[netflow-tools] problems with pfflowd that don't happen with softflowd

Michael W. Lucas mwlucas at blackhelicopters.org
Sun May 1 22:46:40 EST 2005


On Sat, Apr 30, 2005 at 11:02:18PM +1000, Damien Miller wrote:
> Michael W. Lucas wrote:
...
> 
> There might be more to it. Could you try capturing with
> "tcpdump -s1500 -vvvTcnfp"? It will show some more details.

With pfflowd and the patch, no records appear.  Here's the tcpdump:

#tcpdump -n -i bge0 -s1500 -vvvTcnfp | grep a.b.c.d
tcpdump: listening on bge0, link-type EN10MB (Ethernet), capture size 1500 bytes
08:25:26.482635 IP (tos 0x0, ttl  63, id 12722, offset 0, flags [none], length: 628) a.b.c.d.56113 > w.x.y.z.port: NetFlow v5, 122.768 uptime, 1114950326.485754000, #761, 12 recs
08:25:26.482642 IP (tos 0x0, ttl  63, id 12723, offset 0, flags [none], length: 628) a.b.c.d.56113 > w.x.y.z.port: NetFlow v5, 122.768 uptime, 1114950326.485780000, #773, 12 recs
08:25:26.482783 IP (tos 0x0, ttl  63, id 12724, offset 0, flags [none], length: 628) a.b.c.d.56113 > w.x.y.z.port: NetFlow v5, 122.768 uptime, 1114950326.485793000, #785, 12 recs
08:25:26.482789 IP (tos 0x0, ttl  63, id 12725, offset 0, flags [none], length: 628) a.b.c.d.56113 > w.x.y.z.port: NetFlow v5, 122.768 uptime, 1114950326.485805000, #797, 12 recs
08:25:26.482929 IP (tos 0x0, ttl  63, id 12726, offset 0, flags [none], length: 484) a.b.c.d.56113 > w.x.y.z.port: NetFlow v5, 122.768 uptime, 1114950326.485815000, #809,  9 recs
08:25:32.833883 IP (tos 0x0, ttl  63, id 12741, offset 0, flags [none], length: 628) a.b.c.d.56113 > w.x.y.z.port: NetFlow v5, 129.119 uptime, 1114950332.837027000, #818, 12 recs
08:25:32.834031 IP (tos 0x0, ttl  63, id 12742, offset 0, flags [none], length: 628) a.b.c.d.56113 > w.x.y.z.port: NetFlow v5, 129.119 uptime, 1114950332.837054000, #830, 12 recs
08:25:32.834036 IP (tos 0x0, ttl  63, id 12743, offset 0, flags [none], length: 628) a.b.c.d.56113 > w.x.y.z.port: NetFlow v5, 129.119 uptime, 1114950332.837067000, #842, 12 recs
08:25:32.834178 IP (tos 0x0, ttl  63, id 12744, offset 0, flags [none], length: 628) a.b.c.d.56113 > w.x.y.z.port: NetFlow v5, 129.119 uptime, 1114950332.837079000, #854, 12 recs
08:25:38.378356 IP (tos 0x0, ttl  63, id 12755, offset 0, flags [none], length: 340) a.b.c.d.56113 > w.x.y.z.port: NetFlow v5, 134.663 uptime, 1114950338.381608000, #866,  6 recs
08:25:42.921488 IP (tos 0x0, ttl  63, id 12766, offset 0, flags [none], length: 580) a.b.c.d.56113 > w.x.y.z.port: NetFlow v5, 139.206 uptime, 1114950342.924569000, #872, 11 recs
08:25:42.921494 IP (tos 0x0, ttl  63, id 12767, offset 0, flags [none], length: 628) a.b.c.d.56113 > w.x.y.z.port: NetFlow v5, 139.206 uptime, 1114950342.924595000, #883, 12 recs
08:25:42.921634 IP (tos 0x0, ttl  63, id 12768, offset 0, flags [none], length: 436) a.b.c.d.56113 > w.x.y.z.port: NetFlow v5, 139.206 uptime, 1114950342.924607000, #895,  8 recs


With softflowd and the patch, it appears that flow-capture stops
receiving records.  I started the tcpdump on the collector and ran
"softflowctl expire-all" on the shaper, then checked the flow-capture
file contents:

#flowdumper tmp-v05.2005-05-01.083501-0400 | wc -l
       0
#

Mind you, once I do a "softflowctl shutdown" and restart with the
unpatched softflowd binary, I abruptly see:

#flowdumper tmp-v05.2005-05-01.083501-0400 | wc -l
   26151
#

So, could the flows just be resent upon shutdown?  Or perhaps
flow-capture somehow cached them before writing them to disk.  :-(

I can rerun the test early tomorrow morning.

tcpdump: listening on bge0, link-type EN10MB (Ethernet), capture size 1500 bytes
08:38:01.723537 IP (tos 0x0, ttl  63, id 16481, offset 0, flags [none], length: 1492) a.b.c.d.51473 > w.x.y.z.port: NetFlow v5, 230.801 uptime, 1114951081.726391000, #1538, 30 recs
08:38:01.723685 IP (tos 0x0, ttl  63, id 16482, offset 0, flags [none], length: 1492) a.b.c.d.51473 > w.x.y.z.port: NetFlow v5, 230.801 uptime, 1114951081.726391000, #1568, 30 recs
08:38:01.723831 IP (tos 0x0, ttl  63, id 16483, offset 0, flags [none], length: 1444) a.b.c.d.51473 > w.x.y.z.port: NetFlow v5, 230.801 uptime, 1114951081.726391000, #1598, 29 recs
08:38:01.723838 IP (tos 0x0, ttl  63, id 16484, offset 0, flags [none], length: 1444) a.b.c.d.51473 > w.x.y.z.port: NetFlow v5, 230.801 uptime, 1114951081.726391000, #1627, 29 recs
08:38:01.723980 IP (tos 0x0, ttl  63, id 16485, offset 0, flags [none], length: 1492) a.b.c.d.51473 > w.x.y.z.port: NetFlow v5, 230.801 uptime, 1114951081.726391000, #1656, 30 recs
08:38:01.724126 IP (tos 0x0, ttl  63, id 16486, offset 0, flags [none], length: 1444) a.b.c.d.51473 > w.x.y.z.port: NetFlow v5, 230.801 uptime, 1114951081.726391000, #1686, 29 recs
08:38:01.724274 IP (tos 0x0, ttl  63, id 16487, offset 0, flags [none], length: 1444) a.b.c.d.51473 > w.x.y.z.port: NetFlow v5, 230.801 uptime, 1114951081.726391000, #1715, 29 recs
08:38:01.724421 IP (tos 0x0, ttl  63, id 16488, offset 0, flags [none], length: 1492) a.b.c.d.51473 > w.x.y.z.port: NetFlow v5, 230.801 uptime, 1114951081.726391000, #1744, 30 recs
08:38:01.724568 IP (tos 0x0, ttl  63, id 16489, offset 0, flags [none], length: 1492) a.b.c.d.51473 > w.x.y.z.port: NetFlow v5, 230.801 uptime, 1114951081.726391000, #1774, 30 recs
08:38:01.724575 IP (tos 0x0, ttl  63, id 16490, offset 0, flags [none], length: 1444) a.b.c.d.51473 > w.x.y.z.port: NetFlow v5, 230.801 uptime, 1114951081.726391000, #1804, 29 recs
08:38:01.724715 IP (tos 0x0, ttl  63, id 16491, offset 0, flags [none], length: 1492) a.b.c.d.51473 > w.x.y.z.port: NetFlow v5, 230.801 uptime, 1114951081.726391000, #1833, 30 recs
08:38:01.724862 IP (tos 0x0, ttl  63, id 16492, offset 0, flags [none], length: 1492) a.b.c.d.51473 > w.x.y.z.port: NetFlow v5, 230.801 uptime, 1114951081.726391000, #1863, 30 recs
08:38:01.725010 IP (tos 0x0, ttl  63, id 16493, offset 0, flags [none], length: 1492) a.b.c.d.51473 > w.x.y.z.port: NetFlow v5, 230.801 uptime, 1114951081.726391000, #1893, 30 recs
08:38:01.725156 IP (tos 0x0, ttl  63, id 16494, offset 0, flags [none], length: 1444) a.b.c.d.51473 > w.x.y.z.port: NetFlow v5, 230.801 uptime, 1114951081.726391000, #1923, 29 recs
08:38:01.725163 IP (tos 0x0, ttl  63, id 16495, offset 0, flags [none], length: 1492) a.b.c.d.51473 > w.x.y.z.port: NetFlow v5, 230.801 uptime, 1114951081.726391000, #1952, 30 recs
08:38:01.725304 IP (tos 0x0, ttl  63, id 16496, offset 0, flags [none], length: 1492) a.b.c.d.51473 > w.x.y.z.port: NetFlow v5, 230.801 uptime, 1114951081.726391000, #1982, 30 recs
08:38:01.725452 IP (tos 0x0, ttl  63, id 16497, offset 0, flags [none], length: 772) a.b.c.d.51473 > w.x.y.z.port: NetFlow v5, 230.801 uptime, 1114951081.726391000, #2012, 15 recs

Thanks!

==ml

-- 
Michael W. Lucas	mwlucas at FreeBSD.org, mwlucas at BlackHelicopters.org
		http://www.BlackHelicopters.org/~mwlucas/
	       Latest book: Cisco Routers for the Desperate
	        http://www.CiscoRoutersForTheDesperate.com
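
An added example, not part of the original post or of pfflowd/softflowd: a checker for tcpdump's NetFlow v5 summary lines such as those in the captures above. It verifies that each datagram's IP length matches its record count and that the flow sequence number advances by the record count of the previous datagram. The function names are hypothetical, and it assumes IPv4 without options, the 24-byte v5 header and 48-byte v5 records.

```python
import re

# Sizes in bytes: IPv4+UDP headers (no IP options), v5 header, one v5 flow record.
IP_UDP_HDR, V5_HDR, V5_REC, V5_MAX_RECS = 28, 24, 48, 30

LINE_RE = re.compile(
    r"length: (?P<iplen>\d+)\) (?P<src>\S+) > \S+: NetFlow v5, .*?"
    r"#(?P<seq>\d+),\s+(?P<recs>\d+) recs"
)

def parse(lines):
    """Yield (exporter, ip_length, flow_sequence, record_count) per matching line."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m["src"], int(m["iplen"]), int(m["seq"]), int(m["recs"])

def check_stream(lines):
    """Return anomalies: impossible sizes, or gaps/replays in flow_sequence."""
    problems, expected = [], {}
    for src, iplen, seq, recs in parse(lines):
        if not 1 <= recs <= V5_MAX_RECS:
            problems.append(f"{src} #{seq}: record count {recs} out of range")
        want_len = IP_UDP_HDR + V5_HDR + recs * V5_REC
        if iplen != want_len:
            problems.append(f"{src} #{seq}: length {iplen}, expected {want_len}")
        # v5 flow_sequence counts flows exported so far, so the next datagram
        # from the same exporter socket should carry seq + recs.
        if src in expected and seq != expected[src]:
            kind = "gap" if seq > expected[src] else "replay or reorder"
            problems.append(f"{src} #{seq}: {kind}, expected #{expected[src]}")
        expected[src] = seq + recs
    return problems

# Sample input: the first three pfflowd lines from the capture in the post.
SAMPLE_OK = """\
08:25:26.482635 IP (tos 0x0, ttl  63, id 12722, offset 0, flags [none], length: 628) a.b.c.d.56113 > w.x.y.z.port: NetFlow v5, 122.768 uptime, 1114950326.485754000, #761, 12 recs
08:25:26.482642 IP (tos 0x0, ttl  63, id 12723, offset 0, flags [none], length: 628) a.b.c.d.56113 > w.x.y.z.port: NetFlow v5, 122.768 uptime, 1114950326.485780000, #773, 12 recs
08:25:26.482783 IP (tos 0x0, ttl  63, id 12724, offset 0, flags [none], length: 628) a.b.c.d.56113 > w.x.y.z.port: NetFlow v5, 122.768 uptime, 1114950326.485793000, #785, 12 recs
""".splitlines()
# Constructed variant: the middle datagram removed to simulate loss on the path.
SAMPLE_GAP = [SAMPLE_OK[0], SAMPLE_OK[2]]

if __name__ == "__main__":
    for name, sample in (("as captured", SAMPLE_OK), ("one dropped", SAMPLE_GAP)):
        print(name, "->", check_stream(sample) or "consistent")
```

Run over a capture taken on the collector, an empty result means every exported flow up to that point arrived at the capture interface in order.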



