From: "Eugene M. Zheganin"
Date: Tue, 26 May 2015 18:36:47 +0500
To: freebsd-net@freebsd.org
Subject: ng_netflow
Message-ID: <556476EF.1090706@norma.perm.ru>

Hi.

I'm using ng_netflow along with flow-tools to collect traffic statistics. What is bothering me is that I constantly see lost flow. What is even more weird is that ng_netflow and flow-capture are on the same host, and are communicating via lo0:

May 26 18:33:16 balancer1 flow-capture[67265]: ftpdu_seq_check(): src_ip=127.0.0.1 dst_ip=49.51.57.55 d_version=5 expecting=2033661856 received=2033666446 lost=4590
May 26 18:33:17 balancer1 flow-capture[67265]: ftpdu_seq_check(): src_ip=127.0.0.1 dst_ip=0.0.0.0 d_version=5 expecting=2033666446 received=2033666476 lost=30
May 26 18:33:17 balancer1 flow-capture[67265]: ftpdu_seq_check(): src_ip=127.0.0.1 dst_ip=49.52.48.48 d_version=5 expecting=2033461677 received=2033666926 lost=205249
May 26 18:33:17 balancer1 flow-capture[67265]: ftpdu_seq_check(): src_ip=127.0.0.1 dst_ip=0.0.0.0 d_version=5 expecting=2033666926 received=2033666956 lost=30

Plus I see weird IPs like "dst_ip=0.0.0.0" or "dst_ip=0.2.0.4". Can someone point me what am I doing wrong?

I configure the netflow like this:

/usr/sbin/ngctl -f- <<-SEQ
mkpeer bge0: netflow lower iface0
name bge0:lower netflow
connect bge0: netflow: upper out0
connect bge1: netflow: lower iface1
connect bge1: netflow: upper out1
msg netflow: setconfig { iface=0 conf=63 }
msg netflow: setconfig { iface=1 conf=63 }
msg netflow: setmtu { mtu=16384 }
mkpeer netflow: ksocket export inet/dgram/udp
msg netflow:export connect inet/127.0.0.1:4444
name netflow:export ksocket
SEQ

By the way, setting MTU to 16384 doesn't change the packet size as tcpdump sees it on lo0.

Thanks.
Eugene.
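
Added example, not part of the original post and not flow-tools code: a small Python parser for the ftpdu_seq_check() lines quoted above that recomputes each sequence gap modulo 2^32, checks it against the reported lost= value, and totals the loss per src_ip/dst_ip pair as the log prints it. The function names and the min_datagrams figure (derived from the NetFlow v5 limit of 30 records per datagram) are assumptions of this example.

```python
import re
from collections import defaultdict

# The four flow-capture lines from the post, with the mail line wraps rejoined.
LOG = """\
May 26 18:33:16 balancer1 flow-capture[67265]: ftpdu_seq_check(): src_ip=127.0.0.1 dst_ip=49.51.57.55 d_version=5 expecting=2033661856 received=2033666446 lost=4590
May 26 18:33:17 balancer1 flow-capture[67265]: ftpdu_seq_check(): src_ip=127.0.0.1 dst_ip=0.0.0.0 d_version=5 expecting=2033666446 received=2033666476 lost=30
May 26 18:33:17 balancer1 flow-capture[67265]: ftpdu_seq_check(): src_ip=127.0.0.1 dst_ip=49.52.48.48 d_version=5 expecting=2033461677 received=2033666926 lost=205249
May 26 18:33:17 balancer1 flow-capture[67265]: ftpdu_seq_check(): src_ip=127.0.0.1 dst_ip=0.0.0.0 d_version=5 expecting=2033666926 received=2033666956 lost=30
"""

LINE_RE = re.compile(
    r"ftpdu_seq_check\(\): src_ip=(?P<src>\S+) dst_ip=(?P<dst>\S+) "
    r"d_version=(?P<ver>\d+) expecting=(?P<exp>\d+) received=(?P<rcv>\d+) lost=(?P<lost>\d+)"
)
V5_MAX_RECORDS = 30  # a NetFlow v5 datagram carries at most 30 flow records


def parse(log):
    """Yield one dict per ftpdu_seq_check() line; other lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ev = {k: (v if k in ("src", "dst") else int(v)) for k, v in m.groupdict().items()}
        # flow_sequence is a 32-bit counter, so the gap is taken modulo 2**32.
        ev["gap"] = (ev["rcv"] - ev["exp"]) % 2**32
        ev["consistent"] = ev["gap"] == ev["lost"]  # does lost= match the arithmetic?
        yield ev


def summarize(events):
    """Total the gaps per (src_ip, dst_ip) pair exactly as the log prints it."""
    out = defaultdict(lambda: {"events": 0, "lost": 0, "min_datagrams": 0})
    for ev in events:
        s = out[(ev["src"], ev["dst"])]
        s["events"] += 1
        s["lost"] += ev["gap"]
        # Fewest v5 datagrams that could account for this gap (ceiling division).
        s["min_datagrams"] += -(-ev["gap"] // V5_MAX_RECORDS)
    return dict(out)


if __name__ == "__main__":
    for key, stats in summarize(parse(LOG)).items():
        print(key, stats)
```

On the quoted lines every lost= value equals received minus expecting, and both dst_ip=0.0.0.0 events are gaps of exactly 30 records, the size of one full v5 datagram.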