[Flow-tools] fprobe and netflow

jm jeffm at ghostgun.com
Mon Jan 12 19:29:35 EST 2009


I searched the web for the answer to this problem to no avail.

I've got fprobe capturing traffic mirrored from a mirror port on a 
router, generating netflow packets which it sends to netflow's 
flow-collector on the loopback (see diagram below). In the logs are 
reports of the following errors, which strongly suggest I'm losing data. 
netstat reports the Recv-Q to be zero (0), although the CPU was 
occasionally sitting at 100%, but this still occurs when the machine is 
more lightly loaded. The hardware was upgraded yesterday to eliminate 
any load related problems and these errors are persisting.

Can anyone think of why this is happening?

Jan 12 14:59:53 f2 flow-capture[10768]: ftpdu_seq_check():
src_ip=127.0.0.1 dst_ip=127.0.0.1 d_version=5 expecting=987487520
received=987487760 lost=240
Jan 12 14:59:53 f2 flow-capture[10768]: ftpdu_seq_check():
src_ip=127.0.0.1 dst_ip=127.0.0.1 d_version=5 expecting=987487790
received=987488000 lost=210
Jan 12 14:59:53 f2 flow-capture[10768]: ftpdu_seq_check():
src_ip=127.0.0.1 dst_ip=127.0.0.1 d_version=5 expecting=987488030
received=987488270 lost=240
Jan 12 14:59:53 f2 flow-capture[10768]: ftpdu_seq_check():
src_ip=127.0.0.1 dst_ip=127.0.0.1 d_version=5 expecting=987488300
received=987488510 lost=210



Diagrammatically, the setup is,

         mirrored         netflow
          traffic
  router --------> fprobe -------> flow-capture ----> custom script

           eth2            lo0         ^
                                       |
                 It's at this point that traffic is being lost.


Platform is Ubuntu Server

# uname -a
Linux f2 2.6.24-19-server #1 SMP Wed Aug 20 23:54:28 UTC 2008 i686 GNU/Linux

fprobe: a NetFlow probe. Version 1.1

flow-tools version 0.68


Jeff.
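
An added example, not part of the original post: a Python sketch that parses the `ftpdu_seq_check()` entries quoted above and quantifies the loss they report. It assumes a single exporter, that the NetFlow v5 `flow_sequence` counts flow records, and that a v5 packet carries at most 30 records; the names `parse_gaps` and `summarize` are hypothetical.

```python
import re

V5_MAX_RECORDS = 30  # assumption: a NetFlow v5 packet holds at most 30 records
SEQ_MOD = 2 ** 32    # assumption: flow_sequence is a 32-bit flow counter

GAP_RE = re.compile(
    r"ftpdu_seq_check\(\): src_ip=(?P<src>\S+) dst_ip=(?P<dst>\S+) "
    r"d_version=(?P<ver>\d+) expecting=(?P<exp>\d+) "
    r"received=(?P<got>\d+) lost=(?P<lost>\d+)"
)

# The four entries quoted in the post, re-joined onto single lines.
SAMPLE_LOG = """\
Jan 12 14:59:53 f2 flow-capture[10768]: ftpdu_seq_check(): src_ip=127.0.0.1 dst_ip=127.0.0.1 d_version=5 expecting=987487520 received=987487760 lost=240
Jan 12 14:59:53 f2 flow-capture[10768]: ftpdu_seq_check(): src_ip=127.0.0.1 dst_ip=127.0.0.1 d_version=5 expecting=987487790 received=987488000 lost=210
Jan 12 14:59:53 f2 flow-capture[10768]: ftpdu_seq_check(): src_ip=127.0.0.1 dst_ip=127.0.0.1 d_version=5 expecting=987488030 received=987488270 lost=240
Jan 12 14:59:53 f2 flow-capture[10768]: ftpdu_seq_check(): src_ip=127.0.0.1 dst_ip=127.0.0.1 d_version=5 expecting=987488300 received=987488510 lost=210
"""

def parse_gaps(text):
    """Return one dict per sequence-gap report, in log order."""
    flat = " ".join(text.split())  # also undoes mail or syslog line wrapping
    gaps = []
    for m in GAP_RE.finditer(flat):
        exp, got, lost = int(m["exp"]), int(m["got"]), int(m["lost"])
        if (got - exp) % SEQ_MOD != lost:  # tolerate counter wrap-around
            raise ValueError(f"inconsistent entry: {m.group(0)}")
        gaps.append({"exporter": m["src"], "expecting": exp,
                     "received": got, "lost": lost})
    return gaps

def summarize(gaps):
    """Quantify loss between the first and last gap report (one exporter)."""
    lost = sum(g["lost"] for g in gaps)
    # Flows that did arrive between the end of one gap and the start of the next.
    delivered = sum((b["expecting"] - a["received"]) % SEQ_MOD
                    for a, b in zip(gaps, gaps[1:]))
    total = lost + delivered
    return {
        "lost_flows": lost,
        "delivered_flows": delivered,
        "loss_ratio": lost / total if total else 0.0,
        # True when every gap is a multiple of 30, i.e. whole full packets.
        "whole_full_packets": all(g["lost"] % V5_MAX_RECORDS == 0 for g in gaps),
        # Lower bound: a packet may carry fewer than 30 records.
        "min_lost_packets": sum(-(-g["lost"] // V5_MAX_RECORDS) for g in gaps),
    }

if __name__ == "__main__":
    print(summarize(parse_gaps(SAMPLE_LOG)))
```

On the quoted entries every gap is a multiple of 30 and only 30 flows arrive between gaps, which under the stated assumptions corresponds to whole export packets going missing with a single packet delivered between each run.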



