Softflowd not sending data

mcury

SG-3100 22.01

Installed softflowd , and its not sending any data to my netflow server, confirmed by tcpdump.
I wonder if its related to this bug: redmine #10436

mcury

Its not related to the redmine #10436, no Segmentation fault (core dumped).

This doesn't work:

/usr/local/bin/softflowd -D -i 1:mvneta1.100 -n 192.168.255.253:2055 -v 9 -T full -A sec -p /var/run/softflowd.mvneta1.pid
Using mvneta1.100 (idx: 1)
softflowd v1.0.0 starting data collection
Exporting flows to [192.168.255.253]:2055

This does work:

/usr/local/bin/softflowd -D -i 1:mvneta1 -n 192.168.255.253:9995 -v 9 -T full -A sec -p /var/run/softflowd.mvneta1.pid -c /var/run/softflowd.mvneta1.ctl -P udp
Using mvneta1 (idx: 1)
softflowd v1.0.0 starting data collection
Exporting flows to [192.168.255.253]:9995
ADD FLOW seq:1 [172.16.200.1]:22 <> [192.168.255.254]:48902 proto:6 vlan>:0 vlan<:0  ether:00:00:00:00:00:00 <> 00:00:00:00:00:00 
ADD FLOW seq:2 [52.38.204.228]:443 <> [192.168.255.254]:50948 proto:6 vlan>:0 vlan<:0  ether:00:00:00:00:00:00 <> 00:00:00:00:00:00 
ADD FLOW seq:3 [192.168.255.252]:50355 <> [239.255.255.250]:1900 proto:17 vlan>:0 vlan<:0  ether:00:00:00:00:00:00 <> 00:00:00:00:00:00 

ps auxwww:

/usr/local/bin/softflowd -i 1:mvneta1.100 -n 192.168.255.253:2055 -m 8192 -L 1 -v 9 -T full -A sec -p /var/run/softflowd.mvneta1.100.pid -c /var/run/softflowd.mvneta1.100.ctl

mcury

This post is deleted!

mcury

The problem happens when its listening on a VLAN.
If I change the parameter from "-i 1:mvneta1.100" to "-i 1:mvneta1", it works.

Shouldn't softflowd run only on the mvneta1 interface?
Its getting flows from everything, VLANs included, only parent interface is required

mcury

With -D option, I can see the daemon working, sending flows..
But nothing is actually sent, tcpdump -ni mvneta1.100 udp port 9995 remains empty..

anotheruserwithquestions

Bump on this.

Same problem here on two 1100 devices. Totally fine on a much larger netgate appliance though.

If softflowd is allowed to run in "-D" for a bit ... cores out.
VERY frustrating as this blinding visibility/correlation into the vlans/subnets behind the devices. An 1100 won't do ntopng very well.

The latest docs on the netgate site don't even match the GUI for softflow settings :(

anotheruserwithquestions

No one ever uses softflowd on the 1100? Or has never seen it just not send data and/or core out?

This is not reassuring that included software (regardless of who wrote it) doesn't just ... work. There aren't that many settings to fiddle with.

I mean, if the project is dead, then why is the software included at all? If one cannot support/update/maintain it ... why would one ever continue to pretend it's a legit working package?

And if the project is indeed dead ... is there no other way to dump flow data if the 1100 can't handle ntopng?

alextg

Did anyone manage to get this working?

I am still struggling with softflow to send data. Nothing is send and it stops working after a few minutes.

keyser

@alextg Consider upgrading to pfsense plus 24.03. It has a much better native netflow export feature where you can enable it on a rule by rule basis (or globally)