[f-nsp] Only inbound traffic in sFlow export. Why?

Nikolay Pavlov quetzal at zone3000.net
Tue Mar 21 15:31:12 EST 2006


Hi, folks.

I have a strange issue on my core router Foundry BigIron 8000 with
sFlow export. I see only inbound traffic on sFlow samples:

host 206.53.60.34 is in my network (Also i did this test with other
hosts).

# sflowtool -p 3000 -t | tcpdump -nr - dst host 206.53.60.34
reading from file -, link-type EN10MB (Ethernet)
15:04:53.000000 IP 82.128.3.52.45013 > 206.53.60.34.80: . ack 24619974
win 17520 <nop,nop,timestamp 36603788 4211256578>
15:04:54.000000 IP 24.174.11.206.3373 > 206.53.60.34.80: P
1199114572:1199115084(512) ack 1789266672 win 64240 <nop,nop,timestamp
532058 4211258399>
15:04:58.000000 IP 85.104.28.86.1351 > 206.53.60.34.80: . ack 79673712
win 62788
15:04:58.000000 IP 81.208.106.73.57498 > 206.53.60.34.80: . ack
1730139818 win 17520
15:04:59.000000 IP 65.69.142.208.62916 > 206.53.60.34.80: . ack
3847022661 win 65535
15:04:59.000000 IP 61.68.133.228.3536 > 206.53.60.34.80: . ack
1335280708 win 8760
15:05:00.000000 IP 213.189.177.40.3402 > 206.53.60.34.80: . ack
3962404067 win 16153
15:05:01.000000 IP 82.169.132.243.22872 > 206.53.60.34.80: P
2078249237:2078249560(323) ack 2864397975 win 63592
^Ctcpdump: pcap_loop: error reading dump file: Interrupted system call


# sflowtool -p 3000 -t | tcpdump -nr - src host 206.53.60.34
reading from file -, link-type EN10MB (Ethernet)
^Ctcpdump: pcap_loop: error reading dump file: Interrupted system call

Here is output from "sh sflow" command:
-----------------------------------------------------------------------
telnet at Core# sh sflow
sFlow services are enabled.
sFlow agent IP address: xxx.xxx.xxx.xxx
Collector IP xxx.xxx.xxx.xxx, UDP 3000
Polling interval is 20 seconds.
Configured default sampling rate: 1 per 512 packets.
Actual default sampling rate: 1 per 512 packets.
24941397 UDP packets exported
191579929 sFlow samples collected.
sFlow ports: ethe 1/1 to 1/7 ethe 2/1 to 2/16 ethe 4/1 to 4/16 ethe 5/1
to 5/48 ethe 7/1 to 7/48
-----------------------------------------------------------------------


When i export flows from my border router (BigIron 8000 too) i see
traffic in both directions:

# sflowtool -t | tcpdump -nr - dst host 206.53.60.34
reading from file -, link-type EN10MB (Ethernet)
15:18:16.000000 IP 195.93.21.70.44620 > 206.53.60.34.80: P
4216426397:4216426900(503) ack 558911682 win 17520
15:18:16.000000 IP 209.76.82.237.4104 > 206.53.60.34.80: . ack
3051999951 win 65535
15:18:17.000000 IP 203.115.128.74.19487 > 206.53.60.34.80: . ack
649200153 win 65160 <nop,nop,timestamp 2010587857 4212863075>
15:18:17.000000 IP 65.151.66.148.2627 > 206.53.60.34.80: P
3261276588:3261276827(239) ack 3084905371 win 8760
15:18:18.000000 IP 64.228.129.114.1347 > 206.53.60.34.80: . ack
1942222805 win 16248
15:18:18.000000 IP 151.49.83.233.2195 > 206.53.60.34.80: . ack
2258415398 win 17520
15:18:18.000000 IP 62.6.113.207.1428 > 206.53.60.34.80: . ack 1739059353
win 8576
15:18:18.000000 IP 209.76.82.237.4104 > 206.53.60.34.80: . ack 55448 win
65535
^Ctcpdump: pcap_loop: error reading dump file: Interrupted system call

# sflowtool -t | tcpdump -nr - src host 206.53.60.34
reading from file -, link-type EN10MB (Ethernet)
15:18:23.000000 IP 206.53.60.34.80 > 84.139.177.56.63643: P
1273730257:1273731004(747) ack 1482625539 win 65535
15:18:23.000000 IP 206.53.60.34.80 > 70.89.28.201.26236: .
2888886127:2888887533(1406) ack 2658889069 win 65535
15:18:23.000000 IP 206.53.60.34.80 > 151.49.83.233.2195: .
2258616474:2258617934(1460) ack 1038346190 win 65535
15:18:23.000000 IP 206.53.60.34.80 > 202.146.253.4.39746: .
1025657670:1025659106(1436) ack 3576198457 win 33028
15:18:24.000000 IP 206.53.60.34.80 > 82.137.200.17.4237: .
614361912:614363360(1448) ack 2805195025 win 33304 <nop,nop,timestamp
4212877595 134434989>
15:18:24.000000 IP 206.53.60.34.80 > 207.200.116.199.33158: .
2934088899:2934090359(1460) ack 4225450683 win 32850
^Ctcpdump: pcap_loop: error reading dump file: Interrupted system call


-----------------------------------------------------------------------
telnet at Border# sh sflow
sFlow services are enabled.
sFlow agent IP address: xxx.xxx.xxx.xxx
Collector IP xxx.xxx.xxx.xxx, UDP 6343
Polling interval is 20 seconds.
Configured default sampling rate: 1 per 512 packets.
Actual default sampling rate: 1 per 512 packets.
565929 UDP packets exported
2883745 sFlow samples collected.
sFlow ports: ethe 1/1 to 1/4 ethe 4/1 to 4/16
-----------------------------------------------------------------------


-- 
============================================================================
= Best regards, Nikolay Pavlov. <<<--------------------------------------- =
============================================================================



More information about the foundry-nsp mailing list