Mailing List Archive

sFlow question
Hello,

I would like to set up Ntopng as a sFlow collector to monitor a network of virtual machines. I used VirtualBox to create the network (see attached image "Network 2.png"). My goal is to display sFlow data relative to the flows passing through an Open vSwitch (OVS) installed on a CentOS 7 server. I have installed Ntopng in a CentOS 7 VM in Community mode. The load generators are used to simulate traffic through the OVS with Iperf.

I put the IP address 10.0.0.4/28 in the OVS to enable it to export sFlow packets to the Ntopng VM:
ip addr add 10.0.0.4/28 dev ovs2
ip link set ovs2 up

According to the documentation of Open vSwitch (http://docs.openvswitch.org/en/latest/howto/sflow/), the sFlow configuration in the OVS is as follows:
ovs-vsctl -- --id=@sflow create sflow agent=ovs2 target="\"10.0.0.3:6343\"" header=128 sampling=64 polling=10 -- set bridge ovs2 sflow=@sflow

To collect sFlow data, the configuration of nProbe in /etc/nprobe/nprobe.conf is the following:
-i none
-n none
-3 6343
--zmq "tcp://*:5556"

That of Ntopng in /etc/ntopng/ntopng.conf is:
-i "tcp://127.0.0.1:5556"
-m "10.0.0.0/28"

A tcpdump in the Ntopng VM shows incoming sFlow packets (see attached image "Tcpdump sFlow.png").

When I check the interface tcp://127.0.0.1:5556 in Ntopng, sFlow Counter Updates become equal to 1. However, Collected flows remain to 0 and I am not able to observe sFlow data in Ntopng.
I have tried to put -S 64 (same sampling as the OVS one) and --disable-sflow-upscale options in /etc/nprobe/nprobe.conf, no polling and header options in the OVS, the result is still the same.

I have also tested the same setup with NetFlow in OVS instead of sFlow and everything is running well, NetFlow data is plotted in Ntopng. What am I doing wrong with sFlow please?

Thank you very much in advance for answering my question.

Best regards,

Arnaud POLOSSAT
Airbus Defence and Space
1, Bvd Jean Moulin, CS 40001
78 996 Elancourt Cedex, France
E-mail: arnaud.polossat@fr.airbus.com<mailto:arnaud.polossat@fr.airbus.com>


***************************************************************
Ce courriel (incluant ses eventuelles pieces jointes) peut contenir des informations confidentielles et/ou protegees ou dont la diffusion est restreinte. Si vous avez recu ce courriel par erreur, vous ne devez ni le copier, ni l'utiliser, ni en divulguer le contenu a quiconque. Merci d'en avertir immediatement l'expediteur et d'effacer ce courriel de votre systeme. Airbus Defence and Space et les sociétés Airbus Group declinent toute responsabilite en cas de corruption par virus, d'alteration ou de falsification de ce courriel lors de sa transmission par voie electronique.
This email (including any attachments) may contain confidential and/or privileged information or information otherwise protected from disclosure. If you are not the intended recipient, please notify the sender immediately, do not copy this message or any attachments and do not use it for any purpose or disclose its content to any person, but delete this message and any attachments from your system. Airbus Defence and Space and Airbus Group companies disclaim any and all liability if this email transmission was virus corrupted, altered or falsified.
---------------------------------------------------------------------
Airbus Defence and Space SAS (393 341 516 RCS Toulouse) - Capital: 29.821.072 EUR - Siege social: 31 rue des Cosmonautes, ZI du Palays, 31402 Toulouse cedex 4, France
Re: sFlow question [ In reply to ]
> On 13 Sep 2018, at 11:35, Polossat, Arnaud [FR] <arnaud.polossat@fr.airbus.com> wrote:
>
> Hello,
>
> I would like to set up Ntopng as a sFlow collector to monitor a network of virtual machines. I used VirtualBox to create the network (see attached image “Network 2.png”). My goal is to display sFlow data relative to the flows passing through an Open vSwitch (OVS) installed on a CentOS 7 server. I have installed Ntopng in a CentOS 7 VM in Community mode. The load generators are used to simulate traffic through the OVS with Iperf.
>
> I put the IP address 10.0.0.4/28 in the OVS to enable it to export sFlow packets to the Ntopng VM:
> ip addr add 10.0.0.4/28 dev ovs2
> ip link set ovs2 up
>
> According to the documentation of Open vSwitch (http://docs.openvswitch.org/en/latest/howto/sflow/ <http://docs.openvswitch.org/en/latest/howto/sflow/>), the sFlow configuration in the OVS is as follows:
> ovs-vsctl -- --id=@sflow create sflow agent=ovs2 target="\"10.0.0.3:6343\"" header=128 sampling=64 polling=10 -- set bridge ovs2 sflow=@sflow
>
> To collect sFlow data, the configuration of nProbe in /etc/nprobe/nprobe.conf is the following:
> -i none
> -n none
> -3 6343
> --zmq "tcp://*:5556 <tcp://*:5556>"
>
> That of Ntopng in /etc/ntopng/ntopng.conf is:
> -i "tcp://127.0.0.1:5556 <tcp://127.0.0.1:5556>"
> -m "10.0.0.0/28"
>
> A tcpdump in the Ntopng VM shows incoming sFlow packets (see attached image “Tcpdump sFlow.png”).
>
> When I check the interface tcp://127.0.0.1:5556 <tcp://127.0.0.1:5556> in Ntopng, sFlow Counter Updates become equal to 1. However, Collected flows remain to 0 and I am not able to observe sFlow data in Ntopng.

run nProbe with option -b = 2 and see the periodic stats that are printed. Check if collected and exported flows are increasing.

Look at the ntopng interface page. There are collection statistics there (e.g., collected flows and ZMQ interface updates). Are they increasing? Feel free to post a screenshot of that page here.

> I have tried to put –S 64 (same sampling as the OVS one) and --disable-sflow-upscale options in /etc/nprobe/nprobe.conf, no polling and header options in the OVS, the result is still the same.
>
> I have also tested the same setup with NetFlow in OVS instead of sFlow and everything is running well, NetFlow data is plotted in Ntopng. What am I doing wrong with sFlow please?
>
> Thank you very much in advance for answering my question.
>
> Best regards,
>
> Arnaud POLOSSAT
> Airbus Defence and Space
> 1, Bvd Jean Moulin, CS 40001
> 78 996 Elancourt Cedex, France
> E-mail: arnaud.polossat@fr.airbus.com <mailto:arnaud.polossat@fr.airbus.com>
>
> ***************************************************************
> Ce courriel (incluant ses eventuelles pieces jointes) peut contenir des informations confidentielles et/ou protegees ou dont la diffusion est restreinte. Si vous avez recu ce courriel par erreur, vous ne devez ni le copier, ni l'utiliser, ni en divulguer le contenu a quiconque. Merci d'en avertir immediatement l'expediteur et d'effacer ce courriel de votre systeme. Airbus Defence and Space et les sociétés Airbus Group declinent toute responsabilite en cas de corruption par virus, d'alteration ou de falsification de ce courriel lors de sa transmission par voie electronique.
> This email (including any attachments) may contain confidential and/or privileged information or information otherwise protected from disclosure. If you are not the intended recipient, please notify the sender immediately, do not copy this message or any attachments and do not use it for any purpose or disclose its content to any person, but delete this message and any attachments from your system. Airbus Defence and Space and Airbus Group companies disclaim any and all liability if this email transmission was virus corrupted, altered or falsified.
> ---------------------------------------------------------------------
> Airbus Defence and Space SAS (393 341 516 RCS Toulouse) - Capital: 29.821.072 EUR - Siege social: 31 rue des Cosmonautes, ZI du Palays, 31402 Toulouse cedex 4, France
> <Network 2.png><Tcpdump sFlow.png>_______________________________________________
> Ntop mailing list
> Ntop@listgateway.unipi.it <mailto:Ntop@listgateway.unipi.it>
> http://listgateway.unipi.it/mailman/listinfo/ntop <http://listgateway.unipi.it/mailman/listinfo/ntop>
Re: sFlow question [ In reply to ]
> On 13 Sep 2018, at 11:35, Polossat, Arnaud [FR] <arnaud.polossat@fr.airbus.com> wrote:
>
> Hello,
>
> I would like to set up Ntopng as a sFlow collector to monitor a network of virtual machines. I used VirtualBox to create the network (see attached image “Network 2.png”). My goal is to display sFlow data relative to the flows passing through an Open vSwitch (OVS) installed on a CentOS 7 server. I have installed Ntopng in a CentOS 7 VM in Community mode. The load generators are used to simulate traffic through the OVS with Iperf.
>
> I put the IP address 10.0.0.4/28 in the OVS to enable it to export sFlow packets to the Ntopng VM:
> ip addr add 10.0.0.4/28 dev ovs2
> ip link set ovs2 up
>
> According to the documentation of Open vSwitch (http://docs.openvswitch.org/en/latest/howto/sflow/ <http://docs.openvswitch.org/en/latest/howto/sflow/>), the sFlow configuration in the OVS is as follows:
> ovs-vsctl -- --id=@sflow create sflow agent=ovs2 target="\"10.0.0.3:6343\"" header=128 sampling=64 polling=10 -- set bridge ovs2 sflow=@sflow
>
> To collect sFlow data, the configuration of nProbe in /etc/nprobe/nprobe.conf is the following:
> -i none
> -n none
> -3 6343
> --zmq "tcp://*:5556 <tcp://*:5556>"
>
> That of Ntopng in /etc/ntopng/ntopng.conf is:
> -i "tcp://127.0.0.1:5556 <tcp://127.0.0.1:5556>"
> -m "10.0.0.0/28"
>
> A tcpdump in the Ntopng VM shows incoming sFlow packets (see attached image “Tcpdump sFlow.png”).
>
> When I check the interface tcp://127.0.0.1:5556 <tcp://127.0.0.1:5556> in Ntopng, sFlow Counter Updates become equal to 1. However, Collected flows remain to 0 and I am not able to observe sFlow data in Ntopng.

run nProbe with option -b = 2 and see the periodic stats that are printed. Check if collected and exported flows are increasing.

Look at the ntopng interface page. There are collection statistics there (e.g., collected flows and ZMQ interface updates). Are they increasing? Feel free to post a screenshot of that page here.

> I have tried to put –S 64 (same sampling as the OVS one) and --disable-sflow-upscale options in /etc/nprobe/nprobe.conf, no polling and header options in the OVS, the result is still the same.
>
> I have also tested the same setup with NetFlow in OVS instead of sFlow and everything is running well, NetFlow data is plotted in Ntopng. What am I doing wrong with sFlow please?
>
> Thank you very much in advance for answering my question.
>
> Best regards,
>
> Arnaud POLOSSAT
> Airbus Defence and Space
> 1, Bvd Jean Moulin, CS 40001
> 78 996 Elancourt Cedex, France
> E-mail: arnaud.polossat@fr.airbus.com <mailto:arnaud.polossat@fr.airbus.com>
>
> ***************************************************************
> Ce courriel (incluant ses eventuelles pieces jointes) peut contenir des informations confidentielles et/ou protegees ou dont la diffusion est restreinte. Si vous avez recu ce courriel par erreur, vous ne devez ni le copier, ni l'utiliser, ni en divulguer le contenu a quiconque. Merci d'en avertir immediatement l'expediteur et d'effacer ce courriel de votre systeme. Airbus Defence and Space et les sociétés Airbus Group declinent toute responsabilite en cas de corruption par virus, d'alteration ou de falsification de ce courriel lors de sa transmission par voie electronique.
> This email (including any attachments) may contain confidential and/or privileged information or information otherwise protected from disclosure. If you are not the intended recipient, please notify the sender immediately, do not copy this message or any attachments and do not use it for any purpose or disclose its content to any person, but delete this message and any attachments from your system. Airbus Defence and Space and Airbus Group companies disclaim any and all liability if this email transmission was virus corrupted, altered or falsified.
> ---------------------------------------------------------------------
> Airbus Defence and Space SAS (393 341 516 RCS Toulouse) - Capital: 29.821.072 EUR - Siege social: 31 rue des Cosmonautes, ZI du Palays, 31402 Toulouse cedex 4, France
> <Network 2.png><Tcpdump sFlow.png>_______________________________________________
> Ntop mailing list
> Ntop@listgateway.unipi.it <mailto:Ntop@listgateway.unipi.it>
> http://listgateway.unipi.it/mailman/listinfo/ntop <http://listgateway.unipi.it/mailman/listinfo/ntop>