Closed alarig closed 4 years ago
sampler=deterministic:123
sampler=random:123
sampler=hash:123
- enables Flow Sampling. To disable set to the empty value or to `0'.
Note, that this is flow sampling (as of RFC 7014), not packet
sampling (PSAMP).
There are three sampling modes:
deterministic: select each N-th observed flow; in IPFIX this mode
is called Systematic count-based Sampling;
random: select randomly one out of N flows.
hash: select hash-randomly one out of N flows.
Number after colon is population size N, with valid values 2-16383.
(This 16383 limit is for compatibility with NetFlow v5.)
Using 'deterministic' and 'random' sampling will not reduce resource
usage caused by the module, because flows are sampled late in exporting
process. This will reduce the amount of flows which go to the collector,
thus, reducing load on the collector.
On the other hand, using 'hash' sampling will reduce CPU and memory
load caused by the module, because flows are discarded early in the
processing chain. They are discarded almost like in random sampler,
except that the pseudo-random value depends on the Flow Key hash for each
packet.
All required NetFlow/IPFIX information to signal use of sampling is
also sent to the collector. 'Hash' sampling will be presented as 'random'
sampling to the collector, because of their similarity.
Note, that Flow Sampling is compatible with NetFlow v5, v9, and IPFIX.
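The difference between late sampling ('deterministic') and early sampling ('hash') described above, as an added sketch that is not code from ipt-netflow. `Flow`, `Run` and the multiplicative hash are assumptions made for the illustration, and the packets are constructed.

```go
package main

import "fmt"

// Flow is a constructed flow key standing in for the module's Flow Key.
type Flow uint32

// Deterministic keeps every n-th flow shown to it. The verdict depends on a
// running count, so it is taken once per finished flow, late in the export.
func Deterministic(n int) func(Flow) bool {
	seen := 0
	return func(Flow) bool { seen++; return seen%n == 0 }
}

// Hash keeps a flow when its key hash lands in 1 of n buckets, so every packet
// of a flow gets the same verdict and it can run before the flow is tracked.
// The multiplicative hash is an assumption here, not the module's function.
func Hash(n uint32) func(Flow) bool {
	return func(k Flow) bool { return (uint32(k)*2654435761)>>16%n == 0 }
}

// Run sends pkts through a flow table: early (optional) is checked per packet
// before an entry is created, late (optional) once per flow at export time.
func Run(pkts []Flow, early, late func(Flow) bool) (tracked, exported int) {
	table := map[Flow]bool{}
	for _, p := range pkts {
		if early == nil || early(p) {
			table[p] = true
		}
	}
	for k := range table {
		if late == nil || late(k) {
			exported++
		}
	}
	return len(table), exported
}

func main() {
	var pkts []Flow // constructed: 3 packets for each of 1000 flows
	for i := 0; i < 3000; i++ {
		pkts = append(pkts, Flow(i%1000))
	}
	fmt.Println(Run(pkts, nil, Deterministic(10))) // every flow is tracked
	fmt.Println(Run(pkts, Hash(10), nil))          // only kept flows are tracked
}
```

Both runs export a fraction of the flows, but only the hash sampler keeps the flow table small, which is the resource saving the text attributes to it.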
Ah, I misunderstood the difference between packet and flow sampling. So per default, it’s 1:1? I don’t use this option in my config file:
edge03-ifog ~ # cat /etc/modprobe.d/ipt_NETFLOW.conf
options ipt_NETFLOW destination=10.0.0.1:9000@45.91.126.237 protocol=9
Flow sampling is not enabled by default. That would be crazy.
@alarig you have to configure the module with a sampler feature (of course if you compile it from the sources)
./configure --enable-sampler
After that, choose the sampling rate in your "/etc/modprobe.d/ipt_NETFLOW.conf" file. This is an example for 1:10000.
options ipt_NETFLOW destination=10.0.0.1:9000@45.91.126.237 sampler=deterministic:10000 protocol=9
Check your sampling rate results here.
cat /proc/net/stat/ipt_netflow
P.S. Make sure that you reloaded ipt_NETFLOW module.
@aabc I've compiled v2.5, but the "SamplingRate" field in the netflow packet always equals 0 (no matter whether protocol 9 or 10). I use "sampler=deterministic:1000". Is this a bug?
What is "SamplingRate" field.
List of attributes https://www.iana.org/assignments/ipfix/ipfix.xhtml I only export sampling mode, sampling interval. There are no sampling rates.
What is "SamplingRate" field.
We need to know the sampling rate to extrapolate stats, but this field always equals 0 (it means that we send stats for every flow, but it's not true, the correct SamplingRate is 1000).
So, what attribute it is?
We've just found this code in our netflow collector:
b := NetFlowPopulate(record.OptionsValues, 305, &samplingRate)
if b {
	return samplingRate, b
}
b = NetFlowPopulate(record.OptionsValues, 50, &samplingRate)
if b {
	return samplingRate, b
}
b = NetFlowPopulate(record.OptionsValues, 34, &samplingRate)
if b {
	return samplingRate, b
}
34 (samplingInterval) and 50 (samplerRandomInterval) options are deprecated. Current option is 305 (samplingPacketInterval) and this might be a problem.
Hi. We have found that the module doesn't send these options.
Set 1
FlowSet Id: Data Template (V10 [IPFIX]) (2)
FlowSet Length: 76
Template (Id = 259, Count = 17)
Template Id: 259
Field Count: 17
Field (1/17): IP_SRC_ADDR
0... .... .... .... = Pen provided: No
.000 0000 0000 1000 = Type: IP_SRC_ADDR (8)
Length: 4
Field (2/17): IP_DST_ADDR
0... .... .... .... = Pen provided: No
.000 0000 0000 1100 = Type: IP_DST_ADDR (12)
Length: 4
Field (3/17): IP_NEXT_HOP
0... .... .... .... = Pen provided: No
.000 0000 0000 1111 = Type: IP_NEXT_HOP (15)
Length: 4
Field (4/17): L4_SRC_PORT
0... .... .... .... = Pen provided: No
.000 0000 0000 0111 = Type: L4_SRC_PORT (7)
Length: 2
Field (5/17): L4_DST_PORT
0... .... .... .... = Pen provided: No
.000 0000 0000 1011 = Type: L4_DST_PORT (11)
Length: 2
Field (6/17): TCP_FLAGS
0... .... .... .... = Pen provided: No
.000 0000 0000 0110 = Type: TCP_FLAGS (6)
Length: 1
Field (7/17): INPUT_SNMP
0... .... .... .... = Pen provided: No
.000 0000 0000 1010 = Type: INPUT_SNMP (10)
Length: 2
Field (8/17): OUTPUT_SNMP
0... .... .... .... = Pen provided: No
.000 0000 0000 1110 = Type: OUTPUT_SNMP (14)
Length: 2
Field (9/17): PKTS
0... .... .... .... = Pen provided: No
.000 0000 0000 0010 = Type: PKTS (2)
Length: 4
Field (10/17): BYTES
0... .... .... .... = Pen provided: No
.000 0000 0000 0001 = Type: BYTES (1)
Length: 4
Field (11/17): flowStartMilliseconds
0... .... .... .... = Pen provided: No
.000 0000 1001 1000 = Type: flowStartMilliseconds (152)
Length: 8
Field (12/17): flowEndMilliseconds
0... .... .... .... = Pen provided: No
.000 0000 1001 1001 = Type: flowEndMilliseconds (153)
Length: 8
Field (13/17): PROTOCOL
0... .... .... .... = Pen provided: No
.000 0000 0000 0100 = Type: PROTOCOL (4)
Length: 1
Field (14/17): IP_TOS
0... .... .... .... = Pen provided: No
.000 0000 0000 0101 = Type: IP_TOS (5)
Length: 1
Field (15/17): flowEndReason
0... .... .... .... = Pen provided: No
.000 0000 1000 1000 = Type: flowEndReason (136)
Length: 1
Field (16/17): TCP_OPTION_MAP
0... .... .... .... = Pen provided: No
.000 0000 1101 0001 = Type: TCP_OPTION_MAP (209)
Length: 4
Field (17/17): selectorId
0... .... .... .... = Pen provided: No
.000 0001 0010 1110 = Type: selectorId (302)
Length: 1
And that's all, 17 attributes.
For v9 it is 14 attributes.
FlowSet 1
FlowSet Id: Data Template (V9) (0)
FlowSet Length: 64
Template (Id = 268, Count = 14)
Template Id: 268
Field Count: 14
Field (1/14): IP_SRC_ADDR
Type: IP_SRC_ADDR (8)
Length: 4
Field (2/14): IP_DST_ADDR
Type: IP_DST_ADDR (12)
Length: 4
Field (3/14): IP_NEXT_HOP
Type: IP_NEXT_HOP (15)
Length: 4
Field (4/14): L4_SRC_PORT
Type: L4_SRC_PORT (7)
Length: 2
Field (5/14): L4_DST_PORT
Type: L4_DST_PORT (11)
Length: 2
Field (6/14): INPUT_SNMP
Type: INPUT_SNMP (10)
Length: 2
Field (7/14): OUTPUT_SNMP
Type: OUTPUT_SNMP (14)
Length: 2
Field (8/14): PKTS
Type: PKTS (2)
Length: 4
Field (9/14): BYTES
Type: BYTES (1)
Length: 4
Field (10/14): FIRST_SWITCHED
Type: FIRST_SWITCHED (22)
Length: 4
Field (11/14): LAST_SWITCHED
Type: LAST_SWITCHED (21)
Length: 4
Field (12/14): PROTOCOL
Type: PROTOCOL (4)
Length: 1
Field (13/14): IP_TOS
Type: IP_TOS (5)
Length: 1
Field (14/14): FLOW_SAMPLER_ID
Type: FLOW_SAMPLER_ID (48)
Length: 1
@wk27 You are right! I should send new attributes for IPFIX (but not for v9, I think).
34 (samplingInterval) and 50 (samplerRandomInterval) options are deprecated. Current option is 305 (samplingPacketInterval) and this might be a problem.
Well, this is actually an incorrect assumption about ipt-netflow - it's not using Packet Sampling (as of https://tools.ietf.org/html/rfc5477). So, these attributes are never provided and don't need to be deprecated or updated.
ipt-netflow uses Flow Sampling, see https://tools.ietf.org/html/rfc7014. I cannot provide attributes that do not reflect the sampling model used in ipt-netflow.
@wk27 You are right! I should send new attributes for IPFIX (but not for v9, I think).
Excuse me for agreeing with you too soon.
See https://www.iana.org/assignments/ipfix/ipfix.xhtml#ipfix-flowselectoralgorithm I believe I already correctly provide appropriate attributes for the Flow Sampling.
So this whole issue turned out to be inappropriate. There is no Packet Sampling nor packet sampling rate for ipt-netflow.
Hi,
I’m configuring an AS-Stats and the configuration asks for the sampling rate of the netflow input. I don’t see any configuration option to set it, nor what is the default one. Which value should I put?
Thanks
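The collector lookup quoted in this thread reads only packet-sampling elements (305, 50, 34). The following added example, which is not the collector's or ipt-netflow's code, also checks the RFC 7014 flow-sampling elements and flags records that reference a sampler without any resolvable rate. Whether a given exporter sends 396/397 is an assumption to confirm in a capture; the option records are constructed.

```go
package main

import "fmt"

// IANA IPFIX element IDs; 306, 396 and 397 are added here, not from the page.
const (
	samplingInterval, samplerRandomInterval     = 34, 50   // deprecated
	samplingPacketInterval, samplingPacketSpace = 305, 306 // packet sampling
	samplingFlowInterval, samplingFlowSpacing   = 396, 397 // flow sampling
)

// Resolve returns the extrapolation multiplier and the kind of sampling it
// describes; ok is false when no rate element is present at all.
func Resolve(opts map[uint16]uint64) (factor float64, kind string, ok bool) {
	ratio := func(interval, space uint16) float64 {
		if n := opts[interval]; n > 0 {
			return float64(n+opts[space]) / float64(n) // n kept, then space skipped
		}
		return 0
	}
	if f := ratio(samplingFlowInterval, samplingFlowSpacing); f > 0 {
		return f, "flow", true
	}
	if f := ratio(samplingPacketInterval, samplingPacketSpace); f > 0 {
		return f, "packet", true
	}
	for _, id := range []uint16{samplerRandomInterval, samplingInterval} {
		if n := opts[id]; n > 0 {
			return float64(n), "packet", true
		}
	}
	return 1, "unknown", false
}

// Unscaled: the template references a sampler (302 or 48) but no rate resolved.
func Unscaled(templateFields []uint16, opts map[uint16]uint64) bool {
	_, _, ok := Resolve(opts)
	for _, f := range templateFields {
		if f == 302 || f == 48 {
			return !ok
		}
	}
	return false
}

func main() { // constructed option records, not captured from ipt-netflow
	fmt.Println(Resolve(map[uint16]uint64{302: 1, 396: 1, 397: 999}))
	fmt.Println(Unscaled([]uint16{8, 12, 302}, map[uint16]uint64{302: 1}))
}
```

A collector that treats the `Unscaled` case as 1:1 under-reports traffic by the sampling factor, so volume-based alert thresholds should not be trusted until the rate is resolved or configured by hand.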