add pcap option outbound=on to sample outbound packet only #35
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ng bpf commands remove src/Linux/Makefile to remove dependecy on mod_docker.o
setup74
changed the title
|
I fixed the spurious Makefile dependency. Thanks for pointing that out. I don't know why we would want an option to sample outbound packets only, though? What purpose do you have in mind? |
|
To be used for HAPROXYs with single interfae using pcap sampling,
where same traffic comes in and out "twice"
(between clinet - HAPROXY and HAPROXY - Real Servers)
throught the samwe interface.
So to account the service traffic "once", need to do post-process sflow data
or just do sample one direction only.
When HAPROXYs' VIPs and ports are complex and to be dynanically changed
the post-procssing is hard to be implemented correctly.
So just doing outbound-only sampling is easy solution for this case.
… 2019. 11. 2. 오전 3:26, sflow ***@***.***> 작성:
I fixed the spurious Makefile dependency. Thanks for pointing that out. I don't know why we would want an option to sample outbound packets only, though? What purpose do you have in mind?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub <#35?email_source=notifications&email_token=AHHYWAJJWGEAT5AL6VZE6KTQRRYGLA5CNFSM4JHF7EPKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEC3YUYQ#issuecomment-548899426>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AHHYWAJLGQ2NELTWGIUKHFDQRRYGLANCNFSM4JHF7EPA>.
|
|
Selecting egress traffic is straightforward to do in post-processing. Just select packet samples where output ifindex == datasource index. It's better not to filter at source because there may be other types of analysis that would need to see the ingress packets. The general philosophy of sFlow is to keep the agent simple and select data of interest at the collector. |
|
My host's interface is configured as:
eth2, eth3 --> bond1 --> bond1.300 --> (macvlan) --> { macvlan sub interfaces in different netns }
(to run HAPROXYs with separate network name spaces for each different overlay networks)
And unfortunately the hsflowd cannot catch the interface identity, when pcaping on:
eth2, eth3, bond1, bond1.300
as in/out_interface value 0; also shown as hsflowd's debug output:
takeSample: hook=0 tap=bond1 in=<not found> out=<not found> pkt_len=78 cap_len=64 mac_len=14 (...)
(pcaping on each netns's macvlan sub interfaces catches interface identity,
but i hope only one hsflowd running on aggration point bond1.300)
But, even with this configuratition, pcaping with BPF outbound-only filtering works!
(tested with Linux kernel 4.19.12-1.el7.elrepo.x86_64)
So is this strangely looking outbound-only option for.
… 2019. 11. 2. 오후 2:18, sflow-rt ***@***.***> 작성:
Selecting egress traffic is straightforward to do in post-processing. Just select packet samples where output ifindex == datasource index.
It's better not to filter at source because there may be other types of analysis that would need to see the ingress packets. The general philosophy of sFlow is to keep the agent simple and select data of interest at the collector.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub <#35?email_source=notifications&email_token=AHHYWALEYS32GJU52OZLN4DQRUETZA5CNFSM4JHF7EPKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEC4UFEQ#issuecomment-549012114>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AHHYWAMG4FRS4ZMNY5MWASDQRUETZANCNFSM4JHF7EPA>.
|
|
It sounds like you enabled pcap { dev=bond1.300)? Do you get packet direction information if you enable pcap { dev=eth2 } and pcap { dev=eth3 } (or pcap { dev=bond1 }) instead? This would allow you to monitor all macvlan tunnels (by filtering on the tunnel attributes in the sFlow analyzer). |
|
I used pcap sampling; the hsflowd.conf is (with ouitbound_only patch):
sflow {
sampling=700
sampling.10G=700
collector {
ip = _my_collector_ip_
udpport = _my_collector_port_
}
pcap {
dev = bond1.300
outbound_only = on
}
}
With my collector (pmacctd's sfacctd to dump sflow data cached into text csv files)
sampling_direction info is printe out as emply string (no info)
Pcap dev on dev eth2, eth3 shows same pattern: no interface info and no sampling_direction info
I think, it might be from that macvlan sub interfaces are on it's own separate network name spaces;
so the macvlan's sub interfaces are not appeared in default network namespace where the hsflowd is running.
… 2019. 11. 4. 오전 11:34, sflow-rt ***@***.***> 작성:
It sounds like you enabled pcap { dev=bond1.300)? Do you get packet direction information if you enable pcap { dev=eth2 } and pcap { dev=eth3 } (or pcap { dev=bond1 }) instead? This would allow you to monitor all macvlan tunnels (by filtering on the tunnel attributes in the sFlow analyzer).
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
add pcap option outbound=on to sample outbound packet only, usng bpf commands
remove src/Linux/Makefile to remove invalid dependecy on mod_docker.o in actions for hsflowd