nfdump icon indicating copy to clipboard operation
nfdump copied to clipboard
verified publisher icon phaag

Dual-stack sfcapd Listener

Open phaag opened this issue 2 months ago • 5 comments

Discussed in https://github.com/phaag/nfdump/discussions/649

Originally posted by bnerickson December 5, 2025 Apologies if this has been asked/answered before.

Setup: OS: Rocky Linux 10.1 Kernel: 6.12.0-124.8.1.el10_1.x86_64 nfdump version: nfdump-1.7.7-1.el10_2.x86_64 / nfdump-libs-1.7.7-1.el10_2.x86_64

Background: I currently use an archaic version of nfsen to parse/display sflow data from Linux machines in LibreNMS. My environment is dual-stack and I serve up an _sflow SRV DNS record for those hosts to export sflow data to with hsflowd. sfcapd is running in the background. Here's a sample of the sfcapd command running on the LibreNMS host:

/usr/bin/sfcapd -D -p 6343 -u librenms -g librenms -B 200000 -S 1 -P /var/nfsen/var/run/p6343.pid -z -n hostname,192.168.0.97,/opt/librenms/rrd/profiles-data/live/hostname

Question: Is there any interest in adding simultaneous dual-stack support to sfcapd or would it be too difficult/impossible? Ideally I'd like to have something like the following running and instead of creating a dummy sflow entry in DNS to only return an A entry for my LibreNMS host I could just point the Linux machines at the LibreNMS A/AAAA entry:

/usr/bin/sfcapd -4 -6 -D -p 6343 -u librenms -g librenms -B 200000 -S 1 -P /var/nfsen/var/run/p6343.pid -z -n hostnamea,192.168.0.97,fd00::ffff:c0a8:61,/opt/librenms/rrd/profiles-data/live/hostnamea

phaag avatar Dec 06 '25 11:12 phaag

I implemented the dual listener stack in the current master repo. By default - without options, nfcapd and sfcapd listen on both IPv4 and IPv6. You may use the command line switches -4 and -6 to force the collector to listen only on the specified IP address version. @bnerickson - Please test and report back.

phaag avatar Dec 07 '25 13:12 phaag

Thank you very much, @phaag . I went ahead and ran a couple tests and verified that, with no -4 nor -6 option the daemon was listening on v4+v6:

(0) [12:54:17] [root@librenms:/root]
# ss -l --udp -n | grep 6343
UNCONN 0      0                  *:6343             *:*

Likewise, I confirmed that sfcapd was receiving and processing sflow data received for the same host using two unique IP addresses: one IPv4 and one IPv6:

/usr/bin/sfcapd -D -p 6343 -u librenms -g librenms -B 200000 -S 1 -P /var/nfsen/var/run/p6343.pid -z -n hostnameB,192.168.0.89,/opt/librenms/rrd/profiles-data/live/hostnameB:

Dec  7 11:15:00 librenms.domain sfcapd[5719]: Ident: 'hostnameB' Flows: 1, Packets: 1000, Bytes: 175000, Sequence Errors: 0, Bad Packets: 0, Blocks: 20

/usr/bin/sfcapd -D -p 6343 -u librenms -g librenms -B 200000 -S 1 -P /var/nfsen/var/run/p6343.pid -z -n hostname,fd00::ffff:c0a8:59,/opt/librenms/rrd/profiles-data/live/hostnameB

Dec  7 13:00:00 librenms.domain sfcapd[22233]: Ident: 'hostnameB Flows: 1, Packets: 1000, Bytes: 126000, Sequence Errors: 0, Bad Packets: 0, Blocks: 21

Outstanding: In the original discussion I mentioned (but probably did a poor job of specifying) the ability to specify multiple IP addresses per source ala: -n hostnameB,192.168.0.89,fd00::ffff:c0a8:59,/opt/librenms/rrd/profiles-data/live/hostnameB. Is that out-of-scope of this issue? As far as I can tell it is unsupported.

bnerickson avatar Dec 07 '25 21:12 bnerickson

Ahh - sorry for that - my bad. I thought, you just misspelled the syntax. Yes - so far multiple IP addresses for the -n option is unsupported. It needs more code rewriting, due to the internal logic. I can put that on the todo stack.

phaag avatar Dec 08 '25 11:12 phaag

If we speak about multiple IP addresses, would 2 be ok? (Whatever type of IP) The idea behind the -n option is to define a flow source by an IP address - and limit the receiving packets to this IP address - and store all flows in a dedicated directory. Multiple -n flow sources may be specified. Each flow source can have multiple exporters as exporting devices, like routers or firewalls may have multiple exporters defined. Would that work?

phaag avatar Dec 09 '25 10:12 phaag

For my purposes two IP addresses would be sufficient. I imagine others would also find it sufficient for the most common use-case (an IPv4 loopback address and IPv6 loopback address). That being said, there's always the chance someone has a setup where a device may be represented by even more IPv[46] addresses. For instance, maybe they have an IPv[46] OOB network for delivering sflow/syslog/etc data, but if that network fails they failover to their inband network via a separate pair of IPv[46] loopback addresses. That person would want a source represented by four IP addresses.

Ideally, and if the changes to code aren't too significant, a source could have any number of IP addresses ala:

-n hostnameB,192.168.0.89,fd00::ffff:c0a8:59,2001:db8::c0a8:59,10.0.0.89,/opt/librenms/rrd/profiles-data/live/hostnameB

And the incredibly oversimplified pseudo-code is something akin:

for option in dash_n_arg:
    if loop.first:
        verify_src_name_not_used_already(option)
        src_name = option
    if not loop.last
        verify_src_ip_not_used_already(option)
        src_ips += option
    if loop.last
        verify_src_dir_not_used_already(option)
        src_dir = option

But obviously it's at your discretion whether that's feasible/worth the time and effort to implement. Thanks again.

bnerickson avatar Dec 09 '25 19:12 bnerickson