sflowtool tcpdump and wireshark cannot see packets detailed


Phyo May Thet

Mar 14, 2017, 10:59:05 PM3/14/17
to sFlow
Hello,
   I am trying to capture the sFlow data using tcpdump, but I cannot see any packet information. In this case, I tried to send iperf UDP packets between two OpenStack nodes, and the network is configured with VxLAN. Could you please suggest what is going wrong? Thank you.

# sflowtool -p 6343 -l | grep FLOW
FLOW,192.168.121.81,0,1,fa163e33025b,fa163e2ac5f8,0x0800,0,0,10.0.0.3,10.0.0.2,17,0x00,64,43449,46354,0x18,0,-18,100
FLOW,192.168.121.81,0,1,fa163e4e8dad,fa163ec33bdc,0x0800,0,0,10.0.0.3,10.0.0.2,17,0x00,64,33762,46354,0x00,0,-18,100


# sflowtool -p 6343 -t | tcpdump -r -
reading from file -, link-type EN10MB (Ethernet)
10:54:56.000000 [|ether]
10:55:07.000000 [|ether]
10:55:07.000000 [|ether]

I also tried with wireshark as well but it shows error as follows:
$ wireshark -k -i <(sflowtool -t)
10:37:22          Warn Error "The file appears to be damaged or corrupt." while reading: "pcapng_read_packet_block: cap_len 32 is larger than packet_len 0." ("/tmp/wireshark_pcapng_63_20170315103722_PhCGl0")
10:37:23          Warn Error "Less data was read than was expected" while reading: "(null)" ("/tmp/wireshark_pcapng_63_20170315103722_PhCGl0")
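Added example, not part of the thread: a small Python parser for the sflowtool -l FLOW records quoted above. The field order is taken from sflowtool's documented line format (an assumption; check it against your own sflowtool version), and the check flags records whose reported packet_size is zero or whose IP_size is negative, as both records above are, so malformed or truncated samples can be spotted in the line output before trying to decode them with tcpdump.

```python
# Field order of sflowtool's "-l" FLOW records, taken from sflowtool's
# documented line format (assumption: check it against your sflowtool version).
FLOW_FIELDS = [
    "agent", "input_port", "output_port", "src_mac", "dst_mac", "ethertype",
    "in_vlan", "out_vlan", "src_ip", "dst_ip", "ip_protocol", "ip_tos",
    "ip_ttl", "src_port", "dst_port", "tcp_flags", "packet_size", "ip_size",
    "sampling_rate",
]
INT_FIELDS = ("ip_protocol", "ip_ttl", "packet_size", "ip_size", "sampling_rate")

# Constructed sample input: the two FLOW records quoted in the thread.
SAMPLE = """\
FLOW,192.168.121.81,0,1,fa163e33025b,fa163e2ac5f8,0x0800,0,0,10.0.0.3,10.0.0.2,17,0x00,64,43449,46354,0x18,0,-18,100
FLOW,192.168.121.81,0,1,fa163e4e8dad,fa163ec33bdc,0x0800,0,0,10.0.0.3,10.0.0.2,17,0x00,64,33762,46354,0x00,0,-18,100
"""

def parse_flow_line(line):
    """Split one FLOW record into a dict keyed by FLOW_FIELDS; None if not a FLOW line."""
    parts = line.strip().split(",")
    if len(parts) != len(FLOW_FIELDS) + 1 or parts[0] != "FLOW":
        return None
    rec = dict(zip(FLOW_FIELDS, parts[1:]))
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec

def check_record(rec):
    """Return the sanity problems found in a parsed FLOW record (empty list if none)."""
    problems = []
    if rec["packet_size"] <= 0:
        problems.append("packet_size %d is not positive" % rec["packet_size"])
    if rec["ip_size"] < 0:
        problems.append("ip_size %d is negative" % rec["ip_size"])
    if rec["sampling_rate"] <= 0:
        problems.append("sampling_rate %d is not positive" % rec["sampling_rate"])
    return problems

def audit(text):
    """Parse every FLOW line in text; return (records, {line_no: problems})."""
    records, findings = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_flow_line(line)
        if rec is None:
            continue
        records.append(rec)
        problems = check_record(rec)
        if problems:
            findings[n] = problems
    return records, findings
```

Running audit(SAMPLE) reports both records (lines 1 and 2), since each carries packet_size 0 and IP_size -18.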



Neil McKee

Mar 15, 2017, 2:36:31 PM3/15/17
to sf...@googlegroups.com
Which version of sflowtool?

/usr/local/bin/sflowtool -h 2>&1 | grep version

Latest is 3.40.

And which version of tcpdump?

/usr/sbin/tcpdump --version

Note that Wireshark can recognize sFlow natively, so you don't need sflowtool to "unwrap" the packet headers.

Or you might try sFlow-RT since it will decode deeper than sflowtool and unpack the vxlan tunneling.

Neil


--
You received this message because you are subscribed to the Google Groups "sFlow" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sflow+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Phyo May Thet

Mar 15, 2017, 9:22:54 PM3/15/17
to sFlow
Dear Neil,
   Thanks for your information. The versions are as follows:
$ /usr/sbin/tcpdump --version
tcpdump version 4.9.0
libpcap version 1.5.3
OpenSSL 1.0.1f 6 Jan 2014

$ /usr/local/bin/sflowtool -h 2>&1 | grep version
/usr/local/bin/sflowtool version: 3.40

You mean I can directly monitor the sFlow OVS bridge using Wireshark? I have tried to monitor the OVS bridge using Wireshark but it doesn't show any packets.

Best regards,
Phyo

Neil McKee

Mar 16, 2017, 3:00:32 PM3/16/17
to sf...@googlegroups.com
It works for me with:

libpcap 1.7.4
tcpdump 4.9.0
sflowtool 3.40

on a Fedora 24 system. So not sure, but maybe you just need to update libpcap?

While you can decode individual sFlow packets with Wireshark, to monitor an OVS instance (or a whole network of them) I would suggest a higher level tool. sFlowTrend has a free version. sFlow-RT is free to evaluate. A whole collection of ecosystem tools are listed here: http://sflow.org/products/collectors.php.

I suggest you run hsflowd on the hypervisors too,  and have it configure sFlow on the OVS for you:



Phyo May Thet

Mar 20, 2017, 10:25:01 PM3/20/17
to sFlow
Thank you for your suggestions, Neil. After updating from libpcap 1.5.3 to 1.8.1, I can see the detailed packet information via tcpdump and wireshark.
Best regards,
Phyo