How can I troubleshoot sFlow collection?

Votes:

0

I currently have a firewall device (Fortinet FortiGate) exporting sFlow v5 to a probe but nothing appears to show up. I have left it running for a while in case it takes time to start building up statistics but the sensor status reports "No Data Yet".

I have tried sending the same sFlow data to a different software product on another server and it all appears to work perfectly. I have a sniffer installed on the probe server and can see the sFlow traffic being received and doing a netstat -anb on the probe server I can see that the prtg probe process is listening on the correct port. I have also checked the Windows firewall to see if anything is being blocked but the probe process is exempt. I even added an exception for UDP port 6343 just in case but this hasn't helped.

prtg sflow troubleshooting

Created on Feb 26, 2010 4:52:06 PM



Best Answer

Accepted Answer

Votes:

0

Turns out that there was a bug in the firewall firmware and sFlow packets were not correctly reporting the input or output interfaces for each sample. These fields are optional according to the sFlow RFCs but nonetheless, Fortinet have added in the correct interface indexes to each sample now and PRTG now seems to be collecting and processing data as expected.

Created on Mar 14, 2010 9:55:52 PM



8 Replies

Votes:

0

Did you check with e.g. Wireshark if sFlow version 5 reaches the PRTG probe PC?

Created on Mar 2, 2010 12:41:06 PM by  Aurelio Lombardi [Paessler Support]



Votes:

0

Hi Aurelio,

Yes I have - as mentioned in the part that says "I have a sniffer installed on the probe server and can see the sFlow traffic being received".

Created on Mar 7, 2010 1:52:11 AM



Votes:

0

And you are positive that it is sFlow version 5 you are sending?

That was the most common sFlow issue we had in the past so far. That is why I am asking.

Created on Mar 7, 2010 8:10:50 AM by  Aurelio Lombardi [Paessler Support]



Votes:

0

Hi Aurelio,

Yes - version 5, both counter and flow sample types. Wireshark decoder doesn't seem to have any problems with the sFlow. Neither does the 'other' product that I'm using. I can also send Netflow v5 and v9 to the same probe and it works.

I'm starting to wonder if there's some form of incompatibility with the PRTG and Fortinet sFlow implementations. Perhaps PRTG is expecting a specific field that is optional, hence the other products decode correctly but that makes PRTG drop traffic? I don't have any other sources of sFlow to compare with I'm afraid.

I'd send a copy of the Wireshark sniff but there doesn't seem to be a way to attach a file.

Created on Mar 8, 2010 12:59:24 AM



Votes:

0

And the port you receive your NetFlow data on and the port for the sFlow data are different, right?

You could send a file to [email protected]

This might now be beyond the knowledge base and has to go to support.

Created on Mar 8, 2010 6:11:46 AM by  Aurelio Lombardi [Paessler Support]



Votes:

0

I'm having the same issue here. Is there something I am possibly missing here? I have my NetFlow sensor listening on 172.16.233.20 port 9997. It is still reporting no data yet. Wireshark is showing data coming in successfully on the probe PC. Any help would be great.

I have an HP 5412zl. Config below.

show run

sflow 1 destination 172.16.233.20 9997

sflow 1 polling A1-A24,B1-B24 50

sflow 1 sampling A1-A24,B1-B24 50

-------------------------------------------

Destination Instance : 1

sflow : Enabled

Datagrams Sent : 65875

Destination Address : 172.16.233.20

Receiver Port : 9997

Owner : sFlow

Timeout (seconds) : 1409444158

Max Datagram Size : 1400

Datagram Version Support : 5

--------------------------------------------

Netflow 5 Tester only shows packet data. When flow data is checked, no data is visible.

------------------------------------------

Wireshark is collecting data, which shows the data is coming in as expected.

Wireshark Output - excerpt (from Probe PC):

InMon sFlow

datagram version: 5

Sequence number: 65773

NumSamples: 7

+ Counters sample, seq 280, Generic, ifIndex 8, Ethernet

+ Counters sample, seq 272, Generic, ifIndex 31, Ethernet

+ Counters sample, seq 282, Generic, ifIndex 38, Ethernet

+ Counters sample, seq 271, Generic, ifIndex 10, Ethernet

+ Counters sample, seq 270, Generic, ifIndex 13, Ethernet

+ Counters sample, seq 275, Generic, ifIndex 36, Ethernet

+ Counters sample, seq 274, Generic, ifIndex 46, Ethernet

Created on Jul 28, 2010 7:06:05 AM



Votes:

0

Do you know if any VLAN tags are included in the sFlow packets? If so, PRTG cannot handle these yet, as they change the way the header of the sFlow packet looks.

Created on Jul 29, 2010 5:41:34 AM by  Aurelio Lombardi [Paessler Support]
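The checks this thread relies on (datagram version, whether any flow samples arrive alongside the counters samples, and whether flow samples carry input and output interface indexes) can be run directly on a captured UDP payload. The following is an added example, not part of the original posts and not PRTG or vendor code; `summarize_sflow` and `constructed_datagram` are hypothetical names, the sample datagram is constructed, and the parser also covers the expanded flow sample format, which goes beyond the cases discussed above.

```python
import struct

FLOW, COUNTERS, EXP_FLOW, EXP_COUNTERS = 1, 2, 3, 4   # sFlow v5 sample formats

def summarize_sflow(datagram: bytes) -> dict:
    """Summarize one sFlow datagram (the raw UDP payload) for troubleshooting."""
    version, addr_type = struct.unpack_from("!II", datagram, 0)
    summary = {"version": version, "flow": 0, "counters": 0, "other": 0,
               "flow_unknown_if": 0}
    if version != 5:
        return summary                            # the layout below is v5 only
    off = 8 + (4 if addr_type == 1 else 16)       # agent address: IPv4, else IPv6
    n_samples = struct.unpack_from("!I", datagram, off + 12)[0]
    off += 16                                     # sub-agent, sequence, uptime, count
    for _ in range(n_samples):
        tag, length = struct.unpack_from("!II", datagram, off)
        body = off + 8
        if body + length > len(datagram):
            raise ValueError("sample length runs past the end of the datagram")
        enterprise, fmt = tag >> 12, tag & 0xFFF
        off = body + length                       # next sample starts here
        if enterprise == 0 and fmt == FLOW:
            # seq, source_id, rate, pool, drops precede input and output
            ifs = struct.unpack_from("!II", datagram, body + 20)
        elif enterprise == 0 and fmt == EXP_FLOW:
            # expanded form carries (format, value) pairs; OR them so that
            # only format 0 with value 0 ("unknown") comes out as 0
            f_in, v_in, f_out, v_out = struct.unpack_from("!IIII", datagram, body + 24)
            ifs = (f_in | v_in, f_out | v_out)
        else:
            is_counters = enterprise == 0 and fmt in (COUNTERS, EXP_COUNTERS)
            summary["counters" if is_counters else "other"] += 1
            continue
        summary["flow"] += 1
        if 0 in ifs:                              # interface 0 means "unknown" in v5
            summary["flow_unknown_if"] += 1
    return summary

def constructed_datagram(input_if: int, output_if: int) -> bytes:
    """Constructed sample input: one counters and one flow sample, no records."""
    counters = struct.pack("!III", 280, 8, 0)     # seq, source_id, n_records
    flow = struct.pack("!8I", 1, 8, 50, 5000, 0, input_if, output_if, 0)
    samples = b"".join(struct.pack("!II", fmt, len(s)) + s
                       for fmt, s in ((COUNTERS, counters), (FLOW, flow)))
    header = struct.pack("!II4s", 5, 1, bytes([192, 0, 2, 1]))   # v5, IPv4 agent
    return header + struct.pack("!IIII", 0, 1, 1000, 2) + samples

if __name__ == "__main__":
    print(summarize_sflow(constructed_datagram(0, 0)))
```

A summary with `flow` at 0 means the datagram carried only counters samples; a non-zero `flow_unknown_if` means flow samples arrived without a usable input or output interface index.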



