sFlow Crashing with Argus

Carter Bullard carter at qosient.com
Tue Oct 14 10:43:43 EDT 2014 

Hey Avinash,
Doesn’t compile on Mac OS X, which is our primary development system.
No problem, I have lots of Linux, which I can use for this.

OK, a few things about Sflow.  There are two flow concepts in an Sflow
stream, there is the Sflow flow, and there is the Sflow data.
An Sflow stream is composed of PDU’s that have flow sample descriptors
and raw packets.  ra* should be able to deal with the flow descriptors,
but not the raw packet contents.  Argus is needed to parse the raw
packet contents, but support for Sflow packet decode is not done,
its scheduled for the next release.  

What we’ll do now is correct the core dump, and generate some appropriate
output.  You should notice that the ra* support for sflow is incomplete,
but shouldn’t generate a core dump.  The current implementation should
parse the datagrams but there isn’t any code to generate any argus records.

Now that I have some sense that the InMon Agent actually generates
reasonable data, I can work on ra* support for sflow datagrams.
Expect that what you are interested in, however, will be argus
support for sflow.

Carter


On Oct 14, 2014, at 1:06 AM, Avinash Jha <aavinash19.93 at gmail.com> wrote:

> Thanks Carter for the quick reply.
> 
> I have used inmon sflow agent as mentioned in the previous mail, it works fine.I have used it on ubuntu 12.04.Could you tell me what were the errors.It might be possible I have encountered similar errors?
> 
> What will be the advantage of pcap?ra can not directly read from pcap file.Right?Argus server can read and that will be of no use for this purpose.
> 
> One another question, I analyzed the code using gdb and spotted the line where core dumped occurred.
> In common/argus_import.c ,SFLengthCheck code was aborting as actual length(104) and adjusted length(60) were not equal.Could you illuminate me what are those two lengths and what might be the probable causes of mismatch?I could work on it.
> 
> Thanks.Waiting for your reply.
> Regards,
> Avinash Jha
> 
> 
> 
> 
> On Mon, Oct 13, 2014 at 11:00 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey Avinash,
> There is not a lot of slow experience, so not surprising that there maybe a bug.
> Tried to compile the inmon sflow agent, and its has many errors.
> 
> Do you have a packet capture of the traffic  ???  If you can share that, I maybe
> able to debug.
> 
> Carter
> 
> 
>> On Oct 13, 2014, at 10:34 AM, Avinash Jha <aavinash19.93 at gmail.com> wrote:
>> 
>> Hi Carter , 
>> Apologies in advance if this question sounds very primitive. Actually I am new to Argus tool so I might be doing something wrong . 
>> 
>> I tested netflow with argus 3.0.8(ra and rasqlinsert).It works great.
>> I also wanted to use Sflow data and IPFIX data.But when I tried it using sflow simulator, I got core dump.
>> 
>> ra is showing core dump.
>> ra -S sflow://any:6343
>> Aborted (core dumped).
>> 
>> backtrace data is as follows 
>> #0  0x00007ffff7538425 in raise () from /lib/x86_64-linux-gnu/libc.so.6
>> #1  0x00007ffff753bb8b in abort () from /lib/x86_64-linux-gnu/libc.so.6
>> #2  0x00000000004a70c3 in SFLengthCheck (sample=0x7fffffffd8e0, start=0x7ffff7101030 "", len=108) at ./argus_import.c:4002
>> #3  0x00000000004a3462 in ArgusParseSFFlowSample (sptr=0x7fffffffd8e0, state=0) at ./argus_import.c:2550
>> #4  0x00000000004a3b84 in ArgusProcessSflowDatagram (parser=0x7ffff7e9c010, input=0x7ffff7e2b010, cnt=292) at ./argus_import.c:2663
>> #5  0x00000000004a3dd9 in ArgusReadSflowDatagramSocket (parser=0x7ffff7e9c010, input=0x7ffff7e2b010) at ./argus_import.c:2739
>> #6  0x000000000046ebac in ArgusReadStream (parser=0x7ffff7e9c010, queue=0x124f1f0) at ./argus_client.c:772
>> #7  0x0000000000406906 in main (argc=5, argv=0x7fffffffe1d8) at ./argus_main.c:387
>> 
>> The simulator that I had used was 
>> ./sflsp -d eth4 -c 6343 -C localhost -s 1
>> http://www.inmon.com/technology/sflowVersion5.php#code
>> 
>> 
>> Could you please direct me to appropriate link or if you could kindly share your insights to overcome this issue it will be great . 
>> 
>> Thanks for reading my post patiently. 
>> 
>> Regards 
>> Avinash 
>>  
>> 
>> 
> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20141014/1e6704b1/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20141014/1e6704b1/attachment.sig>

More information about the argus mailing list