IPFix data only on IPv6 ? #105
Comments
|
Hi Christian, Also you mention IPFIX on port Regarding the missing IPv6 address, you may be right
But I would need to have a look at the template. Are you using an encapsulation? |
|
Hi Louis, I'm using GoFlow2 v1.1.0 (2022-03-26T23:35:31+0000) and the Docker Compose files of the last v1.1.0 release. Yes you are right, IPFIX port is 2055 and I used 2055 for productive traffic and 4739 for replaying the capture with tcpreplay.. both, direct productive traffic and the replay has that issue.. Concerning the capture I have to ask If I'm allowed to send it to you.. because of the IPs and data privacy. Concerning the encapsulation.. uff.. I have to ask to be 100% sure but as a first answer I would say no.. thanks a lot for your help Christian |
|
Hi Louis, `(1374 bytes) Obs-Domain-ID=16777216 [Data-Template:1910] [Options-Template:50710] [Data:50710] /Users/cpetrasch/Downloads/ipfix_25k.pcap 25000 total packets, 25000 shown Does that help in the meantime ? |
|
Oh ok that makes sense: From my previous experimentations, Juniper and Cisco were producing two templates, one for IPv4, one for IPv6. Will try to get something this weekend. Thanks for reporting! |
|
Would you be able to check this branch #106 |
|
Hi Louis,
I crosschecked the new branch. I startet the branch with the docker-compose file in the kcg directory. In my understanding the docker container will be built every time from the code ? Am I right ? Here are the informations you asked for: IPv4: Flow 1 |
|
A colleague of mine send me the documentation of the template, maybe that could help:
|
|
Just in case: Before starting the compose. Without running |
|
Ah.. okay.. it was my doubt that I'm doing sth. wrong.. Okay.. we are one step closer now.. cool :).. many thanks.. IPv4: goflow_1 | {"Type":"IPFIX","ObservationPointID":0,"ObservationDomainID":33554432,"TimeReceived":1659072751,"SequenceNum":661958810,"SamplingRate":1,"SamplerAddress":"111.111.111.111","TimeFlowStart":1657629111,"TimeFlowEnd":1657629111,"TimeFlowStartMs":1657629111770,"TimeFlowEndMs":1657629111800,"Bytes":2940,"Packets":2,"SrcAddr":"::","DstAddr":"::","Etype":2048,"Proto":6,"SrcPort":443,"DstPort":16969,"InIf":0,"OutIf":0,"SrcMac":"c8:e7XX:XX:92:e6","DstMac":"68:ab:XX:XX:dd:5a","SrcVlan":0,"DstVlan":0,"VlanId":0,"IngressVrfID":32,"EgressVrfID":0,"IPTos":0,"ForwardingStatus":0,"IPTTL":0,"TCPFlags":16,"IcmpType":0,"IcmpCode":0,"IPv6FlowLabel":0,"FragmentId":0,"FragmentOffset":0,"BiFlowDirection":0,"SrcAS":0,"DstAS":0,"NextHop":"","NextHopAS":0,"SrcNet":0,"DstNet":0,"EtypeName":"IPv4","ProtoName":"TCP","IcmpName":""} IPv6: It seems that with that new build the flow Etypename will be recognized as IPv4 and IPv6 correctly but the IP addresses are still not read.. BTW: Sending you the capture is for data privacy reasons not possible.. But I can do the tests for you like we are doing at the moment... Thanks a lot for your help.. really appreciated :) |
|
I think i know what happened. The fix checks for length whereas it should be testing for "zeroes". Will get a fix. |
|
Hi Louis.. ah that could be 👍 .. thanks and have a nice weekend |
|
Could you try the artifacts from this build? Made a few changes |
|
Hi Louis.. it's working.. great work :)... thanks a lot: {"Type":"IPFIX","ObservationPointID":0,"ObservationDomainID":33554432,"TimeReceived":1659333755,"SequenceNum":661958900,"SamplingRate":1,"SamplerAddress":"111.111.111.111","TimeFlowStart":1657629111,"TimeFlowEnd":1657629111,"TimeFlowStartMs":1657629111802,"TimeFlowEndMs":1657629111802,"Bytes":70,"Packets":1,"SrcAddr":"222.222.222.222","DstAddr":"333.333.333.333","Etype":2048,"Proto":6,"SrcPort":443,"DstPort":59960,"InIf":0,"OutIf":0,"SrcMac":"44:f4:XX:XX:10:a5","DstMac":"3c:08:XX:XX:2f:04","SrcVlan":0,"DstVlan":0,"VlanId":0,"IngressVrfID":32,"EgressVrfID":0,"IPTos":0,"ForwardingStatus":0,"IPTTL":0,"TCPFlags":0,"IcmpType":0,"IcmpCode":0,"IPv6FlowLabel":0,"FragmentId":0,"FragmentOffset":0,"BiFlowDirection":0,"SrcAS":0,"DstAS":0,"NextHop":"","NextHopAS":0,"SrcNet":0,"DstNet":0,"EtypeName":"IPv4","ProtoName":"TCP","IcmpName":""} {"event_type": "purge", "mac_src": "44:f4:XX:XX:10:a5", "mac_dst": "3c:08:XX:XX:2f:04", "peer_ip_src": "111.111.111.111", "ip_src": "222.222.222.222", "ip_dst": "333.333.333.333", "port_src": 443, "port_dst": 59960, "tcp_flags": "0", "ip_proto": "6", "timestamp_start": "2022-07-12 14:31:51.802000", "timestamp_end": "2022-07-12 14:31:51.802000", "ip_prot_ver": "4", "in_phys_int": "1342177332", "dot1q_cvlan": "0", "dot1q_vlan": "0", "out_phys_int": "1342177282", "post_dot1q_cvlan": "0", "post_dot1q_vlan": "2", "in_vrfid": "32", "packets": 1, "bytes": 70} IPv6 is working like a charm as well :).. Even I had to check how to get "InIf" and "OutIf". Because this values are zero and pmacct reads that. But that are custom primitives in pmacct as well.. name=in_phys_int field_type=252 len=4 semantics=u_int So I have to have a look how to deal with that in goflow2. If I do that, maybe I get a value for this fields as well. Thanks a lot for all that help.. very appreciated :) 👍 |
|
Cool! For interface, I could likely implement mapping of: |
|
Great.. that would be very helpful, if its not to much work and you could implement ingressPhysicalInterface/egressPhysicalInterface :+1 thanks.. May I ask you another question ? I don't want to steal your time.. It's no problem if it's not possible.. I was great that you helped us that bugfix :).. During my replays/tests with my 25k UDP Stream test capture I figured out that pmacct finds 12885 flows in that capture after receiving the template ( fresh start of pmacct ) and goflow2 ( also after a fresh restart ) finds only 10787. I investigated that behavior with one sample src address and figured out that pmacct sees 20 flows more for that sample src ip. Looking deeper it 17 of that 20 flows came from the same MAC address and the remaining 3 were a related looking Mac address. I attached the Wireshark capture of one one that flow.. maybe you can have a look and see something suspicious why goflow2 didn't see that flows ? In my eyes it didn't look strange.. |
|
Regarding the following, I am missing important details to troubleshoot.
Could you describe how you count? |
|
Regarding the interface index.
I have a solution that does not involve changing the code. ipfix:
mapping:
- field: 252
destination: InIf
- field: 253
destination: OutIfAnd run |
|
One more question:
What is the model/series and possibly the version of the OS? I am trying to investigate the template. |
|
Hi Louis.. the mapping solution works :) :+1 .. great.. thanks a lot.. Concerning the other issue.. I count by writing the output of goflow2 and pmacct to disk and do a grep for "IPFIX" | wc -l in goflow2 and a grep for another unique Key ( event_type ) in the pmacct file. If I don't restart the tools I got for the first run of goflow2 11430 flows ( pmacct 12886 ) , second run 27270 ( pmacct 38526 ). That means that pmacct finds 12712 more flows for that 2 runs.
No, it's swaying.. f. e. for a second test a restarted goflow2 and got 11246 flows in the first run and 27170 in second run, if I do a 3rd run with out restart, I got 28022 flows.. everything with the same pcap which is replayed.
The model is Nokia 7750 and OS is 21.10 .. You can find the template on page 285 Concerning "Are they counted properly in the /metrics Prometheus endpoint?" and the extraction of the 20 flows I have to do my homework and come back to you.. Thanks lot for your help again :) best regards |
|
This seems to be a performance issue. The Prometheus page should give better insights on the decode metrics. Thank you for the details on the device. |
|
Ah.. that could be.. I will retry.. ... I have retried with sending 10Mbit/s instead of 100 Mbit/s. all flows found.. ( 12886 ) great :D 👍 .. thanks.. Next step, I will try to increase performance by increasing the number of listeners |
|
okay, I increased the listeners.. wow.. for 100Mbit/s of traffic I need 30 parallel listeners.. to write that 12886 flows in json format to file fast enough. The server has no real load, I think maybe it's the IOPs.. anyway.. for production I'll switch the format to Protobuf and send to Kafka anyway. So I'm looking forward to this performance. If you are interested I can send you the results. Thank you for all that help Louis.. It was really appreciated. Hope to meet you personally on a RIPE meeting to say a hello and invite you to a beer or sth. else :) best regards |
|
FYI: JSON - 25k udp packets - 100 Mbit/s replay speed - 30 listener - 12886 - everything is there Protobuf - 25k udp packets - 100 Mbit/s replay speed - 1 listener - 12886 - everything is there :) :) :) -- very happy |
|
Thank you :) . |
|
JFYI I'll be improving the socket repeat in #107 (using a count argument), |
|
Solved.. thank you very much :) |
Hi there,
I capture IPFiX data on Port 2055, template will be send every 5 minutes... if I start goflow2 with the parameters:
goflow2 -loglevel="debug" -transport.file="./goflow2.output2" -listen="sflow://[IPV4_IP]:6343,netflow:///[IPV4_IP]:4739"
I see only packets with EtypeName:"IPv6" like that:
And I see no IP addresses
But I know that these packets are IPv4 ( crosschecked with pmacct ). I ran goflow2 20 minutes, a template have to be send. That was crosschecked with pmacct as well. I made a traffic dump to compare the tools output..
I can see that goflow2 captures not all flows. Goflow2 around 11500 - PMACCT 12886.
My suspect is that goflow2 thinks that is all IPv6 and can't read the IP addresses if a IPFIX flow is IPv4.
If a flow is IPv6 then it works..
Do I something wrong ?
Does anybody has an idea ?
Help would be very appreciated..
thanks and best regards
Christian
The text was updated successfully, but these errors were encountered: