[netsa-tools-discuss] SiLK/libfixbuf ignoring sFlow records

Eric van Wiltenburg vanwilt at uvic.ca
Mon Mar 23 18:47:33 EDT 2015


Hi there.

Running SiLK 3.9.0 with libfixbuf 1.6.2.  I¹ve been using SiLK with
netflow data for a number of months now and love it.  Recently I asked
network staff to throw me some sFlow data from a Brocade switch, but SiLK
isn't logging any sFlow data.  I believe it¹s a libfixbuf issue.

I captured a few packets and verified with Wireshark they are sFlow v5,
Enterprise=0.  Rwflowpack repeatedly spews the following (note the
consistent leftover value):

rwflowpack[20852]: 'brocade': Ignoring sFlow record: sFlow Record Length
Mismatch: (buffer has 1096, leftover 20)
rwflowpack[20852]: 'brocade': Ignoring sFlow record: sFlow Record Length
Mismatch: (buffer has 1096, leftover 20)
rwflowpack[20852]: 'brocade': Ignoring sFlow record: sFlow Record Length
Mismatch: (buffer has 1304, leftover 20)
rwflowpack[20852]: 'brocade': Ignoring sFlow record: sFlow Record Length
Mismatch: (buffer has 1208, leftover 20)
rwflowpack[20852]: 'brocade': Ignoring sFlow record: sFlow Record Length
Mismatch: (buffer has 1256, leftover 20)
rwflowpack[20852]: 'brocade': Ignoring sFlow record: sFlow Record Length
Mismatch: (buffer has 1184, leftover 20)
rwflowpack[20852]: 'brocade': Ignoring sFlow record: sFlow Record Length
Mismatch: (buffer has 1328, leftover 20)

There are occasionally some of these:
rwflowpack[25720]: sFlow sequence number mismatch for agent 0x0001,
expecting 0x90e9b1 received 0x90e9c5
rwflowpack[25720]: sFlow Sample sequence number mismatch for agent 0x0001,
expecting 0x25ae42a received 0x25ae47b



Recompiling libfixbuf with FB_SFLOW_DEBUG enabled yields the following
example:

version is 5
Sequence number 9470217
Enterprise 0;  Format 1;  Length 272
innerseqnum 39397488
Internal 1, Egress 66, Expanded 0, numrecs 4, datalen 1128
Ent 0, Format 1, Length 144, datalen: 1092
PROTOCOL is 1
TYPE is 2048
IPv4 proto 6
TCP sp 44402, dp 22136, flags 10
Ent 0, Format 1001, Length 16, datalen: 940
Ent 0, Format 1002, Length 16, datalen: 916
Ent 0, Format 1003, Length 32, datalen: 892
Enterprise 0;  Format 1;  Length 272
innerseqnum 39397489
Internal 1, Egress 67, Expanded 0, numrecs 4, datalen 848
Ent 0, Format 1, Length 144, datalen: 812
PROTOCOL is 1
TYPE is 2048
IPv4 proto 6
TCP sp 47557, dp 21831, flags 10
Ent 0, Format 1001, Length 16, datalen: 660
Ent 0, Format 1002, Length 16, datalen: 636
Ent 0, Format 1003, Length 32, datalen: 612
Enterprise 0;  Format 1;  Length 272
innerseqnum 39397490
Internal 1, Egress 67, Expanded 0, numrecs 4, datalen 568
Ent 0, Format 1, Length 144, datalen: 532
PROTOCOL is 1
TYPE is 2048
IPv4 proto 6
TCP sp 42188, dp 23887, flags 10
Ent 0, Format 1001, Length 16, datalen: 380
Ent 0, Format 1002, Length 16, datalen: 356
Ent 0, Format 1003, Length 32, datalen: 332
Enterprise 0;  Format 1;  Length 272
innerseqnum 39397491
Internal 1, Egress 67, Expanded 0, numrecs 4, datalen 288
Ent 0, Format 1, Length 144, datalen: 252
PROTOCOL is 1
TYPE is 2048
IPv4 proto 6
TCP sp 47557, dp 21831, flags 10
Ent 0, Format 1001, Length 16, datalen: 100
Ent 0, Format 1002, Length 16, datalen: 76
Ent 0, Format 1003, Length 32, datalen: 52
rwflowpack[21831]: 'brocade': Ignoring sFlow record: sFlow Record Length
Mismatch: (buffer has 1168, leftover 20)


I¹m not an sFlow expert, nor can I call myself a programmer.  I¹m working
my way through fbsflow.c, but I thought I¹d see if you had any ideas.

Thanks,
Eric




More information about the netsa-tools-discuss mailing list