Hi Cedric,

43874 is the IANA-assigned enterprise number of pmacct. You have that as
part of your sFlow packets since tag or tag2 are part of your config
directive aggregate. Tags is pmacct-specific information and hence it's
encoded with the pmacct enterprise number. I believe you have two ways
forward: either you remove tags from your aggregate; or you find a way
to make them swallowed (decoded or skipped) by Net::sFlow (btw we should
have Elisa, the author of Net::sFlow, on the list - dunno if she has
anything to comment at this propo).

Cheers,
Paolo

On Wed, Jan 04, 2017 at 03:09:07PM +0100, Cédric ML wrote:
> Hi Paolo,
> sflowtool seems to give good results, but there is still one
> problem: in each sflow sample, I have this:
>
> skipping unknown flow_sample_element: 43874:2 len=16
> This causes problems with perl Net::sFlow library, as Flowdata
> enterprise: 43874 is not recognized.
> I'm unable to trace where this "43874" comes from...
>
> Regards,
> Cédric
>
>
> On 29/12/2016 at 12:38, Paolo Lucente wrote:
> >Hi Cedric,
> >
> >While i can't say it's the very same issue, it seems related to what i
> >describe in the following comment:
> >
> >https://github.com/pmacct/pmacct/issues/71#issuecomment-265497661
> >
> >The sFlow dissector of Wireshark seems buggy and i recommend using
> >sflowtools for debugging and troubleshooting purposes.
> >
> >Cheers,
> >Paolo
> >
> >On Wed, Dec 28, 2016 at 04:22:19PM +0100, Cédric ML wrote:
> >>Hello,
> >>I'm trying to make pmacct work with a bgp agent (bird).
> >>
> >>pmacct is installed on the bgp router, bgp_agent session is up, and
> >>prefixes are exported to pmacct process.
> >>
> >>This bgp router has three vlans (50,51,52) on interface eth0.
> >>
> >>I'm trying to get correct values in incoming/outgoing VLANs,
> >>and source/destination AS (using pretag.map, maybe there is a
> >>simpler way ?)
> >>
> >>My problem, when running "pmacctd -f pmacctd.sflow.conf", is that
> >>wireshark tells me : "Expert Info (Error/Malformed): Malformed
> >>Packet (Exception occurred)"
> >>Agent address & ID are correctly displayed in capture (agent
> >>address=127.0.0.1 & agent_id=0)
> >>
> >>Here's the output of pmacctd :
> >>
> >># pmacctd -f pmacctd.sflow.conf
> >>INFO ( default/core ): Promiscuous Mode Accounting Daemon, pmacctd
> >>1.6.2-git (20161222-00)
> >>INFO ( default/core ):
> >>INFO ( default/core ): Reading configuration file
> >>'/usr/local/etc/pmacct/pmacctd.sflow.conf'.
> >>INFO ( sfprobe/sfprobe ): plugin_pipe_size=4096000 bytes
> >>plugin_buffer_size=384 bytes
> >>INFO ( sfprobe/sfprobe ): ctrl channel: obtained=124928 bytes
> >>target=85328 bytes
> >>INFO ( default/core ): [/usr/local/etc/pmacct/pretag.map] (re)loading map.
> >>DEBUG ( sfprobe/sfprobe ): Creating sFlow agent.
> >>INFO ( sfprobe/sfprobe ): Exporting flows to [192.168.156.109]:6343
> >>INFO ( sfprobe/sfprobe ): Sampling at: 1/1000
> >>INFO ( default/core ): [/usr/local/etc/pmacct/pretag.map] map
> >>successfully (re)loaded.
> >>INFO ( default/core ): [/usr/local/etc/pmacct/pretag.map] (re)loading map.
> >>INFO ( default/core ): [/usr/local/etc/pmacct/pretag.map] map
> >>successfully (re)loaded.
> >>INFO ( default/core ): link type is: 1
> >>WARN ( default/core ): eth0: no IPv4 address assigned
> >>INFO ( default/core ): [/usr/local/etc/pmacct/agent_to_peer.map]
> >>(re)loading map.
> >>INFO ( default/core ): [/usr/local/etc/pmacct/agent_to_peer.map] map
> >>successfully (re)loaded.
> >>DEBUG ( default/core/BGP ): 1 thread(s) initialized
> >>INFO ( default/core/BGP ): maximum BGP peers allowed: 2
> >>INFO ( default/core/BGP ): waiting for BGP data on 127.0.0.1:17917
> >>INFO ( default/core/BGP ): [127.0.0.1] BGP peers usage: 1/2
> >>INFO ( default/core/BGP ): [x.x.x.x] Capability: MultiProtocol [1]
> >>AFI [1] SAFI [1]
> >>INFO ( default/core/BGP ): [x.x.x.x] Capability: 4-bytes AS [41] ASN
> >>[203596]
> >>INFO ( default/core/BGP ): [x.x.x.x] BGP_OPEN: Local AS: 203596
> >>Remote AS: 203596 HoldTime: 240
> >>DEBUG ( default/core/BGP ): [x.x.x.x] BGP_KEEPALIVE received
> >>DEBUG ( default/core/BGP ): [x.x.x.x] BGP_KEEPALIVE sent
> >>DEBUG ( sfprobe/sfprobe ): c08c60e112a7 -> 6805ca3dca86 (len = 1478,
> >>captured = 128)
> >>DEBUG ( sfprobe/sfprobe ): 78baf965af1f -> 6805ca3dca86 (len = 64,
> >>captured = 64)
> >>DEBUG ( sfprobe/sfprobe ): 78baf965af1f -> 6805ca3dca86 (len = 64,
> >>captured = 64)
> >>...
> >>
> >>
> >>Can anybody tell me what may be wrong in my config ?
> >>
> >>Best regards,
> >>Cédric
> >>
> >>========================================
> >>== file pmacctd.sflow.conf
> >>debug: true
> >>daemonize: false
> >>interface: eth0
> >>aggregate: tag, src_host, dst_host, src_port, dst_port, proto, tos,
> >>src_as, dst_as
> >>plugins: sfprobe[sfprobe]
> >>sfprobe_receiver: 192.168.156.109:6343
> >>sfprobe_direction[sfprobe]: tag
> >>sfprobe_ifindex[sfprobe]: tag2
> >>sampling_rate: 1000
> >>pmacctd_as: bgp
> >>bgp_daemon: true
> >>bgp_daemon_ip: 127.0.0.1
> >>bgp_daemon_port: 17917
> >>bgp_agent_map: /usr/local/etc/pmacct/agent_to_peer.map
> >>bgp_peer_as_skip_subas: true
> >>bgp_peer_src_as_type: bgp
> >>pre_tag_map: /usr/local/etc/pmacct/pretag.map
> >>
> >>== file agent_to_peer.map
> >>bgp_ip=x.x.x.x ip=0.0.0.0/0
> >>
> >>== file pretag.map (inspired by examples/pretag.map.example)
> >>set_tag=1 filter='ether src 00:26:51:cb:8f:db' jeq=five
> >>set_tag=1 filter='ether src d4:6d:50:23:2b:ea' jeq=six
> >>set_tag=1 filter='ether src 78:ba:f9:65:af:1f' jeq=seven
> >>set_tag=2 filter='ether dst 00:26:51:cb:8f:db' jeq=five
> >>set_tag=2 filter='ether dst d4:6d:50:23:2b:ea' jeq=six
> >>set_tag=2 filter='ether dst 78:ba:f9:65:af:1f' jeq=seven
> >>set_tag2=50 label=five
> >>set_tag2=51 label=six
> >>set_tag2=52 label=seven

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
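
Added example, not part of the original thread and not code from pmacct, sflowtool or Net::sFlow: a collector-side walk over sFlow v5 flow records that skips an unrecognised enterprise record such as "43874:2 len=16" by its length field, with bounds checks, instead of failing on it. Function names are hypothetical, the sample bytes are constructed, and the 16-byte body of the 43874:2 record is treated as opaque.

```python
import struct

PMACCT_PEN = 43874  # enterprise number named in the thread


class TruncatedRecord(ValueError):
    """A record header or body runs past the end of the sample."""


def walk_flow_records(buf, count):
    """Yield (enterprise, fmt, body) for `count` XDR-encoded flow records."""
    off = 0
    for _ in range(count):
        if off + 8 > len(buf):
            raise TruncatedRecord("record header past end of sample")
        data_format, length = struct.unpack_from("!II", buf, off)
        off += 8
        if length > len(buf) - off:
            raise TruncatedRecord("record length %d overruns sample" % length)
        # sFlow v5 data_format: enterprise in the top 20 bits, format in the low 12
        yield data_format >> 12, data_format & 0xFFF, buf[off:off + length]
        off += (length + 3) & ~3  # XDR opaque data is padded to 4 bytes


def decode_sample(buf, count, known):
    """Decode records with a handler in `known`; skip the rest by length."""
    decoded, skipped = [], []
    for ent, fmt, body in walk_flow_records(buf, count):
        handler = known.get((ent, fmt))
        if handler:
            decoded.append((ent, fmt, handler(body)))
        else:
            skipped.append("%d:%d len=%d" % (ent, fmt, len(body)))
    return decoded, skipped


def extended_switch(body):
    # Standard 0:1001 record: src_vlan, src_priority, dst_vlan, dst_priority
    return struct.unpack("!IIII", body)


def record(ent, fmt, body):
    """Build one flow record (helper for the constructed sample below)."""
    return struct.pack("!II", (ent << 12) | fmt, len(body)) + body


KNOWN = {(0, 1001): extended_switch}
# Constructed sample: an opaque 43874:2 record followed by a standard one.
SAMPLE = (record(PMACCT_PEN, 2, bytes(16)) +
          record(0, 1001, struct.pack("!IIII", 50, 0, 51, 0)))
```

The record after the skipped one still decodes because the walker advances by the declared (padded) length; a declared length that overruns the sample raises rather than reading past the buffer.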
