Open hotid opened 3 years ago
Кажется, вот так будет похоже на rfc7012:
diff --git a/ipt_NETFLOW.h b/ipt_NETFLOW.h
index 80160a9..50a0605 100644
--- a/ipt_NETFLOW.h
+++ b/ipt_NETFLOW.h
@@ -76,24 +76,24 @@ struct netflow5_pdu {
one(id, a, len) \
one(id, b, len)
#define Elements \
- two(1, IN_BYTES, octetDeltaCount, 4) \
- two(2, IN_PKTS, packetDeltaCount, 4) \
+ two(1, IN_BYTES, octetDeltaCount, 8) \
+ two(2, IN_PKTS, packetDeltaCount, 8) \
two(4, PROTOCOL, protocolIdentifier, 1) \
two(5, TOS, ipClassOfService, 1) \
- two(6, TCP_FLAGS, tcpControlBits, 1) \
+ two(6, TCP_FLAGS, tcpControlBits, 2) \
two(7, L4_SRC_PORT, sourceTransportPort, 2) \
two(8, IPV4_SRC_ADDR, sourceIPv4Address, 4) \
two(9, SRC_MASK, sourceIPv4PrefixLength, 1) \
- two(10, INPUT_SNMP, ingressInterface, 2) \
+ two(10, INPUT_SNMP, ingressInterface, 4) \
two(11, L4_DST_PORT, destinationTransportPort, 2) \
two(12, IPV4_DST_ADDR, destinationIPv4Address, 4) \
two(13, DST_MASK, destinationIPv4PrefixLength, 1) \
- two(14, OUTPUT_SNMP, egressInterface, 2) \
+ two(14, OUTPUT_SNMP, egressInterface, 4) \
two(15, IPV4_NEXT_HOP, ipNextHopIPv4Address, 4) \
two(21, LAST_SWITCHED, flowEndSysUpTime, 4) \
two(22, FIRST_SWITCHED, flowStartSysUpTime, 4) \
- one(25, minimumIpTotalLength, 2) \
- one(26, maximumIpTotalLength, 2) \
+ one(25, minimumIpTotalLength, 8) \
+ one(26, maximumIpTotalLength, 8) \
two(27, IPV6_SRC_ADDR, sourceIPv6Address, 16) \
two(28, IPV6_DST_ADDR, destinationIPv6Address, 16) \
two(31, IPV6_FLOW_LABEL, flowLabelIPv6, 3) \
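Review bot: The `len` values changed in `Elements` appear to be the lengths reported in the template, so the code that writes each field into the data record has to emit exactly the same number of octets; that code is not part of this diff, and the same check applies to the rows changed in the later hunks. If the writer still stores 2 octets for `ingressInterface` while the template now says 4, every field after it shifts and a collector will decode wrong values without any error, which quietly corrupts the flow data used for traffic analysis and investigations. Since `two(id, a, b, len)` expands to `one()` for both names, the NetFlow v9 fields (`IN_BYTES`, `TCP_FLAGS`, `INPUT_SNMP`) take the new widths as well, which should be confirmed as intended. I would record the contract above the table with a comment such as `/* len: octets written per field; must equal the width the record writer emits for this id */`. The `Elements` list continues past this hunk.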
@@ -104,7 +104,7 @@ struct netflow5_pdu {
two(42, TOTAL_FLOWS_EXP, exportedFlowRecordTotalCount, 8) \
two(48, FLOW_SAMPLER_ID, samplerId, 1) \
two(49, FLOW_SAMPLER_MODE, samplerMode, 1) \
- two(50, FLOW_SAMPLER_RANDOM_INTERVAL, samplerRandomInterval, 2) \
+ two(50, FLOW_SAMPLER_RANDOM_INTERVAL, samplerRandomInterval, 4) \
one(52, minimumTTL, 1) \
one(53, maximumTTL, 1) \
two(56, SRC_MAC, sourceMacAddress, 6) \
@@ -113,7 +113,7 @@ struct netflow5_pdu {
two(60, IP_VERSION, ipVersion, 1) \
two(61, DIRECTION, flowDirection, 1) \
two(62, IPV6_NEXT_HOP, ipNextHopIPv6Address, 16) \
- two(64, IPV6_OPTION_HEADERS, ipv6ExtensionHeaders, 2) \
+ two(64, IPV6_OPTION_HEADERS, ipv6ExtensionHeaders, 4) \
two(70, MPLS_LABEL_1, mplsTopLabelStackSection, 3) \
two(71, MPLS_LABEL_2, mplsLabelStackSection2, 3) \
two(72, MPLS_LABEL_3, mplsLabelStackSection3, 3) \
@@ -148,10 +148,10 @@ struct netflow5_pdu {
one(167, notSentPacketTotalCount, 8) \
one(168, notSentOctetTotalCount, 8) \
one(200, mplsTopLabelTTL, 1) \
- one(201, mplsLabelStackLength, 1) \
- one(202, mplsLabelStackDepth, 1) \
+ one(201, mplsLabelStackLength, 4) \
+ one(202, mplsLabelStackDepth, 4) \
one(208, ipv4Options, 4) \
- one(209, tcpOptions, 4) \
+ one(209, tcpOptions, 8) \
one(225, postNATSourceIPv4Address, 4) \
one(226, postNATDestinationIPv4Address, 4) \
one(227, postNAPTSourceTransportPort, 2) \
@@ -161,24 +161,24 @@ struct netflow5_pdu {
one(244, dot1qPriority, 1) \
one(245, dot1qCustomerVlanId, 2) \
one(246, dot1qCustomerPriority, 1) \
- one(252, ingressPhysicalInterface, 2) \
- one(253, egressPhysicalInterface, 2) \
+ one(252, ingressPhysicalInterface, 4) \
+ one(253, egressPhysicalInterface, 4) \
one(256, ethernetType, 2) \
one(295, IPSecSPI, 4) \
one(300, observationDomainName, 128) \
- one(302, selectorId, 1) \
- one(309, samplingSize, 1) \
- one(310, samplingPopulation, 2) \
+ one(302, selectorId, 8) \
+ one(309, samplingSize, 4) \
+ one(310, samplingPopulation, 4) \
one(318, selectorIdTotalPktsObserved, 8) \
one(319, selectorIdTotalPktsSelected, 8) \
one(323, observationTimeMilliseconds, 8) \
one(324, observationTimeMicroseconds, 8) \
one(325, observationTimeNanoseconds, 8) \
- one(390, flowSelectorAlgorithm, 1) \
+ one(390, flowSelectorAlgorithm, 2) \
one(394, selectorIDTotalFlowsObserved, 8) \
one(395, selectorIDTotalFlowsSelected, 8) \
- one(396, samplingFlowInterval, 1) \
- one(397, samplingFlowSpacing, 2)
+ one(396, samplingFlowInterval, 8) \
+ one(397, samplingFlowSpacing, 8)
enum {
Elements
Согласен.
Добрый день. Согласно https://www.iana.org/assignments/ipfix/ipfix.xhtml - ingressInterface/egressInterface это unsigned32..
При экспорте ipfix в ipt_netflow длина элементов ingressInterface/egressInterface - 2 байта. Формально мы вроде как сообщаем длину наших атрибутов в темплейте, но некоторые коллекторы (VerizonDigital/vflow), например, как-то странно на это реагируют.
При использовании оригинальной версии ipt_netflow, vflow выдаёт ingressInterface в json такого вида: {"I":10,"V":"0xffff"}, т.е. индекс интерфейса передаётся как string.
После вот такого изменения
vflow обрабатывает атрибуты как и ожидается: {"I":10,"V":65536}