[netsa-tools-discuss] yaf rejected packets

Emily Sarneso ecoff at cert.org
Tue Mar 7 10:48:16 EST 2017


Hello Leo,

I’m sure you have realized by now that YAF is actually rejecting much more than 47% of packets (there is a bug in the percentage calculations).  YAF is actually rejecting 90% of the total packets due to rejected packet type, of which:

6435584 (39%) ARP
10204677 (61%) 802.3 (Ethernet SLOW protocols like LACP)
2322 (0.01%) LLDP
26752 (0.16%) (unknown)

Assuming you are not running YAF with --ip4-only or --ip6-only, it’s difficult to say what the other (unknown) unsupported Layer 3 headers are.  Without modifying the code or capturing PCAP and looking at the data, I can only tell you that they are not IPv4, IPv6, ARP, LLDP, Ethernet type 0x8809 or 0x00-0x0100 (802.3 SLOW protocols).  If you are running YAF with '--ip4-only' or '--ip6-only' then the rejected protocol stats would be counted in that “unknown” category.  Sorry the output statistics are somewhat confusing.  I’ll make sure to fix the formatting (and percentage calculations) in the next YAF release.

If the packets are MPLS tagged, then there are compile options in YAF to collect non-IP packets (--enable-mpls, --enable-nonip).  However, it unfortunately won’t tell you much about the packets.

Hope that helps,

Emily



--------------------
Emily Sarneso
CMU/SEI/CERT
ecoff at cert.org






> On Mar 6, 2017, at 12:13 AM, Chris Inacio <inacio at cert.org> wrote:
> 
> 
> 
> From: Bistmans, Leo <leo.bistmans at uza.be>
> Reply: Bistmans, Leo <leo.bistmans at uza.be>
> Date: March 3, 2017 at 11:06:18 AM
> To: netsa-tools-discuss at cert.org <netsa-tools-discuss at cert.org>
> Subject:  [netsa-tools-discuss] yaf rejected packets 
> 
>> [2017-01-27 10:59:07] Processed 1786701 packets into 36580 flows: 
>> [2017-01-27 10:59:07] Mean flow rate 0.53/s. 
>> [2017-01-27 10:59:07] Mean packet rate 25.67/s. 
>> [2017-01-27 10:59:07] Virtual bandwidth 0.1761 Mbps. 
>> [2017-01-27 10:59:07] Maximum flow table size 67. 
>> [2017-01-27 10:59:07] 13657 flush events. 
>> [2017-01-27 10:59:07] 30595 asymmetric/unidirectional flows detected (83.64%) 
>> [2017-01-27 10:59:07] YAF read 18456072 total packets 
>> [2017-01-27 10:59:07] Assembled 36 fragments into 0 packets: 
>> [2017-01-27 10:59:07] Expired 15 incomplete fragmented packets. (0.00%) 
>> [2017-01-27 10:59:07] Maximum fragment table size 4. 
>> [2017-01-27 10:59:07] Rejected 16669335 packets during decode: (47.46%) 
>> [2017-01-27 10:59:07] 16669335 due to unsupported/rejected packet type: (47.46%) 
>> [2017-01-27 10:59:07] 16669335 unsupported/rejected Layer 3 headers. (47.46%) 
>> [2017-01-27 10:59:07] 6435584 ARP packets. (18.32%) 
>> [2017-01-27 10:59:07] 2322 LLDP packets. (0.01%) 
>> [2017-01-27 10:59:07] 10204677 802.3 packets. (29.05%) 
>> 
>> Fear of missing out on this high level of rejected packets. 
>> What would be best way to find out which type of data that gets discarded from statistics? 
>> 
>> 
>> yaf can be compiled for powerpc based network switch with CumulusLinux 2.5.x. It is now feeding ipfix into a Flowmon collector tool. 
>> 
>> Regards, 
>> Leo Bistmans 
>> 
> Leo,
> 
> Are you running MPLS?
> Can you tell us how you configured yaf, which options?  (the output from `yaf --version` will do it.)
> 
> We very much want to make sure that you aren’t losing 47% of your packets.
> 
> regards,
> -- 
> Chris Inacio
> inacio at cert.org
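
Added example, not part of the original thread and not YAF code: a short Python script that recomputes the rejection shares from the raw counters in the log quoted above, instead of trusting the printed percentages, and derives the "unknown" remainder. The function names are hypothetical, and the script assumes the log line wording matches the lines quoted in this thread.

```python
import re

# Counter lines copied from the yaf log quoted in this thread (timestamps dropped).
SAMPLE_LOG = """\
Processed 1786701 packets into 36580 flows:
YAF read 18456072 total packets
Rejected 16669335 packets during decode: (47.46%)
16669335 unsupported/rejected Layer 3 headers. (47.46%)
6435584 ARP packets. (18.32%)
2322 LLDP packets. (0.01%)
10204677 802.3 packets. (29.05%)
"""

# Only the integer counters are captured; the printed percentages are ignored.
PATTERNS = {
    "total": re.compile(r"YAF read (\d+) total packets"),
    "rejected": re.compile(r"Rejected (\d+) packets during decode"),
    "ARP": re.compile(r"(\d+) ARP packets"),
    "LLDP": re.compile(r"(\d+) LLDP packets"),
    "802.3": re.compile(r"(\d+) 802\.3 packets"),
}

def parse_counts(log_text):
    """Return {name: count} for every known counter found in the log text."""
    counts = {}
    for line in log_text.splitlines():
        for name, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                counts[name] = int(m.group(1))
    return counts

def rejection_breakdown(counts):
    """Recompute shares: rejected vs. total read, each type vs. rejected."""
    total, rejected = counts["total"], counts["rejected"]
    named = {k: counts.get(k, 0) for k in ("ARP", "802.3", "LLDP")}
    # Whatever the per-type counters do not explain is the "unknown" bucket.
    named["unknown"] = rejected - sum(named.values())
    if named["unknown"] < 0:
        raise ValueError("per-type counters exceed the rejected total")
    def pct(n, d):
        return round(100.0 * n / d, 2) if d else 0.0
    return {"rejected_pct_of_total": pct(rejected, total),
            "by_type": {k: (v, pct(v, rejected)) for k, v in named.items()}}

if __name__ == "__main__":
    print(rejection_breakdown(parse_counts(SAMPLE_LOG)))
```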


