sFlow agent on Huawei sends too short packets when traffic includes vlans #990
Comments
|
We have customer with that exact issue with Huawei NE 8000 F1A. Software: Issue: |
|
Another very strange thing with Huawei that they do export Ethernet, Raw and IPv4 headers in same time.
|
|
I actually do not see any advantages in exporting all of them as RAW includes all the things. As consequence each flow entry is almost 288 bytes and each UDP packet carries just 4 of them: Other vendors can export 10-15 packets in each UDP packet by exporting only raw. |
|
I got some hints from Neil McKee from InMon Corp to look on standard and Standard is pretty clear about this case: A flow_sample must contain packet header information. The prefered format for reporting packet header information is the sampled_header. However, if the packet header is not available to the sampling process then one or more of sampled_ethernet, sampled_ipv4, sampled_ipv6 may be used. So raw packet header is more then enough. Ethernet and IPv4 headers are redundant in this case and can be skipped. |
|
I re-opened ticket for visibility. Both FastNetMon Advanced and Community can handle such packets but we need to communicate / confirm it with Huawei. |
|
about the packet lenth, you can try this command: |
|
Hello!
Thank you for feedback. It is supported by Huawei?
…On Fri, 1 Sep 2023 at 11:29, jackey123-king ***@***.***> wrote:
about the packet lenth, you can try this command:
"sflow max-packet-length"
The sflow max-packet-length command configures the maximum length of sFlow
packet payload.
—
Reply to this email directly, view it on GitHub
<#990 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAU56ZSNZTDGLNCXZWFELJTXYGMHZANCNFSM6AAAAAA2OYABCY>
.
You are receiving this because you modified the open/close state.Message
ID: ***@***.***>
|
|
yes,Huawei‘s router can support this function. |
|
I found this option "sflow flow-sampling max-header length": https://support.huawei.com/enterprise/en/doc/EDOC1000178165?section=j04t |
|
We confirmed that NE40E-F1A-14H24Q is affected too. Looks like whole Huawei router product line is affected |
|
Worth to mention that this issue has side effects that FastNetMon does not observe TCP flags at all and it may negatively affect quality of mitigation in BGP Flow Spec mode. |
|
Unfortunately we got yet another pretty crazy bug from Huawei NE40E-F1A-14H24Q
When BGP Flow Spec discards or rate limits some traffic it leads to disappearance of ASN information in sFlow (it's stored in extended gateway data section). It simply vanishes. Also, Huawei does not report such traffic as discarded via special encoding of output interface type (but it's not 100% confirmed) |
You may notice that Wireshark can decode only part of TCP header and it can retrieve only source and destination port:
Other fields such as TCP flags or ACK numbers are located close to end of TCP packet and this data was cropped by router.
Majority of other vendors include larger parts of packet header to include whole TCP packet.
The text was updated successfully, but these errors were encountered: