nfdump icon indicating copy to clipboard operation
nfdump copied to clipboard

Published 20 hours ago verified publisher icon phaag

sfcapd corrupts sflow version

Open ale91x opened this issue 4 years ago • 3 comments

The sfsapd daemon corrupts the sflow version, making it impossible to forward.

nfdump -E /tmp/sflow/nfcapd.202012151334 Exporters: SysID: 1, IP: 192.168.1.219, version: 9999, ID: 1, Sequence failures: 0, packets: 113, flows: 113 Sampler for Exporter SysID: 1, Generic Sampler: mode: 0, interval: 8192

Mr P.Haag, I sent the files for analysis to the mail.

ale91x avatar Dec 15 '20 13:12 ale91x

Current the sflow version is not properly stored, however this can be fixed. Forwarding sflow using the built-in forwarder in sflowd is not affected by this. nfreplay does not forward sflow anyway.

phaag avatar Dec 18 '20 11:12 phaag

Thanks Peter, are there plans to implement a sfreplay, similarly nfreplay? This would be pretty cool for filtering and forwarding sflow.

ale91x avatar Dec 18 '20 12:12 ale91x

I need to check how complicated it is.

phaag avatar Dec 18 '20 13:12 phaag

sflow records are now properly marked with the version. So far there will be no sfreplay. However, sflow stored data may also be replayed with nfreplay.

phaag avatar Dec 18 '22 14:12 phaag