search

cloudflare / goflow

The high-scalability sFlow/NetFlow/IPFIX collector used internally at Cloudflare.
BSD 3-Clause "New" or "Revised" License
852 stars 171 forks source link

Openvswitch ovs-vsctl connection #99

Open ekfoury opened 3 years ago

ekfoury commented 3 years ago

Hello everyone,

I would like to ask if anyone was able to use the openvswitch IPFIX with goflow. I tried openvswitch/goflow with sFlow and NetFlow, and both work great. With IPFIX, nothing is shown on the collector.

Has anyone experienced the same issue?

Thanks.

lspgn commented 3 years ago

Hello, Do you have a packet capture? There might be an issue if it's using Enterprise format (listed in #31).

ekfoury commented 3 years ago

Hello lspgn,

Attached is a pcap sample. I can see the IPFIX flows in wireshark, but nothing is appearing in goflow.

Thanks for your help.

ipfix.tar.gz

lspgn commented 3 years ago

Could you give me the CLI arguments you are passing?

ekfoury commented 3 years ago

I am starting goflow like this: sudo docker run --net=host -ti cloudflare/goflow:latest -kafka=false

And configuring the exporter on ovs like this: sudo ovs-vsctl -- set Bridge s1 ipfix=@if -- --id=@if create IPFIX targets=\"127.0.0.1:2055\" sampling=64

lspgn commented 3 years ago

After looking at the pcap, I noticed there are custom Enterprise fields in the templates. Unfortunately, this is issue #31 and the templates aren't properly decoded. If you can change the template that OVS is sending or change to NetFlow v9, it should collect without issues.

I am currently working on a fix and hope to have something in the coming days (after some freeze).

ekfoury commented 3 years ago

Gotcha! thanks for the help. I will just use NetFlow v9 for now. I will keep an eye on issue #31 for the future. Thanks.

jotak commented 3 years ago

FWIW here's a descriptive XML from ovs: https://github.com/openvswitch/ovs/blob/master/ofproto/ipfix.xml I'm trying to understand, for this issue with ovs to be fixed (ie. Enterprise format not being supported with goflow and breaking the decoder), am I right to assume that the work could be split in two parts:

  1. implement reading the enterprise number as per https://datatracker.ietf.org/doc/html/rfc7011#section-3.2
  2. interpret these fields using some descriptor such as the link I wrote above

1. can be done and would fix goflow when receiving the common IPFIX fields, though ignoring the custom ones. Am I understanding correctly?

jotak commented 3 years ago

I could make it work "partially" with ovs, standard fields are now recognized and collected ; there's not only the enterprise number parsing missing, but also variable length fields [1] such as string that are not supported currently in goflow. I can submit a fix after cleaning my work.

[1] cf https://datatracker.ietf.org/doc/html/rfc7011#section-7