Just to inform you of the following: 1: I applied the obvious patch you suggested and it works well. 2: I've tried to find Cisco documentation for the sample mode field for Netflow v5, but was unable to do so. The field itself is documented in newer revisions of the version 5 documents and two sampling modes are mentioned elsewhere (0x01 and 0x02), but I can't find anything on the remaining possible values for the sampling mode field. 3: A support request has been filed with Juniper for compliance with the Netflow v5 specifications when using sampling. Pmacct has been cited as collector reference.
all the best and thank you, -- Inge > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] > On Behalf Of Paolo Lucente > Sent: 17. mars 2007 13:58 > To: [email protected] > Subject: Re: [pmacct-discussion] Juniper cFlow, sampling and > nfacctd handling > > Hi Inge, > > On Fri, Mar 16, 2007 at 05:09:30PM +0100, Inge Bj?rnvall > Arnesen wrote: > > > Then I looked at pkt_handler.c and compared it with the > tcdump/Ethereal dumps from Juniper: > > > > In NF_counters_renormalize_handler(), starting line 1199 it says: > > > > switch (hdr->version) { > > case 5: > > hdr5 = (struct struct_header_v5 *) pptrs->f_header; > > is_sampled = ( ntohs(hdr5->sampling) & 0xC000 ); > > srate = ( ntohs(hdr5->sampling) & 0x3FFF ); > > if (is_sampled) { > > pdata->pkt_len = pdata->pkt_len * srate; > > pdata->pkt_num = pdata->pkt_num * srate; > > } > > break; > > default: > > break; > > } > > > > This looks neat as I interpret, but it does not match the > v5 datagrams from Juniper. Looking at that, it has in its > Netflow v5 header (taken from Etherreal): > > > > 00.. .... .... .... = SamplingMode: No sampling mode configured (0) > > ..00 0011 1110 1000 = SampleRate: 1000 > > > > [ ... ] > > > > Questions: > > > > 1: Does Netflow v5 say that sampling mode must be set for > sample rate to be valid? > > 2: Has anybody else gotten this to work and if so, how? > > 3: Can I get Juniper/cFlow to report sampling mode? > > 1. Yes, it has. The meaning of the first two bits are: "00" > no sampling, > 01 sampling is enabled, so read the remaining 14 bits to get > the sampling rate. Of course the quick and dirty solution to > make it working with your Juniper is to replace the check on > the first two bits with a check on the remaining 14 bits: > > + if (srate) { > - if (is_sampled) { > > A more polite solution would be to add a configuration option > to do this. > > 2. I've got this working reading NetFlow v5 datagrams coming > from a few Cisco gears. Can't remember right now of any other > vendors. Also note that this feature is not enabled for > NetFlow v9 yet. Only all sFlow versions and NetFlow v5. IHMO, > the NetFlow v9 way of hande sampling is certainly greatly > flexible but smells a lot of over-engineering. > > 3. Yes. You can either report the issue to Juniper or apply > the patch of 1). It should work straight away. Or a mix of > the two solutions, one for the short term, the other for the > longer term. > > Hope this helps. > > Cheers, > Paolo > > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists > _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
