search

javadmohebbi / nfCollector

Collects Netflow version 1, 5, 6, 7, 9 & IPFIX & stores them on InfluxData time-series DB (InfluxDB)
43 stars 11 forks source link

Decoder error: EOF (again) #16

Closed yaquaholic closed 3 years ago

yaquaholic commented 3 years ago

Hi there,

I am also suffering with this error, I suspect that it is my Flow config at fault:

Flow exporter nfCollector: Destination: 10.x.x.x VRF: cloudthingy (1) Destination UDP Port 9995 Source Interface VlanXX (10.x.x.x) Export Version 9 Exporter Statistics Number of Flow Records Exported 43 Number of Templates Exported 3 Number of Export Packets Sent 39 Number of Export Bytes Sent 3388

Can you spot anything that might be causing me issues?

Many thanks.

javadmohebbi commented 3 years ago

Hi @yaquaholic

Would you please let me know whats the error ?

yaquaholic commented 3 years ago

Good morning @javadmohebbi

I can see from tcpdump that we have incoming NetFlow v9 traffic on UDO 9995:

tcpdump -i ens192 -n udp port 9995 -c 10 -T cnfp -vv

tcpdump: listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes 10:44:35.704626 IP (tos 0x0, ttl 64, id 9298, offset 0, flags [none], proto UDP (17), length 104) 10.x.x.x.54119 > 10.y.y.y.9995: NetFlow v9 10:44:50.701318 IP (tos 0x0, ttl 64, id 10094, offset 0, flags [none], proto UDP (17), length 104) 10.x.x.x.54119 > 10.y.y.y.9995: NetFlow v9

But when looking at 'journalctl -u nfcol.service' all I can see are "decoder error: EOF" errors.

Oct 26 12:42:03 nfcollector systemd[1]: Started Netflow Collector is a tool that collect Netflow v1, v5, v9 & IPFIX and export them Oct 26 12:42:03 nfcollector nfcol[1102]: 2020/10/26 12:42:03 Server is listening on 10.x.x.x:9995 Oct 26 12:42:03 nfcollector nfcol[1102]: 2020/10/26 12:42:03 Export job started Oct 26 12:42:19 nfcollector nfcol[1102]: 2020/10/26 12:42:19 decoder error: EOF Oct 26 12:42:29 nfcollector nfcol[1102]: 2020/10/26 12:42:29 decoder error: EOF Oct 26 12:42:59 nfcollector nfcol[1102]: 2020/10/26 12:42:59 decoder error: EOF Oct 26 12:43:24 nfcollector nfcol[1102]: 2020/10/26 12:43:24 decoder error: EOF Oct 26 12:44:19 nfcollector nfcol[1102]: 2020/10/26 12:44:19 decoder error: EOF Oct 26 12:45:29 nfcollector nfcol[1102]: 2020/10/26 12:45:29 decoder error: EOF Oct 26 12:47:19 nfcollector nfcol[1102]: 2020/10/26 12:47:19 decoder error: EOF Oct 26 12:47:24 nfcollector nfcol[1102]: 2020/10/26 12:47:24 decoder error: EOF Oct 26 12:47:34 nfcollector nfcol[1102]: 2020/10/26 12:47:34 decoder error: EOF Oct 26 12:48:19 nfcollector nfcol[1102]: 2020/10/26 12:48:19 decoder error: EOF

With a similar view from systemctl status nfcol.

systemctl status nfcol

● nfcol.service - Netflow Collector is a tool that collect Netflow v1, v5, v9 & IPFIX and export them in many databases like InfluxDB Loaded: loaded (/lib/systemd/system/nfcol.service; enabled; vendor preset: enabled) Active: active (running) since Mon 2020-10-26 12:42:03 GMT; 21h ago Docs: https://mjmohebbi.com Main PID: 1102 (nfcol) Tasks: 10 (limit: 19176) Memory: 29.9M CGroup: /system.slice/nfcol.service └─1102 /usr/local/bin/nfcol

Oct 26 13:04:59 nfcollector nfcol[1102]: 2020/10/26 13:04:59 decoder error: EOF Oct 26 13:05:19 nfcollector nfcol[1102]: 2020/10/26 13:05:19 decoder error: EOF Oct 26 13:05:39 nfcollector nfcol[1102]: 2020/10/26 13:05:39 decoder error: EOF Oct 26 13:06:19 nfcollector nfcol[1102]: 2020/10/26 13:06:19 decoder error: EOF Oct 26 13:06:29 nfcollector nfcol[1102]: 2020/10/26 13:06:29 decoder error: EOF Oct 26 13:06:39 nfcollector nfcol[1102]: 2020/10/26 13:06:39 decoder error: EOF Oct 26 13:07:09 nfcollector nfcol[1102]: 2020/10/26 13:07:09 decoder error: EOF Oct 26 13:07:19 nfcollector nfcol[1102]: 2020/10/26 13:07:19 decoder error: EOF Oct 26 13:07:24 nfcollector nfcol[1102]: 2020/10/26 13:07:24 decoder error: EOF Oct 26 13:07:39 nfcollector nfcol[1102]: 2020/10/26 13:07:39 decoder error: EOF

The thing that looks odd is the packet size, with each being 104, where as I'd expect a little more variation in packet sizes, which leads me to believe that i've gotten something wrong in my flow config.

Many thanks, yaquaholic

Nokawi commented 3 years ago

Hello guys!

I have the same problem =/ Any one have solution to fix this problem?

image

thanks!

yaquaholic commented 3 years ago

Okay, sorted the problem, which was entirely my own fault.... After updating the nfc.yaml file with:

exporter:
enabled: true

And I restarted the daemon, and I have flow data! :)

Nokawi commented 3 years ago

Thank u yaquaholic! <3