Query on sflow extended bgp src_as and dst_as


Vinu Chandran

Jan 31, 2024, 12:46:40 AM
to sFlow
Hello all,

I have a test topology like the one below:

-----> Ingress traffic -----> port-1 -- Device-1 --- port-2 ----------------> port-3 --- Device-2 --------->

Device-1 and Device-2 are running BGP and are neighbors. Device-1 is in AS-501 and Device-2 is in AS-502.
sFlow is enabled on Device-1, and port-1 and port-2 are among the sFlow-enabled ports.
TCP traffic is sent from left to right. Flows get exported to the collector. At the collector I am using sfcapd.
sfcapd is started using "sfcapd -w -D -E -Tall -l /flow_base_dir/sflow/router1/ -p 6343"
Once the exported flows are collected at the collector, they are aggregated using the command below:

$ nfdump -q -r /flow_base_dir/sflow/router1/nfcapd.xxxxx  -A 'srcas,dstas,bgpnext' -o raw

I see the output below. I see that src_as and dst_as are the same: AS-502. My query here is: what are the expected values of src_as and dst_as? Should they be 501 and 502, or should both be 502?

#++++++++++++++++++++++++++++++#
Flow Record:
  Flags        =              0x80 Sampled
  export sysid =                 1
  size         =               104
  first        =        1706479737 [2024-01-29 03:38:57]
  last         =        1706479797 [2024-01-29 03:39:57]
  msec_first   =               915
  msec_last    =               305
  src addr     =           0.0.0.0
  dst addr     =           0.0.0.0
  src port     =                 0
  dst port     =                 0
  fwd status   =                 0
  tcp flags    =              0x00 ......
  proto        =                 0
  (src)tos     =                 0
  (in)packets  =           1191936
  (in)bytes    =         147800064
  input        =                 0
  output       =                 0
  src as       =               502
  dst as       =               502
  src mask     =                 0 /0
  dst mask     =                 0 /0
  dst tos      =                 0
  direction    =                 0
  src vlan     =                 0
  dst vlan     =                 0
  in src mac   = 00:00:00:00:00:00
  out dst mac  = 00:00:00:00:00:00
  received at  =                 0 [1970-01-01 05:30:00.000]
  ip next hop  =           0.0.0.0
  bgp next hop =          10.0.0.2
  ip router    =           0.0.0.0
#++++++++++++++++++++++++++++++++++++++++++++++#

Thanks and regards

-Vinu

Peter Phaal

Jan 31, 2024, 1:18:08 AM
to sFlow
It's not clear what nfdump is doing with the sFlow since most fields appear to be missing.

Have you tried looking at the data using sflowtool (https://github.com/sflow/sflowtool)? The sflowtool output prints a detailed report of the contents of the sFlow datagrams.
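The src_as / dst_as values a collector reports are carried in the sFlow v5 extended_gateway record (extended data type 1003), which sflowtool decodes field by field. The Python below is an added example, not code from this thread or from sflowtool/nfdump: it decodes that structure as laid out in the sFlow v5 specification on a constructed record (next hop 10.0.0.2 and AS 501/502 follow the thread; the source AS 64496 and the destination_as mapping of the AS path to a single dst_as are assumptions).

```python
import ipaddress
import struct
from dataclasses import dataclass

AS_SET, AS_SEQUENCE = 1, 2  # as_path_segment_type values in the sFlow v5 spec


@dataclass
class ExtendedGateway:
    nexthop: str       # border router to use for the destination network
    router_as: int     # "as": AS number of the router that sampled the packet
    src_as: int        # AS number of the packet's source
    src_peer_as: int   # AS of the peer from which the source route was learned
    dst_as_path: list  # [(segment_type, [as, ...]), ...] towards the destination
    communities: list
    localpref: int


def decode_extended_gateway(buf: bytes) -> ExtendedGateway:
    """Parse the XDR body (no datagram/sample headers); truncated input raises struct.error."""
    off = 0
    def u32() -> int:
        nonlocal off
        (v,) = struct.unpack_from("!I", buf, off)
        off += 4
        return v
    addr_len = {1: 4, 2: 16}[u32()]  # address_type 1 = IPv4, 2 = IPv6; others -> KeyError
    nexthop = str(ipaddress.ip_address(buf[off:off + addr_len]))
    off += addr_len
    router_as, src_as, src_peer_as = u32(), u32(), u32()
    path = []
    for _ in range(u32()):                      # dst_as_path: count of segments
        seg_type = u32()
        path.append((seg_type, [u32() for _ in range(u32())]))
    communities = [u32() for _ in range(u32())]
    localpref = u32()
    if off != len(buf):
        raise ValueError(f"{len(buf) - off} trailing bytes after extended_gateway")
    return ExtendedGateway(nexthop, router_as, src_as, src_peer_as, path, communities, localpref)


def destination_as(gw: ExtendedGateway):
    """Assumed collector mapping: dst_as = last AS of the last AS_SEQUENCE segment, else None."""
    for seg_type, ases in reversed(gw.dst_as_path):
        if seg_type == AS_SEQUENCE and ases:
            return ases[-1]
    return None


# Constructed sample body, not Device-1's real export: next hop 10.0.0.2 and AS 501/502
# follow the thread; src_as 64496 (documentation range) is made up.
SAMPLE_BYTES = struct.pack("!I4BIIIIIIIII", 1, 10, 0, 0, 2, 501, 64496, 64496, 1, AS_SEQUENCE, 1, 502, 0, 100)
```

Comparing the decoded fields against what sfcapd/nfdump print for the same sample shows which values the collector keeps, zeroes, or derives.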
