path-network / logstash-codec-sflow

Logstash codec plugin to decode sFlow

Error parsing sflow #4

Closed Ios77 closed 7 years ago

Ios77 commented 7 years ago

Dear, the codec gives me this error:

{:timestamp=>"2016-10-20T15:28:38.220000+0200", :message=>"Unknown record entreprise 0, format 7", :level=>:warn}

referring to the existing lag_port_stats as explained here http://www.sflow.org/developers/structures.php.

Another thing I am not able to understand is what exactly frame_length_times_sampling_rate is:

frame length * sampling rate (1 packet every 1024 in my case) = bit/sec??

Thanks

ashangit commented 7 years ago

Hi,

The frame length * sampling rate is just the number of bits at the time of the event. For example, if you display on Kibana the frame_length_times_sampling_rate per source IP by timestamp with one point every 10 min, you will get the bits/10 min (hope to be clear).

Would you be able to provide me some (at least one) network capture (readable in Wireshark) of the sFlow frames for lag_port stats? This will ensure good development and the addition of tests.

Ios77 commented 7 years ago

Ok, I am doing exactly this on Kibana. But if I take a packet every 1024 packets I don't know how this statistic can be accurate. Here, on gdrive, you can find a tcpdump of 1000 packets.

Thanks.

ashangit commented 7 years ago

You should take a look at this to get a good idea of the accuracy of packet sampling: http://www.sflow.org/packetSamplingBasics/index.htm On my side, comparing the result to those provided by the F5 LB equipment on which I had to use this plugin, I found it quite accurate.

Will revert to you once the sFlow lag_port stats are added.
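As an added example, not code from this thread or from logstash-codec-sflow, here is how the estimate described in the two replies above is computed from sampled records: each sampled packet stands for sampling_rate packets and frame_length * sampling_rate bytes, summed per source IP per time bucket, with the 95%-confidence error bound from the sflow.org packet-sampling page (%error <= 196 * sqrt(1/c), c = samples in the class) attached to each bucket. The record fields, sample values, bucket size and helper names are constructed for the illustration.

```ruby
# Added example (not code from logstash-codec-sflow): turn sampled sFlow flow
# records into traffic estimates per source IP and time bucket.
# A record sampled at 1-in-sampling_rate stands for sampling_rate packets and
# frame_length * sampling_rate bytes; multiply bytes by 8 for bits/bucket.
require 'time'

BUCKET_SECONDS = 600 # 10 minutes, the Kibana interval used in the thread

# Constructed sample records (assumed field names), reduced to what the
# estimate needs: three samples from 10.0.0.5 in one bucket, one from
# 10.0.0.7 in the next bucket, all sampled 1 in 1024.
SAMPLE_RECORDS = [
  { 'src_ip' => '10.0.0.5', 'frame_length' => 1500, 'sampling_rate' => 1024, '@timestamp' => '2016-10-20T15:00:10Z' },
  { 'src_ip' => '10.0.0.5', 'frame_length' => 64,   'sampling_rate' => 1024, '@timestamp' => '2016-10-20T15:03:00Z' },
  { 'src_ip' => '10.0.0.5', 'frame_length' => 1500, 'sampling_rate' => 1024, '@timestamp' => '2016-10-20T15:09:59Z' },
  { 'src_ip' => '10.0.0.7', 'frame_length' => 1500, 'sampling_rate' => 1024, '@timestamp' => '2016-10-20T15:12:00Z' }
].freeze

# Start of the bucket containing an ISO 8601 timestamp, as an ISO 8601 UTC string.
def bucket_start(ts, seconds = BUCKET_SECONDS)
  t = Time.iso8601(ts).to_i
  Time.at(t - (t % seconds)).utc.iso8601
end

# 95%-confidence relative error bound (percent) for a class with c samples,
# from sflow.org packetSamplingBasics: %error <= 196 * sqrt(1/c).
def error_bound_pct(sample_count)
  return Float::INFINITY if sample_count.zero?

  196.0 * Math.sqrt(1.0 / sample_count)
end

# Returns { [bucket_start, src_ip] => { samples:, est_packets:, est_bytes:, error_pct: } }
def estimate_traffic(records, seconds = BUCKET_SECONDS)
  agg = Hash.new { |h, k| h[k] = { samples: 0, est_packets: 0, est_bytes: 0 } }
  records.each do |r|
    key  = [bucket_start(r['@timestamp'], seconds), r['src_ip']]
    rate = r['sampling_rate']
    e = agg[key]
    e[:samples]     += 1
    e[:est_packets] += rate                       # one sample = rate packets
    e[:est_bytes]   += r['frame_length'] * rate   # frame_length_times_sampling_rate
  end
  agg.each_value { |e| e[:error_pct] = error_bound_pct(e[:samples]).round(1) }
  agg
end

if __FILE__ == $PROGRAM_NAME
  estimate_traffic(SAMPLE_RECORDS).each do |(bucket, ip), e|
    puts "#{bucket} #{ip}: ~#{e[:est_packets]} pkts, ~#{e[:est_bytes] * 8} bits (+/- #{e[:error_pct]}%)"
  end
end
```

The error column is what answers the "1 in 1024" worry: the bound depends only on the number of samples actually collected in the class, not on the sampling rate, so a bucket with 3 samples is bounded at about 113% while 1000 samples (the size of the capture mentioned above) bring it down to about 6%.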

ashangit commented 7 years ago

Hi,

Just to let you know that I've started to implement the lag_port_stats counter. I'm currently facing an issue: the sFlow spec defines a 52-byte counter (if I take 6 bytes for the MAC) but the data length of this flow counter is 56 bytes. In other sampling flows the MAC is usually encoded with 6 bytes + 2 bytes for padding. Using this will solve the "length issue" but I have not been able to double-check that it decodes the counter well, as none of the tools I usually use to decode sFlow know this counter. Wireshark or sflowtool are not able to decode it. Would you be able, if I send you a decoded counter, to validate whether it is fine or not?

ashangit commented 7 years ago

Good news: the last release of sflowtool is able to decode the LAG counter and has confirmed that the MAC struct is 6 bytes for the MAC + 2 bytes for padding.
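An added example, not the plugin's own parser, of decoding a lag_port_stats counter record with the 8-byte MAC layout (6 bytes + 2 bytes padding) settled on in the two comments above; it also shows why a 6-byte MAC comes out to 52 bytes while the record on the wire is 56. The field order is taken from the sflow.org LAG structure definition, the record header follows sFlow v5 (a 4-byte data_format holding enterprise << 12 | format, then a 4-byte length), and the sample record bytes and helper names are constructed for the illustration.

```ruby
# Added example (not code from logstash-codec-sflow): parse one sFlow counter
# record carrying lag_port_stats (enterprise 0, format 7).
# Field order follows the sflow.org LAG structure; MACs are 6 bytes + 2 bytes
# of padding, which is what makes the body 56 bytes rather than 52.

LAG_FORMAT   = 7   # data_format = (enterprise << 12) | format, enterprise 0
LAG_BODY_LEN = 56  # 2 * (6 + 2) MAC + 4 AggID + 4 state bytes + 8 * 4 counters

LAG_FIELDS = %w[
  dot3adAggPortActorSystemID dot3adAggPortPartnerOperSystemID
  dot3adAggPortAttachedAggID
  dot3adAggPortActorAdminState dot3adAggPortActorOperState
  dot3adAggPortPartnerAdminState dot3adAggPortPartnerOperState
  dot3adAggPortStatsLACPDUsRx dot3adAggPortStatsMarkerPDUsRx
  dot3adAggPortStatsMarkerResponsePDUsRx dot3adAggPortStatsUnknownRx
  dot3adAggPortStatsIllegalRx dot3adAggPortStatsLACPDUsTx
  dot3adAggPortStatsMarkerPDUsTx dot3adAggPortStatsMarkerResponsePDUsTx
].freeze

# 'a6x2' = 6-byte MAC then 2 padding bytes; N = 32-bit big-endian; C = byte
LAG_PACK = 'a6x2a6x2NC4N8'.freeze

def format_mac(raw)
  raw.unpack('C6').map { |b| format('%02x', b) }.join(':')
end

# Parses a counter record (4-byte data_format, 4-byte length, body).
# Returns [fields_hash, nil] on success or [nil, warning] when the record is
# not a lag_port_stats record of the expected length, mirroring the codec's
# "Unknown record" warning seen at the top of the thread.
def parse_counter_record(bytes)
  return [nil, 'truncated record header'] if bytes.bytesize < 8

  data_format, length = bytes.unpack('NN')
  enterprise = data_format >> 12
  fmt        = data_format & 0xfff
  body       = bytes.byteslice(8, length)

  unless enterprise.zero? && fmt == LAG_FORMAT
    return [nil, "Unknown record enterprise #{enterprise}, format #{fmt}"]
  end
  unless length == LAG_BODY_LEN && body.bytesize == LAG_BODY_LEN
    return [nil, "lag_port_stats length #{length}, expected #{LAG_BODY_LEN}"]
  end

  values = body.unpack(LAG_PACK)
  values[0] = format_mac(values[0])
  values[1] = format_mac(values[1])
  [LAG_FIELDS.zip(values).to_h, nil]
end

# Builds a record in the same layout (used here to construct test input).
def build_lag_record(actor_mac, partner_mac, agg_id, states, counters)
  body = [actor_mac, partner_mac, agg_id, *states, *counters].pack(LAG_PACK)
  [LAG_FORMAT, body.bytesize].pack('NN') + body
end

# Constructed sample mirroring the values in the decoded event later in the thread
SAMPLE_LAG_RECORD = build_lag_record(
  "\x00" * 6, "\x00" * 6, 43, [62, 62, 62, 62], [0xffffffff] * 8
)

if __FILE__ == $PROGRAM_NAME
  fields, warning = parse_counter_record(SAMPLE_LAG_RECORD)
  puts(warning || fields.map { |k, v| "#{k} => #{v}" })
end
```

A record advertising a 52-byte body is rejected by the length check rather than mis-decoded: with the padding missing, every field after the first MAC would shift by two bytes and the counters would read as garbage without any error.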

ashangit commented 7 years ago

logstash-codec-sflow 1.2.1 is available with the LAG counter. Please let me know if you face any issue with it

Ios77 commented 7 years ago

Thanks for the good work! Another problem, maybe correlated with this, so I commented out

```ruby
@logger.warn("Unknown record entreprise #{record['record_entreprise'].to_s}, format #{record['record_format'].to_s}")
```

in sflow.rb

Maybe now it is ok; I will try the new version as soon as possible.

Thanks a lot,

Ivan

Ios77 commented 7 years ago

With the plugin update command I get logstash-codec-sflow-2.0.0, not 1.2.1. In the 2.0 version there is no more need to comment out the line in sflow.rb, but I don't get the lag field decoded. Is there something I am missing? I suppose I can manually roll back to 1.2.1, but why 2.0?

ashangit commented 7 years ago

The 2.0 release is for Logstash 5.0. So depending on the Logstash release you are using you should download 2.0 or 1.2.1 (with Logstash 2.3.4 the plugin downloaded by default is 1.2.1).

For the LAG counter, here is an example of an event I have from your network trace with plugin 2.0:

```
{
  "dot3adAggPortStatsMarkerPDUsRx" => "4294967295",
  "dot3adAggPortStatsLACPDUsRx" => "4294967295",
  "dot3adAggPortStatsLACPDUsTx" => "4294967295",
  "dot3adAggPortStatsMarkerPDUsTx" => "4294967295",
  "source_id_type" => "0",
  "dot3adAggPortPartnerAdminState" => "62",
  "type" => "sflow",
  "uptime_in_ms" => "2329998928",
  "sflow_type" => "expanded_counter_sample",
  "dot3adAggPortPartnerOperState" => "62",
  "sub_agent_id" => "0",
  "ip_version" => "1",
  "dot3adAggPortStatsUnknownRx" => "4294967295",
  "@version" => "1",
  "dot3adAggPortStatsMarkerResponsePDUsRx" => "4294967295",
  "host" => "0:0:0:0:0:0:0:1",
  "dot3adAggPortStatsIllegalRx" => "4294967295",
  "dot3adAggPortActorOperState" => "62",
  "dot3adAggPortStatsMarkerResponsePDUsTx" => "4294967295",
  "dot3adAggPortActorSystemID" => "00:00:00:00:00:00",
  "agent_ip" => "XX.X.X.XX",
  "sample_seq_number" => "28366",
  "@timestamp" => 2016-11-03T09:15:09.988Z,
  "source_id_index" => "1054084",
  "dot3adAggPortActorAdminState" => "62",
  "dot3adAggPortAttachedAggID" => "43",
  "dot3adAggPortPartnerOperSystemID" => "00:00:00:00:00:00"
}
```

Ios77 commented 7 years ago

You can close, thanks.

Ivan