Comments on sFlow: ULOG (13 comments)

Anonymous (2016-09-24 05:00):

Hi Neil,

I also have the same issue as tbriche.

$ sflowtool -l
CNTR,114.212.80.2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,114.212.80.2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,114.212.80.2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,114.212.80.2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,114.212.80.2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,114.212.80.2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0

I have verified the output of my iptables --list --verbose --line-numbers
Chain INPUT (policy ACCEPT 999 packets, 128K bytes)
num pkts bytes target prot opt in out source destination
1 60 48542 NFLOG all -- any any anywhere anywhere statistic mode random probability 0.002500 nflog-prefix "SFLOW" nflog-group 5

But when I run "hsflowd -ddd", I don't get the output as you said:
netlink (228 bytes left) msg [len=208 type=1024 flags=0x0 seq=0 pid=0]

I don't know why. Do you have an idea?

I also checked out the latest sources from github and tried using PCAP, but it doesn't work.

What should I do, and could you please help me?

Thanks,
Hanyang

tbriche (2016-03-21 14:31):

Hi Neil,
many thanks for your reply,

as you suggested, I have verified the output of my iptables --list --verbose, and I noticed that no options were passed. That's why I manually forced those params into the iptables conf file.

After that everything worked fine.

Many thanks again.

Thierry

Neil (2016-03-18 15:46):

Three suggestions:

(1) is iptables seeing packets? When I run "iptables --list --verbose" on a test server here I see:

Chain INPUT (policy ACCEPT 448M packets, 282G bytes)
 pkts bytes target prot opt in out source destination
 118M 61G NFLOG all -- any any anywhere anywhere statistic mode random probability 0.10000000009 nflog-prefix SFLOW nflog-group 5

(and hsflowd.conf has "nflogGroup=5" and "nflogProbability=0.1")

(2) If you run it with "hsflowd -ddd" you should see individual messages for every packet received on the NFLOG channel:

netlink (228 bytes left) msg [len=208 type=1024 flags=0x0 seq=0 pid=0]

(3) if you check out the very latest sources from github, and install libpcap-dev(el) then you can "make PCAP=yes" and use this in hsflowd.conf as another way to get packets (alternative to ULOG/NFLOG):

pcap { dev = eth0 }

If your kernel is 3.19 or later then this works out to be very efficient:
https://drive.google.com/a/inmon.com/file/d/0B7iu87Nt-FO9UWw1UE50MzdKLVU/view

Neil

tbriche (2016-03-18 08:54):

Hi Neil, I used your indications to set my hsflowd daemon with the NFLOG support.

By launching the daemon manually, I see that the NFLOG socket is ready:

configVMs
NFLOG socket fd=7
initAgent suceeded
Arena 0:
system bytes = 135168
in use bytes = 25728
Total (incl. mmap):
system bytes = 135168
in use bytes = 25728
max mmap regions = 0
max mmap bytes = 0
drop_priviliges: getuid=0
getrlimit(__RLIMIT_MEMLOCK) = 65536 (max=65536)
getrlimit(__RLIMIT_NPROC) = 7339 (max=7339)
getrlimit(RLIMIT_STACK) = 8388608 (max=4294967295)
getrlimit(RLIMIT_CORE) = 0 (max=4294967295)
getrlimit(RLIMIT_CPU) = 4294967295 (max=4294967295)
getrlimit(RLIMIT_DATA) = 4294967295 (max=4294967295)
getrlimit(RLIMIT_FSIZE) = 4294967295 (max=4294967295)
getrlimit(__RLIMIT_RSS) = 4294967295 (max=4294967295)
getrlimit(RLIMIT_NOFILE) = 1024 (max=4096)
getrlimit(RLIMIT_AS) = 4294967295 (max=4294967295)
getrlimit(__RLIMIT_LOCKS) = 4294967295 (max=4294967295)
state -> RUN
polling interval changed from 0 to 30
syncOutputFile
configVMs
my_os_calloc(128)
my_os_calloc(256)
setAddressPriorities
interfaces added: 0 removed: 0 cameup: 0 wentdown: 0 changed: 0
selectAgentAddress
selectAgentAddress selected agentIP with highest priority
agentAddressChanged=YES

and IPTABLES seems to be good too:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
10403 1239K NFLOG all -- any any anywhere anywhere

But on my collector, sflowtool shows me only 0,0,0... so I suppose I missed something, but I don't know where or what?

# sflowtool -c 172.31.1.149 -d 6343 -l -4
CNTR,172.31.1.149,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,172.31.1.149,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,172.31.1.149,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,172.31.1.149,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
CNTR,172.31.1.149,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0

Do you have an idea?

Thanks for your help
Thierry

Petsku (2015-12-24 09:36):

Hi Neil. I have hsflowd configured to receive NFLOG from iptables but how is it supposed to appear on sflowtrend? I have the free version and it looks like it can only receive data from host (cpu, memory etc.) or from SNMP (routers).

I did not have the libnfnetlink-dev installed so I will give it another try.

Neil (2015-12-24 08:34):

sFlowTrend will work, because it's a standard sFlow feed. You just have to get hsflowd configured appropriately for your servers. If ULOG is not working you can now try NFLOG instead. You may need to do something like this before you build hsflowd from the latest sources:

sudo apt-get install libnfnetlink-dev

then hsflowd will compile with the hooks that are required. See the latest hsflowd.conf for a commented-out example of using iptables to send packets to NFLOG:

https://github.com/sflow/host-sflow/blob/master/src/Linux/scripts/hsflowd.conf#L96

Petsku (2015-12-23 08:27):

Looks indeed like Traffic Sentinel (not free), sflow trend cannot do iptables logs. I tried. So have to find a free tool to do the same. So far no luck.

Peter (2015-12-23 08:11):

It looks like the chart was captured from sFlowTrend (http://www.inmon.com/products/sFlowTrend.php) or Traffic Sentinel (http://www.inmon.com/products/trafficsentinel.php)

Petsku (2015-12-23 07:11):

What is that sflow analyzer in the picture?

Neil (2015-05-05 12:13):

Yes. We hope to update it to use the newer mechanism. Probably before the end of this month.

Neil

Piyush (2015-05-05 02:43):

ULOG target was removed since 3.17.0 kernel release. See:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7200135bc1e61f1437dc326ae2ef2f310c50b4eb
will it be updated?

Anonymous (2014-06-16 11:29):

Ubuntu 12.04 has a busted implementation/build of the stats module, ie- ulog does not work. I tried 14.04 pkgs on 12, they installed, but I get no stats reporting in other than host sflow stats.

Can anyone advise if they've had success on 12.04 (without having to go build patched up iptables packages). I'm also curious if you must have DNSSD = on. I've tried both with no success.

Thanks!

Anonymous (2014-06-16 11:25):

I was not able to get this working on Ubuntu 12.04. iptables modules for statistics are not built/linked correctly so ulog will not work. I used iptables packages for 14.04 that were supposed to be fixed/patched. I can not get anything other than the normal base host sflow metrics to report.

Other notes -- I have tried this with and without DNSSD = on/off and various forms of iptables commands -- nothing.

Is DNSSD a must for this to work?
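
The check in Neil's first suggestion (does the NFLOG rule that iptables reports carry the statistic and nflog-group options that hsflowd.conf expects?) can be scripted. The following is an added example, not part of the comments or of the host-sflow project; the function and helper names are made up here, and the two listings are the ones posted in this thread.

```sh
#!/bin/sh
# Added example: compare NFLOG rules in `iptables --list --verbose` output
# with the nflogGroup / nflogProbability values set in hsflowd.conf.

# check_nflog_rules GROUP PROBABILITY  (iptables listing on stdin)
# Returns 0 if at least one NFLOG rule samples at PROBABILITY into GROUP.
check_nflog_rules() {
    awk -v want_group="$1" -v want_prob="$2" '
    {
        is_nflog = 0; group = ""; prob = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "NFLOG") is_nflog = 1
            if ($i == "nflog-group") group = $(i + 1)
            if ($i == "probability") prob = $(i + 1)
        }
        if (!is_nflog) next
        rules++
        if (prob == "") { print "rule " rules ": no statistic match, packets are not sampled"; next }
        if (group == "") { print "rule " rules ": no nflog-group option"; next }
        if (group != want_group) { print "rule " rules ": nflog-group " group ", hsflowd expects " want_group; next }
        diff = prob - want_prob; if (diff < 0) diff = -diff
        # iptables prints a rounded value (0.1 shows as 0.10000000009)
        if (diff > 0.000001) { print "rule " rules ": probability " prob ", hsflowd expects " want_prob; next }
        print "rule " rules ": ok"; ok++
    }
    END {
        if (rules == 0) print "no NFLOG rule found"
        exit (ok > 0 ? 0 : 1)
    }'
}

# Listings copied from the comments in this thread.
sample_working() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 448M packets, 282G bytes)
 pkts bytes target prot opt in out source destination
 118M 61G NFLOG all -- any any anywhere anywhere statistic mode random probability 0.10000000009 nflog-prefix SFLOW nflog-group 5
EOF
}
sample_missing_options() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
10403 1239K NFLOG all -- any any anywhere anywhere
EOF
}

sample_working | check_nflog_rules 5 0.1
sample_missing_options | check_nflog_rules 5 0.1 || true
```

On a live host the listing would come from `iptables --list --verbose` piped into the function, with the two arguments taken from hsflowd.conf.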