phaag / nfdump

Netflow processing tools

sfcapd not logging sflow data from Arista #303

Closed robobeaver6 closed 3 years ago

robobeaver6 commented 3 years ago

sfcapd Version: 1.6.18
nfsen Version: 1.3.8 $Id: nfsen 71 2017-01-19 16:16:21Z peter $
Running on CentOS 7, kernel 3.10.0-1062.1.1.el7.x86_64

I have nfsen working with netflow, and am attempting to add a couple of Arista DCS-7280SR2K-48C6-M-R switches running EOS 4.25.4M that do hardware-accelerated sflow. I have added them to the %sources in the nfsen.conf:

     'switch1'        => { 'port' => '6343', 'IP' => '10.10.38.8', 'type' => 'sflow', 'col' => '#FF0099', 'optarg' => ' -T all ' },
     'switch2'        => { 'port' => '6343', 'IP' => '10.10.8.67', 'type' => 'sflow', 'col' => '#FF0066', 'optarg' => ' -T all ' },

I then run nfsen reconfig successfully.

I restart nfsen, the new hosts show up and I have files being created in the profiles-data directory with a length of 276B. I do not have any firewall running and I can confirm I can see the sflow v5 data coming from the switch using tshark. I can also see that the sfcapd process is listening:

[root@nfsen ~]# netstat -antup | grep 6343
udp        0      0 0.0.0.0:6343            0.0.0.0:*                           122944/sfcapd 

I can confirm the process is receiving the packets by running strace -p 122944, which shows a recvfrom() for each packet. When it rotates the files every 5 min, I see it stat, rename, open and write no problem. It just doesn't seem to write anything other than the default empty file info.

    recvfrom(3, "\0\0\0\5\0\0\0\1\n\322\10C\0\0\0\0\0\2\307\v\5l\362P\0\0\0\7\0\0\0\2"..., 65535, 0, {sa_family=AF_INET, sin_port=htons(51771), sin_addr=inet_addr("10.10.8.67")}, [16]) = 1269
    recvfrom(3, "\0\0\0\5\0\0\0\1\n\322&\10\0\0\0\0\0\2\25\6\5l>\240\0\0\0\3\0\0\0\2"..., 65535, 0, {sa_family=AF_INET, sin_port=htons(41901), sin_addr=inet_addr("10.10.38.8")}, [16]) = 565
    alarm(0)                                = 10
    stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=3661, ...}) = 0
    lseek(6, 0, SEEK_SET)                   = 0
    write(6, "\f\245\1\0\1\0\0\0\0\0\0\0switch1\0\0\0\0\0\0\0\0\0\0\0"..., 140) = 140
    write(6, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 136) = 136
    close(6)                                = 0
    stat("/data/nfsen/profiles-data/live/switch1/2021/08/17", {st_mode=S_IFDIR|0755, st_size=12288, ...}) = 0
    rename("/data/nfsen/profiles-data/live/switch1/nfcapd.current.122942", "/data/nfsen/profiles-data/live/switch1/2021/08/17/nfcapd.202108171855") = 0
    stat("/data/nfsen/profiles-data/live/switch1/2021/08/17/nfcapd.202108171855", {st_mode=S_IFREG|0644, st_size=276, ...}) = 0
    semop(9764873, [{0, -1, 0}], 1)         = 0
    semop(9764873, [{0, 1, 0}], 1)          = 0
    sendto(4, "<30>Aug 17 19:00:00 sfcapd[12294"..., 121, MSG_NOSIGNAL, NULL, 0) = 121
    open("/data/nfsen/profiles-data/live/switch1/nfcapd.current.122942", O_RDWR|O_CREAT|O_TRUNC, 0644) = 6
    write(6, "\f\245\1\0\1\0\0\0\0\0\0\0switch1\0\0\0\0\0\0\0\0\0\0\0"..., 140) = 140
    write(6, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 136) = 136
    lseek(7, 0, SEEK_SET)                   = 0
    write(7, "\f\245\1\0\1\0\0\0\0\0\0\0switch2\0\0\0\0\0\0\0\0\0\0\0"..., 140) = 140
    write(7, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 136) = 136
    close(7)                                = 0
    stat("/data/nfsen/profiles-data/live/switch2/2021/08/17", {st_mode=S_IFDIR|0755, st_size=12288, ...}) = 0
    rename("/data/nfsen/profiles-data/live/switch2/nfcapd.current.122942", "/data/nfsen/profiles-data/live/switch2/2021/08/17/nfcapd.202108171855") = 0
    stat("/data/nfsen/profiles-data/live/switch2/2021/08/17/nfcapd.202108171855", {st_mode=S_IFREG|0644, st_size=276, ...}) = 0
    semop(9797642, [{0, -1, 0}], 1)         = 0
    semop(9797642, [{0, 1, 0}], 1)          = 0
    sendto(4, "<30>Aug 17 19:00:00 sfcapd[12294"..., 121, MSG_NOSIGNAL, NULL, 0) = 121
    open("/data/nfsen/profiles-data/live/switch2/nfcapd.current.122942", O_RDWR|O_CREAT|O_TRUNC, 0644) = 7
    write(7, "\f\245\1\0\1\0\0\0\0\0\0\0switch2\0\0\0\0\0\0\0\0\0\0\0"..., 140) = 140
    write(7, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 136) = 136
    sendto(4, "<30>Aug 17 19:00:00 sfcapd[12294"..., 60, MSG_NOSIGNAL, NULL, 0) = 60
    alarm(310)                              = 0

If I run the sfcapd process in the console with -E, it just seems to sit there:

[root@nfsen ~]# /usr/bin/sfcapd -w -p 6343 -u observium -g observium -B 200000 -S 1 -P /data/nfsen/var/run/p6343.pid \
    -z -n switch1,10.210.38.8,/data/nfsen/profiles-data/live/switch1 -E -T all
Add extension: 2 byte input/output interface index
Add extension: 4 byte input/output interface index
Add extension: 2 byte src/dst AS number
Add extension: 4 byte src/dst AS number
Add extension: dst tos, direction, src/dst mask
Add extension: IPv4 next hop
Add extension: IPv6 next hop
Add extension: IPv4 BGP next IP
Add extension: IPv6 BGP next IP
Add extension: src/dst vlan id
Add extension: 4 byte output packets
Add extension: 8 byte output packets
Add extension: 4 byte output bytes
Add extension: 8 byte output bytes
Add extension: 4 byte aggregated flows
Add extension: 8 byte aggregated flows
Add extension: in src/out dst mac address
Add extension: in dst/out src mac address
Add extension: MPLS Labels
Add extension: IPv4 router IP addr
Add extension: IPv6 router IP addr
Add extension: router ID
Add extension: BGP adjacent prev/next AS
Add extension: time packet received
Add extension: NSEL Common block
Add extension: NSEL xlate ports
Add extension: NSEL xlate IPv4 addr
Add extension: NSEL xlate IPv6 addr
Add extension: NSEL ACL ingress/egress acl ID
Add extension: NSEL username
Add extension: NSEL max username
Add extension: nprobe/nfpcapd latency
Add extension: NEL Common block
Add extension: Compat NEL IPv4
Add extension: NAT Port Block Allocation

File Block Header: 
  NumBlocks     =           0
  Size          =           0
  id             =           2

File Block Header: 
  NumBlocks     =           0
  Size          =           0
  id             =           2

The file size doesn't change from 276B; all of the files in the profiles-data/live/switch1/2021/08/17/ folders are 276B for the hosts using sflow. Netflow works fine. Host names and IP addresses have been replaced to protect the innocent.

phaag commented 3 years ago

Thanks for the report. May I ask you to pcap a few 1000 packets to the sflow collector and send me this pcap off list? You can find my email in the AUTHORS file.

Please make sure you have no firewall or SELinux rules active.

robobeaver6 commented 3 years ago

I have just discovered that if I turn off hardware acceleration on the switch, nfsen starts processing the packets. Literally the only thing that changes on the switch config is no sflow hardware acceleration. I am in the process of capturing another set of pcaps to send you to compare.

phaag commented 3 years ago

It looks as if the HW acceleration sflow stream only contains counter samples and no flow samples. Counter samples are discarded by sfcapd, as they are not relevant. Maybe you can convince the Arista to send flow samples as well in HW acceleration mode. There was recently a different issue with Arista - see #283. Maybe @lisaens could help here. If you agree, I consider this case closed.
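The diagnosis above can be checked on a collector by counting sample types in each received datagram. The following is an added example, not part of the thread and not nfdump code: it walks the sFlow v5 datagram header and sample records and reports how many are flow samples and how many are counter samples. The function names and the test datagrams are constructed for illustration; the format numbers are those of the sFlow version 5 specification.

```python
import struct

# sFlow v5 sample formats for enterprise 0: 1/3 = flow sample (compact/expanded),
# 2/4 = counter sample (compact/expanded).
SAMPLE_KINDS = {1: "flow", 2: "counter", 3: "flow", 4: "counter"}


def classify_samples(datagram: bytes) -> dict:
    """Count flow and counter samples in one sFlow v5 UDP payload."""
    if len(datagram) < 8:
        raise ValueError("datagram too short")
    version, addr_type = struct.unpack_from("!II", datagram, 0)
    if version != 5:
        raise ValueError(f"not sFlow v5 (version={version})")
    addr_len = {1: 4, 2: 16}.get(addr_type)  # 1 = IPv4 agent, 2 = IPv6 agent
    if addr_len is None:
        raise ValueError(f"unknown agent address type {addr_type}")
    off = 8 + addr_len
    if len(datagram) < off + 16:
        raise ValueError("truncated datagram header")
    # sub-agent id, sequence number, uptime, number of samples
    _sub, _seq, _uptime, nsamples = struct.unpack_from("!IIII", datagram, off)
    off += 16
    counts = {"flow": 0, "counter": 0, "other": 0}
    for _ in range(nsamples):
        if off + 8 > len(datagram):
            raise ValueError("truncated sample header")
        tag, length = struct.unpack_from("!II", datagram, off)
        off += 8
        if off + length > len(datagram):
            raise ValueError("truncated sample body")
        enterprise, fmt = tag >> 12, tag & 0xFFF
        kind = SAMPLE_KINDS.get(fmt, "other") if enterprise == 0 else "other"
        counts[kind] += 1
        off += length  # skip the opaque sample body
    return counts


def build_datagram(formats, body=b"\x00" * 8) -> bytes:
    """Constructed test input: a v5 datagram with one dummy sample per format."""
    head = struct.pack("!II4sIIII", 5, 1, bytes([192, 0, 2, 1]), 0, 1, 1000, len(formats))
    return head + b"".join(struct.pack("!II", f, len(body)) + body for f in formats)


if __name__ == "__main__":
    # A counters-only datagram gives a collector that discards counters nothing to store.
    print(classify_samples(build_datagram([2, 2, 4])))
    print(classify_samples(build_datagram([1, 2, 3])))
```

Feeding it the UDP payloads from a capture on port 6343 shows whether an exporter is sending any flow samples; a stream whose datagrams all report `flow: 0` produces the empty files described in this issue.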

lisaens commented 3 years ago

Sorry, we aren't using hardware acceleration and I have no knowledge of it, so I have nothing to contribute.