pavel-odintsov / fastnetmon

FastNetMon - very fast DDoS sensor with sFlow/Netflow/IPFIX/SPAN support
https://fastnetmon.com
GNU General Public License v2.0

SFLOW v4 in Community Edition #715

Closed Shev84 closed 6 years ago

Shev84 commented 6 years ago

On the Features page of FastNetMon there is info about support for SFLOW v4 (since version 1.1.3). I've installed that latest version, and using tcpdump I can see:

15:06:32.593946 IP (tos 0x0, ttl 61, id 10487, offset 0, flags [DF], proto UDP (17), length 1420) x.x.x.x.32768 > x.x.x.x.6343: sFlow version 4 packet not supported

So my question is, does FastNetMon Community Edition support SFLOW v4?

If yes, are there any options in fastnetmon.conf file that should be placed to get this working?

EDIT: From fastnetmon.log:

2018-03-13 15:51:35,174 [ERROR] sflow: hit INMPACKETTYPE_IPV4, very strange
2018-03-13 15:51:35,342 [ERROR] sflow: hit INMPACKETTYPE_IPV4, very strange
2018-03-13 15:51:36,121 [ERROR] sflow: hit INMPACKETTYPE_IPV4, very strange
2018-03-13 15:51:36,413 [ERROR] sflow: hit INMPACKETTYPE_IPV4, very strange
2018-03-13 15:51:37,352 [ERROR] sflow: hit INMPACKETTYPE_IPV4, very strange
2018-03-13 15:51:37,415 [ERROR] sflow: hit INMPACKETTYPE_IPV4, very strange
2018-03-13 15:51:38,278 [ERROR] sflow: hit INMPACKETTYPE_IPV4, very strange
2018-03-13 15:51:38,413 [ERROR] sflow: hit INMPACKETTYPE_IPV4, very strange
2018-03-13 15:51:39,268 [ERROR] sflow: hit INMPACKETTYPE_IPV4, very strange
2018-03-13 15:51:39,439 [ERROR] sflow: hit INMPACKETTYPE_IPV4, very strange
2018-03-13 15:51:39,996 [ERROR] sflow: we haven't support for COUNTERSSAMPLE for sFLOW v4 and ignore it completely
2018-03-13 15:51:40,459 [ERROR] sflow: hit INMPACKETTYPE_IPV4, very strange
2018-03-13 15:51:40,947 [ERROR] sflow: hit INMPACKETTYPE_IPV4, very strange
2018-03-13 15:51:41,508 [ERROR] sflow: hit INMPACKETTYPE_IPV4, very strange
2018-03-13 15:51:42,318 [ERROR] sflow: hit INMPACKETTYPE_IPV4, very strange
2018-03-13 15:51:42,562 [ERROR] sflow: hit INMPACKETTYPE_IPV4, very strange

pavel-odintsov commented 6 years ago

Hello!

It's not about sFlow v4; the community version supports it.

Your device generates very strange flow samples and adds the IP header directly without Ethernet headers. We do not support it at all, even for sFlow v5. It's a very rare approach and I know only one tool which implements it this way.
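
To check which kind of flow sample an exporter is sending, the following added example (not part of the original thread and not FastNetMon's code) reads an sFlow v4 datagram using the RFC 3176 layout and reports the packet-data type of the first flow sample. It assumes the `INMPACKETTYPE_IPV4` constant in the log corresponds to RFC 3176's packet data type IPV4 = 2; the function names and the sample datagram are constructed for illustration.

```python
import struct

# Enumerations from RFC 3176 (sFlow v4); dictionary names are this example's own.
SAMPLE_TYPES = {1: "FLOWSAMPLE", 2: "COUNTERSSAMPLE"}
PACKET_DATA_TYPES = {1: "HEADER", 2: "IPV4", 3: "IPV6"}


def first_sample_kind(datagram: bytes):
    """Return (version, sample_type, packet_data_type) for the first sample."""
    try:
        version, addr_type = struct.unpack_from("!II", datagram, 0)
        if version != 4:
            return (version, None, None)  # only the v4 layout is decoded here
        addr_len = {1: 4, 2: 16}.get(addr_type)  # 1 = IPv4 agent, 2 = IPv6 agent
        if addr_len is None:
            raise ValueError("unknown agent address type")
        off = 8 + addr_len
        _seq, _uptime, n_samples = struct.unpack_from("!III", datagram, off)
        off += 12
        if n_samples == 0:
            return (4, None, None)
        (sample_type,) = struct.unpack_from("!I", datagram, off)
        off += 4
        name = SAMPLE_TYPES.get(sample_type, f"unknown({sample_type})")
        if sample_type != 1:
            return (4, name, None)  # counters samples carry no packet data
        # Skip sequence_number, source_id, sampling_rate, sample_pool,
        # drops, input, output (7 x 32-bit) to reach the packet data type.
        off += 7 * 4
        (pkt_type,) = struct.unpack_from("!I", datagram, off)
        return (4, name, PACKET_DATA_TYPES.get(pkt_type, f"unknown({pkt_type})"))
    except struct.error as exc:
        raise ValueError("truncated sFlow datagram") from exc


def build_v4_flow_datagram(pkt_type: int) -> bytes:
    """Constructed test datagram: one flow sample, agent 192.0.2.1."""
    hdr = struct.pack("!II4sIII", 4, 1, bytes([192, 0, 2, 1]), 1, 1000, 1)
    sample = struct.pack("!I7II", 1, 1, 0, 512, 512, 0, 1, 2, pkt_type)
    return hdr + sample


if __name__ == "__main__":
    for t in (1, 2):
        print(first_sample_kind(build_v4_flow_datagram(t)))
```

A result of `(4, 'FLOWSAMPLE', 'HEADER')` is the sampled-raw-header form; `(4, 'FLOWSAMPLE', 'IPV4')` is the form the log lines above complain about.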