Hi Paolo,

Thanks for the prompt answer and support as usual, we really appreciate it. I’ll forward the pcap directly to you.

Thanks again, and have a nice week!

> On 29 Jul 2023, at 23:43, Paolo Lucente <pa...@pmacct.net> wrote:
>
>
> Hi Tiago,
>
> Great to read from you, about your issues:
>
> 1) can you send me a pcap with a data packet and the templates, both
> data and sampling option? Being able to replay it will give me a chance
> to understand what may be wrong.
>
> 2) vlan_out refers to the vlan after, say, some re-tagging took place.
> It does not refer to outer vs inner vlan. What you are looking for is
> cvlan. Problem being cvlan is not currently supported as an aggregation
> primitive but only as a filter in the pre_tag_map. Implementing this
> would not be a biggie & can squeeze in the dev cycles pretty easily;
> just as above, I'd just ask you if you can send me some sample data so
> not to perform the coding blindly.
>
> Paolo
>
>
> On Thu, Jul 27, 2023 at 08:41:17PM +0000, Tiago Felipe Gonçalves wrote:
>> Hi,
>>
>> I’m using sfacctd, and nfacctd to collect/digest flows, but I’m having two
>> issues with IPFIX 315 being exported by Cisco NCSs on my lab environment.
>>
>> ======================================================================
>> 1. The router is sending sampling rate template, but nfacctd is unable to
>> detect it:
>> Cisco NetFlow/IPFIX
>>     Version: 10
>>     Length: 140
>>     Timestamp: Jul 27, 2023 21:23:32.000000000 CEST
>>     ExportTime: 1690485812
>>     FlowSequence: 4603756
>>     Observation Domain Id: 4096
>>     Set 1 [id=257] (1 flows)
>>         FlowSet Id: (Data) (257)
>>         FlowSet Length: 124
>>         [Template Frame: 3]
>>         Flow 1
>>             Selector Id: 1
>>             Sampling Packet Interval: 32000
>>             Selector Algorithm: Random n-out-of-N Sampling (3)
>>             Sampling Size: 1
>>             Sampling Population: 32000
>>             SamplerName: ipfix_sm
>>             Selector Name: ipfix_sm
>>             String_len_short: 8
>>             Padding: 000000
>>
>> Seems that nfacctd understands the template:
>>
>> DEBUG ( default/core ): Received NetFlow/IPFIX packet from [192.168.245.145:21660] version [10] seqno [4621414]
>> DEBUG ( default/core ): Processing NetFlow/IPFIX flowset [3] from [192.168.245.145:21660] seqno [4621414]
>> DEBUG ( default/core ): NfV10 agent : 192.168.245.145:4096
>> DEBUG ( default/core ): NfV10 template type : options
>> DEBUG ( default/core ): NfV10 template ID : 338
>> DEBUG ( default/core ): -------------------------------------------------------------
>> DEBUG ( default/core ): | pen |     field type     | offset |  size |
>> DEBUG ( default/core ): | 0   | 149 [149 ]         | 0      | 4     |
>> DEBUG ( default/core ): | 0   | 160 [160 ]         | 4      | 8     |
>> DEBUG ( default/core ): -------------------------------------------------------------
>> DEBUG ( default/core ): Netflow V9/IPFIX record size : 12
>> DEBUG ( default/core ):
>> DEBUG ( default/core ): Received NetFlow/IPFIX packet from [192.168.245.145:21660] version [10] seqno [4621414]
>> DEBUG ( default/core ): Processing NetFlow/IPFIX flowset [338] from [192.168.245.145:21660] seqno [4621414]
>> DEBUG ( default/core ): Received NetFlow/IPFIX packet from [192.168.245.145:21660] version [10] seqno [4621415]
>> DEBUG ( default/core ): Processing NetFlow/IPFIX flowset [3] from [192.168.245.145:21660] seqno [4621415]
>> DEBUG ( default/core ): NfV10 agent : 192.168.245.145:4096
>> DEBUG ( default/core ): NfV10 template type : options
>> DEBUG ( default/core ): NfV10 template ID : 257
>> DEBUG ( default/core ): -------------------------------------------------------------
>> DEBUG ( default/core ): | pen |     field type     | offset |  size |
>> DEBUG ( default/core ): | 0   | 302 [302 ]         | 0      | 4     |
>> DEBUG ( default/core ): | 0   | 305 [305 ]         | 4      | 4     |
>> DEBUG ( default/core ): | 0   | 304 [304 ]         | 8      | 2     |
>> DEBUG ( default/core ): | 0   | 309 [309 ]         | 10     | 4     |
>> DEBUG ( default/core ): | 0   | 310 [310 ]         | 14     | 4     |
>> DEBUG ( default/core ): | 0   | sampler name [84 ] | 18     | 90    |
>> DEBUG ( default/core ): | 0   | 335 [335 ]         | 108    | 65535 |
>> DEBUG ( default/core ): -------------------------------------------------------------
>> DEBUG ( default/core ): Netflow V9/IPFIX record size : 107
>> DEBUG ( default/core ):
>> DEBUG ( default/core ): Received NetFlow/IPFIX packet from [192.168.245.145:21660] version [10] seqno [4621415]
>> DEBUG ( default/core ): Processing NetFlow/IPFIX flowset [257] from [192.168.245.145:21660] seqno [4621415]
>> DEBUG ( default/core ): Received NetFlow/IPFIX packet from [172.31.31.162:63625] version [10] seqno [2092073163]
>> DEBUG ( default/core ): Processing NetFlow/IPFIX flowset [335] from [172.31.31.162:63625] seqno [2092073163]
>>
>> But when printing the data, seems that sampling_rate is not being detected:
>> {"event_type": "purge", "mac_src": "68:00:04:2e:0b:55", "mac_dst":
>> "78:00:04:4c:5e:e7", "vlan_in": 1012, "vlan_out": 0, "etype": "800",
>> "peer_ip_src": "192.168.245.145", "ip_proto": "tcp", "sampling_rate": 0,
>> "stamp_inserted": "1690488600", "stamp_updated": "1690488901", "packets": 0,
>> "bytes": 0}
>>
>> I have configured nfacctd_renormalize to true, and the same configuration
>> pattern works for sflow. Can you please help me with that? Am I missing
>> something?
>>
>> ======================================================================
>> 2. I have a few l2transports using 2 qtags, and I do see it in the pcap:
>> Flow 4
>>     InputInt: 15
>>     OutputInt: 5
>>     Data Link Frame Size: 106
>>     Data Link Frame Section: 7800044c5ee76800042e0ba6810003f4810000640800450004ce04d200007f06dc7cc612…
>>         Ethernet II, Src: 68:00:04:2e:0b:a6 (68:00:04:2e:0b:a6), Dst: 78:00:04:4c:5e:e7 (78:00:04:4c:5e:e7)
>>         802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 1012
>>         802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 100
>>         Internet Protocol Version 4, Src: 198.18.101.91, Dst: 198.18.100.91
>>         Transmission Control Protocol, Src Port: 48482, Dst Port: 80, Seq: 129018, Len: 44
>>     String_len_short: 106
>>
>> But I’m unable to get vlan_out:
>> {"event_type": "purge", "mac_src": "68:00:04:2e:0b:55", "mac_dst":
>> "78:00:04:4c:5e:e7", "vlan_in": 1012, "vlan_out": 0, "etype": "800",
>> "peer_ip_src": "192.168.245.145", "ip_proto": "tcp", "sampling_rate": 0,
>> "stamp_inserted": "1690488600", "stamp_updated": "1690488901", "packets": 0,
>> "bytes": 0}
>>
>> Interface config:
>> interface Bundle-Ether1.1012 l2transport
>>  encapsulation dot1q 1012 second-dot1q 100
>>  rewrite ingress tag pop 2 symmetric
>>  flow datalinkframesection monitor ipfix_mon sampler ipfix_sm ingress
>> !
>>
>> IPFIX config:
>> flow exporter-map ipfix_exp
>>  version ipfix
>>   options sampler-table
>>   template options timeout 30
>>  !
>>  dscp 40
>>  transport udp 2100
>>  source MgmtEth0/RP0/CPU0/0
>>  destination 192.168.245.240
>> !
>> flow monitor-map ipfix_mon
>>  record datalinksectiondump
>>  exporter ipfix_exp
>>  cache immediate
>>  cache entries 1000000
>>  cache timeout rate-limit 1000000
>> !
>> sampler-map ipfix_sm
>>  random 1 out-of 32000
>>
>> Can you please help me with that too? Also, similar setup works for sflow.
>>
>> ======================================================================
>>
>> # nfacctd -V
>> NetFlow Accounting Daemon, nfacctd 1.7.8-git [20221231-1 (723b0cb2)]
>>
>> Thanks in advance for any inputs.
>>
>>
>> --
>> (Atenciosamente|Best regards|Cordiali Saluti|Vriendelijke groeten),
>>
>> Tiago Felipe Gonçalves
>> PGP Fingerprint - A2:82:BD:48:EE:8D:C4:99:C2:4E:81:D4:C4:7B:1C:2E:C7:F3:04:C9

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
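
Added example (not part of the original thread and not pmacct code): decoding the sampler options data set from issue 1 against template 257 as nfacctd logged it, including the variable-length field announced with size 65535. The set bytes are constructed from the Wireshark dissection quoted above, the field names come from the IANA IPFIX registry, and the function names and the N/n scaling factor are assumptions of this example.

```python
import struct

# Options template 257 as logged by nfacctd in the thread: (IE id, length, name).
# Names follow the IANA IPFIX registry; length 65535 means variable length.
TEMPLATE_257 = [(302, 4, "selectorId"), (305, 4, "samplingPacketInterval"),
                (304, 2, "selectorAlgorithm"), (309, 4, "samplingSize"),
                (310, 4, "samplingPopulation"), (84, 90, "samplerName"),
                (335, 65535, "selectorName")]
STRING_IES = {84, 335}

def build_sample_set():
    """Constructed data set carrying the values Wireshark shows in the thread."""
    name = b"ipfix_sm"
    rec = struct.pack("!IIHII", 1, 32000, 3, 1, 32000)   # IEs 302, 305, 304, 309, 310
    rec += name.ljust(90, b"\x00")                       # IE 84: fixed 90 bytes
    rec += bytes([len(name)]) + name                     # IE 335: 1-byte length prefix
    body = rec + b"\x00" * 3                             # set padding
    return struct.pack("!HH", 257, 4 + len(body)) + body

def decode_record(buf, off, template):
    """Decode one record starting at buf[off]; return (fields, end offset)."""
    fields = {}
    for ie, length, name in template:
        if length == 65535:
            if off >= len(buf):
                raise ValueError(f"IE {ie}: missing length prefix")
            length, off = buf[off], off + 1
            if length == 255 and off + 2 <= len(buf):    # long form: 255 + uint16
                length, off = int.from_bytes(buf[off:off + 2], "big"), off + 2
        raw = buf[off:off + length]
        if len(raw) != length:
            raise ValueError(f"IE {ie}: record truncated")
        off += length
        text = raw.rstrip(b"\x00").decode("ascii", "replace")
        fields[name] = text if ie in STRING_IES else int.from_bytes(raw, "big")
    return fields, off

def decode_set(data, template=TEMPLATE_257):
    """Return (set id, first record, number of trailing padding bytes)."""
    set_id, set_len = int.from_bytes(data[0:2], "big"), int.from_bytes(data[2:4], "big")
    if len(data) < 4 or not 4 <= set_len <= len(data):
        raise ValueError("bad set header")
    fields, end = decode_record(data[:set_len], 4, template)
    return set_id, fields, set_len - end

def sampling_factor(fields):
    """n-out-of-N sampling: each sampled packet stands for N/n packets (assumed)."""
    n, population = fields["samplingSize"], fields["samplingPopulation"]
    return population // n if n else 0
```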
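
Added example (not part of the original thread and not pmacct code): a walk of the Ethernet header in the Data Link Frame Section bytes quoted in issue 2, showing where the outer tag (1012) and the inner tag (100) sit in the exported frame. Only the prefix the page shows is used; the helper names and the set of accepted TPIDs are assumptions of this example.

```python
import struct

# Leading bytes of the "Data Link Frame Section" value quoted in the thread;
# the page truncates the value after this prefix.
FRAME_PREFIX = bytes.fromhex(
    "7800044c5ee76800042e0ba6810003f481000064"
    "0800450004ce04d200007f06dc7cc612"
)
# TPIDs treated as VLAN tags: 802.1Q, 802.1ad, and the pre-standard QinQ value.
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_l2(frame):
    """Walk the Ethernet header and any stacked VLAN tags of a raw frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tags, off = [], 12
    while True:
        if off + 2 > len(frame):
            raise ValueError("frame ends before the EtherType")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in VLAN_TPIDS:
            break
        if off + 4 > len(frame):
            raise ValueError("frame ends inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append({"tpid": etype, "pcp": tci >> 13, "dei": (tci >> 12) & 1,
                     "vid": tci & 0x0FFF})
        off += 4
    return {
        "dst": mac(frame[0:6]), "src": mac(frame[6:12]),
        "outer_vlan": tags[0]["vid"] if tags else 0,
        # Inner (customer) tag: the value the reply points to cvlan for.
        "inner_vlan": tags[1]["vid"] if len(tags) > 1 else 0,
        "ethertype": etype, "payload_offset": off + 2, "tags": tags,
    }
```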