host-sflow icon indicating copy to clipboard operation
host-sflow copied to clipboard

Published 20 hours ago verified publisher icon sflow

add pcap option outbound=on to sample outbound packet only

Open setup74 opened this issue 5 years ago • 6 comments

add pcap option outbound=on to sample outbound packet only, usng bpf commands

remove src/Linux/Makefile to remove invalid dependecy on mod_docker.o in actions for hsflowd

setup74 avatar Oct 31 '19 08:10 setup74

I fixed the spurious Makefile dependency. Thanks for pointing that out. I don't know why we would want an option to sample outbound packets only, though? What purpose do you have in mind?

sflow avatar Nov 01 '19 18:11 sflow

To be used for HAPROXYs with single interfae using pcap sampling, where same traffic comes in and out "twice" (between clinet - HAPROXY and HAPROXY - Real Servers) throught the samwe interface. So to account the service traffic "once", need to do post-process sflow data or just do sample one direction only.

When HAPROXYs' VIPs and ports are complex and to be dynanically changed the post-procssing is hard to be implemented correctly. So just doing outbound-only sampling is easy solution for this case.

      1. 오전 3:26, sflow [email protected] 작성:

I fixed the spurious Makefile dependency. Thanks for pointing that out. I don't know why we would want an option to sample outbound packets only, though? What purpose do you have in mind?

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/sflow/host-sflow/pull/35?email_source=notifications&email_token=AHHYWAJJWGEAT5AL6VZE6KTQRRYGLA5CNFSM4JHF7EPKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEC3YUYQ#issuecomment-548899426, or unsubscribe https://github.com/notifications/unsubscribe-auth/AHHYWAJLGQ2NELTWGIUKHFDQRRYGLANCNFSM4JHF7EPA.

setup74 avatar Nov 02 '19 02:11 setup74

Selecting egress traffic is straightforward to do in post-processing. Just select packet samples where output ifindex == datasource index.

It's better not to filter at source because there may be other types of analysis that would need to see the ingress packets. The general philosophy of sFlow is to keep the agent simple and select data of interest at the collector.

sflow-rt avatar Nov 02 '19 05:11 sflow-rt

My host's interface is configured as: eth2, eth3 --> bond1 --> bond1.300 --> (macvlan) --> { macvlan sub interfaces in different netns } (to run HAPROXYs with separate network name spaces for each different overlay networks)

And unfortunately the hsflowd cannot catch the interface identity, when pcaping on: eth2, eth3, bond1, bond1.300

as in/out_interface value 0; also shown as hsflowd's debug output: takeSample: hook=0 tap=bond1 in= out= pkt_len=78 cap_len=64 mac_len=14 (...)

(pcaping on each netns's macvlan sub interfaces catches interface identity, but i hope only one hsflowd running on aggration point bond1.300)

But, even with this configuratition, pcaping with BPF outbound-only filtering works! (tested with Linux kernel 4.19.12-1.el7.elrepo.x86_64)

So is this strangely looking outbound-only option for.

      1. 오후 2:18, sflow-rt [email protected] 작성:

Selecting egress traffic is straightforward to do in post-processing. Just select packet samples where output ifindex == datasource index.

It's better not to filter at source because there may be other types of analysis that would need to see the ingress packets. The general philosophy of sFlow is to keep the agent simple and select data of interest at the collector.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/sflow/host-sflow/pull/35?email_source=notifications&email_token=AHHYWALEYS32GJU52OZLN4DQRUETZA5CNFSM4JHF7EPKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEC4UFEQ#issuecomment-549012114, or unsubscribe https://github.com/notifications/unsubscribe-auth/AHHYWAMG4FRS4ZMNY5MWASDQRUETZANCNFSM4JHF7EPA.

setup74 avatar Nov 04 '19 02:11 setup74

It sounds like you enabled pcap { dev=bond1.300)? Do you get packet direction information if you enable pcap { dev=eth2 } and pcap { dev=eth3 } (or pcap { dev=bond1 }) instead? This would allow you to monitor all macvlan tunnels (by filtering on the tunnel attributes in the sFlow analyzer).

sflow-rt avatar Nov 04 '19 02:11 sflow-rt

I used pcap sampling; the hsflowd.conf is (with ouitbound_only patch):

sflow { sampling=700 sampling.10G=700 collector { ip = my_collector_ip udpport = my_collector_port } pcap { dev = bond1.300 outbound_only = on } }

With my collector (pmacctd's sfacctd to dump sflow data cached into text csv files) sampling_direction info is printe out as emply string (no info)

Pcap dev on dev eth2, eth3 shows same pattern: no interface info and no sampling_direction info

I think, it might be from that macvlan sub interfaces are on it's own separate network name spaces; so the macvlan's sub interfaces are not appeared in default network namespace where the hsflowd is running.

      1. 오전 11:34, sflow-rt [email protected] 작성:

It sounds like you enabled pcap { dev=bond1.300)? Do you get packet direction information if you enable pcap { dev=eth2 } and pcap { dev=eth3 } (or pcap { dev=bond1 }) instead? This would allow you to monitor all macvlan tunnels (by filtering on the tunnel attributes in the sFlow analyzer).

setup74 avatar Nov 04 '19 05:11 setup74