search

sflow / host-sflow

host-sflow agent
http://sflow.net
Other
154 stars 55 forks source link

No out interfaces on flows #67

Closed Pelt10 closed 6 months ago

Pelt10 commented 6 months ago

Hello,

I use host-sflow on a virtual machine(Debian 11.7 with kernel 5.10.0-23) which acts as network-edge router. I have strange behaviour where I never have out interface(ifindex = 0) on all flows. Screenshot 2024-05-07 at 17 19 36

With debug enable on process I get this log (extract) :

takeSample: hook=0 tap=enp1s4 in=enp1s4 out=<not found> pkt_len=111 cap_len=115 mac_len=14 (BC241178846C -> D6E08A0CB402 et=0x0800)
dbg2:selected sampler enp1s4 ifIndex=11
dbg1:psample netlink (type=29) CMD = 0
dbg2:psample: grp=1 in=11 out=0 n=10 seq=27448 drops=0 pktlen=106
takeSample: hook=0 tap=enp1s4 in=enp1s4 out=<not found> pkt_len=92 cap_len=96 mac_len=14 (BC241178846C -> D6E08A0CB402 et=0x0800)
dbg2:selected sampler enp1s4 ifIndex=11
dbg1:psample netlink (type=29) CMD = 0
dbg2:psample: grp=1 in=11 out=0 n=10 seq=27449 drops=0 pktlen=66
takeSample: hook=0 tap=enp1s4 in=enp1s4 out=<not found> pkt_len=52 cap_len=56 mac_len=14 (BC241178846C -> D6E08A0CB402 et=0x0800)
dbg2:selected sampler enp1s4 ifIndex=11
dbg1:psample netlink (type=29) CMD = 0
dbg2:psample: grp=1 in=11 out=0 n=10 seq=27450 drops=0 pktlen=70
takeSample: hook=0 tap=enp1s4 in=enp1s4 out=<not found> pkt_len=56 cap_len=60 mac_len=14 (BC241178846C -> D6E08A0CB402 et=0x0800)
dbg2:selected sampler enp1s4 ifIndex=11

my configuration : 

$ cat /etc/hsflowd.conf
sflow {
  DNSSD = off
  polling = 10
  sampling = 1000

  agent = ens18

  collector {
    ip=XX.XX.XX.XX
    udpport=6343
  }

  # ====== Local configuration ======
  psample { group=1 }
  #  dent { sw=off switchport=enp[0-9]+s[0-9]* }
  # tcp { }
  # systemd { markTraffic = on }
}

With the tc_psample script(here) on all interfaces(tc_psample $DEV 1000 1).

Is there something I don't understand? Do you have any idea?

sflow commented 6 months ago

These are ingress samples, so it's quite likely that the PSAMPLE channel is reporting output-interface 0 (unknown) since that decision is made later in the pipeline. If hsflowd were to look up the routing tables then it might be able to fill in the egress interface for ingress samples. However that enhancement has not been made (yet).

So to get in/out visibility you might want to turn on bidirectional sampling.

The dent module should be able to issue the correct tc(1) commands for you, but first you need to tell the psample to expect egress samples too (the dent module will notice that and generate tc commands accordingly).

psample { group=1 ingress=on egress=on }
dent { sw=on switchport=enp.* }