Hi Tiago,

Great to read from you, about your issues:

1) can you send me a pcap with a data packet and the templates, both
data and sampling option? Being able to replay it will give me a chance
to understand what may be wrong.

2) vlan_out refers to the vlan after, say, some re-tagging took place.
It does not refer to outer vs inner vlan. What you are looking for is
cvlan. Problem being cvlan is not currently supported as an aggregation
primitive but only as a filter in the pre_tag_map. Implementing this
would not be a biggie & can squeeze in the dev cycles pretty easily;
just as above, I'd just ask you if you can send me some sample data so
not to perform the coding blindly.

Paolo
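
To make the outer/inner tag distinction in point 2 concrete, here is an added example (not part of the original mail and not pmacct code) that walks the leading bytes of the Data Link Frame Section quoted in Tiago's message below and lists every VLAN tag, outermost first. The function name, the output keys and the set of accepted TPIDs are assumptions of this sketch.

```python
import struct

# Leading bytes of the Data Link Frame Section quoted in the thread; the page
# truncates the dump after this point, so only the L2 header is parsed here.
FRAME_PREFIX_HEX = "7800044c5ee76800042e0ba6810003f4810000640800"

# TPIDs treated as VLAN tags (assumption): 802.1Q, 802.1ad, legacy QinQ.
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}


def parse_l2(frame: bytes) -> dict:
    """Walk the Ethernet header and collect every VLAN tag, outermost first."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    (etype,) = struct.unpack_from("!H", frame, offset)
    while etype in VLAN_TPIDS:
        # A tag is TPID(2) + TCI(2), followed by the next EtherType(2).
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, next_etype = struct.unpack_from("!HH", frame, offset + 2)
        tags.append({"tpid": etype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
        etype = next_etype
    return {
        "mac_dst": dst.hex(":"),
        "mac_src": src.hex(":"),
        "vlans": tags,
        "etype": etype,  # EtherType of the payload after all tags
        "outer_vlan": tags[0]["vid"] if tags else None,
        "inner_vlan": tags[1]["vid"] if len(tags) > 1 else None,  # customer tag in QinQ
    }


if __name__ == "__main__":
    print(parse_l2(bytes.fromhex(FRAME_PREFIX_HEX)))
```

On the quoted bytes this yields outer tag 1012 and inner tag 100, the same two IDs Wireshark shows in the dump.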

 
On Thu, Jul 27, 2023 at 08:41:17PM +0000, Tiago Felipe Gonçalves wrote:
> Hi,
> 
> I’m using sfacctd and nfacctd to collect/digest flows, but I’m having two
> issues with IPFIX 315 being exported by Cisco NCSs in my lab environment.
> 
> =======================================================================================================================
> 1. The router is sending sampling rate template, but nfacctd is unable to 
> detect it:
> Cisco NetFlow/IPFIX
>     Version: 10
>     Length: 140
>     Timestamp: Jul 27, 2023 21:23:32.000000000 CEST
>         ExportTime: 1690485812
>     FlowSequence: 4603756
>     Observation Domain Id: 4096
>     Set 1 [id=257] (1 flows)
>         FlowSet Id: (Data) (257)
>         FlowSet Length: 124
>         [Template Frame: 3]
>         Flow 1
>             Selector Id: 1
>             Sampling Packet Interval: 32000
>             Selector Algorithm: Random n-out-of-N Sampling (3)
>             Sampling Size: 1
>             Sampling Population: 32000
>             SamplerName: ipfix_sm
>             Selector Name: ipfix_sm
>                 String_len_short: 8
>         Padding: 000000
> 
> Seems that nfacctd understands the template:
> 
> DEBUG ( default/core ): Received NetFlow/IPFIX packet from [192.168.245.145:21660] version [10] seqno [4621414]
> DEBUG ( default/core ): Processing NetFlow/IPFIX flowset [3] from [192.168.245.145:21660] seqno [4621414]
> DEBUG ( default/core ): NfV10 agent         : 192.168.245.145:4096
> DEBUG ( default/core ): NfV10 template type : options
> DEBUG ( default/core ): NfV10 template ID   : 338
> DEBUG ( default/core ): -------------------------------------------------------------
> DEBUG ( default/core ): |    pen     |         field type         | offset |  size  |
> DEBUG ( default/core ): | 0          | 149                [149  ] |      0 |      4 |
> DEBUG ( default/core ): | 0          | 160                [160  ] |      4 |      8 |
> DEBUG ( default/core ): -------------------------------------------------------------
> DEBUG ( default/core ): Netflow V9/IPFIX record size : 12
> DEBUG ( default/core ):
> DEBUG ( default/core ): Received NetFlow/IPFIX packet from [192.168.245.145:21660] version [10] seqno [4621414]
> DEBUG ( default/core ): Processing NetFlow/IPFIX flowset [338] from [192.168.245.145:21660] seqno [4621414]
> DEBUG ( default/core ): Received NetFlow/IPFIX packet from [192.168.245.145:21660] version [10] seqno [4621415]
> DEBUG ( default/core ): Processing NetFlow/IPFIX flowset [3] from [192.168.245.145:21660] seqno [4621415]
> DEBUG ( default/core ): NfV10 agent         : 192.168.245.145:4096
> DEBUG ( default/core ): NfV10 template type : options
> DEBUG ( default/core ): NfV10 template ID   : 257
> DEBUG ( default/core ): -------------------------------------------------------------
> DEBUG ( default/core ): |    pen     |         field type         | offset |  size  |
> DEBUG ( default/core ): | 0          | 302                [302  ] |      0 |      4 |
> DEBUG ( default/core ): | 0          | 305                [305  ] |      4 |      4 |
> DEBUG ( default/core ): | 0          | 304                [304  ] |      8 |      2 |
> DEBUG ( default/core ): | 0          | 309                [309  ] |     10 |      4 |
> DEBUG ( default/core ): | 0          | 310                [310  ] |     14 |      4 |
> DEBUG ( default/core ): | 0          | sampler name       [84   ] |     18 |     90 |
> DEBUG ( default/core ): | 0          | 335                [335  ] |    108 |  65535 |
> DEBUG ( default/core ): -------------------------------------------------------------
> DEBUG ( default/core ): Netflow V9/IPFIX record size : 107
> DEBUG ( default/core ):
> DEBUG ( default/core ): Received NetFlow/IPFIX packet from [192.168.245.145:21660] version [10] seqno [4621415]
> DEBUG ( default/core ): Processing NetFlow/IPFIX flowset [257] from [192.168.245.145:21660] seqno [4621415]
> DEBUG ( default/core ): Received NetFlow/IPFIX packet from [172.31.31.162:63625] version [10] seqno [2092073163]
> DEBUG ( default/core ): Processing NetFlow/IPFIX flowset [335] from [172.31.31.162:63625] seqno [2092073163]
> 
> But when printing the data, seems that sampling_rate is not being detected:
> {"event_type": "purge", "mac_src": "68:00:04:2e:0b:55", "mac_dst": 
> "78:00:04:4c:5e:e7", "vlan_in": 1012, "vlan_out": 0, "etype": "800", 
> "peer_ip_src": "192.168.245.145", "ip_proto": "tcp", "sampling_rate": 0, 
> "stamp_inserted": "1690488600", "stamp_updated": "1690488901", "packets": 0, 
> "bytes": 0}
> 
> I have configured nfacctd_renormalize to true, and the same configuration 
> pattern works for sflow. Can you please help me with that? Am I missing 
> something?
> 
> =======================================================================================================================
> 2. I have a few l2transports using 2 qtags, and I do see it in the pcap:
> Flow 4
>     InputInt: 15
>     OutputInt: 5
>     Data Link Frame Size: 106
>     Data Link Frame Section: 7800044c5ee76800042e0ba6810003f4810000640800450004ce04d200007f06dc7cc612…
>         Ethernet II, Src: 68:00:04:2e:0b:a6 (68:00:04:2e:0b:a6), Dst: 78:00:04:4c:5e:e7 (78:00:04:4c:5e:e7)
>         802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 1012
>         802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 100
>         Internet Protocol Version 4, Src: 198.18.101.91, Dst: 198.18.100.91
>         Transmission Control Protocol, Src Port: 48482, Dst Port: 80, Seq: 129018, Len: 44
>         String_len_short: 106
> 
> But I’m unable to get vlan_out:
> {"event_type": "purge", "mac_src": "68:00:04:2e:0b:55", "mac_dst": 
> "78:00:04:4c:5e:e7", "vlan_in": 1012, "vlan_out": 0, "etype": "800", 
> "peer_ip_src": "192.168.245.145", "ip_proto": "tcp", "sampling_rate": 0, 
> "stamp_inserted": "1690488600", "stamp_updated": "1690488901", "packets": 0, 
> "bytes": 0}
> 
> Interface config:
> interface Bundle-Ether1.1012 l2transport
>  encapsulation dot1q 1012 second-dot1q 100
>  rewrite ingress tag pop 2 symmetric
>  flow datalinkframesection monitor ipfix_mon sampler ipfix_sm ingress
> !
> 
> IPFIX config:
> flow exporter-map ipfix_exp
>  version ipfix
>   options sampler-table
>   template options timeout 30
>  !
>  dscp 40
>  transport udp 2100
>  source MgmtEth0/RP0/CPU0/0
>  destination 192.168.245.240
> !
> flow monitor-map ipfix_mon
>  record datalinksectiondump
>  exporter ipfix_exp
>  cache immediate
>  cache entries 1000000
>  cache timeout rate-limit 1000000
> !
> sampler-map ipfix_sm
>  random 1 out-of 32000
> 
> Can you please help me with that too? Also, similar setup works for sflow.
> 
> =======================================================================================================================
> 
> # nfacctd -V
> NetFlow Accounting Daemon, nfacctd 1.7.8-git [20221231-1 (723b0cb2)]
> 
> Thanks in advance for any input.
> 
> 
> --
> (Atenciosamente|Best regards|Cordiali Saluti|Vriendelijke groeten),
> 
> Tiago Felipe Gonçalves
> PGP Fingerprint - A2:82:BD:48:EE:8D:C4:99:C2:4E:81:D4:C4:7B:1C:2E:C7:F3:04:C9
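
For reference when reproducing issue 1 offline, the following added example (not from the original thread and not nfacctd's implementation) decodes an options data record using the field layout of template 257 from the debug output above, including the variable-length field 335, and derives the 1-in-N rate. The sample set is constructed from the values Wireshark decoded in the quoted message; the function names and the 0-means-unknown convention are assumptions of this sketch.

```python
import struct

# Template 257 as printed in the debug output: (IE id, length).
# Length 65535 marks an IPFIX variable-length field (RFC 7011, section 7).
TEMPLATE_257 = [(302, 4), (305, 4), (304, 2), (309, 4), (310, 4), (84, 90), (335, 65535)]
NAMES = {302: "selectorId", 305: "samplingPacketInterval", 304: "selectorAlgorithm",
         309: "samplingSize", 310: "samplingPopulation",
         84: "samplerName", 335: "selectorName"}
STRING_IES = {84, 335}


def decode_record(template, buf, offset):
    """Decode one data record starting at offset; return (fields, next offset)."""
    rec = {}
    for ie, length in template:
        if length == 65535:
            if offset >= len(buf):
                raise ValueError(f"missing length prefix for IE {ie}")
            length = buf[offset]  # short form: one length byte
            offset += 1
            if length == 255:  # long form: 255 followed by a 16-bit length
                (length,) = struct.unpack_from("!H", buf, offset)
                offset += 2
        field = buf[offset:offset + length]
        if len(field) != length:
            raise ValueError(f"record truncated in IE {ie}")
        offset += length
        if ie in STRING_IES:
            rec[NAMES[ie]] = field.rstrip(b"\x00").decode("ascii", "replace")
        else:
            rec[NAMES.get(ie, f"ie{ie}")] = int.from_bytes(field, "big")
    return rec, offset


def sampling_rate(rec):
    """1-in-N rate for an n-out-of-N selector; 0 means unknown (sketch convention)."""
    size, population = rec.get("samplingSize", 0), rec.get("samplingPopulation", 0)
    if size and population:
        return population // size
    return 0


def build_sample_set():
    """Constructed Set 257 mirroring the values Wireshark decoded in the thread."""
    body = struct.pack("!IIHII", 1, 32000, 3, 1, 32000)
    body += b"ipfix_sm".ljust(90, b"\x00") + bytes([8]) + b"ipfix_sm"
    body += b"\x00" * 3  # set padding, as in the capture
    return struct.pack("!HH", 257, 4 + len(body)) + body
```

The constructed set comes out at 124 bytes, matching the FlowSet Length in the capture, and `sampling_rate()` on the decoded record gives 32000.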

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
