search

Edgio / vflow

Enterprise Network Flow Collector (IPFIX, sFlow, Netflow)
http://www.verizonmedia.com
Apache License 2.0
1.1k stars 225 forks source link

Sflow paring issue #154

Open KrunalT opened 3 years ago

KrunalT commented 3 years ago

Hello,

When I am parsing sflow using vflow so in that 2 cases is happening.

  1. When I have given the below flow it's parsed successfully and given respected output, you can see that I am getting data into Samples

12:22:28.035013 IP (tos 0x0, ttl 254, id 0, offset 0, flags [none], proto UDP (17), length 216) 172.16.14.5.50315 > 10.20.40.34.6343: sFlowv5, IPv4 agent 192.168.2.3, agent-id 0, seqnum 10897, uptime 1741164485, samples 1, length 188 flow sample (1), length 152, seqnum 3168, type 0, idx 527, rate 1000, pool 3169000, drops 0, input 527 output 0 records 1 enterprise 0 Raw packet (1) length 112 protocol Ethernet (1), length 99, stripped bytes 4, header_size 95

{"Version":5,"IPVersion":1,"AgentSubID":0,"SequenceNo":10897,"SysUpTime":1741164485,"SamplesNo":1,"Samples":[{"SequenceNo":3168,"SourceID":0,"SamplingRate":1000,"SamplePool":3169000,"Drops":0,"Input":527,"Output":0,"RecordsNo":1,"Records":{"RawHeader":{"L2":{"SrcMAC":"00:50:56:bb:1f:4b","DstMAC":"33:33:00:01:00:03","Vlan":0,"EtherType":34525},"L3":{"Version":6,"TrafficClass":0,"FlowLabel":0,"PayloadLen":41,"NextHeader":17,"HopLimit":1,"Src":"fe80::9de:899c:c1e4:c19c","Dst":"ff02::1:3"},"L4":{"SrcPort":53081,"DstPort":5355}}}}],"Counters":[],"AgentID":"192.168.2.3","ColTime":1635317548}

  1. But from the same server when I am getting below type of flow it's not returning values into Samples, but getting data into Counters

12:15:38.171862 IP (tos 0x0, ttl 254, id 0, offset 0, flags [none], proto UDP (17), length 232) 172.16.14.5.50315 > 10.20.40.34.6343: sFlowv5, IPv4 agent 192.168.2.3, agent-id 0, seqnum 10851, uptime 1740755104, samples 1, length 204 counter sample (2), length 168, seqnum 4281, type 0, idx 526, records 2 enterprise 0, Generic counter (1) length 88 ifindex 526, iftype 6, ifspeed 1000000000, ifdirection 1 (full-duplex) ifstatus 3, adminstatus: up, operstatus: up In octets 27308635, unicast pkts 303822, multicast pkts 0, broadcast pkts 0, discards 0 In errors 0, unknown protos 0 Out octets 24091432, unicast pkts 184520, multicast pkts 0, broadcast pkts 0, discards 0 Out errors 0, promisc mode 0 enterprise 0, Ethernet counter (2) length 52 align errors 0, fcs errors 0, single collision 0, multiple collision 0, test error 0 deferred 0, late collision 0, excessive collision 0, mac trans error 0 carrier error 0, frames too long 0, mac receive errors 0, symbol errors 0

{"Version":5,"IPVersion":1,"AgentSubID":0,"SequenceNo":10851,"SysUpTime":1740755104,"SamplesNo":1,"Samples":[],"Counters":[{"SequenceNo":4281,"SourceIDType":0,"SourceIDIdx":526,"RecordsNo":2,"Records":{"EthInt":{"AlignmentErrors":0,"FCSErrors":0,"SingleCollisionFrames":0,"MultipleCollisionFrames":0,"SQETestErrors":0,"DeferredTransmissions":0,"LateCollisions":0,"ExcessiveCollisions":0,"InternalMACTransmitErrors":0,"CarrierSenseErrors":0,"FrameTooLongs":0,"InternalMACReceiveErrors":0,"SymbolErrors":0},"GenInt":{"Index":526,"Type":6,"Speed":1000000000,"Direction":1,"Status":3,"InOctets":27308635,"InUnicastPackets":303822,"InMulticastPackets":0,"InBroadcastPackets":0,"InDiscards":0,"InErrors":0,"InUnknownProtocols":0,"OutOctets":24091432,"OutUnicastPackets":184520,"OutMulticastPackets":0,"OutBroadcastPackets":0,"OutDiscards":0,"OutErrors":0,"PromiscuousMode":0}}}],"AgentID":"192.168.2.3","ColTime":1635317138}

So here I want to understand between two returning counters and the reason for that.

If any further details require please let me know.

mehrdadrad commented 3 years ago

vFlow doesn't support expanded flow sample / type 3. It supports type 1 and 2. maybe it sends type 3 as well?!

KrunalT commented 3 years ago

Alright @mehrdadrad, Yes it's expanded flow.

I have another issue is that, getting diff total length in sflow. You can check below tcpdump and output.

11:22:50.476764 IP (tos 0x0, ttl 254, id 0, offset 0, flags [none], proto UDP (17), length 212) 172.16.14.5.52991 > 10.20.40.34.6343: sFlowv5, IPv4 agent 128.0.0.4, agent-id 0, seqnum 12581, uptime 120987363, samples 1, length 184 flow sample (1), length 148, seqnum 2023, type 0, idx 527, rate 2000, pool 4048000, drops 0, input 527 output 2147483648 records 1 enterprise 0 Raw packet (1) length 108 protocol Ethernet (1), length 96, stripped bytes 4, header_size 92

{"Version":5,"IPVersion":1,"AgentSubID":0,"SequenceNo":12581,"SysUpTime":120987363,"SamplesNo":1,"Samples":[{"SequenceNo":2023,"SourceID":0,"SourceIDType":0,"SourceIDIdx":527,"SamplingRate":2000,"SamplePool":4048000,"Drops":0,"InputFormat":0,"Input":527,"OutputFormat":0,"Output":2147483648,"RecordsNo":1,"Records":{"RawHeader":{"L2":{"SrcMAC":"00:50:56:bb:3f:9b","DstMAC":"ff:ff:ff:ff:ff:ff","Vlan":0,"EtherType":2048},"L3":{"Version":4,"TOS":0,"TotalLen":78,"ID":14230,"Flags":0,"FragOff":0,"TTL":128,"Protocol":17,"Checksum":38521,"Src":"172.16.8.112","Dst":"172.16.11.255"},"L4":{"SrcPort":137,"DstPort":137}}}}],"Counters":[],"AgentID":"128.0.0.4","ColTime":1636955570}

Here TotalLen getting 78 but actually, it is 96.

Here I am attaching another one as well with pcap so you can correct me if I am wrong

Edge Cast Output:

{"Version":5,"IPVersion":1,"AgentSubID":0,"SequenceNo":22336,"SysUpTime":177701040,"SamplesNo":1,"Samples":[{"SequenceNo":5840,"SourceID":0,"SourceIDType":0,"SourceIDIdx":527,"SamplingRate":1000,"SamplePool":5841000,"Drops":0,"InputFormat":0,"Input":527,"OutputFormat":0,"Output":0,"RecordsNo":1,"Records":{"RawHeader":{"L2":{"SrcMAC":"00:50:56:bb:dc:6e","DstMAC":"33:33:00:01:00:03","Vlan":0,"EtherType":34525},"L3":{"Version":6,"TrafficClass":0,"FlowLabel":0,"PayloadLen":41,"NextHeader":17,"HopLimit":1,"Src":"fe80::6465:df0:31ee:aff4","Dst":"ff02::1:3"},"L4":{"SrcPort":64771,"DstPort":5355}}}}],"Counters":[],"AgentID":"128.0.0.4","ColTime":1637213837}

TCP Dump Text,

11:07:17.506673 IP (tos 0x0, ttl 254, id 0, offset 0, flags [none], proto UDP (17), length 216) 172.16.14.5.49674 > ranjit-HP-ProBook-430-G3.6343: sFlowv5, IPv4 agent 128.0.0.4, agent-id 0, seqnum 22336, uptime 177701040, samples 1, length 188 flow sample (1), length 152, seqnum 5840, type 0, idx 527, rate 1000, pool 5841000, drops 0, input 527 output 0 records 1 enterprise 0 Raw packet (1) length 112 protocol Ethernet (1), length 99, stripped bytes 4, header_size 95

PCAP File:

sflow_data.zip

could you please help me out to understand?

yangyu66 commented 2 years ago

@mehrdadrad, any plan to support expanded flow sample / type 3? I'm interested in creating a pr to add that