IBM Support

QRadar: Missed x datagrams from xx.xx.xx.xx, Expected sequence #

Troubleshooting


Problem

Some datagrams are lost because NetFlow export sends them over the User Datagram Protocol (UDP), which does not guarantee delivery.

Resolving The Problem

You might encounter the following message on your NetFlow-enabled flow sources or devices:

qflow0: [WARNING] default_Netflow: Missed 1 datagrams from 192.168.1.1:0, Expected sequence #: 1111111111 Received: 1111111110

Cause From Cisco:

Because NetFlow export uses User Datagram Protocol (UDP) to send export datagrams, it is possible for datagrams to be lost. To determine whether or not flow export information is lost, the version 5 header format contains a flow sequence number. The sequence number is equal to the sequence number of the previous datagram plus the number of flows in the previous datagram. After receiving a new datagram, the receiving application can subtract the expected sequence number from the sequence number in the header to get the number of missed flows.
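The sequence check described above, as an added Python example (not QRadar's or Cisco's code): it parses the 24-byte NetFlow v5 header and tracks the expected `flow_sequence` per exporter. It goes beyond the text by handling 32-bit counter wraparound and late datagrams; `SequenceTracker`, `make_v5` and the exporter address are hypothetical names and constructed sample data.

```python
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")  # version, count, sys_uptime, unix_secs,
                                         # unix_nsecs, flow_sequence, engine_type,
                                         # engine_id, sampling_interval (24 bytes)
V5_RECORD_LEN = 48                       # each v5 flow record is 48 bytes
SEQ_MOD = 1 << 32                        # flow_sequence is an unsigned 32-bit counter


class SequenceTracker:
    """Per-exporter NetFlow v5 loss accounting based on flow_sequence."""

    def __init__(self):
        self.expected = {}  # (exporter, engine_type, engine_id) -> next expected sequence
        self.missed = {}    # same key -> total flows counted as lost

    def observe(self, exporter, datagram):
        """Return flows missed before this datagram, or None if it arrived late."""
        if len(datagram) < V5_HEADER.size:
            raise ValueError("datagram shorter than a NetFlow v5 header")
        version, count, _, _, _, seq, etype, eid, _ = V5_HEADER.unpack_from(datagram)
        if version != 5 or len(datagram) != V5_HEADER.size + count * V5_RECORD_LEN:
            raise ValueError("not a well-formed NetFlow v5 datagram")
        key = (exporter, etype, eid)
        gap = 0
        if key in self.expected:
            # Modular subtraction keeps the result correct across 32-bit wraparound.
            gap = (seq - self.expected[key]) % SEQ_MOD
            if gap >= SEQ_MOD // 2:
                # Sequence is behind what we expected: a late or duplicated
                # datagram (assumption: exporter restarts are handled elsewhere).
                return None
        self.missed[key] = self.missed.get(key, 0) + gap
        self.expected[key] = (seq + count) % SEQ_MOD
        return gap


def make_v5(seq, count):
    """Build a constructed v5 datagram with zeroed flow records, for testing only."""
    header = V5_HEADER.pack(5, count, 0, 0, 0, seq % SEQ_MOD, 0, 0, 0)
    return header + bytes(count * V5_RECORD_LEN)


if __name__ == "__main__":
    tracker = SequenceTracker()
    for seq, count in [(1000, 30), (1030, 30), (1090, 10), (1060, 30)]:
        print(seq, count, tracker.observe("192.0.2.10", make_v5(seq, count)))
```

The value returned is a count of missed flows, as in the Cisco description, so one lost datagram can account for up to 30 missed flows.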



Document Information

Modified date:
10 May 2019

UID

swg21622515