I am monitoring switches using sFlow v5. On some of the switches, if I set the sender IP to that of the switch, I get just the information for that switch, which is exactly what I want. However, that doesn't work for all of the switches. Some will stop reporting if I set it that way. I have a number of remote locations with subnets, so I need to monitor that specific subnet, not all traffic on the port. I don't understand why sometimes that works and sometimes it doesn't. Can someone help me out here? Thanks!
Article Comments
Setting all of the switches we have to differing ports would be extremely difficult at this point, not to mention labor intensive. I ran the sFlow tester and it came back with IP errors, but I don't know how to read it to figure out which IP addresses aren't reporting correctly.
Jun, 2015 - Permalink
I would at least try this for some of the switches that you see no traffic for to see if that port is just being overloaded with information or if the sender isn't sending correctly. What errors are you getting with the tester?
Jun, 2015 - Permalink
In the IP source I see failed 1194, but I'm not sure what that means.

From the debug log:

5:49:41 PM,10.26.0.3,1,1,,0000002A,4446863,2908195208,1,0800,6,48,42,1064
5:49:41 PM,10.26.0.3,1,1,,0000002A,4446863,2908195208,1001
5:49:41 PM,10.26.0.3,1,1,,0000002D,616604,750589994,1,0800,6,45,6,40
5:49:41 PM,10.26.0.3,1,1,,0000002D,616604,750589994,1001
5:49:41 PM,10.26.0.3,1,1,,0000002D,616605,750589994,1,0800,6,45,6,46
5:49:41 PM,10.26.0.3,1,1,,0000002D,616605,750589994,1001
5:49:41 PM,10.26.0.3,1,2
5:49:41 PM,10.26.0.3,1,2
5:49:41 PM,10.26.0.3,1,1,,0000002A,4446864,2908196571,1,0800,6,48,42,1064
5:49:41 PM,10.26.0.3,1,1,,0000002A,4446864,2908196571,1001
5:49:41 PM,10.26.0.3

And from the SFTest flow save file:

5:49:41 PM,10.26.0.3,1,1,,0000002A,4446863,2908195208,1,0800,6,48,42,1064
5:49:41 PM,10.26.0.3,1,1,,0000002A,4446863,2908195208,1001
5:49:41 PM,10.26.0.3,1,1,,0000002D,616604,750589994,1,0800,6,45,6,40
5:49:41 PM,10.26.0.3,1,1,,0000002D,616604,750589994,1001
5:49:41 PM,10.26.0.3,1,1,,0000002D,616605,750589994,1,0800,6,45,6,46
5:49:41 PM,10.26.0.3,1,1,,0000002D,616605,750589994,1001
5:49:41 PM,10.26.0.3,1,2
5:49:41 PM,10.26.0.3,1,2
5:49:41 PM,10.26.0.3,1,1,,0000002A,4446864,2908196571,1,0800,6,48,42,1064
5:49:41 PM,10.26.0.3,1,1,,0000002A,4446864,2908196571,1001
5:49:41 PM,10.26.0.3

But I don't really understand what I am looking at there, or how to interpret what this log is telling me.
Jun, 2015 - Permalink
Under IP I see 1194 failed. I'm not sure how to read the logs it gives.

From the debug log:

5:49:41 PM,10.26.0.3,1,1,,0000002A,4446863,2908195208,1,0800,6,48,42,1064
5:49:41 PM,10.26.0.3,1,1,,0000002A,4446863,2908195208,1001
5:49:41 PM,10.26.0.3,1,1,,0000002D,616604,750589994,1,0800,6,45,6,40
5:49:41 PM,10.26.0.3,1,1,,0000002D,616604,750589994,1001
5:49:41 PM,10.26.0.3,1,1,,0000002D,616605,750589994,1,0800,6,45,6,46
5:49:41 PM,10.26.0.3,1,1,,0000002D,616605,750589994,1001
5:49:41 PM,10.26.0.3,1,2
5:49:41 PM,10.26.0.3,1,2
5:49:41 PM,10.26.0.3,1,1,,0000002A,4446864,2908196571,1,0800,6,48,42,1064
5:49:41 PM,10.26.0.3,1,1,,0000002A,4446864,2908196571,1001
5:49:41 PM,10.26.0.3

And from the Save:

10.26.0.191:80->10.26.0.200:49195 P:6 IF/OF:48/42 5:50:33 PM 1431080
10.26.0.194:80->10.26.0.200:49193 P:6 IF/OF:48/42 5:50:33 PM 1415120
10.26.0.200:65016->10.26.0.192:80 P:6 IF/OF:42/48 5:50:34 PM 53240
10.26.0.107:63584->216.58.216.46:443 P:17 IF/OF:9/45 5:50:34 PM 1096888
10.26.0.190:80->10.26.0.200:49159 P:6 IF/OF:48/42 5:50:34 PM 1415120
10.26.0.200:65011->10.26.0.192:80 P:6 IF/OF:42/48 5:50:34 PM 53160
10.26.0.194:80->10.26.0.200:49193 P:6 IF/OF:48/42 5:50:35 PM 1430016
10.26.0.150:445->10.26.0.105:49221 P:6 IF/OF:47/12 5:50:35 PM 51961
10.26.0.193:80->10.26.0.200:49190 P:6 IF/OF:48/42 5:50:35 PM 1430016
10.26.0.150:4915->10.26.0.71:9100 P:6 IF/OF:47/13 5:50:35 PM 0
10.26.0.150:4915->10.26.0.71:9100 P:6 IF/OF:47/13 5:50:37 PM 825000
10.26.0.194:80->10.26.0.200:49193 P:6 IF/OF:48/42 5:50:37 PM 1418312
10.26.0.191:80->10.26.0.200:49195 P:6 IF/OF:48/42 5:50:37 PM 1417248
10.26.0.193:80->10.26.0.200:49190 P:6 IF/OF:48/42 5:50:37 PM 1443848
10.26.0.194:80->10.26.0.200:49193 P:6 IF/OF:48/42 5:50:38 PM 1443848
10.10.150.160:2598->10.26.0.106:2797 P:6 IF/OF:45/6 5:50:38 PM 31648
10.26.0.193:80->10.26.0.200:49190 P:6 IF/OF:48/42 5:50:38 PM 1470448
10.26.0.30:50959->216.58.216.46:443 P:6 IF/OF:37/45 5:50:38 PM 21200
Jun, 2015 - Permalink
Please try and see if setting up one of the devices to send to a different port has any better result and also please send us your logs directly to support@paessler.com so we can analyze them in whole.
Jun, 2015 - Permalink
Pointing to different ports sort of worked. I made it so that each of my locations has its own port; however, when I input it to only get info for that IP, some of them fail. What logs do you want?
Jun, 2015 - Permalink
Can you send over the decoded flows for one of the locations that doesn't work when you specify the IP as well as a screenshot of the sflow tester showing the errors that you mentioned before? Can you also send over the IP address you are using as a filter in the sensor settings for the location?
Jun, 2015 - Permalink
You might also want to try and set up the various switches to send data to different ports on the PRTG server, eliminating the need for the sender IP to be set. You may also want to try and use the sFlow tester to see where packets are coming from to make sure that the IP of the packets being sent to the PRTG server matches the IP that you are using for the Sender IP address.
May, 2015 - Permalink
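
The check suggested in the reply above (does the address the datagrams arrive from match the configured Sender IP?), as an added example that is not part of the original thread and is not PRTG code. An sFlow v5 datagram also carries an agent address in its own header, which can differ from the UDP source address; the function names, the sample datagrams and the address 10.26.0.1 are constructed for illustration, and which of the two addresses a given collector filters on is not stated in this thread.

```python
import ipaddress
import struct

def parse_sflow5_header(datagram: bytes) -> dict:
    """Decode the fixed sFlow v5 datagram header (XDR, big-endian)."""
    if len(datagram) < 8:
        raise ValueError("too short for an sFlow header")
    version, addr_type = struct.unpack_from("!II", datagram, 0)
    if version != 5:
        raise ValueError(f"not sFlow v5 (version field = {version})")
    addr_len = {1: 4, 2: 16}.get(addr_type)  # 1 = IPv4 agent, 2 = IPv6 agent
    if addr_len is None:
        raise ValueError(f"unknown agent address type {addr_type}")
    end = 8 + addr_len
    if len(datagram) < end + 16:
        raise ValueError("truncated sFlow v5 header")
    sub_agent, seq, uptime_ms, samples = struct.unpack_from("!IIII", datagram, end)
    return {"agent": str(ipaddress.ip_address(datagram[8:end])),
            "sub_agent": sub_agent, "sequence": seq,
            "uptime_ms": uptime_ms, "samples": samples}

def check_sender(datagram: bytes, udp_source: str, expected: str) -> dict:
    """Compare both candidate 'sender' addresses with the configured filter."""
    want = ipaddress.ip_address(expected)
    agent = parse_sflow5_header(datagram)["agent"]
    return {"udp_source": udp_source, "agent": agent,
            "udp_source_matches": ipaddress.ip_address(udp_source) == want,
            "agent_matches": ipaddress.ip_address(agent) == want}

def make_header(agent_ip: str, seq: int) -> bytes:
    """Build a constructed, sample-less sFlow v5 header for the demo."""
    return struct.pack("!II4sIIII", 5, 1, ipaddress.ip_address(agent_ip).packed,
                       0, seq, 60000, 0)

# Constructed input: (UDP source address, datagram). 10.26.0.3 is the
# address seen in the thread's logs; 10.26.0.1 is a made-up second address.
SAMPLES = [("10.26.0.3", make_header("10.26.0.3", 1)),
           ("10.26.0.1", make_header("10.26.0.3", 2))]

def run_demo(expected: str = "10.26.0.3") -> list:
    """Check every constructed sample against the expected Sender IP."""
    return [check_sender(d, src, expected) for src, d in SAMPLES]

if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

On a live collector, the payload and source address returned by `socket.recvfrom()` on the sFlow port can be passed to `check_sender` in the same way.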