NTOP and SFlow problems

Hi,
I’m trying to set up an NTOP host to collect SFlow data from our switches. I’m using SLES 11 SP3 and ntop 5.0.1.44.1 from Opensuse.

When I start NTOP, it starts complaining about sflow data:

my@myserver:$> sudo ntop
Password:
Tue Oct 29 20:59:38 2013 Initializing gdbm databases
Tue Oct 29 20:59:38 2013 ntop will be started as user ntop
Tue Oct 29 20:59:38 2013 WARNING -s set so will ATTEMPT to open interface w/o promisc mode (this will probably fail below)
Tue Oct 29 20:59:38 2013 ntop v.5.0.1 (64 bit)
Tue Oct 29 20:59:38 2013 Configured on Ago 28 2013 10:05:01, built on Ago 28 201310:05:01.
Tue Oct 29 20:59:38 2013 Copyright 1998-2012 by Luca Deri <deri@ntop.org>
Tue Oct 29 20:59:38 2013 Get the freshest ntop from ntop
Tue Oct 29 20:59:38 2013 NOTE: ntop is running from ‘ntop’
Tue Oct 29 20:59:38 2013 NOTE: (but see warning on man page for the --instance parameter)
Tue Oct 29 20:59:38 2013 NOTE: ntop libraries are in ‘/usr/lib64’
Tue Oct 29 20:59:38 2013 Initializing ntop
Tue Oct 29 20:59:38 2013 Checking eth0 for additional devices
Tue Oct 29 20:59:38 2013 Resetting traffic statistics for device eth0
Tue Oct 29 20:59:38 2013 Initializing device eth0 (0)
Tue Oct 29 20:59:38 2013 DLT: Device 0 [eth0] is 1, mtu 9000, header 14
Tue Oct 29 20:59:38 2013 Initialized events [mask: 0][path: ]
Tue Oct 29 20:59:38 2013 Initializing gdbm databases
Tue Oct 29 20:59:38 2013 VENDOR: Loading MAC address table.
Tue Oct 29 20:59:38 2013 VENDOR: Checking for MAC address table file
Tue Oct 29 20:59:38 2013 VENDOR: File ‘/etc/ntop/specialMAC.txt.gz’ does not need to be reloaded
Tue Oct 29 20:59:38 2013 VENDOR: ntop continues ok
Tue Oct 29 20:59:38 2013 VENDOR: Checking for MAC address table file
Tue Oct 29 20:59:38 2013 VENDOR: File ‘/etc/ntop/oui.txt.gz’ does not need to be reloaded
Tue Oct 29 20:59:38 2013 VENDOR: ntop continues ok
Tue Oct 29 20:59:38 2013 Fingerprint: Loading signature file
Tue Oct 29 20:59:38 2013 Fingerprint: Checking for Fingerprint file… file
Tue Oct 29 20:59:38 2013 Fingerprint: Loading file ‘/etc/ntop/etter.finger.os.gz’
Tue Oct 29 20:59:38 2013 Fingerprint: …loaded 1765 records
Tue Oct 29 20:59:38 2013 Initializing external applications
Tue Oct 29 20:59:38 2013 THREADMGMT[t139781766649600]: SFP: Started thread for fingerprinting
Tue Oct 29 20:59:38 2013 THREADMGMT[t139781758256896]: SIH: Started thread for idle hosts detection
Tue Oct 29 20:59:38 2013 THREADMGMT[t139781749864192]: DNSAR(1): Started thread for DNS address resolution
Tue Oct 29 20:59:38 2013 THREADMGMT[t139781741471488]: DNSAR(2): Started thread for DNS address resolution
Tue Oct 29 20:59:38 2013 THREADMGMT[t139781733078784]: DNSAR(3): Started thread for DNS address resolution
Tue Oct 29 20:59:38 2013 Calling plugin start functions (if any)
Tue Oct 29 20:59:38 2013 GeoIP: loaded config file /etc/ntop/GeoLiteCity.dat
Tue Oct 29 20:59:38 2013 GeoIP: loaded ASN config file /etc/ntop/GeoIPASNum.dat
Tue Oct 29 20:59:38 2013 NOTE: Interface merge enabled by default
Tue Oct 29 20:59:38 2013 SSL: Initializing…
Tue Oct 29 20:59:38 2013 SSL_PRNG: Automatically initialized!
Tue Oct 29 20:59:38 2013 WARNING SSL: Unable to find certificate ‘ntop-cert.pem’. SSL support has been disabled
Tue Oct 29 20:59:38 2013 INITWEB: Initializing web server
Tue Oct 29 20:59:38 2013 INITWEB: Initializing TCP/IP socket connections for web server
Tue Oct 29 20:59:38 2013 THREADMGMT[t139781758256896]: SIH: Idle host scan thread starting [p50427]
Tue Oct 29 20:59:38 2013 THREADMGMT[t139781749864192]: DNSAR(1): Address resolution thread running
Tue Oct 29 20:59:38 2013 THREADMGMT[t139781741471488]: DNSAR(2): Address resolution thread running
Tue Oct 29 20:59:38 2013 THREADMGMT[t139781733078784]: DNSAR(3): Address resolution thread running
Tue Oct 29 20:59:38 2013 THREADMGMT[t139781766649600]: SFP: Fingerprint scan thread starting [p50427]
Tue Oct 29 20:59:38 2013 INITWEB: Initialized socket, port 3000, address (any)
Tue Oct 29 20:59:38 2013 INITWEB: Waiting for HTTP connections on port 3000
Tue Oct 29 20:59:38 2013 INITWEB: Starting web server
Tue Oct 29 20:59:38 2013 THREADMGMT[t139781724686080]: INITWEB: Started thread for web server
Tue Oct 29 20:59:38 2013 Listening on [eth0]
Tue Oct 29 20:59:38 2013 Loading Plugins
Tue Oct 29 20:59:38 2013 Searching for plugins in /usr/lib64/ntop/plugins
Tue Oct 29 20:59:38 2013 SFLOW: Welcome to sFlow.(C) 2002-12 by Luca Deri
Tue Oct 29 20:59:38 2013 RRD: Welcome to Round-Robin Database. (C) 2002-12 by Luca Deri.
Tue Oct 29 20:59:38 2013 NETFLOW: Welcome to NetFlow.(C) 2002-12 by Luca Deri
Tue Oct 29 20:59:38 2013 Calling plugin start functions (if any)
Tue Oct 29 20:59:38 2013 RRD: Welcome to the RRD plugin
Tue Oct 29 20:59:38 2013 RRD: Mask for new directories is 0700
Tue Oct 29 20:59:38 2013 RRD: Mask for new files is 0066
Tue Oct 29 20:59:38 2013 THREADMGMT: RRD: Started thread (t139781709678336) for data collection
Tue Oct 29 20:59:38 2013 SFLOW: initializing ‘2’ devices
Tue Oct 29 20:59:38 2013 SFLOW: createsFlowDevice(2)
Tue Oct 29 20:59:38 2013 Creating dummy interface, ‘sFlow-device.2’
Tue Oct 29 20:59:38 2013 SFLOW: Created a UDP socket (15)
Tue Oct 29 20:59:38 2013 SFLOW: Collector listening on port 6343
Tue Oct 29 20:59:38 2013 THREADMGMT: SFLOW: Started thread (139781682247424) for receiving flows on port 6343
Tue Oct 29 20:59:38 2013 Initializing device sFlow-device.2 (1)
Tue Oct 29 20:59:38 2013 THREADMGMT[t139781709678336]: RRD: Data collection thread starting [p50427]
Tue Oct 29 20:59:38 2013 THREADMGMT: SFLOW: thread starting [p50427, t139781682247424]…
Tue Oct 29 20:59:38 2013 THREADMGMT[t139781724686080]: WEB: Server connection thread starting [p50427]
Tue Oct 29 20:59:38 2013 Note: SIGPIPE handler set (ignore)
Tue Oct 29 20:59:38 2013 THREADMGMT[t139781724686080]: WEB: Server connection thread running [p50427]
Tue Oct 29 20:59:38 2013 WEB: ntop’s web server is now processing requests
Tue Oct 29 20:59:38 2013 SFLOW: createsFlowDevice created device 1
Tue Oct 29 20:59:38 2013 THREADMGMT[t139781891471488]: ntop RUNSTATE: INITNONROOT(3)
Tue Oct 29 20:59:38 2013 Now running as requested user ‘ntop’ (110:113)
Tue Oct 29 20:59:38 2013 Note: Reporting device initally set to 0 [eth0]
Tue Oct 29 20:59:38 2013 INIT: Created pid file (/var/lib/ntop/ntop.pid)
Tue Oct 29 20:59:38 2013 THREADMGMT[t139781891471488]: ntop RUNSTATE: RUN(4)
Tue Oct 29 20:59:38 2013 THREADMGMT[t139781673854720]: NPS(1): Started thread for network packet sniffing [eth0]
Tue Oct 29 20:59:38 2013 THREADMGMT[t139781673854720]: NPS(eth0): pcapDispatch thread starting [p50427]
Tue Oct 29 20:59:38 2013 THREADMGMT[t139781673854720]: NPS(eth0): pcapDispatch thread running [p50427]
Tue Oct 29 20:59:38 2013 THREADMGMT: SFLOW: thread running [p50427, t139781682247424]…
Tue Oct 29 20:59:38 2013 THREADMGMT[t139781758256896]: SIH: Idle host scan thread running [p50427]
Tue Oct 29 20:59:38 2013 THREADMGMT[t139781766649600]: SFP: Fingerprint scan thread running [p50427]
flow_sample_element length error (expected 24, found 20)
SFABORT: 3
flow_sample_element length error (expected 1, found 148)
SFABORT: 3
flow_sample_element length error (expected 24, found 20)
SFABORT: 3
flow_sample_element length error (expected 1, found 100)
SFABORT: 3
flow_sample_element length error (expected 24, found 20)
SFABORT: 3
flow_sample_element length error (expected 1, found 148)
SFABORT: 3
flow_sample_element length error (expected 24, found 20)
SFABORT: 3
flow_sample_element length error (expected 1, found 148)
SFABORT: 3
flow_sample_element length error (expected 24, found 20)
SFABORT: 3
flow_sample_element length error (expected 1, found 88)
SFABORT: 3
flow_sample_element length error (expected 24, found 20)
SFABORT: 3
flow_sample_element length error (expected 1, found 148)
SFABORT: 3
flow_sample_element length error (expected 24, found 20)
SFABORT: 3
flow_sample_element length error (expected 1, found 148)
SFABORT: 3
flow_sample_element length error (expected 24, found 20)
SFABORT: 3
flow_sample_element length error (expected 1, found 148)
SFABORT: 3
flow_sample_element length error (expected 24, found 20)
SFABORT: 3
flow_sample_element length error (expected 1, found 148)
SFABORT: 3
flow_sample_element length error (expected 24, found 20)
SFABORT: 3
flow_sample_element length error (expected 1, found 148)
SFABORT: 3
flow_sample_element length error (expected 24, found 20)
SFABORT: 3
flow_sample_element length error (expected 1, found 148)
SFABORT: 3
flow_sample_element length error (expected 24, found 20)
SFABORT: 3
flow_sample_element length error (expected 1, found 148)
SFABORT: 3
flow_sample_element length error (expected 24, found 20)
SFABORT: 3
flow_sample_element length error (expected 1, found 148)
SFABORT: 3
flow_sample_element length error (expected 24, found 20)
SFABORT: 3
flow_sample_element length error (expected 1, found 148)
SFABORT: 3
flow_sample_element length error (expected 24, found 20)
SFABORT: 3
flow_sample_element length error (expected 1, found 148)
SFABORT: 3
flow_sample_element length error (expected 24, found 20)
SFABORT: 3
flow_sample_element length error (expected 1, found 148)
SFABORT: 3

(…)

I’ve searched around a bit, but only found old hits.
Could anyone send me some clues on how to fix this?

These are the openSUSE forums. You need to go here for your question: https://forums.suse.com/forum.php

Thank You,

The package was downloaded from OpenSuse repository, and recompiled from source. Do I really need to ask in the SuSE forums, just to have the answer that I need to come back here?

On 2013-10-30 16:26, jqueiroz wrote:
>
> jdmcdaniel3;2594350 Wrote:
>> These are the openSUSE forums. You need to go here for your question:
>> https://forums.suse.com/forum.php
>>
>> Thank You,
>
> The package was downloaded from OpenSuse repository, and recompiled from
> source. Do I really need to ask in the SuSE forums, just to have the
> answer that I need to come back here?

You should not mix packages from different sources, results are not
predictable. Ask on the SUSE forums where to get an ntop package for
SLES/SLED.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

There’s no NTOP package in SUSE.

Is OpenSuse so different from SLES 11 that no one can help me here? Oh, Lord…

That’s OK, I understand that I’ll have to find myself a way to solve this.

Please, someone call a moderator to close this topic.

SLES 11 is a commercial product, openSUSE is not, and you mix the two at your own risk, but that is unsupported here.

Thank You,

On 2013-10-30 17:26, jqueiroz wrote:
>
> There’s no NTOP package in SUSE.
>
> Is OpenSuse so different from SLES 11 that no one can help me here?
> Oh, Lord…

Yes, they are different. I had no idea that SUSE did not include the
ntop package, for instance. Kernels are different versions on both,
different libraries… SLES takes one openSUSE version as base, and then
it starts differing over its lifetime. You cannot pick one from the
other distro and expect them to work. They may work, they may not. If
they don’t, you uninstall that and search for another package, but you
cannot expect people that don’t even use SLES to try to help you with
that mixture.

For your info, I did find NTOP packages designed for SLES in the build
service:


http://software.opensuse.org/package/ntop

if you tick “show other versions”, “show unstable versions”:

SUSE SLE-11 SP 3

server:monitoring

SUSE SLE-11 SP 2

server:monitoring
home:luizluca:branch…

However, those are not official, and might break (breach?) your
maintenance contract. Precisely on this we (most of us, anyway) cannot
help you because we cannot know what terms those contracts have, they
are not familiar to us.

So, even if you use packages from the opensuse.org build service made
for SLES, you have to ask your colleagues from the SUSE forums about how
well or badly they work on SLES.

It is not that we do not wish to help you, it is that we do not have the
knowledge.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)