[logstash.codecs.sflow ] Invalid sflow packet received (End of file reached) #459
Comments
Would you mind sending a PCAP so that I can take a look? elastiflow@gmail.com
You got mail :) If there is something else I can do to be of any assistance, let me know.
The issue is that the sFlow flow samples include the extended_mpls_tunnel structure, which is currently not supported by the Logstash sFlow Codec. You will need to open an issue for logstash-codec-sflow and provide them the PCAP for development and testing. When you open the issue please mention this issue so that it is linked here.
Great investigation. May there be a quick fix with something like, optional_removed_field? Thanks once more.
Hi Rob, Sorry to bother, but do you know when the contributors of logstash-codec-sflow check their issues or a way to ping them?
The sflow plugin seems to have supported the mpls_extended_tunnel since the 2.1.0 release.
Hello everyone. I have a similar issue: Invalid sflow packet received (End of file reached) with Huawei switches s6700, ELK 6.2.3 and Sflow plugin 2.1.3. May I send you a pcap @robcowart ? Thanks in advance.
Hey @robcowart, did you have a chance to view my pcap?
The issue is that the device is sending sample structures that the codec doesn't support. This isn't an issue with the codec itself, rather that the device is referring to formats which are not defined in the sFlow standard. You can see this when looking at your PCAP in Wireshark. The flow contains structures of enterprise 0/format 0 and enterprise 0/format 16, which are not defined here... https://sflow.org/developers/structures.php If you can provide any Huawei documentation regarding these structures, it may be possible to add support. However, I suspect that this is a bug in the Huawei implementation.
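Added example, not part of the thread and not code from logstash-codec-sflow: a minimal Python walker that lists the enterprise/format pair of every record in an sFlow v5 datagram, stepping over structures it does not decode by using their length fields. The `supported` set, the function names and the sample datagram are constructed assumptions for illustration.

```python
import struct

# Words in each sample header (enterprise 0); the last word is the record count.
# 1 = flow, 2 = counter, 3 = expanded flow, 4 = expanded counter.
SAMPLE_HEADER_WORDS = {1: 8, 2: 3, 3: 11, 4: 4}

def u32(buf, off):
    if off + 4 > len(buf):
        raise ValueError(f"truncated at offset {off}")
    return struct.unpack_from(">I", buf, off)[0]

def split_format(word):
    return word >> 12, word & 0xFFF  # (enterprise: top 20 bits, format: low 12)

def inventory(datagram, supported):
    """List (sample_format, enterprise, format, length, is_supported) per record."""
    if u32(datagram, 0) != 5:
        raise ValueError("not an sFlow v5 datagram")
    addr_len = {1: 4, 2: 16}.get(u32(datagram, 4))  # 1 = IPv4, 2 = IPv6 agent
    if addr_len is None:
        raise ValueError("unknown agent address type")
    off = 8 + addr_len + 12  # skip sub-agent id, sequence number, uptime
    n_samples, off = u32(datagram, off), off + 4
    found = []
    for _ in range(n_samples):
        s_ent, s_fmt = split_format(u32(datagram, off))
        body, end = off + 8, off + 8 + u32(datagram, off + 4)
        if end > len(datagram):
            raise ValueError(f"sample at offset {off} overruns the datagram")
        words = SAMPLE_HEADER_WORDS.get(s_fmt) if s_ent == 0 else None
        if words is not None:
            pos = body + 4 * words
            for _ in range(u32(datagram, pos - 4)):
                ent, fmt = split_format(u32(datagram, pos))
                r_len = u32(datagram, pos + 4)
                if pos + 8 + r_len > end:
                    raise ValueError(f"record at offset {pos} overruns its sample")
                found.append((s_fmt, ent, fmt, r_len, (ent, fmt) in supported))
                pos += 8 + r_len  # the length field lets us skip undecoded records
        off = end  # unknown sample types are skipped the same way
    return found

# Constructed datagram: one flow sample holding records 0/1 and 0/16.
def _rec(fmt, payload):
    return struct.pack(">II", fmt, len(payload)) + payload

_BODY = struct.pack(">8I", 1, 7, 1024, 2048, 0, 1, 2, 2) + _rec(1, bytes(8)) + _rec(16, bytes(4))
SAMPLE = struct.pack(">II4sIIII", 5, 1, bytes([192, 0, 2, 1]), 1, 100, 5000, 1) \
    + struct.pack(">II", 1, len(_BODY)) + _BODY
```

Feeding it the UDP payloads extracted from a capture shows which enterprise/format pairs a device actually emits, which is the information needed when reporting an unsupported structure.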
This issue is being closed as this legacy version of ElastiFlow is now deprecated and is to be archived. Please try the new ElastiFlow, request a free Basic Tier license, and join the ElastiFlow Community Slack. Thank you.
ELK stack 7.3.2 - elastiflow 3.5.1
I am trying to get some sflow into elastiflow.
The only thing I can see in the logs is:
Invalid sflow packet received (End of file reached)
The device is a Brocade MLXe
I have checked the host and it receives sflow data, V5
Where can I begin investigating in order to get this solved?
Or a pointer in what direction so I can start digging into this?
[2019-12-03T17:02:10,287][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
[2019-12-03T17:11:30,348][WARN ][logstash.codecs.sflow ] Invalid sflow packet received (End of file reached)
[2019-12-03T17:11:37,909][WARN ][logstash.codecs.sflow ] Invalid sflow packet received (End of file reached)
[2019-12-03T17:11:44,705][WARN ][logstash.codecs.sflow ] Invalid sflow packet received (End of file reached)
[2019-12-03T17:11:49,255][WARN ][logstash.codecs.sflow ] Invalid sflow packet received (End of file reached)
1 0.000000000 172.25.31.219 → 172.25.29.86 sFlow 1422 V5, agent 172.25.31.219, sub-agent ID 1, seq 18201097, 5 samples
2 7.748915188 172.25.31.219 → 172.25.29.86 sFlow 1422 V5, agent 172.25.31.219, sub-agent ID 1, seq 18201098, 6 samples
3 14.571135901 172.25.31.219 → 172.25.29.86 sFlow 1234 V5, agent 172.25.31.219, sub-agent ID 1, seq 18201099, 4 samples
4 19.144214689 172.25.31.219 → 172.25.29.86 sFlow 1218 V5, agent 172.25.31.219, sub-agent ID 1, seq 18201100, 4 samples
5 27.749316796 172.25.31.219 → 172.25.29.86 sFlow 1414 V5, agent 172.25.31.219, sub-agent ID 1, seq 18201101, 6 samples
6 37.971441395 172.25.31.219 → 172.25.29.86 sFlow 1346 V5, agent 172.25.31.219, sub-agent ID 1, seq 18201102, 4 samples