calmh / ipfixcat

Convert an IPFIX stream to readable JSON
MIT License

Not decoding IPFIX packets from OVS 2.5.0 #4

Open alexanderturner opened 7 years ago

alexanderturner commented 7 years ago

As per header, configured OVS with the following agent config:

ovs-vsctl -- set Bridge testbr ipfix=@i -- --id=@i create IPFIX targets=\"127.0.0.1:4739\" sampling=1 other_config:enable-input-sampling=true

Output as follows:

root@ubuntu:~# socat udp-recv:4739 stdout | ipfixcat
2017/01/09 23:32:03 ipfixcat
^C
root@ubuntu:~# socat udp-recv:4739 stdout

qXs��7
a>~x�>�@��C�CbTTT
qXs��8
a>��>~x@���!�!bTTT^Croot@ubuntu:~#

alexanderturner commented 7 years ago

Looks as if this issue exists if obs point and obs domain IDs aren't set (looks as if they're set as iif.FieldID iif.Value). This should throw an error.

calmh commented 7 years ago

PCAP or similar?

alexanderturner commented 7 years ago

test.pcap.zip

calmh commented 7 years ago

Thanks, I'll look into it.

calmh commented 7 years ago

I don't know, I extracted the template and a data packet and it works for me:

jb@unu:~/s/g/c/ipfix $ ipfixcat < data | jsonpp 
2017/01/10 09:25:32 ipfixcat 
{
  "exportTime": 1483968705,
  "templateId": 266,
  "fields": [
    {
      "name": "observationPointId",
      "field": 138,
      "raw": [
        0,
        0,
        0,
        0
      ]
    },
    {
      "name": "flowDirection",
      "field": 61,
      "value": 1
    },
    {
      "name": "sourceMacAddress",
      "field": 56,
      "raw": [
        0,
        22,
        62,
        126,
        120,
        128
      ]
    },
    {
      "name": "destinationMacAddress",
      "field": 80,
      "raw": [
        0,
        22,
        62,
        30,
        216,
        199
      ]
    },
    {
      "name": "ethernetType",
      "field": 256,
      "value": 2048
    },
    {
      "name": "ethernetHeaderLength",
      "field": 240,
      "value": 14
    },
    {
      "name": "ipVersion",
      "field": 60,
      "value": 4
    },
    {
      "name": "ipTTL",
      "field": 192,
      "value": 64
    },
    {
      "name": "protocolIdentifier",
      "field": 4,
      "value": 1
    },
    {
      "name": "ipDiffServCodePoint",
      "field": 195,
      "value": 0
    },
    {
      "name": "ipPrecedence",
      "field": 196,
      "value": 0
    },
    {
      "name": "ipClassOfService",
      "field": 5,
      "value": 0
    },
    {
      "name": "sourceIPv4Address",
      "field": 8,
      "value": "172.17.1.2"
    },
    {
      "name": "destinationIPv4Address",
      "field": 12,
      "value": "172.17.1.1"
    },
    {
      "name": "icmpTypeIPv4",
      "field": 176,
      "value": 8
    },
    {
      "name": "icmpCodeIPv4",
      "field": 177,
      "value": 0
    },
    {
      "name": "flowStartDeltaMicroseconds",
      "field": 158,
      "value": 413638
    },
    {
      "name": "flowEndDeltaMicroseconds",
      "field": 159,
      "value": 413638
    },
    {
      "name": "packetDeltaCount",
      "field": 2,
      "value": 1
    },
    {
      "name": "layer2OctetDeltaCount",
      "field": 352,
      "value": 98
    },
    {
      "name": "flowEndReason",
      "field": 136,
      "value": 2
    },
    {
      "name": "octetDeltaCount",
      "field": 1,
      "value": 84
    },
    {
      "name": "octetDeltaSumOfSquares",
      "field": 198,
      "value": 7056
    },
    {
      "name": "minimumIpTotalLength",
      "field": 25,
      "value": 84
    },
    {
      "name": "maximumIpTotalLength",
      "field": 26,
      "value": 84
    }
  ]
}

calmh commented 7 years ago

Run with IPFIXDEBUG=1 set and you may get some more info on what's happening.
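
For triaging a collector that stays silent on a stream like the one in this thread, the following added example (not ipfixcat's code and not posted by anyone in the thread) walks one IPFIX message's header and set headers per RFC 7011 and reports the observation domain ID plus any data sets that arrive without a previously seen template. `Inspect`, `dataOnly` and `withTmpl` are hypothetical names, and the sample bytes are constructed around template ID 266 and field 138 from the output above.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

var be = binary.BigEndian

// Inspect walks one IPFIX message (RFC 7011 layout) and returns its observation
// domain ID plus the data set IDs whose template is not in known (kept across calls).
func Inspect(msg []byte, known map[uint16]bool) (domain uint32, missing []uint16, err error) {
	if len(msg) < 16 || be.Uint16(msg) != 10 || int(be.Uint16(msg[2:])) != len(msg) {
		return 0, nil, fmt.Errorf("bad message header: version or length")
	}
	domain = be.Uint32(msg[12:])
	for p := msg[16:]; len(p) > 0; {
		if len(p) < 4 || be.Uint16(p[2:]) < 4 || int(be.Uint16(p[2:])) > len(p) {
			return domain, missing, fmt.Errorf("set length out of range")
		}
		id, body := be.Uint16(p), p[4:be.Uint16(p[2:])]
		p = p[be.Uint16(p[2:]):]
		for id == 2 && len(body) >= 4 { // template set: one or more records
			tid, n := be.Uint16(body), int(be.Uint16(body[2:]))
			body = body[4:]
			for i := 0; i < n; i++ { // field specifier: 4 octets, 8 with enterprise bit
				if len(body) < 4 || len(body) < 4+4*int(body[0]>>7) {
					return domain, missing, fmt.Errorf("template %d truncated", tid)
				}
				body = body[4+4*int(body[0]>>7):]
			}
			known[tid] = n > 0 // a field count of 0 withdraws the template
		}
		if id >= 256 && !known[id] {
			missing = append(missing, id)
		}
	}
	return domain, missing, nil
}

// Constructed messages (version 10, observation domain 0): dataOnly carries data set
// 266; withTmpl puts template 266 (one field, IE 138, 4 octets) in front of it.
var dataOnly = []byte{0, 10, 0, 24, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	1, 10, 0, 8, 0, 0, 0, 0}
var withTmpl = []byte{0, 10, 0, 36, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	0, 2, 0, 12, 1, 10, 0, 1, 0, 138, 0, 4, 1, 10, 0, 8, 0, 0, 0, 0}

func main() {
	fmt.Println(Inspect(dataOnly, map[uint16]bool{}))
}
```

`Inspect` expects exactly one message per call (one UDP datagram); a byte stream of concatenated messages has to be split on the header's length field first.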