A couple weeks ago a customer reported an issue where, apparently, our NetFlow and sFlow Analyzer was not seeing traffic from Vyatta Core 6. This being the second time the issue is reported to us, I was encouraged to talk about it.

In general, whether it is a collector issue or an exporter issue, from a tech support view point, I would say that the Scrutinizer web interface does a great job signaling what might be preventing proper network traffic analysis. This customer’s Scrutinizer web  interface seemed to be saying: “There are flows coming from Vyatta, but there is nothing to report on”. Whenever he restarted the Netflow collector, everything would work well for a short period of time, then in the Scrutinizer web interface, while the Vyatta widget would  still be green, indicating that it is eventually sending netflow, its interfaces would turn yellow (no data to report for this interface) for a few hours before the collector completely stops.

What we found

His Vyatta was sending NetFlow packets that were not properly constructed. Looking at their content, we found that they did not contain flow information, but packet headers only, which gives Scrutinizer nothing to report on.

Recommendations

Unfortunately I am not a Vyatta expert. If you are experiencing a similar issue, I recommend consulting the Vyatta community, or try other software base routing/firewall systems such as nProbe, pfsense, Quagga,etc. I can’t tell you much about pfsense or Quagga; however, once in a while we get calls from nProbe users, it supports NetFlow and seems to work well for them.

Looks like Vyatta has joined the mix of vendors supporting NetFlow and sFlow. According to the Vyatta press release, it requires an upgrade to VC6 of their operating system which is still in alpha development. This will make them the first company I’m familiar with that supports both technologies on the same hardware. Typically vendors implement sFlow in hardware, but Vyatta did it in software as they did NetFlow v5 and v9 support.
Read more »