how do you read tcpopts values ?


Vlad Kratsberg

May 18, 2021, 2:01:34 PM5/18/21
to sFlow-RT
Hello,

How do you read 'tcpopts' values?

For example, tcp_opts="2-1-3-1-1-1-1-1-1-1-1-1-1-1-1-4-0" ?
I am looking at the wiki, at the TCP options section, but because there are repeating options I can't make sense of it.

Could you please point me in the right direction on how to read these?

Thank you

Peter Phaal

May 18, 2021, 7:15:14 PM5/18/21
to sFlow-RT
The tcpopts field in sFlow-RT is an ordered list of the TCP option types seen in the packet header. In your example, the TCP packet contained the following sequence of options:
2. maximum segment size
1. no-op
3. window scale
1. no-op
1. no-op
1. no-op
...
4. sack permitted
0. end of option list

It seems excessive to have 12 no-ops in a row.

sFlow-RT doesn't record option values, just the option types. You can forward the sFlow to tshark / tcpdump for further analysis. 


You can use sFlow-RT to forward sFlow to additional analyzers:
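To make the mapping concrete, here is an added example (my code, not part of the thread or of sFlow-RT) that decodes a tcpopts string into option names, derives the same ordered kind list from raw TCP option bytes, and measures the longest run of no-ops so an unusual header like the one above can be flagged. The option-kind numbers are the standard IANA TCP option kinds; the sample bytes are constructed.

```javascript
// Names for TCP option kinds that commonly show up in a tcpopts list (IANA kinds).
const TCP_OPTION_NAMES = {
  0: 'end-of-option-list', 1: 'no-op', 2: 'maximum-segment-size',
  3: 'window-scale', 4: 'sack-permitted', 5: 'sack', 8: 'timestamps',
};

// Turn an sFlow-RT tcpopts value such as "2-1-3-1-4-0" into option names.
function decodeTcpOpts(value) {
  return value.split('-').map(function (kind) {
    return TCP_OPTION_NAMES[Number(kind)] || ('unknown-' + kind);
  });
}

// Walk raw TCP option bytes (kind, length, data...) and return the ordered list
// of kinds in the same "a-b-c" form sFlow-RT uses. Kinds 0 and 1 are single
// bytes; every other kind carries a length byte that covers kind+length+data.
function tcpOptsFromBytes(bytes) {
  const kinds = [];
  let i = 0;
  while (i < bytes.length) {
    const kind = bytes[i];
    kinds.push(kind);
    if (kind === 0) break;                    // end of option list: stop here
    if (kind === 1) { i += 1; continue; }     // no-op has no length byte
    const len = bytes[i + 1];
    if (len === undefined || len < 2 || i + len > bytes.length) {
      throw new Error('malformed TCP option kind ' + kind + ' at offset ' + i);
    }
    i += len;
  }
  return kinds.join('-');
}

// Longest run of consecutive no-ops (kind 1); a long run deserves a closer look.
function longestNoOpRun(value) {
  let best = 0, run = 0;
  value.split('-').forEach(function (kind) {
    run = kind === '1' ? run + 1 : 0;
    if (run > best) best = run;
  });
  return best;
}

// Constructed sample: MSS 1460, NOP, window scale 7, NOP, NOP, SACK permitted,
// then end-of-option-list padding out to a 4-byte boundary (16 bytes total).
const SAMPLE_OPTIONS = [2, 4, 0x05, 0xb4, 1, 3, 3, 7, 1, 1, 4, 2, 0, 0, 0, 0];
```

Running tcpOptsFromBytes(SAMPLE_OPTIONS) yields "2-1-3-1-1-4-0", which decodeTcpOpts then names one option at a time; the string from the question scores 12 no-ops in a row.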

Vlad Kratsberg

May 19, 2021, 1:58:48 PM5/19/21
to sFlow-RT
Hi Peter,

Thank you for the response. Exactly what I was looking for.

On a side note, how would I implement sFlow forwarding during the container build?

curl -H "Content-Type:application/json" -X PUT --data '{"address":"10.0.0.30"}' http://127.0.0.1:8008/forwarding/SessionA/json

My Dockerfile looks like this without forwarding and everything works great:

===========================================
FROM sflow/sflow-rt:latest

RUN /sflow-rt/get-app.sh sflow-rt browse-metrics && /sflow-rt/get-app.sh sflow-rt browse-flows && /sflow-rt/get-app.sh sflow-rt prometheus && /sflow-rt/get-app.sh sflow-rt flow-trend && /sflow-rt/get-app.sh sflow-rt top-flows && /sflow-rt/get-app.sh sflow-rt ddos-protect && /sflow-rt/get-app.sh sflow-rt ddos-blackhole

===========================================


2021-05-19T17:10:00Z INFO: Starting sFlow-RT 3.0-1549
2021-05-19T17:10:00Z INFO: Version check, 3.0-1591 available
2021-05-19T17:10:00Z INFO: Listening, sFlow port 6343
2021-05-19T17:10:01Z INFO: Listening, HTTP port 8008
2021-05-19T17:10:01Z INFO: app/ddos-blackhole/scripts/ddos.js started
2021-05-19T17:10:01Z INFO: app/browse-flows/scripts/top.js started
2021-05-19T17:10:01Z INFO: app/ddos-protect/scripts/ddos.js started
2021-05-19T17:10:01Z INFO: app/top-flows/scripts/top.js started
2021-05-19T17:10:01Z INFO: app/prometheus/scripts/export.js started
2021-05-19T17:10:01Z INFO: app/flow-trend/scripts/top.js started

When I add ENTRYPOINT.sh 

==========================================================

#!/bin/sh

### Enable sFlow forwarding
curl -H "Content-Type:application/json" -X PUT --data '{"address":"10.120.225.69"}' http://127.0.0.1:8008/forwarding/sFlowForward/json

====================================================================
I get connection refused as the curl was executed before the application started.

curl: (7) Failed to connect to 127.0.0.1 port 8008: Connection refused
==============================================================

How can I enable sFlow forwarding via the Dockerfile so that forwarding is applied after the application is started?

Thank you for your help. 

Peter Phaal

May 19, 2021, 2:44:56 PM5/19/21
to sFlow-RT
The easiest (and most reliable) way of performing custom initialization is to use the embedded JavaScript API.

For example, create the following init.js file in the same directory as your Dockerfile:

// Read the forwarding target from the -Dsflow.forward system property
var addr = getSystemProperty('sflow.forward');
if(addr) {
  // Create a forwarding session named sFlowForward that relays sFlow to addr
  setForward('sFlowForward',addr);
  logInfo('forwarding sFlow to ' + addr);
}

Modify the Dockerfile to copy the script into the sFlow-RT home directory:

FROM sflow/sflow-rt:latest

COPY init.js /sflow-rt/init.js
ENV RTAPP="-Dscript.file=init.js -Ddns.servers=resolv.conf -Dgeo.country=resources/config/GeoLite2-Country.mmdb -Dgeo.asn=resources/config/GeoLite2-ASN.mmdb -Doui.names=resources/config/oui.txt"
RUN /sflow-rt/get-app.sh sflow-rt browse-metrics && /sflow-rt/get-app.sh sflow-rt browse-flows && /sflow-rt/get-app.sh sflow-rt prometheus && /sflow-rt/get-app.sh sflow-rt flow-trend && /sflow-rt/get-app.sh sflow-rt top-flows && /sflow-rt/get-app.sh sflow-rt ddos-protect && /sflow-rt/get-app.sh sflow-rt ddos-blackhole

The RTAPP environment variable lets you set default system properties for your container. I added additional settings you might find useful, making geographic and DNS functionality available when defining flows, e.g. country:ipsource returns the country code associated with the ipsource address, see Defining Flows. You can type these expressions in the browse-flows app you have loaded.

Once you have built the container, launch with -Dsflow.forward=ipaddr to enable forwarding:

docker run -p 8008:8008 -p 6343:6343/udp image -Dsflow.forward=10.0.0.1

Writing Applications gives an overview of sFlow-RT APIs and how to build more complex applications (like the ones you are loading).

Vlad Kratsberg

May 19, 2021, 3:17:20 PM5/19/21
to sFlow-RT
Thank you Peter,

Worked like a charm.
