Query on sflow extended bgp src_as and dst_as


Vinu Chandran

Jan 31, 2024, 12:46:40 AM
to sFlow
Hello all,

I have a test topology like the one below:

-----> Ingress traffic -----> port-1 -- Device-1 --- port-2 ----------------> port-3 --- Device-2 --------->

Device-1 and Device-2 are running BGP and are neighbors. Device-1 is in AS-501 and Device-2 is in AS-502.
sFlow is enabled on Device-1, and port-1 and port-2 are among the sFlow-enabled ports.
TCP traffic is sent from left to right. Flows get exported to the collector. At the collector I am using sfcapd.
sfcapd is started using "sfcapd -w -D -E -Tall -l /flow_base_dir/sflow/router1/ -p 6343"
Once the exported flows are collected at the collector, they are aggregated using the command below:

$ nfdump -q -r /flow_base_dir/sflow/router1/nfcapd.xxxxx  -A 'srcas,dstas,bgpnext' -o raw

I see the output below. I see that src_as and dst_as are the same: AS-502. My query here is: what are the expected values of src_as and dst_as? Should they be 501 and 502, or should both be 502?

#++++++++++++++++++++++++++++++#
Flow Record:
  Flags        =              0x80 Sampled
  export sysid =                 1
  size         =               104
  first        =        1706479737 [2024-01-29 03:38:57]
  last         =        1706479797 [2024-01-29 03:39:57]
  msec_first   =               915
  msec_last    =               305
  src addr     =           0.0.0.0
  dst addr     =           0.0.0.0
  src port     =                 0
  dst port     =                 0
  fwd status   =                 0
  tcp flags    =              0x00 ......
  proto        =                 0
  (src)tos     =                 0
  (in)packets  =           1191936
  (in)bytes    =         147800064
  input        =                 0
  output       =                 0
  src as       =               502
  dst as       =               502
  src mask     =                 0 /0
  dst mask     =                 0 /0
  dst tos      =                 0
  direction    =                 0
  src vlan     =                 0
  dst vlan     =                 0
  in src mac   = 00:00:00:00:00:00
  out dst mac  = 00:00:00:00:00:00
  received at  =                 0 [1970-01-01 05:30:00.000]
  ip next hop  =           0.0.0.0
  bgp next hop =          10.0.0.2
  ip router    =           0.0.0.0
#++++++++++++++++++++++++++++++++++++++++++++++#

Thanks and regards

-Vinu

Peter Phaal

Jan 31, 2024, 1:18:08 AM
to sFlow
It's not clear what nfdump is doing with the sFlow since most fields appear to be missing.

Have you tried looking at the data using sflowtool (https://github.com/sflow/sflowtool)? The sflowtool output prints a detailed report of the contents of the sFlow datagrams.

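The src_as / dst_as question above is really a question about the sFlow v5 extended_gateway record (enterprise 0, format 1003) that the router attaches to a flow sample; sflowtool prints its fields, and nfdump collapses them into src as / dst as. The decoder below is an added example, not code from the thread or from sflowtool, and follows the field layout in the sFlow v5 specification: a next_hop address, the router's own AS, src_as, src_peer_as, the AS path to the destination (segments of type AS_SET or AS_SEQUENCE), a community list and localpref. The ASNs, next hop and communities are constructed sample data from the RFC 5398 documentation range, and the "dst_peer_as = first AS on the path, dst_as = last AS on the path" derivation is an assumption about how collectors summarise the path, not something the spec mandates.

```python
"""Decode an sFlow v5 extended_gateway record (enterprise 0, format 1003).

Added example, not from the thread or from sflowtool. Layout per the sFlow v5 spec:
  next_hop nexthop; unsigned int as; unsigned int src_as; unsigned int src_peer_as;
  as_path_type dst_as_path<>; unsigned int communities<>; unsigned int localpref;
Input is the record body only (the data_format/length header has already been read).
"""
import ipaddress
import struct

IP_V4, IP_V6 = 1, 2            # sFlow address_type values
AS_SET, AS_SEQUENCE = 1, 2     # as_path_segment_type values


class Reader:
    """Minimal XDR reader: big-endian, every item 4-byte aligned."""
    def __init__(self, data: bytes):
        self.data, self.off = data, 0

    def raw(self, n: int) -> bytes:
        chunk = self.data[self.off:self.off + n]
        if len(chunk) != n:
            raise ValueError("truncated extended_gateway record")
        self.off += n
        return chunk

    def u32(self) -> int:
        return struct.unpack("!I", self.raw(4))[0]

    def u32_array(self) -> list:
        return [self.u32() for _ in range(self.u32())]


def parse_extended_gateway(data: bytes) -> dict:
    r = Reader(data)
    addr_type = r.u32()
    if addr_type == IP_V4:
        nexthop = ipaddress.IPv4Address(r.raw(4))
    elif addr_type == IP_V6:
        nexthop = ipaddress.IPv6Address(r.raw(16))
    else:
        raise ValueError(f"unknown next_hop address type {addr_type}")
    rec = {"nexthop": str(nexthop), "as": r.u32(),
           "src_as": r.u32(), "src_peer_as": r.u32()}
    segments = []
    for _ in range(r.u32()):                     # dst_as_path<> : list of segments
        seg_type = r.u32()
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError(f"unknown AS path segment type {seg_type}")
        segments.append((seg_type, r.u32_array()))
    rec["dst_as_path"] = segments
    rec["communities"] = r.u32_array()
    rec["localpref"] = r.u32()
    if r.off != len(data):
        raise ValueError("trailing bytes after extended_gateway record")
    # Assumption: collectors report the first AS on the path as dst_peer_as and the
    # last as dst_as. If the final segment is an AS_SET the "last" AS is ambiguous.
    flat = [asn for _, asns in segments for asn in asns]
    rec["dst_peer_as"] = flat[0] if flat else 0
    rec["dst_as"] = flat[-1] if flat else 0
    return rec


def build_extended_gateway(nexthop, as_, src_as, src_peer_as,
                           dst_as_path, communities, localpref) -> bytes:
    """Encode a record the same way, so the sample below is built, not pasted."""
    ip = ipaddress.ip_address(nexthop)
    out = bytearray(struct.pack("!I", IP_V4 if ip.version == 4 else IP_V6) + ip.packed)
    out += struct.pack("!IIII", as_, src_as, src_peer_as, len(dst_as_path))
    for seg_type, asns in dst_as_path:
        out += struct.pack("!II", seg_type, len(asns))
        out += b"".join(struct.pack("!I", a) for a in asns)
    out += struct.pack("!I", len(communities))
    out += b"".join(struct.pack("!I", c) for c in communities)
    out += struct.pack("!I", localpref)
    return bytes(out)


# Constructed sample: router in AS 64496, source in AS 64497 learned from peer 64498,
# destination reached via path 64499 -> 64500, one community, localpref 100.
SAMPLE_RECORD = build_extended_gateway(
    "10.0.0.2", 64496, 64497, 64498,
    [(AS_SEQUENCE, [64499, 64500])],
    [(64496 << 16) | 100], 100)

if __name__ == "__main__":
    for key, value in parse_extended_gateway(SAMPLE_RECORD).items():
        print(f"{key:12} = {value}")
```

With a real datagram, feed the bytes of each flow record whose data_format is 1003 into parse_extended_gateway and compare "as", "src_as" and the path against what sflowtool and nfdump report; a record where the path is empty or src_as equals the router's own AS will show up here directly rather than as two identical AS columns in an aggregate.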