Using Analytics

Configuring vFlow for Analytics

Redirecting Analytics to a Rear Facing NIC

Using vFlows to Disable Communication

Configuring Mirroring for vFlows and Ports

Port Mirroring to a Remote Host

Managing Traffic Classes with vFlow

Applying CoS Queue Mapping based on Re-Marked DSCP in vFlow

Configuring Burst Size in vFlow for Maximum Bandwidth

Displaying Multiple Objects for Show Commands

Support for Policy-based Routing

Using Application Flows and Statistics

Support for Policy-based Routing

Configuring vFlows in Virtual Wire Mode

Support for TCP Parameters using vFlows

Configuring vFlows with User Defined Fields (UDFs)

Configuring Priority-based Flow Control

Configuring Priority-based Flow Control Port Statistics

About sFlow

Using Wireshark to Analyze Packets in Real Time

Configuring vFlow for Analytics

A vFlow can be used to capture packets for analysis, and you can determine if the vFlow captures packets across the fabric or on a single switch. Packets are captured by forwarding them from the data plane of the switch to the control plane.

A flow that directs packets to the switch CPU can be configured to save packets to a file by enabling the log-packets parameter. Netvisor writes the file using a libcap compatible format so you can use programs like TCPdump and Wireshark to read the file. You export the file to clients using NFS or SFTP.

Packet capture data is available with switch or fabric scope. Netvisor stores the pcap files stored over NFS in the following locations:

/net/<ServerSw_Name>/ONVL/global/flow/<Flow_Name>/switch/<Switch_Name>/pcap

/net/<ServerSw_Name>/ONVL//<_Name>/flow/<Flow_Name>/
switch/<Switch_Name>/pcap

/net/<ServerSw_Name>/ONVL/global/flow/<Flow_Name>/fabric/pcap

/net/<ServerSw_Name>/ONVL//<_Name>/flow/<Flow_Name>/
fabric/pcap

Snooping only works if you use the parameters, copy-to-cpu or to-cpu. The copy-to-cpu parameter ensures that the data plane forwards the packets and sends a copy to the CPU. Use this parameter if you want traffic to flow through the switch. The to-cpu parameter does not forward packets and interrupts traffic on the switch. To snoop all application flow packets of protocol type TCP, enter the following CLI commands at the prompt:

CLI network-admin@switch > vflow-create name snoop_all scope local proto tcp action copy-to-cpu

Then use the following command to display the output:

CLI network-admin@switch > vflow-snoop

switch: pleiades24, flow: snoop_all, port: 65, size: 66, time: 20:07:15.03867188

smac: 64:0e:94:28:00:fa, dmac: 64:0e:94:2c:00:7a, etype: ip

sip: 192.168.2.51, dip: 192.168.2.31, proto: tcp

sport: 42120, dport: 33399

 

switch: pleiades24, flow: snoop_all, port: 65, size: 184, time: 20:07:15.03882961

smac: 64:0e:94:28:00:fa, dmac: 64:0e:94:2c:00:7a, etype: ip

sip: 192.168.2.51, dip: 192.168.2.31, proto: tcp

sport: 42120, dport: 33399

 

switch: pleiades24, flow: snoop_all, port: 43, size: 66, time: 20:07:15.03893740

smac: 64:0e:94:2c:00:7a, dmac: 64:0e:94:28:00:fa, etype: ip

sip: 192.168.2.31, dip: 192.168.2.51, proto: tcp

sport: 33399, dport: 42120

 

To restrict the flows captured to TCP port 22, SSH traffic, create the following vFlow:

CLI network-admin@switch > vflow-create name snoop_ssh scope local action copy-to-cpu src-port 22 proto tcp vflow-add-filter name snoop_ssh

 

Then use the vflow-snoop command to display the results:

switch: pleiades24, flow: snoop_ssh, port: 41, size: 230, time: 10:56:57.05785917 src-mac: 00:15:17:ea:f8:70, dst-mac: f4:6d:04:0e:77:60, etype: ip src-ip: 10.9.11.18, dst-ip: 10.9.10.65, proto: tcp src-port: 22, dst-port: 62356

switch: pleiades24, flow: snoop_ssh, port: 41, size: 118, time: 10:56:57.05922560 src-mac: 00:15:17:ea:f8:70, dst-mac: f4:6d:04:0e:77:60, etype: ip src-ip: 10.9.11.18, dst-ip: 10.9.10.65, proto: tcp src-port: 22, dst-port: 62356

 

The optional parameter vflow-add-filter restricts the output of the vflow-snoop command to the packets matching the snoop_ssh flow definition.

To capture traffic packets for a flow across the entire fabric, create a flow with the scope of fabric. To copy the packets to a pcap file, add the log-packets option:

CLI network-admin@switch > vflow-create name fab_snoop_all scope fabric action copy-to-cpu port 22 log-packets yes

If you enable log-packets, Netvisor allows you to access the separate pcap files for all switches on any switch. In addition, Netvisor provides a consolidated pcap file that aggregates the packets from all switches in the entire fabric.

Support for IPv6 IP Addresses and vFlow Configurations

You must modify the vFlow table profile using the new command, vflow-table-profile-modify:

vflow-table-profile-modify profile ipv6 hw-tbl switch-main percent 10

You must reboot the switch in order for the settings to take effect. To ensure that the profile is available after rebooting, use the vflow-table-show command:

vflow-table-show

switch   name                  flow-max flow-used flow-tbl-slices capability     flow-profile

-------- --------------------- -------- --------- --------------- -------------- ------------

lev-leo2 Egress-Table-1-0      512      0         1               match-metadata system       

lev-leo2 IPv6-Table-1-0        2048     0         1               none           ipv6         <=========

lev-leo2 System-L1-L4-Tun-1-0  1536     41        2               set-metadata   system       

lev-leo2 System-VCAP-table-1-0 512      0         1               none           system

 

Redirecting Analytics to a Rear Facing NIC

This feature provides an option to copy analytics traffic to one of the rear facing NICs instead of the CPU. By redirecting analytics traffic to a dedicated port instead of the common CPU port, Netvisor OS alleviates the load on the CPU port.

Netvosr provides an analytics port as part of all VLANs and removes the port from the flood map. When you enable the connection-stats-setting to redirect analytics, Netvisor OS receives information from the switch vPort database. This feature does not impact HA (High Availability) impact as Netvisor supports this feature locallyto the switch.

The following command specifies the target of analytics traffic on the supported switch:

connection-stats-settings-modify redirect-analytics-vflow span3

    

The following command entered through the CLI returns to the default setting of redirecting the traffic to CPU:

connection-stats-settings-modify redirect-analytics-vflow none

 

Using vFlows to Disable Communication

Flows can be used to specify communications not allowed with a switch or a fabric. Use the following steps to create a vFlow as a firewall:

1. Define a VLAN and destination IP-based flow and specify to drop the flow on the switch, with statistics monitoring enabled:

CLI network-admin@switch > vflow-create name flow3 scope local vlan 99 dst-ip 172.168.24.1 action drop stats enable

 

Display the statistics for the new flow above as the traffic is dropped:

CLI network-admin@switch > vflow-stats-show name flow3 show-diff-interval 5

switch    name  packets  bytes  cpu-packets  cpu-bytes

aquila02  flow3 864      116K   0            0

switch    name  packets  bytes  cpu-packets  cpu-bytes

aquila02  flow3 5        936K   0            0

 

Netvisor has many options available for creating vFlows, and vFlows can be used to shape traffic, capture statistics, capture flow metadata, capture packets, or manage communications. The options include:

vlan

in-port

out-port

ether-type

src-mac

src-mac-mask

dst-mac

dst-mac-mask

src-ip

src-ip-mask

dst-ip

dst-ip-mask

src-port

dst-port

dscp

tos

proto

flow-class

uplink-ports

bw-min

bw-max

precedence

action

action-value

no-mirror

mirror

no-process-mirror

process-mirror

no-log-packets

log-packets

packet-log-max

stats

stats-interval

duration

no-transient

transient

vxlan

vxlan-ether-type

vxlan-proto

Use Case Scenario

In a real use case, the command connection-show server-ip 10.9.10.117 was used to analyze a suspicious connections to server 10.9.10.117:

switch:                     switch02

vlan:                       1

client-ip:                  10.9.9.33

server-ip:                  10.9.9.107

service:                    http

dur(s):                     0

latency(us):                65

out-bytes:                  0

in-bytes:                   0

active:                     yes

switch:                     switch02

vlan:                       1

client-ip:                  10.9.9.33

server-ip:                  10.9.9.107

service:                    http

dur(s):                     210

latency(us):                7

out-bytes:                  48804

in-bytes:                   6120

active:                     yes

switch:                     switch02

vlan:                       1

client-ip:                  10.9.9.33

server-ip:                  10.9.9.107

service:                    http

dur(s):                     328

latency(us):                30

out-bytes:                  48720

in-bytes:                   612620

active:                     yes

Configuring Mirroring for vFlows and Ports

An Netvisor OS fabric administrator can run services and applications within the switch. Consider the use case of an application that needs access to data flowing through the switch, but does not want to impede that flow. The port-mirroring feature provides this functionality.

The system predefines a mirror configuration, but does not insert any traffic into the mirror. Use the following steps to setup mirroring to send from all of the data ports to the span port (port 66)The command syntax for mirror-modify is as follows:

CLI network-admin@switch > mirror-modify out-port port-list in-port port-list [policy port|vflow] mirroring|no-mirroring

CLI network-admin@switch > mirror-show [format fields-to-display] [parsable-delim character] [sort-asc] [sort-desc] [show dups] [layout vertical|horizontal] [show-interval seconds-interval]

View the status of mirroring by entering the following at the CLI command prompt:

CLI network-admin@switch > mirror-show

switch: T6001-ON

direction: bidirection

out-port:

in-port:

mirroring: disable

 

Because Netvisor does not auto-configure the parameter out-port and disables mirroring by default, no data mirroring occurs on the ports.

To modify the mirroring configuration, use the following steps:

1. Use the mirror-modify command to set the output to the span port. However, if you see more than 10Gb of traffic on ports 1-64, do not execute this command.

CLI network-admin@switch > mirror-modify in-port 1-64 out-put 66 mirroring

mirror-show

switch:        T6001-ON

direction:     bidirection

out-put:       66

in-port:       1-64

mirroring:     enable

To disable the configuration, use the following command:

CLI network-admin@switch > mirror-modify no-mirroring

mirror-show

switch: T6001-ON

direction: bidirection

out-port: 66

in-port: 1-64

mirroring: disable

 

Port Mirroring to a Remote Host

A port mirroring configuration that allows mirrored traffic to be transmitted to a remote host located across L2 or L3 IP network. This feature allows you to monitor traffic from source ports distributed over multiple switches, which means that you can centralize your network capture devices. Port Mirroring to a remote host works by mirroring the traffic from the source ports of a mirrored port session onto a VLAN dedicated for the port mirroring session. Netvisor trunks the VLAN to other switches, allowing session traffic to transport across multiple switches. On the switch containing the destination port for the session, Netvisor missors traffic from the session VLAN out the destination port. Netvisor provides parameters for the mirror-create command for this feature.

Mirroring Traffic to a Virtual Machine (VM) Interface

Netvisor supports mirroring traffic coming from a switch port rear facing network interface card (NIC) to a VM NICd. You may find this feature useful for several reasons:

Managing Traffic Classes with vFlow

Netvisor OS provides a full set of traffic class features, including the ability to view and create traffic classes, as well as assign traffic classes to flows to manage the quality of service of the flow traffic and shape the traffic passing through an Netvisor fabric.

To display the currently defined traffic classes:

CLI network-admin@switch > vflow-class-show

name          scope  type   priority

------------- ------ ------ --------

meter         fabric system 0        

guaranteed_bw fabric system 9        

lossless      fabric system 10       

control       fabric system 11

 

The higher the priority number, the higher the priority of the class. To add a vflow class, use the vflow-class-create command:

CLI network-admin@switch > vflow-class-create name traffic-1 scope fabric priority 5

Netvisor creates a traffic class with a scope of fabric and medium priority.

To add a traffic class to a vFlow, create a vFlow and assign a traffic class. In this case the flow applies to a single IP address:

CLI network-admin@switch > vflow-create name losslessflow scope local src-ip 10.11.1.10 src-ip-mask 255.255.255.255 action none flow-class lossless

CLI network-admin@switch > vflow-show name losslessflow layout vertical

switch: aquila12

name: losslessflow

scope: local

type: vflow

vlan: 0

:

in-port:

out-port:

ether-type: 0

src-ip: 10.11.1.10

dst-ip:::

src-port: 0

dst-port: 0

proto: ip

flow-class: lossless

bw-max: 0

pri: 0

action: none

action-value: 0

transient: no

 

Traffic from IP address 10.11.1.10 now has a very high priority throughout the switch. For a similar high priority throughout the fabric use scope fabric rather than scope local.

When a TCP session goes through the NPU, and Netvisor exceeds capacity, the return traffic with TCP ACK packets can get dropped from the session. To avoid this, create a flow that matches the TCP ACK packets and set a higher precedence for it.

Applying CoS Queue Mapping based on Re-Marked DSCP in vFlow

Currently, Netvisor OS allows a vFlow to mark or re-mark matched packets with a DSCP value on egress. As a result, Netvisor OS does not prioritize any of the traffic in terms of the egress port CoS queue selected for transmit. Another feature, Enabling DSCP to Priority and CoS Mappings introduces the ability to create DSCP QoS maps and apply to ports, but the maps apply to ingress packets. This feature introduces the ability prioritize traffic based on the remarked DSCP value in a vFlow

Netvisor OS creates named DSCP maps as independent objects, and applies the maps to ingress ports for prioritization of packets based on the DSCP markings. In this feature, you can apply the same maps in a vFlow. QoS maps can be applied to ports, but not to Flow Processor entries corresponding to vFlows. This implementation does the prioritization explicitly, since flows can be configured with CoSQ values. The implementation has the following features:

You can specify the name of a DSCP map in the vflow-create command:

dscp-map dscp-map name | none

Specify the DSCP map to apply on the flow. Please reapply if map priorities are updated.

 

Configuring Burst Size in vFlow for Maximum Bandwidth

The vflow-create and vflow-modify commands support a configurable burst-size parameter. Netvisor requires attaching a flow-class to a meter by configuring the bw-max parameter to a vFlow.

You may find the feature useful because you can now specify different burst-sizes for different types of metered traffic. For example, you can configure higher burst levels for a metered application that may produce bursty traffic patterns when you click on it, such as a media-rich Web page link.

This feature defaults to burst-size auto, which auto-calculates the burst size based on the maximum bandwidth settings for the vFlow. You can configure a burst-size number between 256B through 128MB.

CLI network-admin@switch > vflow-create name name-string scope local|fabric in-port port-list bw-max bw-max-number burst-size number

For example, to create a vFlow with a burst size of 12 MB, use the following syntax:

CLI network-admin@switch > vflow-create name flow1 scope local in-port 12 bw-max 5G burst-size 12M

Displaying Multiple Objects for Show Commands

In previous versions of software, Netvisor did not display multiple objects for show commands. Netvisor displayed either one object or all objects in show ouput. For example, the show command, vflow-show, displayed all vFlows or just one specified vFlow.

Now, you can specify multiple objects to display. For example, for vflow-show, you can specify which vFlows to display:

vflow-show name [TAB]

Internal-Keepalive      

System-S                

System-F                

System-R                

System-VLE-S            

System-VLE-F            

System-VLE-R            

VIRT_WIRE_MAS_SLV_17_19

VIRT_WIRE_SLV_MAS_19_17

VIRT_WIRE_MAS_SLV_18_20

VIRT_WIRE_MAS_SLV_20_18

 

Now you can specify the vFlows to display:

vflow-show name System-S,System-R

switch   name     scope type   proto tcp-flags precedence action      action-to-ports-value enable

-------- -------- ----- ------ ----- --------- ---------- ----------- --------------------- ------

dorado05 System-S local system tcp   syn       default    copy-to-cpu none                  enable

dorado05 System-R local system tcp   rst       default    copy-to-cpu none                  enable

 

 

cpu-class-show name arp,dhcp,l3-miss

 switch   name    scope rate-limit hog-protect hog-protect-support queue

 -------- ------- ----- ---------- ----------- ------------------- -----

Leaf1    arp     local 1000       disable     supported           21    

Leaf1    dhcp    local 1000       disable     none                24    

 Leaf1    l3-miss local 1000       disable     none                10

 

Support for Policy-based Routing

Policy-based Routing (PBR) enables flexible packet forwarding and routing through user defined policies. Unlike traditional routing based on destination IP address only, PBR allows you to define routes based on other parameters such as source and destination IP addresses, protocol, or souce and destination port numbers.

Policy-based routes match packets based on the following criteria:

Configure PBR using vFlow commands. Internally, policy routing of the packets uses a vFlow entry. Netvisor creates PBR vFlow entries in a new vFlow table, System-L3-L4-PBR.

To enable PBR, use the following command:

system-settings-modify policy-based-routing

 

To disable PBR, use the following command:

system-settings-modify no-policy-based-routing

 

To display the vFlow table, use the following command:

vflow-table-show

switch      name                 flow-max   flow-used flow-tbs-slices capability     flow-profile

-------- --------------------  --------   --------- --------------- -------------  ----------------

Spine1   System-L3-L4-PBR-1-0                                       set-metadata  system=>PBR Table

 

Now you configure a vFlow for the routing policy, using the following syntax:

vflow-create name name-string vrouter-name name-string scope local next-hop-ip gateway-ip-address table-name System-L3-L4-PBR-1-0

 

You can only specify the scope as local.

Using Application Flows and Statistics

Displaying Standard Statistics

Display standard statistics consisting of flow-based information collected and tracked continuously by the switch.

To show connection-level statistics, traffic flows between a pair of hosts for an application service, including current connections and all connections since the creation of the fabric, enter the following CLI command at the prompt:

CLI network-admin@switch > connection-stats-show

switch:        pleiades24

mac:           00:e0:81:e4:02:12

vlan:          200

ip:            100.200.1.3

port:          53

iconns:        80

oconns:        0

ibytes:        0

obytes:        0

total-bytes:   0

last-seen-ago: 4d19h32m23s

switch:        pleiades24

mac:           00:12:c0:80:1e:85

vlan:          200

ip:            100.200.1.4

port:          16

iconns:        0

oconns:        70684

ibytes:        578M

obytes:        890M

total-bytes:   1.43G

last-seen-ago: 46s

 

From the information displayed in the output, you can see statistics for each switch, VLANs, client and server IP addresses, as well as the services on each connection. Latency and other information is also displayed.

The latency(us) column displays the running latency measurement for the TCP connection in microseconds. It indicates end-to-end latency and includes the protocol stack processing for the connected hosts and all intermediary network hops.

This is not the same latency measurement experience by a packet transiting the switch port-to-port. The port-to-port latency is platform-dependent and you should refer to the datasheet for your switch model.

To display specific types of connections, use the additional parameters with the command. For instance to display VLANs of connections,

 

CLI network-admin@switch > connection-stats-show vlan

switch   vlan vxlan  client-ip   server-ip    service active age

switch12 1    0          10.9.10.152 96.17.77.96  http     yes 35m27s

switch12 5    0          10.12.1.47  10.9.10.204  445      yes 7m56s

switch12 1    0          10.9.9.21   23.62.97.88  http     yes 3m41s

switch12 1    0          10.9.9.21   23.60.129.224http     yes 3m44s

switch12 1    0          10.9.10.72  10.9.99.23   http     yes 7s

. . .

 

To display a summary of traffic statistics for each application service, use the service-stats-show command.

CLI network-admin@switch > service-stats-show

switch         service         bytes

pleiades24     53495           584

pleiades24     8084            845M

pleiades24     59475           33.9K

pleiades24     imap            1.83M

pleiades24     35356           106

pleiades24     54341           584

 

From the information displayed in the output, review each switch, service, and the number of bytes used by each service.

Understanding vFlow Statistics

Virtual network-based flows, vflows, display statistics for packet traffic flows on a switch and across the

fabric. Netvisor vFlows are very powerful and provide many features such as quality of service (QoS), traffic shaping,packet redirect, drop actions, mirror, and capture.

A vFlow can be configured to store log statistics to a file accessible to clients using NFS and SFTP. If you enable statistics logging, Netvisor periodically polls the switch for the most recent statistics for each flow and saves the statistics to an exported file. Netvisor also saves individual statistics received from other switches in the fabric and combines the statistics from all switches to record aggregate statistics for the entire fabric.

The switch consists of two components, the switch and the server. vFlows with operations like drop are executed within the switch component. Some vFlows operations for QoS take place in the switch component, while others operate within the co-processor by directing pertinent traffic to the co-processor.

There, the traffic is managed and then sent back to the switch component.Other actions such as copy-to-cpu sends the match traffic to the server component where the traffic is managed and then forwards packets for delivery. In general, the details are managed by Netvisor including fabric scope commands that cause all switches within a fabric to participate in an operation and sends the compiled results to the CLI or to log files.

Before you can access the files, you must enable SFTP access to the log files by using the admin-service-modify command.

 

CLI network-admin@switch > CLI network-admin@switch > vflow-share-show

switch enable share-path

pleiades24 fab1-global no pleiades24://fab1-global

pleiades24 fab1-global no pleiades24://fab1-global

pleiades24 fab1-global no pleiades24:///fab1-global

pleiades24 fab1-global no pleiades24://fab1-global

pleiades24 fab1-global no pleiades24://fab1-global

CLI network-admin@switch > CLI network-admin@switch > vflow-share-modify fab1-global enable

vflow-share-show

switch enable share-path

pleiades24 fab1-global yes pleiades24://fab1-global

pleiades24 fab1-global no pleiades24://fab1-global

pleiades24 fab1-global no pleiades24://fab1-global

pleiades24 fab1-global no pleiades24://fab1-global

pleiades24 fab1-global no pleiades24://fab1-global

 

You can then access the statistics log files using NFS in the following locations:

For the switch scope, the files are located in

/net/switch-name//-name/flow/flow-name/switch/

switch-name/stats

For the fabric scope, the files are located in

/net/switch-name//-name/flow/flow-name/fabric/

stats

To create a vFLow for example, Host-Agent-Discover, and measure statistics, enter the following command:

CLI network-admin@switch > CLI network-admin@switch > vflow-create name Host-Agent-Discover scope local system

To view all vFlows currently tracked by the switch or fabric, use the vflow-show command:

CLI network-admin@switch > vflow-show

switch:           pleiades24

name:             Host-Agent-Discover

scope:            local

type:             system

dst-ip:           224.4.9.6

precedence:       2

action:           copy-to-cpu

switch:           pleiades24

name:             DHCP-client

scope:            local

type:             system

in-port:          1-68

src-port:         68

proto:            udp

precedence:       2

action:           copy-to-cpu

switch:          pleiades24

name:             Host-Agent-Discover

scope:            local

type:             system

dst-ip:           224.4.9.6

precedence:       2

action:           copy-to-cpu

switch:          pleiades24

name:             DHCP-client

scope:            local

type:             system

in-port:          1-68

src-port:         68

proto:            udp

precedence:       2

action:           copy-to-cpu

 

From the information displayed in the output, you can review the switch, the name of the vFlow, scope, type of vFlow, destination IP address, precedence, and action for the vFlow.

To display statistics for all vFlows, use the vflow-stats-show command:

CLI network-admin@switch > vflow-stats-show

switch     name          packets   bytes    cpu-packets    cpu-bytes

------     ----          -------   -----    -----------    ---------

pleiades24IGMP-Flow      368K      23.0M    392K           23.0M

pleiades24 LLDP-Flow     82.9K     26.3M    82.9K          26.0M

pleiades24 Host-Agent    17.8K     1.11M    0              0

pleiades24 ECP           0         0        0              0

 

To monitor statistics of a vFlow and update every 10 seconds, use the following syntax:

CLI network-admin@switch > vflow-stats-show name flow1 show-diff-interval 10

 

To log persistent records of flow statistics, use the logging parameter and collect statistics every 10 seconds:

CLI network-admin@switch > vflow-create name monitor-flow scope local ether-type arp stats log stats-interval 5

Display the statistics logs for the new flow using the vflow-stats-show command.

 

Informational Note: Conflicting vFlows

Multiple vFlows can be active at once, but Netvisor cannot apply them at the same time. You can use the precedence parameter to set the order of the vFlows. If you set the precedence to a higher value (0 - 10 with 0 as the lowest precedence), the vFlow has a higher precedence than those with lower values. If you are seeing error messages about vFlow conflicts, try adding a precedence value to new or existing vFlows.

Creating vFlows with the Scope Fabric

To create vFlows across the entire fabric, configure the vFlow with the scope fabric and stats enable option. Using these parameters enables statistics for the flow on all switches for all members of the fabric and you can display the statistics for any switch in the fabric.

To create a vFlow for VLAN1 with the scope fabric, use the following syntax:

CLI network-admin@switch > vflow-create name fab_flow1 scope fabric stats enable vlan 1

To display the statistics for the new vFlow for a switch in the fabric, use the following syntax:

CLI network-admin@switch > switch switch-name vflow-stats-show name fab_flow1

name      packets      bytes  cpu-packets  cpu-bytes

----      -------      -----  -----------  ---------

fab_flow1 51.4K        13.8M  50.1K        13.1M

 

If you omit the switch name, all vFlow statistics for the fabric are displayed.

switch    name      packets bytes cpu-packets cpu-bytes

------    ----      ------- ----- ----------- ---------

pleiades1 fab_flow1 1.32K   305K  1.29K       291K

pleiades2 fab_flow1 910     256K  884         243K

 

Example Use Cases for vFlows

The following examples illustrate how to use vFlows to impact traffic on the switch. You can regulate bandwidth, create multiple vFlows, or share bandwidth.

Creating Multiple vFlows

1. You can create multiple vFlows and add precedence values to the vFlows. Netvisor matches the packet to the vFlow with the highest precedence. Create the first vFlow:

CLI network-admin@switch > vflow-create name client-flow1 scope fabric  bw flow-class meter bw-max 2g

Create the second vFlow:

CLI network-admin@switch > vflow-create name client-flow2 scope fabric  bw flow-class meter bw-max 5g src-ip 192.168.20.1

vflow-create: Flow conflicts with Flow client-flow1, ID68: specify fields to make flows mutually exclusive or change the flow precedence

 

Netvisor generates the error message because the vFlow configurations conflict with each other. To differentiate between the two flows, assign a different precedence to client-flow2:

CLI network-admin@switch > vflow-create name client-flow2 scope fabric  bw flow-class meter bw-max 5g src-ip 192.168.20.1 precedence 5

Configuring Bandwidth Sharing for a Single VLAN

In some instances, you may want to configure bandwidth sharing for a single VLAN with different IP addresses or subnets. To do this, you must create a VRG with the required bandwidth:

CLI network-admin@switch > vrg-create name admin-vrg vlans 100 data-bw-min 1g data-bw-max 2g scope fabric

You created a VRG with the guaranteed bandwidth of 1 Gbps and limited to a maximum of 2 Gbps. Now, create a vFLow for each IP address:

CLI network-admin@switch > vflow-create name vfl-1 scope fabric vlan 100 src-ip 1.1.1.1

CLI network-admin@switch > vflow-create name vfl-2 scope fabric vlan 100 src-ip 2.2.2.2

CLI network-admin@switch > vflow-create name vfl-3 scope fabric vlan 100 src-ip 3.3.3.3

CLI network-admin@switch > vflow-create name vfl-4 scope fabric vlan 100 src-ip 4.4.4.4

In this example, the specified IP addresses each have a guaranteed bandwidth between 1 Gbps and 2 Gbps.

If you want to specify a subnet, 100.100.100.0/28, and VLAN 53 with maximum bandwidth of 50 Mbps, use the following syntax:

CLI network-admin@switch > vrg-create name vrg-custom scope fabric data-bw-min 50M data-bw-max 50M vlan 53

CLI network-admin@switch > vflow-create name vfl-cust scope fabric src-ip 100.100.100.0 src-ip-mask 255.255.255.240 vlan 53

But later on, you found that sixteen IP addresses fell short of the network requirements and you needed an additional 8 with the subnet, 101.101.101.8/29 requiring e the same bandwidth as the previous subnet. Use the following syntax:

CLI network-admin@switch > vflow-create name vfl-cust-2 scope fabric src-ip 101.101.101.8 src-ip-mask 255.255.255.248 vlan 53

You now have two vFlows on VLAN 53.

Then, you discover that 50 Mbps is not sufficient to support the network traffic affected by the vFlow, and you want to upgrade to 80 Mbps:

CLI network-admin@switch > vrg-modify name vrg-custom data-bw-min 80M data-bw-max 80M

CLI network-admin@switch >

Configuring vFlows in Virtual Wire Mode

vFlows can be configured on Virtual Wire platforms. You can configure a vFLow to store log statistics to a file accessible to clients using NFS and SFTP. If statistics logging is enabled, Netvisor OS periodically polls the switch for the most recent statistics for each flow and saves the statistics to an exported file. Netvisor OS also saves individual statistics received from other switches in the fabric and combines the statistics from all switches to record aggregate statistics for the entire fabric.

Support for TCP Parameters using vFlows

Packet Broker requires the ability to create flows based on TCP control bits in a packet. The commands, vflow-create and vflow-modify have a new option tcp-flags. The supported TCP control bits include FIN, SYN, RST, PUSH, ACK, and URG.

Setting the ACK bit is supported only if it is combined with other TCP bits such as SYN and FIN and not as a single parameter.

Netvisor supports only to-port and mirror actions for vFlows with tcp-flags filter. Netvisor adds the action mirror-to-port on vFlows with tcp-flags. If you enable analytics, then Netvisor applies the parameter, copy-to-cpu, to the same vFlow. Also, Netvisor creates the vFlows with a precedence of 3 or above. Netvisor also creates System vFlows with precedence 2 so that analytics can work even with these vFlows.

To create a vFlow for the default system table, use the following syntax:

CLI (network-admin@Spine1)>vflow-create name Redirect-TCP-Reset tcp-flags RST action to-port

CLI(network-admin@Spine1)>vflow-create name Redirect-TCP-ECN-Capable tcp-flags ECN,RST action to-port

CLI(network-admin@Spine1)>vflow-create name Mirror-TCP-Finished tcp-flags FIN action mirror

 

Use the vflow-table-show command to display vFlow tables:

CLI (network-admin@Spine1)> vflow-table-show format all layout vertical

switch:          Spine1

name:            Egress-Table-1-0

id:              a0000d7:1

flow-max:        1024

flow-used:       0

flow-tbl-slices: 1

capability:      match-metadata

flow-tbl-bank:   Egress

flow-profile:    system

switch:          Spine1

name:            Decap-Table-1-0

id:              a0000d7:2

flow-max:        1024

flow-used:       0

flow-tbl-slices: 2

capability:      none

flow-tbl-bank:   Match-Metadata

flow-profile:    vxlan

switch:          tac-f64-sw5

name:            OpenFlow-L2-L3-1-0

id:              a0000d7:3

flow-max:        1024

flow-used:       0

flow-tbl-slices: 7

capability:      none

flow-tbl-bank:   Match-Metadata

flow-profile:    openflow

Configuring vFlows with User Defined Fields (UDFs)

A User Defined Field (UDF) can match up to 128 bytes of a packet starting from the first byte of the packet. The relative offset can be given to the match location. The length of the match can be from 1 to 4 bytes. Hardware with a Trident chip supports the creation of 8 UDF IDs. Each ID matches a 2 byte portion of a packet. Creating a UDF with a length of 3 or 4 bytes requires 2 UDF IDs whereas a UDF with length of 1 or 2 bytes required 1 UDF ID. The length specified for each UDF determines the total number of UDFs supported by Netvisor OS. If you specify a length of 3 or 4 bytes, you can create a maximum of 4 UDFs. If you specify a length of 1 or 2 bytes, a maximum of 8 UDFs can be created.

A UDF adds a qualifier to the vFlow group, and you should create all UDFs before creating any vFlows.

Netvisor disables the feature by default, and you must enable it using the following command:

CLI(network-admin@Spine1)>vflow-settings-modify enable-user-defined-flow

You must reboot Netvisor OS for the parameter to take effect on the platform.

To disable the feature, use the following command:

CLI(network-admin@Spine1)>vflow-settings-modify no-user-defined-flow

A new command, udf-create, adds the qualifier to the UDF group in the hardware. This allocates UDF IDs based on the length. The command, vflow-create, also has new fields to provide the data and mask to be matched by the vFlow. You can create vFlows with either one or two UDFs.

You cannot modify a UDF after adding it to a vFlow. You must delete the vFlow, modify the UDF, and re-create the vFlow with the modified UDF.

 

New Commands for UDF

To create a new UDF, use the following command:

CLI(network-admin@Spine1)>udf-create name u1 scope local offset 10 length 2 header packet-start

udf-create

Create the UDF qualifier list

name name-string

Create the UDF name

scope local|fabric

Scope for the UDF

offset number-bytes

The offset in bytes. This is a value between 1 and 128.

length number-bytes

The length in bytes. This is a value between 1 and 4 bytes.

header packet-start|l3-outer|l3-inner|l4-outer|l4-inner

The header from where offset is calculated.

CLI network-admin@switch > udf-delete name u1

udf-delete

Delete UDF qualifier list

name name-string

The name of the UDF to delete.

CLI(network-admin@Spine1)>udf-modify name u1 scope local offset 20 length 4 header packet-start

udf-modify

Modify UDF qualifier list

name name-string

The name of the UDF to modify.

one or more of the following options:

 

offset number-bytes

The offset in bytes. This is a value between 1 and 128.

length number-bytes

The length in bytes. This is a value between 1 and 4 bytes.

header packet-start|l3-outer|l3-inner|l4-outer|l4-inner

The header from where offset is calculated.

 

CLI(network-admin@Spine1)>udf-show

switch name scope offset length header

------ ---- ----- ------ ------ ------------

k2     u1   local 20     4      packet-start

k2     u2   local 24     4      packet-start

udf-show

Displays the UDF qualifier list

name name-string

Displays the UDF name

scope local|fabric

Displays the scope for the UDF

offset number-bytes

Displays the offset in bytes. This is a value between 1 and 128.

length number-bytes

Displays the length in bytes. This is a value between 1 and 4 bytes.

header packet-start|l3-outer|l3-inner|l4-outer|l4-inner

Displays the header from where the offset is calculated.

 

The command, vflow-create, has the following new parameters:

udf-name1 udf-name   

Specify the name of the UDF.

udf-data1 udf-data1-number

Specify UDF data1q with the format 0xa0a0a01

udf-data1-mask udf-data1-mask-number

Specify he mask for udf-data with the format 0xffffffff.

udf-name2 udf-name

Specify the name of the UDF.

udf-data2 udf-data2-number

Specify UDF data2 with the format 0xa0a0a01

udf-data2-mask udf-data2-mask-number

Specify the mask for udf-data with the format 0xffffffff.

CLI(network-admin@Spine1)>vflow-create name vf scope local udf-name1 u1 udf-data 0x0a0a0a01 udf-data-mask1 0xffffffff udf-name2 u2 udf-data2 0x0a0a1400 udf-data-mask2 0xffffff00

CLI(network-admin@Spine1)>vflow-show

switch name scope type  precedence udf-name1 udf-data1 udf-data-mask1

------ ---- ----- ----- ---------- --------- --------- --------------

K2     vf   local vflow default    u1        0xa0a0a01 0xffffffff

 

udf-name2 udf-data2 udf-data-mask2 enable

--------- --------- -------------- ------

u2        0xa0a1400 0xffffff00     enable

Configuring DSCP to CoS Mapping

Netvisor OS supports creating Quality of Service (QoS) maps for configuring hardware-based mapping of Differentiated Services Code Point (DSCP) value in a received IP header to a Cost of Service (CoS) priority. This helps in prioritizing traffic based on DSCP markings by using the appropriate egress CoS queues to send packets out.

Netvisor creates the DSCP value as the 6 upper bits in the 8-bit ToS field of an IP header. Details about the specific values and the proposed traffic disposition can be found in these RFCs :

A quick summary of DSCP in Netvisor OS:

New commands support this feature:

dscp-map-create

Create a DSCP priority mapping table with default DSCP to priority mappings.

name name-string

Create a name for the DSCP map

dscp-map-delete

Delete a DSCP priority mapping table.

name name-string

The name of the DSCP map to delete.

dscp-map-show

Display a DSCP priority mapping table

name name-string

Display the name of the DSCP map.

This command displays output only if you configure DSCP maps.

dscp-map-pri-map-modify

Update priority mappings in tables.

dscp-map selector:

name name-string

Specify the name for the DSCP map to modify.

the following pri-map arguments:

 

pri number

Specify a CoS priority from 0 to 7.

dsmap number-list

Specify a DSCP value(s)as a single value, comma separated list, or a number range.

dscp-map-pri-map-show

Display priority mappings in tables.

dscp-map selector:

name name-string

Display the name of the DSCP map.

the following pri-map arguments:

 

pri number

Display a CoS priority from 0 to 7.

dsmap number-list

Display a DSCP value(s)a DSCP value(s)as a single value, comma separated list, or a number range.

The dscp-map-pri-map-show displays output only if you configure DSCP maps.

Netvisor lists the default values in the following dscp-map-pri-map-show output:

CLI (network-admin@Spine1)>dscp-map-pri-map-show name dscp-map1

switch  name pri dsmap

------- ---- --- -----------

Spine1  ds2  0   none

Spine1  ds2  1   8,10,12,14

Spine1  ds2  2   16,18,20,22

Spine1  ds2  3   24,26,28,30

Spine1  ds2  4   32,34,36,38

Spine1  ds2  5   40

Spine1  ds2  6   48

Spine1  ds2  7   56

 

The command, port-config-modify, has a new parameter, dscp-map map-name|none to support this feature. Using the option none deletes or cancels a DSCP map previously configured on the port.

Configuring Priority-based Flow Control

Priority Flow Control (PFC) is an IEEE standard (802.1qbb) for link level flow control on Ethernet networks. Functionally, this feature is similar to the IEEE standard 802.3 for PAUSE mechanism, except that it operates at the granularity of individual packet priorities or traffic class, instead of port level. When a queue corresponding to traffic with a particular traffic class reaches a predetermined threshold, either auto or statically set, the switch chip generates a PFC frame and sends it back to the sender. For PFC to work effectively end to end on the network, all switches and hosts in the traffic path are configured to enable PFC, and configured for traffic class to priority mappings.

Netvisor OS introduces a new command to configure priorities, or traffic classes, for PFC. The configuration allows you to add ports where PFC is enabled. When enabled, Netvisor OS performs traffic class to CoS queue mappings, as well as to packet priorities, in the background. Netvisor performs the following mappings:

Netisor enables PFC i to both transmit and receive on the selected port. For transmit, Netvisor OS pauses traffic corresponding to the traffic class indicated in the received PFC frame. For receive, Netvisor OS generates a PFC frame when a queue corresponding to a traffic class reaches the pause threshold. Netvisor OS auto-configures parameters such buffer threshold,and pause timer value. Disabling PFC turns off PFC for receive and transmit, although the traffic class priority and queue mappings remain.

On switches with a Broadcom Trident II chip, even with ingress admission control enabled (in lossless mode), by default, Netvisor only creates the traffic class or priority group 7 with the memory management unit (MMU) buffer resources. Packets of all priorities utilize the resources of the default priority group unless specifically configured. This implies when enabling a new priority group for PFC, Netvisor generates the buffer configuration and savesin the chip configuration file, which is read during system initialization for MMU setup. As a result, when you enable a new priority for PFC, you must restart Netvisor OS. Adding new ports to an existing priority group setting, for another port or ports, does not require restarting Netvisor OS.

Configure up to three priority group buffer settings on switches in Netvisor. If you attempt to configure more than three, Netvisor returns an error message.

Create a new PFC configuration on port 2 with a priority group of 2, using the following command:

CLI (network-admin@Spine1)>port-pfc-create priority 2 port 1-10

Priority configuration will be effective after restart.

 

Modify the ports and change them to 11-15, using the following command:

CLI (network-admin@Spine1)>port-pfc-modify priority 2 port 11-15

Priority configuration will be effective after restart.

 

Delete the configuration, using the following command:

CLI (network-admin@Spine1)>port-pfc-delete priority 2 port 11-15

 

Display the configuration, using the port-pfc-show command:

CLI (network-admin@Spine1)>port-pfc-show

switch  priority port  error

------- -------- ----- -----

Spine1  2        11-20      

Spine1  3        11-20      

 

Configuring Priority-based Flow Control Port Statistics

Netvisor introduced Priority-based Flow Control (PFC) n Version 2.5.4, but the feature implementation did not include displaying statistics related to PFC. You may find it helpful to view the stats to confirm or debug traffic characteristics when using PFC. New commands allow you to display PFC stats per port and adjust the statistics collection.

port-pfc-clear

port port-list

Specify the ports to delete PFC statistics.

port-pfc-stats-settings-modify

enable|disable

Specify if you want to enable or disable PFC statistics collection.

interval duration: #d#h#m#

Specify the interval between statistics collection.

disk-space disk-space-number

Specify the amount of disk space for statistics collection.

port-pfc-stats-settings-show

enable|disable

Specify if you want to enable or disable PFC statistics collection.

interval duration: #d#h#m#

Specify the interval between statistics collection.

disk-space disk-space-number

Specify the amount of disk space for statistics collection.

port-pfc-stats-show

time date/time: yyyy-mm-ddTHH:mm:ss

Displays the date and time for statistics collection.

start-time date/time: yyyy-mm-ddTHH:mm:ss

Displays the start date and time for statistics collection.

end-time date/time: yyyy-mm-ddTHH:mm:ss

Displays the end date and time for statistics collection.

duration duration: #d#h#m#s

Displays the duration for statistics collection.

interval duration: #d#h#m#s

Displays the interval between statistics collection.

since-start

Displays the statistics since the start time.

older-than duration: #d#h#m#s

Displays the statistics older than the specified time.

within-last duration: #d#h#m#s

Displays the statistics within a specified time.

port port-list

Displays the port list.

      

 

About sFlow

Because businesses rely on network services for mission critical applications, small changes in network usage can impact network performance and reliability. As a result, these changes can also impact a business’ ability to conduct key business functions and increase the cost of maintaining network services.

Figure 1: Overview of sFlow

sFlow-Collectors.png

sFlow provides the visibility into network usage and active routes on the network by providing the data required to effectively control and manage network usage. This ensures that network services provide a competitive edge to the business.

A few examples of sFlow applications include the following:

sFlow is an open source sampling tool providing constant traffic flow information on all enabled interfaces simultaneously. sFlow sends data to a collector that formats the data into charts and graphs while recording and identifying trends on the network. You can use this information for troubleshooting a network, perform diagnostics, and analysis of data.

The sFlow agent on the switch samples packets from data flows and forwards headers of the sample packet to a collector at regular intervals. You can specify the number of packets to sample from the total packets which is called the sample rate. sFlow stores the packets and sends the packets to the collector at an interval that configured on the switch. sFlow refers to this as the polling interval. You can sample different types of packets such as frames sent to the CPU or interfaces of the switch, routed packets, flooded packets, and multicast packets. However, sFlow does not sample the following packet types:

Configuring the sFlow Collector

Before configuring the sFlow agents, you must configure the sFlow collector. The sFlow collector receives sFlow datagrams from the sFlow agents. In this example, the sFlow collector has an IP address of 10.1.1.243, and a default port of 6343. The collector name is net-man-all, and the scope is fabric. If you specify the scope as fabric, then additional switches joining the fabric receive the sFlow collector configuration. If you specify the scope as local, then the Netvisor configures the sFlow collector only on one switch.

CLI network-admin@switch > sflow-collector-create collector-ip 10.1.1.243 collector-port 6343 name net-man-all scope fabric

You can add as many collectors as needed for your configuration.

Enabling sFlow on the Network

You must configure and enable sFlow on each switch that you want to use for monitoring network traffic. You can only configure one sFlow per switch.

On each switch in the example diagram, use the following command to enable sFlow, net-monitor, on ingress ports 57-59, sample type raw, sample-rate 4096, sample interval 5 seconds, trunc-length 160 bytes, on VLAN 200:

CLI network-admin@switch > sflow-create name net-monitor sample-type raw ports 57-59 sample-rate 4096 trunc-length 160 vlan 200

Adding Additional Ports to sFlow

To add the ports, 61-62, to the sFlow configuration, you must use the following command on each switch:

CLI network-admin@switch > sflow-port-add sflow-name net-monitor switch 10.1.1.23 ports 61-62

In this example, use the IP address of the switch as the name of the switch.

Removing Ports from the sFlow Configuration

You can remove ports from the sFlow configuration by using the sflow-port-remove command:

CLI network-admin@switch > sflow-port-remove sflow-name net-monitor switch 10.1.1.23 ports 61-62

Counter Sampling

For counter sampling, also called polling, the sFlow agent periodically polls the hardware interface statistics registers, counters, in the switch chip for per port statistics, and stores the statistics in RAM until it is time to send the next message to the sFlow collector. The sFlow agent collects overall port statistics such as the number of broadcasts, and errors.

The agent then includes the statistics in the sFlow datagrams sent to the sFlow collector along with the packet sampling information. From these statistics, the sFlow obtains information about the actual utilization of each port. For instance, sFlow captures information about broadcast to multicast to unicast rations.

When you configure the agent for counter sampling, sFlow sends an sFlow datagram at intervals of a second, at most. The datagram contains a snapshot of the counters cached in RAM from the most recent polling of interface counters.

Packet Sampling

sFlow uses packet sampling to characterize network traffic. If you configure the sFlow agent for packet sampling, the agent takes copies of random samples of packets forwarded within the switch CPU and sends them to the switch for processing. The CPU sends a configured portion of the sampled packet, containing a number of protocol headers and possibly some of the payload data to the sFlow collector. Random sampling prevents the synchronization of periodic traffic patterns. On the average, sFlow captures and analyzes 1 in every N packets. The sampling can apply to ingress and egress frames independently. The rate the agent sends datagrams depends on the sampling rate, the traffic rate, and the configured maximum datagram size. Typically, sFlow includes several samples in the datagram.

Agent to Collector Datagrams

After gathering packet and counter samples, each sFlow agent creates a packet of the data and sends it to an sFlow collector in UDP datagrams. The datagrams contain the IP address of the sFlow collector and the standard UDP destination port number of 6343. Using a standardized port helps avoid configuration between sFlow agents and collectors. If you configure the sFlow agent for counter sampling or packet sampling, or both, an sFlow datagram can contain either interface counters, packet samples, or a mixture of both.

The following table provides information about the contents of sFlow datagrams:

Packet Header

Information

Version

The sFlow version used on the network.

IP Address Type

An IPv4 or IPv6 address

Source IP Address

The IP address of the sFlow agent

Sequence Number

The sequence number of the datagram

System Uptime

The length of time that the system is operational.

Sample Count

The number of samples in the datagram

Ingress Interfaces

The ifindex of the switch port where the packets entered the agent.

Egress Interfaces

The ifindex of the switch port where the packets exited the agent.

Sample dataset

sFlow-specific parameters:

• Sequence Numbers

• Sampling Rate

• Total Packets available for sampling

• Number of sampled packets dropped because there was no processing resource for them.

Packet Samples

Packet sample information and may contain several samples.

Packet data

The sampled data that may include the packet payload data and the number on length of protocol headers. This information depends on the size of the size, up to 200 bytes.

Counter Sample

Counter statistical information - fitted in where space permits.

If index

The ifindex of the interface related to the counters.

Physical Interface Parameters

• Speed

• Duplex mode

• Admin status

• Operational status of the interface

In Counters

• ifInOctets

• ifInUnicastPkts

• ifInMultiPkts

• ifInBroadcastPkts

• ifInDiscards

• ifInErrors

• ifInUnknownProbs

Out Counters

• ifOutOctets

• ifOutUcastPkts

• ifOutDiscards

• ifOutErrors

Promiscuous Mode

The private VLAN promiscuous mode of the interface

Ethernet Statistics

• Alignment Errors

• FCS Errors

• SQE Errors

• Deferred Transmission

• Internal MAC errors

• Carrier sense errors

• Overlength frame errors

• Symbol errors

Analyzing Live Traffic Using Wireshark

Wireshark is a well known network protocol analyzer and one of many applications used for network protocol analysis. Wireshark can interactively browse packet data from a live network or from a previously save PCAP file.


 

Informational Note:You can download Wireshark from http://www.wireshark.org

To use Wireshark to decode a previously saved packet flow capture file, export the file from the switch and analyze it with Wireshark.


 

Informational Note:

The path to a Netvisor switch pcap file has the format: /net/<ServerSw_Name>/ONVL/global/flow/<Flow_Name>/<Switch_Name>/pcap

 

Using Wireshark to Analyze Packets in Real Time

To use Wireshark to interactively analyze packets in real time, you must capture a packet traffic flow, either on a specific switch or across the entire fabric using the scope option. Include the log-packets option to send packets to the associated pcap files, for example

CLI network-admin@switch > vflow-snoop scope fabric src-ip 112.168.3.105 action copy-to-cpu log-packets

Next, create a FIFO on the host running Wireshark.

mkfifo /tmp/pcap

Start Wireshark, and select Options from the Capture menu.

Enter the FIFO path you created in the Interface field: /tmp/pcap

Figure 2:

wireshark.jpg

Wireshark Capture Options

Use tail to copy the PCAP file to the FIFO:

tail +0f \

/net/ServerSw_Name//global/flow/Flow_Name/switch/Switch_Name/
pcap/tmp/pcap

 

Substitute ServerSw_Name, Flow_Name and Switch_Name to match your environment. Live capture continues until the packet capture file is rotated. By default, Netvisor allows the maximum packet capture file size as 10MB but you can configure with the packet-log-max option of the vflow-create and vflow-modify commands.


 

Informational Note:

The mkfifo command used in this task is a standard feature of UNIX-like operating systems, including MacOS. For Windows platforms, you may need to install the GNU CoreUtils package available at http://gnuwin32.sourceforge.net/packages/coreutils.htm.