interface counters on the machine, whereas FLOWSAMPLE packets are > actual packet fragments from IP connections. Ntop seems to simply > parse, debug_print, and discard COUNTERSAMPLE packets..." > > -----Burton > > > > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf > Of [EMAIL PROTECTED] > Sent: Tuesday, March 29, 2005 10:22 AM > To: [email protected] > Cc: [email protected] > Subject: RE: [Ntop] sFlow not working! > > This IP/MASK is the one of my Network Foundry switch -> > 172.16.2.251/255.255.255.0 and the one I've defined into the Virtual > sFlow Interface Network Address, port is 6343, and debug has been set > to On. A tailf on /var/log/message return the following (much more for sure): > > Mar 29 11:33:10 eyes ntop[8471]: sampleType COUNTERSSAMPLE > Mar 29 11:33:10 eyes ntop[8471]: sampleSequenceNo 5651 > Mar 29 11:33:10 eyes ntop[8471]: sourceId 0:19 > Mar 29 11:33:10 eyes ntop[8471]: statsSamplingInterval 60 > Mar 29 11:33:10 eyes ntop[8471]: counterBlockVersion 1 > Mar 29 11:33:10 eyes ntop[8471]: ifIndex 19 > Mar 29 11:33:10 eyes ntop[8471]: networkType 117 > Mar 29 11:33:10 eyes ntop[8471]: ifSpeed 100000000 > Mar 29 11:33:10 eyes ntop[8471]: ifDirection 1 > Mar 29 11:33:10 eyes ntop[8471]: ifStatus 3 > Mar 29 11:33:10 eyes ntop[8471]: ifInOctets 1151905399127 > Mar 29 11:33:10 eyes ntop[8471]: ifInUcastPkts 1145225876 > Mar 29 11:33:10 eyes ntop[8471]: ifInMulticastPkts 5444 > Mar 29 11:33:10 eyes ntop[8471]: ifInBroadcastPkts 2562311 > Mar 29 11:33:10 eyes ntop[8471]: ifInDiscards 0 > Mar 29 11:33:10 eyes ntop[8471]: ifInErrors 1 > Mar 29 11:33:10 eyes ntop[8471]: ifInUnknownProtos 0 > Mar 29 11:33:10 eyes ntop[8471]: ifOutOctets 172371426642 > Mar 29 11:33:10 eyes ntop[8471]: ifOutUcastPkts 704058492 > Mar 29 11:33:10 eyes ntop[8471]: ifOutMulticastPkts 12849313 > Mar 29 11:33:10 eyes ntop[8471]: ifOutBroadcastPkts 12397002 > Mar 29 11:33:10 eyes ntop[8471]: ifOutDiscards 0 > Mar 29 11:33:10 eyes ntop[8471]: ifOutErrors 0 > Mar 29 11:33:10 eyes ntop[8471]: ifPromiscuousMode 1 > Mar 29 11:33:10 eyes ntop[8471]: endSample ---------------------- > Mar 29 11:33:11 eyes ntop[8471]: datagramSourceIP 251.2.16.172 > Mar 29 11:33:11 eyes ntop[8471]: datagramSize 132 > Mar 29 11:33:11 eyes ntop[8471]: unixSecondsUTC 1112113991 > Mar 29 11:33:11 eyes ntop[8471]: datagramVersion 2 > Mar 29 11:33:11 eyes ntop[8471]: agent 172.16.2.251 > Mar 29 11:33:11 eyes ntop[8471]: packetSequenceNo 176510 > Mar 29 11:33:11 eyes ntop[8471]: sysUpTime 4166505708 > Mar 29 11:33:11 eyes ntop[8471]: samplesInPacket 1 > Mar 29 11:33:11 eyes ntop[8471]: startSample ---------------------- > Mar 29 11:33:11 eyes ntop[8471]: sampleType_tag 0:2 > Mar 29 11:33:11 eyes ntop[8471]: sampleType COUNTERSSAMPLE > Mar 29 11:33:11 eyes ntop[8471]: sampleSequenceNo 5652 > Mar 29 11:33:11 eyes ntop[8471]: sourceId 0:21 > Mar 29 11:33:11 eyes ntop[8471]: statsSamplingInterval 60 > Mar 29 11:33:11 eyes ntop[8471]: counterBlockVersion 1 > Mar 29 11:33:11 eyes ntop[8471]: ifIndex 21 > Mar 29 11:33:11 eyes ntop[8471]: networkType 117 > Mar 29 11:33:11 eyes ntop[8471]: ifSpeed 100000000 > Mar 29 11:33:11 eyes ntop[8471]: ifDirection 1 > Mar 29 11:33:11 eyes ntop[8471]: ifStatus 3 > Mar 29 11:33:11 eyes ntop[8471]: ifInOctets 696722336339 > Mar 29 11:33:11 eyes ntop[8471]: ifInUcastPkts 565653474 > Mar 29 11:33:11 eyes ntop[8471]: ifInMulticastPkts 41 > Mar 29 11:33:11 eyes ntop[8471]: ifInBroadcastPkts 92786 > Mar 29 11:33:11 eyes ntop[8471]: ifInDiscards 0 > Mar 29 11:33:11 eyes ntop[8471]: ifInErrors 2035717 > Mar 29 11:33:11 eyes ntop[8471]: ifInUnknownProtos 0 > Mar 29 11:33:11 eyes ntop[8471]: ifOutOctets 56464209045 > Mar 29 11:33:11 eyes ntop[8471]: ifOutUcastPkts 342790372 > Mar 29 11:33:11 eyes ntop[8471]: ifOutMulticastPkts 12852389 > Mar 29 11:33:11 eyes ntop[8471]: ifOutBroadcastPkts 14864175 > Mar 29 11:33:11 eyes ntop[8471]: ifOutDiscards 0 > Mar 29 11:33:11 eyes ntop[8471]: ifOutErrors 0 > Mar 29 11:33:11 eyes ntop[8471]: ifPromiscuousMode 1 > Mar 29 11:33:11 eyes ntop[8471]: endSample ---------------------- > > > >> Sounds like it's not receiving data - are you sure you've configured >> it and activated it? >> >> If so, then you'll have to rebuild with the debug switch for sflow >> and see what's going on internally, but be prepared for a lot of output. >> >> -----Burton >> >> -----Original Message----- >> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf >> Of [EMAIL PROTECTED] >> Sent: Tuesday, March 29, 2005 9:57 AM >> To: [email protected] >> Cc: [email protected] >> Subject: RE: [Ntop] sFlow not working! >> >> This doens't help, no trafic at all are seem. If I look inside the >> sFlow plugin page, I can see this at the end of the page: >> >> Number of Flows with Bad Data 0 >> Total Number of Flows Processed 0 >> >> The sFlow Interface Statistics appears correctly. >> It's look like the plugins work and receive data from the switch but >> Ntop doesn't procced them. >> >>> Check the back traffic - this has come up before - IIRC there are >>> two kinds of sFlow packets, one is some sort of summary which ntop >>> sees and ignores. >>> So you may not really be getting data. But I'm fuzzy on the details >>> - google for it. Or check the FAQ and see if this makes sense: >>> >>> Q. sFlow doesn't work. >>> A. Check this out: >>> >>> This talks about a bad experience I had setting up sFlow >>> reception. >>> For >>> the longest >>> time, I could see that ntop was getting sflow packets, but no >>> data would show up. >>> It turns out the switch I was exporting from didn't see any >>> real traffic, and it was >>> just sending COUNTERSAMPLE packets..... >>> >>> - - - - - - - - I figured out that it was indeed "invalid" >>> sflow packets. >>> >>> Apparently, sflow sends COUNTERSAMPLE and FLOWSAMPLE packets. >>> COUNTERSAMPLE packets >>> give a quick look at interface counters on the machine, whereas >>> FLOWSAMPLE packets >>> are actual packet fragments from IP connections. Ntop seems to >>> simply parse, >>> debug_print, and discard COUNTERSAMPLE packets...which made it >>> confusing to look at >>> the debug output and say "wow, lots of sflow coming in!" when >>> in fact it was just for >>> show, as Burton suggested. I added more switches (with active >>> connections) to the >>> switches sending sflow packets and I now have hosts with pretty >>> graphs. >>> >>> >>> >>> -----Burton >>> >>> -----Original Message----- >>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf >>> Of [EMAIL PROTECTED] >>> Sent: Tuesday, March 29, 2005 8:14 AM >>> To: [email protected] >>> Subject: [Ntop] sFlow not working! >>> >>> Hello, >>> >>> I'm trying to activate sFlow with Ntop 3.1 and it's not working, no >>> trafic visible. Here my config: >>> >>> sFlow version: 2.99 >>> Local Collector UDP Port: 6343 >>> Virtual sFlow Interface network Address: 172.16.0.0/255.255.0.0 >>> >>> Flow Senders IP is: 172.16.2.251 >>> Flow Collector (Ntop) IP is: 172.16.1.215 >>> >>> Thanks, >>> >>> _______________________________________________ >>> Ntop mailing list >>> [email protected] >>> http://listgateway.unipi.it/mailman/listinfo/ntop >>> >>> _______________________________________________ >>> Ntop mailing list >>> [email protected] >>> http://listgateway.unipi.it/mailman/listinfo/ntop >>> >> >> >> _______________________________________________ >> Ntop mailing list >> [email protected] >> http://listgateway.unipi.it/mailman/listinfo/ntop >> >> _______________________________________________ >> Ntop mailing list >> [email protected] >> http://listgateway.unipi.it/mailman/listinfo/ntop >> > > > _______________________________________________ > Ntop mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop > > _______________________________________________ > Ntop mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop > _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
