[netflow-tools] failed exports
Andrew McGill
list2009 at lunch.za.net
Fri Sep 11 02:26:31 EST 2009
Hi Kevin,
It looks like you can get failures exporting flows when send() returns an
error. The errno value is not captured, so you'll have to figure it out.
You didn't say where the flows are going, but most likely, the netflow
receiver that you are sending to is not able to collect all of the data at the
rate it receives it, and the kernel is friendly enough to let you know about
some icmp that floated back towards the sender.
You can also get errors if you are getting interrupted system calls --
softflowd does not retry send() if it is interrupted. Maybe VMware is doing
something like this to you?
You can probably diagnose what the actual error is with strace -esend `pidof
softflowd` -- or maybe -esendto (I haven't tried this myself). If you see
EINTR, it should be easy to fix the code.
&:-)
On Wednesday 09 September 2009 21:23:30 Kevin Wilcox wrote:
> Hi everyone. I'm running softflowd 0.9.8 installed from ports on
> FreeBSD 7.2-RELEASE p3.
>
> It is a virtual machine sitting on VMWare ESX using the em device
> driver and works great. It collects like a fiend with no lag
> whatsoever.
>
> My problem is when I issue 'softflowctl statistics'. After having
> softflowd running for about 15 minutes and issuing 'softflowctl
> statistics' on my busier link, I get:
>
> softflowd[13049]: Accumulated statistics:
> Number of active flows: 184115
> Packets processed: 27177224
> Fragments: 83352
> Ignored packets: 27 (27 non-IP, 0 too short)
> Flows expired: 289532 (0 forced)
> Flows exported: 485703 in 14536 packets (133766 failures)
> Packets received by libpcap: 27235906
> Packets dropped by libpcap: 58531
> Packets dropped by interface: 63
>
> The issue is in the flows reported line, namely the number of
> failures. I'm not sure if it's a matter of the send buffer needing to
> be increased or, well, what else it could be. I've checked network and
> disk utilisation on this machine and the flow collector and all are
> well under capacity - if anything, they are minimal usage. All virtual
> NICs are gigabit and the physical structure underneath is 100Mb. I'm
> about to create dedicated virtual NICs for the flow export so data
> never leaves the vswitch but I'm wondering if any of you folks that
> are monitoring gigabit links have some advice on where I can look to
> find the source of the failures (aside from having my sensor/collector
> running on virtual machines)? Scanning the archives has shown some
> softflowctl export errors from a few years ago but I get nothing in
> syslog about errors...
>
> Thanks!
>
> kmw
More information about the netflow-tools
mailing list