ntop / nProbe

Open source components and extensions for nProbe
http://ntop.org
GNU General Public License v2.0
1.64k stars 44 forks

nProbe not dissecting IPV4 Flows via sflow #339

Closed brentdalgleish closed 5 years ago

brentdalgleish commented 5 years ago

Hi,

When using nprobe to collect sflow and export to ntop, it doesn't seem to work when sflow is exported from a switch carrying layer 3 traffic. Exporting from a switch carrying layer 2 traffic works fine.

Packet captures confirm sflow packets are arriving at the box, and nprobe debug logs confirm it also receives the packets, but never classifies any as a flow.

02/Mar/2019 22:30:27 [nprobe.c:3130] Processed packets: 20390000 (max bucket search: 0)
02/Mar/2019 22:30:27 [nprobe.c:3113] Fragment queue length: 0
02/Mar/2019 22:30:27 [nprobe.c:3140] Flow collection stats: [collected pkts: 129][processed flows: 0][collection drops: 0]
02/Mar/2019 22:30:27 [nprobe.c:3144] Flow export stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
02/Mar/2019 22:30:27 [nprobe.c:3150] Flow export drop stats: [0 bytes/0 pkts][0 flows]
02/Mar/2019 22:30:27 [nprobe.c:3155] Total flow stats: [0 bytes/0 pkts][0 flows/0 pkts sent]
02/Mar/2019 22:30:27 [nprobe.c:6631] Cleaning globals

Thanks
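A check for the symptom in the log above (sFlow datagrams collected, zero flows processed), as an added example that is not part of the original post or of nProbe. The status labels and the constructed sample entries are assumptions, and each stats entry is judged on its own because the thread does not say whether the counters are cumulative.

```python
import re

# Matches the "Flow collection stats" entry quoted in the issue. finditer() is
# used so entries still match when several log lines were pasted onto one line.
STATS_RE = re.compile(
    r"(?P<ts>\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2}) \[nprobe\.c:\d+\] "
    r"Flow collection stats: \[collected pkts: (?P<pkts>\d+)\]"
    r"\[processed flows: (?P<flows>\d+)\]\[collection drops: (?P<drops>\d+)\]"
)

def classify(pkts, flows, drops):
    """Label one stats entry (labels are this example's own, not nProbe's)."""
    if pkts == 0:
        return "no_input"       # nothing arriving: exporter or network issue
    if flows == 0:
        return "undissected"    # datagrams arrive but yield no flows
    if drops > 0:
        return "dropping"       # flows produced, but the collector is shedding
    return "ok"

def collection_health(log_text):
    """Return [(timestamp, status)] for every stats entry found in log_text."""
    return [
        (m["ts"], classify(int(m["pkts"]), int(m["flows"]), int(m["drops"])))
        for m in STATS_RE.finditer(log_text)
    ]

def blind_spots(log_text):
    """Timestamps where sFlow was received but no flows came out of it."""
    return [ts for ts, st in collection_health(log_text) if st == "undissected"]

# The 22:30:27 entries are from the report; the later ones are constructed.
# The first line carries two entries on purpose, as in a run-together paste.
SAMPLE_LOG = (
    "02/Mar/2019 22:30:27 [nprobe.c:3130] Processed packets: 20390000 (max bucket search: 0) "
    "02/Mar/2019 22:30:27 [nprobe.c:3140] Flow collection stats: "
    "[collected pkts: 129][processed flows: 0][collection drops: 0]\n"
    "02/Mar/2019 22:31:27 [nprobe.c:3140] Flow collection stats: "
    "[collected pkts: 0][processed flows: 0][collection drops: 0]\n"
    "02/Mar/2019 22:32:27 [nprobe.c:3140] Flow collection stats: "
    "[collected pkts: 310][processed flows: 57][collection drops: 0]\n"
    "02/Mar/2019 22:33:27 [nprobe.c:3140] Flow collection stats: "
    "[collected pkts: 400][processed flows: 60][collection drops: 12]\n"
)

if __name__ == "__main__":
    for ts, status in collection_health(SAMPLE_LOG):
        print(ts, status)
```

An "undissected" result means the flow-based monitoring downstream of this collector is blind for that exporter even though packets are arriving.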

Astaoth commented 5 years ago

Hi,

Same problem here with HP switches, and it seems to be the same problem as this one: http://listgateway.unipi.it/pipermail/ntop/2016-June/019228.html (but no solution publicly given).

Is there a way to force nprobe to use the sflow parser?

Thank you :)

simonemainardi commented 5 years ago

Are you guys able to enclose a pcap of the sFlow traffic you don't think is correctly parsed?

brentdalgleish commented 5 years ago

Luca fixed this, as nprobe was not accommodating the offset correctly. This is now resolved in the latest build.


simonemainardi commented 5 years ago

thanks for the update