Neil,
Thank you very much for your help! After changing the sampling rate I see
some netflow packets coming but not too many as I was expecting. The
sflowtool seems to be doing what it's supposed to do. I changed the sampling
rates both with the sflowenable script and directly into the switch.
Thanks again,
james
>From: neil mckee <neil.mckee@inmon.com>
>To: clau_cdn clau_cdn <clau_cdn@msn.com>
>CC: traffic-management@inmon.com
>Subject: Re: [traffic-management] converting sflow into netflow using
>sflowtool does not
>Date: Thu, 14 Sep 2006 12:30:00 -0700
>
>James,
>
>The "CNTR" symbol in the output means "counter-sample" here. Sorry I
>didn't make that clear. You are looking for lines marked "FLOW" that have
>IP addresses. I suggest you:
>1. change the sampling-rate to something like 1-in-50.
>2. increase the traffic on the links you are monitoring.
>3. confirm that sFlow was fully enabled on the device. Are you using the
>sflowenable script to turn it on?
>
>(You could also try the free "sFlowTrend" tool. It will configure sFlow
>automatically as part of the initialization).
>
>regards,
>neil
>
>
>On Sep 14, 2006, at 8:40 AM, clau_cdn clau_cdn wrote:
>
>>Neil,
>>
>>I took your advice and downloaded the sflowtool-3.10 sources. Compiled
>>them and tried again but no luck. The conversion doesn't seem to work.
>>The CSV data seems to be ok (I only have data on a couple of ports that
>>explains the zeroes, 172.16.0.5 is the switch itself, the destination
>>myhost is the same machine, destination port for the netflow packets
>>would be 2055):
>>
>>[root@myhost src]# ./sflowtool -c myhost -d 2055 -l -s
>>CNTR,172.16.0.5,23,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
>>CNTR,172.16.0.5,9,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
>>CNTR,172.16.0.5,10,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
>>CNTR,172.16.0.5,5,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
>>CNTR,172.16.0.5,21,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
>>CNTR,172.16.0.5,12,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
>>CNTR,172.16.0.5,20,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
>>CNTR,172.16.0.5,3,6,100000000,2,1,6671146,30868,13,126,0,0,0,18788054,51198,6593,27419,0,3514,0
>>CNTR,172.16.0.5,16,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
>>CNTR,172.16.0.5,18,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
>>CNTR,172.16.0.5,19,6,100000000,1,1,9214,0,0,91,0,0,0,495,0,3,0,0,0,0
>>CNTR,172.16.0.5,7,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
>>CNTR,172.16.0.5,9,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
>>CNTR,172.16.0.5,21,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
>>CNTR,172.16.0.5,8,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
>>CNTR,172.16.0.5,14,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
>>CNTR,172.16.0.5,10,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
>>CNTR,172.16.0.5,4,6,100000000,2,1,20149958,51198,5792,27516,0,2,0,6740991,30866,814,126,0,121,0
>>CNTR,172.16.0.5,12,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
>>CNTR,172.16.0.5,15,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
>>CNTR,172.16.0.5,17,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
>>
>>
>>At the same time I can see that there is nothing on port 2055:
>>[root@myhost bin]# ./flow-receive 0/0/2055 -V 5 | flow-print | less
>>flow-receive: setsockopt(size=4194304)
>>
>>
>>But the sFlow traffic is arriving from the switch just fine (172.16.0.100
>>is my linux box - the collector):
>>[root@myhost ~]# tcpdump -n udp port 6343
>>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
>>09:27:37.650138 IP 172.16.0.5.1262 > 172.16.0.100.6343: UDP, length 204
>>09:27:41.665544 IP 172.16.0.5.1262 > 172.16.0.100.6343: UDP, length 556
>>09:27:44.641839 IP 172.16.0.5.1262 > 172.16.0.100.6343: UDP, length 380
>>09:27:46.619585 IP 172.16.0.5.1262 > 172.16.0.100.6343: UDP, length 380
>>09:27:48.652302 IP 172.16.0.5.1262 > 172.16.0.100.6343: UDP, length 732
>>09:27:50.660054 IP 172.16.0.5.1262 > 172.16.0.100.6343: UDP, length 380
>>09:27:52.643779 IP 172.16.0.5.1262 > 172.16.0.100.6343: UDP, length 204
>>09:27:54.634592 IP 172.16.0.5.1262 > 172.16.0.100.6343: UDP, length 204
>>09:27:56.635904 IP 172.16.0.5.1262 > 172.16.0.100.6343: UDP, length 732
>>
>>Tcpdump confirms that there are no packets converted and forwarded to
>>port 2055 by sflowtool (even when specifying the -i):
>>[root@myhost ~]# tcpdump -n udp port 2055
>>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
>>
>>The same thing occurs when using the sflowtool-3.8 precompiled binary.
>>
>>Thank you!
>>
>>James
>>
>>
>>
>>
>>
>>>From: Neil McKee <neil.mckee@inmon.com>
>>>To: "clau_cdn clau_cdn" <clau_cdn@msn.com>
>>>CC: traffic-management@inmon.com
>>>Subject: Re: [traffic-management] converting sflow into netflow using
>>>sflowtool does not
>>>Date: Thu, 14 Sep 2006 08:19:02 -0700
>>>
>>>James,
>>>
>>>Another suggestion is to run "sflowtool -l" to dump the output in ASCII
>>>and confirm that you are getting flow-samples with IPv4 addresses (not
>>>just counter-samples, or other protocols). You may need to reduce the
>>>sampling-rate setting that you are using on the switch if there is not
>>>enough traffic.
>>>
>>>(You may also want to use the "-S" option so that the source address of
>>>each netflow packet is spoofed to look like it came straight from the
>>>switch).
>>>
>>>regards,
>>>neil
>>>
>>>
>>>
>>>On Sep 14, 2006, at 7:42 AM, clau_cdn clau_cdn wrote:
>>>
>>>>Neil,
>>>>
>>>>Thank you for your reply. I did use the -i in tcpdump and there was
>>>>definitely no traffic being forwarded. I will try re-compiling from
>>>>source. Thanks!
>>>>
>>>>James
>>>>
>>>>
>>>>>From: Neil McKee <neil.mckee@inmon.com>
>>>>>To: "clau_cdn clau_cdn" <clau_cdn@msn.com>
>>>>>CC: traffic-management@inmon.com
>>>>>Subject: Re: [traffic-management] converting sflow into netflow using
>>>>> sflowtool does not work
>>>>>Date: Wed, 13 Sep 2006 17:43:40 -0700
>>>>>
>>>>>James,
>>>>>
>>>>>There are no limitations about using localhost. This should work.
>>>>>
>>>>>First thought: did you include "-i lo" in the tcpdump command line?
>>>>>Something like "tcpdump -i lo udp port 2055" should do it.
>>>>>
>>>>>Second thought: you could download the sources, compile with -g,
>>>>>and run using gdb(1). Then you can add print statements, set
>>>>>breakpoints and single-step to make sure it is working. One of the
>>>>>perks of open-source :)
>>>>>
>>>>>regards,
>>>>>neil
>>>>>
>>>>>
>>>>>On Sep 13, 2006, at 4:23 PM, clau_cdn clau_cdn wrote:
>>>>>
>>>>>>I am trying to convert the sFlow datagrams into NetFlow and have a
>>>>>>little problem. The agent is an HP ProCurve switch, the agent is
>>>>>>enabled, configured and the datagrams are arriving at the collector
>>>>>>(a linux box). On the collector (linux box) I do this:
>>>>>>
>>>>>>#./sflowtool -c localhost -d 2055
>>>>>>
>>>>>>I want the sFlow traffic to be converted and forwarded to the
>>>>>>same machine (localhost) to port 2055. Using tcpdump I can confirm
>>>>>>that there is nothing converted/sent to my 2055 port. I can see
>>>>>>that all the sFlow traffic arrives successfully from the agent and
>>>>>>so far I can isolate this problem at the sflowtool processing
>>>>>>phase. Is this a limitation of sflowtool aka I have to use a
>>>>>>separate machine for collecting than the one which does the
>>>>>>forwarding?
>>>>>>
>>>>>>Any input would be greatly appreciated, thanks!
>>>>>>
>>>>>>James
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>----------
>>>>>Neil McKee
>>>>>http://www.inmon.com
>>>>
>>>
>>
>
Received on Tue Sep 19 13:56:39 2006
This archive was generated by hypermail 2.1.8 : 09/19/06 PDT
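
The check suggested in the thread (look in the `sflowtool -l` output for "FLOW" lines that carry IP addresses, rather than only "CNTR" lines) can be automated. The following is an added example, not part of the original messages and not InMon's code. The two FLOW records in the sample are constructed, their field layout is an assumption, and the "two IPv4 fields after the agent address" test is a heuristic chosen for this example.

```python
import ipaddress
import re
import sys
from collections import Counter

# Constructed sample: the CNTR records (one still mail-wrapped and quoted) come
# from the thread; the FLOW records are invented and their layout is assumed.
SAMPLE = """\
>>CNTR,172.16.0.5,23,6,10000000,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0
>>CNTR,
>>172.16.0.5,3,6,100000000,2,1,6671146,30868,13,126,0,0,0,18788054,51198
>>,6593,27419,0,3514,0
FLOW,172.16.0.5,3,4,00aabbccdd01,00aabbccdd02,0x0800,1,1,172.16.0.21,172.16.0.100,6,0x00,64,40312,80,0x18,1518,1500,50
FLOW,172.16.0.5,4,3,00aabbccdd02,ffffffffffff,0x0806,1,1,-,-,0,0x00,0,0,0,0x00,64,0,50
"""

def records(lines):
    """Yield one field list per record, rejoining lines a mail client wrapped."""
    current = ""
    for raw in lines:
        line = raw.strip().lstrip("> ")      # drop quote markers from pasted mail
        if re.match(r"(CNTR|FLOW),", line) and current:
            yield current.split(",")         # a new tag closes the previous record
            current = ""
        current += line
    if current:
        yield current.split(",")

def is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False

def summarize(lines):
    """Count record types and FLOW records that carry IPv4 src/dst addresses."""
    counts = Counter()
    for fields in records(lines):
        counts[fields[0]] += 1
        # fields[1] is the agent address; require two more IPv4 fields after it.
        if fields[0] == "FLOW" and sum(map(is_ipv4, fields[2:])) >= 2:
            counts["FLOW_ipv4"] += 1
    if counts["FLOW_ipv4"]:
        verdict = "IPv4 flow samples present"
    else:
        verdict = "no IPv4 flow samples: check sampling rate, traffic, sFlow config"
    return {"CNTR": counts["CNTR"], "FLOW": counts["FLOW"],
            "FLOW_ipv4": counts["FLOW_ipv4"], "verdict": verdict}

if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin))
```

Piping live output into the script (for example `./sflowtool -l | python3` followed by the script's file name) replaces the embedded sample with real records.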