Level 11

NetFlow Packets Ignored or Not Formatted Properly?


I have a lot of sFlow data being collected from Extreme switches.  I just recently set up one of our BSD-based routers (pfSense) to export NetFlow data.  However, NTA does not display any of the info and seems to act like it is ignoring all packets being sent to it from this router.  I have used Wireshark to look at what is coming into the server, and I do see the flow packets coming on the correct port (2055), and that port is added to the NAT config.  So, I am looking for help in seeing if there is an issue with the format of the packets coming from the router (pfSense running softflowd).  And if not, then any other ideas?

Screenshots of Wireshark captures:

 

 

Thanks in advance.

Aaron

0 Kudos
1 Solution
Level 19

The exporter must have the source IP, source port, sourceIf, ToS, dest IP, dest Port and protocol to show up in NTA. Several of these are missing from that export.


0 Kudos
14 Replies
Level 9

I have a similar problem to the one shown here.  We have a network of 3750 switches that won't do NetFlow, so we set up SPAN ports and pushed the traffic to a Linux box.  The Linux box is using softflowd to format the NetFlow stream and send it to my Orion NTA server.  When I run a Wireshark capture, I get something similar to what you see above - the source/destination IPs and ports are coming through, but the InputInt and OutputInt and ToS show zero.

I'm definitely getting a steady stream of NetFlow data from the Linux box, but NTA doesn't appear to be accepting or processing any of it.  Has anyone else run into this situation, and can you suggest a fix? 

Thanks.

0 Kudos
Level 13

Hi,

The issue is that both InputInterfaceIndex (InputInt) and OutputInterfaceIndex (OutputInt) are zero. If this happens, we can't map the traffic to an interface managed by Orion and we must drop this traffic.

 

ET;

0 Kudos
Level 11

Thanks ET.  Not sure how to fix that.  When I change the export to version 9 I get the same result - nothing.  Packet capture of v9....

0 Kudos
Level 13

Sorry, I'm a developer; I don't know how to configure your router to export valid data. Let's wait for some network engineer to resolve your problem.

0 Kudos
Level 19

Can you share your sFlow config? I may be able to help you from that and a model number.

Andy

0 Kudos
Level 11

Hi Andy, sorry for the confusion, the sFlow data I collect from my Extreme switches is fine, other than being able to collect egress traffic only.

The issue I am having is setting up the FreeBSD-based pfSense routers to send properly formatted NetFlow data.

Aaron

0 Kudos
Level 19

Hi Aaron,

Is there a config option for interfaces on the pfSense software or is it just on/off?

0 Kudos
Level 11

There is a config option - it appears as though I can only enable it for one interface at a time.  My config has one physical interface hosting numerous VLANs, so I tried enabling it first for the physical interface that hosts the VLANs, and then for a single logical VLAN interface.  Either way, using v5, I would end up with the data showing zero as the input and output interface IDs as noted above.  When I change to v9 I get the info shown above.  Using Wireshark I do see the packets referencing the correct traffic cross the interface (physical or VLAN), but something is not agreeing with NTA.

0 Kudos
Level 19

The exporter must have the source IP, source port, sourceIf, ToS, dest IP, dest Port and protocol to show up in NTA. Several of these are missing from that export.


0 Kudos
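Added example, not part of any poster's reply and not SolarWinds or softflowd code: a Python check for the two conditions discussed in this thread, v5 records whose input and output interface indexes are both zero, and v9 templates that lack the fields listed in the accepted solution. Field-type numbers are from RFC 3954; the function names and the sample datagrams are constructed for illustration.

```python
import struct

# NetFlow v9 field-type numbers (RFC 3954) for the fields the thread lists.
REQUIRED_V9 = {8: "IPV4_SRC_ADDR", 7: "L4_SRC_PORT", 10: "INPUT_SNMP", 5: "SRC_TOS",
               12: "IPV4_DST_ADDR", 11: "L4_DST_PORT", 4: "PROTOCOL"}
V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")  # 48-byte v5 flow record

def v5_unmappable(datagram):
    """Indexes of v5 records whose input and output ifIndex are both zero."""
    version, count = struct.unpack_from("!HH", datagram)
    if version != 5 or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("not a complete NetFlow v5 datagram")
    recs = (V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
            for i in range(count))
    return [i for i, r in enumerate(recs) if r[3] == 0 and r[4] == 0]  # input, output

def v9_missing_fields(datagram):
    """Map each template ID in a v9 datagram to the required fields it lacks."""
    if len(datagram) < 20 or struct.unpack_from("!H", datagram)[0] != 9:
        raise ValueError("not a NetFlow v9 datagram")
    missing, offset = {}, 20                     # v9 header is 20 bytes
    while offset + 4 <= len(datagram):
        fs_id, fs_len = struct.unpack_from("!HH", datagram, offset)
        if fs_len < 4 or offset + fs_len > len(datagram):
            raise ValueError("bad flowset length")
        pos, end = offset + 4, offset + fs_len
        while fs_id == 0 and pos + 4 <= end:     # flowset ID 0 carries templates
            tid, nfields = struct.unpack_from("!HH", datagram, pos)
            if tid < 256 or pos + 4 + 4 * nfields > end:
                break                            # padding or truncated template
            types = {struct.unpack_from("!H", datagram, pos + 4 + 4 * k)[0]
                     for k in range(nfields)}
            missing[tid] = sorted(n for t, n in REQUIRED_V9.items() if t not in types)
            pos += 4 + 4 * nfields
        offset += fs_len
    return missing

# Constructed samples (not taken from the thread's captures).
def _v5(inp, out):   # one TCP flow 10.0.0.1:1234 -> 10.0.0.2:80
    return V5_RECORD.pack(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), bytes(4), inp, out,
                          5, 500, 0, 0, 1234, 80, 0x18, 6, 0, 0, 0, 24, 24)
SAMPLE_V5 = V5_HEADER.pack(5, 2, 0, 0, 0, 0, 0, 0, 0) + _v5(0, 0) + _v5(3, 4)
_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]  # no ifIndex, no ToS
SAMPLE_V9 = (struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0)
             + struct.pack("!HHHH", 0, 8 + 4 * len(_FIELDS), 1024, len(_FIELDS))
             + b"".join(struct.pack("!HH", t, l) for t, l in _FIELDS))
```

To run it against real traffic, pass the UDP payload of each export packet (for example, bytes received on the collector port) to the function matching the version in the first two bytes.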
Level 11

And in that regard, I have no idea how to make the add-on package send out what it should.  I haven't found much info on getting these packages to work well, and I have never found any info from anyone that was able to get something working with Orion (only other collectors).

0 Kudos
Level 19

nProbe does, but it's Win32-based.

0 Kudos
Level 11

I am doing some reading on nProbe right now.  Is there a particular configuration you would recommend?  I am trying to use NTA to collect all of the traffic flowing into this router - again, it all comes in via a single physical interface from an Extreme switch, that only supports sFlow.  On this interface there is a pretty steady 10-15 Mbps outbound (to the network) and 5-10 Mbps inbound (to the router/Internet) - roughly 500+ wireless Internet customers.  I am very willing to put a 2-port stand-alone box inline for this.

Thanks again for the info.  Much appreciated.

Aaron

0 Kudos
Level 15
0 Kudos
Level 11

Actually, that may just be my answer.  More simple than you think.... I hope.  Just by using the port-mirroring, I should be able to configure my switch to output all traffic to a single interface.  Then, if possible, I can have the switch export the flow data for that port (not sure if it will do this on a mirror interface).  Since sFlow samples egress data only, this is what I need.  I can simply connect that interface to a dead-end node to bring it up.  Again, the only thing I need to verify is if the Extreme XOS will allow me to configure sFlow on a mirrored destination port...

Thanks a bunch qle!!!  I will update here a little later once I try it....

0 Kudos