[netsa-tools-discuss] SiLK/libfixbuf ignoring sFlow records

Emily Sarneso ecoff at sei.cmu.edu
Tue Mar 24 14:36:27 EDT 2015


Eric,

Thanks for the PCAP.  I have confirmed that there is an extra 20 bytes that seem to be just some non-zero filling.  I don’t know why they are in there or what purpose they serve.  Wireshark just seems to ignore them and a quick google search reveals that is what other tools do with them as well.  I have included a patch that you can apply to fixbuf that will ignore the extra fill bytes and log a warning message.

To apply the patch, save the attached file, change directory to the top of the sources (libfixbuf-1.6.2), and run the patch command:

patch -p1 < sflow_ignore_extra.diff

Configure, build, and install libfixbuf:

./configure ...
make
make install

Since it seems that every sFlow record you receive has the extra 20 bytes, you may either want to comment out the log message or compile fixbuf with:

make clean
CFLAGS="-DFB_SUPPRESS_LOGS=1" make -e

before installing, which will prevent the fixbuf log messages from being written to the rwflowpack log file.

Please let me know if you have any questions.

Emily




On Mar 24, 2015, at 10:37 AM, Emily Sarneso <ecoff at sei.cmu.edu> wrote:

> Hello Eric,
>
> Thanks for your interest in our tools.  I’m sorry to hear you’re having problems with collecting sFlow data.  sFlow support is somewhat new and we have had limited test deployments (that we know of) and the issue you are experiencing may be a problem in libfixbuf.
>
>> rwflowpack[21831]: 'brocade': Ignoring sFlow record: sFlow Record Length
>> Mismatch: (buffer has 1168, leftover 20)
>
>
> The sFlow Record Length mismatch concerns me, especially because there are consistently 20 extra bytes that fixbuf doesn’t think should be there.  From the debug information you provided (which is great, btw), the sFlow seems to be well-formed: there are 4 samples, each 272 bytes.  If you add in the sFlow header (28 bytes) and a sample header (8 bytes) for each of the samples: 28 + (4 * (272 + 8)) = 1148.  However, the buffer contains 1168 bytes.  The 20 extra bytes could be padding that fixbuf is not expecting or something else.
>
> Would it be possible to send me the PCAP file you are using to verify in Wireshark?  One sFlow packet should help me figure out what is going on here.
>
> Thanks,
>
> Emily
>
> ------
> Emily Sarneso
> CMU/SEI/CERT
> ecoff at cert.org
>
>
>
>
> On Mar 23, 2015, at 6:47 PM, Eric van Wiltenburg <vanwilt at uvic.ca> wrote:
>
>> Hi there.
>>
>> Running SiLK 3.9.0 with libfixbuf 1.6.2.  I've been using SiLK with
>> netflow data for a number of months now and love it.  Recently I asked
>> network staff to throw me some sFlow data from a Brocade switch, but SiLK
>> isn't logging any sFlow data.  I believe it's a libfixbuf issue.
>>
>> I captured a few packets and verified with Wireshark they are sFlow v5,
>> Enterprise=0.  Rwflowpack repeatedly spews the following (note the
>> consistent leftover value):
>>
>> rwflowpack[20852]: 'brocade': Ignoring sFlow record: sFlow Record Length
>> Mismatch: (buffer has 1096, leftover 20)
>> rwflowpack[20852]: 'brocade': Ignoring sFlow record: sFlow Record Length
>> Mismatch: (buffer has 1096, leftover 20)
>> rwflowpack[20852]: 'brocade': Ignoring sFlow record: sFlow Record Length
>> Mismatch: (buffer has 1304, leftover 20)
>> rwflowpack[20852]: 'brocade': Ignoring sFlow record: sFlow Record Length
>> Mismatch: (buffer has 1208, leftover 20)
>> rwflowpack[20852]: 'brocade': Ignoring sFlow record: sFlow Record Length
>> Mismatch: (buffer has 1256, leftover 20)
>> rwflowpack[20852]: 'brocade': Ignoring sFlow record: sFlow Record Length
>> Mismatch: (buffer has 1184, leftover 20)
>> rwflowpack[20852]: 'brocade': Ignoring sFlow record: sFlow Record Length
>> Mismatch: (buffer has 1328, leftover 20)
>>
>> There are occasionally some of these:
>> rwflowpack[25720]: sFlow sequence number mismatch for agent 0x0001,
>> expecting 0x90e9b1 received 0x90e9c5
>> rwflowpack[25720]: sFlow Sample sequence number mismatch for agent 0x0001,
>> expecting 0x25ae42a received 0x25ae47b
>>
>>
>>
>> Recompiling libfixbuf with FB_SFLOW_DEBUG enabled yields the following
>> example:
>>
>> version is 5
>> Sequence number 9470217
>> Enterprise 0;  Format 1;  Length 272
>> innerseqnum 39397488
>> Internal 1, Egress 66, Expanded 0, numrecs 4, datalen 1128
>> Ent 0, Format 1, Length 144, datalen: 1092
>> PROTOCOL is 1
>> TYPE is 2048
>> IPv4 proto 6
>> TCP sp 44402, dp 22136, flags 10
>> Ent 0, Format 1001, Length 16, datalen: 940
>> Ent 0, Format 1002, Length 16, datalen: 916
>> Ent 0, Format 1003, Length 32, datalen: 892
>> Enterprise 0;  Format 1;  Length 272
>> innerseqnum 39397489
>> Internal 1, Egress 67, Expanded 0, numrecs 4, datalen 848
>> Ent 0, Format 1, Length 144, datalen: 812
>> PROTOCOL is 1
>> TYPE is 2048
>> IPv4 proto 6
>> TCP sp 47557, dp 21831, flags 10
>> Ent 0, Format 1001, Length 16, datalen: 660
>> Ent 0, Format 1002, Length 16, datalen: 636
>> Ent 0, Format 1003, Length 32, datalen: 612
>> Enterprise 0;  Format 1;  Length 272
>> innerseqnum 39397490
>> Internal 1, Egress 67, Expanded 0, numrecs 4, datalen 568
>> Ent 0, Format 1, Length 144, datalen: 532
>> PROTOCOL is 1
>> TYPE is 2048
>> IPv4 proto 6
>> TCP sp 42188, dp 23887, flags 10
>> Ent 0, Format 1001, Length 16, datalen: 380
>> Ent 0, Format 1002, Length 16, datalen: 356
>> Ent 0, Format 1003, Length 32, datalen: 332
>> Enterprise 0;  Format 1;  Length 272
>> innerseqnum 39397491
>> Internal 1, Egress 67, Expanded 0, numrecs 4, datalen 288
>> Ent 0, Format 1, Length 144, datalen: 252
>> PROTOCOL is 1
>> TYPE is 2048
>> IPv4 proto 6
>> TCP sp 47557, dp 21831, flags 10
>> Ent 0, Format 1001, Length 16, datalen: 100
>> Ent 0, Format 1002, Length 16, datalen: 76
>> Ent 0, Format 1003, Length 32, datalen: 52
>> rwflowpack[21831]: 'brocade': Ignoring sFlow record: sFlow Record Length
>> Mismatch: (buffer has 1168, leftover 20)
>>
>>
>> I'm not an sFlow expert, nor can I call myself a programmer.  I'm working
>> my way through fbsflow.c, but I thought I'd see if you had any ideas.
>>
>> Thanks,
>> Eric
>>
>>
>
>
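The byte accounting in the thread (28-byte v5 header + 4 samples x (8-byte sample header + 272 bytes) = 1148 against a 1168-byte buffer) and the two ways a collector can react to the 20 leftover bytes, as an added Python example that is not part of this thread or of libfixbuf. The datagram is constructed to match the debug dump; the field layouts are the standard sFlow v5 ones and the record payloads are zero-filled placeholders.

```python
import struct

SFLOW_HDR_LEN = 28   # v5 header with an IPv4 agent address (7 x uint32)
SAMPLE_HDR_LEN = 8   # (enterprise << 12 | format) tag + data length

def build_flow_sample(seq, egress, records):
    """Format-1 flow sample: 32-byte fixed part, then (format, len, data) records."""
    body = struct.pack("!8I", seq, 1, 1024, 0, 0, 1, egress, len(records))
    for fmt, data in records:
        body += struct.pack("!II", fmt, len(data)) + data
    return struct.pack("!II", 1, len(body)) + body      # enterprise 0, format 1

def build_datagram(n_samples, fill=b""):
    """Constructed datagram shaped like the thread's debug dump: four flow
    records of 144/16/16/32 bytes per sample, plus optional trailing fill."""
    hdr = struct.pack("!7I", 5, 1, 0x0A000001, 0, 9470217, 123456, n_samples)
    recs = [(1, bytes(144)), (1001, bytes(16)), (1002, bytes(16)), (1003, bytes(32))]
    body = b"".join(build_flow_sample(39397488 + i, 66 + i, recs)
                    for i in range(n_samples))
    return hdr + body + fill

def parse_datagram(buf):
    """Walk the header and each sample by its declared length; return
    (samples, leftover). For the thread's packet: 28 + 4 * (8 + 272) = 1148
    bytes consumed out of 1168, so leftover is 20."""
    hdr = struct.unpack_from("!7I", buf, 0)
    if hdr[0] != 5:
        raise ValueError("not an sFlow v5 datagram")
    off, samples = SFLOW_HDR_LEN, []
    for _ in range(hdr[6]):
        tag, length = struct.unpack_from("!II", buf, off)
        off += SAMPLE_HDR_LEN
        if off + length > len(buf):
            raise ValueError("sample length runs past end of buffer")
        samples.append((tag >> 12, tag & 0xFFF, length))
        off += length
    return samples, len(buf) - off

def collector_decision(buf, tolerate_fill=False):
    """Return (kept_samples, log_line). Strict mode drops the whole record on
    any leftover, as the 'Ignoring sFlow record' log shows; tolerant mode
    (the patched behaviour the reply describes) keeps the samples and warns."""
    samples, leftover = parse_datagram(buf)
    if leftover == 0:
        return samples, None
    msg = "sFlow Record Length Mismatch: (buffer has %d, leftover %d)" % (len(buf), leftover)
    if tolerate_fill:
        return samples, "Warning: skipping %d fill bytes; %s" % (leftover, msg)
    return [], "Ignoring sFlow record: " + msg
```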

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sflow_ignore_extra.diff
Type: application/octet-stream
Size: 758 bytes
Desc: sflow_ignore_extra.diff
URL: <http://lists.sei.cmu.edu/pipermail/netsa-tools-discuss/attachments/20150324/d183a8a9/attachment.obj>

