[netsa-tools-discuss] SiLK/libfixbuf ignoring sFlow records

Sun Jun 14 16:39:34 EDT 2015

I too am trying to collect sFlow records using Silk 3.10 and libfixbuf
version 1.6.2.  I am running rwflowpack using the following command line:

/usr/local/sbin/rwflowpack
--sensor-configuration=/usr/local/share/silk/etc/sensor.conf
--root-directory=/data/silk --log-destination=syslog

Looking at the syslog I get a bunch of entries

Jun 14 10:12:43 IPAmonitor rwflowpack[40932]: sFlow Sample sequence number
mismatch for agent 0x0001, expecting 0x11f8b4 received 0xd9c88f3
Jun 14 10:12:44 IPAmonitor rwflowpack[40932]: sFlow Sample sequence number
mismatch for agent 0x0001, expecting 0xd9c8900 received 0x219a9
Jun 14 10:12:44 IPAmonitor rwflowpack[40932]: sFlow Sample sequence number
mismatch for agent 0x0001, expecting 0x219aa received 0xd9c8900
Jun 14 10:12:44 IPAmonitor rwflowpack[40932]: sFlow Sample sequence number
mismatch for agent 0x0001, expecting 0xd9c890a received 0x11f8b4

I have not encountered any of the "Ignoring sFlow record: sFlow Record
Length Mismatch" messages mentioned in this thread, applying the patch to
fbsflow.c did not make any difference.

No data is being collected in /data/silk. I have attached a 10 packet
capture of the sFlow traffic. Has anyone seen this problem? Thanks.

Kent Kuriyama

-------------- sensor.conf ---------------------
probe IPA-Core sflow listen-on-port 6343 protocol udp end probe sensor S0
sflow-probes IPA-Core external-interface 216 internal-interface remainder
end sensor
-------------- next part --------------
HTML attachment scrubbed and removed
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file.tcpdump
Type: application/octet-stream
Size: 10388 bytes
Desc: not available
URL: <http://lists.sei.cmu.edu/pipermail/netsa-tools-discuss/attachments/20150614/faecaaf2/attachment.obj>