[netsa-tools-discuss] SiLK/libfixbuf ignoring sFlow records

Emily Sarneso ecoff at sei.cmu.edu
Tue Mar 24 10:37:35 EDT 2015


Hello Eric,

Thanks for your interest in our tools.  I’m sorry to hear you’re having problems with collecting sFlow data.  sFlow support is somewhat new and we have had limited test deployments (that we know of) and the issue you are experiencing may be a problem in libfixbuf.  

> rwflowpack[21831]: 'brocade': Ignoring sFlow record: sFlow Record Length
> Mismatch: (buffer has 1168, leftover 20)


The sFlow Record Length mismatch concerns me, especially because there are consistently 20 extra bytes that fixbuf doesn’t think should be there.  From the debug information you provided (which is great, btw), the sFlow seems to be well-formed: there are 4 samples, each 272 bytes.  If you add in the sFlow header (28 bytes) and a sample header (8 bytes) for each of the samples: 28 + (4 * (272 + 8)) = 1148.  However, the buffer contains 1168 bytes.  The 20 extra bytes could be padding that fixbuf is not expecting or something else.  

Would it be possible to send me the PCAP file you are using to verify in Wireshark?  One sFlow packet should help me figure out what is going on here. 

Thanks,

Emily

------
Emily Sarneso
CMU/SEI/CERT
ecoff at cert.org




On Mar 23, 2015, at 6:47 PM, Eric van Wiltenburg <vanwilt at uvic.ca> wrote:

> Hi there.
> 
> Running SiLK 3.9.0 with libfixbuf 1.6.2.  I've been using SiLK with
> netflow data for a number of months now and love it.  Recently I asked
> network staff to throw me some sFlow data from a Brocade switch, but SiLK
> isn't logging any sFlow data.  I believe it's a libfixbuf issue.
> 
> I captured a few packets and verified with Wireshark they are sFlow v5,
> Enterprise=0.  Rwflowpack repeatedly spews the following (note the
> consistent leftover value):
> 
> rwflowpack[20852]: 'brocade': Ignoring sFlow record: sFlow Record Length
> Mismatch: (buffer has 1096, leftover 20)
> rwflowpack[20852]: 'brocade': Ignoring sFlow record: sFlow Record Length
> Mismatch: (buffer has 1096, leftover 20)
> rwflowpack[20852]: 'brocade': Ignoring sFlow record: sFlow Record Length
> Mismatch: (buffer has 1304, leftover 20)
> rwflowpack[20852]: 'brocade': Ignoring sFlow record: sFlow Record Length
> Mismatch: (buffer has 1208, leftover 20)
> rwflowpack[20852]: 'brocade': Ignoring sFlow record: sFlow Record Length
> Mismatch: (buffer has 1256, leftover 20)
> rwflowpack[20852]: 'brocade': Ignoring sFlow record: sFlow Record Length
> Mismatch: (buffer has 1184, leftover 20)
> rwflowpack[20852]: 'brocade': Ignoring sFlow record: sFlow Record Length
> Mismatch: (buffer has 1328, leftover 20)
> 
> There are occasionally some of these:
> rwflowpack[25720]: sFlow sequence number mismatch for agent 0x0001,
> expecting 0x90e9b1 received 0x90e9c5
> rwflowpack[25720]: sFlow Sample sequence number mismatch for agent 0x0001,
> expecting 0x25ae42a received 0x25ae47b
> 
> 
> 
> Recompiling libfixbuf with FB_SFLOW_DEBUG enabled yields the following
> example:
> 
> version is 5
> Sequence number 9470217
> Enterprise 0;  Format 1;  Length 272
> innerseqnum 39397488
> Internal 1, Egress 66, Expanded 0, numrecs 4, datalen 1128
> Ent 0, Format 1, Length 144, datalen: 1092
> PROTOCOL is 1
> TYPE is 2048
> IPv4 proto 6
> TCP sp 44402, dp 22136, flags 10
> Ent 0, Format 1001, Length 16, datalen: 940
> Ent 0, Format 1002, Length 16, datalen: 916
> Ent 0, Format 1003, Length 32, datalen: 892
> Enterprise 0;  Format 1;  Length 272
> innerseqnum 39397489
> Internal 1, Egress 67, Expanded 0, numrecs 4, datalen 848
> Ent 0, Format 1, Length 144, datalen: 812
> PROTOCOL is 1
> TYPE is 2048
> IPv4 proto 6
> TCP sp 47557, dp 21831, flags 10
> Ent 0, Format 1001, Length 16, datalen: 660
> Ent 0, Format 1002, Length 16, datalen: 636
> Ent 0, Format 1003, Length 32, datalen: 612
> Enterprise 0;  Format 1;  Length 272
> innerseqnum 39397490
> Internal 1, Egress 67, Expanded 0, numrecs 4, datalen 568
> Ent 0, Format 1, Length 144, datalen: 532
> PROTOCOL is 1
> TYPE is 2048
> IPv4 proto 6
> TCP sp 42188, dp 23887, flags 10
> Ent 0, Format 1001, Length 16, datalen: 380
> Ent 0, Format 1002, Length 16, datalen: 356
> Ent 0, Format 1003, Length 32, datalen: 332
> Enterprise 0;  Format 1;  Length 272
> innerseqnum 39397491
> Internal 1, Egress 67, Expanded 0, numrecs 4, datalen 288
> Ent 0, Format 1, Length 144, datalen: 252
> PROTOCOL is 1
> TYPE is 2048
> IPv4 proto 6
> TCP sp 47557, dp 21831, flags 10
> Ent 0, Format 1001, Length 16, datalen: 100
> Ent 0, Format 1002, Length 16, datalen: 76
> Ent 0, Format 1003, Length 32, datalen: 52
> rwflowpack[21831]: 'brocade': Ignoring sFlow record: sFlow Record Length
> Mismatch: (buffer has 1168, leftover 20)
> 
> 
> I'm not an sFlow expert, nor can I call myself a programmer.  I'm working
> my way through fbsflow.c, but I thought I'd see if you had any ideas.
> 
> Thanks,
> Eric
> 
> 
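
The byte accounting described in the reply above (a 28-byte sFlow datagram header plus an 8-byte header per sample), written out as an added example; it is not part of the original thread and not libfixbuf code. It assumes an sFlow v5 datagram with an IPv4 agent address, and the datagram it checks is constructed: the agent address, the zero-filled sample bodies and the 20 trailing zero bytes are stand-ins, since the thread does not establish what the real extra bytes are.

```python
import struct

HDR_IPV4 = 28    # version, address type, IPv4 agent, sub-agent, sequence, uptime, sample count
SAMPLE_HDR = 8   # sample type (enterprise << 12 | format) and sample length


def account_sflow_v5(buf):
    """Walk an sFlow v5 datagram (IPv4 agent) and account for every byte."""
    if len(buf) < HDR_IPV4:
        raise ValueError("buffer shorter than the datagram header")
    version, addr_type = struct.unpack_from("!II", buf, 0)
    if version != 5 or addr_type != 1:
        raise ValueError("only sFlow v5 with an IPv4 agent address is handled")
    sequence, _uptime, nsamples = struct.unpack_from("!III", buf, 16)
    offset, samples = HDR_IPV4, []
    for _ in range(nsamples):
        if offset + SAMPLE_HDR > len(buf):
            raise ValueError("sample header runs past the end of the buffer")
        tag, length = struct.unpack_from("!II", buf, offset)
        if offset + SAMPLE_HDR + length > len(buf):
            raise ValueError("sample length runs past the end of the buffer")
        samples.append((tag >> 12, tag & 0xFFF, length))  # enterprise, format, length
        offset += SAMPLE_HDR + length
    return {"sequence": sequence, "buffer": len(buf), "accounted": offset,
            "leftover": len(buf) - offset, "samples": samples}


def build_constructed(trailing=20):
    """Constructed datagram: 4 flow samples of 272 zero bytes, then `trailing` bytes."""
    # Agent 10.0.0.1, sub-agent 0 and uptime 0 are made-up values.
    header = struct.pack("!IIIIIII", 5, 1, 0x0A000001, 0, 9470217, 0, 4)
    sample = struct.pack("!II", (0 << 12) | 1, 272) + bytes(272)
    return header + sample * 4 + bytes(trailing)


if __name__ == "__main__":
    report = account_sflow_v5(build_constructed())
    for ent, fmt, length in report["samples"]:
        print(f"Enterprise {ent};  Format {fmt};  Length {length}")
    print(f"buffer has {report['buffer']}, accounted {report['accounted']}, "
          f"leftover {report['leftover']}")
```

Run against the UDP payload of a captured datagram, a non-zero `leftover` means the buffer holds bytes beyond what the header's sample count and the per-sample lengths account for.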



