sFlow on TP-Link L3 Switch (T2600G) partial data capture.


Matt Ruston

Sep 30, 2020, 6:24:04 PM
to sFlowTrend

Hi all, I would be very interested to know if anyone has experience setting up sFlow from a TP-Link switch to sFlowTrend? I have my switch connecting to sFlowTrend, as it shows things such as TOPN; however, I'm missing lots of other useful data such as unicasts, multicasts, broadcasts, discards etc.
Just wondering if anyone has encountered similar? Many thanks.

sgjohnston

Oct 1, 2020, 4:40:25 AM
to sFlowTrend
Hi Matt,

We don't have any specific experience of sFlow on TPLink. It sounds like sFlowTrend is receiving flow data (used for top-n) but not counter data (for the other charts). The sFlow standard requires that counter data is sent along with flow data. Normally, you would expect a configuration option for this, specifying the time between counter exports - we would recommend every 20 or 30 seconds. Looking in the manual for the switch, I can't see any option for this - are you aware of any option to control it?

Another config option that I noticed was the maxData parameter, under the sflow collector command. This defaults to 300, which strikes me as low - perhaps if there's insufficient space in the datagram for the counter sample, it just gets lost? It would be worth increasing this, e.g. to the max of 1400.

If neither of these works, would you be able to capture a pcap of the sFlow being received by sFlowTrend? We would need a minimum of 5 minutes, and you can filter out traffic other than UDP:6343. If you could send that to sflowtrend[at]inmon.com, we can take a look at it. Also, please include the output from "show sflow global" and "sflow sflow sampler" on the switch.
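
Added example (not part of any poster's message, and not InMon or TP-Link code): a quick local check of whether captured sFlow v5 datagrams carry counter samples as well as flow samples. It assumes the UDP port 6343 payloads have already been extracted from the pcap as byte strings; `build_datagram` is a hypothetical helper that produces constructed test datagrams with opaque sample bodies.

```python
import struct
from collections import Counter

# sFlow v5 sample formats for enterprise 0; 3 and 4 are the "expanded" variants
SAMPLE_TYPES = {1: "flow", 2: "counters", 3: "flow", 4: "counters"}

def classify_samples(datagram: bytes) -> Counter:
    """Count flow vs. counter samples in one sFlow v5 datagram (UDP payload)."""
    version, addr_type = struct.unpack_from("!II", datagram, 0)
    if version != 5:
        raise ValueError(f"not sFlow v5 (version={version})")
    addr_len = {1: 4, 2: 16}.get(addr_type)  # 1 = IPv4 agent, 2 = IPv6 agent
    if addr_len is None:
        raise ValueError(f"unknown agent address type {addr_type}")
    offset = 8 + addr_len
    # sub-agent id, datagram sequence number, uptime (ms), number of samples
    _sub, _seq, _uptime, num_samples = struct.unpack_from("!IIII", datagram, offset)
    offset += 16
    counts = Counter()
    for _ in range(num_samples):
        if offset + 8 > len(datagram):           # sample header cut off
            counts["truncated"] += 1
            break
        tag, length = struct.unpack_from("!II", datagram, offset)
        offset += 8
        if offset + length > len(datagram):      # sample body cut off
            counts["truncated"] += 1
            break
        enterprise, fmt = tag >> 12, tag & 0xFFF
        kind = SAMPLE_TYPES.get(fmt, "other") if enterprise == 0 else "other"
        counts[kind] += 1
        offset += length                         # skip the sample body
    return counts

def summarize(datagrams) -> Counter:
    """Total sample counts over a whole capture."""
    return sum((classify_samples(d) for d in datagrams), Counter())

def build_datagram(formats, body=b"\x00" * 8) -> bytes:
    """Constructed test datagram: IPv4 agent 192.0.2.1, opaque sample bodies."""
    header = struct.pack("!II4sIIII", 5, 1, bytes([192, 0, 2, 1]), 0, 1, 1000, len(formats))
    return header + b"".join(struct.pack("!II", f, len(body)) + body for f in formats)

if __name__ == "__main__":
    capture = [build_datagram([1, 1]), build_datagram([1])]  # constructed: flow samples only
    totals = summarize(capture)
    print(dict(totals))
    if totals["flow"] and not totals["counters"]:
        print("flow samples present, no counter samples: counters are not being exported")
```

A capture that spans several counter polling intervals and still totals zero `counters` matches the symptom described in this thread: top-n charts populate while the interface counter charts stay empty.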

Kevin J. Crandall

Oct 1, 2020, 2:10:27 PM
to sflow...@googlegroups.com

My preferred and most reliable method for weird gear is to create a mirrored aka SPAN port of the desired physical port or a port that is tagged on the desired VLAN. Then I take a Raspberry Pi (any variant, I use RPi 3+) running basic Raspbian without the GUI, harden it, and install nprobe (properly licensed from ntop.org) and jack it in to the port mirror. nprobe must then be configured to emit the desired NetFlow to the collector. This configuration works on 99% of devices that have mirrored port functionality. nprobe is simply the best emitter on the market and its behavior is always reproducible.

I don't remember subscribing to this group, but I have a lot of experience with emitters such as Checkpoint firewalls, Cisco switch/router/firewall gear, Cisco with NBAR, HP MSR routers, pfSense and nprobe, and collectors such as ntopng, Scrutinizer, SolarWinds, etc. I prefer Plixer's Scrutinizer as my collector of choice.
