[netsa-tools-discuss] I found problem with rwflowpack show "NetFlow V9 sequence number mismatch for domain" in log.

Emily Sarneso ecoff at sei.cmu.edu
Thu Apr 16 15:54:13 EDT 2015


Hello Waranon,

The sequence number mismatch statement in the log is not really an error.  libfixbuf, which is the library that processes the NetFlow v9 packets, expects the first record to have a sequence number of 0.  Once libfixbuf receives the first packet it will set the expected sequence number appropriately.  These warning messages do not indicate that it is skipping flow records - it still processes the records in the packet. The log messages are simply a way for the user to determine if packets are somehow being dropped or are being received out of order.

You can disable the sequence number mismatch, option template removal, and record count discrepancy log messages by reinstalling fixbuf using the following commands:

make clean
CFLAGS="-DFB_SUPPRESS_LOGS=1" make -e
make install


-Emily

-------
Emily Sarneso
CMU/SEI/CERT
ecoff at cert.org


On Apr 16, 2015, at 2:23 AM, Waranon Piasri <waranon.pia at gmail.com> wrote:

> Dear All,
> 
> 
>           Hello, I have SiLK v. 3.10.1 and libfixbuf v.1.6.1.  When I run rwflowpack command with 
> "rwflowpack --no-daemon --root-directory=/var/lib/flows/silk_device_1/ --site-config-file=/etc/sysconfig/silk.conf
>  --sensor-configuration=/etc/sysconfig/sensor.conf --log-directory=/var/log/ --pack-interfaces --sensor-name=S0'"
> 
>   and I found some errors, as below
> 
> Apr 15 05:16:21 BCIRENFLWP01 rwflowpack[8684]: 'rwflowpack' '--no-daemon' '--root-directory=/var/lib/flows/silk_device_1/' '--site-config-file=/etc/sysconfig/silk.conf'
>  '--sensor-configuration=/etc/sysconfig/sensor.conf' '--log-directory=/var/log/' '--pack-interfaces' '--sensor-name=S0'
> Apr 15 05:16:21 BCIRENFLWP01 rwflowpack[8684]: Using packing logic from /usr/lib64/silk/packlogic-twoway.so
> Apr 15 05:16:21 BCIRENFLWP01 rwflowpack[8684]: Creating stream cache
> Apr 15 05:16:21 BCIRENFLWP01 rwflowpack[8684]: Creating NetFlowV9 Reader for probe 'S0' on *:9996
> Apr 15 05:16:21 BCIRENFLWP01 rwflowpack[8684]: Starting flush timer
> Apr 15 05:16:37 BCIRENFLWP01 rwflowpack[8684]: 'S0': accepted connection from 10.20.144.102:46971, domain 0x0001
> Apr 15 05:16:37 BCIRENFLWP01 rwflowpack[8684]: NetFlow V9 sequence number mismatch for domain 0x0001, expecting 0x0000 received 0x2740
> Apr 15 05:16:40 BCIRENFLWP01 rwflowpack[8684]: 'S0': accepted connection from 10.20.144.101:38670, domain 0x0001
> Apr 15 05:16:40 BCIRENFLWP01 rwflowpack[8684]: NetFlow V9 sequence number mismatch for domain 0x0001, expecting 0x0000 received 0x204d
> Apr 15 05:18:21 BCIRENFLWP01 rwflowpack[8684]: 'S0': forward 0, reverse 0, ignored 0, nf9: missing-pkts 0
> Apr 15 05:20:21 BCIRENFLWP01 rwflowpack[8684]: Flushing files after 120 seconds.
> 
>       Please suggest how to fix this problem.
> 
> Best regards,
> Waranon Piasri
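
The distinction drawn in the reply above, between the mismatch logged at startup and mismatches that point to dropped or reordered packets, can be checked over an rwflowpack log with a short script. This is an added example, not part of the original thread and not SiLK or libfixbuf code; the function names and the "initial"/"gap"/"late" labels are hypothetical, and it assumes the logged values are the 32-bit NetFlow v9 header sequence counter.

```python
import re
from collections import Counter

# Warning text as it appears in the log excerpt quoted in this thread.
MISMATCH = re.compile(
    r"NetFlow V9 sequence number mismatch for domain (0x[0-9a-fA-F]+), "
    r"expecting (0x[0-9a-fA-F]+) received (0x[0-9a-fA-F]+)"
)
SEQ_MOD = 1 << 32  # assumption: sequence numbers wrap at 32 bits

# Sample input: first two messages are from the thread, the rest are constructed.
SAMPLE = [
    "NetFlow V9 sequence number mismatch for domain 0x0001, expecting 0x0000 received 0x2740",
    "NetFlow V9 sequence number mismatch for domain 0x0001, expecting 0x0000 received 0x204d",
    "NetFlow V9 sequence number mismatch for domain 0x0001, expecting 0x2745 received 0x2748",
    "NetFlow V9 sequence number mismatch for domain 0x0001, expecting 0x2750 received 0x274e",
    "'S0': forward 0, reverse 0, ignored 0, nf9: missing-pkts 0",
]


def classify(line):
    """Return (domain, kind, distance) for a mismatch line, else None."""
    m = MISMATCH.search(line)
    if not m:
        return None
    domain = m.group(1)
    expected, received = int(m.group(2), 16), int(m.group(3), 16)
    if expected == 0:
        # No prior state for this domain: the startup case described in the reply.
        return (domain, "initial", 0)
    delta = (received - expected) % SEQ_MOD  # wrap-safe forward distance
    if delta < SEQ_MOD // 2:
        return (domain, "gap", delta)  # jumped ahead: consistent with dropped packets
    return (domain, "late", SEQ_MOD - delta)  # behind expected: consistent with reordering


def summarize(lines):
    """Count mismatch messages per (domain, kind)."""
    counts = Counter()
    for line in lines:
        result = classify(line)
        if result:
            counts[(result[0], result[1])] += 1
    return counts


if __name__ == "__main__":
    for (domain, kind), n in sorted(summarize(SAMPLE).items()):
        print(f"domain {domain}: {kind} x{n}")
```

A log that shows only "initial" entries right after each accepted connection matches the harmless case; recurring "gap" or "late" entries are the ones worth following up on the path between exporter and collector.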


