Missing @reverse suffix using split biflow mode

[RacekM]

Hi, I am from CSIRT-MU, and I have a couple of questions about ipfixcol2. When using a PEN biflow mode, the reverse ipfix attributes are in a format XXXXX@reverse:YYYYY@reverse but when I use a SPLIT biflow mode then the reverse attributes are in another form XXXXXX:YYYYY@reverse (missing @reverse in the first part).

We think that it is an inconsistency.

I tried to investigate how does it internally works and if I get it right then If I use PEN biflow mode then internally in code there are two separated PEN configurations for each direction, but in SPLIT mode there is only one PEN conf, so the PEN name is not different for the reverse direction.

Would it be possible to unify this behaviour across different biflow modes somehow?

Also, would it be possible to add the possibility to adjust the form of a reverse suffix(@reverse)?

[Lukas955]

Hi,

yes, you are right that the naming is slightly inconsistent between these two modes. It was probably necessary to internally distinguish two PEN scopes in biflow mode. Nevertheless, I will try to look whether its possible to solve it soon.

Regarding the second question, yes, it would be possible, for example, by adding additional parameter to the scope definition, which will redefine the default value @reverse. However, is it really necessary to redefine it? Why would you like to change it?

Lukas

[xdanos]

Hi, Dan from CSIRT-MU here.

One of the possible problems with @reverse is the fact that @ is a reserved symbol in some tools.

This is not a priority issue, we just wanted to ask.