[netsa-tools-discuss] I found problem with rwflowpack show "NetFlow V9 sequence number mismatch for domain" in log.
Waranon Piasri
waranon.piasri at bred-it.com
Thu Apr 16 22:04:12 EDT 2015
*Dear Emily,*
Thank you for your support.
*Best regards,*
Waranon Piasri.
On Fri, Apr 17, 2015 at 2:54 AM, Emily Sarneso <ecoff at sei.cmu.edu> wrote:
> Hello Waranon,
>
> The sequence number mismatch statement in the log is not really an error.
> libfixbuf, which is the library that processes the NetFlow v9 packets,
> expects the first record to have a sequence number of 0. Once libfixbuf
> receives the first packet it will set the expected sequence number
> appropriately. These warning messages do not indicate that it is skipping
> flow records - it still processes the records in the packet. The log
> messages are simply a way for the user to determine if packets are somehow
> being dropped or are being received out of order.
>
> You can disable the sequence number mismatch, option template removal, and
> record count discrepancy log messages by reinstalling fixbuf using the
> following commands:
>
> make clean
> CFLAGS="-DFB_SUPPRESS_LOGS=1" make -e
> make install
>
>
> -Emily
>
> -------
> Emily Sarneso
> CMU/SEI/CERT
> ecoff at cert.org
>
>
> On Apr 16, 2015, at 2:23 AM, Waranon Piasri <waranon.pia at gmail.com> wrote:
>
> > Dear All,
> >
> >
> > Hello, I have SiLK v. 3.10.1 and libfixbuf v.1.6.1. When I run the rwflowpack command with
> > "rwflowpack --no-daemon --root-directory=/var/lib/flows/silk_device_1/ --site-config-file=/etc/sysconfig/silk.conf --sensor-configuration=/etc/sysconfig/sensor.conf --log-directory=/var/log/ --pack-interfaces --sensor-name=S0"
> >
> > and I found some errors, as below
> >
> > Apr 15 05:16:21 BCIRENFLWP01 rwflowpack[8684]: 'rwflowpack' '--no-daemon' '--root-directory=/var/lib/flows/silk_device_1/' '--site-config-file=/etc/sysconfig/silk.conf' '--sensor-configuration=/etc/sysconfig/sensor.conf' '--log-directory=/var/log/' '--pack-interfaces' '--sensor-name=S0'
> > Apr 15 05:16:21 BCIRENFLWP01 rwflowpack[8684]: Using packing logic from /usr/lib64/silk/packlogic-twoway.so
> > Apr 15 05:16:21 BCIRENFLWP01 rwflowpack[8684]: Creating stream cache
> > Apr 15 05:16:21 BCIRENFLWP01 rwflowpack[8684]: Creating NetFlowV9 Reader for probe 'S0' on *:9996
> > Apr 15 05:16:21 BCIRENFLWP01 rwflowpack[8684]: Starting flush timer
> > Apr 15 05:16:37 BCIRENFLWP01 rwflowpack[8684]: 'S0': accepted connection from 10.20.144.102:46971, domain 0x0001
> > Apr 15 05:16:37 BCIRENFLWP01 rwflowpack[8684]: NetFlow V9 sequence number mismatch for domain 0x0001, expecting 0x0000 received 0x2740
> > Apr 15 05:16:40 BCIRENFLWP01 rwflowpack[8684]: 'S0': accepted connection from 10.20.144.101:38670, domain 0x0001
> > Apr 15 05:16:40 BCIRENFLWP01 rwflowpack[8684]: NetFlow V9 sequence number mismatch for domain 0x0001, expecting 0x0000 received 0x204d
> > Apr 15 05:18:21 BCIRENFLWP01 rwflowpack[8684]: 'S0': forward 0, reverse 0, ignored 0, nf9: missing-pkts 0
> > Apr 15 05:20:21 BCIRENFLWP01 rwflowpack[8684]: Flushing files after 120 seconds.
> >
> > Please suggest how to fix this problem.
> >
> > Best regards,
> > Waranon Piasri
>
>
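As an added example (not part of the thread, and not SiLK or libfixbuf code), a small triage script that follows the explanation quoted above: mismatch lines with "expecting 0x0000" are treated as the collector-startup case, and any other mismatch is reported as a forward gap or a backward step. The function name, the last three sample log lines, and the treatment of the sequence number as a 32-bit counter are assumptions of this example.

```python
import re

MISMATCH = re.compile(
    r"rwflowpack\[\d+\]: NetFlow V9 sequence number mismatch for domain "
    r"(0x[0-9a-fA-F]+), expecting (0x[0-9a-fA-F]+) received (0x[0-9a-fA-F]+)")
STATS = re.compile(r"rwflowpack\[\d+\]: '([^']+)': .*nf9: missing-pkts (\d+)")

# First three lines are taken from the log in the thread; the last three are
# constructed for this example to show a forward gap and a backward step.
SAMPLE_LOG = """\
Apr 15 05:16:37 BCIRENFLWP01 rwflowpack[8684]: NetFlow V9 sequence number mismatch for domain 0x0001, expecting 0x0000 received 0x2740
Apr 15 05:16:40 BCIRENFLWP01 rwflowpack[8684]: NetFlow V9 sequence number mismatch for domain 0x0001, expecting 0x0000 received 0x204d
Apr 15 05:18:21 BCIRENFLWP01 rwflowpack[8684]: 'S0': forward 0, reverse 0, ignored 0, nf9: missing-pkts 0
Apr 15 05:19:02 BCIRENFLWP01 rwflowpack[8684]: NetFlow V9 sequence number mismatch for domain 0x0001, expecting 0x2745 received 0x2748
Apr 15 05:19:30 BCIRENFLWP01 rwflowpack[8684]: NetFlow V9 sequence number mismatch for domain 0x0001, expecting 0x2750 received 0x274e
Apr 15 05:20:21 BCIRENFLWP01 rwflowpack[8684]: 'S0': forward 120, reverse 0, ignored 0, nf9: missing-pkts 3
"""

def triage(log_text):
    """Sort rwflowpack NetFlow v9 mismatch lines into startup, gap and reorder."""
    report = {"startup": [], "gap": [], "reorder": [], "missing_pkts": {}}
    for line in log_text.splitlines():
        m = MISMATCH.search(line)
        if m:
            domain, expected, received = (int(x, 16) for x in m.groups())
            if expected == 0:
                # Startup case from the thread: the first packet of a session
                # is expected to carry 0, so this is not a sign of loss.
                report["startup"].append((domain, received))
                continue
            # Assumption: 32-bit counter, so compare modulo 2**32.
            delta = (received - expected) & 0xFFFFFFFF
            if delta < 0x80000000:
                report["gap"].append((domain, delta))  # jumped ahead: possible drops
            else:
                # Stepped back: out-of-order delivery or an exporter restart.
                report["reorder"].append((domain, 0x100000000 - delta))
            continue
        s = STATS.search(line)
        if s:
            # Keep every periodic missing-pkts value reported for the probe.
            report["missing_pkts"].setdefault(s.group(1), []).append(int(s.group(2)))
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Only the "gap" and "reorder" entries and non-zero missing-pkts values call for a look at the path between exporter and collector; the "startup" entries are the benign case described in the reply.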