search

Edgio / vflow

Enterprise Network Flow Collector (IPFIX, sFlow, Netflow)
http://www.verizonmedia.com
Apache License 2.0
1.07k stars 224 forks source link

Can not decode sflow data #55

Closed jackpgao closed 6 years ago

jackpgao commented 6 years ago

run command

./vflow -config vflow.conf -mqueue-conf mq.conf  \
                 -sflow-max-udp-size 100000 -sflow-port 6343

vflow.conf

cat vflow.conf
sflow-workers: 1
log-file: /var/log/vflow.log
verbose: true
mq-name: kafka
ipfix-enabled: false
netflow9-enabled: false
sflow-topic: vflow

mq.conf

brokers:
  - xxxxx.cn:9092

output log

[vflow] 2018/04/26 00:50:49 rcvd sflow data from: xxxx:6343, size: 1396 bytes
[vflow] 2018/04/26 00:50:49 rcvd sflow data from: xxxx:6343, size: 1268 bytes
[vflow] 2018/04/26 00:50:49 rcvd sflow data from: xxxx:6343, size: 1220 bytes
[vflow] 2018/04/26 00:50:49 rcvd sflow data from: xxxx:6343, size: 1312 bytes

monitor

{
    "UDPQueue": 0,
    "MessageQueue": 0,
    "UDPCount": 750,
    "DecodedCount": 0,
    "MQErrorCount": 0,
    "Workers": 1
}

tcpdump of sflow sending

01:09:45.347017 IP xxxxx.sflow > xxxxx.sflow: sFlowv5, IPv4 agent xxxxx.com, agent-id 8, length 1216
01:09:45.482522 IP xxxxx.com.sflow > 1xxxxw: sFlowv5, IPv4 agent xxxx, agent-id 8, length 1372

Problem

mehrdadrad commented 6 years ago

@jackpgao can you increase workers at least to 2?

jackpgao commented 6 years ago

@mehrdadrad At first, the workers number is 200, it doesn't decode either, so I decrease it to only 1

mehrdadrad commented 6 years ago

looks the issue is related to your layer two switch device that it sends counters not raw packet!

jackpgao commented 6 years ago

Actually, it indeed sends the raw packet, cause I use sflowtrend, it works.

mehrdadrad commented 6 years ago

@jackpgao can you send me a pcap?

AlexAkulov commented 6 years ago

I have the same issue with my Cisco Nexus 3000. This is a bug in sFlow, other collectors work fine.

mehrdadrad commented 6 years ago

@AlexAkulov I need a pcap for debugging ...

hhtlxhhxy commented 6 years ago

Hello,I had the same problem,how did you solve it?

meatlayer commented 5 years ago

@AlexAkulov I need a pcap for debugging ...

Hi! Dump with cisco nexus 3000 in attachment. The dump will be available within a month for obvious reasons. Password: vflow Thanks for help!

tcpdump -i ens3 host x.x.x.x and not src port 22 and not dst port 22 and dst port 6343 -ttnnvvv -w dump-nexus3000.pcap

source.pcap