2 Replies Latest reply on Sep 1, 2014 7:00 AM by habanero

    Anyone else seeing nfcapd buffer overflow messages in their receivers' /var/log/messages log?

    habanero

      I just stood up a new 9.4.0 implementation and noticed both receivers are showing these messages constantly. Incoming flow and event rate appear well within the receivers' rated capacity. I have flow data in the system, but the frequent "flush buffer and skip records" messages make me wonder if I have all of it. Thanks!

       

      9.4.0 build 20140715122654 on ERC2600s

       

      Aug 28 04:14:13 McAfee nfcapd: ### Software error ###: netflow_v5_v7.c line 675

      Aug 28 04:14:13 McAfee nfcapd: Process_v5: Output buffer overflow! Flush buffer and skip records.

      Aug 28 04:14:13 McAfee nfcapd: Buffer size: size: 0, bsize: 5242900 > 5242880

      Aug 28 04:15:18 McAfee nfcapd: ### Software error ###: netflow_v5_v7.c line 675

      Aug 28 04:15:18 McAfee nfcapd: Process_v5: Output buffer overflow! Flush buffer and skip records.

      Aug 28 04:15:18 McAfee nfcapd: Buffer size: size: 0, bsize: 5242900 > 5242880

      Aug 28 04:15:41 McAfee nfcapd: ### Software error ###: netflow_v5_v7.c line 675

      Aug 28 04:15:41 McAfee nfcapd: Process_v5: Output buffer overflow! Flush buffer and skip records.

      Aug 28 04:15:41 McAfee nfcapd: Buffer size: size: 0, bsize: 5242900 > 5242880

      Aug 28 04:16:30 McAfee nfcapd: ### Software error ###: netflow_v5_v7.c line 675

      Aug 28 04:16:30 McAfee nfcapd: Process_v5: Output buffer overflow! Flush buffer and skip records.

      Aug 28 04:16:30 McAfee nfcapd: Buffer size: size: 0, bsize: 5242900 > 5242880

      Aug 28 04:17:05 McAfee nfcapd: ### Software error ###: netflow_v5_v7.c line 675

      Aug 28 04:17:05 McAfee nfcapd: Process_v5: Output buffer overflow! Flush buffer and skip records.

      Aug 28 04:17:05 McAfee nfcapd: Buffer size: size: 0, bsize: 5242900 > 5242880

      Aug 28 04:17:17 McAfee pdns_recursor[1132]: stats: 418115521 questions, 1627 cache entries, 752 negative entries, 7% cache hits

      Aug 28 04:17:17 McAfee pdns_recursor[1132]: stats: throttle map: 1, ns speeds: 4

      Aug 28 04:17:17 McAfee pdns_recursor[1132]: stats: outpacket/query ratio 0%, 0% throttled, 0 no-delegation drops

      Aug 28 04:17:17 McAfee pdns_recursor[1132]: stats: 0 outgoing tcp connections, 1 queries running, 76931 outgoing timeouts

      Aug 28 04:17:17 McAfee pdns_recursor[1132]: stats: 2484 packet cache entries, 99% packet cache hits

      Aug 28 04:17:17 McAfee pdns_recursor[1132]: stats: 219 qps (average over 1801 seconds)

      Aug 28 04:17:42 McAfee IPSDBServerctl[1482]: Info: -- Mark -- 1409199462

      Aug 28 04:17:46 McAfee nfcapd: ### Software error ###: netflow_v5_v7.c line 675

      Aug 28 04:17:46 McAfee nfcapd: Process_v5: Output buffer overflow! Flush buffer and skip records.

      Aug 28 04:17:46 McAfee nfcapd: Buffer size: size: 64, bsize: 5242912 > 5242880

      Aug 28 04:18:29 McAfee nfcapd: ### Software error ###: netflow_v5_v7.c line 675

      Aug 28 04:18:29 McAfee nfcapd: Process_v5: Output buffer overflow! Flush buffer and skip records.

      Aug 28 04:18:29 McAfee nfcapd: Buffer size: size: 64, bsize: 5242912 > 5242880

      Aug 28 04:19:06 McAfee nfcapd: ### Software error ###: netflow_v5_v7.c line 675

      Aug 28 04:19:06 McAfee nfcapd: Process_v5: Output buffer overflow! Flush buffer and skip records.

      Aug 28 04:19:06 McAfee nfcapd: Buffer size: size: 0, bsize: 5242900 > 5242880

      Aug 28 04:20:01 McAfee Inline[1489]: Event Stats: Uncompressed=68566, Compressed=681808 (Physical=31481) (1=681807, 2=0, 3=0) Max=14992 secs Bad Time=347

      Aug 28 04:20:01 McAfee Inline[1489]: Flow Stats: Uncompressed=141066, Compressed=1325360 (Physical=100620) (0=1325360, 1=0, 2=0, 3=0) Max=6206 secs Bad Time=49
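
To put a number on how often the receiver is flushing and skipping records, the nfcapd lines quoted above can be tallied per host and minute. This is an added example, not part of the original post and not McAfee or nfdump code; the sample input is constructed from the log format shown in the post, and the function names are hypothetical.

```python
import re
import sys
from collections import Counter

# Constructed sample in the same format as the log lines quoted in the post.
SAMPLE = """\
Aug 28 04:14:13 McAfee nfcapd: ### Software error ###: netflow_v5_v7.c line 675
Aug 28 04:14:13 McAfee nfcapd: Process_v5: Output buffer overflow! Flush buffer and skip records.
Aug 28 04:14:13 McAfee nfcapd: Buffer size: size: 0, bsize: 5242900 > 5242880
Aug 28 04:15:18 McAfee nfcapd: Process_v5: Output buffer overflow! Flush buffer and skip records.
Aug 28 04:15:18 McAfee nfcapd: Buffer size: size: 0, bsize: 5242900 > 5242880
Aug 28 04:17:17 McAfee pdns_recursor[1132]: stats: 219 qps (average over 1801 seconds)
Aug 28 04:17:46 McAfee nfcapd: Process_v5: Output buffer overflow! Flush buffer and skip records.
Aug 28 04:17:46 McAfee nfcapd: Buffer size: size: 64, bsize: 5242912 > 5242880
"""

# Syslog prefix: keep "Mon DD HH:MM" as the minute bucket, then host, then message.
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d):\d\d (\S+) nfcapd(?:\[\d+\])?: (.*)$")
OVERFLOW = re.compile(r"^(\w+): Output buffer overflow!")
SIZES = re.compile(r"^Buffer size: size: (\d+), bsize: (\d+) > (\d+)")

def summarize(lines):
    """Count nfcapd flush-and-skip events and the largest buffer overshoot."""
    per_minute, handlers, max_over = Counter(), Counter(), 0
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # other daemons, blank lines
        minute, host, msg = m.groups()
        hit = OVERFLOW.match(msg)
        if hit:
            per_minute[(host, minute)] += 1
            handlers[hit.group(1)] += 1  # e.g. Process_v5
            continue
        sz = SIZES.match(msg)
        if sz:
            _, bsize, limit = map(int, sz.groups())
            max_over = max(max_over, bsize - limit)
    return {"events": sum(per_minute.values()), "per_minute": dict(per_minute),
            "handlers": dict(handlers), "max_overshoot_bytes": max_over}

def noisy_minutes(summary, threshold=1):
    """Return (host, minute) buckets with at least `threshold` flush events."""
    return sorted(k for k, n in summary["per_minute"].items() if n >= threshold)

if __name__ == "__main__":
    # Pass a messages file as the first argument, or run on the sample.
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines()
    print(summarize(src))
```

The count is of flush events, not of skipped flow records; the log lines in the post do not say how many records each flush discards.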

        • 1. Re: Anyone else seeing nfcapd buffer overflow messages in their receivers' /var/log/messages log?
          alexander_h

          Honestly,

           

          This is bad as the packets that are not captured will be dropped.

          Below is a good article providing info about the process of capturing and dumping to file which afterwards should be parsed.

          NFDUMP

           

          It might be a problem with the nfcapd version, as on the VMs it's 1.61, which is an old release.

          I could see that this is caused by the V5 flow process, so you might try to send netflow in v7 and see if the problem still persists.

           

          Most probably the fix will be to increase the buffer, as it is supposed to be fixed in the version you are using:

           

          9.4.0 20140715 (Hotfix 3)

          | Reference Number | Device | Area | Issue Description |
          |---|---|---|---|
          | 37441 | ESM | ESM - Other | Additional language support added to ESM. |
          | 35618 | ELM | Search | Completed searches are not filtering correctly. |
          | 37526 | REC | Parsers | Log “Unknown Syslog” events are not working. |
          | 37453 | REC | Data Sources | Duplicate IP address error for generic SQL Oracle data sources. |
          | 37344 | REC | Data Sources | eStreamer occasionally becomes unresponsive. |
          | 37321 | REC | Data Sources | Buffer overflow error with Netflow. |

           

           

           

          What I can say is call McAfee and ask for details regarding the solution.

          • 2. Re: Anyone else seeing nfcapd buffer overflow messages in their receivers' /var/log/messages log?
            habanero

            Thanks. I've opened a service ticket. One of the first things they asked was to verify the build number which I've done. Anyone else running 9.4.0 20140715 or later still seeing these errors?