[clug] fprobe and netflow

Mon Jan 12 05:55:31 GMT 2009

Anyone out there have any experience with fprobe and netflow? I searched 
the web for the answer to no avail.

I've got fprobe capturing traffic mirrored from a port on a router, 
generating netflow packets which it sends to netflow's flow-collector on 
the loopback (see diagram below). In the logs are to following errors 
which strongly suggests I'm losing data. netstat reports the Recv-Q to 
be zero(0) although the cpu is occassional sitting at 100%, but this 
still occurs when the machine is more lightly loaded.

 Can anyone think of why this is happeneng?

Jan 12 14:59:53 f2 flow-capture[10768]: ftpdu_seq_check(): 
src_ip=127.0.0.1 dst_ip=127.0.0.1 d_version=5 expecting=987487520 
received=987487760 lost=240
Jan 12 14:59:53 f2 flow-capture[10768]: ftpdu_seq_check(): 
src_ip=127.0.0.1 dst_ip=127.0.0.1 d_version=5 expecting=987487790 
received=987488000 lost=210
Jan 12 14:59:53 f2 flow-capture[10768]: ftpdu_seq_check(): 
src_ip=127.0.0.1 dst_ip=127.0.0.1 d_version=5 expecting=987488030 
received=987488270 lost=240
Jan 12 14:59:53 f2 flow-capture[10768]: ftpdu_seq_check(): 
src_ip=127.0.0.1 dst_ip=127.0.0.1 d_version=5 expecting=987488300 
received=987488510 lost=210

Diagramatically, the set up is,

         mirrored         netflow
          traffic
  router --------> fprobe -------> flow-collector ----> custom script

                                       ^
                                       |
                 It's at the point which traffic is being lost.

Jeff.