James,
The "CNTR" symbol in the output means "counter-sample" here. Sorry I
didn't make that clear. You are looking for lines marked "FLOW" that
have IP addresses. I suggest you:
1. change the sampling-rate to something like 1-in-50.
2. increase the traffic on the links you are monitoring.
3. confirm that sFlow was fully enabled on the device. Are you using
the sflowenable script to turn it on?
(You could also try the free "sFlowTrend" tool. It will configure
sFlow automatically as part of the initialization).
regards,
neil
On Sep 14, 2006, at 8:40 AM, clau_cdn clau_cdn wrote:
> Neil,
>
> I took your advice and downloaded the sflowtool-3.10 sources.
> Compiled them and tried again but no luck. The conversion doesn't
> seem to work. The CSV data seems to be ok (I only have data on a
> couple of ports that explains the zeroes, 172.16.0.5 is the switch
> itself, the destination myhost is the same machine, destination
> port for the netflow packets would be 2055):
>
> [root@myhost src]# ./sflowtool -c myhost -d 2055 -l -s
> CNTR,172.16.0.5,23,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
> CNTR,172.16.0.5,9,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
> CNTR,172.16.0.5,10,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
> CNTR,172.16.0.5,5,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
> CNTR,172.16.0.5,21,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
> CNTR,172.16.0.5,12,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
> CNTR,172.16.0.5,20,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
> CNTR,172.16.0.5,3,6,100000000,2,1,6671146,30868,13,126,0,0,0,18788054,51198,6593,27419,0,3514,0
> CNTR,172.16.0.5,16,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
> CNTR,172.16.0.5,18,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
> CNTR,172.16.0.5,19,6,100000000,1,1,9214,0,0,91,0,0,0,495,0,3,0,0,0,0
> CNTR,172.16.0.5,7,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
> CNTR,172.16.0.5,9,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
> CNTR,172.16.0.5,21,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
> CNTR,172.16.0.5,8,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
> CNTR,172.16.0.5,14,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
> CNTR,172.16.0.5,10,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
> CNTR,172.16.0.5,4,6,100000000,2,1,20149958,51198,5792,27516,0,2,0,6740991,30866,814,126,0,121,0
> CNTR,172.16.0.5,12,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
> CNTR,172.16.0.5,15,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
> CNTR,172.16.0.5,17,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
>
>
> At the same time I can see that there is nothing on port 2055:
> [root@myhost bin]# ./flow-receive 0/0/2055 -V 5 | flow-print | less
> flow-receive: setsockopt(size=4194304)
>
>
> But the sFlow traffic is arriving from the switch just fine
> (172.16.0.100 is my linux box - the collector):
> [root@myhost ~]# tcpdump -n udp port 6343
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 09:27:37.650138 IP 172.16.0.5.1262 > 172.16.0.100.6343: UDP, length 204
> 09:27:41.665544 IP 172.16.0.5.1262 > 172.16.0.100.6343: UDP, length 556
> 09:27:44.641839 IP 172.16.0.5.1262 > 172.16.0.100.6343: UDP, length 380
> 09:27:46.619585 IP 172.16.0.5.1262 > 172.16.0.100.6343: UDP, length 380
> 09:27:48.652302 IP 172.16.0.5.1262 > 172.16.0.100.6343: UDP, length 732
> 09:27:50.660054 IP 172.16.0.5.1262 > 172.16.0.100.6343: UDP, length 380
> 09:27:52.643779 IP 172.16.0.5.1262 > 172.16.0.100.6343: UDP, length 204
> 09:27:54.634592 IP 172.16.0.5.1262 > 172.16.0.100.6343: UDP, length 204
> 09:27:56.635904 IP 172.16.0.5.1262 > 172.16.0.100.6343: UDP, length 732
>
> Tcpdump confirms that there are no packets converted and forwarded
> to port 2055 by sflowtool (even when specifying the -i):
> [root@myhost ~]# tcpdump -n udp port 2055
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
>
> The same thing occurs when using the sflowtool-3.8 precompiled binary.
>
> Thank you!
>
> James
>
>
>
>
>
>> From: Neil McKee <neil.mckee@inmon.com>
>> To: "clau_cdn clau_cdn" <clau_cdn@msn.com>
>> CC: traffic-management@inmon.com
>> Subject: Re: [traffic-management] converting sflow into netflow
>> using sflowtool does not
>> Date: Thu, 14 Sep 2006 08:19:02 -0700
>>
>> James,
>>
>> Another suggestion is to run "sflowtool -l" to dump the output in
>> ASCII and confirm that you are getting flow-samples with IPv4
>> addresses (not just counter-samples, or other protocols). You
>> may need to reduce the sampling-rate setting that you are using
>> on the switch if there is not enough traffic.
>>
>> (You may also want to use the "-S" option so that the source
>> address of each netflow packet is spoofed to look like it came
>> straight from the switch).
>>
>> regards,
>> neil
>>
>>
>>
>> On Sep 14, 2006, at 7:42 AM, clau_cdn clau_cdn wrote:
>>
>>> Neil,
>>>
>>> Thank you for your reply. I did use the -i in tcpdump and there
>>> was definitely no traffic being forwarded. I will try
>>> re-compiling from source. Thanks!
>>>
>>> James
>>>
>>>
>>>> From: Neil McKee <neil.mckee@inmon.com>
>>>> To: "clau_cdn clau_cdn" <clau_cdn@msn.com>
>>>> CC: traffic-management@inmon.com
>>>> Subject: Re: [traffic-management] converting sflow into netflow
>>>> using sflowtool does not work
>>>> Date: Wed, 13 Sep 2006 17:43:40 -0700
>>>>
>>>> James,
>>>>
>>>> There are no limitations about using localhost. This should work.
>>>>
>>>> First thought: did you include "-i lo" in the tcpdump command
>>>> line? Something like "tcpdump -i lo udp port 2055" should do it.
>>>>
>>>> Second thought: you could download the sources, compile with
>>>> -g, and run using gdb(1). Then you can add print statements,
>>>> set breakpoints and single-step to make sure it is working.
>>>> One of the perks of open-source :)
>>>>
>>>> regards,
>>>> neil
>>>>
>>>>
>>>> On Sep 13, 2006, at 4:23 PM, clau_cdn clau_cdn wrote:
>>>>
>>>>> I am trying to convert the sFlow datagrams into NetFlow and
>>>>> have a little problem. The agent is an HP ProCurve switch,
>>>>> the agent is enabled, configured and the datagrams are
>>>>> arriving at the collector (a linux box). On the collector
>>>>> (linux box) I do this:
>>>>>
>>>>> #./sflowtool -c localhost -d 2055
>>>>>
>>>>> I want the sFlow traffic to be converted and forwarded to
>>>>> the same machine (localhost) to port 2055. Using tcpdump I
>>>>> can confirm that there is nothing converted/sent to my 2055
>>>>> port. I can see that all the sFlow traffic arrives
>>>>> successfully from the agent and so far I can isolate this
>>>>> problem at the sflowtool processing phase. Is this a
>>>>> limitation of sflowtool aka I have to use a separate machine
>>>>> for collecting than the one which does the forwarding?
>>>>>
>>>>> Any input would be greatly appreciated, thanks!
>>>>>
>>>>> James
>>>>>
>>>>
>>>>
>>>>
>>>> ----------
>>>> Neil McKee
>>>> http://www.inmon.com
>>>
>>
>
Received on Thu Sep 14 12:30:00 2006
This archive was generated by hypermail 2.1.8 : 09/14/06 PDT
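
The check discussed in this thread (whether `sflowtool -l` is emitting FLOW lines with IP addresses or only CNTR lines) can be scripted; the following is an added example, not part of the original messages or of sflowtool itself. The CNTR column positions used for ifIndex and the octet counters are an assumption about the `-l` layout, and the FLOW line and agent 10.0.0.9 in the sample are constructed.

```shell
#!/bin/sh
# Summarise `sflowtool -l` output per agent: counter samples vs flow samples,
# and how many flow samples carry an IPv4 address. An agent that only ever
# produces CNTR lines gives sflowtool nothing to convert into NetFlow.
# Live use (hypothetical 60 s window): timeout 60 sflowtool -l | sflow_summary
sflow_summary() {
    awk -F, '
    # True when a whole CSV field is a dotted quad.
    function is_ipv4(s) { return s ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ }

    $1 == "CNTR" {
        seen[$2] = 1; cntr[$2]++
        # Assumed layout: $3 = ifIndex, $8 = ifInOctets, $15 = ifOutOctets.
        if ($8 + $15 > 0 && !(($2, $3) in active)) {
            active[$2, $3] = 1
            busy[$2] = busy[$2] (busy[$2] == "" ? "" : "/") $3
        }
    }
    $1 == "FLOW" {
        seen[$2] = 1; flow[$2]++
        # Skip $2 (the agent address); look for an address inside the sample.
        for (i = 3; i <= NF; i++) if (is_ipv4($i)) { v4[$2]++; break }
    }
    END {
        for (a in seen) {
            verdict = "counters-only"
            if (flow[a] > 0) verdict = "flows-without-ipv4"
            if (v4[a] > 0)   verdict = "ok"
            printf "%s cntr=%d flow=%d flow_ipv4=%d busy_ports=%s %s\n",
                   a, cntr[a], flow[a], v4[a],
                   (busy[a] == "" ? "-" : busy[a]), verdict
        }
    }'
}

# Constructed sample: three CNTR lines taken from the output quoted above,
# plus one made-up FLOW line from a second, hypothetical agent.
sample_lines() {
    cat <<'EOF'
CNTR,172.16.0.5,23,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,172.16.0.5,3,6,100000000,2,1,6671146,30868,13,126,0,0,0,18788054,51198,6593,27419,0,3514,0
CNTR,172.16.0.5,19,6,100000000,1,1,9214,0,0,91,0,0,0,495,0,3,0,0,0,0
FLOW,10.0.0.9,1,2,001122334455,66778899aabb,0x0800,1,1,192.0.2.10,198.51.100.7,6,0x00,64,51000,443,0x18,1514,1496,50
EOF
}

sample_lines | sflow_summary
```

An agent reported as `counters-only` with a non-empty `busy_ports` list has traffic on those interfaces but is not delivering flow samples, which points at the sampling configuration on the switch rather than at the conversion step.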