Closed avimas closed 5 years ago
avimas
commented
5 years ago Probably adding the elements specified in
https://docs.vmware.com/en/VMware-NSX-for-vSphere/6.4/com.vmware.nsx.admin.doc/GUID-40805D0E-8A97-4011-B85C-CBF37812DBB5.html To the new ipfix.elements file Will fix the issue I’ll give it a try.
mehrdadrad
commented
5 years ago Yes pls add it to ipfix.elements and restart the vflow
avimas
commented
5 years ago So I added the elements to the ipfix.elements file and I started to get the this error "[vflow] 2018/09/20 15:01:03 IPFIX element key (210) not exist", which is strange as 210 is a known element also defined in the ipfix.elements file. After some debugging I noticed element 210 is always sent after an element which its PEN is set, and the function func (tr TemplateRecord) unmarshal(r reader.Reader) uses the same TemplateFieldSpecifier for unmarshaling all fields specifieres, once the PEN is in the field specifier is set it never gets clean and all known IPFIX elements after this element have their PEN set to the previous enterprise number (Vmware in this case).
I modified the function func (f TemplateFieldSpecifier) unmarshal(r reader.Reader) error in ipfix/decoder.go
to
func (f TemplateFieldSpecifier) unmarshal(r reader.Reader) error { var err error
if f.ElementID, err = r.Uint16(); err != nil {
return err
}
if f.Length, err = r.Uint16(); err != nil {
return err
}
if f.ElementID > 0x8000 {
f.ElementID = f.ElementID & 0x7fff
if f.EnterpriseNo, err = r.Uint32(); err != nil {
return err
}
}else {
f.EnterpriseNo = 0;
}
return nil}
and the issue has been resolved.
I have an ESX Server configured to send IPFIX flows to vflow server (installed on a Centos using the latest RPM version: 0.6.5), but no flows are sent to the MQ,
I can see the following errors in Vflow log:
Looking at the code it looks like there are no fatal errors so I am not sure why other fields are not being parsed/sent to the MQ.
attached is the pcap file from the Vmware server ipfix.zip