No flow sample output with "host sflow" and "sflowtool"

[Albert Feng]

Hello everyone, 

I'm trying to capture datagrams using "host sflow" and "sflowtool" on centos 6.5. (The versions I used are the latest source code)

But when I run the command "sflowtool -l", no flow sample output.

$ sflowtool -l
CNTR,ip,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,ip,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,ip,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,ip,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,ip,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,ip,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0

I have verify the output of my iptables --list --verbose --line-numbers

Chain INPUT (policy ACCEPT 999 packets, 128K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       60 48542 NFLOG      all  --  any    any     anywhere             anywhere            statistic mode random probability 0.002500 nflog-prefix "SFLOW" nflog-group 5

The hsflowd.config

sflow {
  collector { ip=127.0.0.1 udpport=6343 }
  nflog { group = 5  probability = 0.0025 }
}

But when I run "hsflowd -ddd", I haven't the output as follows:

netlink (228 bytes left) msg [len=208 type=1024 flags=0x0 seq=0 pid=0]

(ref:  http://blog.sflow.com/2010/12/ulog.html#comment-form_8874650628779465392)

I don't know why. Do you have an idea?

I also try to use PCAP, but it still doesn't work.

How should I do and could you please help me?

Thanks,

Albert

[Neil McKee]

Hi Albert,

It looks like you don't have enough packets yet for the default sampling-rate.   You can either generate some more traffic,  or change your hsflowd.conf to set a more aggressive sampling-rate:

sampling.1G = 10

sampling.10G = 10

sampling = 10

(the last one is the default that it will fall back on if the interface does not have an ifSpeed)

FYI those counter-samples with all zeros are triggered by the host counter-samples (the ones that have cpu/mem/disk counters but not the interface-counters that sflowtool -l is trying to print).

Neil

------
Neil McKee
InMon Corp.
http://www.inmon.com

--
You received this message because you are subscribed to the Google Groups "sFlow" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sflow+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[a...@kempiak.fr]

Hi,

I've got the same issue.

I'm generating 60Mbytes per sec of traffic and still no flowsample displayed with sflowtool :/

[Neil McKee]

What version of hsflowd is running (hsflowd -v)?  And was it compiled with FEATURES=NFLOG ?   (ls /etc/hsflowd/modules/mod_nflog.so).

You can see more if you do this:

sudo service hsflowd stop

sudo hsflowd -ddd 2>&1 

or perhaps with a filter like this:

sudo hsflowd -ddd 2>&1 | grep -i nflog

Feel free to send me the config file and the debug output.  You can also raise an issue directly on github here:

https://github.com/sflow/host-sflow/issues

Neil

------
Neil McKee
InMon Corp.
http://www.inmon.com

--