[netflow-tools] problems with pfflowd that don't happen with softflowd

Damien Miller djm at mindrot.org
Tue May 3 11:53:36 EST 2005


Michael W. Lucas wrote:
> with pfflowd and the patch, no records appear.  Here's the tcpdump:

OK, so it is not the interface index. I'll have to install flow-tools to
see what the problem is.

> With softflowd and the patch, it appears that flow-capture stops
> receiving records.  I started the tcpdump on the collector and ran
> "softflowctl expire-all" on the shaper, then checked the flow-capture
> file contents:
> 
> #flowdumper tmp-v05.2005-05-01.083501-0400 | wc -l
>        0
> #
> 
> Mind you, once I do a "softflowctl shutdown" and restart with the
> unpatched softflowd binary, I abruptly see:
> 
> #flowdumper tmp-v05.2005-05-01.083501-0400 | wc -l
>    26151
> #
> 
> So, could the flows just be resent upon shutdown?  Or perhaps
> flow-capture somehow cached them before writing them to disk.  :-(

That is most likely: softflowd sends immediately on expiry - it doesn't
queue export packets.

> I can rerun the test early tomorrow morning.
> 
> tcpdump: listening on bge0, link-type EN10MB (Ethernet), capture size 1500 bytes
> 08:38:01.723537 IP (tos 0x0, ttl  63, id 16481, offset 0, flags [none], length: 1492) a.b.c.d.51473 > w.x.y.z.port: NetFlow v5, 230.801 uptime, 1114951081.726391000, #1538, 30 recs
> 08:38:01.723685 IP (tos 0x0, ttl  63, id 16482, offset 0, flags [none], length: 1492) a.b.c.d.51473 > w.x.y.z.port: NetFlow v5, 230.801 uptime, 1114951081.726391000, #1568, 30 recs

The sequence numbers look OK at least :)

-d
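The sequence check made by eye above can be automated. The following is an added example, not part of the original message or of softflowd, pfflowd or flow-tools. It parses the 24-byte NetFlow v5 export header and verifies that each datagram's flow sequence equals the previous sequence plus its record count, as in the trace (#1538 + 30 recs = #1568). The function names are hypothetical, and the sample datagrams are constructed from the header values shown in the tcpdump output with zero-filled records.

```python
import struct

# NetFlow v5 export header: version, count, sys_uptime (ms), unix_secs,
# unix_nsecs, flow_sequence, engine_type, engine_id, sampling_interval.
V5_HEADER = struct.Struct("!HHIIIIBBH")   # 24 bytes
V5_RECORD_LEN = 48                        # every v5 flow record is 48 bytes
MASK32 = 0xFFFFFFFF


def parse_v5_header(datagram):
    """Validate one export datagram and return (flow_sequence, count)."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _up, _secs, _nsecs, seq, _etype, _eid, _samp = \
        V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not NetFlow v5: version %d" % version)
    if len(datagram) != V5_HEADER.size + count * V5_RECORD_LEN:
        raise ValueError("length does not match record count %d" % count)
    return seq, count


def check_sequence(datagrams):
    """Return (index, expected_seq, got_seq, kind, flows_missing) for every
    datagram whose flow_sequence is not the previous sequence + count."""
    findings = []
    expected = None
    for index, datagram in enumerate(datagrams):
        seq, count = parse_v5_header(datagram)
        if expected is not None and seq != expected:
            delta = (seq - expected) & MASK32      # survives 32-bit wrap
            if delta < 0x80000000:
                findings.append((index, expected, seq, "gap", delta))
            else:                                  # counter moved backwards
                findings.append((index, expected, seq, "reset-or-reorder", 0))
        expected = (seq + count) & MASK32
    return findings


def build_datagram(seq, count=30):
    """Constructed sample: header values from the trace, zero-filled records."""
    header = V5_HEADER.pack(5, count, 230801, 1114951081, 726391000, seq, 0, 0, 0)
    return header + bytes(count * V5_RECORD_LEN)


if __name__ == "__main__":
    capture = [build_datagram(1538), build_datagram(1598)]  # #1568 dropped
    print(len(capture[0]) + 28, check_sequence(capture))
```

A 30-record datagram is 1464 bytes of UDP payload; adding the 20-byte IP and 8-byte UDP headers gives the 1492-byte length seen in the trace.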



