Not seeing any flows using sflow-rt_3.0-1532 running on a Raspberry Pi

[Steve Saeedi]

I've installed the standard sflow-rt package on a RPI 4b and I've installed three apps. 

pi@raspberrypi:/usr/local/sflow-rt/log $ !tail

tail -1000f sflow-rt-0.log

2020-11-12T12:35:14-07:00 INFO: Starting sFlow-RT 3.0-1532

2020-11-12T12:35:14-07:00 INFO: Version check, running latest

2020-11-12T12:35:14-07:00 INFO: Listening, sFlow port 6343

2020-11-12T12:35:15-07:00 INFO: Listening, HTTP port 8008

2020-11-12T12:35:15-07:00 INFO: app/flow-trend/scripts/top.js started

2020-11-12T12:35:15-07:00 INFO: app/top-flows/scripts/top.js started

2020-11-12T12:35:15-07:00 INFO: app/flow-graph/scripts/graph.js started

It's connected to an Extreme switch which has sflow enabled sending to the RPI.

# sh sflow stat

SFLOW Statistics

Received frames     : 28565111

Sampled Frames      : 1554

Transmitted Frames  : 5618

Broadcast Frames    : 14388022

Multicast Frames    : 586989

Packet Drops        : 0

No flows have been detected on sflow-rt. I'm not seeing any errors.

http://10.4.1.137:8008/flows/json shows an empty []

Any hints to help me diagnose this issue?

TIA,

Steve

[Peter Phaal]

You need to configure a flow specification before flow records will be generated:

https://sflow-rt.com/define_flow.php

I see that you have the flow-trend application installed. In the Flow Trend web user interface, click on one of the flow definitions to define a flow and start trending the top keys.

You can verify that you are receiving packet samples by querying /flowkeys/json to see the list of tokens being decoded from the packet samples. These tokens can be used as keys to define flows.

[Steve Saeedi]

Thanks for the quick response. I believe I've defined the flows correctly.

% curl -H "Content-Type:application/json" -X PUT --data '{"keys":"ipsource,ipdestination,tcpsourceport,tcpdestinationport", "value":"bytes", "log":true}' http://10.4.1.137:8008/flow/tcp/json

http://10.4.1.137:8008/flowkeys/json results in an empty {}

http://10.4.1.137:8008/flow/tcp/json results in

{

 "t": 2,

 "log": true,

 "keys": "ipsource,ipdestination,tcpsourceport,tcpdestinationport",

 "activeTimeout": 60,

 "value": "bytes",

 "fs": ",",

 "n": 5

}

I believe the config on the Extreme Networks switch (10.4.1.10) is correct as well.

enable sflow

configure sflow collector 10.4.1.137 port 6343 vr "VR-Mgmt"

configure sflow agent ipaddress 10.4.1.10

enable sflow ports 1 both

TIA.

[Peter Phaal]

Does the sFlow-RT status page show values for Agents, sFlow Bytes, and sFlow Packets?

Can you see sFlow arriving using tcpdump? For example,

sudo tcpdump -i eth0 udp port 6343

Have you opened UDP port 6343 on your firewall? Even if tcpdump shows that sFlow is arriving it can still be dropped by the Linux firewall.

The sFlow-RT /analyzer/json and /agents/json query will let you see if there are any issues with the sFlow datagrams.

[Steve Saeedi]

Thanks for the response, Peter. My switches were configured to send out the management vlan, and I corrected that for the test and the sFlow started arriving at the Pi.

Thanks for your help.