nfdump 1.7 sflow not read, how to debug?

[atbohmer]

Hello,

Running nfdump Version: 1.7.4-9198d94 Options: ZSTD BZIP2 Date: 2024-03-17 with compie time configure options: ./configure --enable-nftrack --enable-nfprofile --enable-sflow --enable-readpcap

nfsen config:
'bigip_f5' => { 'port' => '9001', 'col' => '#B54FC6', 'type' => 'sflow' },

UDP/9001 sflow records are seen via tcpdump, but is seems sflow does not process them (counters 0)

System is a Redhat 9 VM (running since a few days), setup was running and working regarding sflow on a RH7 server. All netflow processes are ok (even erspan, thansk Peter), but sflow has a problem.

Cheers,
Andre

[phaag]

Hey Andre,
Please make sure, your firewall does not block port 9001. Even if it sounds to easy, it is the most often reason for cases like these.

Please note, that tcpdump grabs the packets before the firewall, therefore you'll see them always. If you think it should be open, dump these packets from port 9001 with tcpdump -w 9001.pcap ..... for a minute or so and feed them to a test instance of sfcapd: sfcapd -w /tmp -vv -f 9001.pcap As you already compiled with --enable-readpcap, sfcapd already can read this pcap.
If you get now a valid flow file, then you need to check your firewall again, or any other host settings, otherwise send me that pcap, so I can check, what's wrong.

If you open that pcap with wireshark and set decode as to sflow you should also get an idea, if that pcap is sflow or not.

Cheers
Peter

[atbohmer]

Hoi Peter,

Thansk for your time and great tips, checked it and indeed we have a tcpdump feed and are able to read it with correct output. So again had a look at the local firewall rules, RH9 with nft so need to get accustomed to it instead of iptables. Indeed the platform guys made a typo we overlooked: ip saddr 10.1.1.0/24 tcp dport 9001 accept comment "90001 UDP Netflow LB" -> tcp as proto!

Cheers,
Andre