Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Expand key for template cache in IPFix and v9 #167

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Expand key for template cache in IPFix and v9 #167

wants to merge 4 commits into from

Conversation

rachelScout
Copy link

@rachelScout rachelScout commented Sep 29, 2022
edited
Loading

Currently V9 and IPFIX templates are cached using template id and exporter address as a key.
Rfc3954 implies that v9 templates should be cached using the following fields:

msg header Source ID
exporter source IP
Template id

As stated below:

Source ID:
A 32-bit value that identifies the Exporter Observation Domain.
NetFlow Collectors SHOULD use the combination of the source IP
address and the Source ID field to separate different export
streams originating from the same Exporter.

@rachelScout rachelScout force-pushed the fix_template_cache_for_IPFix_and_v9 branch from bb195b1 to 093b7bf Compare October 19, 2022 08:31
@rachelScout rachelScout force-pushed the fix_template_cache_for_IPFix_and_v9 branch from 7b0f583 to 87be2c7 Compare October 19, 2022 08:51
@rachelScout rachelScout force-pushed the fix_template_cache_for_IPFix_and_v9 branch from f3bcbe3 to cdacb22 Compare October 19, 2022 09:38
@rachelScout rachelScout changed the title fix_template_cache_for_IPFix_and_v9 Expand key for template cache in IPFix and v9 Oct 23, 2022
@dbardbar
Copy link
Contributor

dbardbar commented Feb 9, 2023

@akshah,

A pcap that demonstrates the problem is attached. In packet #1 and #2, template id 257 is being sent on domain id 3.
In packet #3, the same template id from the same host is being send, but now on domain 4. The elements are slightly different on this packet. The last 2 elements are of type mibObjectValueOID (element id 436) and mibObjectValueBits (element id 437), while in packet #1 those fields were element octetDeltaCount (element id 1) and packetDeltaCount (element id 2).

Now comes packet #4, which demonstrates the problem. It has template id 257, and domain 3, so it should be parsed using the template from packet #1, and not the template seen later, in packet #3.
In Wireshark this is done correctly. You can see when looking at packet #4 that the it knows the the template packet is #1, and parses the data in packet #4 based on the template in packet #1.

In vflow without the fix, packet #4 is being parsed based on packet #3, because it came later, and vflow ignores the domain id. In vflow with the fix, packet #4 is being parsed on the packet #1, because that's the packet which matches the combination of sender IP + template id + domain id.

ipfix_different_domain.zip

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@rachelScout @dbardbar @newlandk @tinselcity