Re: converting sflow into netflow using sflowtool does not

From: clau_cdn clau_cdn <clau_cdn@msn.com>
Date: 09/14/06
Message-ID: <BAY105-F4B6D1396BC8EBB61AD230E8290@phx.gbl>

Neil,

I took your advice and downloaded the sflowtool-3.10 sources. Compiled them
and tried again but no luck. The conversion doesn't seem to work. The CSV
data seems to be ok (I only have data on a couple of ports, which explains the
zeroes; 172.16.0.5 is the switch itself, the destination myhost is the same
machine, destination port for the netflow packets would be 2055):

[root@myhost src]# ./sflowtool -c myhost -d 2055 -l -s
CNTR,172.16.0.5,23,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,172.16.0.5,9,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,172.16.0.5,10,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,172.16.0.5,5,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,172.16.0.5,21,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,172.16.0.5,12,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,172.16.0.5,20,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,172.16.0.5,3,6,100000000,2,1,6671146,30868,13,126,0,0,0,18788054,51198,6593,27419,0,3514,0
CNTR,172.16.0.5,16,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,172.16.0.5,18,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,172.16.0.5,19,6,100000000,1,1,9214,0,0,91,0,0,0,495,0,3,0,0,0,0
CNTR,172.16.0.5,7,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,172.16.0.5,9,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,172.16.0.5,21,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,172.16.0.5,8,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,172.16.0.5,14,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,172.16.0.5,10,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,172.16.0.5,4,6,100000000,2,1,20149958,51198,5792,27516,0,2,0,6740991,30866,814,126,0,121,0
CNTR,172.16.0.5,12,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,172.16.0.5,15,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,172.16.0.5,17,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0

At the same time I can see that there is nothing on port 2055:
[root@myhost bin]# ./flow-receive 0/0/2055 -V 5 | flow-print | less
flow-receive: setsockopt(size=4194304)

But the sFlow traffic is arriving from the switch just fine (172.16.0.100 is
my linux box - the collector):
[root@myhost ~]# tcpdump -n udp port 6343
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:27:37.650138 IP 172.16.0.5.1262 > 172.16.0.100.6343: UDP, length 204
09:27:41.665544 IP 172.16.0.5.1262 > 172.16.0.100.6343: UDP, length 556
09:27:44.641839 IP 172.16.0.5.1262 > 172.16.0.100.6343: UDP, length 380
09:27:46.619585 IP 172.16.0.5.1262 > 172.16.0.100.6343: UDP, length 380
09:27:48.652302 IP 172.16.0.5.1262 > 172.16.0.100.6343: UDP, length 732
09:27:50.660054 IP 172.16.0.5.1262 > 172.16.0.100.6343: UDP, length 380
09:27:52.643779 IP 172.16.0.5.1262 > 172.16.0.100.6343: UDP, length 204
09:27:54.634592 IP 172.16.0.5.1262 > 172.16.0.100.6343: UDP, length 204
09:27:56.635904 IP 172.16.0.5.1262 > 172.16.0.100.6343: UDP, length 732

Tcpdump confirms that there are no packets converted and forwarded to port
2055 by sflowtool (even when specifying the -i):
[root@myhost ~]# tcpdump -n udp port 2055
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

The same thing occurs when using the sflowtool-3.8 precompiled binary.

Thank you!

James

>From: Neil McKee <neil.mckee@inmon.com>
>To: "clau_cdn clau_cdn" <clau_cdn@msn.com>
>CC: traffic-management@inmon.com
>Subject: Re: [traffic-management] converting sflow into netflow using
>sflowtool does not
>Date: Thu, 14 Sep 2006 08:19:02 -0700
>
>James,
>
>Another suggestion is to run "sflowtool -l" to dump the output in ASCII
>and confirm that you are getting flow-samples with IPv4 addresses (not
>just counter-samples, or other protocols). You may need to reduce the
>sampling-rate setting that you are using on the switch if there is not
>enough traffic.
>
>(You may also want to use the "-S" option so that the source address of
>each netflow packet is spoofed to look like it came straight from the
>switch).
>
>regards,
>neil
>
>
>
>On Sep 14, 2006, at 7:42 AM, clau_cdn clau_cdn wrote:
>
>>Neil,
>>
>>Thank you for your reply. I did use the -i in tcpdump and there was
>>definitely no traffic being forwarded. I will try re-compiling from
>>source. Thanks!
>>
>>James
>>
>>
>>>From: Neil McKee <neil.mckee@inmon.com>
>>>To: "clau_cdn clau_cdn" <clau_cdn@msn.com>
>>>CC: traffic-management@inmon.com
>>>Subject: Re: [traffic-management] converting sflow into netflow using
>>>sflowtool does not work
>>>Date: Wed, 13 Sep 2006 17:43:40 -0700
>>>
>>>James,
>>>
>>>There are no limitations about using localhost. This should work.
>>>
>>>First thought: did you include "-i lo" in the tcpdump command line?
>>>Something like "tcpdump -i lo udp port 2055" should do it.
>>>
>>>Second thought: you could download the sources, compile with -g, and
>>>run using gdb(1). Then you can add print statements, set breakpoints
>>>and single-step to make sure it is working. One of the perks of
>>>open-source :)
>>>
>>>regards,
>>>neil
>>>
>>>
>>>On Sep 13, 2006, at 4:23 PM, clau_cdn clau_cdn wrote:
>>>
>>>>I am trying to convert the sFlow datagrams into NetFlow and have a
>>>>little problem. The agent is an HP ProCurve switch, the agent is
>>>>enabled, configured and the datagrams are arriving at the collector (a
>>>>linux box). On the collector (linux box) I do this:
>>>>
>>>>#./sflowtool -c localhost -d 2055
>>>>
>>>>I want the sFlow traffic to be converted and forwarded to the
>>>>same machine (localhost) to port 2055. Using tcpdump I can confirm
>>>>that there is nothing converted/sent to my 2055 port. I can see that
>>>>all the sFlow traffic arrives successfully from the agent and so far I
>>>>can isolate this problem at the sflowtool processing phase. Is this a
>>>>limitation of sflowtool aka I have to use a separate machine for
>>>>collecting than the one which does the forwarding?
>>>>
>>>>Any input would be greatly appreciated, thanks!
>>>>
>>>>James
>>>>
>>>
>>>
>>>
>>>----------
>>>Neil McKee
>>>http://www.inmon.com
>>
>

Received on Thu Sep 14 08:40:10 2006
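
The check Neil suggests in the quoted reply (are there flow-samples with IPv4 addresses, or only counter-samples?) can be run mechanically over "sflowtool -l" output. The script below is an added example, not part of the original thread or of sflowtool; the FLOW line in its sample is constructed, and treating any dotted-quad field after the agent address as a sampled IPv4 address is an assumption about the line format.

```python
import ipaddress
import sys
from collections import Counter, defaultdict

# Constructed sample: two CNTR lines as posted above, plus one invented FLOW
# line (agent 10.0.0.254 and all of its field values are made up).
SAMPLE = """\
CNTR,172.16.0.5,23,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,172.16.0.5,19,6,100000000,1,1,9214,0,0,91,0,0,0,495,0,3,0,0,0,0
FLOW,10.0.0.254,1,2,00005e000101,00005e000102,0x0800,1,1,10.0.0.1,10.0.0.2,6,0x00,64,12345,80,0x18,1518,1500,256
"""

def is_ipv4(field):
    """True only for dotted-quad strings; MACs, ports and counters fail."""
    try:
        ipaddress.IPv4Address(field.strip())
        return True
    except ValueError:
        return False

def summarize(lines):
    """Count CNTR/FLOW records per agent, and FLOW records carrying IPv4."""
    stats = defaultdict(Counter)
    for line in lines:
        fields = line.strip().split(",")
        if len(fields) < 2 or fields[0] not in ("CNTR", "FLOW"):
            continue  # blank lines, shell prompts, anything not a record
        agent = fields[1]
        stats[agent][fields[0]] += 1
        # Assumption: a dotted-quad after the agent field in a FLOW record
        # is the sampled packet's source or destination address.
        if fields[0] == "FLOW" and any(is_ipv4(f) for f in fields[2:]):
            stats[agent]["FLOW_IPV4"] += 1
    return stats

def diagnose(stats):
    """Map each agent to a one-line verdict on what it is exporting."""
    verdicts = {}
    for agent, c in stats.items():
        if c["FLOW_IPV4"]:
            verdicts[agent] = "ok"
        elif c["FLOW"]:
            verdicts[agent] = "flow samples but no IPv4"
        else:
            verdicts[agent] = "counter samples only"
    return verdicts

if __name__ == "__main__":
    # Pipe real output in (sflowtool -l | python3 this_script.py); with no
    # pipe, the constructed sample is used instead.
    src = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for agent, verdict in diagnose(summarize(src)).items():
        print(f"{agent}: {verdict}")
```

Run over the output pasted in this message, every record is a CNTR line from 172.16.0.5, so the verdict for that agent is "counter samples only".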

This archive was generated by hypermail 2.1.8 : 09/14/06 PDT