[netflow-tools] softflowd keeps crashing
alex k
xela at mailinglist.at
Mon Apr 13 20:14:45 EST 2009
Hi,
> On Sun, 12 Apr 2009, alex k wrote:
>
>> Hi Damien,
>>
>> Softflowd crashed again.
>>
>> In the nohup.out file I found the following:
>>
>> Shutting down after pcap EOF
>> Shutting down on user request
>> Starting expiry scan: mode -1
>> ...then a lot of...
>> Queuing flow seq:102338 ... for expiry reason 6 (or 5, 1, 4)
>> ...then a lot of...
>> EXPIRED: seq:...
>>
>> With nfdump I found again (at that time) entries with date about six
>> weeks
>> in the future.
>> But no wrong date in nohup.out.
>
> Are all the flows incorrectly dated, or just the ones from around the time
> softflowd exited?
>
It seems to me, that the first one or two flows after the crash (softflowd
gets started automatically) are the wrong dated ones.
It crashed at 00:04 and was started a few seconds after that (I found a
very fast way to do that).
nfdump -M /usr/local/nfsen/profiles-data/live/eth0 -T -r
2009/04/11/nfcapd.200904110005 -o long -c 1000
nfdump filter: any
Date flow start Duration Proto ...
2009-05-30 17:07:11.487 60.820 TCP ...
2009-05-30 17:07:11.487 60.820 TCP ...
2009-04-11 00:04:24.256 60.735 TCP ...
2009-04-11 00:04:24.256 60.735 TCP ...
It doesn't have to do anything with the crash itself but is the only
abnormal thing I can see.
>> What happened? Network error? Corrupted file? Socket problem?
>
> Is anything restarting (bringing down and back up) the network interface
> on which softflowd is listening? That can cause this sort of problem.
> This line:
>
>> Shutting down after pcap EOF
>
> Indicates that libpcap has closed itself.
As far as I can see, the network interface had no problem at that time.
The host is monitored and was never unreachable.
It could have been a problem with VMware. (The IP with the wrong dated
entries is a virtual machine.)
How can I find out, if it's a libpcap problem? It all happens in memory,
right?
xela
>
> -d
>
More information about the netflow-tools
mailing list