[flow-tools] Lost Flow Syslog Message, this can't be right
Mark Fullmer
maf@eng.oar.net
Tue, 16 Apr 2002 21:03:28 -0400
It's an out of order packet.
time event
----------------------------------------------------------
1 receive sequence id 508750230 - expecting 508750200
2 receive sequence id 508750200 - expecting 508750260
3 receive sequence id 508750260 - expecting 508750230
flip the order from 1,2,3 to 2,1,3 and everything matches up.
flow-tools could be smarter about this. It's harmless though.
One possible way of inducing this type of behavior is with a router
configured for per packet load sharing over an equal cost path.
mark
On Mon, Apr 15, 2002 at 01:35:41PM -0500, Poetzel, Christopher J. wrote:
> I have seen this type of message in my Syslog before and thought I would
> email to see if someone could explain it...
>
> Apr 15 13:09:06 jupiter flow-capture[2463]: ftpdu_seq_check():
> src_ip=192.5.170.2 dst_ip=146.137.1.70 d_version=5 expecting=508750200
> receiv
> ed=508750230 lost=30
>
> Apr 15 13:09:06 jupiter flow-capture[2463]: ftpdu_seq_check():
> src_ip=192.5.170.2 dst_ip=146.137.1.70 d_version=5 expecting=508750260
> receiv
> ed=508750200 lost=4294967235
>
> Apr 15 13:09:06 jupiter flow-capture[2463]: ftpdu_seq_check():
> src_ip=192.5.170.2 dst_ip=146.137.1.70 d_version=5 expecting=508750230
> receiv
> ed=508750260 lost=30
>
> I cannot believe that flow-tools would lose 4,294,967,235 flows.
> Any thoughts
>
>
>
> Chris Poetzel
> Argonne National Labratory
> Network Engineer
> CCNA
>
> 630-252-7431
> cpoetzel@anl.gov
>