
Anyone else seeing nfcapd buffer overflow messages in their receivers' /var/log/messages log?

I just stood up a new 9.4.0 implementation and noticed both receivers are showing these messages constantly. Incoming flow and event rates appear well within the receivers' rated capacity. I have flow data in the system, but the frequent "flush buffer and skip records" messages make me wonder if I have all of it. Thanks!

9.4.0 build 20140715122654 on ERC2600s

Aug 28 04:14:13 McAfee nfcapd: ### Software error ###: netflow_v5_v7.c line 675

Aug 28 04:14:13 McAfee nfcapd: Process_v5: Output buffer overflow! Flush buffer and skip records.

Aug 28 04:14:13 McAfee nfcapd: Buffer size: size: 0, bsize: 5242900 > 5242880

Aug 28 04:15:18 McAfee nfcapd: ### Software error ###: netflow_v5_v7.c line 675

Aug 28 04:15:18 McAfee nfcapd: Process_v5: Output buffer overflow! Flush buffer and skip records.

Aug 28 04:15:18 McAfee nfcapd: Buffer size: size: 0, bsize: 5242900 > 5242880

Aug 28 04:15:41 McAfee nfcapd: ### Software error ###: netflow_v5_v7.c line 675

Aug 28 04:15:41 McAfee nfcapd: Process_v5: Output buffer overflow! Flush buffer and skip records.

Aug 28 04:15:41 McAfee nfcapd: Buffer size: size: 0, bsize: 5242900 > 5242880

Aug 28 04:16:30 McAfee nfcapd: ### Software error ###: netflow_v5_v7.c line 675

Aug 28 04:16:30 McAfee nfcapd: Process_v5: Output buffer overflow! Flush buffer and skip records.

Aug 28 04:16:30 McAfee nfcapd: Buffer size: size: 0, bsize: 5242900 > 5242880

Aug 28 04:17:05 McAfee nfcapd: ### Software error ###: netflow_v5_v7.c line 675

Aug 28 04:17:05 McAfee nfcapd: Process_v5: Output buffer overflow! Flush buffer and skip records.

Aug 28 04:17:05 McAfee nfcapd: Buffer size: size: 0, bsize: 5242900 > 5242880

Aug 28 04:17:17 McAfee pdns_recursor[1132]: stats: 418115521 questions, 1627 cache entries, 752 negative entries, 7% cache hits

Aug 28 04:17:17 McAfee pdns_recursor[1132]: stats: throttle map: 1, ns speeds: 4

Aug 28 04:17:17 McAfee pdns_recursor[1132]: stats: outpacket/query ratio 0%, 0% throttled, 0 no-delegation drops

Aug 28 04:17:17 McAfee pdns_recursor[1132]: stats: 0 outgoing tcp connections, 1 queries running, 76931 outgoing timeouts

Aug 28 04:17:17 McAfee pdns_recursor[1132]: stats: 2484 packet cache entries, 99% packet cache hits

Aug 28 04:17:17 McAfee pdns_recursor[1132]: stats: 219 qps (average over 1801 seconds)

Aug 28 04:17:42 McAfee IPSDBServerctl[1482]: Info: -- Mark -- 1409199462

Aug 28 04:17:46 McAfee nfcapd: ### Software error ###: netflow_v5_v7.c line 675

Aug 28 04:17:46 McAfee nfcapd: Process_v5: Output buffer overflow! Flush buffer and skip records.

Aug 28 04:17:46 McAfee nfcapd: Buffer size: size: 64, bsize: 5242912 > 5242880

Aug 28 04:18:29 McAfee nfcapd: ### Software error ###: netflow_v5_v7.c line 675

Aug 28 04:18:29 McAfee nfcapd: Process_v5: Output buffer overflow! Flush buffer and skip records.

Aug 28 04:18:29 McAfee nfcapd: Buffer size: size: 64, bsize: 5242912 > 5242880

Aug 28 04:19:06 McAfee nfcapd: ### Software error ###: netflow_v5_v7.c line 675

Aug 28 04:19:06 McAfee nfcapd: Process_v5: Output buffer overflow! Flush buffer and skip records.

Aug 28 04:19:06 McAfee nfcapd: Buffer size: size: 0, bsize: 5242900 > 5242880

Aug 28 04:20:01 McAfee Inline[1489]: Event Stats: Uncompressed=68566, Compressed=681808 (Physical=31481) (1=681807, 2=0, 3=0) Max=14992 secs Bad Time=347

Aug 28 04:20:01 McAfee Inline[1489]: Flow Stats: Uncompressed=141066, Compressed=1325360 (Physical=100620) (0=1325360, 1=0, 2=0, 3=0) Max=6206 secs Bad Time=49
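One way to quantify these messages from a receiver's log, as an added example that is not part of the original post or of any McAfee tooling: it counts nfcapd overflow events per minute and records by how many bytes `bsize` exceeded the limit. The sample lines are constructed in the format of the excerpt above, and `summarize` is a hypothetical helper name; the log does not state how many records each flush skipped, so the script does not estimate that.

```python
import re
from collections import Counter

# Constructed sample, in the format of the /var/log/messages excerpt above.
SAMPLE = """\
Aug 28 04:14:13 McAfee nfcapd: ### Software error ###: netflow_v5_v7.c line 675
Aug 28 04:14:13 McAfee nfcapd: Process_v5: Output buffer overflow! Flush buffer and skip records.
Aug 28 04:14:13 McAfee nfcapd: Buffer size: size: 0, bsize: 5242900 > 5242880
Aug 28 04:14:48 McAfee nfcapd: ### Software error ###: netflow_v5_v7.c line 675
Aug 28 04:14:48 McAfee nfcapd: Process_v5: Output buffer overflow! Flush buffer and skip records.
Aug 28 04:14:48 McAfee nfcapd: Buffer size: size: 64, bsize: 5242912 > 5242880
Aug 28 04:17:17 McAfee pdns_recursor[1132]: stats: 219 qps (average over 1801 seconds)
Aug 28 04:17:46 McAfee nfcapd: Process_v5: Output buffer overflow! Flush buffer and skip records.
Aug 28 04:17:46 McAfee nfcapd: Buffer size: size: 0, bsize: 5242900 > 5242880
"""

# "Mon DD HH:MM" is captured so events can be bucketed per minute.
OVERFLOW = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ nfcapd: (\w+): Output buffer overflow!")
BUFSIZE = re.compile(r"nfcapd: Buffer size: size: (\d+), bsize: (\d+) > (\d+)")

def summarize(lines):
    """Count nfcapd overflow events and how far bsize exceeded the limit."""
    per_minute, per_handler = Counter(), Counter()
    overshoot, limits = [], set()
    pending = False  # True between an overflow line and its "Buffer size" line
    for line in lines:
        m = OVERFLOW.search(line)
        if m:
            per_minute[m.group(1)] += 1
            per_handler[m.group(2)] += 1
            pending = True
            continue
        m = BUFSIZE.search(line)
        if m and pending:
            bsize, limit = int(m.group(2)), int(m.group(3))
            overshoot.append(bsize - limit)
            limits.add(limit)
            pending = False
    return {
        "events": sum(per_minute.values()),
        "per_minute": dict(per_minute),
        "per_handler": dict(per_handler),
        "limits": sorted(limits),
        "max_overshoot": max(overshoot, default=0),
    }

if __name__ == "__main__":
    # On a receiver: summarize(open("/var/log/messages", errors="replace"))
    print(summarize(SAMPLE.splitlines()))
```

A steady per-minute count that tracks the flow rate, compared before and after a hotfix or buffer change, shows whether the fix actually took effect.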

2 Replies

Re: Anyone else seeing nfcapd buffer overflow messages in their receivers' /var/log/messages log?

Honestly,

This is bad as the packets that are not captured will be dropped.

Below is a good article providing info about the process of capturing and dumping to file which afterwards should be parsed.

NFDUMP

It might be a problem with the nfcapd version, as on the VMs it's 1.61, which is old as a release.

I could see that this is caused by the V5 flow process, so you might try to send NetFlow in v7 and see if the problem still persists.

Most probably the fix will be to increase the buffer, as it is supposed to be fixed in the version you are using:

9.4.0 20140715 (Hotfix 3)

| Reference Number | Device | Area | Issue Description |
|---|---|---|---|
| 37441 | ESM | ESM - Other | Additional language support added to ESM. |
| 35618 | ELM | Search | Completed searches are not filtering correctly. |
| 37526 | REC | Parsers | Log “Unknown Syslog” events are not working. |
| 37453 | REC | Data Sources | Duplicate IP address error for generic SQL Oracle data sources. |
| 37344 | REC | Data Sources | eStreamer occasionally becomes unresponsive. |
| 37321 | REC | Data Sources | Buffer overflow error with Netflow. |

What I can say is call McAfee and ask for details regarding the solution.

Re: Anyone else seeing nfcapd buffer overflow messages in their receivers' /var/log/messages log?

Thanks. I've opened a service ticket. One of the first things they asked was to verify the build number which I've done. Anyone else running 9.4.0 20140715 or later still seeing these errors?